Internet Security - Firewalls & Encryption

The Cyber Cop's Perspective

By Michael Anderson

It has been an interesting transition. A few years ago I was a federal law enforcement agent breaking the 'crooks' computer security and teaching other cops how to do it. Now, I find myself in the reverse role of helping computer users protect their secrets. Interestingly, I also find myself helping corporations and government agencies in finding computer 'secrets'. They want to identify their security risks and need the capability of conducting their own internal computer investigations. You see....... it is not good for corporate public relations when law enforcement agencies are called in concerning computer breaches or employee Internet misuses. For the purposes of this article though, lets limit the discussion to protecting corporate and government secrets.

Due to the current popularity of international commerce on the Internet, the topic of computer security has moved quickly from being a low priority for corporations and government agencies to a high priority. This interest has been heightened by computer break-ins at places like Los Alamos National Laboratories and NASA. Admissions by the United States government that many attempted military computer break-ins were successful has only added fuel to the fire. Jim Settle, the retired director of the FBI's computer crime squad, was quoted in USA Today as saying, "You bring me a select group of hackers and within 90 days I'll bring this country to its knees." He was talking about the United States. Is there any truth to Jim's claim? I don't know if I fully agree with him, but Jim makes a good point. Our computer systems are at risk, but the good news is that we can do something about it.

The creators of the Internet never envisioned that it would become the hub of international commerce. They designed the Internet for the open and free exchange of research information between universities and government. They did not design it to be secure and Internet firewalls were an afterthought. Some firewalls are good and others are not. Are proxy firewalls better than filtering firewalls? Nobody really knows and may both are necessary depending on the risks involved. However, firewalls may not be enough protection. Secure network routers are coming on line, but they have yet to prove themselves. From my perspective, potential security problems exist anytime a government or a corporate computer is connected to the Internet. Furthermore, fragments of previously deleted e-mail and files may linger for years in the heart of a computer hard disk drives and discarded floppy diskettes. Trust me on this one....... Computer secrets never go away. Many crooks have learned this lesson the hard way. However, things may not be as bad as they appear from a computer security standpoint.

Through the implementation of proper computer security policies and strategies, network connections to the Internet can be made more secure and sensitive data can be secured by using file encryption. Also, computer storage media can be effectively cleansed of sensitive information. Knowing the risks up front makes the job much easier for computer users and security policy makers. We offer a training course that deals with this topic. If your are interested, click here for information about our Risk Identification Course. Firewalls and secure network routers haven't come of age yet and security tied to them may not be adequate protection for trade secrets and sensitive computer data. However, these technologies have their place and only a fool would connect a computer network to the Internet without some sort of firewall.

Given enough time, desire and resources, it is a safe bet that almost any computer security system can be broken. The only totally secure computer system is one locked in a room, without people and without connections to other computers. Since such a security strategy is impractical, other security strategies and policies must be implemented. Government and corporate management cannot ignore the Internet just because of potential Internet security problems. The wealth of 'free' information available on the Internet and inexpensive worldwide E-mail access can result in significant cost savings and increased productivity. Don't forget. We do live in the information age. A corporation cannot remain competitive if it doesn't take advantage of all available technologies.

Internet firewalls serve a very good purpose. Much like the perimeter fence at a military base, firewalls act as the first important line of defense. However, they are not the total answer. Encryption should be wisely used to protect sensitive information from 'unauthorized eyes'. It is no secret that foreign competitors of large U S corporations gainfully employ former Eastern Block intelligence agents. You see, it is more cost effective to steal the secrets of your competition than it is to spend millions of dollars for research and development. Unless good encryption is employed, they can make copies of the computer 'secrets' without leaving any trace or clue that they even compromised such secrets. Lets face it. Most written communications today are created on computers. Most of these computers are not secure and to make matters worse many computers involved are portable notebook computers. File encryption helps here also.

An Internet firewall is essentially one or more systems that control access between computer networks. In this regard, the Internet is nothing more than a very large computer network. An installed firewall on a computer network serves two basic purposes: it controls access to the network from outside servers, and it also controls the transfer of information from the network to outside servers. It is not enough to just install an Internet firewall. The type of firewall(s) needed is usually dictated by the needs of the organization and the level of risk involved. The most important thing to remember about a firewall is that it creates an access control policy for the organization. Executive management and the computer security staff must be involved in defining what the access policy will be prior to purchase and installation. Absent such planning, the organization will set its security policy based on the on the whim of the installer, or worse, the default configuration of the manufacturer. Let's not forget that....... hackers love default security settings.

