With word last week that yet another police agency has been hacked and its records placed online, and with word yesterday that 90,000 military emails and password hashes from the consulting firm Booz Allen Hamilton had been placed online (analysis here), and today that the mobile phone of London’s police chief was hacked, we at PLI take this opportunity to give a wakeup call to police agencies.
This blog post will set forth some basic network security theory, some context, and links to resources.
In failing to secure your computer networks, there is a clear danger to your officers, your citizens – those you have sworn to protect. Their names, addresses, descriptions, personal identifiers, photos and intimate details are often stored – often contrary to guidelines and common sense – on police networks.
Just look at the message left by the criminal hackers in the BHA hack:
We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes….
This isn’t fear, uncertainty and doubt: the danger is immediate. Your location is irrelevant. Computer network breaches can happen to any agency at any time.
Basic Security Theory
There is nothing in this blog post which differs from security procedures in fortified areas since the dawn of Mankind: Limit access. Separate facilities. Require authorization for entry. Install intruder detection capabilities. Create layers of security, so that if one layer is breached, there’s a backup.
Context
As soon as you say to yourselves that “there’s nothing on our network worth stealing,” think of the embarrassment and unnecessary time and public money spent recovering from the accidental dissemination of the bra sizes of officers, the potentially racist murmurings of officers, and other distractions from police work.
By no means is this limited to the United States; a criminal hacking group released what it says are the names and personal details of Peru’s National Police; while the German police have had suspect location data stolen and placed online, we can only thank a merciful God above that we have yet to have information about suspects, witnesses or other innocent civilians stolen and plastered on the Internet for all to see.
Meanwhile, in the United Kingdom, while a controversy rages over police allegedly selling to journalists the cell phone numbers of suspects, victims and members of Parliament, Big Brother Watch UK reports that 904 police officers and civilian employees were disciplined for offenses under the Data Protection Act in the three years up to 1 June 2011.
We’ve written about this before, and said that we would offer some advice. In looking over the issues we see the problems are incredibly serious, and that giving anything other than the most basic advice is simply not actionable: these law enforcement networks are so fundamentally unprotected that we need to give computer network security 101. That said, I assume you have some basics in place: an always-on Internet connection and a firewall.
So here it is.
The Top Five Things You Need To Do To Secure Your Network
Like all things computery, my list of five starts at number 0.
0. Stop Messing Around – Get someone in your agency trained on computer security. You cannot act as if this is not a clear, immediate and police-specific problem. Computers are not some separate, non-law enforcement issue, they are fundamental to every arrest, every search, every prisoner transfer, every warrant, every case.
We depend on our computer networks for everything we do, and relegating them to the “geeks” has utterly failed. Seek out courses by trusted organizations like SANS, which offers things like Intro to Information Security, which describes itself thusly:
We begin by covering basic terminology and concepts, and then move to the basics of computers and networking as we discuss Internet Protocol, routing, Domain Name Service, and network devices. We cover the basics of cryptography, security management, and wireless networking, then we look at policy as a tool to effect change in your organization. In the final day of the course, we put it all together with an implementation of defense in-depth.
–SANS
Don’t be limited by that: local community colleges and colleges often have basic courses as well. There is a geeky, nerdy cop in your agency – they guy you’re already using to update your iPhones and patch your Windows machines. Send her to these classes. Now.
1. Stop Using Stupid Wireless. If I were attacking your network, the first thing I would do would be to drive up to your station-house and turn on a WiFi network detector. About 75% of the time, I’d be done – most small agencies are not even encrypting or disguising the fact that they have a WiFi hotspot. Most of the rest of the time, they’re using WEP – a trivially defeated security protocol that has been completely unreliable since at least 2004.
The other issue is that most agencies are plugging that WiFi hotspot directly into the core of their network. This means that anyone attaching to the WiFi hotspot is plugged right in – with the same privileges as anyone actually inside the building to access local resources, hard drives, etc. This is stupid, short-sighted and totally preventable.
- Create an enforceable Wireless access policy
- Use sensible encryption – at the moment this means WPA2-PSK, but these standards change, so keep up with the times.
- Create a digital demilitarized zone (DMZ) within your network so that WiFi users are not granted the keys to the kingdom just by successfully logging into the hotspot – allow Internet access only from within the WiFi DMZ.
- Disable sharing
- Seek (by listing specific computer identifiers, called MAC addresses) to limit access to specific computers (this is not foolproof, but it is better than not doing it)
2. Airgap and Segregate. NCIC requires you to provide a standalone computer to access that network. Is your NCIC computer a networked Windows box? Are there other programs running on the NCIC box? I’ll bet you an ice-cold Dr Pepper that the answers to those two questions are “Yes” and “Yes”.
As we saw with WiFi, we need to segregate assets which don’t need to be accessed on, or by people, outside the network or in places on the network where it is inappropriate. Just as there is no conceivable reason to have anyone outside the network accessing the records management system, there’s no conceivable reason for anyone inside the network to be able to access the NCIC box.
All your computer assets should have moats around them – ideally in the form of actual physical disconnection (called, “air-gapping”,) or at worst, virtual segmentation.
