Interview: An Ethical Hacker Protects the World Cup Network

By Paul Kerstein

The 2006 World Cup is arguably the most publicized and watched sporting tournament around the globe. The need to secure the information systems for a massive juggernaut of worldwide data networking and access is paramount. CSOonline’s Paul Kerstein recently caught up with Dr. Tom Porter, the mastermind behind the security for the World Cup network and a lifetime hacker himself. This is what he told us about network security, hacking and working on the World Cup network.

CSOonline: What is your background, and why are you called a hacker?

Dr. Tom Porter: I’m a hacker in the more traditional sense. Old-school hackers want to learn how things work and try to take it apart or gain access out of curiosity. Getting into networks and systems is good or bad based on your vantage point. Most traditional hackers do it just to see if they can, but they’re not there to steal information or destroy the integrity of a system.

Can you mention some of your notorious hacks?

Nothing that I’ve done has made public news, and there are some things I’d rather not mention. I did raise the interest of the Defense Department once, but I’ve never been involved in any criminal activity. At one point in my career, I was interested in finding proof of alien life, so I did access the network at China Lake, also known as Area 51 in Roswell, New Mexico.

How does a hacker disclose his or her credentials?

There are two kinds of hackers. Those who do it to impress their friends or become famous, and those that you don’t know about. The really good, and smart, hackers won’t tell you that they are hackers. Many of them are also not very sociable–they keep what they do on the QT, and if they have real credentials or experience, they don’t say anything about it.

How did you start working with Avaya, and what is its relationship with the World Cup?

I was working on the Avaya Security Practice a couple of years ago and they asked me if I wanted to work with World Cup network security. As most security executives know, the Internet has become more hostile, and they wanted my expertise. Avaya helped FIFA, EGS and Deutsche Telekom formalize a security strategy for the World Cup to try and perfect security for the current network.

You were hired on as what’s called an “ethical hacker.” What is your image at Avaya and the World Cup IT community?

Both Avaya and the people we work with are OK with it. For the last 10 years, I have been working on, and am known for, business information security. I am a firm believer and preach heavily on IT ethics. The folks here trust me very much, but that is a reputation that I’ve earned over time.

Can you explain what happened and the scope of the network disruptions at the 2002 World Cup?

Luckily, no Internet outages occurred. There were several large denial-of-service (DoS) attacks launched, but they were human attacks, not bots inundating the Internet with information or e-mail. There was nothing really consequential, and there was no Internet downtime.

IT has changed a lot in the last four years. How has protecting networks and hackers changed?

We’re a lot better at security. For two reasons:

    1. We have more experience, and people are more aware of the need for information security. The level of awareness is up, and we’re able to devote more resources to it.

    2. The tools and processes are better. The technology surrounding firewalls, intrusion detection and honeypost databases is better and continues to develop.

What sort of attacks was it most important to protect against, and what did you do to prevent them?

We are concerned about any attack that will result in network downtime. The network holds realtime information that needs to be accessed around the globe at any given time and we have to ensure that the information and results are available as the action happens. We focused on the “CIA Triad”: Confidentiality, Integrity and Availability.

We are also worried about worms, viruses and DoS attacks, of which, the DoS attacks can be particularly hard to protect against.

Can you tell our readers about the staff you have available to protect your information systems?

We have a relatively large staff compared to most organizations because we have a very dynamic network. Different portions of the event network are installed and deinstalled at different times. We had it up in mid-May and we have to have everything disassembled immediately after the tournament is over on July 9. Additionally, equipment needs to be set up and taken down for each game, so it’s not your typical stable enterprise network.

Our staff spends a lot of time dedicated to watching the network in real time. And if someone isn’t doing that, they are checking random areas and subsets of our network. We also run frequent scans of the entire information system.

You have to deal with a multitude of media types that access your network, such as telephones, PCs and BlackBerrys to name a few. How did you approach security for that, and were there any memorable roadblocks that you overcame?

As you stated, our network carries a lot of different access points. Digital cameras presented a very interesting challenge because they require high bandwidth, and secure transference of digital images was a bit of a challenge. Voice, multimedia, data–it doesn’t matter–it’s all IP traffic, so it’s all treated the same way on an overall Internet level–you start with the fundamentals. It sounds cliche, but a network is only as strong as its weakest link.

