300-720 Securing Email with Cisco Email Security Appliance (300-720 SESA) Questions and Answers

Large file attachments will be sent as a securedoc attachment. This means that the recipient will receive an encrypted message with a securedoc.html attachment that contains a link to download the large file from the Cisco Secure Email Encryption Service portal[ 2 , p. 9].

This feature can only be enabled if the Read from Message feature is enabled. The Read from Message feature allows you to encrypt messages based on keywords or phrases in the subject or body of the me ssage. You need to enable this feature before you can enable the large file attachments feature[ 2 , p. 8].

The other options are not valid because:

A. Large file attachments can be sent using both the websafe portal and the Cisco Secure Email Add-In. The we bsafe portal allows you to compose and send encrypted messages from any web browser, while the Cisco Secure Email Add-In allows you to encrypt messages from your email client such as Outlook[ 2 , p. 6-7].

B. This feature allows users to send up to 100MB of a ttachments in a secure email, not 50MB[ 2 , p. 9].

D. Large file attachments can be sent using both the websafe portal and the Cisco Secure Email Add-In. The websafe portal allows you to compose and send encrypted messages from any web browser, while the Cis co Secure Email Add-In allows you to encrypt messages from your email client such as Outlook[ 2 , p. 6-7].

To allow phishing simul-ations to bypass antispam scanning, the administrator must add two components to the allow list: domains and senders. Domains are the email domains that are used in the phishing simulations, such as example.com or test.com. Senders are the email addresses that are used to send the phishing simulations, such as phish@example.com or tes t@test.com. By adding these components to the allow list, the administrator can prevent them from being blocked by antispam scanning and allow them to reach the end users for testing purposes.  References : [Cisco Secure Email Gateway Administrator Guide - C reating Allow Lists]

The default behavior of any listener for TLS communication is B. off. This means that TLS is not allowed for incoming connections to the listener and connection s to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is stated in the web search result  1 .  To enable TLS for a listener, you need to configure the Use TLS option in the mail flow policy settings for the listener on the Mail P olicies > HAT Overview page 1 .  You can choose from three different settings for TLS: No, Preferred, or Required 1 .

Public/Private keypair. A public/private keypair is a pair of cryptographic keys that are used to generate and verify digital signatures. The private key is used to sign the email message, while the public key is used to verify the signature. The public ke y is published in a DNS record, while the private key is stored on the Cisco Secure Email Gateway appliance[ 1 , p. 2].

Domain signing profile. A domain signing profile is a configuration that specifies the domain and selector to use for signing outgoing mes sages, as well as the signing algorithm, canonicalization method, and header fields to include in the signature. You can create multiple domain signing profiles for different domains or subdomains[ 1 , p. 3].

The other options are not valid because:

A. DMARC verification profile is not a component for utilizing a digital signature in outgoing emails. It is a component for verifying the authenticity of incoming emails based on SPF and DKIM results[ 2 , p. 1].

B. SPF record is not a component for utilizing a digi tal signature in outgoing emails. It is a component for validating the sender IP address of incoming emails based on a list of authorized IP addresses published in a DNS record[ 3 , p. 1].

E. PKI certificate is not a component for utilizing a digital signatu re in outgoing emails. It is a component for encrypting and decrypting email messages based on a certificate authority that issues and validates certificates[ 4 , p. 1].

If the McAfee antivirus scanning is enabled on the Cisco Secure Email Gateway and the virus scanning action is set to “scan for viruses only”, then no repair is attempted, and the attachment is either dropped or delivered based on the antiv irus policy settings. The administrator can choose to drop or deliver the infected attachment by selecting the appropriate action in the antivirus policy.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring McAfee Antivirus Scanning]

The global setting that is configured under Cisco ESA Scan Behavior is the actions for unscannable messages due to attachment type. This setting allows the administrator to specify what action to take when a message contains an attachment that cannot be scanned by the appliance, such as encrypted or password-protected files. The possible actions are:

Deliver - Deliver the message normally.

Drop - Drop the message silently without notifying the sender or recipient.

Quarantine - Quarantine the message in a specified policy quarantine.

Bounce - Bounce the message back to the sender with a specified reason.

