var quiz = {
	questions : [
		{
			text : 'What is Joel Snyder\'s "holy trinity" for evaluating email security, i.e. a framework for looking at email security problems?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Authentication and authorization, data integrity, directory services',
				'b. Authentication and authorization, privacy and data integrity',
				'c. Authentication, authorization, and privacy',
				'd. Privacy, data integrity, user integrity'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>The "holy trinity of security" is authentication and authorization, privacy and data integrity.\n<img src="http://searchsecurity.techtarget.com/digitalguide/images/Misc/quiz_slide_5.gif"  width="425" height="325" align="left"> \n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>',
			moreInfo : 'For more information on ways to evaluate email security, check out Joel Snyder\'s video: <a href="http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1339049,00.html" target="_blank">The Foundation of an Email Security Strategy</a>.'
		},
		{
			text : 'What are the layers in Joel Snyder\'s "onion," the system layers -- starting with the network and transport layers and working your way up -- that are important in evaluating email security?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. TCP/IP, SMTP, SSL/TLS, MIME, Content',
				'b. TCP/IP, SMTP, FTP, Body, MIME',
				'c. TCP/IP, SMTP, MIME, POP, IMAP',
				'd. TCP/IP, SMTP, Body, MIME, Content'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>On top of network/transport (TCP/IP), the SMTP layer (RFC 821 or 2821) comes first. Then, the Internet Message Format (RFC 822 or 2822) packages up the message and its headers. Above that, you will generally find MIME encapsulation and message formatting (lots of RFC numbers). And, on top of MIME, there are the \'upper layers\' of security to worry about: content such as viruses, worms, spam and anything else that violates company policy.\n<img src="http://searchsecurity.techtarget.com/digitalguide/images/Misc/quiz_slide_4.gif"  width="425" height="325" align="left">\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>',
			moreInfo : 'A SearchSecurity.com reader asks application security expert Michael Cobb, "<a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1266329,00.html" target="_blank">I\'ve heard people say that SSL "sits" between the network layer and application layer. What does that mean?</a>"'
		},
		{
			text : 'Which of the following is <i>not</i> a way in which Sender ID can help reduce spam?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Helps \'distrust\' messages that come from the wrong server',
				'b. Refuses to accept mail that doesn\'t pass basic Sender ID checks',
				'c. Pinpoints likely IP address ranges from which spam may be sent',
				'd. Publishes DNS records saying who can send email for a particular domain'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>Sender ID doesn\'t address the spam question directly. Sender ID is a way of saying, "This message from this domain was sent by an approved server." Spammers who are willing to expose their real domain name can use Sender ID just as well as any other corporation. What Sender ID can do for the spam problem, indirectly, is let you "distrust" messages that come from the wrong server. For example, if you get a message purportedly from "AOL.COM" that didn\'t come from one of AOL\'s approved servers (according to Sender ID), you can factor that into the calculation on whether that message is spam or not. You can also refuse to accept mail that doesn\'t pass basic Sender ID checks. While that has the potential for a lot of false positives, it also will reduce the possibility of someone forging mail and causing security problems with spam or viruses.',
			moreInfo : 'Michael Cobb explains how well <a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1239457,00.html" target="_blank">Sender ID actually stops spam</a>.'
		},
		{
			text : 'If your corporate firewall doesn\'t allow for SMTP extensions, such as TLS encryption or MIME SIZE advising, what\'s the best solution for improving email security?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Upgrade the software; if not, sell it on eBay.',
				'b. Implement a UTM device with advanced exception heuristics.',
				'c. Open certain firewall ports but use network behavioral analysis.',
				'd. Traditional antispam mechanisms; SMTP extensions aren\'t worth the hassle.'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>If you\'re dealing with a reputable vendor, a software upgrade will usually solve those problems. If not, these products can often be sold on eBay.',
			moreInfo : 'For further information, read <a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1067499,00.html" target="_blank">Filling SMTP gaps -- The secrets to using email standards</a>.'