Your network administration should also include setting the lowest necessary permission level on individual officers’ credentials, not just for the applications you use (we’re good at this) but also for the machines we use (we suck at this). And for Pete’s sake, can we please start using some seriously reasonable passwords?
By the way, I’m a strong supporter of passphrases as opposed to passwords. My favorite recent story about this is about the cop who kept going to the supervisor saying he couldn’t remember the password 97dj12sd04!oj$
Tired of constantly re-setting the guy’s password, the supervisor gave the cop the password, I am Marius 1027’s Bitch.
Now that is an easy-to-remember password.
Another by the way: if you do make your passwords hard to remember like 97dj12sd04!oj$ then you end up with, you guessed it, lots of cops writing their passwords down on Post-It notes and placing these password-laden Post-Its where? Under their keyboards – as good a hiding place for passwords as are sock-drawers for hiding cash, guns and jewelry. Among the first things a computer network intruder does is walk down the desk-rows flipping keyboards to find the Post-Its. Do you have Trustees in your department who may have access to your computer keyboards? I’m not sayin’, I’m just sayin’.
3. Set a realistic and enforceable Internet surfing policy I’m sorry, but cops should not be using police computers to just surf the Web except as part of their official duties. Limit severely the surfing privileges of any Internet-connected computer. Buy and use a proxy server that blocks access to most sites. Any machines which must be used by officers to access the full Internet (for example, for investigators or fugitive tracking) should be segregated off into their own sub-net and isolated as much as possible physically and digitally.
- Why? Any Windows computer will be rife with viruses and other malicious software after a typical day of net-surfing, and immediately upon viewing any Internet pornography. I say this with the same confidence as when I say that shooting yourself with a 9mm round in the thigh will result in a trip to the hospital. It’s that simple.
Facebook, Twitter, Google+, MySpace – any social media – have no business in a police station outside the public information officer’s office, the intelligence analysis division, warrant division and CID, and absolutely no business being on most police-owned computers. Do it at home. This is a public safety issue. This is an officer safety issue. Lives, truly, depend on this.
4. Establish a system of logging and intrusion detection and prevention Everyone gets hacked. Everyone. The trick is to understand when it has happened and recover quickly. This requires understanding of what goes on in your network, and knowing what is “normal”. Only by understanding normal can you recognize abnormal. This means you must start logging and recording activity on your network.
Send someone to a class on logging. SANS offers a great one, called Log Management In-Depth: Compliance, Security, Forensics, and Troubleshooting, in which
You will learn how to enable logging and then how to deal with the resulting data deluge by managing data retention, analyzing data using search, filtering and correlation as well as how to apply what you learned to key business and security problems. The class also teaches applications of logging to forensics, incident response and regulatory compliance.
Once you’ve got logging going, start running other tools, like those from NetWitness, which costs as little as nothing.
Now get some Intrusion detection and prevention going. Snort, from Sourcefire, is open source and free to acquire, but of course you’ll need training. Sourcefire runs a four-day class…
…for those who want to learn how to build a Snort sensor from scratch using many of the open source tools and plug-ins available to help manage, tune and deliver feedback on suspicious activity on your network. Hands-on labs with fully documented instructions help students construct solid, secure Snort installations and understand the inner workings of the premier open source IDS/IPS available today.
Once up, properly tuned (this is very important) and running, your IDS will give your administrator warning when something seems screwy. What’s more, you can program the system to simply reject traffic which is obviously malicious.
5. Spend some money on anti-virus, you cheap bastards. Don’t get me wrong, anti-virus is stupid, and protects against the attacks of yesteryear in an inefficient manner. I have revised this because of a very valid point from a friend in the AV industry. He said,
The simple fact today is that most threats are known threats. AV as an industry is challenged due to the sheer volume, but not stupid.
Great point, and I hereby revise my post accordingly. He also mentioned – and I agree with wholeheartedly – in fact this was the point I was making in this section – that AV can’t fix what it’s not intended to fix. It’s not a panacea, it defends against known threats.
I’ll now return to my blogpost, already in progress:
However the sheer volume of malware in the wild means that one must buy [anti-virus]. But it’s important to recognize that anti virus protects against known threats, and only known threats: you are not “safe” when you run anti-virus (and you’re even less safe if you don’t update it regularly), you’re just relatively more protected against known threats. So buy some.
Now hear this: AVG Free is not sufficient protection for a law enforcement network, nor is it legal to use it. Just read the license agreement:
AVG Anti-Virus Free Edition is for private, non-commercial, single home computer use only. The use of AVG Anti-Virus Free Edition within any organization or for commercial purposes is strictly prohibited.
If you put a gun to my head and asked me to select one single anti-virus it would be Prevx, but you should buy something, install it on every machine, update it regularly (with update periods measured in hours, not days or weeks) and pay your annual bill. Seriously.
I could add a 6 and 7 and 8 and more, all the way up to Avogadro’s number and still not cover it all, but these are good places to start. Some other things to explore: stop using POP for email; move to IMAP and force an encrypted mail connection. Require token based authentication to internal applications. Use one-time passwords for Web-facing applications. Regular patching of operating systems and applications. Regular backups with encrypted copies to safe, offsite storage. A contemporary firewall (or a “next-generation” one).
