Spam and Outlook

Microsoft Outlook - @SeniorDBA

Many people don’t understand how a spam filter works, especially with the email software from Microsoft called Outlook. In my experience, people are confused about how emails are blocked, or how emails are filtered into the Junk Email folder inside Outlook.

Generally speaking, your email server is usually used to block common unwanted emails, known as spam. This means the email server has the ability built into the server software to detect and filter (block) emails from being delivered to your email interface, or there is some additional software installed and configured to perform that filtering process. This means less unwanted email is delivered to your inbox.

There is an additional feature built into Outlook that looks at the emails delivered to your Outlook client to determine if it should block the email and redirect it into your “Junk E-mail” folder.

Junk E-Mail - @SeniorDBA

Any email forwarded from your email server (usually Exchange, but could be Gmail, Yahoo, etc.) but identified as spam by our Outlook client will be automatically moved to your “Junk E-mail” folder. Depending on your spam filter settings inside the Outlook Options, you may find you missing emails in this folder. You may disable the filter, but that doesn’t mean all your emails will now be delivered to your Outlook inbox.

As we discussed already, the spam filter on the email server could have blocked the email, Outlook may move the email to Junk E-mail, or even your anti-virus software might have blocked the email. If you work with your team in you IT department, they have tools available that can tell them if the server ever received the email, if it was forwarded to our computer, if it was intercepted by your anti-virus software, etc. They will need to know the address of the person sending you the email, when it was sent, and the subject line (when known).

How can I disable the Outlook spam filter?

How can I mark emails detected as spam by Outlook as “not spam”?

Advertisements

Starting an Information Security System

bd051-hacker

The diverse and open nature of the Internet makes it important for businesses to focus on the security of their networks. As companies move business functions to the public network and rely more on remote access, they need to take precautions to ensure that corporate data cannot be compromised. You must also verify that business data is not accessible to unauthorized users.

The traditional problem, before the internet, was securing business assets from physical threats like buglers, and the threat was fairly low because the people with physical access to your office was a fairly low number when compared to the population of the planet. Now anyone with an internet connection can attack your corporate assets, from almost anywhere in the world. Your threat profile has now grown exponentially.

If you haven’t already done so, you should develop an Information Security program to protect your corporate assets.

  1. Define the Perimeter – When you look at your network digram, you should draw a circle around those systems and devices you choose to protect from unauthorized access. This circle will probably include everything, but you might not include systems managed by trusted vendors, or temporary systems you might be using in a test environment. You must also accept that protecting the included systems will cost you money, and you might make a decision to exclude systems because the risk to those systems or devices doesn’t justify the expense. What you have now is your “in-scope systems”, and these are the systems that must be properly configured, monitored, patched, etc.
  2. Properly Configured – Create documentation around how to properly configure each in-scope system, and verify each system has been configured to match that documentation. This includes newly installed systems or replacement devices. You must also put controls in place to verify these systems have the correct version of software installed. This must include service packs, patches, hot fixes, etc. You may also need to work with cloud and vendor supported systems to make sure they consistently meet your standards as well. This includes how to properly configure the network settings, installing anti-virus or anti-malware software, configuring the operating system, etc.
  3. Minimize Access – Each user or system account should only have the minimal access required to operate correctly. There should be a security process for approving any requests for elevated privileges, and those requests should be rarely and infrequently approved. While it will vary depending on your environment and the size of your technology team, you want very few people to have complete control on these critical in-scope systems. Your users should never have access to systems, devices, file shares, etc. when that access isn’t absolutely required. If fewer people have access to critical information or systems, the risk of unauthorized access is significantly diminished.
  4. Change Management – All proposed systems and device changes, including requests for elevated user permissions, should be formally documented and there should be an approval process to review each requested change. There must also be a separation of duties between the person requesting the change and the person making the change. This prevents unauthorized changes from sneaking around the the approval process. You must also have a manager reviewing all actual changes at the end of the week or month and matching them back to the changes submitted through the formal approval process. This will help catch those changes made but not formally approved.
  5. Periodic Reviews – Your team needs to be performing quarterly vulnerability scans. There are multiple tools to help overworked IT technicians complete this task, but what we are recommending is scanning all in-scope systems and devices and matching them against a long list of known security issues. These periodic scans will alert your team to systems that have missing patches or are subject to a known vulnerability that must be addressed to prevent a potential security threat from leading to an attack. This also includes reviewing that circle you put around your in-scope systems. Maybe it is time to move that line to exclude more systems, or to include some additional systems or new devices as your business changes. You should also schedule periodic reviews of who has authenticated access to your network. This includes standard users accounts, employees with remote access, automated system accounts, or remote vendor accounts. This will give you an opportunity to disable or delete terminated employee accounts, remove vendor accounts that no longer need access, etc. All policies and procedures will also require periodic review to make sure they stay accurate and relevant.
  6. Security Training – Every employee plays a part in your overall network security. In the physical security world, it doesn’t make sense to lock the front door but leave all the windows open. It also doesn’t make sense to secure the network and allow your users to tape their network passwords to their monitor or keyboard. Users must be educated about how to secure their passwords, how to select a strong network password, how to secure their mobile devices, etc. There should be initial training for any new employee, and every employee should get a refresher course at least once each calendar year.
  7. Monitor Vendor Alerts – Most vendors have the ability to alert you if they discover a vulnerability for their product. You should sign-up for these alerts and monitor the emails on a daily basis. If there is an email alert about a vulnerability to an in-scope system you need to have procedures around assigning a priority to the alert, how you will score the risk in your environment, and a timeline for taking action on the alerts.
  8. Stay in Control – You must have technical controls in place (firewalls, VPN, ACLs, IPS, etc.) to protect your in-scope systems, but you must also look at non-technical physical controls (door locks, safes, video cameras, fire suppression systems, battery backups, etc.) to protect those same in-scope systems. Make sure you limit physical access to critical systems, and implement any physical controls you need in your environment to protect your systems and business data.
  9. Policies and Procedures – You must document your expectations and verify constant compliance. This includes threats from insider attacks. Make sure you write policies that says what must be done and the penalty for non-compliance, and then write the procedures around how people are to complete technical tasks so that your compliance expectations are met. You must also make sure people are following your policies and procedures while understanding that there are consequences to non-compliance.
  10. Monitor Logs – Someone on your team needs to be monitoring and reviewing the logs from your in-scope systems. This process can be time-consuming and difficult without some additional software to collect and automate that process, but that will depend on your environment and the quantity of in-scope systems. There are multiple solutions available from third-party vendors to simplify this process. The logs from your in-scope systems can be used to track system changes, discover system vulnerabilities, track potential internal or external attacks, list unauthorized access attempts, investigate malware infections, etc.