		},
		{
			text : 'True or false: Even though S/MIME can provide authentication, privacy and integrity checking, it\'s not the perfect solution to email security because it has a variety of scalability problems.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. True',
				'b. False',
				'c. True and false'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>S/MIME has a variety of scalability problems. Everyone has to have a digital certificate, and there has to be a trust relationship between the signers of these digital certificates. In this world, there is no "root CA" as there is a "root DNS server," so establishing that trust relationship can be a tedious and manual process.\n<p>\nIn order to encrypt messages to someone, you need to get their digital certificate. You could find it in an online directory somewhere, but most email clients don\'t support that, which means that you have to keep a stash of certificates -- a scalability problem. \n<p>\nWhen a message has been encrypted with S/MIME, it can\'t be virus scanned, spam scanned, policy scanned or effectively archived, which might be a problem for companies with regulatory or industry rules about what has to be done with email. And, if you ever lose your private key, then you can\'t decrypt old mail that might have been sent.',
			moreInfo : 'Get the latest <a href="http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299967,00.html" target="_blank">news and expert advice on email encryption</a>.'
		},
		{
			text : 'Which of the following would be part of an effective spam cocktail?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Algorithms used to scan email headers',
				'b. Algorithms used to scan the content, including subject lines and HTML code',
				'c. IP-based blacklists',
				'd. Only answers a and b',
				'e. Answers a, b, and c'
			],
			answer : 4,
			score : 1,
			expandedAnswer : '<br>The cocktail really isn\'t a single technique. The term describes a mixture of techniques you or your antispam vendor use to determine whether or not a message is spam. A cocktail can have many components, including algorithms that look at content, protocol and headers, and external information, such as IP-based black lists.',
			moreInfo : 'Does the "cocktail" need a little more kick? Learn how <a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1315569,00.html" target="_blank">spam blockers have been losing ground on innovative attackers</a>. (Login required)'
		},
		{
			text : 'True or false: It is better to run antispam at the external MTA or on the email client (such as Outlook).',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. True',
				'b. False',
				'c. The answer varies, depending on an organization\'s preferences.'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>"Better" is always a difficult term in IT. The real answer is that you should run antispam at the point that makes the most sense for your organization, taking into account issues such as the handling of false positives and system performance. However, most antispam vendors have discovered that the closer to the Internet their product is, the better it can perform. This is because a direct connection between the antispam system and the spammer gives the system more information, including the real IP address of the sender and even some of the SMTP protocol behavior. If you push antispam towards the user\'s email client, much of this information is lost or potentially obscured. However, depending on your tolerance for false positives and the actual email load, you may find that some users prefer to have control at their local system, or that local control is more appropriate.\n<img src="http://searchsecurity.techtarget.com/digitalguide/images/Misc/anitspam_placement.gif"  width="425" height="325" align="left"> \n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>\n<br>',
			moreInfo : '<a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1336145,00.html" target="_blank">Spam using malicious attachments and social engineering techniques is targeting computer users</a> in rising numbers, according to security vendor Sophos.'
		},
		{
			text : 'A company recently announced that its antispam product has no false positives. How is this possible?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. The company has its antispam signatures automatically updated twice a day.',
				'b. The products utilize advanced authentication techniques like bounce address tag validation (BATV).',
				'c. The company has its antispam product turned off.',
				'd. The company most likely ignored gray-mail false positives, such as messages from mailing lists.'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>You can ensure that your antispam product has no false positives by never marking any message as spam. By increasing the false-negative rate to 100% (i.e., every single spam is missed), you are assured that no message will be accidentally called spam when it is not. However, as soon as you start to label messages as "spam" or "not-spam," you are assured that there will be both false positives and false negatives.\n<p>\nWhile many products have dropped their false positive rate to a very low level, no vendor can truthfully boast that its products have no false positives. Products often claim to have a lower false positive rate than they really do because of the inherent errors in the reporting of false positives. People tend to ignore "gray mail" false positives (such as messages from mailing lists that are not technically spam), and there is generally a bias to under-report errors in a product that is otherwise very satisfactory.',
			moreInfo : 'Learn how <a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248881,00.html" target="_blank">reputation systems have gained credibility in the fight against spam</a>.'
