Meet the world's baddest cyber cops

Crime squad for hire


Charles Neal's specialised cyberdetective team bodyguards the systems of Exodus's clients.

The Exodus data centre in California, one of 43 worldwide, sits utterly undistinguished amid the sprawl fanning out from Los Angeles International Airport. The company's name doesn't even appear on the building, but the unassuming facade, which is wrapped in bulletproof Kevlar, belies its extremely high security, almost to the point of paranoia.

Inside, a biometric hand scanner, another layer of bulletproof glass, two Pinkerton security guards, and a 500-pound door block access to 66,000 climate-controlled square feet of Internet servers, the online backbones of Exodus clients like Best Buy, eBay, KPMG Consulting, British Airways, Virgin, Merrill Lynch, Yahoo, and some 4,500 other customers. It's estimated that as many as one-third of all Internet clicks pass through Exodus servers. In a real sense what's behind that 500-pound door is, well, the Internet.

If Exodus is the Internet, then Neal's Cyber Attack Tiger Team, or CATT, aspires to be the Internet's detectives. The group aims to sell managed security services to Exodus's clients. So far it's signed up more than 250 of the most security-conscious among them.

CATT's thesis is relatively simple: Internet security is complex. If you have poor security, you will be hacked. If you have the latest security hardware but don't use it properly, you will be hacked. Furthermore, if you are hacked, and you do nothing about it, you will be sued.

For roughly US$5,000 a month (the price varies widely depending on a company's needs and size), a CATT infrastructure team installs a "content integrity monitoring system" on the client's servers. The CIMS can tell if key data (like select passwords) is ever altered. An unexpected change probably means a hacker has breached the system, so the CIMS pages one of CATT's incident responders, who then immediately sets to work ejecting the intruder. At the same time, the team starts investigating where the hack originated, what systems the hacker used, and exactly who it is. Meanwhile, an intelligence group monitors hacker sites, interviews insiders, and lurks undercover in hacker chat rooms.
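The idea behind content integrity monitoring, sketched as an added example (this is not Exodus's CIMS, whose internals the article does not describe): record a keyed digest of each monitored file, re-scan later, and alert on any change that was not approved. The function names, the HMAC key handling and the approved-change list are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def digest(path, key):
    """Keyed SHA-256 (HMAC) of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def snapshot(root, key):
    """Map every regular file under root (relative path) to its keyed digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped, not followed
            state[os.path.relpath(full, root)] = digest(full, key)
    return state


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    modified = sorted(
        p for p in baseline
        if p in current and not hmac.compare_digest(baseline[p], current[p])
    )
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def should_page(changes, expected=()):
    """Paths whose change was not approved in advance; non-empty means alert."""
    approved = set(expected)
    return sorted(p for paths in changes.values() for p in paths if p not in approved)
```

The digest is keyed so that someone who can rewrite the stored baseline on the monitored host cannot recompute matching entries; that only helps if the key and the baseline are kept off that host.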

One of Neal's first hires at Exodus was Swallow. He then tapped Knesek, the Mafiaboy case agent, and Mitch Dembin, an assistant U.S. attorney. Dembin's job, in part, is to make sure that evidence and investigations are handled legally, so that if companies want to pursue the hackers criminally the case is ready-made: just add a prosecutor.

But Neal's team has been less than successful at persuading companies to take legal action. It is working with the FBI on no more than a half-dozen cases. "That's been one of our major disappointments," Dembin says. "Companies aren't looking at these issues the right way. They just want us to kick [hackers] out. But then we start asking them, what if it's an employee? What if it's a former employee? Then they start to get a little interested. But by far the majority just want us to kick the people off."

Want to Prosecute?

Not every company can afford the services of an expert, but more companies want to prosecute cybercriminals or sue for damages. Some tips from Exodus's Bill Hancock on supporting your case.

  • Determine "investigatability."
    If you can't pinpoint where the attack came from, you have no case. If you do not keep log data from your servers, there is no evidence. And if you can't match the specific attack to a financial loss, you won't have a case in most courts.
  • Assess damage in dollar values.
    Look at the cost of the personnel needed to fix the problem, loss of productivity, loss of customers, slowdown or stoppage in manufacturing or creating your product or service, and loss of revenue due to bad publicity.

Talkback 2 comments

    Scott Wickstein -- 28/09/01

    A good story. Preaching to deaf ears in Australia though. It's going to take a massive attack which brings down a high profile company before people in Australia take security even remotely seriously.

    Anonymous -- 23/01/02

    Nice article, but I agree with the fellow above me. It's gonna take a lot more major attacks and money lost, before companies really begin to invest in security.