Once you felt the network was prepared before the tournament started, what role do you play as the games are taking place?

I’ll feel prepared on July 9, when the tournament is over.

Until then, I still work with our IT partners and team members. The network is an interesting challenge, as I mentioned before, because it is installed and torn down in different cities, in different time-frames, as the tournament happens. We spend a lot of time planning what’s going to happen. During the game, We also trying to figure out what else we can do and what systems we can check. There’s always another area that needs focus. I’m also writing new rules for our intrusion detection system (IDS).

How could a CSO translate your information security and planning for the World Cup to a typical enterprise network?

I personally believe that when you start out to secure a network, it’s important to have policy documents and roles in place. Policy is needed for basic metrics and performance, and those documents create a starting point. As the implementation develops, it’s easy to change as you go.

I’d also like to see companies spend more time on their networks with IDSes and remote firewalls. Not so much on technical systems, but the human factor. You need humans playing defense and many companies can’t afford to do that, or don’t give their security staff the time to do it. For me, having live humans on hand to continuously monitor systems has definitely paid off.

How can the work you’re doing be converted to the myriad of public and private companies that are experiencing data losses?

Every company has a problem with losing laptops and other mobile devices; this is nothing new. A company can be great at protecting its network, but if you lose laptops, there’s not much you can do. I’m researching that as a major component of enterprise security as we look towards the year 2010. It’s important to secure the data center, but although it’s hard to do, companies also need to secure mobile nodes, such as laptops, BlackBerrys, etc. We can learn from what has happened too often in the last few months. Laptops need to be secured with passwords and encryption. Although it’s expensive, companies might think about novel ways of stopping data theft such as dead-man switches, or kill switches, to protect data.

Should CSOs be worrying about hackers or other threats?

Looking at history, most security threats come from viruses, worms and loss of physical assets. With that in mind, security executives should focus on educating users, enhancing existing authentication and authorization systems, monitoring internal Intrusion Prevention Systems (IPS’s), have security policies in place and keep business partners constrained when dealing with sensitive data.

There is also a confusing regulatory environment at the moment. Often companies want to do the right thing, but are not sure what to do. Compliance should be another concern of CSOs.

Can you provide a top-five list of things that CSOs should consider as they plan and implement strategies for information security?

1. Trust nobody.

2. Authenticate everyone and every device.

3. Protect data wherever it is. Don’t rely on single firewalled domains.

4. Physically protect mobile devices. This is one of my key concerns.

5. Economically satisfy regulatory requirements. This will be hard to do until they are clarified.

There are rumors that you challenged anyone to test the security of the World Cup network. Is there any truth to that? How confident are you in the security system you have in place?

I don’t remember issuing a challenge, and it would be pretty arrogant, not to mention a bad practice. This is the largest sporting event in the world, and protecting the network and allowing the games to move forward with proper access to all the information available is my only concern. The prudent thing for me to say is that I’ll be confident in our security after July 9. Until then, we continuously monitor the network.

Have you had any hacking attempts or attacks on the network so far?

We’ve had a lot of “noise” attacks on external interfaces that are affiliated with the network. Phishing, spamming, trojans related to World Cup tickets were pretty popular. So far, the attacks have been unsuccessful.

We also haven’t been surprised by anything, which is good. We’ve seen standard SSH attacks, cross-site scripting attacks, as well as worms and trojans brought into the network. Honestly, there’s been nothing more than what you’d expect.

Thomas Porter, PhD, is the director of IT security for the FIFA World Cup 2006 and the chief security architect for Avaya’s Global Services’ Consulting & Systems Integration practice. Recently, he also served as the first chief information security officer (CISO) at Avaya.  He joined the Avaya Global Managed Services in 2002 as a senior security consultant. Prior to joining AGMS, Porter worked at Alteon WebSystems and Nortel Networks.

 Dr. Porter has spent more than ten years in the networking and security industry as a consultant, speaker and developer of security tools. He has hacked into networks belonging to banks, credit unions, credit card companies, U.S. government institutions and spammers’ computers.