		},
		{
			text : 'Which of the following email message scenarios may cause a virus scanner to not respond affirmatively?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. The message is encrypted.',
				'b. The email archive is protected.',
				'c. There is not enough disk space or memory to perform antispam functions.',
				'd. The antispam product crashed or timed out.',
				'e. All of the above'
			],
			answer : 4,
			score : 1,
			expandedAnswer : '<br>You have designed an antivirus strategy that says that all messages with viruses in them are deleted, while all messages without viruses in them are passed on. What have you forgotten?\n<p>\nEvery virus scanner has three answers: "yes," "no" and "I don\'t know." You need to include in your strategy a plan for dealing with messages that might or might not have a virus in them. Some examples of messages that might show up as "I don\'t know" include encrypted email, messages that cause the virus scanner to crash, or messages with archives that are not supported by the virus scanner or would otherwise exceed the time and space limitations in place for expanding email.\n',
			moreInfo : 'Get the latest news and expert advice on <a href="http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax299986,00.html" target="_blank">antispam strategies</a>.'
		},
		{
			text : 'True or false: When mail received at an SMTP MTA is found to have an invalid recipient, the message should be deleted.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. True',
				'b. False',
				'c. True and false'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>When mail is received at an SMTP MTA, it is not always known whether the recipient is valid. If, later on, the recipient is found to be invalid, it\'s probably because the message is spam. What\'s wrong with simply deleting that message?\n<p>\nIt\'s true that email messages addressed to invalid recipients are generally spam. However, invalid recipients are also the result of spelling errors, from either new incoming email (where the sender didn\'t know how to type a username or domain name) or replies where the sender made a \'fat-fingered\' error. You can weigh the tradeoffs yourself, but it\'s important that you be aware of the consequences of simply deleting misaddressed email.\n',
			moreInfo : 'Read more about the biggest mistakes that enterprises commit when <a href="http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1071467,00.html" target="_blank">battling spam and viruses</a>.'
		},
		{
			text : 'What will happen to a digital signature if a footer is injected into a message after it is signed by the sender?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Because a digital signature is most likely a hash, it will have little effect on the signature.',
				'b. The digital signature will be invalidated.',
				'c. Recipients of the message will likely think that the message has been tampered with or was forged.',
				'd. Both answers b and c.'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>A digital signature is something stamped onto a message by the sender. The signature is a cryptographic operation, usually a hash, across the message content, which is then locked with the private key of the sender. The recipient can use the sender\'s public key to compare a hash they compute with the transmitted hash to see if the message has been tampered with, or isn\'t from the purported sender at all.\n<p>\nInjecting a footer into a message after it is signed by the sender will invalidate the digital signature. As a result, all recipients of the message think that the message has been tampered with or was forged. If you want to digitally sign messages and have footers, then you need to put the footer into the message before the senders add their digital signature.\n\n',
			moreInfo : 'A SearchSecurity.com reader asks Joel Dubin, "<a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1251839,00.html" target="_blank">Can a sender\'s private key and receiver\'s public key be used to create a digital signature?</a>"'
		},
		{
			text : 'What is wrong with putting message archiving functionality at the Internet gateway?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Nothing. It is your best, most efficient option.',
				'b. The messages that pass to and from the Internet are less important to auditors.',
				'c. Resources should be focused more on antispam defenses.',
				'd. Archiving at the Internet gateway will not address messages that are sent internally.'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>Message archives can only archive messages that they see. If you are only concerned with archiving messages that pass to and from the Internet, then this might work. However, if your goal in archiving messages is to meet some regulatory requirement, it is likely that you will need to archive messages that are sent internally and never go to the Internet. In that case, you will need to have the archiving function attached to the user\'s mailbox rather than to a transport path out of the network. Only this can assure that you are copying every message that the user receives. If you are more concerned with archiving every transmitted message, then the appropriate place for the archiving function is the MTA or mailbox server that the user agent uses for message submission.',
			moreInfo : 'Are there <a href="http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1323795,00.html" target="_blank">specific provisions contained within the Sarbanes-Oxley Act (SOX)</a> regarding the retention/archiving of email communications? Mike Rothman has the answer.'
