Crime Fighters Cast Wide Net

By Peter Piazza

Working in his office in Toronto, Mark Fabro needs to download a recent white paper written by a government law enforcement officer who specializes in fighting cybercrime. Fabro, chief security scientist at American Management Systems (AMS), a global business and IT consulting firm, turns on his computer, points his browser to a special Web address, and enters his username and password in the Web page that opens. A moment later, he is inside a secure collaboration work space known as the Cybercop Secure Portal. He enters the site’s library, which contains more than 2,000 documents relating to cybercrime, terrorism, and homeland security, and locates the paper. When he finishes, he sends a secure e-mail to the author to share his comments.

Thousands of miles away, Toby Finnie is at her office in Tacoma, Washington. Finnie is the director of the High-Tech Crime Consortium, a nonprofit group that supports law enforcement and corporate investigators tasked with digital crime cases. She is also inside the Cybercop site, where she is watching a real-time PowerPoint presentation given by a law enforcement agent located across the country. The presentation includes a mug shot and a criminal record of a cybercriminal. Around the country, a number of law enforcement investigators are simultaneously viewing the same presentation.

Though they work in different organizations and live a country apart, Fabro and Finnie, as well as more than 5,000 Cybercop members around the world, are able to securely view and share the vast archive of material in the Cybercop database thanks to the efforts of an application service provider (ASP) called The Extranet Secure Portals (ESP) Group.

The ESP Group provides authentication to and secures the Cybercop database; it also restricts physical access to the machines that store the data. These steps, in conjunction with secure programming procedures, help keep the Cybercop portal data from falling into the wrong hands.

Authentication. The Cybercop portal is entirely Web-based, meaning that no additional software clients need to be downloaded onto users’ machines. That allows Cybercop users to enter the portal from any machine, anywhere. But such ubiquitous access poses the first security challenge: making sure that only authorized users are able to gain access to the portal.

George Johnson, chief technology officer with The ESP Group, says that Donlon and Manson carefully considered Cybercop’s security policies and needs, such as what level of access control was necessary. Then, he says, ESP programmers customized the portal to fit those requirements (more on the best practices followed by the organization’s programmers later).

Authentication to the Cybercop portal relies on usernames and robust passwords (robust passwords are long combinations of letters, numbers, and other characters; they do not include easily guessed words, and they are changed regularly). This single-factor approach provides a solid level of authentication and does not require users to have any additional hardware such as biometric readers or smart cards; it does, however, rest entirely on the password staying secret, which is why the lockout and monitoring described next matter.

Monitoring. Log-on attempts to the Cybercop site are constantly monitored from The ESP Group’s headquarters. “If you type the wrong password several times, your account will get locked,” Johnson says. “We have personnel here that watch when that happens, and we immediately start to call people when we identify that to see if people are maliciously trying to gain access, or the people just forgot their password.”

In the former case, the account will immediately be locked and an administrator notified. In the more frequent latter case, those monitoring the system assist members in retrieving their credentials and then logging in. ESP administrators also monitor user behavior so that suspicious patterns of behavior, such as a user logging on from two different locations within a short period of time, can be instantly noted and appropriate action taken.
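The two checks this section describes, lockout after repeated failures and a login from two locations within a short window, are straightforward to run over an authentication log. The following is an added illustration, not ESP Group code: the log format, the lockout threshold (five failures), the 30-minute window, and the address-to-location table are all assumptions made for the example, and the log lines are constructed.

```python
"""Added example (not ESP Group code): lockout and anomaly checks over a
constructed authentication log. The log format, thresholds and the
IP-to-location table are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, username, source IP, result
SAMPLE_LOG = """\
2002-03-04T09:00:05 mfabro 203.0.113.10 FAIL
2002-03-04T09:00:21 mfabro 203.0.113.10 FAIL
2002-03-04T09:00:40 mfabro 203.0.113.10 OK
2002-03-04T09:02:00 tfinnie 198.51.100.7 OK
2002-03-04T09:05:10 tfinnie 192.0.2.44 OK
2002-03-04T10:00:00 guest 198.51.100.9 FAIL
2002-03-04T10:00:03 guest 198.51.100.9 FAIL
2002-03-04T10:00:06 guest 198.51.100.9 FAIL
2002-03-04T10:00:09 guest 198.51.100.9 FAIL
2002-03-04T10:00:12 guest 198.51.100.9 FAIL
2002-03-04T10:00:15 guest 198.51.100.9 OK
"""

# Assumed mapping of source address to a coarse location (a GeoIP lookup in practice)
LOCATION = {"203.0.113.10": "Toronto", "198.51.100.7": "Tacoma",
            "192.0.2.44": "Miami", "198.51.100.9": "Tacoma"}

MAX_FAILURES = 5                    # assumed lockout threshold
TRAVEL_WINDOW = timedelta(minutes=30)  # assumed "short period of time"


def parse(log):
    """Yield (timestamp, user, source_ip, result) for each log line."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def analyze(log, max_failures=MAX_FAILURES, window=TRAVEL_WINDOW):
    """Return (locked accounts, alerts) after replaying the log in order.

    A successful login clears the failure counter; once an account is locked,
    every further attempt (right password or not) is reported so staff can
    call the user, as the text describes."""
    failures = defaultdict(int)
    locked = set()
    last_ok = {}        # user -> (time, location) of the last successful login
    alerts = []
    for ts, user, ip, result in parse(log):
        if user in locked:
            alerts.append(("locked_account_attempt", user, ts.isoformat()))
            continue
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
                alerts.append(("lockout", user, ts.isoformat()))
            continue
        failures[user] = 0
        loc = LOCATION.get(ip, "unknown")
        prev = last_ok.get(user)
        if prev and prev[1] != loc and ts - prev[0] <= window:
            alerts.append(("two_locations", user, f"{prev[1]}->{loc}"))
        last_ok[user] = (ts, loc)
    return sorted(locked), alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[1]:
        print(*alert)
```

On the constructed log the analysis locks `guest` after its fifth failure, reports the later (successful) attempt on the locked account, and flags `tfinnie` for logging in from Tacoma and then Miami three minutes apart. The two Fabro failures followed by a success produce nothing, which is the behavior wanted for a user who simply mistyped a password.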

SSL encryption. Because information such as a username or password that travels across the Internet is vulnerable to capture, ESP, like most ASPs, uses an encryption protocol known as secure sockets layer (SSL), which is built into most standard Web browsers, to encrypt authentication information as it moves across the Internet. Johnson adds that all data, not only authentication information but every file that is uploaded to or downloaded from the Cybercop database, is encrypted using at least 128-bit encryption. This encryption is strong enough that even if a document is intercepted, it will be virtually impossible for attackers to decrypt it.
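The "at least 128-bit" promise above is a server-side policy, and it is worth checking rather than assuming. Below is an added example (not ESP Group code) of how a Python server would pin that policy with the standard `ssl` module: it refuses anything older than TLS 1.2 (SSL's successor protocol), enables only strong cipher suites, and verifies that no suite the server would negotiate offers fewer than 128 bits of symmetric strength.

```python
"""Added example (not ESP Group code): a server-side TLS policy that refuses
anything below 128-bit symmetric strength, using Python's ssl module."""
import ssl


def make_server_context(min_bits=128):
    """Build a server context and fail loudly if any weak suite survives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSLv3, TLS 1.0 and TLS 1.1 are refused outright
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax: strong suites only, no anonymous DH, no MD5 or RC4
    ctx.set_ciphers("HIGH:!aNULL:!MD5:!RC4")
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]
    if weak:
        raise ValueError(f"weak suites still enabled: {weak}")
    return ctx


def weakest_enabled_bits(ctx):
    """Smallest symmetric key strength among the suites the context will negotiate."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def tls_floor_is_12(ctx):
    """True when the context will not fall back below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    context = make_server_context()
    print("weakest suite:", weakest_enabled_bits(context), "bits")
```

The context would then be handed to `ctx.wrap_socket(...)` or `ctx.load_cert_chain(...)` in the real server; the check itself needs no network and can run as a start-up self-test.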

Secure systems. Important as it is to encrypt data as it travels through cyberspace, it is only one part of the security puzzle. Keeping it safe once it’s inside ESP’s computers is a much bigger, and more important, issue. “This is where a lot of systems really start to fail,” Johnson says. “They think they’re secure because they use SSL.” The real question, he says, is how secure is the information in the database?

Blocking malicious code. The first step toward protecting the database is blocking unauthorized visitors and unwanted code such as viruses and worms. Software inside the ESP network detects and blocks mobile code (small and potentially dangerous programs, such as Java applets, that execute on a user’s computer), and a virus scanner inspects all files uploaded into the portal for any type of malicious code.

Firewalls. ESP employs several technologies to make it as difficult as possible for hackers to get access to Cybercop’s sensitive information, Johnson says. Firewalls, which allow or deny certain types of traffic into the system, or block users from IP address blocks that have been determined to be dangerous, are used to provide one level of defense.

Firewalls are not a sufficient defense on their own, however, because they are subject to the same types of vulnerabilities and attacks as any other piece of software or hardware. To mitigate this risk, ESP uses multiple inline firewalls to secure the network. Johnson likens the multiple firewall configuration to a stack of Swiss cheese slices. “They all have holes in them, but if you stack them all up, you can’t see through the cheese. That’s effectively what we do,” he says.

Each firewall is made by a different manufacturer, runs on a different operating system, and uses a different technology, so that a flaw in one is unlikely to be present in the next. For example, one firewall employs packet filtering. Data moving across the Internet is broken into small packets, each of which carries a header that serves as an envelope, containing information such as the source and destination addresses and port numbers. Packet-filtering firewalls examine only these envelopes and can block unwanted network traffic based on where it comes from or which service it is addressed to (such as file transfer protocol, or FTP, traffic).

Another firewall uses stateful inspection, where the firewall keeps a table of the connections it has seen and admits a packet only if it belongs to a connection that administrator-defined rules allowed in the first place; a stray packet that merely looks like part of an existing conversation is dropped. A third firewall technology is the proxy, which stands between the internal and external networks, terminates each connection itself, and examines and relays only authorized traffic.

The multiple firewalls make hacking into the network an extremely complex endeavor, Johnson says. “If someone can compromise the first one, then they have to go through the compromised [firewall] and try to attack the second one. Even if they can do that, then they’ve got to try to get through the third one.”

To make it even tougher for attackers to penetrate into the Cybercop database, administrators at The ESP Group are “sniffing at each layer in between” the firewalls, Johnson says. This means that they are monitoring traffic as it passes into the network. If they notice any probes or compromise attempts, Johnson says, they can take action to stop the intruder. If an attack is serious enough, they will even alter the network architecture to make future incursions harder. For example, they can quickly rotate the entire stack of firewalls. “When they attack next time, they have a completely different architecture that they have to come against,” Johnson says.

Limited protocols. There are a large number of “protocols” used to transmit different types of traffic across the Internet. Some, such as HTTP (hypertext transfer protocol), carry normal Web traffic; others, such as UDP (user datagram protocol), carry traffic like streaming audio. Each service listens on a particular port; the more ports that are open, the larger the attack surface of the network. Therefore, The ESP Group’s network further tightens security by allowing only one protocol, encrypted Web traffic known as HTTPS (HTTP over SSL), to enter the network, meaning that all traffic is sent through one port. All others are closed, so attacks aimed at the services behind them, such as e-mail or unencrypted Web traffic, have nothing to connect to.

Allowing only one protocol through the system does put some limits on the services available, but the tradeoff is well worth it, Johnson says. It makes the network much more secure. It also makes it easier to configure firewalls to block malicious traffic and simplifies the process of reviewing firewall logs to look for attempted attacks.
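The difference between the packet-filtering and stateful firewalls described earlier, and the "only HTTPS gets in" policy of this section, can be shown in a few dozen lines. The code below is an added example, not ESP Group code or a product configuration: it is a toy filter in which the internal network, the blocked address range, the rule table, and the packets are all constructed for illustration. The interesting case is an unsolicited inbound packet to port 443 that is not the start of a connection: the stateless filter passes it because the header looks fine, while the stateful tracker drops it because no connection exists.

```python
"""Added example (not ESP Group code): a toy packet filter and stateful tracker
showing the two firewall behaviours described in the text and the HTTPS-only
policy. Addresses, rules and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # True for the first packet of a TCP connection


INSIDE = ipaddress.ip_network("10.0.0.0/8")         # assumed portal network
BLOCKED = [ipaddress.ip_network("192.0.2.0/24")]    # assumed "dangerous" block

# Stateless rules, first match wins: (direction, proto, dport, action).
# Inbound HTTPS is the only service offered; every other inbound port is closed.
RULES = [("in", "tcp", 443, "allow"),
         ("in", None, None, "deny")]


def packet_filter(pkt):
    """Packet filtering: a decision from header fields alone, no memory of the past."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BLOCKED):
        return "deny"
    direction = "in" if src not in INSIDE else "out"
    for rdir, proto, port, action in RULES:
        if rdir == direction and proto in (None, pkt.proto) and port in (None, pkt.dport):
            return action
    return "allow"      # outbound traffic from inside hosts is allowed


class StatefulFirewall:
    """Stateful inspection: admits a packet only if it opens a permitted
    connection or belongs to one already in the table."""

    def __init__(self):
        self.table = set()

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one connection
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}), pkt.proto

    def decide(self, pkt):
        key = self._key(pkt)
        if key in self.table:
            return "allow"                      # reply/continuation of a known connection
        if packet_filter(pkt) == "allow" and (pkt.syn or pkt.proto == "udp"):
            self.table.add(key)                 # a permitted new connection
            return "allow"
        return "deny"                           # looks like traffic, but no connection exists


if __name__ == "__main__":
    fw = StatefulFirewall()
    for p in [Packet("198.51.100.7", 40000, "10.0.0.5", 443, "tcp", syn=True),
              Packet("10.0.0.5", 443, "198.51.100.7", 40000, "tcp"),
              Packet("198.51.100.7", 40001, "10.0.0.5", 443, "tcp"),
              Packet("198.51.100.7", 40002, "10.0.0.5", 25, "tcp", syn=True)]:
        print(p.dst, p.dport, "filter:", packet_filter(p), "stateful:", fw.decide(p))
```

Run stand-alone, the script shows the HTTPS SYN and the server's reply allowed by both layers, the SMTP attempt denied by both, and the bare ACK to port 443 allowed by the filter but refused by the stateful layer, which is the "stacked Swiss cheese" point in miniature: each layer closes a hole the other leaves open.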

Because only HTTPS can pass into the network, Cybercop members cannot use audio or video in net meetings. But any inconvenience is more than offset by the gain in security, says Johnson. He notes that sending audio or video data across the Internet is inherently insecure, because that data cannot be encrypted using SSL, so that while the text shared in net meetings is encrypted and secure, the audio and video is not. Likewise, Johnson says, many firms use the Internet for phone calls to reduce phone bills, but, he cautions, “it’s going wide open, so if you sniff that, you’ll be able to listen about all [the company’s] business.” Toby Finnie says that if Cybercop members want to hold a meeting online to share a PowerPoint presentation, for example, investigators use telephones to participate in a conference call while viewing the uploaded presentation securely.

IDS. The next level of defense comprises three separate intrusion detection systems (IDSs) that allow three different perspectives on traffic. Johnson explains that one IDS looks for problems with the packets themselves, to make sure that they are not malformed in a way that could compromise the system. A second is signature-based and looks for specific instances of malicious code (for example, the Code Red or Nimda worms) that can be identified by a known signature. This second IDS must be updated with signatures of each new virus or worm, a process that happens regularly.

The third IDS is Snort, an open-source network intrusion detection system that matches packets against a community-maintained rule set and applies protocol checks of its own. Because it is open source and widely used in the security field, new rules for it typically appear faster than updates for the commercial intrusion detection systems, which makes it a good third level of defense. Johnson says that ESP administrators view all the activity across all three monitors in real time, to look for correlations that can prevent false alarms. “In other words, did they all agree that something bad is happening?” he asks. If so, administrators can take whatever steps are necessary to block the threatening traffic and prevent further intrusion.
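The three perspectives and the "did they all agree" step can be sketched as three independent detectors feeding a quorum. What follows is an added example, not ESP Group code and not Snort itself: the packets are constructed, the two byte signatures are loosely modeled on the Code Red (`/default.ida?NNNN...`) and Nimda (`root.exe`) request strings rather than copied from any vendor database, and the rule matcher handles only a tiny subset of Snort's rule syntax (a content string, a destination port, and a message).

```python
"""Added example (not ESP Group code): three independent detectors and a
correlation step that raises an alarm only when a quorum agrees. Packets,
signatures and the Snort-style rules are constructed for this illustration."""
import re

# Constructed packets: (src, dst, dport, declared_len, tcp_flags, payload)
PACKETS = [
    ("198.51.100.7", "10.0.0.5", 80, 40, "S", b""),                          # normal SYN
    ("203.0.113.9", "10.0.0.5", 80, 80, "PA",
     b"GET /default.ida?" + b"N" * 40 + b" HTTP/1.0\r\n"),                  # Code-Red-like
    ("203.0.113.9", "10.0.0.5", 80, 4, "SF", b"GET /scripts/root.exe?/c+dir"),  # malformed and Nimda-like
    ("198.51.100.7", "10.0.0.5", 80, 32, "PA", b"GET /index.html HTTP/1.0\r\n"),  # benign request
]


def malformed(pkt):
    """Detector 1: sanity checks on the headers themselves (length lies, SYN+FIN)."""
    _, _, _, declared_len, flags, payload = pkt
    return declared_len < len(payload) or ("S" in flags and "F" in flags)


# Assumed signatures, loosely modeled on two well-known worm request strings
SIGNATURES = {b"/default.ida?NNNN": "CodeRed-like", b"root.exe": "Nimda-like"}


def signature_match(pkt):
    """Detector 2: fixed byte patterns that must be refreshed as new worms appear."""
    payload = pkt[5]
    return [name for sig, name in SIGNATURES.items() if sig in payload]


# A tiny subset of Snort rule syntax: one content string, a dport, a message
RULES = [
    'alert tcp any any -> any 80 (content:"default.ida"; msg:"IIS ida overflow attempt";)',
    'alert tcp any any -> any 80 (content:"cmd.exe"; msg:"IIS cmd.exe access";)',
    'alert tcp any any -> any 80 (content:"root.exe"; msg:"IIS root.exe access";)',
]
_RULE = re.compile(r'alert tcp \S+ \S+ -> \S+ (\d+|any) \(content:"([^"]+)"; msg:"([^"]+)";\)')


def rule_match(pkt):
    """Detector 3: match each rule's port and content against the packet."""
    hits = []
    for rule in RULES:
        port, content, msg = _RULE.match(rule).groups()
        if port in ("any", str(pkt[2])) and content.encode() in pkt[5]:
            hits.append(msg)
    return hits


def correlate(packets, quorum=2):
    """Alarm only when at least `quorum` detectors fire on the same packet.
    Returns [(source address, names of the detectors that agreed), ...]."""
    alarms = []
    for pkt in packets:
        votes = {"malformed": malformed(pkt),
                 "signature": bool(signature_match(pkt)),
                 "rule": bool(rule_match(pkt))}
        if sum(votes.values()) >= quorum:
            alarms.append((pkt[0], [k for k, v in votes.items() if v]))
    return alarms


if __name__ == "__main__":
    for src, agreed in correlate(PACKETS):
        print(src, "flagged by", ", ".join(agreed))
```

With a quorum of two, the Code-Red-like request is reported because the signature and rule detectors agree, and the truncated Nimda-like packet is reported by all three; the two benign packets trip nothing. Raising the quorum to three keeps only the second alarm, which is the trade-off the correlation step makes: fewer false alarms at the cost of missing a probe that only one sensor recognizes.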

DNS defense. Despite the multiple firewalls and intrusion detection systems, some attacks cannot be easily defended against at the perimeter and require a more proactive stance. One particularly dangerous attack is known as DNS cache poisoning. DNS, or domain name system, is the distributed database on the Internet that translates human-readable Web addresses into numerical Internet protocol (IP) addresses. Once the address has been translated, the request for the Web page is routed to the proper address across the Internet. But an attacker who can compromise a DNS server, or trick it into accepting a forged answer, can plant a false IP address for a particular Web site in that server’s cache, so that any requests resolved through it are redirected to the attacker’s machine.

Savvy attackers can set up a Web page that looks identical to the one whose name they have hijacked. When a visitor, not realizing that he or she has been misdirected, types in a user name and password, the attacker sees those credentials in plain text (unless the browser warns that the impostor’s SSL certificate does not match the site and the user heeds the warning). Using those credentials, the attacker logs in to the real site and relays its pages back to the user, effectively and clandestinely acting as a proxy for the site while seeing every page the legitimate user sees. According to Johnson, most Web sites are vulnerable to DNS cache poisoning attacks, due to the prevalence on the Internet of DNS servers that can be exploited.

ESP tries to be more proactive. “We constantly scan the Internet looking for problems with DNS cache poisoning,” Johnson says. ESP staff monitor the DNS servers that are typically used by Cybercop and other customers to look for evidence of this type of attack. “If we see a DNS server that responds to or with any other IP address than what should really be there, we immediately notify the customers and shut down the accounts that we believe are using that DNS system, until the problem gets solved,” Johnson says.

ESP administrators have a procedure to follow if they find evidence of DNS cache poisoning. It includes notifying the ISP (Internet service provider) that it is under attack and asking it to provide logs that can be forwarded to research centers such as the CERT/CC, as well as to law enforcement authorities.
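The check ESP describes, asking the resolvers customers use for a name and comparing the answer with what should really be there, comes down to sending a DNS query and reading the A records out of the reply. The code below is an added example, not ESP Group code: it builds a standard query with the standard library, parses a reply (including the name-compression pointers real resolvers use), and reports any resolver whose answer contains an address outside the expected set. The resolver replies, the name `portal.example`, and the "correct" address are constructed so the example runs offline; in production the `build_answer` stand-in would be replaced by the bytes received from each resolver over UDP port 53.

```python
"""Added example (not ESP Group code): build a DNS A query, parse the reply,
and flag resolvers whose answers disagree with the expected address set.
Names, addresses and resolver replies are constructed for this illustration."""
import struct

QID = 0x1234  # transaction ID; a real checker would pick this at random per query


def build_query(name, qid=QID):
    """Standard recursive A query (RFC 1035 wire format)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def a_records(msg, expected_id=None):
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    qid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("transaction ID mismatch: reply was not for our query")
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def build_answer(name, ip, qid=QID, ttl=300):
    """Construct a reply as a resolver would send it (stand-in for the network)."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


EXPECTED = {"portal.example": {"198.51.100.20"}}   # assumed authoritative answer

# Constructed replies from two resolvers; the second has been poisoned
SAMPLE = {
    "10.1.1.53": {"portal.example": build_answer("portal.example", "198.51.100.20")},
    "10.2.2.53": {"portal.example": build_answer("portal.example", "192.0.2.99")},
}


def check_resolvers(responses, expected=EXPECTED):
    """responses: {resolver: {name: raw reply}}. Returns the resolvers whose
    answer for any name contains an address outside the expected set."""
    suspect = {}
    for resolver, replies in responses.items():
        for name, raw in replies.items():
            bad = set(a_records(raw, expected_id=QID)) - expected.get(name, set())
            if bad:
                suspect[resolver] = sorted(bad)
    return suspect


if __name__ == "__main__":
    print(check_resolvers(SAMPLE))
```

Two practical notes: the transaction-ID check in `a_records` is the same check a resolver itself relies on to reject forged replies, and a real deployment should use a fresh random ID per query rather than the fixed value used here. Also, sites that legitimately return several addresses (load balancing) need the full expected set listed, or every resolver will look poisoned.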

Physical security. Hardening the physical security around the machines that manipulate the Cybercop data is as important as hardening the applications and operating systems. Johnson says that ESP’s experience working with the national intelligence community has made it especially crucial that physical security be tight. He explains that the ESP environment has been built to meet the strict government standards for Sensitive Compartmented Information Facilities (SCIFs), even though ESP’s facility is not formally a SCIF, since no classified material resides within it.

Background checks. All those who have access to the ESP environment have high-level government clearances, meaning that employees have gone through extensive background checks before joining the company. Having employees with such security clearances reduces the threat of having an insider steal data or assist a hacker or other malicious attacker, Johnson says.

Detection devices. As another resource, ESP headquarters employs motion detectors throughout the building. Johnson notes that these motion detection devices are monitored around the clock, seven days a week, from a remote location by an outsourced contractor “that typically does that for other sensitive government facilities,” he says. “So, if there were ever any kind of an issue here, there’s an external audit of all the activity that occurred inside our environment.”

The audit trail creates an unalterable log that, for example, could reveal that a motion detector alarm was set off but no employee had used a proximity card at that time, indicating that perhaps an attempt had been made to break into the room. Likewise, access to the machines that store sensitive data is logged in such a way that it cannot be modified, preventing those with physical access from directly tampering with data without being noticed.

Other physical security devices in place include heat sensors that can be set up to detect even one degree of heat increase in a room, and multiple physical protection barriers, which Johnson declined to describe in more detail. He explains, however, that the multiple barriers work on the same principle as the multiple inline firewalls. “If somebody gets through the first one, it’s going to be difficult to get through the second one. As soon as you try to break the first one, alarms go off and you have to try to break the second. Meanwhile, the police show up and you’re beating your hands against a steel door,” he says.

Employees enter the headquarters using two-factor authentication: a proximity card (something they have) and a personal identification number, or PIN (something they know); a lost or stolen card by itself will not provide access to the building. Johnson says that ESP is in the process of researching a change to handprint geometry biometrics for access control.

Programming standards. Despite the high level of physical and information security that ESP provides, systems are only as secure as the applications running on them. Software vendors have come under fire for rushing products to market without adequately testing them for security, instead relying on patching them once vulnerabilities are discovered.

The most common of these vulnerabilities is the buffer overflow, in which a program copies more input into a fixed-size memory buffer than the buffer can hold. The excess data spills into adjacent memory, which may hold other variables or the address the program will jump to when the current function returns; an attacker who controls that input can overwrite it and force the program to execute instructions of the attacker’s choosing. To avoid buffer overflows and other common weaknesses found in commercial software, the ESP Group writes and builds all its own applications.

Coding standards. Johnson says that ESP programmers create programs that can stand up to attack by using a set of secure programming standards that ESP developed for certifying the security of applications run within its portals. ESP maintains coding standards against which all code is written (for example, vulnerabilities such as buffer overflows must be looked for and guarded against).

Programmers work on projects in teams, and completed code is subjected to peer review and discussion. “When the code is done,” Johnson says, “no matter who has written it, it always looks like one person wrote it. If you ever have to debug code, it’s easy to do because you can understand it, it’s intuitive,” because it was done according to ESP’s coding standards, which were built around security, Johnson says.

Compartmentalization. Johnson adds that the strong level of security inherent in its code helps ensure that users are securely compartmented. This mitigates the risk of an individual user jeopardizing the entire network even if there is a compromise.

“Say the worst thing happens, and I’ve lost my credentials and somebody else got them, and they log in as me,” he says. “They can’t do anything other than what only I could do or see; they could only compromise the data that I would have had access to.”

What’s more, Johnson says, host-based file integrity systems provide a record of every change made to every file in ESP’s systems. “If we know that an account was compromised, we can go in and rebuild the entire session that the person took, because we track every single click everywhere. We can identify every file that might have been compromised, and we can take appropriate security measures around that,” he says.  
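Compartmentation and session reconstruction, the two properties described in the last few paragraphs, depend on three small mechanisms: an access check on every read, an append-only record of every access, and a baseline of file hashes to compare against later. The following is an added example, not ESP Group code: the access-control list, the documents, the user names, and the audit key are all constructed for illustration. The audit entries are chained with a keyed hash so that editing or deleting an earlier entry breaks every later link; for that to mean anything in practice the key (and ideally a copy of the log) must live somewhere the portal host itself cannot reach, such as a separate log collector, which this example assumes rather than implements.

```python
"""Added example (not ESP Group code): per-user compartments enforced on every
read, a hash-chained audit log, and file-integrity baselines, so that a stolen
credential exposes only that user's data and the session can be reconstructed.
Users, documents and the audit key are constructed for this illustration."""
import hashlib
import hmac


class Portal:
    def __init__(self, acl, files, audit_key):
        self.acl = acl              # user -> set of document names (assumed policy)
        self.files = dict(files)    # document name -> bytes
        self.audit = []             # (ts, user, action, name, chain link)
        self._key = audit_key       # assumed to be held off-host in a real deployment
        self._prev = b""

    def _log(self, ts, user, action, name):
        # Keyed hash chain: each link covers the previous link plus this entry
        entry = f"{ts}|{user}|{action}|{name}".encode()
        link = hmac.new(self._key, self._prev + entry, hashlib.sha256).hexdigest()
        self.audit.append((ts, user, action, name, link))
        self._prev = link.encode()

    def read(self, user, name, ts):
        """Every read is checked against the user's compartment and recorded,
        including the refusals, which are what an investigator looks for."""
        if name not in self.acl.get(user, set()):
            self._log(ts, user, "DENIED", name)
            raise PermissionError(f"{user} may not read {name}")
        self._log(ts, user, "READ", name)
        return self.files[name]

    def baseline(self):
        """Host-based file integrity: a hash of every file at a known-good moment."""
        return {n: hashlib.sha256(c).hexdigest() for n, c in self.files.items()}

    def changed_since(self, base):
        """Files added, removed or altered since the baseline was taken."""
        now = self.baseline()
        return sorted(n for n in set(base) | set(now) if base.get(n) != now.get(n))

    def session_of(self, user):
        """Everything a (possibly stolen) account touched, in order."""
        return [(ts, action, name) for ts, u, action, name, _ in self.audit if u == user]

    def audit_intact(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev, ok = b"", True
        for ts, user, action, name, link in self.audit:
            entry = f"{ts}|{user}|{action}|{name}".encode()
            expected = hmac.new(self._key, prev + entry, hashlib.sha256).hexdigest()
            ok = ok and hmac.compare_digest(expected, link)
            prev = link.encode()
        return ok


def demo():
    """Constructed scenario: mfabro's credentials are used, one read is inside
    his compartment and one is not; afterwards a file is altered on disk."""
    acl = {"mfabro": {"whitepaper.pdf"}, "tfinnie": {"whitepaper.pdf", "mugshots.ppt"}}
    files = {"whitepaper.pdf": b"constructed white paper", "mugshots.ppt": b"constructed slides"}
    portal = Portal(acl, files, audit_key=b"constructed-demo-key")
    base = portal.baseline()
    portal.read("mfabro", "whitepaper.pdf", "2002-03-04T09:01:00")
    try:
        portal.read("mfabro", "mugshots.ppt", "2002-03-04T09:02:00")  # outside his compartment
    except PermissionError:
        pass
    portal.files["whitepaper.pdf"] = b"tampered"       # simulated unauthorized change
    return portal, base


if __name__ == "__main__":
    portal, base = demo()
    print("session:", portal.session_of("mfabro"))
    print("changed files:", portal.changed_since(base))
    print("audit intact:", portal.audit_intact())
```

In the constructed scenario the stolen `mfabro` credential reaches the white paper and nothing else, the refused read of the slide deck is itself on the record, the integrity comparison names the altered file, and a later attempt to rewrite the first audit entry makes `audit_intact()` return False.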

Cybercops on the beat. Despite all the high-tech maneuvers taking place behind the scenes, Toby Finnie says that the Cybercop interface is smooth and easy to understand, and the only difficulty that members have encountered is memorizing robust passwords and changing them regularly. “But,” she says, “that’s best practices, and that’s what we like to prepare professionals to use.”

Mark Fabro of AMS agrees. “This is as good as it gets,” he says, adding that as the database and the number of users have grown, so has his capability to do his job more effectively.

Because cybercrime stretches across state and international borders, it’s imperative that investigators, researchers, and law enforcement agents from around the world have the capability to meet and discuss digital crime cases. Using the Cybercop portal, Finnie says, is a lot less expensive than doing it face to face, and she is confident in the high level of security.

When you share information across the Internet, she says, “there is a risk that at some point along the information superhighway, somebody can gain access to data that you would just as soon they not have.” But with a secure ASP keeping an eye out for wrongdoers, she says, “investigators have some assurance that their information is protected and will get from point A to point B without being peeked at by bad guys.”

Peter Piazza is assistant editor of Security Management.
