Training for cyber war

With computers came computer crime. Patrick Hook looks at how the cyber cops are keeping apace with the e-robbers

Well over two-thirds of major US companies, including financial and medical institutions, have admitted suffering financial loss from security breaches over the Internet. The findings, published by the Computer Security Institute working closely with the FBI, cover only the US but are, according to a leading British solicitor specialising in computer crime, indicative of a growing global problem.

Scams of one kind or another proliferate, while attacks on networks, including spam, electronic theft, viruses, worms, Trojan horses and denial of service, are all threats with which business has to deal.

The concern is that, left unchecked, this will erode companies' willingness to make the fullest possible use of the Internet. According to this theory, the expansion of computer technology depends largely on the degree of confidence felt by the public that their affairs will not be put at risk through exposure to an insecure medium. Support for this view comes from recent surveys by the Giga Information Group, which show that 27% of companies cited a perceived lack of hardware and software security as their reason for not engaging in e-commerce.

Testing times

Perhaps unsurprisingly, organisations such as the giant Microsoft Corporation are now active in trying to find a way of securing e-commerce from outside interference. Like many of its competitors, the corporation spends millions of dollars a year testing the vulnerability of its software to attack and has dedicated teams of engineers whose sole function is to build up an encyclopedic knowledge of the attack techniques used by hackers and others.

Over the years, Microsoft's Rapid Exposure Detection (Red) team has produced, and now constantly updates, a comprehensive catalogue of attack techniques used by hackers, and passes on the lessons learned to the FBI, the Computer Crime Unit at Scotland Yard and other law enforcement agencies across the world. The lessons are invaluable in enabling computer crime detectives to trace people hell-bent on wreaking as much havoc as possible, and to preserve the evidence for subsequent court hearings.

The team is closely supported by a second group, the Computer Emergency Response Team (Cert), and both groups form part of Microsoft's overall Information Assurance Programme. The success of this depends on several strands, including strategies for telecommunications, application, physical and information security, as well as a disaster recovery back-up facility.

But building confidence among potential customers is more than just making sure your own systems are resistant to attack. Microsoft, together with several other major software houses, now train police officers and members of other law enforcement agencies.

The training courses were originally confined to the investigation of Internet fraud with a particular emphasis on evidence gathering. In recent years, this has expanded to include instruction on the principles of digital evidence and the collection, preservation and presenting of other forms of electronic evidence in court. "Once officers are aware of what needs to be done," says Howard Schmidt, "the same principles can be applied again and again."

Potential target

For Schmidt, a former police officer who later headed the FBI's Computer Exploitation Team and then went on to become a supervisory special agent with the US Air Force Special Investigations dealing specifically with computer crime and information warfare, security is an ongoing issue. "It is important for any organisation to appreciate that it is a potential target, whether the threat comes from hackers, viruses or perhaps industrial espionage. The systems that it uses within the organisation should therefore be physically and electronically secure."

Just occasionally, the risk arises out of a failure to see the danger. Schmidt quotes the example of a small police force which chose to create its Web site on the same computer network which handled all its other, frequently sensitive, data. Nothing happened as a result of this lapse but the potential for embarrassment was real enough.

"The only sensible course for an organisation to follow is to separate the computer systems that carry sensitive data from those which have public access through the Internet," explains Schmidt. "If people must have access to sensitive data from outside the building, they should be obliged to use secure remote access services, using the appropriate firewall technology, good authentication and good encryption."

Software's 'fire department'

The Computer Emergency Response Team (Cert) are at the leading edge of Microsoft's defence strategy. The crack team of specialists can move in if an attack occurs or if a weakness found by the Red team cannot be dealt with immediately.

The Cert group has the responsibility of maintaining the integrity of all the software programs in use by the organisation and will provide real-time intrusion detection monitoring. Frequently (and always in the case of the Microsoft Cert) the team will co-ordinate its actions with other Cert groups in other organisations. "It is, if you will, the fire department of the computer business," says Schmidt. "When a vulnerable program is found within any of the companies or customers that we have dealings with," he says, "it is the Cert responsibility to bring that to the attention of the company concerned and suggest a patch or other solution."

Thin Red line

The Rapid Exposure Detection (Red) team is the first line of Microsoft's defence against the hacker. Its job is to find vulnerabilities while software is still in development, before a hacker does, and to propose a fix.

Together with the Cert group, the Red team forms part of the overall Information Assurance Programme designed to ensure that the corporation's internal systems are as secure as possible, with a 24- to 48-hour "ramp-up" to minimum configuration in the unlikely event of a system failure.

"Part of the problem," said Howard Schmidt, head of information security at Microsoft in Seattle, "is that during the development of new software, the security configurations are constantly shifting and what was OK an hour ago may no longer be the case now."

Sleeping with the enemy

Try as they might to eradicate vulnerabilities from their software offerings, Microsoft and their fellow suppliers are unlikely ever to produce totally secure software, a fact which leaves their customers always having to keep half an eye on the perimeters of their corporate IT, says Mark Lewis.

Ironically, doing so is starting to mean forming alliances with the very hackers they are trying to keep at bay. Not all hackers follow the dark path of MafiaBoy, the 15-year-old charged last week in connection with the denial of service attacks that struck Yahoo, and other sites in February. Increasingly, hackers are using their skills to generate cash, rather than chaos.

"People are currently dealing with security on a reactive basis", says David Litchfield, co-founder of Cerberus, one of an emerging breed of companies that offer ethical hacking services to organisations wanting to go the extra mile to ensure their infrastructural integrity. Litchfield reckons that some 70% of his company's business comes from organisations whose security has already been compromised. The challenge now, he says, is for IT departments to take pre-emptive action.

Alongside its vulnerability scan, Cerberus offers a penetration testing service, which, roughly translated, means it highlights your vulnerabilities by hacking into your systems.

"We get stuck in," says Litchfield, "and simulate the hacker. It's a proper hacker simulation, that requires a human to sit behind a console and bang away at it."

He likens the work of ethical hackers to checking the security of one's house. While a vulnerability scan will be able to check the locks on all the doors and windows, a penetration test will answer such questions as, "can you stick your arm through the letterbox and unlock the door that way?"

Litchfield concedes that it will take some time for the UK's IT directors to feel comfortable with making use of ethical hacking.

"If we can hack them, how can they be sure we're not going to do them over?" he says.

The non-disclosure agreements that ethical hackers sign go some way towards solving the problem. Beyond that, it is simply a question of trust, says Litchfield. "We have to convince them we are legit."

But, says Litchfield, a sea change will have to come if IT departments are to be confident of their data integrity.

"No scanner can hope to find vulnerabilities within something you have written yourself. We will hack in-house written script."
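The distinction Litchfield draws above, between a scanner that "checks the locks" and a tester who tries the letterbox, and his point that no scanner will find a flaw in a script you wrote yourself, can be shown with a short worked example. The code below is added here for illustration and is not from the article or from Cerberus; the in-house "is this host up?" handler, the placeholder signature catalogue and the probe string are all constructed. It contrasts a banner-matching scan, which has nothing to match against a home-grown script, with an active probe that submits a crafted parameter and observes whether a second shell command ran, then shows the hardened version of the same handler refusing the input.

```python
"""Added example (not from the article): why a signature-based vulnerability
scanner misses a flaw in a hand-written script, and what a hands-on
penetration probe does instead. The in-house handler, the catalogue and
the probe value are all constructed for illustration."""
import re
import subprocess

# --- 1. A hypothetical in-house CGI handler: "is this host up?" ------------
# Written locally, so no scanner signature will ever describe it.
def build_ping_command_unsafe(host: str) -> str:
    """The original: the user-supplied host is pasted into a shell command line."""
    return "ping -c 1 -W 1 " + host


def build_ping_command_safe(host: str) -> list:
    """The fix: validate the parameter and build an argv list, never a shell string."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}", host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", "-W", "1", host]


# --- 2. What a vulnerability scanner does: match banners to a catalogue ----
# Constructed placeholder catalogue (product string -> reference id); a real
# scanner ships thousands of such entries, none of them for your own scripts.
CATALOGUE = {
    "ExampleHTTPd/1.0": "example-placeholder-0001",
}


def scan_banner(banner: str, catalogue=CATALOGUE) -> list:
    """Return the reference ids whose product string appears in the banner."""
    return [ref for product, ref in catalogue.items() if product in banner]


# --- 3. What a penetration tester does: send a crafted value and observe ---
MARKER = "INJECTED-BY-PROBE"
PROBE = "127.0.0.1; echo " + MARKER   # a host value no validator should accept


def probe_unsafe_handler(host: str = PROBE) -> bool:
    """Run the in-house command line the way the script would (via /bin/sh)
    and report whether the appended command executed. Even if ping is
    absent on this machine, the shell still runs the second command."""
    result = subprocess.run(build_ping_command_unsafe(host), shell=True,
                            capture_output=True, text=True, timeout=15)
    return MARKER in result.stdout


def safe_handler_accepts(host: str = PROBE) -> bool:
    """The hardened handler rejects the value before any command is built."""
    try:
        build_ping_command_safe(host)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("scan of the in-house script's banner:", scan_banner("InHouseCheck/0.1"))
    print("scan of a catalogued product:", scan_banner("Server: ExampleHTTPd/1.0"))
    print("probe executed an extra command:", probe_unsafe_handler())
    print("hardened handler accepted the probe:", safe_handler_accepts())
```

Run stand-alone, the scanner reports nothing for the in-house script and a hit only for the catalogued product, the probe against the original handler shows the second command executing, and the hardened handler rejects the same value. The probe uses `echo` deliberately: it proves command execution without doing anything a client would object to.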
