How one company stays safe with two networks

Cryptography Research dodges computer attacks by having employees do Web surfing and e-mail on one network and sensitive work on another that's not connected to the Internet.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Paul Kocher, founder and president of Cryptography Research, and Tory Kallman, director of information technology, in front of Kocher's collection of antique encryption devices. James Martin/CNET
At Cryptography Research, the key number is two. There are two separate computer networks, two different systems on every employee's desk and twice the normal number of servers storing data.

To keep attackers away from its crown jewels, the company runs two separate, unconnected networks: an A network for sensitive data and core engineering work that has no connection to the Internet at all, and a B network used for e-mail, Web surfing and other Internet activities.

"We built the networks out at least 10 years ago as soon as we started getting really sensitive client data," said Paul Kocher, founder and president of Cryptography Research. "We had to decide whether to secure the infrastructure that was connected to the outside, or to build a parallel system. We have been repeatedly thankful we did what we did and have never looked back."

That move has spared Cryptography Research the twin headaches most companies face: hardening an Internet-connected corporate network, and cleaning up when it is breached anyway. With employees visiting all manner of Web sites that could be hiding malware and opening attachments that install Trojans designed to steal information and take over computers, security is a constant worry for a network that does both kinds of work at once.

Companies are particularly vulnerable to targeted attacks in which e-mails are sent to key employees with access to source code and other sensitive information. One carefully worded e-mail to the right person and attackers can turn the recipient's computer into a doorway to every system and data store that computer can reach, which on a single flat network means most of the company.

Google, Adobe Systems, and Intel were among more than 30 companies that were targeted by just such attacks last year. For its part, Google said that intellectual property was stolen and that separately Gmail accounts of human rights activists were targeted. Saying the attacks appeared to originate in China, Google eventually made good on its threat to stop censoring its search results in China and last week moved the search site for that country to Hong Kong.

Cryptography Research, which offers encryption technology used to combat fraud and counterfeiting, is located in a high-rise overlooking busy Market Street in downtown San Francisco. There may be lava lamps and ping pong tables at places like Google and Microsoft, but Cryptography Research has a collection of antique cipher devices including an original Enigma machine and eye scanners at the doors to server rooms.

Tory Kallman demonstrates the eye scanner that permits him access to Cryptography Research's server room. James Martin/CNET

Every engineer's desk has a laptop on it for Internet activities and a desktop computer for working on corporate and customer data and critical engineering tasks. There are about 50 employees but not everyone needs access to the A network.

The Internet-connected laptop is treated like any typical corporate system and secured with standard antivirus, firewall, and other security software, said Tory Kallman, director of information technology at Cryptography Research.

E-mail is given special treatment on the Internet-connected network. "On the B network, all the e-mail is popped off the server and stored on a local encrypted hard drive, so if the computer is stolen or access gained, there would not be a way to get to the data without the private key," he said.

The A network desktop systems are secured with antivirus and firewalls, but there are no dedicated hardware firewalls guarding against outside intrusion, since there is no outside connection to guard; each machine runs only a host-based firewall, according to Kallman. Both networks require a user name and password for access.

On the isolated A network the engineers use Virtual Network Computing (VNC), a remote-desktop protocol, to open a desktop session that runs on the company's development servers. They sit at their own desks, but their development environment, and the data it touches, lives on a centralized A network server, and the VNC traffic never leaves the isolated network.

When employees need to send sensitive information to clients, they encrypt it using PGP, copy the encrypted file onto a flash drive, carry it to a B network machine and send it via e-mail, Kocher said. The customer then decrypts it and reads it. If the customer doesn't use encryption, the data is sent via FedEx or some other offline route, he said.

"For our more paranoid customers, they will have a similarly disconnected network and we will share (encryption) keys back and forth, encrypt the data, transfer it to the B network and they will put it on a flash drive and move it to their private network and decrypt it," Kocher said.

After each use the flash drives are wiped clean, according to Kallman.
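A practitioner setting up this hand-off would want a check at the point where a file leaves the A network: before anything is staged for the flash drive, confirm that it actually parses as an OpenPGP encrypted message (RFC 4880), so that a plaintext file, or a message that was signed but never encrypted, cannot ride the sneakernet onto the Internet-connected side by mistake. The script below is an added example and is not Cryptography Research's own tooling; it walks the packet structure of an OpenPGP message (both old- and new-format packet headers, and ASCII armor) and accepts only a session-key sequence followed by a single integrity-protected encrypted-data packet. The sample messages it checks are constructed byte strings that mimic the packet layout and contain no real ciphertext.

```python
"""Gate for the A->B hand-off: a file may be staged for the flash drive only if it parses
as an OpenPGP *encrypted* message (RFC 4880). Added example, not Cryptography Research's
own tooling; the sample messages below are constructed and carry no real ciphertext."""
import base64

# RFC 4880 section 4.3 packet tags the check cares about
PKESK, SKESK = 1, 3                 # public-key / symmetric-key encrypted session key
SED, SEIPD = 9, 18                  # sym. encrypted data without / with integrity protection
ONE_PASS_SIG, SIGNATURE, LITERAL = 4, 2, 11   # seen in signed-only or plaintext messages


def dearmor(text: str) -> bytes:
    """Strip 'PGP MESSAGE' ASCII armor (RFC 4880 section 6.2) and return the packets.
    'PGP SIGNED MESSAGE' armor wraps cleartext, so it deliberately fails here."""
    lines = [l.strip() for l in text.splitlines()]
    if "-----BEGIN PGP MESSAGE-----" not in lines:
        raise ValueError("not a PGP MESSAGE armor block")
    body, in_headers = [], True
    for line in lines[lines.index("-----BEGIN PGP MESSAGE-----") + 1:]:
        if in_headers and (line == "" or ":" in line):  # 'Key: value' headers end at a blank line
            in_headers = line != ""
            continue
        in_headers = False
        if line.startswith("-----END"):
            break
        if not line.startswith("="):                     # '=XXXX' is the CRC-24 line, not data
            body.append(line)
    return base64.b64decode("".join(body), validate=True)


def iter_packets(data: bytes):
    """Yield (tag, body) per packet, handling old/new headers and new-format partial body
    lengths (RFC 4880 section 4.2). Raises ValueError/IndexError on malformed input."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos, body = pos + 1, bytearray()
        if ctb & 0x40:                                   # new format: 6-bit tag
            tag, partial = ctb & 0x3F, True
            while partial:
                o1, pos, partial = data[pos], pos + 1, False
                if o1 < 192:
                    length = o1
                elif o1 < 224:
                    length, pos = ((o1 - 192) << 8) + data[pos] + 192, pos + 1
                elif o1 == 255:
                    length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
                else:                                    # 224..254: partial body length follows
                    length, partial = 1 << (o1 & 0x1F), True
                body += data[pos:pos + length]; pos += length
        else:                                            # old format: 4-bit tag, 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate length: runs to the end
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
            body += data[pos:pos + length]; pos += length
        if pos > len(data):
            raise ValueError("truncated packet")
        yield tag, bytes(body)


def is_encrypted_message(blob: bytes, allow_legacy_sed: bool = False) -> bool:
    """True iff blob is an OpenPGP Encrypted Message (RFC 4880 section 11.3): zero or more
    session-key packets then exactly one encrypted-data packet. Tag 9 (no MDC) is refused
    unless allow_legacy_sed is set."""
    if blob.lstrip().startswith(b"-----BEGIN PGP"):
        try:
            blob = dearmor(blob.decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            return False
    try:
        tags = [tag for tag, _ in iter_packets(blob)]
    except (ValueError, IndexError):
        return False
    n_esk = 0
    while n_esk < len(tags) and tags[n_esk] in (PKESK, SKESK):
        n_esk += 1
    accepted = (SED, SEIPD) if allow_legacy_sed else (SEIPD,)
    return len(tags) == n_esk + 1 and tags[n_esk] in accepted


# --- constructed samples: only the packet structure matters, the payload is filler -------
def _old_packet(tag, body):    # old-format header, two-octet length (GnuPG still uses this for tag 1)
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def _new_packet(tag, body):    # new-format header, one- or two-octet length (bodies < 8384 bytes)
    n = len(body)
    return bytes([0xC0 | tag, n] if n < 192 else [0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body

_PKESK = _old_packet(PKESK, b"\x03" + bytes(8) + b"\x01" + (1024).to_bytes(2, "big") + b"\x5a" * 128)
SAMPLE_ENCRYPTED = _PKESK + _new_packet(SEIPD, b"\x01" + b"\x11" * 300)
SAMPLE_ARMORED = ("-----BEGIN PGP MESSAGE-----\nComment: constructed sample\n\n"
                  + base64.b64encode(SAMPLE_ENCRYPTED).decode() + "\n=AAAA\n-----END PGP MESSAGE-----\n").encode()
SAMPLE_LEGACY_SED = _PKESK + _new_packet(SED, b"\x22" * 40)
SAMPLE_SIGNED_ONLY = (_new_packet(ONE_PASS_SIG, b"\x03\x00\x01\x08" + bytes(8) + b"\x01")
                      + _new_packet(LITERAL, b"b\x00" + bytes(4) + b"customer design notes")
                      + _new_packet(SIGNATURE, b"\x04\x00\x01\x08" + bytes(60)))
SAMPLE_PLAINTEXT = b"customer design notes, never encrypted\n"
```

The check is structural, not cryptographic: it cannot tell whether the message was encrypted to the right recipient key, only that what is being copied is ciphertext and not a literal-data packet in the clear. Tag 9 is refused by default because it lacks the modification detection code that tag 18 adds; enable `allow_legacy_sed` only for a peer that genuinely cannot produce integrity-protected messages.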

The company's public Web server is hosted at a separate facility and holds nothing sensitive and nothing that connects back to the networks in the office.

More computers, less anxiety
But what about spies posing as delivery people or janitors? FedEx and other service personnel go to a locked elevator that is armed with an alarm system and use a call box to summon an administrator to pick up the package, and janitors do not work at night, Kallman said.

To thwart insider threats, the company conducts heavy background checks on potential employees. "We have rescinded offers based on the results of those checks," Kocher said.

The upfront costs are about double, for buying two systems and two software licenses for every desk, as well as separate printers for each network and double the wiring, said Kallman. But the security software costs are less than at other companies that are protecting their crown jewels from Internet-based attacks, he added.

"I have to manage twice as many computers but I don't have to spend time or money thinking about [public and/or exploited but unpatched] day zero security responses for our standalone network," he said. "I'm still securing the B network, but there's not as sensitive of information on it so I can sleep a little easier at night."

"I still have to patch the A network and make sure the security updates are installed," Kallman said, but because those computers are not connected to the Internet there is none of the urgency of racing attackers who are exploiting a freshly disclosed hole in software.

The engineers find it takes them a bit longer to share their work with clients because of the extra steps involved with flash drives and encryption. And there is no telecommuting allowed. But for Kocher and Kallman the trade-offs are worth it.

Paul Kocher views the two monitors on his A network computer where sensitive work is done. To his right are his laptop and a separate monitor for that computer, which is only used on the Internet-connected B network. James Martin/CNET

The setup worked like a charm in keeping pre-release copies of films such as 2004's "The Day After Tomorrow" from leaking to the public while Cryptography Research embedded security code into them as part of the authoring process for BD+, a component of the Blu-ray Disc copy-protection scheme. Cryptography Research developed the technology, which is designed to prevent unauthorized copies from being made, and sold it to Macrovision in 2007.

A large part of Cryptography Research's current business is designing antipiracy chips used in Pay TV devices.

What works for Cryptography Research won't necessarily work for everyone.

"Sometimes a big company will disconnect a group, like human resources, or a handful of people" to try to limit the impact from a network attack, said Kocher. "But a company like Google couldn't do this because they're all about being connected. You can't access Google services if you do this. Ours is the polar opposite of the cloud computing vision."