User and routing are two query types that are available when an LDAP profile is configured on Cisco ESA. User queries are used to validate end-user credentials, such as for Spam Quarantine End-User Authentication or SMTP Authentication. Routing queries are used to determine the destination mail server for a recipient, such as for Mail Flow Policies or Delivery Methods.

Configuring the outbound firewall rule to permit traffic on port 3237 is the additional action that resolves the issue. AMP file reputation is a feature that allows Cisco ESA to check files attached to messages against a cloud-based database of known malicious files and apply appropriate actions, such as block, deliver, or quarantine.

By default, AMP file reputation uses TCP port 3237 to communicate with the cloud-based database. If this port is blocked by a firewall, AMP file reputation will not work properly.

To resolve this issue, the administrator can configure the outbound firewall rule to permit traffic on port 3237 from Cisco ESA.

The other options are not valid actions to resolve the issue, because they do not affect the port used by AMP file reputation.

When DKIM (DomainKeys Identified Mail) signing is configured on Cisco ESA, the DNS record that must be updated to load the DKIM public signing key is the TXT record. The TXT record is used to store arbitrary text information in the DNS, such as the DKIM public key, which can be retrieved by the recipients to verify the DKIM signature in the message header.

External spam quarantine is a feature that allows Cisco SMA to store and manage spam messages quarantined by multiple Cisco ESAs in one central location, providing a unified view and administration of the spam quarantine data.

The maximum attachment size to scan is a configuration on the scan behavior that determines the maximum size of an attachment that Cisco ESA will scan for viruses and malware. If an attachment exceeds this size, Cisco ESA will apply the configured action for unscannable messages, such as deliver, drop, or quarantine.

To allow the attachment to be scanned on the Cisco ESA, this configuration must be updated to a larger value than the attachment size, which is 10 MB according to the message header.

The other options are not valid configurations to allow the attachment to be scanned on the Cisco ESA, because they do not affect the maximum attachment size to scan.

The content filter condition that checks to see if the “From: header” in the message is similar to any of the users in the content dictionary is Forged Email Detection. This condition compares the sender’s name or email address with a list of names or email addresses in a content dictionary and triggers an action if they match or are similar.  References : [Cisco Secure Email Gateway Administrator Guide - Forged Email Detection]

Message splintering is a process that occurs when configuring separate incoming mail policies on Cisco ESA. Message splintering means that Cisco ESA will split a single incoming message into multiple copies, each with a different recipient and policy, and apply different security services and actions to each copy.

Disabling the Local Spam Quarantine to Activate the External Quarantine If you were using a local spam quarantine before enabling an external spam quarantine, you must disable the local quarantine in order to send messages to the external quarantine. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0101010.html?bookSearch=true#con_1172419

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_ chapter_01011.html

According to the User Guide for AsyncOS 12.0 for Cisco Email Security Appliances 2 , the order of virus scanning when multilayer antivirus scanning is configured is as follows:

The McAfee engine scans the message first. If the McAfee engine detects a virus, the message is dropped or repaired, depending on the configuration. If the McAfee engine does not detect a virus, the message is passed to the next layer of scanning.

The Sophos engine scans the message second. If the Sophos engine detects a virus, the message is dropped or repaired, depending on the configuration. If the Sophos engine does not detect a virus, the message is delivered to the recipient.

A TXT record is a type of DNS record that contains arbitrary text data that can be used for various purposes such as verification, configuration, or authentication. A TXT record can contain the DKIM public key per RFC 6376, which is used to verify the digital signature of an email message generated by the DKIM private key of the sender domain.

The other options are not valid because:

A. A CNAME record is a type of DNS record that maps an alias name to a canonical name or another alias name. It does not contain any DKIM public key information.

B. An AAAA record is a type of DNS record that maps a hostname to an IPv6 address. It does not contain any DKIM public key information.

D. A PTR record is a type of DNS record that maps an IP address to a hostname, which is the reverse of an A or AAAA record. It does not contain any DKIM public key information.

The type of attack that is prevented by configuring file reputation filtering and file analysis features is zero-day. Zero-day attacks are those that exploit unknown vulnerabilities in software or systems before they are patched or fixed. File reputation filtering and file analysis features help to protect against zero-day attacks by checking the reputation of files attached to email messages and sending them to a cloud-based service for dynamic analysis.

