Security is the backbone of The ESP Group. Raising the security bar to the highest level, the ESP Group embraces a highly secure operating environment – built to rigorous U.S. government standards for a Sensitive Compartmented Information Facility (SCIF). Following these standards, every portal supports SSL with up to 256-bit AES encryption (with a minimum of 128-bit required). The portals support multiple strong authentication methods, including strict registration protocols, authorized management, human revalidation processes, and portal activity monitoring and reporting.
Full Circle Security

The Full Circle solution encompasses all aspects of The ESP Group products, services and business methodologies. It incorporates the hiring process, continual training of employees, coding practices, physical security and development of security certified applications. However, no full circle solution can be complete unless one takes into account the security practices that are taught and enforced with the cooperation of end users. These practices include user authentication and the enforcement of usage policies. The ESP Group enforces strong authentication practices, provides security education for clients and proactively monitors the activity and usage of its systems.

 

Physical Security

The first step in the full circle security model is the physical security protection. In order to ensure the security and integrity of its systems, The ESP Group implements strong physical security controls. Highly sophisticated software, encryption, and authentication will not provide the full cycle of security if the system operations are not physically secure.


  • SCIF Level Facilities: Data processing operations are conducted in The ESP Group's Secure Operating Centers (SOCs) that meet or exceed the standards for U.S. Government Sensitive Compartmented Information Facilities (SCIF). These standards include perimeter protection, auditing, access control, intrusion alarms, etc.

  • Top Security Professionals: The ESP Group leadership includes leading security experts as well as technical experts to assure the most disciplined security procedures.

  • Secure Administrative Procedures: The ESP Group employs stringent administrative security procedures that meet or exceed Government requirements for sensitive data. These security procedures include documented policy, policy reviews, auditing and compliance oversight and reporting.

  • Cleared Staff: All ESP staff have been through the necessary security requirements to obtain a U.S. Government Security clearance. Employees receive ongoing security education and training.

  • User/Administrator Awareness and Training: The ESP user base is provided with training to understand the ESP environment to ensure compliance with current security policies. This is the most overlooked and important component of information security.

User Security

A system is only as good as its weakest link. Therefore, ESP technology focuses on User Control, to create a customizable, single sign-on portal for each client. Every portal incorporates 128-bit encrypted access to the applications. All of the best authentication methods are supported, augmented by registration protocols, audited authorization management, human revalidation processes, activity monitoring, and reporting.

  • Authentication Techniques and Monitoring: The systems include the most advanced authentication techniques and are consistent with current Government regulations.

    • PKI, RSA SecurID and integrated web-based biometric authentication - these optional user authentication techniques can be provided as part of the customization process to meet the client's level of security requirements.

    • Hard enforcement of lockouts - after a certain number of unsuccessful attempts, the user is locked out of the system to prevent a brute force attack attempt. The user is not notified that their account is locked so as not to alert a potential intruder that they are being monitored. The help desk receives a notice when a user is locked out of the system so that they can take the appropriate action, whether that is assisting the user in getting into the system or notifying a security administrator that an unauthorized login is being attempted.

    • Enforced strong passwords - the systems can enforce strong passwords that meet or exceed U.S. Government standards. Password requirements are customized in accordance with the client's needs.

    • Human in the loop - the live help desk is available to assist users with logon problems, system questions and username/password resets. Users must verify the security information they supplied when they first registered, in order to have their account credentials reset. The Help Desk does not send out authentication information via email or other non-secure channels that may be intercepted by an unwanted third party.

    • Heuristic User Monitoring - User usage patterns are monitored using advanced statistical analyses to identify anomalous activity. Intervention procedures, tailored specifically for each client, are implemented at several levels when such activity is identified. The analyses consider expected patterns based on user profiles, type of transactions, volume of data transfer, time of day, and location of originating URL among other factors.

User Training

All client administrators within the system undergo a security and system orientation training session to ensure they know how to operate the portal effectively. The ESP Group also conducts brief security overviews to ensure that administrators and users understand and practice general security procedures.

Development of usage policy - Portals include a usage policy designed by the client in conjunction with The ESP Group to ensure that users understand their expected behavior.

  • Training and Administration: The operations and help desk team are another critical element in the maintenance of a secure environment. Therefore, education and effective policy oversight and management are essential.

    • Social Engineering training for all Help Desk personnel - all help desk personnel receive training on social engineering to ensure they take the necessary steps to avoid giving information to an unauthorized user.

    • System Administrator Training and Support - the System Administrator is also important in the maintenance of a secure system environment. The operations team receives ongoing training on user vetting and standard responses to security alerts. In addition, The ESP Group maintains alliances with several entities that provide advance vulnerability notices and security alerts.

Hardened System Architecture

The proprietary hardened systems architecture, which includes multiple, in-line, "polarized" firewalls, traffic and code scanning, special anti-hacker techniques and Operating System hardening, is actively managed on a 24x7 basis. The ESP environment utilizes advanced systems architecture designed to defeat the most sophisticated intrusion techniques. These designs were developed utilizing the U.S. Government's Computer Emergency Response Team's (CERT) extensive database of successful intrusions of supposedly secure systems.

Located at Carnegie Mellon's Software Engineering Institute, CERT is one of the front line resources in managing data security.

  • Polarized Firewalls: Multiple, in-line firewalls are set to accept only one protocol in (HTTPS) through only one open port. Each firewall uses a different technology (packet filtering, proxy, stateful inspection, etc.). Each firewall also comes from a different manufacturer, which is designed to defeat attacks that exploit known weaknesses of any one vendor.

  • Aggressive Intrusion Detection: The system is monitored on a 24x7 basis by IDS software, firewall and log monitoring. Significant probes and other intrusion attempts are traced and the originating ISPs are notified of potential legal action.

  • Code Demobilization: The stream of data entering the system is constantly monitored for any type of mobile code. The system isolates and prevents it from taking any action. While tight control over this type of code blocks some non-essential functionality such as simple JavaScript, it greatly enhances system security by preventing the type of hacks that penetrated Microsoft's "Hotmail". Comprehensive virus scanning is also used on file uploads into the portal.

  • Strong Encryption and Certification: The ESP environment utilizes 1024-bit key size certificates, which generate the strongest possible encryption, throughout the system. While 512-bit encryption has been compromised, the higher level utilized in the ESP environment requires an exponentially higher level of resource to crack, which is currently beyond the capability of any threat. Additionally, the crypto systems are easily upgradeable, so as encryption attacks become a greater threat, it is a simple matter to increase the key length to thwart these attempts.

  • State Theft Protection: A common attack in any system is the attempt of a user to change the level of permissions they have within the system, thereby gaining access to data or resources not normally provided. The ESP applications and state management strategy prevent this from occurring through the use of sophisticated session tokens that revolve with every click of the mouse. In addition, on each user request, information is compared to the last known state of the user to determine if this is the same person, or someone in a different location trying to impersonate them. The system audits anomalies and reports them to administrators.

  • Application Piping: The ESP environment operates utilizing, to the greatest extent possible, only a single protocol. Feeding information to applications through a single protocol eliminates one of the most important tools used by hackers: attacking unused protocol ports.
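
The State Theft Protection item above describes session tokens that change on every request and a comparison of each request with the user's last known state. The following is an added sketch of that idea, not ESP's proprietary implementation; the class and method names, and the choice of client address plus user agent as the "last known state", are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str          # privileges stay server-side, never inside the token
    token_hash: bytes  # only a hash of the current token is stored
    fingerprint: str   # last known client state (assumed: address + user agent)


class SessionStore:
    """Hypothetical per-request rotating session tokens with anomaly auditing."""

    def __init__(self):
        self._sessions = {}  # session id -> Session
        self.audit_log = []  # (user, reason) entries reported to administrators

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).digest()

    def login(self, user, role, addr, agent):
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, role, self._hash(token),
                                      f"{addr}|{agent}")
        return sid, token

    def request(self, sid, token, addr, agent):
        """Check one request; return (role, next_token), or None if rejected."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        # A token is valid for exactly one request; a replayed one is an anomaly.
        if not hmac.compare_digest(session.token_hash, self._hash(token)):
            return self._reject(sid, session, "stale or forged token")
        # Compare the request with the last known state of this user.
        if session.fingerprint != f"{addr}|{agent}":
            return self._reject(sid, session, "client state changed")
        next_token = secrets.token_urlsafe(32)
        session.token_hash = self._hash(next_token)  # rotate on every request
        return session.role, next_token

    def _reject(self, sid, session, reason):
        # Design choice in this sketch: audit the anomaly and end the session.
        self.audit_log.append((session.user, reason))
        del self._sessions[sid]
        return None


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample values (documentation address ranges).
    sid, t0 = store.login("alice", "member", "203.0.113.5", "UA-1")
    role, t1 = store.request(sid, t0, "203.0.113.5", "UA-1")
    print("first request:", role)
    print("replay of old token:", store.request(sid, t0, "203.0.113.5", "UA-1"))
    print("audit log:", store.audit_log)
```

Because the role is looked up server-side on each request, a client that edits its token or replays a captured one gains no privileges and instead produces an audit entry.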

Proactive Monitoring

Proactive Security Monitoring includes tracing suspicious probes to their source and initiating appropriate management or legal actions. Proactive Monitoring is more than putting guards at the gates - it is regularly counting the silverware.

  • Multiple Intrusion Detection Systems (IDS): Each Secure Operating Center used by The ESP Group implements multiple advanced Intrusion Detection Systems, each with different architectures. Multiple IDSs help defeat hackers who structure their attack to exploit weaknesses in any single IDS system.

  • Front and Back End Monitoring: The primary IDS, 24 x 7 monitoring, occurs outside the SOC firewalls to identify all incoming threats. Additional instances of the IDS software are run at critical points of the architecture behind ESP security features to assure that attacks were unsuccessful. This is an expensive best practice, seldom implemented.

  • Code Integrity: All systems and application code is regularly scanned and cataloged to assure that no unauthorized code can be implemented. There is no remote access given to any of the ESP systems so that only authorized users have the ability to allow the appropriate code to gain physical access to the server.

  • Log File Analysis: Log files are analyzed for anomalous activity.

  • Network Status Monitoring: The ESP operations team assures quality operations through intense network status monitoring.

  • ESP Application Monitoring: ESP Applications are monitored to identify user problems such as failed password attempts or error conditions and users are contacted by the help desk to offer assistance rather than waiting for user calls. This increases both service and security.

Compartmented Portal

Using a Compartmented Portal with a granular authorization structure allows users to maintain private content within the portal while still being able to collaborate widely. The ESP has created an easy-to-use need-to-know management structure to give users an easy way to manage their data. Access configurations can be customized by role, organization, or a variety of other factors. Hackers know most networks may be hard and crunchy on the outside, but are soft and chewy on the inside. Need-to-know controls can be granted at the portal level, the organization level or the data level.

  • Compartmented Organizations: Administrators can establish compartmented organizations that are NOT allowed to communicate with one another. Users only see the users and data for which they specifically have access. To a user, there is no concept of having data they cannot access because it is never visible anywhere on their portal.

  • Controlled Access to Core Tool and Plug-in Applications: Administrators can control the access to Core Tools and Plug-ins for users. Administrators can also push down the management of these applications to other administrators that manage a specific organization or group of users.

  • Need-to-know enforced at the data level: When a user posts data on the portal, they decide which users will be able to access the information. Therefore, every user has the ability to set need-to-know controls. This gives a user confidence in the data they post as well as audit capabilities to see when users view their information. The roles and rights system is hardened against compromise by proprietary ESP state management tools built into the portal.

Certified Applications

All ESP applications are put through a Security Certification (SEC.Cert™) test to ensure that they can fit into the ESP secure collaboration environment. Only applications that are modified to comply with ESP's security standards are run in ESP Portals. Standards include secure coding practices and interfaces with ESP security tools. All system and application software is monitored for code integrity.

  • State Management: A proprietary system is deployed to re-verify privileges with each mouse click. It works with ESP's role-based, granular, single sign-on authorization system, which is built into each ESP portal and all SEC.Cert™ applications.

  • Database Isolation: Sensitive data can be isolated behind additional firewalls between application and database servers, preventing access to key data even if applications are compromised.

  • Auditing and Logging: A full, click-by-click audit log is maintained for all portal activity ensuring that all activity is controlled and auditable at the firewalls, application access and internal applications levels. Logs are analyzed automatically and with human oversight.

  • Application Security Tools: Each user's data is examined by specialized software to remove potential malicious content.
Defense in Depth
[Figure: Visual schematics for Defense in Depth]
The ESP Group employs a Defense in Depth approach in its network architecture by using:
  • Single Protocol: All collaborative tools are collapsed into a single protocol interface to reduce complexity of the system and reduce the opportunity for attack.
  • Outbound Notifications: No inbound mail is allowed due to the threat involved in opening mail protocols to the Internet.
  • Survivable Architecture: Redundant connections to the Internet provide scalability and availability. No single point of failure in system (notional drawing does not depict all availability devices).
  • No Remote Tools: All management and administration of systems is performed at the console. No remote manipulation of the systems is permitted, and remote tools cannot be exploited since they do not exist in our framework.
  • Hardened Architecture: Hardening means to run the absolute minimum necessary to perform a specific task using the best possible tools (best security track record). All systems within the ESP are hardened and perform single tasks to reduce the complexity of the environment of each system. Reduced complexity directly correlates to enhanced security.
  • Aggressive Cyber-Security Management: The ESP Group personnel provide ongoing real-time updates to all systems (including patches, anti-virus updates, hot-fixes, etc.) to combat the latest threats as they occur.
Security Reviews
This list comprises all security assessments, reviews and red teams of The ESP Group, LLC secure portal technology. The same technology is used for all sites to service all existing clients. For additional information regarding the results of these assessments and reviews, please contact George Johnson, CISSP at 703-418-6318 or via email at gjohnson@espgroup.net.

  • Defense Advanced Research Projects Agency (DARPA) – Assessment done by Secure Computing – Positive Outcome – 1997
  • National Security Agency (NSA) – Assessment – Positive Outcome – 1998
  • Computer Emergency Response Team (CERT) – Red team – Positive Outcome – 1999
  • National Security Agency (NSA) – Assessment – Positive Outcome – 2000
  • Department of Energy (DOE) – Assessment and Red Team – Positive Outcome and Certification – Positive Outcome – 2002
  • National Aeronautics and Space Administration (NASA) – Assessment done by SAIC – Positive Outcome – 2002
  • Department of Justice – Review and accreditation based on Department of Energy Certification – Positive Outcome – 2002
  • Office for the Secretary of Defense (NII) – Assessment – Positive Outcome – 2003
  • Spi Dynamics – Red team – Positive Outcome – 2004
  • Philip Morris – Assessment done by Grant Thornton – In process
  • National Security Agency (NSA) – Assessment – Scheduled September 2005
Web Application Defense

Hackers target web-based applications because they know and exploit the fact that no matter how much security an organization may employ (firewalls, intrusion detection, virus scanning, etc.), the path for web-based applications must be open through these devices. To make matters worse, many organizations believe they are secure because they use SSL (encryption) to protect the information in transit from the user to the application. SSL is beneficial in that the data is protected from all prying eyes, but the problem is that the data is also protected from ALL security systems the organization has employed to safeguard its systems. This allows a hacker to tunnel an attack right through hundreds of thousands of dollars of security infrastructure and personnel and successfully exploit sensitive systems while remaining hidden in the encryption.

While at Carnegie Mellon's Software Engineering Institute (SEI), the ESP technologies and processes were hardened during research and operations with specific defenses against all known types of attacks in the SEI's Vulnerability Knowledgebase. The specific hardening of the application layer (web-based applications), an important layer of ESP's overall Defense-in-Depth strategy, is outlined below.

| Attack | Description | Defense |
| --- | --- | --- |
| Application Buffer Overflow | Very long requests sent to an application intended to execute arbitrary code | All incoming data is inspected and trimmed according to the expected type and length. This occurs at the firewall and application level. Third party middleware application sites are closely monitored for security patches – testing is performed and patches are applied. |
| Cookie Poisoning | Changing a cookie's contents to obtain unauthorized information from the server | The ESP Group has developed a proprietary algorithm for managing cookie information that is computationally infeasible to break. Randomly substituting information into a cookie and reposting it will result in an attack signature that our defensive systems will pick up and alert system administrators and security administrators. |
| Hidden Field Manipulation | Changing the values of hidden fields, which are frequently used to provide status information to the server | All user permissions are checked during page creation and page return, so even if a user attempts this attack, they will only be able to perform actions that were within their granted privileges. All modifications to information that request unauthorized access are logged and sent to system administrators for further action. |
| Cross-Site Scripting | Malicious code, commonly starting with a script added into the URL to execute on a user machine | The ESP Group specifies character encoding schemes to remove the ability of attackers to “slip” encoded scripting through the system. The ESP Group performs input and output filtering to ensure that only correct information exists in the data stream. No active content is allowed into the site. Extensive user training is conducted to help users make good decisions about the security of their systems. |
| Parameter Tampering | Submitting modified data to the web server | All permissions are checked when the page is submitted to ensure that a user is not gaining unauthorized access to information or resources. |
| Stealth Commanding | Modifying web form input fields to coerce the web server into actions it wouldn't ordinarily allow | All data that is exposed to the user interface is compared to acceptable input formats prior to being executed on the system to prevent unauthorized commands from being executed. All input into each field is checked against acceptable constraints prior to being operated on or executed to ensure it is legitimate. If illegitimate information is found, security notifications are sent to operations staff. |
| Forceful Browsing | Modifying URL to bypass web controls | While URL modification is allowed, a user is only allowed to browse to resources to which they have been granted specific access. This allows users to bookmark resources within the system, while preventing them from accessing unauthorized information. Our tools inspect incoming requests and will trigger alerts to operations staff if negative activity is identified. |
| Known Vulnerabilities | Exploiting known vulnerabilities that haven't been patched | The ESP Group has an aggressive research division specifically watching for system patches. When these patches are identified, they are downloaded and evaluated to ensure they perform their intended purpose without adverse side-effects and then put in place on the systems. |
| Database Sabotage | Appending valid SQL commands to various parameters to execute arbitrary database native code | All customer-facing data is compared to explicitly allowed input formats that prevent arbitrary strings from being appended to SQL calls to the database. This removes the ability of any user to sabotage the database or gain unauthorized privileges. |
| Backdoor and Debug Options | Exploiting functions intended for development, testing, and debugging that haven't been removed prior to production | All software on ESP systems is developed by seasoned professionals according to a stringent coding specification that leaves no room for back doors or debug options. Additionally, peer code reviews are performed on a regular basis to prevent single person errors from creeping into individual programs or the overall system architecture. |
| Data Encoding | Disguising attacks by using alternate encoding methods | Specific encoding formats are enforced on the web server and on each page sent to the users. Pages with alternate encoding strategies are not accepted by the applications. |
| Protocol Piggybacking | Modifying the application protocol structure – typically inserting additional headers to give packets explicit permissions that were never granted by the secure architecture | The ESP systems use only a single protocol and do not rely on extensions for authentication or authorization. No additional headers are parsed and no reliance on these technologies makes the ESP a secure solution. |
| Third-party Misconfiguration | Exploiting an insecure, default, or poorly configured server | The ESP Group has a very mature configuration management system. All systems are built to a stringent security standard, all modifications to the systems are tracked on a file system integrity checker, and all modifications must be known and approved. In the event that a modification shows up that is not known or approved, the system is imaged for evidence, the problem is identified, then rebuilt from a trusted source and the last known “good” data set is used to put the system back into production. Sniffers are then placed on the system to watch for unexpected activity. The ESP Group uses mature products that have a history of attention to security. By using products that have few if any security issues, the possibility of misconfiguration or bad default configurations is radically reduced. Additionally, we perform all custom installations, never a default installation – this prevents the typical default problems that cause most systems to exhibit vulnerabilities. |