These steps do not address what you should do to react to an attack or suspected network breach. These listed steps could reduce the risk of a successful attack, but you also need to think about how you must react to an attack or breach and begin planning and documenting your response.

Anti-Virus and SQL Server Exclusion Recommendation

passwords

Anti-virus software is useful for scanning systems for infected files. Anti-virus software basically works by scanning files as they are accessed, looking for “signatures” of known viruses. The issue with this process is SQL Server is very heavily a disk-based storage system, and anti-virus solutions will have to essentially scan the files associated with your databases all the time. This will slow down your server performance, maybe just a second here or there, but that could be the difference in your overall server performance.

Here is my recommendation on what files to exclude from standard anti-virus scanning. Before you implement these changes to seek faster performance, you also need to make sure your server is protected from general internet access. Exclude these files in the configuration of your anti-virus software:

Files:

  • SQL Server data files – Including *.mdf, *.ldf, and *.ndf files.
  • SQL Server backup files – *.bak, and *.trn files.
  • Trace files – *.trc files.
  • SQL audit files (for SQL Server 2008 or later versions) – *.sqlaudit files.
  • SQL query files – *.sql files.
  • Analysis Services data – by default the files are located in the “Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data” folder.
  • Full-Text catalog files – by default located in the “Program Files\Microsoft SQL Server\MSSQL\FTDATA” folder for default instances and “Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA” for named instances.

You may need to tweak the list based on your configuration or security concerns, but some basic testing and analysis will tell you if the effort is worth the boost in server performance. Some of the common anti-virus vendors agree with this recommendation. Even Microsoft recommends these exclusions.

Threats to Corporate Security

passwords

There are things that employees do that can present serious treats to corporate security, and you might not even realize that these simple things can undermine your security efforts. If you are responsible for security at your company, you need to start investigating these issues as simple ways to improve the corporate security at your place of business by educating your team about these risks.

