Cisco® CCNA Security Exam Notes : Mitigation Technology For Email-based Threats

7. Content and Endpoint Security

7.1 Describe mitigation technology for email-based threats

ESA: The Cisco Email Security Appliance (ESA) protects against ransomware, business email compromise (BEC), sender spoofing, and phishing. It combines threat intelligence with several scanning layers to protect inbound messages and to keep sensitive data from leaving in outbound mail.

The most common threats encountered by email users are:

Virus: Email attachments may carry viruses that infect files and directories on the user's computer. A virus may also spread over the network and infect other computers.

Spam: Spam is unsolicited email dumped into users' inboxes. Spam may carry attachments that, when opened, infect the user's computer.

Phishing: The attacker crafts an email that appears to come from a trusted party (say, your bank). When the user clicks the link in it, they are taken to the attacker's website and prompted for a username and password.

Spear phishing: These attacks are aimed at specific individuals or organizations. The message is tailored to the target and may urge you to provide your credentials for sites you use frequently, such as Facebook or Twitter.

Note that man-in-the-middle (MITM) is a network-level attack, not an email-specific one: the attacker sits between you and a resource you are accessing on the Internet and relays, reads, or alters the traffic.

Security features supported by Cisco's Email Security Appliance (ESA) include:

1. Access Control: Controls which senders may connect, based on the sender's IP address, IP address range, or domain name.

2. Antispam: Uses multilayered filtering based on Cisco SenderBase sender reputation.

3. Network Antivirus: Cisco partnered with McAfee to run the McAfee antivirus engine at the gateway.

4. Advanced Malware Protection (AMP): Enables administrators to scan attachments for malware and to alert on detections.

5. DLP (Data Loss Prevention): Prevents sensitive emails and documents from leaving the organization.

6. Email Encryption: ESA may be configured to encrypt outgoing email at the gateway, using either a locally hosted key server or a hosted key service.

7. Email Authentication: Verifying that a message really comes from the domain it claims to come from helps to keep spoofed mail and spam out of the inbox. ESA checks Sender Policy Framework (SPF), Sender ID Framework (SIDF), and DKIM on incoming email, and signs outgoing email with DKIM.

8. Outbreak Filters: Protect against brand-new threats that are not yet covered by the signature files of traditional AV vendors, including zero-day threats. Outbreak Filters are driven by Cisco Security Intelligence Operations (SIO) threat intelligence, which ESA consults while processing email.

X-Series Email Security Appliances:

Cisco X1070 - For service providers and large organizations.

C-Series Email Security Appliances:

Cisco C680 - Suitable for service providers and large organizations.

Cisco C670 - Suitable for medium sized organizations.

Cisco C380 - Suitable for medium sized organizations.

Cisco C370 - Suitable for small and medium organizations.

Cisco C170 - Suitable for small organizations and branch offices.

Cisco ESA (Email Security Appliance) supports the following email authentication mechanisms:

1. SIDF (Sender ID Framework): Sender ID is an email authentication protocol designed to keep spoofed mail and spam out of the inbox. It is very similar to Sender Policy Framework (SPF), with one main difference: Sender ID authenticates the Purported Responsible Address (PRA), the domain taken from the message headers (Resent-Sender, Resent-From, Sender, or From, whichever is present first), whereas SPF authenticates the envelope sender (SMTP MAIL FROM) domain. Sender ID verifies that the connecting IP address is authorized to send for that domain and uses the result to decide whether the message is delivered.

In both schemes, when a message arrives, the inbound mail server queries DNS for the domain's SPF record and checks whether the IP address of the connecting server is listed in it. If there is a match, the message passes authentication and can be delivered. If there is no match, authentication fails and the email is either rejected or delivered to the spam folder, depending on the policy in the record ("-all" hard fail versus "~all" soft fail) and the receiver's configuration.

2. SPF (Sender Policy Framework): Domains use public DNS records to direct requests for different services (web, email, etc.) to the machines that provide those services. Every mail-receiving domain already publishes MX records to tell the world which machines receive mail for the domain.

SPF works by having domains publish a "reverse MX" record, a TXT record beginning with "v=spf1", that lists the machines allowed to send mail from the domain. When receiving a message, the recipient looks up that record for the envelope sender's domain and checks that the connecting IP address is one the domain has authorized.

3. DKIM (DomainKeys Identified Mail): DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain. It is intended to prevent forged sender addresses in email, a technique often used in phishing and spam.

In technical terms, DKIM lets a domain take responsibility for a message by attaching a digital signature to it, carried in a DKIM-Signature header and computed over selected headers and a hash of the body. The receiver verifies the signature using the signer's public key, which is published in DNS under the selector and domain named in the signature.
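The following Python example is added here and is not Cisco code; it shows the receiver-side checks described above for SPF, Sender ID and DKIM on a constructed inbound message. Everything in it is an assumption for illustration: DNS is replaced by a constructed lookup table (FAKE_DNS_TXT), the SPF evaluator handles only the ip4, ip6, include and all mechanisms, PRA selection is simplified from RFC 4407, and the DKIM part verifies only the body hash (bh=) with RFC 6376 relaxed canonicalization, not the RSA signature over the headers, so it needs no key material.

```python
"""Added example (not Cisco code): SPF, Sender ID and DKIM body-hash checks."""
import base64
import hashlib
import ipaddress
import re

# Constructed stand-in for the SPF TXT records a gateway would fetch from DNS.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, txt=FAKE_DNS_TXT, depth=0):
    """Evaluate domain's SPF record against the connecting IP (RFC 7208).
    Handles ip4, ip6, include and all; anything else (a, mx, ptr, exists,
    redirect=) needs further DNS queries and is reported as permerror here."""
    if depth > 10:                        # RFC 7208 caps DNS-causing lookups
        return "permerror"
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):        # a v4 address never matches a v6 net
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if spf_check(arg, client_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                      # nothing matched and no "all" term


def address_domain(addr):
    """Domain part of 'Name <user@domain>' or 'user@domain'."""
    return addr.rsplit("@", 1)[1].rstrip("> ").lower()


def purported_responsible_address(headers):
    """Simplified Sender ID PRA selection (RFC 4407): the first present of
    Resent-Sender, Resent-From, Sender, From. SPF uses MAIL FROM instead."""
    for wanted in ("resent-sender", "resent-from", "sender", "from"):
        for name, value in headers:
            if name.lower() == wanted:
                return value
    return None


def dkim_relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces and
    tabs, strip trailing whitespace, drop trailing empty lines, end in CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def dkim_body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(dkim_relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_tags(header_value):
    """Parse 'tag=value; tag=value' pairs from a DKIM-Signature value."""
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in header_value.split(";") if "=" in t)}


def dkim_body_hash_matches(dkim_signature, body):
    """True when the signed bh= matches the body actually received. Checking
    b= (the signature over the headers) needs the signer's public key from
    DNS, which this offline example does not fetch."""
    tags = dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        return False                      # only the common case is handled
    return tags.get("bh") == dkim_body_hash(body)


# Constructed inbound message: client IP 192.0.2.10, MAIL FROM bounce@example.com.
SAMPLE_HEADERS = [("From", "Accounts <billing@example.com>"),
                  ("Sender", "relay@mail.example.net"),
                  ("To", "you@example.org"), ("Subject", "Invoice")]
SAMPLE_BODY = "Please review the  attached invoice.  \nThanks\n\n"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
               "h=from:to:subject; bh=" + dkim_body_hash(SAMPLE_BODY) +
               "; b=PLACEHOLDER")        # b= is constructed and not checked
```

For the constructed message, spf_check("example.com", "192.0.2.10") returns "pass" because the ip4 mechanism matches, while the Sender ID check of the PRA domain (mail.example.net, taken from the Sender header) for the same client returns "softfail" because that domain only authorizes an IPv6 range and ends in "~all"; this is the divergence between the two schemes described above. dkim_body_hash_matches(SAMPLE_DKIM, SAMPLE_BODY) is True, and becomes False as soon as anything is appended to the body, whereas extra spaces or trailing blank lines added in transit are absorbed by relaxed canonicalization.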

Cisco Content Security Management Appliance (SMA): The Cisco Content Security Management Appliance centralizes management and reporting functions across multiple Cisco email security and web security appliances. It simplifies administration and planning, improves compliance monitoring, helps to enable consistent enforcement of policy, and enhances threat protection.

Given below are some widely used email encryption standards and tools:

1. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public-key encryption and signing of email. S/MIME was developed by RSA Data Security, Inc. It provides the cryptographic security services of authentication, message integrity, and non-repudiation by combining a digital signature with encryption. Before S/MIME can be used in an application, the user must obtain a certificate and its key pair from a Certificate Authority (CA), either an internal enterprise CA or a public CA, and install it in the mail client.

2. PGP and OpenPGP: Pretty Good Privacy (PGP) is a standard that provides cryptographic privacy and authentication for email. PGP and OpenPGP require a client or plug-in. PGP uses both public-key and symmetric-key cryptography: the message is encrypted with a fresh symmetric key, and that key is encrypted with the recipient's public key.

3. GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (SSH). GnuPG is Free Software (meaning that it respects your freedom) and can be freely used, modified, and distributed under the terms of the GNU General Public License.

4. Web-based email encryption services such as SendInc.

Note that TrueCrypt, BitLocker, and FileVault are endpoint encryption tools: they encrypt files at rest on your hard drive and do not protect email in transit.

1. TrueCrypt: It can create a virtual encrypted disk within a file, encrypt a partition, or (under Microsoft Windows, except for Windows 7/8 boot drives on GPT disks) encrypt the entire storage device with pre-boot authentication. Its development was discontinued in 2014 amid unresolved security concerns; the maintained alternatives are CipherShed and VeraCrypt.

2. GPG: GNU Privacy Guard (GPG, also GnuPG) is free encryption software that complies with the OpenPGP (RFC 4880) standard. Using GPG you can encrypt (and decrypt) files that contain sensitive data, such as protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

3. BitLocker: Full-disk encryption built into Windows operating systems.

4. Mac OS X FileVault: The disk encryption feature of Mac OS X (now macOS).

5. AxCrypt: A Windows-only file encryption tool.
