If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of some common security controls used to protect against malware. This includes spam filters on mail gateways.
For example, can you answer this question?
Q. Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, which provides the BEST solution?
A. Add the domain to a block list.
B. Use a URL filter.
C. Use a MAC filter.
D. Add antivirus software.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are at the end of this post.
Protecting Systems from Malware
Malware is a significant threat for any organization. Administrators commonly implement layered security, or a defense-in-depth plan, to protect against malware.
Here is a list of some common security controls used to protect against malware:
- Spam filter on mail gateways. Phishing attacks are delivered as malicious spam. Spam filters on mail gateways (either the email server itself or a dedicated filtering device that email is routed through before it reaches the server) detect and filter spam before it ever reaches users. If users never receive a malicious email, there isn’t any chance of them clicking on a malicious link in it.
- Anti-malware software on mail gateways. Malicious email often includes malware as attachments. Anti-malware software on the mail server can detect and block it. The software strips potentially malicious attachments off the email, and typically sends a notification to the user explaining what was removed and why.
- All systems. All workstations and servers have anti-malware software installed. Servers may have additional, specialized anti-malware software installed depending on the applications running on the servers.
- Boundaries or firewalls. Many networks include detection tools that monitor network traffic through the firewall. For example, unified threat management (UTM) inspects network traffic to reduce the risk of malware entering the network.
Data Execution Prevention
Data execution prevention (DEP) is a security feature that prevents code from running in memory regions marked as nonexecutable, such as the stack and the heap. Much malware depends on placing code in a data region (for example, through a buffer overflow) and then executing it; DEP blocks that step, so its primary purpose is to protect a system from malware.
DEP is enforced by both hardware and software. Advanced Micro Devices (AMD) implements the hardware side as the no-execute page-protection (NX) bit; Intel calls the same feature the Execute Disable Bit (XD). Either one is enabled in the Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI). Within Windows, DEP is configured under System Properties, Advanced, Performance Settings, on the Data Execution Prevention tab.
If NX/XD is disabled in the BIOS or UEFI and you try to install a version of Windows that requires it (Windows 8 and later), you will typically see an error message such as “Your PC’s CPU isn’t compatible with Windows.” The solution is to enable the feature in the BIOS or UEFI.
Advanced Malware Tools
Many vendors have begun developing advanced malware tools. These go beyond just examining files to determine if they are malware. As an example, Cisco’s Advanced Malware Protection (AMP) combines multiple technologies to protect a network before an attack, during an attack, and after an attack.
AMP analyzes a network to prevent attacks using threat intelligence and analytics. It collects worldwide threat intelligence from Cisco’s Security Intelligence organization, Talos Security Intelligence and Research Group, and Threat Grid intelligence feeds. This information helps it detect and alert on malware similar to any antivirus software.
During an attack, AMP uses a variety of techniques to detect and block emerging threats before they infiltrate a network, or contain and remediate malware that gets into a network. AMP uses continuous analysis to detect suspicious file and network activity within a network, which helps it detect malware operating within the network.
Security administrators view logs and alerts to analyze and interpret the output from advanced malware tools such as AMP. For example, administrators might see an alert indicating that a host is sending encrypted data to an unfamiliar external destination. Because legitimate traffic such as HTTPS is also encrypted, this is not proof by itself, but it is a serious red flag that malware may be collecting data and sending it to an attacker, and it should be investigated.
Spam Filters
Organizations often implement a multipronged approach to block spam. For example, many UTM systems include spam filters to detect and block spam. The output of the UTM goes to an email server. Email servers also have methods of detecting and blocking spam. The email server sends all email to the users, except for what it detects as spam. User systems also have anti-spam filters, or junk mail options, as a final check.
The challenge with any spam filter is to only filter out spam, and never filter out actual email. For example, a company wouldn’t want a spam filter to filter out an email from a customer trying to buy something. Because of this, most spam filters err on the side of caution, allowing spam through rather than potentially marking valid email as spam. Although the science behind spam filtering continues to improve, criminals have also continued to adapt.
Spam filters typically allow you to identify email addresses as safe, or to be blocked. You can add these as individual addresses or as entire domains. For example, if you want to ensure you get email from Homer when he sends email from springfield.com, you can identify homer@springfield.com as a safe email address. If you want to ensure you get all email from springfield.com, you can designate springfield.com as a safe domain. Similarly, you can block either the single email address homer@springfield.com or the entire domain springfield.com.
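The following is an added example, not code from this post or from any product mentioned in it. It shows the safe-list and block-list logic just described running on a handful of constructed From headers, together with the conservative scoring behaviour from the previous paragraph. The precedence rule (a safe entry wins over a blocked entry), the subdomain matching, and the `SPAM_THRESHOLD` value are assumptions made for this example; how a particular gateway resolves conflicts between its lists is product-specific.

```python
from email.utils import parseaddr
from typing import Iterable, Optional, Tuple

# Scores above this are treated as spam. The value is deliberately high so that
# borderline mail is delivered rather than lost (assumed threshold, not a standard).
SPAM_THRESHOLD = 5.0

# Constructed lists for the example. An entry with '@' is one mailbox; an entry
# without '@' is a domain. Note that homer is explicitly safe-listed even though
# his domain is blocked, to show the precedence rule below.
SAFE = ["homer@springfield.com", "partner.example"]
BLOCKED = ["springfield.com", "spam.example"]


def match_entry(entries: Iterable[str], address: str) -> Optional[str]:
    """Return the first list entry that covers `address`, or None.

    A mailbox entry must match the full address exactly. A domain entry also
    covers its subdomains, so 'spam.example' matches 'x@promo.spam.example'.
    Comparison is case-insensitive because mail domains are.
    """
    address = address.lower()
    _, _, domain = address.rpartition("@")
    for entry in (e.lower() for e in entries):
        if "@" in entry:
            if entry == address:
                return entry
        elif domain == entry or domain.endswith("." + entry):
            return entry
    return None


def classify(from_header: str, score: float,
             safe: Iterable[str] = SAFE,
             blocked: Iterable[str] = BLOCKED) -> Tuple[str, str]:
    """Decide what to do with a message: ('deliver' | 'junk' | 'reject', reason).

    Explicit list entries are consulted before the heuristic score, so the
    score can never override an administrator's decision, and the safe list
    is checked first so one mailbox can be allowed inside a blocked domain.
    """
    # parseaddr returns the real address from the angle brackets, so a display
    # name that merely looks like a trusted mailbox is not what gets matched.
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "junk", "unparseable From header"
    hit = match_entry(safe, address)
    if hit:
        return "deliver", f"safe entry {hit}"
    hit = match_entry(blocked, address)
    if hit:
        return "reject", f"blocked entry {hit}"
    if score > SPAM_THRESHOLD:
        return "junk", f"score {score} above {SPAM_THRESHOLD}"
    return "deliver", f"score {score} within threshold"


# Constructed sample messages (From header, heuristic spam score); not real traffic.
SAMPLES = [
    ('"Homer Simpson" <homer@springfield.com>', 8.0),            # safe beats score
    ("<marge@springfield.com>", 0.5),                            # blocked domain
    ("<deals@promo.spam.example>", 1.0),                         # blocked subdomain
    ('"homer@springfield.com" <phisher@spam.example>', 2.0),     # spoofed display name
    ("<customer@unknown.example>", 4.9),                         # unknown, low score
    ("<offer@unknown.example>", 9.2),                            # unknown, high score
]


def run_samples() -> list:
    """Classify every sample and return the decisions in order."""
    return [classify(hdr, score) for hdr, score in SAMPLES]


if __name__ == "__main__":
    for (hdr, score), (action, reason) in zip(SAMPLES, run_samples()):
        print(f"{action:8} {reason:40} {hdr}")
```

The fourth sample is the case a practitioner most wants covered: the display name is a trusted address, but the mailbox in the angle brackets is in a blocked domain, and the decision is made on the mailbox. The fifth sample shows the conservative threshold in action: a message that scores just under the limit is delivered, which is the trade-off the preceding paragraph describes.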
Q. Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, which provides the BEST solution?
A. Add the domain to a block list.
B. Use a URL filter.
C. Use a MAC filter.
D. Add antivirus software.
Answer is A. You can block emails from a specific domain sending spam by adding the domain to a block list. While the question doesn’t indicate that the spam is coming from a single domain, this is still the best answer of the given choices.
A URL filter blocks outgoing web requests to specific URLs and could keep users from reaching the malicious web sites linked in the spam, but it doesn’t stop the email itself.
Routers and switches use MAC filters to restrict access within a network.
Antivirus software does not block spam.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on malware.