To allow the Cisco ESA to encrypt an email using the CRES (Cisco Registered Envelope Service), a provisioned email encryption profile must be configured on Cisco ESA. A provisioned email encryption profile is a type of encryption profile that specifies how messages are encrypted using CRES, such as the encryption key strength, the notification options, the branding settings, etc.

one of the methods to enable Cisco SecureX integration on a Cisco Secure Email Gateway appliance is to use the Threat Response service 1 .  This s ervice allows the appliance to send telemetry data to the SecureX cloud and provide visibility and response capabilities across multiple security products 1 .  To use this service, the administrator needs to perform the following steps 1 :

Enable the Threat Respons e service: The administrator needs to go to Network > Cloud Service Settings and enable the Threat Response service.  This will generate a registration token that can be use d to register the appliance with SecureX 1 .

Select the correct Threat Response Server: The administrator needs to select the appropriate Threat Response server based on the region where the appliance is located.  The availa ble regions are North America, Europe, and Asia Pacific 1 .

If the assigned certificate under one of the IP interfaces is modified, then the HTTPS traffic when connecting to the web user interface of the Cisco Secure Email Gateway will be impacted. The administrator must ensure that the certificate is valid and trusted by the browser or client that is used to access the web user interface. Otherwise , the connection may fail or generate a warning message.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring Certificates]

Message filters can only be applied to the ESA via command line. So, you will need command line access to the ESA.

Log into the ESA via command line.

Run the following highlighted commands to apply the message filter to the ESA:

ironport.example.com > filters

Choose the operation you want to perform:

- NEW - Create a new filter.

- IMPORT - Import a filter script from a file.

[] > NEW

Enter filter script. Enter ' . ' on its own line to end.

large_spam_no_attachment:

if ((body-size > 2097152) AND NOT (attachment-size > 0)) {

quarantine( " large_spam " );

log-entry( " *****This is a large message with no attachments***** " );

}

1 filters added.

Enabling Logging of URLs and Message Tracking Details for URLs

Logging of URL-related logs, and display of this information in Message Tracking details, is disabled by default. This includes the logs for the following events:

Category of any URL in the message matches the URL category filters

Reputation score of any URL in the message matches URL reputation filters

Outbreak Filter rewrites any URL in the message

To enable logging of these events, use the outbreakconfig command in the command-line interface (CLI).

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01110.html?bookSearch=true

To perform DLP scanning on Cisco ESA, two components must be configured:

Add a DLP policy to the DLP Policy Manager, which is a repository of predefined or custom DLP policies that specify what types of data to scan for and what actions to take if a match is found.

Enable a DLP policy on the Outgoing Mail Policy, which is a set of rules that determine how outgoing messages are processed by Cisco ESA, including whether to apply DLP scanning or not.

Bounce Verification is a feature that mitigates denial of service attacks on Cisco ESA. A denial of service attack is an attempt to overwhelm a system or network with excessive traffic or requests, rendering it unavailable or slow for legitimate users. Bounce Verification prevents Cisco ESA from accepting bounce messages that are not generated by it self or by trusted hosts, reducing the load on the system and preventing backscatter spam.

Message filter and content filter are two filters that should be configured to address this issue. Message filter and content filter are rules that allow Cisco ESA to perform actions on messages based on predefined or custom conditions, such as headers, envelope, body, attachments, etc.

To reduce the number of inappropriate emails containing profanity, the network administrator can create a dictionary that contains a list of profane words or phrases and use it as a condition in a message filter or content filter that applies an action of “drop”, “quarantine”, or “modify subject” on the matching messages.

The other options are not valid filters to address this issue, because they do not use dictionaries or conditions based on message content.

A content filter action is an operation that Cisco ESA performs on a message if it matches the conditions of a content filter rule, such as headers, envelope, body, attachments, etc.

Quarantine is a valid content filter action that allows Cisco ESA to store the message in a quarantine area for further review or release by an administrator or an end user.

The other options are not valid content filter actions on Cisco ESA.

A benefit of implementing URL filtering on the ESA is that it provides URL reputation protection. URL filtering uses SenderBase, a web-based service that collects information about URLs and domains from various sources, to assign a reputation score and a cate gory to each URL. Based on these attributes, you can configure content or message filters to take actions on messages containing malicious or undesirable URLs.

