Peeling back the layers of GTMaritime security

26th January 2018

Did you catch our recent webinar where we peeled back the layers providing an inside look into what security systems GTMaritime adopt to help protect your email flow?

If you missed it, you can view the recording here.

Introduction

As part of our commitment to bringing you the best service, we will be hosting monthly WebEx sessions for our resellers. These will cover a range of subjects, including hot topics within the maritime industry, presentations from relevant external and internal experts, and GTMaritime products, as well as sessions on training and sales support.

These sessions will be hosted by our sales and operations team, providing you with the opportunity to connect with both your individual sales manager and our wider team.

For our November Webinar, we walked you through ‘Peeling back the layers of GTMaritime security’.

Don’t worry if you missed it, you can still access the recording here.

Or, you can read all the information below.


Peeling back the layers

Before accepting an inbound email into our infrastructure, a number of ‘frontline tests’ are conducted which typically reject a high percentage of unsolicited emails before they are even received. These tests include RBL checking, SPF checking, greylisting and reverse DNS lookup.


What is an RBL?

An RBL, also known as a real-time blacklist, is a list of IP addresses of mail servers across the internet that have a reputation for sending spam, including compromised machines.


There are many companies offering such services; one in particular, Spamhaus, is currently utilised by GTMaritime.

RBL checking can block up to 90% of all incoming mail, making it a “must have” test for any email system.


What is SPF?

SPF, also known as Sender Policy Framework, is a method for publishing a list of servers authorised to send mail for a particular domain. This allows SPF-enabled mail servers to look up the SPF record for the sender’s domain and verify whether the server sending the mail is listed in it.


An example of GTMaritime’s SPF record is as follows: v=spf1 include:satcloud247.com -all

This example only allows the mail servers listed by the satcloud247.com domain’s SPF record to send; the -all at the end marks every other server as a fail.
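To show how a receiving server actually evaluates that record, here is an added SPF evaluator (example code, not GTMaritime’s own). It resolves the record through a constructed in-memory table instead of live DNS: the gtmaritime.com entry is the record quoted above, while the contents of the included satcloud247.com record and the IP ranges are assumptions for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption, not live records).
# gtmaritime.com carries the record quoted in the article; the contents of
# the included satcloud247.com record are invented for this example.
SPF_RECORDS = {
    "gtmaritime.com": "v=spf1 include:satcloud247.com -all",
    "satcloud247.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate `domain`'s SPF record against the connecting client IP.

    Returns pass / fail / softfail / neutral / none / permerror, following
    the result names of RFC 7208. Only ip4, ip6, include and all are handled.
    """
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = SPF_RECORDS.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # membership is False when the IP and network versions differ
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include: matches only if the referenced record yields "pass"
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # mechanism not supported here
    return "neutral"                     # nothing matched and no "all" term
```

A connection from an address inside the included ranges passes; anything else hits the -all and fails, which is what lets the receiving server reject a forged sender before accepting the message.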


What is greylisting?

Greylisting temporarily rejects all mail. All SMTP-compliant mail servers will defer the mail and resend it after a set period of time, usually around 5 minutes.

Spam-sending servers are rarely SMTP compliant, so it is very likely that they will not resend the rejected mail, and the spam is blocked straight away. If a spam server does resend the mail, it is likely that the spam server’s IP address will have been blacklisted by the time the mail is received a second time, and a different test will block it.


The simple act of delaying the mail greatly increases the probability that it will be blocked.
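The greylisting behaviour described above, as an added example (not GTMaritime’s implementation): state is kept in memory per (client IP, envelope sender, envelope recipient) triplet, the first attempt gets an SMTP temporary failure, and a retry is only accepted once the 5 minute delay has elapsed. The 4 hour retry window and the response strings are assumptions.

```python
import time

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    """Temporarily reject the first delivery attempt for each
    (client IP, envelope sender, envelope recipient) triplet and accept a
    retry only once `delay` seconds have passed.
    Assumptions: in-memory state, a 5 minute delay and a 4 hour window in
    which the retry must arrive before the triplet is forgotten."""

    def __init__(self, delay=300, retry_window=4 * 3600, clock=time.time):
        self.delay = delay
        self.retry_window = retry_window
        self.clock = clock               # injectable so tests can move time
        self.first_seen = {}

    def check(self, client_ip, sender, recipient):
        now = self.clock()
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.delay + self.retry_window:
            # Never seen, or an old entry whose retry never came: start over.
            self.first_seen[key] = now
            return DEFER
        if now - first < self.delay:
            return DEFER                 # retried too early, keep deferring
        return ACCEPT                    # a compliant MTA that waited it out

    def purge(self):
        """Drop triplets whose retry window has expired; returns how many."""
        cutoff = self.clock() - (self.delay + self.retry_window)
        stale = [k for k, t in self.first_seen.items() if t < cutoff]
        for k in stale:
            del self.first_seen[k]
        return len(stale)
```

A sender that never retries leaves only a stale triplet behind, which purge() discards; a sender that retries after the delay is accepted without any content inspection having been needed.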


What is Reverse DNS lookup?

Reverse DNS lookup validates the fully qualified domain name of the sending mail server against its IP address.


Attachment scanning

Any attachments contained within mail are examined to see if they are listed as a banned attachment type.

“It only takes one click of a link on a malicious email to allow malware into your network, and the cost of such an error can be colossal.” – SpamTitan 2017


Spam content checks

This category encompasses tens of thousands of individual tests.  These tests examine the actual content of the mail and try to determine if a mail contains spam-like content.  Only a small percentage of mail will make it this far.

Examples of the spam content checks are as follows:

  • Identification of spam-like phrases and words in the mail body
  • Links in the mail body that contain domains that are on URI blacklists
  • Fuzzy-checksum-based spam detection (Pyzor & Razor)
  • Bayesian filtering

Bayesian filtering is a spam-learning technique in which libraries of known spam keywords are used to score each mail; the system self-learns as it applies this filtering method.
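To make the self-learning step concrete, here is an added naive Bayes filter (example code, not the page’s own): each word’s spam and ham frequencies are learned from labelled mail and combined into a spam probability, and every further classified mail can be fed back through learn(). The training sentences are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (assumption: not GTMaritime data).
SPAM_SAMPLES = [
    "Win a free prize claim your money now",
    "Cheap pills buy now free shipping",
    "Urgent claim your lottery prize money",
]
HAM_SAMPLES = [
    "Vessel ETA Singapore Tuesday, please confirm berth",
    "Crew change paperwork attached for port agent",
    "Please confirm bunker delivery schedule",
]

def tokens(text):
    return set(re.findall(r"[a-z0-9$']+", text.lower()))

class BayesFilter:
    """Naive Bayes spam filter built from per-word spam/ham document counts."""

    def __init__(self):
        self.spam_docs = Counter()   # word -> number of spam mails containing it
        self.ham_docs = Counter()
        self.n_spam = 0
        self.n_ham = 0

    def learn(self, text, is_spam):
        # Self-learning: every mail the system classifies can be fed back here
        (self.spam_docs if is_spam else self.ham_docs).update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text):
        # Work in log-odds; Laplace (+1) smoothing stops a never-seen word
        # from driving the probability to exactly 0 or 1.
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for word in tokens(text):
            p_spam = (self.spam_docs[word] + 1) / (self.n_spam + 2)
            p_ham = (self.ham_docs[word] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

def build_filter():
    f = BayesFilter()
    for text in SPAM_SAMPLES:
        f.learn(text, True)
    for text in HAM_SAMPLES:
        f.learn(text, False)
    return f
```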

“64% of malware was ransomware in 2016” – Symantec


Block Dangerous File Types

We take preventative action to block dangerous file types from being delivered through the systems.

The current blocklist as of November 2017 is as follows:

Blocked file types:

ADE, ADP, APP, ASP, BAS, BAT, CER, CHM, CLA, CLASS, CMD, CNT, COM, CPL, CSH, DER, DLL, EXE, EXE-MS, FXP, GADGET, GRP, HLP, HTA, INS, ISP, ITS, JAR, JS, JSE, KSH, LNK, MAD, MAF, MAG, MAM, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MCF, MDA, MDT, MDW, MDZ, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSI, MSP, MST, OCX, OPS, OSD, OXN, PCD, PIF, PL, PLG, PRF, PRG, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PST, REG, SCF, SCR, SCT, SHB, SHS, TMP, URL, VB, VBE, VBP, VBS, VSMACRO, VSW, WS, WSC, WSF, WSH, XBAP, XNK

MIME types filtered:

  • application/ecmascript
  • application/javascript
  • application/x-java-archive
  • application/x-javascript
  • application/x-msdos-program
  • application/x-msdownload
  • text/ecmascript
  • text/javascript


Mail Filters

From the GTMaritime dashboard, direct control over which messages are allowed and rejected can be configured using rules. This category allows control using multiple filter types, such as:

  • Sender matches / does not match
  • Recipient matches / does not match
  • Subject contains
  • Is a high priority message
  • Message size is larger than
  • Attachment size is larger than


Multiple AV scanning

Anti-virus products work using signature-based scanning, which only recognises known variants already held in their databases. This is a problem, as malware first has to be released into the wild before an anti-virus vendor can test it and release the necessary updates for their software to recognise each variant.

At GTMaritime we utilise a multi-vendor approach to anti-virus scanning to provide greater coverage and decrease risk.


Advanced Threat Protection (ATP)

GTMaritime’s Advanced Threat Protection (ATP) adds an additional layer of protection, providing advanced malware detection backed by a global threat intelligence network. With its deep content inspection, the ATP solution uses behaviour-based technology in an elastic sandbox environment to visualise and report on exactly what the malware interacts with, compared to typical signature-based detection, which relies on previously known exploits.

Sophisticated malware can determine whether it is on an actual user’s device or inside an environment such as a sandbox or a virtual machine instance. Once it detects such an environment it alters its behaviour and avoids detection. Deep content inspection can remain hidden while determining which malicious objects are capable of such evasion techniques, and then provide the appropriate input to analyse the complete range of malicious behaviour.

“The ATP which GTMaritime uses scored a perfect detection rate of 100% in all test categories with zero false positives. No other vendor or product has achieved this level of performance, in over 20 years of testing.” – NSS Labs, 2017


Anti-Phishing

GTMaritime’s Anti-Phishing protection examines a number of key indicators within the email content, including:

  • Sending domain – validates the age of registration and determines if the sending domain is genuine, monitoring domain names that closely match a true corporate domain.
  • Header mismatch – determines whether the sender is hiding their real email address
  • Display name analysis – determines whether the sender is attempting to spoof an internal sender.
  • Keyword analysis – known attack phrases are closely examined against the threat database to determine authenticity of content.

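Three of the indicators above (header mismatch, display name analysis and look-alike sending domains) can be checked directly from message headers. The following is an added example of such a check (not GTMaritime’s product code): the corporate domain, the set of internal display names, the edit-distance threshold and the sample message are all assumptions constructed for the example, and domain age is not covered because it needs registration data.

```python
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                     # assumption
INTERNAL_NAMES = {"jane smith", "fleet operations"}  # assumption: staff names


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sending domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return the indicators that fired for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    hits = []
    # Header mismatch: replies or bounces routed away from the From domain
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(hdr, ""))
        if other and _domain(other) != from_dom:
            hits.append(f"header mismatch: {hdr} is {_domain(other)}, From is {from_dom}")
    # Display name analysis: an internal-looking name on an external address
    if name.strip().lower() in INTERNAL_NAMES and from_dom != CORPORATE_DOMAIN:
        hits.append(f"display name '{name}' spoofs an internal sender from {from_dom}")
    # Sending domain: within two edits of the corporate domain (assumed threshold)
    if from_dom != CORPORATE_DOMAIN and edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        hits.append(f"look-alike domain {from_dom} resembles {CORPORATE_DOMAIN}")
    return hits


# Constructed sample message (not a real email)
SAMPLE = """\
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: accounts@mailbox.invalid
To: ops@example.com
Subject: Urgent payment

Please process the attached invoice today.
"""
```

A message that fires any of these indicators would be the kind tagged for quarantine in the dashboard described below; a genuine internal message with matching From and Reply-To domains produces no hits.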
If detected as suspicious, the email will be tagged for quarantine, which can be closely monitored through reporting and control in the GTMaritime Dashboard.

If you would like further information about anything in the above article, or any of our products or services, please feel free to get in touch with us.

———————————————————————————-

GTMaritime
Wherever you are, we are.

Since 1998 GTMaritime has been providing a range of technology solutions and services to the maritime industry that serve to enable effective communications over satellite.

We specialise in providing solutions and services that help ensure vessel compliance and business operability 365 days a year, as well as keeping crew in touch with friends and family whilst at sea. All of this is backed up by a market leading infrastructure and unrivalled 24-hour customer support, every day of the year.

We provide these services from two offices – one in the UK and the other in Singapore – and increasingly through an established and growing network of resellers and partners around the world.

Company Details

UK Head Office – Global Technology House, 11 Padgate Business Park, Green Lane, Warrington, WA1 4JN.
Singapore Office – 6RQ Executive Suites, 6 Raffles Quay, #15-00, Singapore 048580

Tel: +44 (0)1925 818 918
Email: sales@gtmaritime.com