Electronic Commerce Commands Canny Insight Into Hacker Moves

May 2000
By Clarence A. Robinson, Jr.

Whether companies become competitors or cyberroadkill requires knowing which systems may come under attack.

Profound Internet growth and the changes it generates in the economy and society are a double-edged sword. Electronic commerce benefits are fundamentally altering the way people produce, consume and communicate. Yet, risks and vulnerabilities are inherent network byproducts. Growing electronic threats mandate risk management, customer confidence and at least some level of information protection.

Unless e-businesses understand the intricacies of information technology products and various aspects of information trustworthiness, investments in security products may bring only limited effectiveness. A new breed of information protection company is emerging, however, to provide security-focused services structured to meet information assurance demands not just as a technology issue but as a business priority. Customers are demanding trust as a condition of doing business.

The defining issue in e-commerce and network security is trust. A combination of seemingly unrelated vulnerabilities in today’s complex technologies can quickly put a company in great jeopardy. This makes understanding vulnerabilities and the methods to keep companies operational the raison d’être of trusted network security companies.

One example of an information assurance company is Para-Protect Services Incorporated, Alexandria, Virginia. Company officials speak of their work in hushed tones, carefully guarding the confidentiality of their clients. Four of the company’s principals bring with them years of U.S. Defense Department experience in establishing information security systems. As part of a new national information infrastructure protection plan, the Clinton administration recently cited the Pentagon’s expertise in these areas as a model for other federal agencies and industry (SIGNAL, March 2000, page 17).

An 18-month-old venture capital startup, Para-Protect offers services and uniquely packaged commercial products obtained from information security vendors. These products perform security incident responses, penetration testing, network threat identification, assessment, intrusion detection and analysis. “It is possible to protect information systems and associated business assets. To do so requires an understanding of the state of the hacker’s art, or more simply, the state of the hack,” Michael R. Higgins, Para-Protect’s president, says.

While in the Defense Department, Higgins created the automated systems security incident support team, the forerunner of today’s computer emergency response team (CERT). He also developed the vulnerability analysis and assistance program, which actively analyzes information systems for security weaknesses through focused penetration exercises.

“Today’s hackers have much more sophisticated tools and an extensive network of like-minded individuals who share their information, usually via the Internet, about the vulnerabilities they discover and how to exploit them,” Higgins explains. “These people take advantage of seemingly trivial or unrelated weaknesses in operating systems, networks and application programs, linking them with weaknesses in other areas to infiltrate what was thought to have the best protection. Many of these weaknesses are inherent in even the most carefully written and tested software, especially off-the-shelf systems. And edits, updates or installation of new applications can cause configuration changes that enable a ‘hack’ or defeat of a security mechanism.”

Higgins emphasizes that the key to protecting an enterprise is to recognize that the state of the hack is constantly changing, which means that protection depends on understanding what hackers look for and how they use it to serve their ends. Understanding the latest in intrusion techniques gives companies a better idea of how to protect their assets and how to make certain that their business remains securely operational. Providing security for today is only the first step in real protection. Keeping systems current with the state of the hack is essential to operating any information processor into the future, he adds.

In this regard, Higgins believes Para-Protect has the advantage because Robert McNeal is a company computer security engineer. He ranks McNeal’s capability as equal to that of the top four or five hackers in the United States. As a former U.S. Army soldier, McNeal worked for Higgins in the Defense Information Systems Agency before joining the company. McNeal and the other 43 employees help clients keep abreast of the most advanced hacking techniques, constantly studying public or open-source channels, including hacker chat rooms, software and hardware manufacturers’ updates, World Wide Web sites dedicated to security, and security company product advances. “It also means working actively to identify when your systems may be under attack and then reacting quickly to keep the system operational,” Higgins stresses.

Para-Protect orchestrates rapid security incident responses for clients around the world. The company’s own CERT functions in both commercial and academic environments. Using its independent validation of a client’s information security processes, company-developed packages that include off-the-shelf products and services are designed to protect businesses and keep them functioning. Higgins notes that customized risk management for each client is the focus of the company. “We use a model of the customer to develop risk management that says you must understand your threats before you begin spending money to defend yourself,” Higgins asserts.

Risk management is very different from risk avoidance. “There is not enough money or technology to build a wall high enough to keep everyone out—to prevent people from getting inside,” Higgins observes. “First, determine the threats to the systems involved. If a company is in the electronic banking business, we address a completely different set of threats than if the company offers new product information on the Internet. So, the key question is what is your business process, and what are the threats to that process? We help companies understand business and operations together, and we help them determine the threats and what must be done operationally to protect against technologies that exploit those threats.”

The company uses the information it gathers 24 hours a day, seven days a week on state-of-the-hack techniques to stay ahead of network vulnerabilities with one goal—keeping companies up and running, Higgins explains. His company also must keep pace with rapidly emerging security technologies. An independent operation with no product line per se, Para-Protect is free to concentrate on network vulnerabilities and the tools to repair holes, regardless of the security product vendors. “We simply locate the problem and recommend a solution.”

One or several products might be recommended, depending on the threat environment, size of the company and the cost involved. This process has been refined over time and draws on Para-Protect’s extensive database of identified vulnerabilities, which has been built up from experience and can change almost hourly. Product companies are also good at focusing on susceptible systems. An example Higgins cites is Internet Security Systems, Atlanta, Georgia, “with one of the better commercial vulnerability sweepers on the market.”

It is not enough to protect only state-of-the-art information systems. Many vulnerabilities exist in older systems, which are typically far easier to penetrate and may be connected to the same network as newer systems, giving an intruder a path from the weakest machine to the rest. This makes network assessments an important feature.