Geolocation-based filtering and senderbase reputation filtering are two features of Cisco Email Security that can be added to a Sender Group to protect an organization against email threats. Geolocation-based filtering allows Cisco ESA to accept or reject connections from email servers based on their geographic location, such as country or continent. Senderbase reputation filtering allows Cisco ESA to reject or throttle connections from email servers based on their reputation score, which is calculated by Talos using sensor information from various sources.

Step 1: Select Microsoft O365 as the message source.

Step 2: Set the Microsoft 365 Authentication to Read (visibility only, no remediation).

Step 3: Log in with a Microsoft 365 Global Admin account.

Step 4: Accept the permissions requested for the Secure Email Threat Defense app.

To use DKIM for outbound email, the administrator must export the DNS TXT record from the Cisco Secure Email Gateway and provide it to the DNS registrar of the domain. This will allow the recipient servers to verify the DKIM signature of the email by querying the DNS rec ord of the sender domain.  References : [Cisco Secure Email Gateway Administrator Guide - Configuring DKIM Signing]

Message-filter order and MIME structure of the message are two factors that must be considered when message filter processing is configured on Cisco ESA. Message-filter order determines the sequence in which message filters are evaluated and applied to incoming messages, which can affect the final outcome of the filtering process. MIME structure of the message determines how message filters match against different parts of the message, such as headers, body, attachments, etc., which can affect the accuracy and performance of the filtering process.

The altsrchost command enables an engineer to deliver a flagged message to a specific virtual gateway address in the most flexible way. This command allows you to specify an alternate source host for messages that match a message filter. You can use this command to route messages to different virtual gateways based on the message content or attributes.

If you store user information within LDAP directories in your network infrastructure you can configure the appliance to query your LDAP servers to accept, route, and authenticate messa ges. https://www.cisco.com/c/en/us/td/docs/security/esa/esa11- 0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_011010.html

The maximum message size that can be configured for encryption on the Cisco ESA is 25 MB. This is the default value for the Maximum Message Size for Encryption setting in the Encryption Profile. Messages that exceed this size will not be encrypted and will be delivered as normal.

Modify Subject is an additional option that should be used to help the end users be aware of the elevated risk of interacting with these messages. Modify Subject allows the administrator to add a prefix or suffix to the message subject, such as “[SPF Fail]”, to indicate that the message has failed the SPF verification and may be fraudulent or spoofed.

The other options are not valid additional options to help the end users be aware of the elevated risk of interacting with these messages, because they do not affect the message subject or provide any warning to the end users.

According to the User Guide 1 , the steps to configure End-User Access to the Spam Quarantine via LDAP are as follows:

On the ESA, choose System Administration > LDAP > LDAP Server Profile page.

Click Add LDAP Server Profile.

Enter a name for the profile and click Submit.

Click Add Query.

Enter a name for the query and click Submit.

Configure the query settings, such as server address, port number, base DN, scope, filter, and attributes.

Check the Spam Quarantine End-User Authentication Query check box. This is the suboption that enables LDAP authentication for end users who access the spam quarantine.

Check the Designate as the active query check box. This is the suboption that specifies which query to use for end-user authentication. Only one query can be active at a time.

Click Submit and commit changes.

On the ESA, choose Monitor > Spam Quarantine > End-User Quarantine Access.

Check the Enable End-User Quarantine Access check box.

Choose LDAP from the End-User Authentication drop-down list.

Select the LDAP profile and query that you created earlier from the drop-down lists.

Click Submit and commit changes.

According to the [Cisco Secure Email User Guide] , graymail is a category of email messages that are not spam but may be unwanted by some recipients, such as newsletters, promotions, or social media updates[ 5 , p. 25]. Marketin g is one of the subcategories of graymail that includes messages that advertise products or services[ 5 , p. 26].

The other options are not valid because:

A. Malicious is not a category for classifying graymail. It is a category for classifying email message s that contain malicious content such as malware, phishing, or fraud[ 5 , p. 25].

C. Spam is not a category for classifying graymail. It is a category for classifying email messages that are unsolicited, unwanted, or harmful[ 5 , p. 25].

D. Priority is not a category for classifying graymail. It is a category for classifying email messages that are important, urgent, or relevant[ 5 , p. 25].