		},
		{
			text : 'When encrypted mail can\'t be scanned by a compliance checker, what is the best way to address the shortcoming?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Better technology',
				'b. Stronger policies',
				'c. User awareness training',
				'd. Because encrypted mail cannot be scanned, the issue does not need to be addressed.'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>Compliance checking is a policy issue. It\'s a corporate policy to look into messages and try to see what is going on. If the message is encrypted, then clearly the compliance checker cannot look inside. Hence, this is a policy issue and not a technical issue. There are three scenarios: the policy states that such mail is out of compliance; the policy states that such mail is, by definition, within compliance; or, the policy says nothing about mail that cannot be checked.\n<p>\nIf you are lucky enough to have a policy that matches the first or second case, then you simply do what the policy says and don\'t worry about it. If your policy doesn\'t mention what to do about mail that cannot be examined, then the appropriate answer is to bring this to the attention of the policy people and have them fix the policy. Solving this problem technically, without policy input, is asking for a slap on the wrist or worse.\n',
			moreInfo : 'Before you start <a href="http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax300019,00.html" target="_blank">writing new security policies</a>, make sure to check out our SearchSecurity.com resource center on the topic.'
		},
		{
			text : 'If a policy states that you will accept 10 messages an hour, what is the <i>best</i> option for what to do with the 11th message?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. Accept it on a one-time basis',
				'b. Accept it until the messages reach a point where the spam offense is obvious.',
				'c. Temporarily refuse the message (with a 4xx response).',
				'd. Permanently refuse the message (with a 5xx response).'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nDon\'t accept it. The real answer, of course, is how you don\'t accept the message. There are two options: temporary refusal (4xx response) and permanent refusal (5xx response). In this case, the most appropriate thing to do is return a 4xx response to the message. You don\'t want to start bouncing messages because an MTA went down for an hour and has a small backlog for you.\n<p>\nIntelligent MTA design might have an escalating series of responses. For example, you could take the 11th through 1100th message and return 4xx responses, then start sending back permanent refusals (5xx responses) because it\'s clear that something is wrong on the other end that is not quickly getting better.\n<p>\nIn any case, immediately responding with a permanent refusal (5xx) may be more emotionally satisfying, but is not good practice.',
			moreInfo : 'The proliferation of botnets and profit motives are spurring new spam techniques that are getting through filters and clogging inboxes. Learn more about <a href="http://searchsecurity.techtarget.com/guide/securitySchool/category/0,296296,sid14_tax310798,00.html" target="_blank">Spam 2.0 strategies</a>.'
		},
		{
			text : 'True or false: The two most common mistakes made when searching for keywords are to ignore case significance and to improperly stem words.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'a. True',
				'b. False'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>The two most common ways to search for keywords incorrectly are to ignore case significance and to improperly stem words.\n<p>\nCase significance is the easy one because most keyword searching tools are case significant. You have to turn off case significance anytime you\'re doing policy-based keyword searches. This is the number one error that most people make.\n<p>\nStemming is a more significant problem and one that is not handled easily. Without stemming, you have to search for every variation of the word that you\'re looking for. Don\'t ignore the spaces on either side of a word (or, more precisely, the white space, which can include line breaks, tabs and other formatting characters). Good regular expression and search engines handle word stemming automatically for you; more primitive ones require you to handle this kind of stemming by yourself.\n',
			moreInfo : 'If you haven\'t already, make sure to check out the rest of our Email Essentials lesson. For more tips on antispam strategies, visit our <a href="http://searchsecurity.techtarget.com/guide/securitySchool/0,296293,sid14_gci1312841,00.html" target="_blank">Messaging Security School</a>, too. '
		}
	]
};