And on and on and on.
Will any of this make you impervious to hacks? Absolutely, positively not. But all of it will help you detect an intrusion faster, limit the damage caused by intrusions, and help you recover much faster and understand more precisely what records may have been compromised.
Ignore this at your peril.
Police-Led Intelligence 
S.P.
12 July 2011
This is some great advice, just wish more PDs would listen to it!
Nick
12 July 2011
Thanks, Sam,
We’re glad you like it. Let us know if there are specific topics you’d like to see us cover here at PLI.
Lee Mathers
1 August 2011
I wish that more than just police departments etc would adhere to this. Being a former IT administrator at a government arms length agency; I can attest to the complete failure of upper management to reign this stuff in. Hospitals, Police Stations, Fire Departments, Child Welfare and Childrens Mental Health agencies all fall victims to this stuff.
It appears too many people in positions of authority do not have the minimal understanding to figure out that using Skype, Twitter, Gmail, Hotmail, and Facebook etc from the office is not a good idea.
These computers are tools provided to government officials to conduct official business they are not toys and definitely should not be consider perks of the job; regardless of your status in the organization.
Jag
12 July 2011
I love this article, great advice as usual. Small changes can make a big differance. Keep up the good work Nick
Nick
12 July 2011
Thanks, Julie,
We’re trying to keep it as breezy and practical as possible; I hope the links help! Thanks again for the comment.
Alex
12 July 2011
Thanks for the Prevx recommendation. Just so you know, Webroot bought Prevx and version 4 of their AV engine will be in the 2012 edition of their security suites.
Nick
12 July 2011
Which brings up an excellent point about dealing with vendors who are fiscally viable and have a responsible acquisition plan and integration strategy with their acquirers. Thanks, Alex.
BobL
12 July 2011
Hi Nick – Great stuff, as always.
For a secure deployment two other things that could be considered: (1) whitelisting such as CoreTrace or McAfee Application Control (fka Solidcore) which in theory do a better job with Zero-Day attacks because they don’t use signatures and (2) on the cheap bastard thread, hire an outside penetration testing firm and let them find your vulnerabilities. That is almost always money well spent.
Cool password memory trick – lifted from the Employee Security Manual for a very well-known, “establishment” Brisith company: Pick a song and artist you like. The example in the manual was Jimi Hendrix, “Third Rock from the Sun”. (I guess we are now the establishment). The password becomes jh-3rfts. That’s a reasonably strong password – only breakable by brute force but easy to remember.
BobL
Nick
12 July 2011
Excellent comments, Bob. Whitelisting is indeed important, and let’s not leave off any list of whitelisting vendors Bit9! Thanks for the comments, and the password tips. Much appreciated
JimmyMac
13 July 2011
NIck,
Excellent posting!! and OH SO TIMELY!!!
I am not a L.E.O. However, I am responsible for the system security of our Sheriff’s Department. The most quoted complaint I get from this group is, “The security procedures are too strong! We cannot get anything accomplished because of having to use VPN’s when on the road or at home, and when the VPN is active we cannot get on the Internet.” I had given them the reason why split tunneling was not enabled. Their canned response back to me is always, “YOU ARE NOT A COP AND YOU DO NOT UNDERSTAND!”
I knew given time it would become political. Last week it did, and a formal request came to me from a few elected officials, who are ultimately my bosses, requesting an explanation why I was “keeping our law enforcement officers from effectively utilizing the remote IT resources.”
I sent them all this link with a short explanation and a request that they read it.
While I was typing this response I received an e-mail from one of the elected officials stating that they understand the issue and that they, “appreciate the fact I am being proactive on this matter.”
Thanks again,
It is refreshing to see the name of a blog that is NOT oxymoronic.
JimmyMac
Nick
14 July 2011
We are so happy to hear this success story. Stick to your guns, JM, and thanks so much for taking the time to share this with us.
Nick
corq
14 July 2011
Having been a civilian IT specialist in a small agency; we walked into this very situation; barely any budget for IT itself (Most came by way of grant money) and dissimilar records systems that did not encourage complex passwords, and too many passwords (I know, I know) that truly thwarted Officers in maintaining secure passwords, because there were too many to keep straight.
Part of this was somewhat alleviated by integrating the systems systems, but we know that requires budget money, and is always a challenge.
I’m pleased this post is from law enforcement officers themselves, as its difficult to get buy-in from Officers when its coming from well-meaning civilian IT folks.
I too figured out after a while, how to articulate strong password language, and yes, colorful language seemed to help them embrace the practice.
I’m now in private industry; but I still worry that smaller agencies are at worse risk because Officers really have big dangers to manage in their daily work, and system security unfortunately shouldn’t have to be one of them — but I think getting the knowledge out there, from other officers, will speed that greatly.
Excellent work, gentlemen.
Nick
14 July 2011
Thank you so very much for taking the time to leave that interesting reply, and we appreciate your compliments!