FOR: CyberSight treats security as a whole, rather than a discrete collection of individual threats, and is ideal for enforcing company policy.

AGAINST: Nothing.

VERDICT: An ingenious, holistic approach to security, CyberSight is one of the best tools on the market. If you get your security policy right, CyberSight will ensure it is adhered to.

The biggest threat to network security today isn't the latest virus, or the cleverest cracker, or the most ingenious script-kiddie. The biggest threat is that of complacency. How many times have you heard systems administrators gloating about the invulnerability of their networks, simply because they have installed the latest and greatest version of the killer security application du jour?

Unfortunately, too many vendors fuel this complacency by shouting the superiority of their wares from the rooftops, whether it be their up-to-the-minute virus signature list, their impenetrable firewall, or their resistance to hacking. What they don't shout about - obviously - is that anything that can be invented can be deconstructed. A virus scanner with a comprehensive signature list and a clever heuristic engine may be able to detect any hostile program in existence, either known or unknown, but it isn't much use if the scanner itself has been disabled, or altered in some way to render it blind. For every security product, someone out there is constantly finding ways to circumvent it.

Of course, there appears to be a flaw in this argument. For the security product itself to be attacked, the attacker has to be able to get inside the network. However, this disregards those people already inside the network - the users. Over 60 percent of U.K. threats come from internal users (in the U.S. the figure is 80 percent). These trusted individuals have access to sensitive data and systems - or access to parts of the network that can give them that access.
To the casual observer of the security market, viruses and other hacking tools are the products of crazed geniuses in darkened rooms, not valued employees. But hundreds of malicious tools can already be downloaded from the Internet - and these are not massive programs that will ring alarm bells with the intrusion detectors, but one-line pieces of code, or multiple-zipped files, that can pass through the firewall undetected. Once in place, they can undermine the entire security of the network, blinding the 'infallible' firewall and the 'flawless' virus scanner, or wiping out BIOS and hard-drives. However comprehensive the company security policy, a determined hostile insider is far more dangerous than an external hacker. Which is why a product which determines a defined threat before it happens rather than a specific type of attack after it occurs is welcome news.

Cryptic Software's CyberSight product adopts a holistic approach to the problem. Rather than treating security as a collection of discrete attacks and solutions - firewalls and scanners versus hackers and viruses, for example - CyberSight goes back to basics and considers the true meaning of a threat.

At the core of CyberSight is a database of threats - currently over 250,000 of them, sorted into 250 or so categories. New ones are added every day, and can be downloaded over the Internet. Not only that, but it is very easy to detail threats that are specific to your own organisation and add them to your own database.

But what constitutes a threat? In CyberSight terms, a threat is any file that is inappropriate to the location. In itself, a file might be completely innocuous. But on a certain machine at a certain time, it might suggest suspicious, if not malicious, intent. The aim of CyberSight is to detect preparations for an attack before it takes place: far better than an expensive clean-up programme after the event.
For example, the capital expenditure budget might be perfectly okay on the CIO's machine - where it is meant to be. It might be fine on certain other people's machines when the budget is being discussed. But if it crops up on the wrong machine at the wrong time, it may represent a security breach. And CyberSight will flag it. MP3 files don't represent a threat, surely? But gigabytes of songs downloaded from Napster do represent copyright breach and illegal use of bandwidth and storage. Casual surfing isn't a bad thing, is it? It is when the threat database recognises image names as those residing on a pornographic website, however innocent the URL might appear.

As you can see, the threat database not only contains all manner of traditional threats, from the expected viruses (although Cryptic Software advises that you use CyberSight in conjunction with your existing virus scanners) to the third generation of hacking tools, but also files that are 'inappropriate'. It can even detect threats which have been disguised through multiple zips or other compression techniques. It can also be set to detect suspicious document content. It will flag certain words or sets of words that shouldn't be sitting on your network - racist information, hacking instructions and so on.

Threats are graded in terms of severity, allowing the administrator to react accordingly. A Napster addict might require a quiet word, while someone who has downloaded an app which neutralises the virus scanner or intrusion detector should be frogmarched out of the building. Administration of the threats is intuitive; the GUI allows the most detailed fine-tuning for your specific network needs.

Installation is simple. The server portion can be loaded in minutes, and the server doesn't even have to be running for threat collection to occur.
Even more importantly, the client machine doesn't actually have to be connected to the network for the detection process to take place - increasingly important with remote laptops. And if you want to be really sneaky, the client app can be renamed so even the most suspicious laptop user is unaware of its existence. Cryptic even claims that installation of the client makes the machine run faster!

CyberSight's approach means that a threat becomes far more than just a recognised virus or some familiar hacking software. A threat becomes anything which falls outside the company security policy - and if that policy is comprehensive enough, CyberSight will police it for you. This has to be one of the most innovative products currently on the market, and a must-have for any network administrator who really does want belt-and-braces protection for their system.
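
The idea of a threat as "any file that is inappropriate to the location", graded by severity and found even inside multiple zips, can be sketched as follows. This is an added illustration, not CyberSight's code: matching files by SHA-256 hash is an assumption (the review does not say how the product identifies files), and the host names, categories, severity grades and sample contents are hypothetical.

```python
import hashlib
import io
import zipfile
from datetime import date

MAX_DEPTH = 5                  # refuse to unpack archives nested deeper than this
MAX_MEMBER_BYTES = 10_000_000  # refuse to inflate oversized members (zip bombs)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_zip(name, payload):
    """Wrap payload in an in-memory zip; only used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def scan(path, data, host, today, policy, depth=0):
    """Return (path, category, severity) for content out of place on this host today."""
    findings = []
    rule = policy.get(sha256(data))
    if rule and not any(h == host and start <= today <= end
                        for h, start, end in rule["allowed"]):
        findings.append((path, rule["category"], rule["severity"]))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            return findings + [(path, "archive-nested-too-deep", 3)]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{path}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((inner, "oversized-archive-member", 3))
                    continue
                findings += scan(inner, zf.read(info), host, today, policy, depth + 1)
    return findings

# Constructed sample content and policy (hypothetical hosts, categories, grades).
BUDGET = b"constructed sample: capital expenditure budget"
TOOL = b"constructed sample: tool that disables the virus scanner"
POLICY = {
    sha256(BUDGET): {"category": "confidential-document", "severity": 2,
                     "allowed": [("cio-pc", date.min, date.max),
                                 ("finance-pc", date(2001, 3, 1), date(2001, 3, 31))]},
    sha256(TOOL): {"category": "hacking-tool", "severity": 5, "allowed": []},
}

if __name__ == "__main__":
    nested = build_zip("inner.zip", build_zip("tool.exe", TOOL))
    print(scan("budget.xls", BUDGET, "finance-pc", date(2001, 6, 1), POLICY))
    print(scan("holiday.zip", nested, "laptop-7", date(2001, 6, 1), POLICY))
```

The same budget file is clean on the CIO's machine, clean on the finance machine during the review window, and a finding anywhere else or at any other time, which is the distinction a signature-only scanner cannot express.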

SC On-Line

Copyright © 2001 West Coast Publishing. All rights reserved.