

Title:
A SECURE REMOTE ACCESS SYSTEM AND METHOD
Document Type and Number:
WIPO Patent Application WO/2023/031907
Kind Code:
A1
Abstract:
The presently disclosed subject matter aims to provide a multi-factor authentication system for controlled remote access. The system is intended to eliminate the need to transport a service provider to the location of a component in need of care, as it allows the service provider to interact with said component remotely (thereby saving the costs associated with bringing the service provider to the location of the purchased component), while maintaining the highest cyber security standards (for example, military standards, and the like).

Inventors:
COHEN MOTI (IL)
Application Number:
PCT/IL2022/050877
Publication Date:
March 09, 2023
Filing Date:
August 11, 2022
Assignee:
THE ISRAEL ELECTRIC CORP LTD (IL)
International Classes:
H04W12/08; H04W48/20; G06F9/54; H04W12/06; H04W12/084
Domestic Patent References:
WO2014062337A12014-04-24
Foreign References:
US20150200934A12015-07-16
US20090037654A12009-02-05
US9258295B12016-02-09
US6636898B12003-10-21
Attorney, Agent or Firm:
AMAR, Omer et al. (IL)
Claims:
CLAIMS:

1. A system for providing secure remote access, the system comprising: an internal authentication system of an organization, the internal authentication system comprising an internal authentication system processing circuitry; a remote workstation remote from the internal authentication system, the remote workstation comprising a remote workstation processing circuitry; wherein the remote workstation processing circuitry is configured to: (a) perform a Basic Input/Output System (BIOS) check, (b) authenticate a user logging in to the remote workstation using user credentials, (c) obtain hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtain software information by executing one or more software checks for validating software installed on the remote workstation; upon the BIOS check and the user authentication being successful, the remote workstation processing circuitry is further configured to establish a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system of the organization; after successful establishment of the VPN tunnel, the remote workstation processing circuitry is further configured to send the hardware identification information and the software information to the internal authentication system; and wherein the internal authentication system processing circuitry is configured to validate the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; upon the remote workstation validation being successful, the internal authentication system processing circuitry is further configured to provide the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

2. The system of claim 1, wherein the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.

3. The system of claim 1, wherein the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.

4. The system of claim 1, wherein the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.

5. The system of claim 1, wherein the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.

6. The system of claim 1, wherein the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.

7. The system of claim 1, wherein the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.

8. The system of claim 1, wherein the software information includes information associated with one or more software components installed on the remote workstation.

9. The system of claim 8, wherein: the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.

10. The system of claim 1, wherein the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.

11. The system of claim 1, wherein the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.

12. The system of claim 1, wherein the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.

13. The system of claim 1, wherein the remote workstation further comprises antivirus software.

14. The system of claim 1, wherein the internal authentication system further comprises firewall software.

15. The system of claim 1, wherein the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.

16. The system of claim 1, wherein a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.

17. The system of claim 1, wherein a session conducted via the VPN tunnel is recorded and stored on a data repository.

18. The system of claim 1, wherein the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.

19. The system of claim 18, wherein the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.

20. A method for providing secure remote access, the method comprising: in a remote workstation remote from an internal authentication system of an organization:

(a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of an organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

21. The method of claim 20, wherein the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.

22. The method of claim 20, wherein the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.

23. The method of claim 20, wherein the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.

24. The method of claim 20, wherein the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.

25. The method of claim 20, wherein the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.

26. The method of claim 20, wherein the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.

27. The method of claim 20, wherein the software information includes information associated with one or more software components installed on the remote workstation.

28. The method of claim 27, wherein: the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.

29. The method of claim 20, wherein the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.

30. The method of claim 20, wherein the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.

31. The method of claim 20, wherein the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.

32. The method of claim 20, wherein the remote workstation further comprises antivirus software.

33. The method of claim 20, wherein the internal authentication system further comprises firewall software.

34. The method of claim 20, wherein the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.

35. The method of claim 20, wherein a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.

36. The method of claim 20, wherein a session conducted via the VPN tunnel is recorded and stored on a data repository.

37. The method of claim 20, wherein the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.

38. The method of claim 37, wherein the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.

39. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor to perform a secure remote access method, the secure remote access comprising one or more components, the method comprising: in a remote workstation remote from an internal authentication system of an organization:

(a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of the organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

Description:
A SECURE REMOTE ACCESS SYSTEM AND METHOD

TECHNICAL FIELD

The present invention relates to the field of secure remote access systems and methods.

BACKGROUND

Secure remote access is an umbrella under which a number of security strategies reside. These strategies are directed to any security policy or solution that prevents unauthorized access to an internal network or sensitive data.

With the proliferation of internet-connected devices, an organization’s workforce is no longer limited to a single location. Instead, an organization may have employees connecting to their internal network and accessing sensitive data from locations worldwide. This rise in the number of endpoints (laptops, servers, tablets, smartphones) requiring access to corporate networks substantially broadens the range of attackable targets for malicious actors.

To address these ever-growing threats, there is a need in the art for a new secure remote access system and method.

GENERAL DESCRIPTION

In accordance with a first aspect of the presently disclosed subject matter, there is provided a system for providing secure remote access, the system comprising: an internal authentication system of an organization, the internal authentication system comprising an internal authentication system processing circuitry; a remote workstation remote from the internal authentication system, the remote workstation comprising a remote workstation processing circuitry; wherein the remote workstation processing circuitry is configured to: (a) perform a Basic Input/Output System (BIOS) check, (b) authenticate a user logging in to the remote workstation using user credentials, (c) obtain hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtain software information by executing one or more software checks for validating software installed on the remote workstation; upon the BIOS check and the user authentication being successful, the remote workstation processing circuitry is further configured to establish a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system of the organization; after successful establishment of the VPN tunnel, the remote workstation processing circuitry is further configured to send the hardware identification information and the software information to the internal authentication system; and wherein the internal authentication system processing circuitry is configured to validate the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; upon the remote workstation validation being successful, the internal authentication system processing circuitry is further configured to provide the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

In some cases, the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.

In some cases, the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.

In some cases, the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.

In some cases, the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.

In some cases, the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation. In some cases, the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.

In some cases, the software information includes information associated with one or more software components installed on the remote workstation.

In some cases, the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.
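The software checks listed above (a DLL integrity check, file name change identification and file deletion identification) can all be driven from one reference manifest of expected files and their hashes. The following is an added example, not code from the patent or its assignee: it hashes the files under an install root, compares them with a manifest, and reports modified, deleted, renamed and unexpected files, which is the kind of "software information" the workstation would send to the internal authentication system. The manifest format, the report layout and the sample file tree are assumptions constructed for the example.

```python
"""Added example (not the patent's code): a manifest-based software integrity
check of the kind the page lists as a source of 'software information'.
The manifest format and the report layout are assumptions."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_software(root: str, manifest: Dict[str, str]) -> Dict[str, List]:
    """manifest maps a path relative to root to its expected SHA-256.
    Returns sorted lists of modified, deleted, renamed and unexpected files."""
    # Hash everything currently present under root.
    current: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            current[rel] = sha256_file(full)

    report: Dict[str, List] = {"modified": [], "deleted": [], "renamed": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            # Same content present under a name the manifest does not know:
            # treated as a rename rather than a deletion.
            others = [p for p, d in current.items() if d == digest and p not in manifest]
            if others:
                report["renamed"].append((rel, others[0]))
            else:
                report["deleted"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)

    renamed_targets = {new for _, new in report["renamed"]}
    for rel in current:
        if rel not in manifest and rel not in renamed_targets:
            report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List]:
    """Constructed sample: build a tiny install tree, record its manifest,
    then tamper with it in each of the ways the check is meant to detect."""
    root = tempfile.mkdtemp()
    files = {
        "bin/agent.exe": b"agent v1",
        "lib/crypto.dll": b"dll bytes",
        "lib/net.dll": b"net bytes",
        "etc/policy.cfg": b"policy",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    manifest = {rel: sha256_file(os.path.join(root, rel)) for rel in files}

    # Tamper: modify one DLL, rename another, delete the config, add a stray file.
    with open(os.path.join(root, "lib/crypto.dll"), "wb") as f:
        f.write(b"patched dll")
    os.rename(os.path.join(root, "lib/net.dll"), os.path.join(root, "lib/net_old.dll"))
    os.remove(os.path.join(root, "etc/policy.cfg"))
    with open(os.path.join(root, "bin/extra.exe"), "wb") as f:
        f.write(b"stray")
    return check_software(root, manifest)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

A rename is only reported when the original content survives under an unknown name; if a file is both renamed and modified, it shows up as deleted plus unexpected, which is the conservative outcome for a check whose output gates access.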

In some cases, the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.

In some cases, the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.

In some cases, the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.

In some cases, the remote workstation further comprises anti-virus software.

In some cases, the internal authentication system further comprises firewall software.

In some cases, the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.

In some cases, a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.

In some cases, a session conducted via the VPN tunnel is recorded and stored on a data repository.

In some cases, the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user. In some cases, the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.
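The server-side step the first aspect assigns to the internal authentication system, validating the hardware identification information and the software information against stored references, and the pre-approved time window from the paragraph above, can be expressed as one decision function. The following is an added example, not the patent's or the assignee's code: it compares a workstation's report with an enrolled reference, treats any missing, mismatched or unknown hardware identifier and any missing or mismatched software component as a failure, and refuses requests outside an approved window. The field names, the record layout and the sample values are assumptions.

```python
"""Added example (not the patent's code): the validation the page assigns to
the internal authentication system. Field names and policy are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class Reference:
    """What the organization holds on record for one enrolled workstation."""
    hardware: Dict[str, str]                      # e.g. disk / cpu / rom identifiers
    software: Dict[str, str]                      # component -> expected hash
    approvals: List[Tuple[datetime, datetime]] = field(default_factory=list)


@dataclass
class Report:
    """What the workstation sends once the VPN tunnel is up."""
    hardware: Dict[str, str]
    software: Dict[str, str]
    received_at: datetime


def validate(report: Report, ref: Reference) -> Dict[str, object]:
    """Return {'granted': bool, 'reasons': [...]}; an empty reasons list means pass."""
    reasons: List[str] = []
    # Every recorded hardware identifier must match exactly; a missing field is a
    # mismatch, and an identifier the reference does not know is also rejected.
    for key, expected in ref.hardware.items():
        if report.hardware.get(key) != expected:
            reasons.append(f"hardware:{key}")
    for key in report.hardware:
        if key not in ref.hardware:
            reasons.append(f"hardware:unexpected:{key}")
    # Every expected software component must be present with the expected hash.
    for comp, expected in ref.software.items():
        got = report.software.get(comp)
        if got is None:
            reasons.append(f"software:missing:{comp}")
        elif got != expected:
            reasons.append(f"software:mismatch:{comp}")
    # The request must fall inside a pre-approved time window.
    if not any(start <= report.received_at <= end for start, end in ref.approvals):
        reasons.append("approval:outside-window")
    return {"granted": not reasons, "reasons": reasons}


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed sample: one conforming report and one with a swapped disk,
    a missing VPN client entry and a timestamp outside the approved window."""
    def at(hour: int) -> datetime:
        return datetime(2023, 3, 9, hour, tzinfo=timezone.utc)

    ref = Reference(
        hardware={"disk": "SN-DISK-0001", "cpu": "CPU-ID-AAAA", "rom": "ROM-REV-07"},
        software={"agent": "h_agent_v1", "vpn_client": "h_vpn_v3"},
        approvals=[(at(9), at(12))],
    )
    ok = Report(hardware=dict(ref.hardware), software=dict(ref.software), received_at=at(10))
    bad = Report(hardware={**ref.hardware, "disk": "SN-DISK-9999"},
                 software={"agent": "h_agent_v1"}, received_at=at(13))
    return validate(ok, ref), validate(bad, ref)


if __name__ == "__main__":
    good, failed = demo()
    print("conforming:", good)
    print("tampered:", failed)
```

Only a report with an empty reasons list should unlock the second credentials in the vault for the onward connection to the secured system; collecting every failure reason instead of stopping at the first one gives the monitoring operator a complete picture of why a workstation was refused.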

In accordance with a second aspect of the presently disclosed subject matter, there is provided a method for providing secure remote access, the method comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of an organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

In some cases, the user credentials include at least one of: (a) a username, (b) a password, (c) biometric information, (d) facial recognition, or (e) a Hardware Security Module (HSM) generated identifier.

In some cases, the remote workstation further comprises an agent configured to collect one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system.

In some cases, the VPN tunnel is configured to allow only input obtained using a keyboard or a mouse connected to the remote workstation to be sent from the remote workstation to the internal authentication system.

In some cases, the hardware identification information includes identification information identifying at least one of: one or more hard disks connected to the remote workstation, one or more Read Only Memory (ROM) modules of the remote workstation, one or more Central Processing Units (CPUs) of the remote workstation.

In some cases, the hardware identification information includes identification information identifying at least one external hardware device detachably connected to the remote workstation.

In some cases, the hardware identification information is obtained by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system.

In some cases, the software information includes information associated with one or more software components installed on the remote workstation.

In some cases, the software information is obtained by one or more of: (a) executing one or more executables on the remote workstation, (b) executing a DLLs integrity check on the remote workstation, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks.

In some cases, the software information is obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system.

In some cases, the limited access to the at least one component in the secured system of the organization is performed using the second user credentials stored on a logical electronic vault.

In some cases, the remote workstation further comprises a control agent configured to block external devices connection to the remote workstation.

In some cases, the remote workstation further comprises anti-virus software.

In some cases, the internal authentication system further comprises firewall software.

In some cases, the remote workstation further comprises an agent configured to prevent the remote workstation from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation, (b) file deletion of at least part of the files stored on the remote workstation, or (c) file execution of at least part of the files stored on the remote workstation.

In some cases, a session conducted via the VPN tunnel is monitored by a human operator and wherein the human operator can provide a termination instruction to the VPN tunnel, thereby terminating the connection between the remote workstation and the internal authentication system.

In some cases, a session conducted via the VPN tunnel is recorded and stored on a data repository.

In some cases, the VPN channel is established only if a request to establish secure remote access is pre-approved by an internal user.

In some cases, the pre-approval defines a time window for the secure remote access, and wherein the VPN channel is establishable only during the time-window.

In accordance with a third aspect of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor to perform a secure remote access method, the secure remote access comprising one or more components, the method comprising: in a remote workstation remote from an internal authentication system of an organization: (a) performing a Basic Input/Output System (BIOS) check, (b) authenticating a user logging in to the remote workstation using user credentials, (c) obtaining hardware identification information identifying at least part of the hardware of the remote workstation, and (d) obtaining software information by executing one or more software checks for validating software installed on the remote workstation; establishing a Virtual Private Network (VPN) tunnel between the remote workstation and the internal authentication system; sending the hardware identification information and the software information to the internal authentication system; and, in the internal authentication system of the organization: validating the remote workstation by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information; providing the remote workstation with limited access to at least one component of a secured system of the organization via the VPN tunnel and a second secure connection established between the internal authentication system and the secured system, wherein the second secured connection is established using second user credentials, other than the user credentials.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to understand the presently disclosed subject matter and to see how it may be carried out in practice, the subject matter will now be described, by way of nonlimiting examples only, with reference to the accompanying drawings, in which:

Fig. 1 is a schematic illustration of an environment of a secure remote access system, in accordance with the presently disclosed subject matter;

Fig. 2 is a block diagram schematically illustrating one example of an internal authentication system, in accordance with the presently disclosed subject matter;

Fig. 3 is a block diagram schematically illustrating one example of a remote workstation, in accordance with the presently disclosed subject matter; and,

Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out by a remote workstation and an internal authentication system, in accordance with the presently disclosed subject matter.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the presently disclosed subject matter. However, it will be understood by those skilled in the art that the presently disclosed subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the presently disclosed subject matter.

In the drawings and descriptions set forth, identical reference numerals indicate those components that are common to different embodiments or configurations.

Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “obtaining”, “performing”, “sending”, “providing”, “validating”, “establishing”, “collecting”, “authenticating”, “preventing”, “allowing”, “blocking” or the like, include action and/or processes of a computer that manipulate and/or transform data into other data, said data represented as physical quantities, e.g. such as electronic quantities, and/or said data representing the physical objects. The terms “computer”, “processor”, “processing resource”, “processing circuitry”, and “controller” should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.

The operations in accordance with the teachings herein may be performed by a computer specially constructed for the desired purposes or by a general-purpose computer specially configured for the desired purpose by a computer program stored in a non-transitory computer readable storage medium. The term "non-transitory" is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.

As used herein, the phrase "for example," "such as", "for instance" and variants thereof describe non-limiting embodiments of the presently disclosed subject matter. Reference in the specification to "one case", "some cases", "other cases" or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter. Thus, the appearance of the phrase "one case", "some cases", "other cases" or variants thereof does not necessarily refer to the same embodiment(s).

It is appreciated that, unless specifically stated otherwise, certain features of the presently disclosed subject matter, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the presently disclosed subject matter, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.

In embodiments of the presently disclosed subject matter, fewer, more and/or different stages than those shown in Fig. 4 may be executed. In embodiments of the presently disclosed subject matter one or more stages illustrated in Fig. 4 may be executed in a different order and/or one or more groups of stages may be executed simultaneously. Figs. 2 and 3 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter. Each module in Figs. 2 and 3 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein. The modules in Figs. 2 and 3 may be centralized in one location or dispersed over more than one location. In other embodiments of the presently disclosed subject matter, the system may comprise fewer, more, and/or different modules than those shown in Figs. 2 and 3.

Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.

Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.

Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to a method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.

By way of introduction, nowadays, enterprises purchasing components from companies worldwide have to pay millions of dollars in service agreements in situations where a malfunction in the purchased component occurs and the service of a service provider, e.g., a technician or an engineer, on behalf of the company is required. Aside from the cost of the service provider’s work, the service agreements may include additional costs associated with transporting the aforementioned service provider to the location of the purchased component (flight costs, living costs, etc.) in cases where there is no service branch of the company in the vicinity of the purchased component’s location.

In a particular example, a company situated in Israel purchasing a component from, for example, Siemens (based in Germany), would have to pay Siemens a substantial amount of money, as part of the service agreement, for the transportation of a Siemens service provider from Germany to Israel in cases of need.

The presently disclosed subject matter aims to provide a Multi-Factor Authentication system for controlled remote access. This system would eliminate the need to transport a service provider to the location of the component needing care and would allow the service provider to interact with the purchased component remotely (thus saving the costs involved in bringing the service provider to the location of the purchased component) while keeping the highest cybersecurity standards (e.g., military standards).

Bearing this in mind, attention is drawn to Fig. 1, showing a schematic illustration of an environment of the secure remote access system, in accordance with the presently disclosed subject matter.

In the schematic illustration, environment 100 includes an internal authentication system 200 in communication with a secured system 300 and a remote workstation 400 situated, for example, at a location remote from the location of the secured system 300. Both the internal authentication system 200 and the secured system 300 can be, for example, part of an organization network such that the secured system 300 may be inaccessible from outside the organizational network. In fact, according to the presently disclosed subject matter, a user using the remote workstation 400 does not have direct access to the secured system 300, as he is not in the vicinity of the secured system 300, nor can he easily reach the vicinity of the secured system 300. The remote workstation 400, and by virtue of its location also the user, can be, for example, in another city, state, country or continent, or on the other side of the world from the secured system 300, making it impossible for the user at the location of the remote workstation 400 to reach the secured system 300 in cases where immediate attention is needed.

Given the fact that the secured system 300 is located at a different location than the remote workstation 400, the user is required to operate the secured system 300 from afar.

Attention is now drawn to the components of the internal authentication system 200.

Fig. 2 is a block diagram schematically illustrating one example of the internal authentication system 200, in accordance with the presently disclosed subject matter.

In accordance with the presently disclosed subject matter, internal authentication system 200 (also interchangeably referred to herein as “system 200”) includes a processing circuitry 202 linked to a data repository 204 and a network interface 206. The system 200 further includes an authentication module 208, which operates in conjunction with the processing circuitry 202 and data repository 204 to perform the presently disclosed subject matter. All of the components 202, 204, 206, and 208 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.

The processing circuitry 202 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 200 resources and for enabling operations related to system's 200 resources.

The data repository 204 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) can be configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like. Data repository 204 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 204 can be distributed, while the system 200 has access to the information stored thereon, e.g., via a wired or wireless network to which system 200 is able to connect (utilizing its network interface 206).

The network interface 206 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 200 to communicate over a network with external systems and handles inbound and outbound communications from such systems, such as secured system 300, remote workstation 400, etc.

The authentication module 208 is configured to execute one or more authentication processes, as further detailed herein, inter alia with reference to Fig. 4.

Attention is now drawn to the components of the remote workstation 400.

Fig. 3 is a block diagram schematically illustrating one example of the remote workstation 400, in accordance with the presently disclosed subject matter.

In accordance with the presently disclosed subject matter, remote workstation 400 (also interchangeably referred to herein as “system 400”) includes a processing circuitry 402 linked to a data repository 404 and a network interface 406. The system 400 further includes an authentication module 408, which operates in conjunction with the processing circuitry 402 and data repository 404 to perform the presently disclosed subject matter. All of the components 402, 404, 406, and 408 are linked to each other so as to be in direct and/or indirect electronic and/or data communication with each other.

The processing circuitry 402 can be one or more processing units (e.g., central processing units), microprocessors, microcontrollers (e.g., microcontroller units (MCUs)), or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 400 resources and for enabling operations related to system's 400 resources.

The data repository 404 (e.g., a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) can be configured to store data, optionally including, inter alia, user credentials, hardware identification information (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.), software information (e.g., checksums of various software, etc.), software checks, BIOS events logs, VPN sessions, time windows, and the like. Data repository 404 can be further configured to enable retrieval and/or update and/or deletion of the stored data. It is to be noted that in some cases, data repository 404 can be distributed, while the system 400 has access to the information stored thereon, e.g., via a wired or wireless network to which system 400 is able to connect (utilizing its network interface 406).

The network interface 406 (e.g., a network card, a WiFi client, a LiFi client, 3G/4G client, or any other component) enables system 400 to communicate over a network with external systems and handles inbound and outbound communications from such systems.

The authentication module 408 is configured to execute one or more authentication procedures, as further detailed herein, inter alia with reference to Fig. 4.

Turning to Fig. 4, there is shown a flowchart illustrating one example of a sequence of operations carried out for authenticating and enabling a predefined and limited interaction between remote workstation 400 and secured system 300, in accordance with the presently disclosed subject matter. Accordingly, the secure remote access system can be configured to perform a computer-implemented process 500, e.g., using authentication modules 208 and 408.

For this purpose, the remote workstation 400, through its authentication module 408, performs a Basic Input/Output System (BIOS) check, and authenticates a user logging into the remote workstation using user credentials (block 502).

The Basic Input/Output System (BIOS) check includes executing a BIOS integrity measurement mechanism on the remote workstation 400 and validating the results. In some cases, in addition to, or as an alternative for the BIOS check, a logging mechanism can be utilized to track changes to the BIOS, and such logging mechanism can be used to verify that no deviation from the original configuration of the remote workstation 400 has been made. The remote workstation 400 can utilize, for example, an agent configured to collect the one or more BIOS events logs and send the collected BIOS events logs to the internal authentication system 200 for verification that no changes have been made to the remote workstation’s 400 BIOS.

The user authentication can prompt the user logging into the remote workstation 400 to supply user credentials. The user credentials can be, for example, at least one of: a username, a password, biometric information (e.g., fingerprint, retina scan, etc.), facial recognition, or a Hardware Security Module (HSM) generated identifier, or any other means that can be used to identify the user logging into the remote workstation 400.

In addition to the Basic Input/Output System (BIOS) check and the user authentication, the remote workstation 400 also obtains hardware identification information identifying at least part of the hardware of the remote workstation 400 (e.g., hard disks, Read Only Memory (ROM) modules, Central Processing Units (CPUs), external hardware devices detachably connected, etc.) and software information (e.g., checksums of various software, etc.) by executing one or more software checks for validating software installed on the remote workstation 400 (e.g., at least one of: an anti-virus software, firewall software, and the like).

Upon the BIOS check and the user authentication being successful, an attempt to establish a Virtual Private Network (VPN) tunnel, through, for example, an encrypted link, between the remote workstation 400 and the internal authentication system 200 is made (block 504). The VPN tunnel is directed, for example, to allow only input obtained using a keyboard or a mouse connected to the remote workstation 400 to be sent from the remote workstation 400 to the internal authentication system 200. In some cases, the VPN tunnel is established only if a request to establish secure remote access is pre-approved by an internal user. The internal user can be, for example, the person who ordered a service provider to assist in handling e.g., a malfunction, while the request to establish the secure remote access may be sent by the service provider through the remote workstation 400. As part of the pre-approval process, a time window for the secure remote access may be defined such that the VPN tunnel is establishable only during this specific time window. This makes it possible to verify that the connection between the remote workstation 400 and internal authentication system 200 was an authorized connection within an authorized time frame.

The remote workstation 400 sends hardware identification information and software information to the internal authentication system 200 through a session conducted via the VPN tunnel (block 506). The session can be, for example, recorded and stored on data repository 204 and/or monitored by a human operator that can provide a termination instruction to the VPN tunnel so as to immediately terminate the connection between the remote workstation 400 and the internal authentication system 200 in case of any suspicion.

The hardware identification information sent by the remote workstation 400 can include identification information identifying at least one of: one or more hard disks connected to the remote workstation 400, one or more Read Only Memory (ROM) modules of the remote workstation 400, one or more Central Processing Units (CPUs) of the remote workstation 400, and one or more external hardware devices detachably connected to the remote workstation 400. The identification information is obtained, for example, by a log agent configured to collect the hardware identification information and send the collected hardware identification information to the internal authentication system 200.

The software information sent by the remote workstation 400 includes information associated with one or more software components installed on the remote workstation 400, which is obtained, for example, by one or more of: (a) executing one or more executables on the remote workstation 400, (b) executing a DLL integrity check on the remote workstation 400, (c) executing one or more file name change identification checks, (d) executing one or more file deletion identification checks. Alternatively or additionally, the software information may be obtained by a log agent configured to collect the software information and send the collected software information to the internal authentication system 200. This makes it possible to verify that no deviation from the original configuration of the remote workstation 400 has been made and that the remote workstation 400 was not compromised.

As information sent by remote workstation 400 reaches internal authentication system 200, the internal authentication system 200 validates the remote workstation 400, through authentication module 208, by (a) validating the hardware identification information utilizing reference hardware information, and (b) validating the software information using reference software information (block 508).

Upon successful validation of the remote workstation 400 by the internal authentication system 200, the internal authentication system 200 provides the remote workstation 400 with limited access to at least one component of the secured system 300. The limited access is achieved by generating a secure communication channel between the internal authentication system 200 and the secured system 300 (block 510), which, along with the VPN tunnel established between the remote workstation 400 and the internal authentication system 200, creates an indirect communication path between the remote workstation 400 and the secured system 300.

The communication channel is established, for example, using second user credentials that are different from the credentials initially entered by the user. The second user credentials may be, for example, stored on a logical electronic vault, making them unknown to the user of the remote workstation 400.
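The following Python model is an added example and is not code from the application or from the assignee; it illustrates blocks 504 to 508 of process 500 as described above, from the point of view of internal authentication system 200: the pre-approved time window that gates the VPN tunnel, the checksum-based software information the remote workstation 400 reports, and the comparison of hardware identification information and software information against reference information held in data repository 204. The class names, the report format (a dictionary per category), the finding strings and all sample values are assumptions made for the example; the BIOS check and user authentication of block 502 are assumed to have already passed on the workstation.

```python
# Added example, not code from the patent application: a model of blocks 504
# to 508 of process 500, in which internal authentication system 200 checks the
# pre-approved time window and validates the workstation's hardware identifiers
# and software checksums against the reference held in data repository 204.
# All names, schemas and sample values are constructed assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PreApproval:
    """Internal user's pre-approval of one request: who may connect, and when."""
    user: str
    window_start: datetime
    window_end: datetime

@dataclass(frozen=True)
class ReferenceProfile:
    """Reference hardware and software information for one workstation."""
    hardware_ids: dict     # component name -> expected identifier
    software_sha256: dict  # file name -> expected SHA-256 hex digest

def collect_software_info(files: dict) -> dict:
    """Workstation side (block 506): checksum each installed file. Input is a
    mapping name -> bytes so the example runs without touching a disk."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def vpn_allowed(approval, user: str, now: datetime) -> bool:
    """Block 504: tunnel only for the pre-approved user inside the approved window."""
    if approval is None or approval.user != user:
        return False
    return approval.window_start <= now <= approval.window_end

def validate_workstation(ref: ReferenceProfile, hardware_ids: dict, software_info: dict) -> list:
    """Block 508: compare the report with the reference; an empty list of
    findings means the workstation validated successfully."""
    findings = []
    # (a) hardware: each reference component must be present with the expected
    #     identifier; an unknown component (e.g. a newly attached device) is flagged.
    for comp, expected in ref.hardware_ids.items():
        got = hardware_ids.get(comp)
        if got is None:
            findings.append(f"hardware: {comp} missing from report")
        elif not hmac.compare_digest(got, expected):
            findings.append(f"hardware: {comp} identifier mismatch")
    for comp in sorted(hardware_ids.keys() - ref.hardware_ids.keys()):
        findings.append(f"hardware: unexpected component {comp}")
    # (b) software: a missing name covers deletion or renaming, a digest mismatch
    #     covers modification, an unknown name covers a foreign file.
    for name, expected in ref.software_sha256.items():
        got = software_info.get(name)
        if got is None:
            findings.append(f"software: {name} missing (deleted or renamed)")
        elif not hmac.compare_digest(got, expected):
            findings.append(f"software: {name} checksum mismatch")
    for name in sorted(software_info.keys() - ref.software_sha256.keys()):
        findings.append(f"software: unexpected file {name}")
    return findings

def decide(approval, user, now, ref, hardware_ids, software_info) -> dict:
    """Whether the tunnel is allowed and, if so, whether limited access (block 510) follows."""
    if not vpn_allowed(approval, user, now):
        return {"vpn": False, "access": False,
                "findings": ["request not pre-approved for this user and time window"]}
    findings = validate_workstation(ref, hardware_ids, software_info)
    return {"vpn": True, "access": not findings, "findings": findings}

# Constructed sample data (not from the application).
GOLDEN_FILES = {"av.exe": b"antivirus build 1", "fw.dll": b"firewall build 1"}
GOLDEN_HW = {"disk0": "SN-DISK-0001", "cpu0": "CPU-ID-AAAA"}
REFERENCE = ReferenceProfile(GOLDEN_HW, collect_software_info(GOLDEN_FILES))
APPROVAL = PreApproval("vendor-tech",
                       datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc),
                       datetime(2022, 1, 10, 12, 0, tzinfo=timezone.utc))
IN_WINDOW = datetime(2022, 1, 10, 10, 30, tzinfo=timezone.utc)

def demo_clean() -> dict:
    """Unchanged workstation inside the window: tunnel and access allowed."""
    return decide(APPROVAL, "vendor-tech", IN_WINDOW, REFERENCE,
                  dict(GOLDEN_HW), collect_software_info(GOLDEN_FILES))

def demo_tampered() -> dict:
    """Patched firewall DLL plus an extra USB device: tunnel up, access denied."""
    files = {**GOLDEN_FILES, "fw.dll": b"firewall build 1 (patched)"}
    return decide(APPROVAL, "vendor-tech", IN_WINDOW, REFERENCE,
                  {**GOLDEN_HW, "usb0": "USB-STICK-XYZ"}, collect_software_info(files))

def demo_outside_window() -> dict:
    """Clean workstation after the approved window: no tunnel at all."""
    late = datetime(2022, 1, 10, 13, 0, tzinfo=timezone.utc)
    return decide(APPROVAL, "vendor-tech", late, REFERENCE,
                  dict(GOLDEN_HW), collect_software_info(GOLDEN_FILES))
```

Two design points worth noting. First, the reference check is two-sided: a component or file that the reference does not know is a finding, not merely an extra, because the application treats detachably connected external devices and renamed or foreign files as deviations from the original configuration. Second, the outcome distinguishes "no tunnel" (the request was not pre-approved for this user and time window, block 504) from "tunnel established but access denied" (validation failed, block 508), which is the distinction a monitoring operator or a recorded session in data repository 204 would need in order to act on the event.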

In some cases, additional checks can be performed by remote workstation 400 using at least one of: a control agent configured to block external devices connection to the remote workstation 400, an agent configured to prevent the remote workstation 400 from performing one or more of: (a) file renaming of at least part of the files stored on the remote workstation 400, (b) file deletion of at least part of the files stored on the remote workstation 400, or (c) file execution of at least part of the files stored on the remote workstation 400.

It is to be noted, with reference to Fig. 4, that some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It is to be further noted that some of the blocks are optional. It should also be noted that whilst the flow diagram is described with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein. It is to be understood that the presently disclosed subject matter is not limited in its application to the details set forth in the description contained herein or illustrated in the drawings. The presently disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Hence, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for designing other structures, methods, and systems for carrying out the several purposes of the presently disclosed subject matter. It will also be understood that the system according to the presently disclosed subject matter can be implemented, at least partly, as a suitably programmed computer. Likewise, the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method. The presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.