|
go to top
The Problem Today, Security is a major concern and becoming more challenging by the use of Internet, Intranets, remote customers, business partners, and employees who work from home, hotels, airports, client’s sites, and satellite offices. |
|---|
| • | The primary need of each of these groups is the easy and efficient access to their organization's resources from any location. Both internal and external securities are costing companies billions of dollars and Security is a big issue and so fare we have not seen a true answer to security. |
|---|---|
| • | Another major concern is the vulnerability and sensitivity of the data where users of security software are at the mercy of such software and their venders and firewalls plus employees who handle such important data. Governments with their arm forces and sensitive information, banks, investment companies and privacy of individuals (such as medical and financial records) are at very high risk due to both internal and external security. |
| • | The biggest misleading of security the public do not understand is the fact that their encrypted and secured data is circulated throughout the World Wide Web and that the major web corporations and their clients and subcontractors have copies of such encrypted secured data which can be decrypted and used. There are also companies and individuals that are ear-dropping on web connected links and do get copies of these encrypted and secured data. |
| • | Another mistaken belief by the public is when it comes to security, the public believes that antivirus software is all the security they need, while hackers are breaking into big business database. |
| • | Browser-side security is another major misconception that even IT professionals are missing and not even aware of its potential danger or damage. Basically, users on the browser-side receive their secure application as XML and HTML pages with applets, JavaScript, or any programming code embedded within the pages. With tools such as byte-code readers, Java Reflection and decompilers, any hacker with little IT knowledge may be able to get a map and structure of the server-side and the database that are communicating with the pages sent to the browser. We believe that there are companies or governments that may have developed automated software that would be able to decode and read the browser-side code the same way the original code developers do. In simple terms, these hackers may be reading and debugging the browser-side code with hardly any effort. |
|
go to top
Traditional Thinking Traditionally, most people think of security as building a fence(s) between you and the thieves and keep a watchful eye on the valuables and your security problem is resolved. If it is this simple, banks and governments would not have any security issues and life would be a lot simpler. We need to present the following scenarios and show the security issue and its actual shocking picture. |
|---|
| • |
Hackers:
Sadly to say that Hollywood movies have made most people think of hackers as losers who have nothing to do but to cause problems for the rest of us. In reality, hackers can be a well disciplined group of professionals that make a living hacking our information. They can be well funded and know what they are doing. They can be working for governments or antigovernment with well structured teams that have the funds and the latest technological tools. |
|---|---|
| • |
Hacker’s job:
Hacker’s job is to get information. Hackers will do what it takes to see what the users see, smell what users smell and run what the users run. They will eventually place themselves between the users and the system and run the show. |
| • |
Hacker’s Tools:
Hackers have the same software you are running. They may have Digital Signature Initiative, authentication protocols, Encryption software plus a number of other tools such as decompilers, byte-readers, search and debuggers. They may be able to get a copy of the source code of the programs you are running and debug their code and know how to get the data. They may also have automated tools that run their software for them and make their job a lot easier. However, the hacker threat might become increasingly serious as more advanced attack tools are developed and an exponentially growing number of poorly maintained software are running. |
| • |
A Motherboard Chip:
A computer chip may be placed in the computer/server motherboard and runs and keeps track of all data and programs running on the system. It can also send copies of your hard drive to a remote site and no one will know or suspect its presence. |
| • |
Virus:
A program (virus) located on the system may be able to keep track of programs, screens, keystrokes and data. It can also send copies of your hard drive to a remote site. |
| • |
Batch Processing Virus:
A program (virus) that only runs as a batch processing when things are quiet and the system has hardly any activity; it will run and remotely hack your system and data and then it puts itself to sleep until the next batch processing. |
| • |
Remote Programs:
A remote program can hack your system and run your system as it wishes. |
| • |
Employees:
Employees are the biggest problem when it comes to security. They are the developers, the system administrators, the users and the trustees of the system and its performance. They are humans with intelligence that may out smart any gadgets or figure out system faults and use them to steel, hack, damage, abuse and sabotage the data. Traditionally, most security threats on information networks have been performed by the hacker community. Internal security threats are more numerous than outsiders. Additionally, there is no debate that insider security threats pose a far greater level of risk than do outsider attacks. |
| • |
Drive-by-Hacking:
With the rapid grown of wireless and the easiness of picking wireless signals from neighbors, anyone with the right equipment can drive through a neighborhood and hack any of the wireless system and get information from personal or companies’ computers with ease. |
|
go to top
Cost of Security Security’s cost is a burden that both companies as well as individuals have been paying for. Billions of dollars are spent on building secure system and it is ongoing burden that changes with the technology. Most small to medium size companies are running virus protection as their security, which it is not. Security venders are quite a few and each claims to have the answer to the security problem. The cost of maintaining a security system is quite high and the concern is that every few month hackers break through systems of major institutes and security phobia run wild. Cost of security can be measured in term of the follows: • Time/Money/Effort • Peace of mind - feeling of security • Protection of privacy • Maintenance • Institute’s reputation and standing go to top Building a Secure System Secure system may mean different things for different people and true security is more of a relative term. Therefore, “Building a Secure System” may have different interpretations. Most systems are vulnerable and protecting them is essential to their owners. The attack may come from within the institutes or outside them, the fact how can you build a true secure system? Building a secure system is ongoing task and the price for maintenance is quite high in term of time, money and effort. |
|---|
|
