Peeling back the layers of GTMaritime security
As part of our commitment to bringing you the best service, we will be hosting monthly WebEx sessions for our resellers, providing information across a range of subjects including hot topics within the maritime industry, presentations from relevant external and internal experts, and GTMaritime products, as well as sessions on training and sales support.
These sessions will be hosted by our sales and operations team, providing you with the opportunity to connect with both your individual sales manager and our wider team.
For our November Webinar, we walked you through ‘Peeling back the layers of GTMaritime security’.
Don’t worry if you missed it, you can still access the recording here.
Or, you can read all the information below.
Peeling back the layers
Before accepting an inbound email into our infrastructure, a number of ‘frontline tests’ are conducted which will typically reject a high percentage of unsolicited emails before they are even received. These tests include: RBL checking, SPF checking, greylisting and reverse DNS lookup.
What is an RBL?
An RBL (real-time blackhole list) is a published list of IP addresses known to send spam; the receiving server checks the address of each connecting mail server against the list and rejects connections from listed addresses. There are many companies offering such services, one in particular being Spamhaus, which is currently utilised by GTMaritime.
RBL checking can block up to 90% of all incoming mail, making it a “must have” test for any email system.
What is SPF?
SPF (Sender Policy Framework) is a method for publishing a list of the servers authorised to send mail for a particular domain. This allows SPF-enabled mail servers to look up the SPF record and verify whether the server sending the mail is listed in it.
An example of GTMaritime’s SPF record is as follows: v=spf1 include:satcloud247.com -all
This example only allows the mail servers listed in satcloud247.com’s own SPF record to send mail for the domain; the -all at the end tells receivers to reject mail from any other source.
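As an added example (not GTMaritime's code), this is the check an SPF-enabled receiver performs on a record like the one above, evaluated against a constructed DNS table so it runs offline; the gtmaritime.com name, the contents of the satcloud247.com record and the IP addresses are assumptions for the example.

```python
import ipaddress

# Constructed DNS TXT answers standing in for live lookups so the example runs offline.
# "gtmaritime.com" is an assumed name for the domain whose record the page quotes, and the
# satcloud247.com record is invented for the example; only its inclusion comes from the page.
DNS_TXT = {
    "gtmaritime.com": "v=spf1 include:satcloud247.com -all",
    "satcloud247.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for the connecting IP address.

    Handles the ip4, ip6, include and all mechanisms, which is enough for the
    record above; a full evaluator also needs a, mx, exists, redirect and macros.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                   # no SPF policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means "pass" on match
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # an IPv4 address is never "in" an IPv6 network and vice versa
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(argument, sender_ip, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"          # mechanism this example does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched and no "all" present
```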
What is greylisting?
Greylisting temporarily rejects all mail on the first delivery attempt. Any SMTP-compliant mail server will queue the mail and resend it after a set period of time, usually around 5 minutes.
Spam-sending servers are rarely SMTP compliant, so it is very likely that they will not resend the rejected mail, and the spam is blocked straight away. If a spam server does resend the mail, it is likely that its IP address will have been blacklisted by the time the mail is received a second time, and a different test will block it.
The simple act of delaying the mail greatly increases the probability that it will be blocked.
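The deferral-and-retry behaviour described above, written as an added illustration rather than GTMaritime's implementation; the sender addresses, IP addresses and the lifetime of an unretried entry are constructed values.

```python
# Greylisting as the page describes it, added here as an illustration rather than GTMaritime's
# code. The "triplet" of client IP, envelope sender and envelope recipient is deferred with a
# 451 reply on first sight; a retry after the minimum delay is accepted from then on.
DEFER_SECONDS = 5 * 60        # the roughly five-minute retry interval the page mentions
TRIPLET_LIFETIME = 4 * 3600   # assumed policy: forget a triplet that is never retried

class Greylist:
    def __init__(self, min_delay=DEFER_SECONDS, lifetime=TRIPLET_LIFETIME):
        self.min_delay = min_delay
        self.lifetime = lifetime
        self.pending = {}      # triplet -> timestamp of the first (deferred) attempt
        self.allowed = set()   # triplets that have proven they retry like a real MTA

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for this attempt: 451 (try again later) or 250 (accept)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.allowed:
            return 250
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.lifetime:
            self.pending[key] = now    # new or stale triplet: ask the client to come back
            return 451
        if now - first_seen < self.min_delay:
            return 451                 # retried too quickly: still deferred
        self.allowed.add(key)
        del self.pending[key]
        return 250

def simulate(t0=1_700_000_000):
    """Replay a compliant MTA and a spam bot against one greylist; return each one's replies."""
    gl = Greylist()
    legit = ("203.0.113.10", "agent@example.net", "master@vessel.example")
    bot = ("198.51.100.7", "promo@example.org", "master@vessel.example")
    return {
        "legit": [gl.decide(*legit, now=t0 + dt) for dt in (0, 30, 300, 900)],
        "bot": [gl.decide(*bot, now=t0)],   # the bot takes its 451 and never comes back
    }
```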
What is Reverse DNS lookup?
Reverse DNS lookup validates a fully qualified domain name against the IP address of the sending mail server.
It only takes one click of a link on a malicious email to allow malware into your network, and the cost of such an error can be colossal.
– SpamTitan 2017
Spam content checks
This category encompasses tens of thousands of individual tests. These tests examine the actual content of the mail and try to determine if a mail contains spam-like content. Only a small percentage of mail will make it this far.
Examples of the spam content checks are as follows:
- Identification of spam-like phrases and words in the mail body
- Links in the mail body that contain domains that are on URI blacklists
- Fuzzy-checksum-based spam detection (Pyzor & Razor)
- Bayesian filtering
Bayesian filtering is a statistical learning technique: libraries of known spam keywords are built from mail that has already been classified, and the system self-learns by updating those libraries as further mail is filtered.
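A minimal self-learning Bayesian filter of the kind described above, added here as an illustration and not GTMaritime's engine; the training messages are constructed, and the word-presence model with Laplace smoothing is one common choice among several.

```python
import math
import re
from collections import Counter
# Constructed training corpus for the example (not GTMaritime's spam library).
SPAM_TRAINING = [
    "Congratulations! You have won a free prize, claim your cash reward now",
    "Urgent: verify your account password immediately to avoid suspension",
    "Cheap pharmacy offer, free shipping, order now and win big",
]
HAM_TRAINING = [
    "Please find the berthing schedule for Singapore attached, regards the port agent",
    "Crew change confirmed for the vessel on Tuesday, see attached manifest",
    "Monthly noon report received, fuel consumption within expected range",
]

def tokens(text):
    # Distinct lower-case words of 3+ characters; presence, not frequency, is counted.
    return set(re.findall(r"[a-z][a-z0-9'-]{2,}", text.lower()))

class BayesFilter:
    def __init__(self, spam=(), ham=()):
        self.word_counts = {"spam": Counter(), "ham": Counter()}   # the keyword "library"
        self.message_counts = {"spam": 0, "ham": 0}
        for label, corpus in (("spam", spam), ("ham", ham)):
            for text in corpus:
                self.learn(text, label)

    def learn(self, text, label):
        # Add a classified message to the library: this is the self-learning step.
        self.word_counts[label].update(tokens(text))
        self.message_counts[label] += 1

    def spam_probability(self, text):
        # Naive Bayes with Laplace smoothing; words never seen before carry no evidence.
        known = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        n_spam, n_ham = self.message_counts["spam"], self.message_counts["ham"]
        log_odds = math.log((n_spam + 1) / (n_ham + 1))   # class prior
        for word in tokens(text) & known:
            p_spam = (self.word_counts["spam"][word] + 1) / (n_spam + 2)
            p_ham = (self.word_counts["ham"][word] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

    def classify(self, text, threshold=0.9, feedback=True):
        # Label the message; with feedback=True, confident verdicts are learned from.
        p = self.spam_probability(text)
        label = "spam" if p >= threshold else "ham"
        if feedback and (p >= threshold or p <= 1 - threshold):
            self.learn(text, label)
        return label
```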
“64% of malware was ransomware in 2016” – Symantec
Block Dangerous File Types
We take preventative action to block dangerous file types from being delivered through the systems.
The current blocklist as of November 2017 is as follows:
Blocked file types:
ADE, ADP, APP, ASP, BAS, BAT, CER, CHM, CLA, CLASS, CMD, CNT, COM, CPL, CSH, DER, DLL, EXE, EXE-MS, FXP, GADGET, GRP, HLP, HTA, INS, ISP, ITS, JAR, JS, JSE, KSH, LNK, MAD, MAF, MAG, MAM, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MCF, MDA, MDT, MDW, MDZ, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSI, MSP, MST, OCX, OPS, OSD, OXN, PCD, PIF, PL, PLG, PRF, PRG, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PST, REG, SCF, SCR, SCT, SHB, SHS, TMP, URL, VB, VBE, VBP, VBS, VSMACRO, VSW, WS, WSC, WSF, WSH, XBAP, XNK
Mime Types Filtered:
From the GTMaritime dashboard, rules can be configured to allow or reject messages directly. This category supports multiple filter types, such as:
- Sender matches / does not match
- Recipient matches / does not match
- Subject contains
- Is a high priority message
- Message size is larger than
- Attachment size is larger than
Multiple AV scanning
Anti-virus products work using signature-based scanning, which only recognises variants already present in their databases. This is a problem, as malware has to be released into the wild before an anti-virus vendor can analyse it and release the necessary updates so that their software knows about each variant.
At GTMaritime we utilise a multi-vendor approach to anti-virus scanning to provide greater coverage and decrease risk.
Advanced Threat Protection (ATP)
GTMaritime’s Advanced Threat Protection (ATP) adds an additional layer of protection, providing advanced malware detection backed by a global threat intelligence network. With its deep content inspection, the ATP solution uses behaviour-based technology and an elastic sandbox environment to visualise and report on exactly what the malware interacts with, in contrast to typical signature-based detection, which relies on previously known exploits.
Sophisticated malware can determine whether it is on an actual user’s device or inside an environment such as a sandbox or a virtual machine instance; once it detects such an environment it alters its behaviour and avoids detection. Deep content inspection can remain hidden while determining which malicious objects are capable of evasion techniques, and then provide the appropriate input to analyse the complete range of malicious behaviour.
“The ATP which GTMaritime uses scored a perfect detection rate of 100% in all test categories with zero false positives. No other vendor or product has achieved this level of performance, in over 20 years of testing.” – NSS Labs, 2017
GTMaritime’s Anti-Phishing protection examines a number of key indicators in email content, including:
- Sending domain – validates the age of registration and determines whether the sending domain is genuine, monitoring domain names that closely match a true corporate domain.
- Header mismatch – determines whether the sender is hiding their real email address
- Display name analysis – determines whether the sender is attempting to spoof an internal sender.
- Keyword analysis – known attack phrases are closely examined against the threat database to determine authenticity of content.
If detected as suspicious, the email is tagged for quarantine, which can be closely monitored and controlled through reporting in the GTMaritime Dashboard.
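The header-mismatch, display-name and keyword indicators above, plus a lookalike-domain check standing in for the sending-domain test, as an added example that is not GTMaritime's code. The internal domain, staff names, attack phrases and sample message are constructed, and the registration-age check is omitted because it needs a live WHOIS lookup.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed values for the example: the organisation's own domain, a directory of
# internal display names, and a short list of attack phrases to look for.
INTERNAL_DOMAIN = "vessel.example"
INTERNAL_NAMES = {"jane fleet", "captain singh"}
ATTACK_PHRASES = ("verify your account", "urgent wire transfer", "password expires")

def edit_distance(a, b):
    # Levenshtein distance: a sending domain one edit away from ours is a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    """Return the names of the indicators that fire for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    hits = []
    for header in ("Return-Path", "Reply-To"):   # header mismatch: replies go elsewhere
        if msg[header] and domain_of(msg[header]) != from_domain:
            hits.append(f"header mismatch ({header})")
    if display_name.lower() in INTERNAL_NAMES and from_domain != INTERNAL_DOMAIN:
        hits.append("display name spoofs internal sender")
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 1:
        hits.append("lookalike sending domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits.extend(f"attack phrase: {p}" for p in ATTACK_PHRASES if p in text)
    return hits

# Constructed sample message that trips all four indicators.
SAMPLE = """\
From: Jane Fleet <jane.fleet@vesse1.example>
Reply-To: accounts@mail.example.org
To: master@vessel.example
Content-Type: text/plain; charset=us-ascii

Please arrange an urgent wire transfer before the port call.
"""
```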
If you would like further information about anything in the above article, or any of our products or services, please feel free to get in touch with us.
Wherever you are, we are.
Since 1998 GTMaritime has been providing a range of technology solutions and services to the maritime industry that serve to enable effective communications over satellite.
We specialise in providing solutions and services that help ensure vessel compliance and business operability 365 days a year, as well as keeping crew in touch with friends and family whilst at sea. All of this is backed up by a market leading infrastructure and unrivalled 24-hour customer support, every day of the year.
We provide these services from two offices – one in the UK and the other in Singapore – and increasingly through an established and growing network of resellers and partners around the world.
UK Head Office – Global Technology House, 11 Padgate Business Park, Green Lane, Warrington, WA1 4JN. Singapore Office – 6RQ Executive Suites, 6 Raffles Quay, #15-00, Singapore 048580
Tel: +44 (0)1925 818 918