October 31, 2014

The Top Six Benefits of Event Log Analyzers

One of the best applications you can add to your systems administration toolset is an event log analyzer. These applications enable administrators to go from reactive management to proactive management, which is good for all concerned. The business has better uptime, management is happy, and the admins don’t get calls in the middle of the night. While those are all actual benefits of being proactive, here are six tangible benefits you can get out of an event log analyzer:

GFI EventsManager – EventsManager management console (Source: http://www.gfi.com)

1. Centralized logging

With diverse systems across your datacenter or across the globe, event log analyzers can bring all those logs from all those systems into one place, where they can be parsed, analyzed and stored.

2. Support for multiple log formats

There are almost as many log formats as there are systems and it can be a daunting task to understand them all. But an event log analyzer can understand protocols and log formats from syslog to Oracle, SNMP to IIS and anything in between – letting admins focus on the content and not worry about the format.

3. Fine-grained control

If there’s one thing admins know, it’s that event logs have a lot of fluff and noise. Event log analyzers can help admins cut through all the excess, so they can focus on what’s really important.

4. Search and filtering

Even when you tune out the noise, when you are searching for a specific event amongst millions of records you need to find it quickly and be able to filter down to just what matters. Event log analyzers excel at finding what you need, when you need it.

5. Security capabilities

Security incident response always starts with the logs, but on its own that is after the fact. An event log analyzer with Security Information and Event Management (SIEM) features correlates events across systems as they arrive (a burst of failed logons followed by a success, a new account created outside business hours) and alerts while the activity is still in progress, giving you a chance to contain it before it becomes an incident.
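Here is what the parsing, filtering and detection described in points 2, 4 and 5 look like in a few dozen lines of Python. It is an added example, not code from the original post or from GFI's product: the sample log lines are constructed, the syslog-style layout and the five-failures-in-one-minute threshold are assumptions, and a real analyzer would read from a collector rather than a string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd and cron lines from two hosts, as a central
# collector would receive them after the forwarding agent normalised them.
SAMPLE_LOG = """\
2014-10-31T09:00:01 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2014-10-31T09:00:03 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2014-10-31T09:00:04 web01 sshd[2031]: Failed password for root from 203.0.113.5 port 51244 ssh2
2014-10-31T09:00:06 web01 sshd[2031]: Failed password for root from 203.0.113.5 port 51250 ssh2
2014-10-31T09:00:07 web01 sshd[2031]: Failed password for root from 203.0.113.5 port 51252 ssh2
2014-10-31T09:00:09 web01 sshd[2040]: Accepted password for root from 203.0.113.5 port 51260 ssh2
2014-10-31T09:05:00 db01 sshd[771]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2014-10-31T09:30:00 db01 sshd[772]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
2014-10-31T09:31:00 db01 cron[800]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line layout: ISO timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSH authentication result lines
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse(lines):
    """Normalise raw lines into dicts with a common schema; skip what does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        a = AUTH_RE.match(ev["msg"])
        ev["auth"] = a.groupdict() if a else None
        events.append(ev)
    return events

def search(events, **criteria):
    """Filter on any parsed field, e.g. search(events, host="db01", prog="sshd")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP with `threshold` failed logons inside `window`, then
    escalate if that same source later succeeds (a likely compromised account)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        a = ev["auth"]
        if not a:
            continue
        src = a["src"]
        if a["result"] == "Failed":
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, ev["host"], len(q)))
        elif src in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, ev["host"], a["user"]))
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print(len(search(evs, host="db01")), "events from db01")
    for alert in detect_bruteforce(evs):
        print(alert)
```

The detector keeps one sliding window per source, so a slow, patient attacker who stays under the threshold is not caught by this rule alone; that is what the later correlation (success after failures) and the search function are for.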

6. Compliance capabilities

PCI, HIPAA and other regulations and standards all have the expectation that admins are reviewing logs. Event log analyzers can help your company meet those requirements easily and economically.

Event log analyzers can take the overwhelming task of managing all the logs on all your various systems, and turn that into a simple-to-manage, largely automated process. When you proactively manage your systems using an event log analyzer, you can get ahead of issues before they become problems. Uptime goes up, and so does your quality time.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Find out more on how you can benefit from an event log analyzer.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

How to Secure Your Systems in Nine Easy Steps

That you need to secure your systems is obvious; how to do so is not. You’ve heard of port scanners and vulnerability scanners and you know antivirus software and patching are important, but it’s easy to get lost in the weeds when it comes time to formalize your approach.

In this article we are going to see how to secure your systems in nine easy steps. We’ll keep things high level so that you can apply the concepts to as many systems as possible, rather than drilling down to the specifics on product X. Applying these steps to your systems will help ensure your systems are as secure as possible, will reduce the risks as much as possible and will get the boss and the security guy off your back. Here’s how you begin:

1. Get a network security application

It doesn’t have to be a $100K purchase, nor will it necessarily be something you download from an open source website. What it will be is one that can run in your environment, is easy for you to start using, has support and updates included, and can help you to automate and perform many of the tasks in this list. A good network security application is a key part of any security program, and with so much to do and so little time, it is not optional.

2. Use a vulnerability scanner

Vulnerability scanners are tools that can scan systems over the network looking for security issues that you need to remediate. Vulnerability scanners include databases of known vulnerabilities for all kinds of systems and applications, and it is critical to keep that database up-to-date so your vulnerability scanner can look for the latest discovered issues. Use your vulnerability scanner to scan every new system before it is approved for production, before the firewall ports on the Internet are open, and whenever the configuration is changed. You should also use your vulnerability scanner to assess your entire network. Run it from the Internet against your DMZ to see everything an attacker outside would see. Run it internally against your entire network to be sure every system is up-to-date. Regular use is key to ensure nothing slips through the cracks.

3. Lock down defaults

Vulnerability scanners can also help you to identify default settings. These are the things that the vendor sets up out-of-the-box, and that often can be used by attackers to find a back door into your network or to access data on devices. Examples include default passwords, running services that you don’t need, open shares that contain sensitive information and protocols that don’t use encryption. Finding these defaults and either securing or disabling them reduces your exposure and takes away an easy in for any attacker to exploit.

4. Patch

It’s as simple as that. Patch. Patch everything. Patch operating systems on servers and workstations, third party applications, drivers, network devices, firmware and anything else you can. Keeping all of your systems fully patched closes more vulnerabilities than any other single action you can take. Your vulnerability scanner will help here: it identifies unpatched systems and lists the patches they need. It may not find them all, but it will find the ones most attackers would find too. Seriously, if you do nothing else on this list, patch. If you have more systems than you have fingers, you need patch management software to keep up with everything. Look for patch management software that includes vulnerability scanning so you get two for one.

5. Use good passwords

That means using strong passwords that are hard to guess on every system, and training your users to do the same. It also means using a different password on each system, resetting every default password, and never sharing passwords. Changing passwords on a fixed schedule is less useful than it sounds, because users respond with predictable variations; prefer long, unique passphrases kept in a password manager, and change a password promptly whenever there is reason to think it has been exposed. Each user should have his or her own account on any system, and no one should know another user’s password.

6. Practice least privilege

The concept of least privilege is pretty straightforward. Don’t give out any access to someone unless they need that access. Only give them the minimum access they need to do their job. Take away that access when it is no longer required.

7. Document

One of the most difficult tasks for many sys admins is one of the most important. Documenting your systems, your network, your configurations, and your best practices is a critical part of maintaining your systems. Without documentation, how do you know what you have? How can you be sure you didn’t miss something? Never put off documentation until ‘later’. ‘Later’ will never come.

8. Establish baselines

Each system will have its own particular behaviours. How busy is it? How much RAM is it using? What services is it running? How quickly is it running out of disk space? Make sure that you establish baselines for every new system while you are still paying close attention to it and before you declare it production-ready, and add those into the documentation. When the server varies from its baseline, it’s a good indication that something might be wrong. Whether that is an errant app, an underestimated load, or an uninvited guest remains to be seen, but consider spikes in CPU and RAM, and rapidly diminishing disk space all to be your early warning system.

9. Set up alerts

If you have central monitoring, it is easy to stay on top of these baselines and also to automate reviews of logs. Smaller shops aren’t so well equipped. Setting up alerts on your systems for things like failed logons, spikes in CPU, low disk space, etc., not only helps you with the sys admin tasks of maintaining the systems, but can also call to your attention issues that might indicate a security incident is happening.
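An added example (not from the original post or any GFI product) of steps 8 and 9 in Python: baseline samples recorded during burn-in, a deviation check of a current sample against them, an unexpected-service check, and a projection of how long the disk will last at the current rate of consumption. The baseline numbers, the three-sigma rule with a 5% floor, the service list and the one-hour sample interval are all assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: eight hourly samples per metric, taken while the
# system was still being watched closely before going into production.
BASELINE = {
    "cpu_pct":      [12, 15, 11, 14, 13, 16, 12, 14],
    "ram_used_mb":  [2100, 2150, 2080, 2120, 2140, 2110, 2090, 2130],
    "disk_free_gb": [480, 479, 479, 478, 478, 477, 477, 476],
}
BASELINE_SERVICES = {"sshd", "nginx", "postgres", "cron"}   # what should be running

def deviation_alerts(baseline, current, sigmas=3.0):
    """Flag any metric whose current value is more than `sigmas` standard
    deviations from its baseline mean. The floor of 5% of the mean stops a
    metric that was perfectly flat during baselining from alerting on noise."""
    alerts = []
    for metric, samples in baseline.items():
        mu = mean(samples)
        sigma = max(pstdev(samples), 0.05 * abs(mu))
        value = current.get(metric)
        if value is None:                      # agent stopped reporting: worth a look too
            alerts.append((metric, "missing", None))
            continue
        z = (value - mu) / sigma
        if abs(z) > sigmas:
            alerts.append((metric, "deviation", round(z, 1)))
    return alerts

def service_alerts(expected, running):
    """Unexpected services are the classic sign of an uninvited guest;
    missing ones usually mean an outage. Both deserve an alert."""
    return {"unexpected": sorted(set(running) - set(expected)),
            "missing": sorted(set(expected) - set(running))}

def disk_runway_hours(free_gb_samples, sample_interval_hours=1.0):
    """Least-squares fit of free space against time; returns projected hours
    until free space hits zero, or None if space is not shrinking."""
    n = len(free_gb_samples)
    if n < 2:
        return None
    xs = [i * sample_interval_hours for i in range(n)]
    mx, my = mean(xs), mean(free_gb_samples)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, free_gb_samples))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx                          # GB per hour, negative when shrinking
    if slope >= 0:
        return None
    return free_gb_samples[-1] / -slope

if __name__ == "__main__":
    # Constructed "something is wrong" sample: CPU pegged, RAM up, disk vanishing
    current = {"cpu_pct": 78, "ram_used_mb": 3900, "disk_free_gb": 310}
    print(deviation_alerts(BASELINE, current))
    print(service_alerts(BASELINE_SERVICES, {"sshd", "nginx", "postgres", "cron", "nc"}))
    print("baseline runway (h):", round(disk_runway_hours(BASELINE["disk_free_gb"])))
    print("current runway (h): ", round(disk_runway_hours([476, 470, 462, 450, 436, 420])))
```

The deviation check says only that something changed, not what; the service check and the disk projection are there to turn "CPU is high" into "CPU is high and a process you never approved is running", which is the alert worth waking someone for.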

Getting these nine steps in place now, consistently and across all systems, will immensely help you in securing your systems. You would cover the majority of things that could be exploited by an attacker, and set yourself up to stay informed on what is happening with your systems.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. Learn more about the importance of network scanning by downloading the free eBook: A first aid kit for SysAdmins.

Disclaimer: All product and company names herein may be trademarks of their respective owners.


3 Reasons Why Your Organization Needs a Network Scanner

A network scanner is a somewhat vague term. While it is easy to answer questions such as “what does a patch manager do?”, the same cannot be said of a network scanner. The main reason for this is that a network scanner, unlike a patch manager, is not designed to perform a single function. In general, a network scanner performs a series of different tasks and checks to find the known vulnerabilities in its database on your systems and to make sure those systems are configured in a secure way.

GFI LanGuard 2012 Dashboard

This is all well and good, but at the end of the day, why do you need a network scanner?

1. To ensure your software is configured securely:

An administrator’s life can be quite demanding at times. It is not enough for an administrator to make sure that any software deployed on the network works as it should but s/he also needs to make sure that this software is configured securely in a way that makes it quite hard for others to exploit.

I cannot stress this point enough. Consider a mail server, for example, that allows relaying from any source. Such a mail server would be seen as working correctly. Any person on your network would be able to send and receive emails without any issues. In fact, in terms of functionality there are no issues.

However, a mail server which relays messages from any source is prone to be discovered by spammers and it is quite likely that they will exploit it to run massive spam campaigns through it. This will lead to a severely degraded performance as your bandwidth would be flooded with spam. Moreover, such activity could get the organization into trouble, your server blacklisted internationally and your company labelled a spammer. This is why a securely configured server is a must.
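The open-relay case above can be tested from the outside with a few lines of SMTP. What follows is an added example, not code from the original post or from GFI: `probe()` talks to anything that has `recv` and `sendall`, so it works on a real socket, while the `FakeServer` class, its domains and its reply texts are constructed so the example runs offline.

```python
import socket
import sys

class FakeServer:
    """Minimal SMTP responder for offline testing (constructed, not a real MTA).
    open_relay=True mimics a server that accepts any RCPT TO; otherwise it
    refuses recipients outside the domains it hosts, as a secure server should."""
    def __init__(self, local_domains=("example.com",), open_relay=False):
        self.local = local_domains
        self.open_relay = open_relay
        self.transcript = []
        self.pending = "220 mail.example.com ESMTP\r\n"   # banner, sent on connect

    def recv(self, n):
        data, self.pending = self.pending, ""
        return data.encode()

    def sendall(self, data):
        line = data.decode().rstrip("\r\n")
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "EHLO":
            reply = "250-mail.example.com\r\n250 SIZE 10240000\r\n"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok\r\n"
        elif verb == "RCPT":
            domain = arg.split("@", 1)[1].rstrip(">")
            if self.open_relay or domain in self.local:
                reply = "250 2.1.5 Ok\r\n"
            else:
                reply = "554 5.7.1 Relay access denied\r\n"
        elif verb in ("RSET", "QUIT"):
            reply = "250 2.0.0 Ok\r\n" if verb == "RSET" else "221 2.0.0 Bye\r\n"
        else:
            reply = "502 5.5.2 Command not recognized\r\n"
        self.transcript.append("S: " + reply.strip().replace("\r\n", " | "))
        self.pending = reply

def read_reply(conn):
    """Collect one (possibly multi-line) SMTP reply and return its 3-digit code.
    A line of the form '250 ...' ends the reply; '250-...' means more follows."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = [l for l in buf.decode(errors="replace").split("\r\n") if l]
        last = lines[-1] if lines else ""
        if len(last) >= 4 and last[3] == " ":
            return int(last[:3])

def probe(conn, sender="relaytest@example.org", rcpt="relaytest@example.net"):
    """True if the server accepts a recipient in a foreign domain from a client
    that has not authenticated. Stops at RCPT TO, so nothing is ever delivered."""
    if read_reply(conn) != 220:
        raise RuntimeError("no SMTP banner")
    conn.sendall(b"EHLO relaytest.invalid\r\n")
    if read_reply(conn) != 250:
        raise RuntimeError("EHLO rejected")
    conn.sendall(f"MAIL FROM:<{sender}>\r\n".encode())
    if read_reply(conn) != 250:
        return False                       # sender refused outright: not relaying for us
    conn.sendall(f"RCPT TO:<{rcpt}>\r\n".encode())
    relays = read_reply(conn) == 250
    conn.sendall(b"RSET\r\n"); read_reply(conn)
    conn.sendall(b"QUIT\r\n"); read_reply(conn)
    return relays

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # a real host on the command line
        with socket.create_connection((sys.argv[1], 25), timeout=10) as s:
            print("open relay" if probe(s) else "relay refused")
    else:                                  # offline: both constructed configurations
        for srv in (FakeServer(open_relay=True), FakeServer()):
            print("open relay" if probe(srv) else "relay refused")
            print("\n".join(srv.transcript), end="\n\n")
```

Two caveats when pointing this at a real server: pick a recipient domain the server does not host itself (a 250 for its own domain is normal delivery, not relaying), and remember that some MTAs only reject at DATA, so a 250 at RCPT is strong evidence rather than proof. On the fixing side, in Postfix for instance the relevant setting is `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`, which is exactly the rule the secure FakeServer above imitates.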

2. Ensuring there are no unnecessary services or applications:

Every service or application that runs on a system is a potential security risk. One can never be absolutely sure that a service or application is not exploitable. The solution is to avoid running unnecessary services or applications and to do so you have to identify what these are.

While one can manually do a software inventory periodically, using a good network scanner will allow the administrator to do so accurately on a daily basis and be a lot more proactive.

3. Removing unused user accounts and open shares:

User accounts that are no longer required should be deleted at once. They can easily be exploited by their former owners after they leave the company, especially if they were fired or left on bad terms and hold a grudge against the organization.

Deleting accounts as soon as people leave the company is a good practice but is not always enough. Employees with a grudge might have created new user accounts on a number of systems, even more so nowadays when you can deploy virtual machines so easily. Apart from sending out alerts when new user accounts are created, a network scanner can be set to notify the administrator when an account has not been used for a long period of time.

Open shares are also common vectors used to spread malware. A good network scanner can periodically look for such unauthorized shares saving administrators from having to do lengthy inventories in order to maintain network integrity.

There are other reasons why you should be using a network scanner. For instance, to identify vulnerabilities that are hard to find manually. You can regularly monitor the network, automatically carry out audits that otherwise would take ages to complete manually.

What is important is that issues are discovered today and not in a month’s time or when something goes wrong. That is the difference between a safe network and one at risk of being exploited and compromised.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

The Top Nine Best Practices for Network Scanning

(LiveHacking.Com) — Systems admins and security personnel looking to get the most out of their network scanners want to make sure they are using their tools in the right way. Follow these nine best practices for network scanning, and you’ll get the best bang for your buck out of your network scanner.

1. Update regularly

Generating general network reports (Source: gfi.com)

A network scanner helps you to find when your systems are out of date, and with new vulnerabilities discovered regularly, it is critical that you update your scanner each time you go to use it. Either set up a process to check for updates daily, or run the update process each time you go to perform a scan.

2. Scan early, often, and on a schedule
Using a network scanner should be a regular part of your systems security and maintenance. You should scan early in the deployment of any new system, and scan your entire network on a regular basis, not just when someone reads about a new vulnerability. By the time a new vulnerability makes it into the press, the bad guys already know about it and are attempting to exploit it.

3. Scan new systems before they go into production
You want to make sure a system is fully up-to-date before it goes into production, so you can patch it as necessary. Once it is in production change control will apply.

4. Scan everything
Scanning a subset of systems may be quicker, but scanning your entire IP range makes sure you catch everything, including those rogue systems that someone deployed outside of your normal processes.

5. Scan internally
Whether the threat is a malicious user, a worm, or just someone with too much curiosity, don’t assume your firewalls will protect your internal systems. Scan everything you have internally to make sure all systems are up-to-date.

6. Scan externally
Attackers are scanning your external networks regularly. See what they see by scanning your systems from an external network so you know exactly what is accessible to the rest of the world.

7. Check those deltas
When you perform regular scans, you can see what changes over time. Investigate any deltas between one scan and the next to confirm that any changes were appropriate and authorized.
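An added example, not from the original post or from any GFI product, of the delta check in Python: two scan results, the changes that went through change control, and a report of everything that changed without approval. It also catches the rogue systems of point 4, since a host that was not in the previous scan is the first thing it reports. The host-to-ports shape and the sample scan data are constructed; a real scanner's XML or CSV export would be reduced to that shape first.

```python
# Constructed scan results: host -> {port: service name}
LAST_WEEK = {
    "10.0.0.5":  {22: "ssh", 80: "http", 443: "https"},
    "10.0.0.9":  {22: "ssh", 3306: "mysql"},
    "10.0.0.12": {22: "ssh", 25: "smtp"},
}
THIS_WEEK = {
    "10.0.0.5":  {22: "ssh", 80: "http", 443: "https", 8080: "http-proxy"},
    "10.0.0.9":  {22: "ssh"},
    "10.0.0.12": {22: "ssh", 25: "smtp"},
    "10.0.0.77": {23: "telnet", 80: "http"},        # nobody provisioned this one
}
# Changes approved through change control this week: (host, port, "opened"|"closed")
APPROVED = {("10.0.0.9", 3306, "closed")}

# Services that carry credentials in the clear; any new one is worth escalating
CLEARTEXT = {"telnet", "ftp", "pop3", "imap", "rsh", "rlogin"}

def scan_delta(previous, current, approved=frozenset()):
    """Return the differences between two scans that change control did not cover."""
    delta = {"new_hosts": [], "missing_hosts": [], "opened": [], "closed": []}
    for host in sorted(set(previous) | set(current)):
        if host not in previous:
            delta["new_hosts"].append(host)
            for port, svc in sorted(current[host].items()):
                if (host, port, "opened") not in approved:
                    delta["opened"].append((host, port, svc))
            continue
        if host not in current:
            delta["missing_hosts"].append(host)   # decommissioned, or just down at scan time
            continue
        for port in sorted(set(current[host]) - set(previous[host])):
            if (host, port, "opened") not in approved:
                delta["opened"].append((host, port, current[host][port]))
        for port in sorted(set(previous[host]) - set(current[host])):
            if (host, port, "closed") not in approved:
                delta["closed"].append((host, port, previous[host][port]))
    return delta

def cleartext_exposures(delta):
    """Newly opened ports that speak a cleartext protocol."""
    return [(h, p, s) for h, p, s in delta["opened"] if s in CLEARTEXT]

def report(delta):
    lines = []
    for kind in ("new_hosts", "missing_hosts", "opened", "closed"):
        for item in delta[kind]:
            lines.append(f"{kind:13} {item}")
    for item in cleartext_exposures(delta):
        lines.append(f"ESCALATE      cleartext service {item}")
    return "\n".join(lines) or "no unexplained changes"

if __name__ == "__main__":
    print(report(scan_delta(LAST_WEEK, THIS_WEEK, APPROVED)))
```

Run this after every scheduled scan and the review question becomes "who approved these three lines?" instead of "what is different in these two 200-page reports?". Note that a host that simply failed to answer during the scan shows up under missing_hosts, so treat that list as "confirm" rather than "alarm".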

8. Share the results
Too many companies keep the security scans a closely guarded secret. I don’t suggest you publish the results on your website, but make sure that all the admins are aware that you are scanning, see what you find, and know where their systems stand.

9. Remediate what the scanner finds
Using your network scanner to find vulnerabilities is only half the task; you must remediate what the scanner finds. Make sure that senior management understands the results of the scan, and makes remediation a priority.

Follow these nine best practices for network scanning to get the best use of your network scanner. Don’t underestimate the importance of that first step. New vulnerabilities are discovered regularly, and checking your systems with an outdated scanner is as bad as running with outdated virus definitions. The sense of false confidence can lead to disaster. Maintain your network scanner like the fine tool it is, and you’ll get years of great use out of it, helping maintain secure and updated systems.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

5 Threats Posed by Vulnerabilities

(LiveHacking.com) – A vulnerability scanner is an essential tool for any systems administrator. Vulnerabilities on your network and in your software can easily lead to compromised systems. There is a false impression that it takes a lot of skill to compromise a computer system. In reality, a substantial number of incidents come down to trivial causes, and all of these could have been identified and prevented by a good vulnerability scanner.
In this article we outline five threats posed by vulnerabilities and juxtapose them with five real-life cases.

1. Change to a network - In 2004, a postal bank office in Israel suffered a break-in. A quick investigation found that nothing went missing, so the whole episode was dropped as some prank. In the following days, however, the office noticed that tens of thousands of shekels were going missing. A more thorough investigation revealed a rogue access point installed on the network. The thieves had broken into the postal bank office to install it a few days earlier; the break-in itself obviously went unnoticed. A scanner that monitors changes to the network and reports newly added or removed hardware would have done a wealth of good here: it would have alerted the administrator to the rogue access point at the first scan after it was installed, days before the money started disappearing.

2. Creation of an account and irregular use - In April 2011, a story broke about a former Gucci employee illegally accessing Gucci systems and causing $200,000 worth of damage. It all started when the Gucci employee was fired. His administrator promptly disabled his accounts, as good security practice recommends. However, before being fired, the employee had created a fake user account that the administrator was not aware of, which he then used to access Gucci systems. In this case, a good vulnerability scanner would have proved useful in detecting the threat, firstly by alerting the administrator when the account was created, and secondly by flagging the account’s irregular use, so the administrator could then delete the unnecessary account.

3. Deploying a patch - On April 13, 2004, Microsoft released a patch for a security flaw in its Windows operating system. A few weeks after the patch was made available, a malicious computer worm was released on the internet. This Sasser worm exploited the vulnerability and caused wide-spread chaos even though companies had a few weeks’ head start to deploy the patch. This caused a news agency to lose satellite communications for hours, an airline to cancel flights and a financial institution to close 130 of its offices due to widespread infection. An important function of a vulnerability scanner is to scan the network for vulnerable applications for which a patch is available and inform the administrator. Provided the administrator is proactive in testing and deploying the patch, a few weeks would be more than enough to secure a network.

4. Creation of blank passwords - One of the top hacker stories recurring in the news over the past five years is that of Gary McKinnon. Out of his conviction that the United States government had certain information about extraterrestrials and knowledge of anti-gravity and free energy, in February 2001 McKinnon started looking for proof by trying to gain unauthorized access to US military and NASA computer systems. He allegedly scanned the systems for administrator accounts with blank passwords, and actually managed to find quite a few, which he then compromised. A good vulnerability scanner will help in two ways in such a situation. First and foremost, it will scan and report on a system’s password policies, enabling the administrator to determine whether users can create weak passwords. Additionally, a vulnerability scanner will also check administrator accounts for blank passwords.

5. File sharing software - We all know that the US military takes secrecy seriously, and there is no doubt that some of the most secretive details revolve around the presidential helicopter defense system. In March 2009, however, news broke that details about Marine One’s missile system were being shared on a P2P network from a computer in Iran. It turned out that an employee of the contractor in charge of the helicopter had installed file sharing software and inadvertently shared the classified file. The dangers of file sharing software in relation to data leakage are well known. A good vulnerability scanner will not only inform the administrator when new software is installed on a system but also specifically when file sharing software is installed on a scanned computer.

These threats could easily have been brought to the attention of the systems administrator by means of a vulnerability scanner. Vulnerabilities can cause a number of issues that can lead to a system compromise, and the number is so staggering that it is not realistic to stay ahead of them without tool support. A good vulnerability scanner nowadays checks for many vulnerabilities at the click of a button and can provide the information an administrator needs to avoid pitfalls such as those discussed in the five examples above.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging need. Learn more on what to look out for when choosing a vulnerability scanner.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

4 Key Features of Good Endpoint Security Software

(Live-Hacking.Com) – Data leakage occurs when data that should never have left the physical confines of your company’s brick and mortar walls does, and control of that data is lost. One of the main reasons this happens is that companies lack endpoint protection. When a user copies data to their smartphone (think contacts, critical documents that they wish to review while mobile, email attachments, etc), or to a USB flash drive, your company is primed for a data leak. Endpoint protection is designed to prevent that from ever happening in the first place. Sure, you can remotely wipe smartphones, at least the ones that are compatible with your company’s policies, and you can protect data on portable media with encryption, but both of those depend in part on the end user. Whether that person is intentionally malicious, apathetic, or simply ignorant, it is entirely possible to transfer data to unprotected media, unless you prevent it in the first place through endpoint security.

GFI EndPointSecurity™ console

There are programs on the Internet today that can turn portable media players into mass storage devices capable of automatically seeking out and downloading key data to their storage. Search for podslurping to see just how creative these applications are, and don’t forget the users with DVD/CD burners in their machines that can burn a disk with gigabytes of data. Unless they have encrypted that data, it can be read by anyone who happens to come across that disk. Some companies have gone as far as to epoxy the USB connection on machines to prevent the physical attachment of external media, but this has several problems. They won’t be able to turn such damaged hardware back in at the end of a lease; any residual value after the useful life will be greatly decreased, there are lots of legitimate uses for USB that will be prevented by this, and it is not a full solution. Search on bluesnarfing to see how users can exploit Bluetooth connections to further transfer data. Instead of ruining your hardware, implement endpoint security to protect your data.

So how can endpoint security help a company to prevent data leakage? Here are the four most important features to look for in good endpoint protection software:

  1. Agent based enforcement: Endpoint protection software should use easy to deploy, tamperproof agents which can be rolled out to users and, once on their system, be locked down so that even local admins cannot disable them.
  2. Easy, central management: Good endpoint protection software should support rapid policy creation through an easy to understand wizard, be deployable granularly with Active Directory Group Policy, and have the flexibility to support business needs.
  3. Information at your fingertips: Real-time centralized monitoring and alerts are just the starting point for endpoint protection’s information components. Look for centralized logging and reporting that can generate on-demand and scheduled reports.
  4. Flexibility: The one thing you can count on is that no matter what you set up, you will need exceptions. Whether you need to provide temporary access, allow systems admins or security personnel to bypass restrictions, or implement white-lists and blacklists, look for an endpoint protection product that is not going to lock you down so tightly that it breaks business processes.

By deploying endpoint security, you are taking reasonable steps to prevent data leakage and protecting your company’s data and that of your customers. Endpoint protection makes good business sense in today’s environment where a data leakage can cost a company millions in reporting and monitoring, and cause irreparable damage to a company’s reputation.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on how to make the best out of endpoint security.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

5 Ways to Create the Right Patch Management Policy

While patch management is, conceptually, a straightforward task, its correct implementation is not always that simple. One might be tempted to simply deploy patches on an as-needed basis without giving it much thought; however, in order for patch management to be fully effective, the right patch management policy is required, as without it patch management could become the threat you’re actually trying to prevent.

So what makes the right patch management policy?

1. Inventory

Without knowing which software or systems need patching, no proper patch management process can exist. While this might seem obvious, it’s a step often overlooked in a company’s patch management policy. An inventory is also required when testing environments are created, an essential item in any patch management policy. Inventories can be done manually; however, it’s wise either to have scripts that automate the process to a degree, or to use a network scanner to do the job.

2. Monitoring

Every patch management policy needs a process that can identify which patches are missing or outdated, and this can be achieved by either monitoring vendor sites or using patch management detection software.

3. Testing

Once an administrator determines and downloads the patches needed on the network, it is essential that they are tested before they are deployed to make sure that they work across all systems. Test environments that mimic the actual environments the patches will be deployed to as closely as possible are needed. A blueprint for such environments ought to be prepared during the inventory step. As time goes by it’s important to keep the test environments in line with the actual environments. This can be done by comparing inventories or through the use of software which can notify the administrator when environments change.

4. Deployment and Verification

This is another pitfall. For many, their patch management process does not include verification but just deployment; however, the right patch management policy requires both. If the deployment fails for any reason, especially if the whole process of deployment is unattended, it can easily happen that the failure goes unnoticed thus giving the administrator a false sense of security. To avoid this, ensure that there is a way to determine the patch level of each machine and confirm that all the patches deployed were successful.

5. Disaster Recovery

No matter how many precautions are taken and how many tests are run, there is no guarantee that a patch deployment will not cause issues. Computer software is complex and it is impossible to test all possible combinations, especially when you factor hardware and chipsets in. Therefore, it is essential that a patch management policy includes a section on disaster recovery, so, should things go wrong, an administrator will be able to quickly recover the network to a working state.

Without the right patch management policy in place, patch management can indirectly be a security risk since the patch deployment itself can cause issues and possibly downtime. Once designed, the patch management policy will require a little extra effort; however, this is a much more favourable option than the effort spent trying to fix a broken environment, not to mention the loss of productivity.

Editor Note: This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about creating the right patch management policy.

Disclaimer: All product and company names herein may be trademarks of their respective owners.

12 Reasons to Deploy Email Monitoring

(LiveHacking.Com) – With all of the effort email administrators put into monitoring their email servers for utilization, disk space, and error logs, they may be overlooking some of the most important information they can get out of their email system – how it’s actually being used. Companies that implement email monitoring quickly find a wealth of useful information about how employees are actually using email to perform their jobs, or in some cases, instead of performing their jobs. Using email monitoring is much like using web monitoring. It provides insight into patterns and behaviors, identifies trends and issues, and can even support compliance efforts.

Here are 12 important reasons why you should deploy email monitoring on your network:

  1. See who users email the most, to identify patterns and efficiencies.
    This will let you know who communicates with whom, to ensure the right people are interacting with one another.
  2. Learn who the key contacts are for each user or role.
    If a job transitions to another user, it can help them quickly get up to speed on the primary contacts they will have.
  3. Discover which customers or vendors need the most attention.
    This is a great way to head off customer satisfaction issues early.
  4. Identify the customers most likely to provide good referrals to others.
    Those who receive the best communications are likely to be the most satisfied.
  5. Identify the users spending excessive time on personal email.
    Sending emails to traditional personal accounts (Hotmail, Gmail, Yahoo, etc.) is a pretty good indication that they are not communicating with your customers unless you are a consumer-focused business.
  6. Measure response times to customer emails to be sure they are getting answers when they should.
    You should have standards for response times, and this will let you confirm your employees are meeting those commitments.
  7. Confirm that the help desk is replying to users within their SLAs.
    Users tend to call the help desk because they don’t get responses to emails quickly enough. Knowing just how long it takes to get a response helps identify staffing or performance issues.
  8. Find the mail hoarders so you can work with them to purge email, or charge them for the excessive space.
    Disk space is a limited commodity, and departments that use excessive amounts either need to be brought into compliance, or charged for the usage.
  9. Ensure that your email system isn’t being used as a file server, and that attachments are business-related.
    Email is a convenient way to trade files between users, but it places increased demands on server resources. See just how much space is being used, and ensure it’s not for MP3s and videos.
  10. Make sure customers aren’t emailing inactive or deleted accounts so you don’t miss any opportunities or leave customers thinking they are being ignored.
    An unanswered email is a good reason for a customer to contact your competition next. Identifying inactive accounts that customers still email makes sure someone responds.
  11. Ensure email communications use professional and appropriate language.
    Every email an employee sends represents your organization, so you want to be sure communications are sent in a professional manner without profanity or slang.
  12. Make sure users aren’t forwarding emails to personal accounts or the competition.
    Finding emails going to competitors helps stop the loss of intellectual property.

An email monitoring solution will show you how your users actually use your email system, where communications channels exist, and whether or not any compliance issues exist. It’s the next level of email management and an extremely valuable source of information.

Editor Note: This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the benefits of using email monitoring.

6 Ways to Optimize Your Spam Detection Mechanism

(LiveHacking.Com) – Spam is a scourge that causes several problems for most organizations and therefore needs to be stopped before it reaches the users’ mailboxes. Luckily, there are various types of anti-spam filters to suit different types of organizations; however, it is important to understand that spam detection can be quite tricky. If the configuration is wrong, valuable emails will be incorrectly classified as spam. You therefore need to ensure your anti-spam filter is configured correctly, to avoid as many false positives as possible without creating false negatives.

So how would one go about configuring spam detection?

In order to have an effective spam detection mechanism, you can use various techniques. Different products might provide a combination of these technologies but it is important to understand what they are in order to be able to configure each one effectively.

1. Bayesian Filtering:

Bayesian spam filtering is an advanced way for a computer to determine whether an email is spam or not. Bayesian filtering is a system that through training can “learn” to distinguish between spam and legitimate emails. It does this through a statistical analysis of what words one expects to find in a legitimate email and not in spam. To do this, Bayesian filters need to be trained using legitimate emails and spam. Some products offer automated updates and allow the customer to do their own training. Having vendors do the training is advantageous due to the wider range of samples that the training is based on. It is hard to gauge the rate of false positives and false negatives this method can cause. The strength of this method is based entirely on the quality of the training and how typical the spam or legitimate email being checked is.
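As an added illustration (not code from the article or from GFI), here is a minimal naive Bayes filter of the kind described above, trained on a handful of constructed spam and legitimate messages; a real filter trains on far larger corpora, which is why the text favours vendor-supplied training:

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")  # '$' and '!' kept: they are spam-indicative

def tokenize(text):
    """Set of lower-cased tokens in a message body."""
    return set(TOKEN_RE.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.spam_counts = Counter()  # token -> number of spam messages containing it
        self.ham_counts = Counter()   # token -> number of legitimate messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        (self.spam_counts if is_spam else self.ham_counts).update(tokenize(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_spamicity(self, token):
        # Laplace-smoothed P(token|spam) and P(token|ham): smoothing keeps a word
        # never seen in training from forcing the result to exactly 0 or 1.
        p_spam = (self.spam_counts[token] + 1) / (self.n_spam + 2)
        p_ham = (self.ham_counts[token] + 1) / (self.n_ham + 2)
        return p_spam / (p_spam + p_ham)

    def spam_probability(self, text):
        # Combine the per-token evidence in log space to avoid floating-point underflow.
        log_spam = log_ham = 0.0
        for tok in tokenize(text):
            p = self.token_spamicity(tok)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def build_demo_filter():
    """Train on a constructed toy corpus (sample data, not real mail)."""
    f = BayesFilter()
    for msg in ["cheap pills buy now $$$", "win free money click here now", "free prize claim now !!!"]:
        f.train(msg, True)
    for msg in ["meeting agenda for the quarterly review", "please review the attached invoice", "lunch on friday?"]:
        f.train(msg, False)
    return f
```

Words absent from both training sets score a neutral 0.5, so an untrained filter cannot classify anything: exactly the quality-of-training dependence the text points out.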

2. Databases:

Some anti-spam filters include databases of known spammers, open relays and spam emails. These databases have a variety of uses – from recognizing spam email, to recognizing other harmful content in emails such as links to malicious and phishing sites.

3. DNSBL:

DNSBL (DNS Blacklist) is a service offered by some organizations that provide a database of known spammers, open relays and zombies sending spam. Accuracy is dependent on the classification systems used by the service provider. While they’re generally quite good, these systems are sometimes accused of being too strict and thus causing some false positives.

4. Email Analysis:

There are a number of ways to analyze an email and be able to determine if it is spam or not. Some software might check that the headers are crafted correctly, for example if the emails are being addressed to whoever the email is claiming to be addressed to, while others might look for specific keywords. Accuracy can vary but you can expect that keyword-based anti-spam detection will have a higher than normal rate of false positives.

5. Greylisting:

Greylisting is a process whereby an email that arrives at your mail server from an unknown sender is initially rejected. A legitimate mail server will retry after a delay, and on that retry the email is accepted. In many cases the software used by spammers will not try again if the first attempt fails. Provided the mail server sending the email is properly configured, there is no chance of false positives with this method, and only a minor chance of false negatives should a spammer specifically cater for such scenarios.
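An added example (not the article's code) of the greylisting decision described above, keyed on the client IP / envelope sender / envelope recipient triplet; the five-minute retry delay and four-hour expiry are assumed values, and a real implementation would persist the tables and also age out the allow list:

```python
import time

GREY_DELAY = 300        # seconds a new triplet must wait before a retry is accepted (assumed)
GREY_EXPIRE = 4 * 3600  # seconds an unconfirmed triplet is remembered (assumed)

class Greylist:
    def __init__(self, delay=GREY_DELAY, expire=GREY_EXPIRE):
        self.delay = delay
        self.expire = expire
        self.pending = {}     # triplet -> time of first delivery attempt
        self.allowed = set()  # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return '250 accept' or '451 temporary reject' for one delivery attempt."""
        now = time.time() if now is None else now
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.allowed:
            return "250 accept"
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            # Unknown (or long-forgotten) triplet: ask the sender to try later.
            # Properly configured MTAs queue and retry; much spam software does not.
            self.pending[key] = now
            return "451 temporary reject"
        if now - first < self.delay:
            # Retried too quickly: not the backoff a real mail queue uses, keep rejecting.
            return "451 temporary reject"
        # Retried after the delay: behaves like a real mail server, remember it.
        del self.pending[key]
        self.allowed.add(key)
        return "250 accept"
```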

6. Sender Policy Framework (SPF):

SPF works by having domain owners specify which hosts are authorized to send email for their domain. If the host sending the email is not an authorized source, the email is marked as spam. This method can cause false positives if a legitimate user sends an email from an unauthorized location, such as a mobile phone.

Knowing what the major spam detection mechanisms are, and to what extent each may create false positives, will help you make an informed decision on how to choose and configure an anti-spam filtering solution.

Editor Note: This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on what your anti-spam filter should include.

SecPoint Releases New Version of its Multi-threaded TCP Port Scanner

(LiveHacking.Com) – SecPoint, a Danish IT security network company, has released a new version of its multi-threaded TCP port scanner. The new version, which is released under a BSD-style license and includes the source code, adds new features such as SYN scanning.

Other new features include:

  • Added host name resolution
  • Added option -o for output to file in plain text format
  • Added option -oh for output to file in html format
  • Added option -ox for output to file in xml format
  • Reversed the meaning of -r : by default shows port names, with -r does not show them
  • Skipping duplicated open ports: Due to the low delay between two sends, the pcap library may call the receive function multiple times for the same port. Increasing the delay time, this problem can be bypassed, but it will slow down processing. With this solution, it’s possible to keep a low delay and avoid duplicates at once.
  • Changed name to “portscanner”
  • Added target host name to output, if given
  • Removed printing of options -w and -n for Connect scan
  • Help message changed according to the new options

Using the program is simple and the ability to start multiple scanning threads makes the program quite fast. Running the following command will scan the common ports (ports 1-2000 plus a special selection that makes scanning more efficient):

./portscanner IP

Port ranges can be specified as follows:

./portscanner IP -p 21-80

Use the -s option to perform a SYN scan and -n to increase the number of threads. The default is 10. On our test machine running with -n 100 reduced the scan time for 7473 ports by 75%!

You can find out more here and the tool can be downloaded for Windows and Linux (including the source code) here.