  1. BYOD – Bring Your Own Device is something that almost everyone does today, even at places that specifically ban this process. With smart watches, personal cell phones, cheap tablets, etc. it is almost impossible to keep employees from brings their own devices into the workplace. Many companies don’t even have format policies around what devices are allowed or what systems these devices are banded from being connected to in their environment. The risk is an employee brings an infected device into the office and connects that device to one of your corporate assets like a laptop or server. The infected device is then able to bypass the typical network security and attack that device, potentially stealing corporate secrets or customer data. Education and formal policies are the best security against this type of dangerous behavior, as well as updating your security profile to detect rogue devices.
  2. Social Media – A post on social media may seem harmless to most people, but if the post includes information about a new business project, issues with a new business system, how many servers recently we re infected with a virus, etc. these posts can be used by your business completion to gain an advantage or even used as a source of technical information for international hackers to target your business for a cyber attack. Education is your best weapon against this type of issue.
  3. Poor Technical Security – Your technical team has to always be thinking of system security. This includes assuming responsibility for securing the business systems from both internal and external attacks. The obvious security measures include strong perimeter security through firewalls and intrusion detection, but not so obvious steps around keeping systems updated with security patches, education around recent security threats,  and monitoring vendor sites for announcements about newly discovered vulnerabilities. Make sure the technical team has formal policies and procedures around periodic security checks, and that there is some oversight into the process to it stays important to the entire team.
  4. Social Hacking – Hackers and scammers don’t always attack your assets through remotely hacking your computers, sometimes they just hack your employees. It can start as a simple telephone call asking someone in your office to download a vendor update because their system is outdated and causing a data issue. That seemingly harmless update is really a program that installs an backdoor into your system that allows the hacker access into the secure network. A scammer can also call someone in accounting acting as the CEO, requesting an emergency wire transfer to an off-shore account of $50,000. You need to make sure there are policies and procedures in place that will capture these types of unusual events and route them to someone who can ask the correct questions to uncover a scam and block silly mistakes like these.
  5. Anti-Virus Software – Just because your computer is behind a firewall doesn’t mean it can’t be infected with a virus. Computer viruses can do harmless and annoying things, but they can also do some really serious damage to your corporate computer systems and even shut down your business. While anti-virus software isn’t the most important part of your network security, it is just one part of an overall security infrastructure that will help keep your network secure.
  6. Weak Passwords – Any secure computer system starts with good passwords. A weak password is useless and puts your entire network at risk. Verify the business systems your company uses require strong passwords, and make sure you educate our team to always avoid weak passwords. This education should extend past internal corporate assets to include personal email accounts, social media sites, and their personal banking accounts.

 

Anti-Virus Engines might have Exploitable Flaws

While most computer users have an anti-virus product installed, it might not be making your computer safer. A security researcher has claimed to have found exploitable flaws in 14 major anti-virus engines used by some of the largest security vendors. In a presentation by Joxean Koret, a researcher at Singapore-based consultancy COSEINC, we see the details about how he used a custom fuzzing suite to find bugs in 17 of the major antivirus engines. These are the engines that are used by anti-virus software companies like AVG, Bitdefender, ESET, and F-Secure.

 

Koret explained that almost all of the engines he looked at were written in C and/or C++ coding languages, which could allow attackers to discover and leverage buffer and integer overflow bugs. “Exploiting AV engines is not different to exploiting other client-side applications,” he said. “They don’t offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features.”

If you are interested in software security, this makes for a good read.

AV engines not only need to support such large list of file formats but they also need to do this quickly and better than the vendor.

If an exploit for a new file format appears, customer will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor.

Sample list of vulnerabilities:

  • Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty)
  • Avg: Heap overflow with Cpio (fixed…)/Multiple vulnerabilities with packers
  • Avira: Multiple remote vulnerabilities
  • BitDefender: Multiple remote vulnerabilities
  • ClamAV: Infinite loop with a malformed PE (reported & fixed)
  • Comodo: Heap overflow with Chm
  • DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed)
  • ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers
  • F-Prot: Heap overflows with multiple packers
  • F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed)
  • Panda: Multiple local privilege escalations (reported and partially fixed)
  • eScan: Multiple remote command injection (all fixed? LOL, I doubt…)

    Exploiting an AV engine is like exploiting any other client-side application.

    • Is not like exploiting a browser or a PDF reader.
    • Is more like exploiting an Office file format.

Anti-Virus and SQL Server

sqlserver2014

As a security precaution in your corporate environment, you are usually asked to have anti-virus software installed on all production systems. Some compliance guidelines require anti-virus software on all in-scope systems. So what is a Database Administrator to do, when you are wanting every CPU cycle to be utilized on queries, not scanning data files for virus signatures?

McAfee, Symantec, and other solutions have some basic guidelines for how to configure their anti-virus products on your SQL Server instances, and I’ll review those today. Basically, you want anti-virus to do real-time scanning of files that may be contaminated with virus data, but you want to exclude those files used by the database. Since database files are constantly accessed, this should reduce the wasted CPU cycles and disk I/O delays caused by anti-virus scanning.

You want to exclude scanning of database specific files, including .MDF, .NDF, .LDF, .TRN, .TRC, and .BAK files.

You probably also want to exclude the scanning of SQL Server specific directories, which will reduce time spent by the anti-virus scanner examining the file contents each time they are accessed. The default directories are listed here, but you probably have changed the default paths so you should also specifically exclude those custom paths used by your specific instance.

  • \Program Files\Microsoft SQL Server\MSSQL$instancename\DATA\
  • \Program Files\Microsoft SQL Server\MSSQL$instancename\BACKUP\
  • \Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup\
  • \Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log\

The idea is to target those files which you are concerned might be contaminated, and exclude those files which are in constant use by SQL Server. These exclusions can be configured in the product installed on the server, or through the enterprise configuration tool, to effectively manage these settings.

Consult you specific anti-virus provider for details on how their product can make these exclusions work on your SQL Server instance. These changes are designed to help guide you to a security compromise that helps balance security with your desire for optimal performance.