On November 2nd, 2012, the GhostShell hacker group published an announcement on the Internet. It threatened to launch wide-ranging activities aimed at cracking the information resources of Russian government institutions. The operation was called ‘Project BlackStar’. In this way the hackers voiced their discontent with the current situation in Russia and with government policy.
It should be mentioned that the group had already carried out part of the plan by stealing and publishing 2.5 million accounts and records of various government institutions on the web. The list included large state companies and educational, research and financial organizations.
How was this possible, given that these organizations have large budgets for information security tools and protection systems?
Some experts agree that government institutions are careless with regard to the requirements of the regulators and the regulatory framework. The requirements are either not complied with at all or are only partially complied with. Besides, hackers themselves know the security requirements and use this knowledge in their activities. As for the big companies, their information security systems are usually modern and comply with all the requirements.
Some experts think that the most effective solution in this case would be regular audits of the information security tools in enterprises and state organizations. On the other hand, what is there to check, if even the most popular protection methods are imperfect and ineffective, for example, against zero-day threats? Cracking and leaks occur regularly. One can be certain that GhostShell will succeed on the fronts of the cyberwar, because no one can offer effective protection yet.
Let’s try to understand how this happens. There are two reasons:
- Errors and vulnerabilities in the software that controls the information systems of enterprises and organizations.
- The human factor, which in turn is divided into:
Let’s start with the second reason: the human factor. It is possible that there is an insider in the target organization, i.e. a person who for some reason does not wish the employer well and leaks confidential information deliberately. If it is a system administrator, it is in his or her power to ‘leave the back door open’, that is, not to close a detected vulnerability and to inform hackers about it.
Moreover, there are many people in any organization who are not advanced users and have very little idea about the basics of information security. These people can accidentally become victims of phishing, connect an infected flash drive to a computer, pick up a virus from the Internet, or send important information to social networks, friends, etc., without realizing it.
Errors in software
The main thing attackers exploit is errors and vulnerabilities in software. Errors creep into any software during its design and development. Many of them are not detected during testing and operation. Hackers scrutinize the target, find undetected errors and penetrate the organization’s network through them. It should be mentioned that it is impossible to fix all the bugs in a program, especially in a complex enterprise system.
Today, such errors and vulnerabilities are called zero-day threats. The idea is that until a hacker penetrates an organization’s network with the help of some vulnerability, nobody knows about it. Neither the software developers nor the developers of information security systems are aware of it. Such security gaps remain unprotected, and hackers actively use them, which poses a serious security threat.
A hacker scrutinizes the target, finds errors and penetrates the network through them. To find such errors, a hacker needs to reverse engineer the target program in order to understand how it works.
There are systems designed to detect the suspicious activity of violators and stop it. Such systems are called Intrusion Prevention Systems (IPS). According to the statistics, however, they do not work well enough and malfunction from time to time. Besides, IPSs themselves have vulnerabilities that can help hackers bypass them. The same applies to DLP systems (Data Leak Prevention or Data Loss Prevention). They are designed to protect the confidential information circulating in an organization against leakage and uncontrolled use. But these systems are also susceptible to the same zero-day threats.
From an unexpected quarter…
Printing and scanning devices operate in every corporate network. Today, such devices are complex, all-in-one hardware and software systems. A large organization can have dozens or even hundreds of them. The devices are often controlled not just by firmware, but by entire operating systems with many functions, such as emailing. Recently, hackers have been widely using vulnerabilities in the software of such devices in order to extract information from them and penetrate the corporate network, because a lot of confidential information passes through a printer.
There was a case at the University of Washington in which a student gained access to and downloaded the examination questions several weeks before the exams began. The teaching staff had been printing the questions. Using errors in the software that controlled the printer, the student obtained elevated privileges in the system and controlled the printer remotely. He could track and download all the documents being printed and had even penetrated the university network.
Nobody could have imagined such a scenario just a few months earlier. Huge numbers of office devices around the world are actually becoming a ‘back door’ into corporate networks. Printer manufacturers release firmware updates and hotfixes for the operating systems, but none of this prevents violators from discovering new errors again and again. There are still many vulnerabilities nobody knows about. Protecting the software of multi-purpose devices against reverse engineering could solve the problem to a great extent.
To sum up all the above, today there are no protection systems that can effectively resist zero-day threats. The state and the market need a tool that provides preventive protection of software systems against such threats, independently of updates to anti-virus databases and black and white lists. Such a tool should not depend on updates and should be able to prevent hackers from finding and exploiting vulnerabilities.
Since a violator decompiles and analyzes a program prior to intrusion, reliable protection of the program code against cracking can complicate a hacker’s job and make it very difficult to penetrate the guarded system. The program itself operates as usual. The only side effect is an insignificant increase in the hardware resources required to run the protected program. However, this does not pose a serious problem given the current level of hardware development.
Both application software and the programs that provide security should be protected. This includes anti-viruses, firewalls, modules and components of DLP, IPS and CMS systems, email software, etc. Multi-purpose printing devices controlled by complex applications need protection as well. A lot of important information passes through them, and they can become a ‘back door’ into the corporate network.
About StarForce Technologies
StarForce Technologies (www.star-force.com) is a leading vendor of information protection, copy protection and code obfuscation solutions for software, electronic content and audio/video files. Since 2000, StarForce has been successfully developing and implementing its state-of-the-art security solutions, providing copyright and intellectual property protection worldwide. Two of these solutions have been transformed into StarForce cloud services: sfcontent.com protects e-Documents against illegal copying and distribution, and sfletter.com secures emails.
StarForce is a reliable and responsible Technological Partner for enterprises potentially incurring losses due to cyber-gangs, hackers, software piracy, unauthorized data access and information leaks. StarForce’s customers are Russian Railways, Corel, 1C, Mail.ru, Aeroflot, SUN InBev Russia, AMD Labs, ATC International, MediaHouse, Russobit M, New Disc, Buka, Snowball, 2Play, GFI, CENEGA, Akella, etc.