Read this whole guide offline with no ads, for a low price!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Need more practice? 300 additional Security+ questions!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.2  Email
           9  2.2.3  Vulnerabilities

Previous Topic/Section
Client-Side Issues
Previous Page
Pages in Current Topic/Section
1
Next Page
2.2.3.1  Spam
Next Topic/Section

Implementation Flaws

And then, as always, there are implementation flaws. Both Sendmail and Microsoft Exchange are infamous for bugs affecting mail server security. Rather than go through a laundry list of bugs here, we’ll just say that there have been problems in both which could result in an attacker gaining system administrator privileges. See your vendor for details – they’ll have plenty of them. There is no excuse for not watching for security bulletins and keeping key software packages, particularly ones as widely used as those email servers, updated with the vendor’s latest security fixes. If you don’t, your mail server risks “death by script kiddie”.

Still other vulnerabilities involve purely content issues -- undesirable messages sent via email, including Spam and hoaxes – which are discussed in the next section.

Email Security

Email security issues include:

· Header and data privacy during transmission, logging and storage

· Lack of sender authentication in protocols for sending mail makes sending spoofed emails (with forged sender information) easy (this is a reason to use S/MIME or PGP)

· Some mail-related protocols such as POP3 and IMAP still require the user to send user/password information in clear text or with weak encryption, allowing attackers to obtain user passwords

· Issues in email-related client and server programs

· Risk for transmission of undesirable content such as viruses.


Email in the Real World

How does your organization handle email? Do you have an email security policy? How much sensitive information can be gained about your organization by sniffing email packets as they travel around the network? You might want to look into implementing S/MIME or PGP.



Previous Topic/Section
Client-Side Issues
Previous Page
Pages in Current Topic/Section
1
Next Page
2.2.3.1  Spam
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.