CyberSight: Security

Urban myths

Firewalls... are not impenetrable

After virus checkers, firewalls are the most widely deployed security measure in organisations. They are, however, only a small part of a comprehensive security system. Being a perimeter defence - designed to protect against intruders from outside a company - they cannot address the largest proportion of security violations, which originate inside organisations. Firewalls were introduced to protect against the "old school" of hacking, which consisted primarily of external penetration attempts. As established as firewalls are, they are far from impenetrable, and because they have been around for so long people have found more and more ways to get around them. Also, as they become more advanced they get very expensive and require even more expensive hardware and dedicated staff to manage and run effectively.

Firewalls do play an important part in protecting local networks from outside attacks. However, no matter how good the firewall, systems remain vulnerable to both internal and external attacks. The newer hacking tools are designed to bypass firewalls altogether using several methods, including HTTP tunnelling, which makes network traffic look just like web traffic and is therefore passed straight through by the firewall. Most firewalls work by restricting communication between the local network and the outside world - typically by restricting port access. However, if users are given browser access to the World Wide Web they must have HTTP access. This requires opening a door in the firewall (port 80) to enable HTTP (the protocol used to browse the Internet). Unfortunately this "door" can also be used for other communication with the Internet - bypassing the firewall. Some firewalls use a middle-stage process to check for viruses. They do not, however, check for the thousands of hacking tools, processes and other threats that are readily and freely available.

Whilst some firewalls use this middle stage to look for known threat signatures, it is a simple task for the hacker to modify the threat, sometimes by an action as simple as changing a file name or extension. More seriously, the hacker's ability to disguise the threat by "wrapping" it in a seemingly harmless document renders the firewall all but useless. Emails also completely bypass firewalls. If an email contains a hacking tool wrapped in another harmless application, it can install itself inside the network and invite hackers in. Once these tools are on the internal system, any unscrupulous user can use them on the internal network.

The new breed of hacking tool is designed NOT to be detected by the fingerprinting techniques used by virus detection engines, the protocol-based threat signatures used by network analysis tools or the port-number-based detection used by network utilities. Not only are they difficult to detect, most hacking tools are designed to be difficult to remove.

CyberSight™ is like having a very fine mesh net inside your existing security net to catch and detect everything that gets past your firewall. The majority of current security products do exactly what they say on the tin but there are methods of bypassing them all. CyberSight™ complements your existing security system - it is not designed to replace it. However, if you currently have no security in place at all, there is no more cost-effective solution on the market. Because CyberSight™ works at the lowest level possible, there is no way of hiding from it. If a threat exists on your system, CyberSight™ will detect it and, if required, remove it immediately.

Virus checkers... will never detect the vast majority of threats

Virus checkers are the most frequently used method of security protection. However, they only check for viruses (and a handful of the more common trojans) - that is what they are designed to do. The vast majority of threats - illicit material, hacking tools, pirated software, etc. - are not viruses and will therefore never be detected by this type of security. Some of the more publicised trojans are picked up by virus checkers (NetBus and BackOrifice, for example) but there are thousands that aren't and never will be. There are even tools available which render virus checkers totally ineffective. Anti-virus software relies on a "fingerprint database" of known viruses. Provided this is kept up to date you are protected. However, protection against new viruses depends on your virus checker supplier indexing the new threat and releasing an update. Unfortunately this can often take months, during which time your organisation is fully exposed to any new threats. Hacker threats, by their design, are undetectable because, unlike viruses, they take no pre-determined action. They can therefore remain on a system indefinitely. For this reason many organisations are completely unaware of the ongoing threat they pose. In fact, even when the hacking tool is used, victims may be totally unaware that they have been hacked.

CyberSight™ is like having a very fine mesh net inside your existing security net to catch and detect everything that is missed by your anti-virus software. The majority of current security products do exactly what they say on the tin, but there are methods of bypassing them all. Having loaded several thousand hacking tools and threats that should not be found on a corporate network onto a test system, we then scanned the system using two market-leading virus detectors. Together they detected only a handful of the threats.

If the threat is very new or even specific only to your company (for example, a confidential document that should not be anywhere else on the network) it is very easy to index the threat yourself and detect it instantly. CyberSight™ complements your existing security system - it is not designed to replace it. However, if you currently have no security in place at all, there is no more cost-effective solution on the market. Because CyberSight™ works at the lowest level possible, there is no way of hiding from it. If a threat exists on your system, CyberSight™ will detect it and, if required, remove it immediately.

Encryption... is only effective if your network is secure

Encryption on an insecure network is like having an iron door on a greenhouse. If people can see through the glass then what is the point of an "iron door"?

There are a large number of companies offering "unique" ways of encrypting all of your data using massive encryption keys that can "never" be broken. Even if you don't use encryption, most programs allow you to protect your work with a password. However, if you don't have enough security in place, it is remarkably easy for anyone to bypass any encryption by watching or recording you as you work. And for those of you who haven't wasted enormous amounts of time and effort on a proprietary encryption system, there are many tools freely downloadable from the Internet designed specifically to remove passwords from Word, Excel, Access and many other products. Unfortunately the majority of system encryption methods have been compromised, and encrypted files can therefore be cracked (broken into) automatically by many tools freely available on the Internet.

Even the widely used DES and Triple DES security standards have fallen. Whilst encryption is a method that an organisation can use to protect its information, it is a double-edged sword, as some users may also be using encryption to hide hacking tools and copied commercial and confidential data and documents. Steganography (the art of hiding information inside harmless files such as images) is also a growing area. Tools are now available that can wrap your corporate information up inside photos, sound files and other files, which can then be sent out through your firewall in simple emails. Most disk encryption products are vulnerable because, as soon as you open the encrypted volume, hacker files can gain access, copy out information and even store themselves inside the encrypted volume. PKI keys can run for years, which means that when encryption keys (or passwords) are compromised hackers can have free access for long periods of time.

The only really effective way to protect against this is to detect the presence of these hacking and cryptography tools, whatever their source (not just the Internet). There are many readily available tools which give users, internal or external to your organisation, the ability to see what is on your screen at any time and which keys you press. This can all be recorded and sent to any email address, and it doesn't matter whether encryption is used or not. (The tools probably use encryption themselves to send the data around the network.) Some of the tools available also gain access to your system, collect all your encrypted passwords and send them out through your firewall to external hackers.

CyberSight™ offers you the ability to see who in your network is using these tools to compromise security. It will even tell you if anyone is using another type of encryption to hide their own files.

Network sniffers... will only detect a threat once it's active

Network sniffers are also known as network threat signature detection tools. These tools detect a limited number of active threats by monitoring data on its way through the network. Whilst they do provide protection, there are several drawbacks: the way they operate means that they are inefficient and resource-hungry, and they can only identify threats while those threats are active. Hacking tools now use encryption to hide their network traffic, rendering this form of detection obsolete.

CyberSight™ is like having a very fine mesh net inside your existing security net to catch and detect everything that won't be picked up by your network sniffer. The majority of current security products do exactly what they say on the tin, but there are methods of bypassing them all. CyberSight™ will pick up network-bound security threats before they happen because it detects the tools used to generate the offending traffic. It not only detects tens of thousands of threats, but you can also add your own, which may be specific to your organisation or even to your department only. Because CyberSight™ works at the lowest level possible, there is no way of hiding from it. If a threat exists on your system, CyberSight™ will detect it and, if required, remove it immediately.

Content checkers... are easily bypassed

Content checkers are a very limited form of security. They are usually a perimeter form of defence, i.e. they only check for threats in emails coming from outside the network and not those that are already inside. Also, they typically only check for particular words and viruses. This means that a large number of false positives are often generated by this type of product. If, for instance, an email contained the word "Essex" and "sex" was in the word list, then this email would be unnecessarily held up so that dedicated staff could filter through the queued mail and then send it on its way. This is not an effective use of an operator's time, and the vast majority of threats will not be picked up anyway. With steganography on the increase, it is now possible to hide any file (e.g. a document, program, picture, database, etc.) inside any other file. You could, for example, hide a confidential document inside a harmless picture file. This would not be picked up by any content checker. Wrapping or encrypting documents or executables can also cause the threat to bypass the content checker.
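The "Essex"/"sex" false positive above comes from a word-list filter that matches substrings. The following added example (not part of the original page or the CyberSight product) contrasts that naive check with a whole-word match over a few constructed sample messages, so an operator can see which mail each rule would hold for review.

```python
import re

# Constructed sample messages (not from the original page) used to exercise both filters.
MESSAGES = {
    "essex": "Our Essex office will host the quarterly review next week.",
    "clean": "Please find Monday's agenda attached.",
    "match": "This mailing contains explicit sex content.",
}

# A deliberately tiny word list, as a content checker of the kind described would use.
WORD_LIST = ["sex"]


def naive_filter(text, word_list=WORD_LIST):
    """Substring matching: 'Essex' is flagged because it contains 'sex'."""
    lowered = text.lower()
    return [w for w in word_list if w in lowered]


def word_boundary_filter(text, word_list=WORD_LIST):
    """Whole-word matching: 'sex' must stand alone, so 'Essex' is not flagged."""
    hits = []
    for w in word_list:
        pattern = r"\b" + re.escape(w) + r"\b"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(w)
    return hits


def compare(messages=MESSAGES):
    """Return, per message, which words each filter would hold the mail for."""
    return {
        name: {
            "naive": naive_filter(text),
            "word_boundary": word_boundary_filter(text),
        }
        for name, text in messages.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: naive={result['naive']} word_boundary={result['word_boundary']}")
```

Whole-word matching only removes the false positive the page describes; as the text goes on to say, neither rule sees inside a wrapped, encrypted or steganographically hidden attachment.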

Intruder detection... detects a very limited number of threats

Most intruder detection tools use network sniffing to detect threats. This obviously has the same disadvantage as network sniffers: they only detect threats once they have been activated, and they rely on being able to pick up a threat signature crossing the network. All of the intrusion detection systems detect a very limited number of threats - hundreds rather than thousands. The majority of threats still go undetected. Many of the systems are server-based and cannot, therefore, see what is happening on an individual's computer. Also, many of these systems not only need dedicated staff to configure, run and maintain them, but they need dedicated hardware too - all of which can be very expensive.

CyberSight™ is like having a very fine mesh net inside your existing security net to catch and detect everything that won't be picked up by intrusion detection software. The majority of current security products do exactly what they say on the tin, but there are methods of bypassing them all. CyberSight™ will pick up network-bound security threats before they happen because it detects the tools used to generate the offending traffic. It not only detects tens of thousands of threats, but you can also add your own, which may be specific to your organisation or even to your department only. Because CyberSight™ works at the lowest level possible, there is no way of hiding from it. If a threat exists on your system, CyberSight™ will detect it and, if required, remove it immediately.