An Armour Against Hackers
Written by Resmi Jaimon   
Monday, 17 November 2008 00:00

An application that will keep hackers at bay by thinking of every conceivable security attack option? Well, that is exactly what iViZ, an Indian information security firm, has come out with.

The Internet may have changed our lives but it also has made networks vulnerable and prone to hacking, leading to the loss of revenue, data and productivity. Such theft can affect all levels of organisations, irrespective of their size or nature.

iViZ, a budding Indian information security firm, has come up with a solution to prevent such frauds and possible attacks. In the words of Bala Girisaballa, vice president and head, Product Strategy and Marketing, iViZ Security: "We have developed the world's first tool to simulate human hacker intelligence to detect all possible paths of attack in a system or a network. This system will also suggest suitable remedies."

The birth of iViZ

iViZ was started in 2004 and has its roots in IIT-Kharagpur, with both its founders, Bikash Barai (CEO and co-founder) and Nilanjan De (CTO and co-founder), being alumni of the institute. The journey began as a security solutions company, focused on helping organisations secure their infrastructure. "While conducting one conventional penetration testing exercise, it dawned on the founders that even as security experts, they couldn't comprehensively detect all multi-stage attack path possibilities," says Girisaballa. The team also realised that all organisations find it difficult to hire good security experts and find it even more difficult to retain them, resulting in customers never having enough competent people to run security tools.

According to Girisaballa, "The founders realised that it is impossible to be exhaustive for testers using manual methods; once a system is broken, there is little additional incentive to find other ways, and companies realise that it is important to conduct security testing but they don't do it often enough because of the time-intensive, manual and expensive effort."

This, he says, prompted the founders of iViZ to develop an automated testing tool that can simulate the hacker's mind, which is fast, comprehensive, and cost-effective.

Girisaballa explains, "We explored the usage of Artificial Intelligence (AI) to simulate all multi-stage attack possibilities. A prototype was built and refined over a nine-month period. It was stabilised after testing in several environments. Thus, the automated penetration-testing product was born." This technology is currently 'patent pending' with the USPTO (United States Patents & Trademark Office).

The tech side

iViZ penetration testing is an on-demand service that can be scheduled by customers anytime and anywhere, over the Internet. Users can schedule these tests to run at a periodic interval on specific networks. The tests themselves are automatically conducted. iViZ also includes all stages of vulnerability assessment such as information gathering, fingerprinting, and goes beyond that by doing multi-stage attack analysis, protocol link analysis, exploitation and reporting.

Since iViZ's penetration testing is provided as an on-demand service remotely from iViZ's security operations centre, customers do not have to provision for any testing hardware or software themselves. For specialised testing, iViZ provides the same service as an appliance from inside the customer's network as well. An appliance is a hardware box which has iViZ's software pre-installed in it. Since testing of networks behind a company firewall cannot be done over the Internet, the appliance can be physically plugged inside the customer's network to conduct testing. The company helps customers in perimeter testing, internal network testing and Web application testing. Take, for instance, the case of online e-commerce sites, which are high value targets for hacking attacks. "If broken in, their websites can be manipulated to commit fraud. Incidentally, the global loss due to data theft is estimated to be $40 billion in 2007. Also, non-availability of a transaction heavy website will also result in revenue loss. To ensure safety and availability of their websites, these companies conduct robust penetration testing regularly to proactively secure their websites," says Girisaballa.

Technology highlights

Finds all possible attack paths: Normal tools may miss out several indirect ways in which hackers break into a network. iViZ has a solution for this in the form of automated Multi-Stage Attack Simulation (MAS), where the product tests all possible ways by which a network could get compromised.

Testing the human element: Hackers know their way in and out. They usually target unsuspecting users using social engineering tactics and fool them into divulging critical information. iViZ's technology can automatically conduct controlled social engineering attacks to measure security awareness and also train users.

On demand: The Software as a Service (SaaS) approach to provide on-demand penetration testing eliminates the need for expensive tools and professionals. The subscription-based solution addresses security and compliance needs in an easy, efficient and cost-effective way.

Encouraging creativity and innovation

The vision of the iViZ team is to make the Web a safe place. "We have provided free security advisory services in the event of major hacking attacks impacting Indian websites. This initiative was well received in the market and now iViZ is planning to launch it as a permanent service to provide free advisory services for common users," says Girisaballa.

The team at iViZ strives to contribute significantly towards digital security worldwide by protecting government, corporate and personal digital data from falling into the wrong hands. It operates in a highly evolving area of information security where at least five new security vulnerabilities are discovered every day. "To survive and grow, iViZ has built creativity and innovation into its DNA," says Girisaballa.

The company has taken initiatives to empower the team, challenging it to test its own limits, providing creative and entrepreneurial freedom and celebrating achievements. It has programs designed to achieve higher levels of innovation:

Hack Saturdays: Saturdays are meant for hacks! iViZ believes that to build a good security-testing product, you have to think like a hacker. For this, the team meets up on certain Saturdays and does hack drills where it gets into the mind of a hacker and explores ways that are not conventionally perceivable. The results from here are used to build a better product that can prevent hacks and protect customers from security threats.

Do the impossible: Individuals come up with very high team targets that are conventionally considered impossible and then attempt to beat them. This forces them to challenge their own assumptions, find radically new paths to solutions, or altogether disrupt logical axioms. This helps the team to not only expand its capabilities but also to think outside the box. The achievements are always well celebrated!

Idea dump week: It is human to forget why one does certain things in certain ways, particularly when one does them every day. This is why the iViZ team puts on the creative hat and, for a designated week, goes on an idea rampage. The office atmosphere is supercharged as hundreds of ideas of all kinds (big, small, tough, easy) are dumped into a wiki page. The ideas relate to all functions and can range from a patentable technology to just plain fun.

Looking to the future

In the future, iViZ plans to broaden its technology to integrate with additional security related components, for example, a patch management system, so that along with identifying the real security vulnerabilities it can also provide remediation capabilities.

Another area of development is in the mobile and wireless space. Today there is a proliferation of wireless applications and devices. There are new classes of vulnerabilities that are emerging that are unique to this space. iViZ intends to provide solutions to help customers handle threats in this area.

In the coming years, iViZ's plan includes extending the product into the wireless and mobile space as well as into innovations in collaborative security testing. This is one company that seems bent on giving hackers a tough time, while ensuring the user's security.

 