Frequently Asked Questions
General FAQ
- Protecting data, especially sensitive data within the internal network.
- Preventing attacks that derive from the direct connection between the sensitive internal network and the internet.
- Protecting against indirect attacks that occur when seemingly innocent files, carrying hidden attachments or embedded objects, are taken into the internal network; such files can cause data leakage and leave the network exposed rather than secure.
- Advanced threats within the incoming files.
- Sensitive information leakage within outgoing files.
YazamTech provides peace of mind to the organization by mitigating risks of cyber threats thanks to YazamTech’s trustworthy products.
When all other lines of defense fail, YazamTech protects the customer’s data with proven, reliable, professional and user-friendly solutions.
Today’s security landscape requires proactive and layered protection and that’s exactly what YazamTech technology offers.
YazamTech products are applicable across industries including:
- Finance: Banks, Insurance.
- Health Care: Hospitals, Clinics.
- Education.
- Industrial.
- National infrastructure: Electricity, Water, Gas.
- Telecommunication & Media.
- Transportation: Air, Marine, Ground.
- Government: Federal, State, Local.
- Law Enforcement: Police, Security Service, Border Control, Coast Guard.
- Military.
Technical FAQ
When the organization uses only one network, and that network is connected to the internet, an attacker from the outside can penetrate the internal sensitive network and hit the organization’s data, damaging its availability, integrity, reliability and confidentiality.
Even when the organization uses two dedicated networks, it may face the same risks since the attacker can penetrate into the internal network and cause the same damages to the data.
A more secure topology is to use separate networks, in which the internal sensitive networks are at all times physically disconnected from the less sensitive networks, and from the internet in particular.
Despite this, there is still a need for:
- Insertion of external information into the sensitive network.
- Flow of internal information into public networks.
Since files flow in and out, the internal sensitive data must be protected against:
- Attacks from the outside within incoming data.
- Leakage of sensitive information within outgoing data.
An attacker may be able to insert malicious code into any file, including common file types that you would normally consider safe. After corrupting the file, an attacker may distribute it through removable media, email, or post it to a website. Depending on the type of malicious code, you may infect your computer by just opening the file.
There are various types of malicious code, not only viruses, worms and Trojan horses; popular anti-virus products protect against only part of these threats.
Malicious code may be designed to perform one or more functions, including:
- Interfering with your computer's ability to process information by consuming memory or bandwidth (causing your computer to become significantly slower or even "freeze")
- Installing, altering, or deleting files on your computer
- Giving the attacker access to your computer
- Using your computer to attack other computers (see Understanding Denial-of-Service Attacks for more information).
Files are the basic technique used to transfer information between computers.
- Files are a potential platform for malicious code.
- Files are a potential platform for leakage of sensitive information.
- Opening a file without filtering it exposes you to danger.
- When corrupting files, attackers often take advantage of vulnerabilities that they discover in the software that is used to create or open the file. These vulnerabilities may allow attackers to insert and execute malicious scripts or code.
For automatic filtering (Directory Watcher):
- Can be fed with files manually or by an application (FTP, for instance).
- Source and target directories are defined.
- Different filtering policy for each source directory.
- On-line monitoring.
For interactive filtering (On-Demand):
- Source and target locations can be set by drive type: fixed, removable, optical, network, and unknown, or be a custom folder: local, remote and delegated.
- User management: access control, filters allocation.
- Filtered files can be burned onto removable media.
- Installed as a dedicated Kiosk or on the employee’s workstation.
- Can invoke filtering engine locally or remotely.
For E-mail filtering:
- An email is composed of three groups of files: body, attachments and inline objects. Current security systems (mail gateways, mail relays) lack a high level of filtering for all three: body, attachments and inline objects.
- Deep file filtering for components of the email message: body, attachments and inline objects.
- Repackaged Email messages with only authorized filtered attachments/objects.
- Specific attachments and embedded objects treatment: blocking files and objects with security hazards, as well as performing actions to remove hazards.
- Full flexibility and compatibility with market needs.
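As an added illustration of the repackaging idea above (this is example code, not YazamTech’s product or API), the following uses Python’s standard `email` package to parse a constructed inbound message, give each attachment a verdict against a constructed allow-list of declared type versus real leading bytes, and rebuild the message with the original body and only the authorized attachments.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed allow-list of (extension -> leading magic bytes) the gateway accepts.
ALLOWED = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}

def attachment_verdict(part):
    """Return (keep, reason) for one attachment part of a parsed message."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED:
        return False, "forbidden file type"
    if not data.startswith(ALLOWED[ext]):       # declared type vs real content
        return False, "fake file extension"
    return True, "ok"

def repackage(raw):
    """Rebuild the message: original headers and text body, only authorized attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        if msg[h]:
            out[h] = msg[h]
    body = msg.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body else "")
    report = []
    for part in msg.iter_attachments():
        keep, reason = attachment_verdict(part)
        report.append((part.get_filename(), keep, reason))
        if keep:
            out.add_attachment(part.get_payload(decode=True),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(),
                               filename=part.get_filename())
    return out, report

def build_sample():
    """Constructed inbound mail: a real PDF, an EXE, and an EXE renamed to .pdf."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "report"
    m.set_content("see attached")
    m.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="q1.pdf")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="tool.exe")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="pdf", filename="fake.pdf")
    return m.as_bytes()
```

Inline objects (multipart/related parts) would be walked the same way; the report is what a monitoring console would show for each dropped part.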
For 3rd party applications:
- API to the filtering engine, usable by any kind of 3rd party application.
- Types of API: web interface / command-line utility / DCOM.
Static:
- On removable media (CD, DVD, Flash based devices).
In motion, by protocol:
- Emails: process of sending and receiving files (SMTP, IMAP, POP3).
- Browsing: process of downloading files (HTTP, HTTPS).
- Transferring: process of uploading and downloading files (FTP, SFTP).
In motion, by applications of secure file sharing and storage solutions:
- Cloud vendors: Google Drive, Microsoft OneDrive (SkyDrive), Apple iCloud Drive, Amazon AWS.
- Cloud applications: Gmail, Dropbox, Hightail, Skype.
- Mobile applications.
Anti-virus, the most traditional response in existence, is a classic solution against already known threats, and in most cases is based on signature detection.
Symantec, the giant anti-virus manufacturer, has itself readily admitted: “AV software, which is used to prevent, detect and remove or disarm malicious computer programs and malware threats, is not sufficient protection on its own because it only protects against the bad software that we already know exists.
- Essentially, antivirus is only a passive technology.
- We have to know about a threat in order to be able to write a detection for it.
- So, although AV does a good job of catching new variants of existing threats, it doesn't catch everything.
- Today’s security landscape requires proactive attack protection to supplement basic AV. Using just AV is like fighting the enemy with one arm tied behind your back.”
We can conclude that Anti-Virus is not a sufficiently secure tool when there is a need to provide an adequate solution against Zero Day Attacks (unknown attacks). In most cases, anti-virus is only a reactive technology which needs to recognize a threat in order to provide its detection and prevention. Therefore, to meet the challenges of today’s threats, there is a necessity to implement a real deep content filtering system that is much more than merely Anti-Virus.
Firewalls, also a traditional response, are a classic solution when there is a need for a direct connection between the internal sensitive network and the external network (internet). A firewall is not a sufficiently secure tool when there is a need for physical separation between two networks while still allowing file transfer between them. Therefore, where physical separation between networks is needed, an alternative solution based on physical rather than logical separation must be implemented.
A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.
The common Sandbox is missing a security response for:
- Threats within files that are executable files.
- Removing risk-carrying objects from files.
Therefore, to meet the challenges of today’s threats, there is a necessity to implement a real deep content filtering system, of which the sandbox is only part, as with Anti-Virus.
Manual:
- When there is a need to control the filtering process.
- Usually while checking files from removable media (CD, DVD, Flash devices).
Automatic:
- When there is a need to filter without the involvement of a human user.
- In most cases, files for filtering are created/transferred automatically by a 3rd party application, e.g.: Emails, FTP, MFT.
API / Command-line:
- When there is a need for the filtering engine to be operated by 3rd party applications.
Any file type may contain malicious code, as well as leaked sensitive information. Examples of popular file families that need to be filtered include: Microsoft Office (Word, Excel, PowerPoint …), Adobe (PDF and others), text files, message files, image files, sound files, video files, HTML files, XML files and archive files.
Blocking the filtered file for the following reasons:
- Forbidden file type.
- Fake file extension.
- Forbidden content (word, expression).
- A virus found.
- Forbidden object/content inside.
- File over size limitation.
Remove from the filtered file:
- Forbidden embedded objects/attachments.
- Forbidden objects and content.
- Hidden objects and content.
- Metadata and Properties.
Recursive actions:
- Disassemble complex filtered file.
- Filter the internals.
- Rebuild/reassemble it back.
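The block and recursive actions listed above, as an added example in Python (not YazamTech’s engine; the size limit, forbidden word, magic-byte table and nesting limit are constructed policy values): a nested ZIP is disassembled, each internal file gets a block/allow verdict with the reason named in the list, nested archives are filtered recursively, and the archive is reassembled with only the authorized content.

```python
import io
import zipfile

FORBIDDEN_WORDS = (b"CONFIDENTIAL",)       # constructed content rule
MAGIC = {".pdf": b"%PDF-", ".txt": None}   # None: no magic bytes to check

def verdict(name, data):
    """Block/allow decision for one non-archive file, with the FAQ's reason."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in MAGIC:
        return "block: forbidden file type"
    if MAGIC[ext] is not None and not data.startswith(MAGIC[ext]):
        return "block: fake file extension"
    if len(data) > 1_000_000:                  # constructed size limit (bytes)
        return "block: file over size limitation"
    if any(w in data for w in FORBIDDEN_WORDS):
        return "block: forbidden content"
    return "allow"

def filter_zip(data, depth=0):
    """Disassemble a ZIP, filter its internals recursively, reassemble it."""
    report, out_buf = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out_buf, "w") as zout:
        for info in zin.infolist():
            member = zin.read(info)
            if member.startswith(b"PK\x03\x04"):          # nested archive by content
                if depth >= 3:                            # constructed nesting limit
                    report.append((info.filename, "block: nesting too deep"))
                    continue
                rebuilt, sub = filter_zip(member, depth + 1)
                report += [(info.filename + "/" + n, v) for n, v in sub]
                zout.writestr(info.filename, rebuilt)
                continue
            v = verdict(info.filename, member)
            report.append((info.filename, v))
            if v == "allow":                              # only authorized content survives
                zout.writestr(info.filename, member)
    return out_buf.getvalue(), report

def build_sample():
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.txt", b"plan is CONFIDENTIAL")   # constructed leak
        z.writestr("readme.txt", b"public notes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("q1.pdf", b"%PDF-1.4 sample")
        z.writestr("tool.pdf", b"MZ\x90\x00")              # EXE renamed to .pdf
        z.writestr("bundle.zip", inner.getvalue())
    return outer.getvalue()
```

Running `filter_zip` a second time over its own output yields an all-"allow" report, which is a cheap self-check that the reassembled archive contains only authorized files.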