Formed in October 1998 by Higgins and three of his Defense Department information security colleagues, Para-Protect uses its experience and understanding of network and system hacking to provide e-commerce security. Higgins notes that his firm provides independent validation of a company’s information security processes and offers a suite of products and services designed to protect businesses and keep them operational. The company focuses mainly on firms in the high-technology, entertainment and financial industries.

Although its basic business concentration is in industry, Para-Protect also functions under contract with various federal agencies. When hackers penetrated and corrupted the White House Web site, the company was called in to assess the damage and find ways to overcome intrusions. McNeal was a member of the team sent to the White House. Higgins reports that network forensics discovered a hole where the hackers entered, and it was plugged. A second hole, which otherwise could later have been exploited for network re-entry, was also detected and plugged, he continues.

The company uses an aggressive “attack or defend your network” approach to train its own employees and continually hone their skills, Higgins illustrates. One person builds a defensive network capability, while others seek to penetrate it, and then the roles are reversed. This type of training is essential not just for his company but also for organizations such as the Defense Department. “We must train as we fight, and red teaming is required during operational exercises to try to disrupt functions. However, most network disruptions will be against the sustaining base—supplies and transportation,” he observes.

Each Para-Protect employee spends at least 20 percent of the day on the network conducting vulnerability research and determining possible technology solutions. For example, if an individual is network oriented, the research is on networking and on the tools that are emerging for that purpose, Higgins recounts. “We are in constant touch with information technology and security product vendors and with our clients,” he assures.

After being selected by a global consortium, the company became a member of the international organization called the Forum of Incident Response and Security Teams (FIRST). More than 70 government, commercial and academic response and security teams from around the world compose FIRST. Members immediately react to local network and system vulnerabilities, then exchange computer security incident information with other forum members and coordinate appropriate responses with other teams. There are no geographical, time-zone or administrative boundaries to computer security incidents, Higgins states. “This is a network of partners who face and solve the same e-commerce problems.”

Higgins is a former chairman of FIRST, as is Kenneth R. van Wyk, Para-Protect’s vice president and chief technology officer. Companies such as Sun Microsystems, Hewlett Packard, Microsoft and IBM are among FIRST members. This group is considered to be the channel through which state-of-the-hack information and modus operandi are transmitted. “Whenever we see something, we funnel the information through FIRST so that the vendors can develop patches to address vulnerabilities and provide fixes to their operating systems,” he emphasizes.

Even so, merely applying patches to off-the-shelf software and systems or trusting firewalls—the electronic wall separating a company’s computer network from the outside world—is not the answer. Relying on firewalls in isolation can provide a false sense of security, while potentially leaving doors open on the company’s system. Most firewalls become obsolete over time unless they are diligently maintained. Even then, undetected open doors can leave a company vulnerable to a hacker, the destructive outsider, a disgruntled employee or a curious thrill seeker, Higgins says.

A recent example of the company’s international cooperation cited by Higgins involves an attack against the Web site of insurance giant Lloyd’s of London. One of Para-Protect’s security experts in the company’s operations center watched the perpetrators’ Internet discussion and learned that they were also seeking to break into the Bank of England’s network. The Para-Protect employee confirmed that the hackers had penetrated and altered Lloyd’s Web site, which momentarily disappeared from the Internet. The appropriate incident response team in London was notified.

When Lloyd’s restored the original Web page, it soon became obvious that not all of the holes had been plugged, Higgins stresses. Within minutes, the invaders again commandeered the site. “We were watching all of this live on Internet Relay Chat; we had the transcripts, knew the hackers by handle and had a complete history of the event.” Para-Protect alerted the British authorities about who the intruders were and that they were based in London, he illustrates. “We have figured out how to collect this type of information and provide advanced warnings to our customers.”

Lloyd’s, Higgins points out, is not a customer of his company, adding, “My greatest concern is that these hackers were breaking into an insurance company. One of our biggest clients is a large U.S.-based insurance corporation. We sent an immediate notification to this client alerting them of the details of the Lloyd’s hack.” Serendipitously, Para-Protect learned that its insurance customer had a link, a backdoor connection, with Lloyd’s because the two companies often buy and sell policies among themselves. “Our customer turned on all of their audit systems for the link to Lloyd’s.”

More than 90 percent of Para-Protect’s business is in its products and services packages. The packages are: Para-CERT, a 24-hour-a-day incident response capability to assist businesses in preparing for a possible security breach; Para-Watch, open-source monitoring to locate potential threats to a company’s business base in vast Internet space; Para-Probe, an internal and external system and network penetration testing service to determine vulnerabilities; and Para-Sentinel, a weekly information technology system, network and applications security vulnerability update.

Para-Secure is another company package that provides small- and medium-sized businesses with an Internet security solution that contains a firewall, operations monitoring and incident response. Other packages include Para-Alarm, a 24-hour, seven-day-a-week firewall monitoring service that detects and reacts to security breaches; Para-Assess, an overall appraisal of a company’s security policies, computer systems, networks and security practices; Para-Policy, a review and development of corporate security policies and practices; and Para-Engineering, a hands-on application of information protection and systems engineering designed to assist correction of vulnerabilities or improvement in the security posture of corporate information technology.

Higgins says he is continuously surprised at the similarity between the Defense Department and civilian e-commerce. The government’s focus is on continuity of operations; computers must be up and running properly to provide service. Even though industry is driven by the profit motive, the primary focus is on the same availability of service. He advocates removing barriers between government and industry so that federal agencies and industry can learn more from one another about information security.