|
Security+ Domain 2.2 - Communication Security - E-mail Security 2.2 Recognize and understand the administration of the following email security concepts o S/MIME (Secure Multipurpose Internet Mail Extensions) o PGP (Pretty Good Privacy) like technologies o Vulnerabilities o SPAM o Hoaxes
E-mail security What is e-mail? E-mail, or electronic mail, is an electronic version of a letter that can include text, images, sounds, and attachments. They can be plain text or Hypertext Markup Language (HTML), which allows for additional formatting. How is e-mail sent from one place to another? E-mail first goes to your Internet Service Provider's (ISP) e-mail server, which looks up the IP addresses (unique number for identification of computers on a network) of the many of the domain name's server from a Domain Name System (DNS). It then requests the IP address of the receiver's domain (for example, in an e-mail to johndoe<at>gmail.com, gmail.com is the domain). It sends the e-mail to the server at the IP address, which then puts the e-mail in the receiver's mailbox. Is e-mail secure by default? E-mail is not secure by default. I would strongy suggest considering using some form of encryption for e-mail. The two methods of encryption on the Security+ exam include S/MIME, or Secure Multipurpose Internet Mail Extensions and PGP, or Pretty Good Privacy, but others exist.
S/MIME What is MIME? MIME, or the Multipurpose Internet Mail Extension, is an extension of Simple Mail Transfer Protocol (SMTP) that allows attachments in e-mails. When it is received, the e-mail client (such as Microsoft Outlook Express or Mozilla Thunderbird) checks the MIME header to see the type of the file, and the program associated with that file type. What is S/MIME? S/MIME is a more secure version of MIME. It encrypts the message using symmetric cryptography (domain 4) and sends the key and digital signature with public-key cryptography (domain 4). The symmetric portion can be used with DES (56-bit), 3DES (168-bit) and RC2 (64-bit).
PGP What is PGP? PGP is also a method of encrypting e-mail. PGP uses public-key cryptography (domain 4) in which the sender uses the recipient's public key to encrypt the message, which the recipient decodes with a mathematically related private key. The public key, as suggested by the name, is published and available for anybody to find. The private key, however, is known only by the user.
Vulnerabilities What are some vulnerabilities of e-mail? Malware - malware is often sent over e-mail, especially by mass-mailing worms that send themselves to everbody in the infected computer's contacts list. The risk can be lowered by limiting the type of attachments that can be opened. For example, it is best to not allow attachments ending in .exe and .vbs, among others. Spam - Spam is the name for unwanted e-mail messages. These can be advertisements or a variety of other messages sent to a large number of mostly unwilling recipients. There are many spam filters available that can help reduce the amount of spam received. Hoaxes - There are often multiple hoax e-mails circulating the Internet. These often claim that a dangerous virus has just been released and is extremely dangerous or a sad story of a missing child, and that you should forward the message to all of your friends. If you receive an e-mail like this, do not forward it, and tell your friends to do the same. Spam filters can help prevent these as well. Also, sites like http://www.snopes.com have a list of e-mail hoaxes that you should check to determine whether a message is real or not. Phishing - Phishing is an attempt to trick the recipient into giving the sender information such as a username and password to login to a bank account. These are often messages that claim to come from your bank (and may even have spoofed the header information) and say that your account will close unless you click the link and login. The link then asks for your bank accound login, credit card, personal information, etc. To avoid this, use a spam filter, and never click links from e-mails claiming to come from your bank. Always type in the bank's Uniform Resource Locator (URL) and contact your bank to ask about their e-mailing habits.
Resources:
This page was last modified on 06/28/07 07:08 PM |
|