go to top Total Picture It seems that organization's IT professionals, security consultants, and system administrators are missing the big picture. Simply, any computer system is composed of: • Users • Software • Hardware Software is mainly Programs and Data. To secure each of these is almost impossible due to a vast number of users, software and their complexities, platforms, software venders, hardware and their locations and data. Today, software systems are getting quite complex and huge for one type security to handle. Security can be implemented at every level of software, hardware as well as the users of any system. System performance, cost and users’ convenience should not be compromised because of system security. This requires that any security system should be a comprehensive answer to all the system parts (hardware, software and users). Any security system should be dynamic, scalable and able to change with technologies and cost effective. Users should not be at the mercy of the security software and their venders and would be able to modify and upgrade the system to adjust to their need and security requirements without paying a costly consulting fees. Security software should be more of a homegrown system that is easy to implement and maintain. go to top Size of Business and Competition It is very hard to put a dollar figure to the cost of security, but every computer including mobile phone is a security risk. Therefore the size and magnitude of “Security” as a business is quite considerable. Security software and specially web security are run by a small number of venders and security clients are terrified and at the mercy of these security venders. The fear is not a surprising one, but what is done by these security software and venders is a joke. So fare, security software and firewalls have reduced the number of amateurs, but professional hackers are finding more holes in operation systems and security software. go to top End-to-End Solution We believe that security should cover users, software and hardware and a security system should be architected to close all the gaps and leaks the system may have, without sacrificing performance and user’s convenience. Most of the existing securities for hardware and software have a number of great features that do secure the system, but there is always room for improvements. We also like to add the fact both operating systems and web/application servers have leaks and holes and hackers are finding ways to use these leaks and holes. A secure system has to handle these leaks and holes or at least prevent unauthorized access from getting into the system. In case of an attack, a secure system should be able to restart where left off without any lost of data, business and time. In other words, the system backup should be also handled by security. Our main focus at this point in time is the users and data. Secure system should limit system access to only specified users (internal and external) and keep unauthorized users out of the system. As for data, a secure system should make data an unsolvable puzzle that will not be of any value or make any sense to anyone without un-puzzling it. In other words, if an unauthorized (internal or external) user gets a hold of our data, he will not be able to un-puzzle our data and the data will be of no value and make no sense. The cost and time of developing a secure system and maintaining such a system should be within most companies’ budget. A secure system should be a dynamic system that can be easily changed, maintained, upgraded, and scaled, with reusable components. go to top ZebraSoft.com’s Answer Our approach is simple to understand, implement and maintain. Since most companies have or spent millions on protecting hardware and software, ZebraSoft.com’s focuses on users, data and communication. We use the following principles: • “Garbage-in, Garbage-out” • Encryption/Hashing using Mathematical Formulas with too many constants • Mapping Objects/Routing Objects are used to communicate • Dynamic Memory Heap Processing with Nested Objects • Template Design • Components Design • Make it Simple We are not here to give our secrets away, but we do want to show IT professionals that we can help companies build a secure system that is simple and easy to understand, implement and maintain. The idea here is the system we will be building is so dynamic, it uses objects and changes with system clock to make even an embedded computer chip on the motherboard or a virus that running our system is unable to do any of the following: • Process our information • Keep track of our information • Copy any data or objects • Run our objects Not only that, but also by the time the chip or virus figures out the information, the next second or system clock, a new set of objects, formulas, hashing, encryption and templates are used. To make things even worse, some of these processes are dummies or decoy. How do you build such a system? Object Oriented Design (OOD) is a way of thinking and Components Architect is its true implementation. Templates design gives components the power to change processes on the fly with hardly any effort. This may sound simple and it is since a good architect with reusable components that uses templates, will be able to perform an infinite number processes with small development effort. Basically our system may look to hackers as a chaotic mess, but in reality it is a well organized system with too many dynamic variables that only the company developing (not even ZebraSoft.com) such a system knows its components, structure, communication, processes and encryption, secretes and implementation. Decompiling the system code will not help solve the puzzle we are building since its pieces are coming and going from different sources. Nature has the best designs. Our system would look like a honeybee hive and to the average observer, the hive looks like a chaotic mess with too many bees coming and going and no one can tell which bee is doing what, but in reality, it is a well organized system with each individual bee having a unique task. Some of the bees have the task of going out and locating flowers and returning to inform other bees where to find the flowers. Some bees are guards and protect the hive. Our system is modeled after a bee hive, where each object has a unique task and interfaces with the rest of system components the same way bees interact with the rest of the bee colony. Some objects have the task of insuring that only authorized users access the system, other objects encrypt data and so on. To hackers our systems will look like a hive of objects coming and going in all directions. Hackers will not be able to figure out which object is doing what task; and this is our puzzle that our system is built on. The second important aspect of our design is we use templates to create numerous patterns that will take great effort to figure out which is which. Building such a system does need a well structured and documented independent components and interfaces. Our system is composed of the following: • Security Zones • Security Communication Links • Puzzles go to top Architect/e-Security Model ZebraSoft.com’s main goal is to help companies build a homegrown web security system that is practical, cost-effective and dynamic which will provide a true web security to the users. Such a homegrown system will free these companies from security software and their venders. The system is very simple to develop, test, integrate, use, scale and maintain. Also, it can be integrated with existing security systems. We will help companies build the system, and show them details of applying security secrets, but these companies will be the only keepers of their security details and not ZebraSoft.com. In short, we will provide “The-Know-How”, but what is implemented and how are companies’ decisions and secrets. The system architect is divided into the following zones as shown in the e-Security Model: • Brower • Server • Application • Database Communication Links is performed by: • e-Object (browser) • w-Object (server) • a-Object (application) • d-Object (database) Puzzles are objects that do all the processing and use the following objects: • Encryption • Transfer Data • Transfer Processes • Processes • Protocols • Mapping • Hashing • Routing • Puzzle • Dummy • Interfaces |
|---|