In my career as a 'cyber cop', not much difficulty was ever created by network or system security systems used by the criminal element, e.g., in my work helping other agencies, we easily accessed computers used by criminals. However, breaking good file encryption schemes proved to be a difficult, and sometimes it was an impossible task. Yes, we did have our successes thanks to private sector help. The encryption used by a CIA spy 'gone bad' was broken. The encryption used by a federal agent to secure child pornography files stolen from the evidence room locker was broken. Now they have more time to think about better computer security strategies........and you think I'm kidding. Some prisoners have more access to computer systems for training purposes than federal employees in government agencies. Sad but true.

Once the mysterious focus of spy stories and movies, encryption is really nothing more than the scrambling of data to make it unreadable. There is strong encryption and weak encryption, and an entire article could be written on the topic. Most word processing, spreadsheet and database applications that provide encryption as an option, are not secure. In fact, commercial applications exist which can be used to quickly defeat the security afforded by these applications. For our purposes of this article, I am talking about standalone file encryption products. To keep things simple, let's just say that the longer the encryption key the stronger the security. This assumes, of course, that a solid encryption algorithm has been employed. Unfortunately there are several algorithms to choose from.

The most secure encryption algorithms, implemented by software, have a key length of 128 bits or more. These include IDEA, Triple DES, 128 bit RC4 and 128 bit SEAL. A relatively new algorithm that seems secure is Blow Fish. The "lesser strength" but still relatively secure algorithms include 80 bit RC5 and 64 bit RC5 encryption schemes. The Data Encryption Standard (DES), developed back in the 70's is currently the standard used by the federal government regarding the encryption of sensitive but unclassified data. It deals with a 56 bit key length and is on the edge of what is breakable using todays technology and about $250,000 worth of computer hardware. We had one criminal case which involved the use of DES encryption and fortunately we were able to break the encryption scheme used by the 'bad guys'.

Currently, the United States government restricts the export of encryption software that relies strong encryption algorithms. However, there is heated controversy regarding this issue between government and software companies. Because of the potential loss of international technology trade by US companies, Congress will probably support the export of more powerful encryption products in the future. If they don't, this country could lose billions of dollars in foreign trade, over the next few years, to countries like Japan. If they do, it could create more problems for governments law enforcement and intelligence agencies. There are good arguments in both directions.

How difficult is it to break encryption? The answer involves the speed of the computer used to perform the task, the length of the key involved and how much money you have to throw at the problem. For the purposes of this article, I won't bore you with technical jargon. However, calculating how much time it takes to break a specific key length is simple. Given current technology, approximately 90 million DES key combinations or five million RC4 key combinations can be processed per second. The cost of the computer hardware to accomplish this is approximately $50,000 - $75,000. In other words, for about $50,000, given current technology, it would take only a second or so to break encryption tied to a key length of 26 bits. It would take approximately one hour to break a key length of 38 bits. A 40 bit key could be broken in about four hours, a 48 bit key in about one month, and a 56 bit key (Full DES) in 30 years or so. Up the price to about $1 million and DES can be broken in approximately 10 days. I think you get the idea. Security tied to a 128 bit encryption algorithm is very secure, given the state of technology today and the expected state of technology for the next 30 years.

My message to you is this: Fear of the Internet is unfounded if proper security measures are implemented as part of a well-designed security strategy. Firewalls have their place in the security design, but corporate trade secrets and sensitive government data need to be encrypted at a high level of security. To avoid the threat of destruction of data by hackers, make regular and periodic backups and store copies off site. That might sound pretty basic, but I know of several major federal agencies and large corporations that don't backup critical data files on a regular basis. To put it mildly, they are playing with 'cyber' fire.

If you are interested in computer security issues, be sure and check out the information about our M-SWEEP product. It eliminates ambient data from Windows swap files, file slack and unallocated space. This security product is only available to Fortune 500 corporations, government agencies and law enforcement agencies because it eliminates all security leakage on DOS/Windows computers. After this software is used, it is essentially impossible to extract 'secrets' using forensic techniques and tools.