
Feature

posted 13 Mar 2006 in Volume 8 Issue 9

Facing the threat: IT security in a volatile landscape

In a business world that is increasingly reliant on the resilience of its IT infrastructure, firms need to identify, evaluate and respond to a variety of threats that could not only bring down the IT system, but damage productivity, profitability, client service and reputation.

When asked to write an article on business continuity, disaster recovery and IT security, it at first appeared to be too wide and disparate a topic. After much thought, though, an alternative title came to mind that encapsulated all of the above and was much easier to digest: threats and responses. The purpose of this article is to analyse how to identify threats, evaluate their risks and prepare appropriate responses to offset business risk.

Business is all about risks. Risks are also endemic and it has often been said that a business that avoided all risks would soon go bankrupt, due to the excessive costs of its product or service.

The aim here is to address each risk, fix those that are thought essential and risk those thought acceptable. IT risks are essentially no different, though their technical nature can make them more challenging to address and understand.

I will attempt to identify likely threats (and some that might be less obvious), offer a method of addressing these threats and finally propose suggestions for best-practice systems.

Natural risks

This is not restricted to ‘Acts of God’, but encompasses any accident beyond normal human control and without malice on any part. These threats are also more global in operation, in that they not only threaten your IT, but everything else as well. When identifying natural risks to a firm or a single property, it is essential to think laterally rather than concentrate on the obvious. For example, the risk of flooding may not look relevant if rivers are some distance away, but many new buildings have their heating and cooling plant in the roof space containing many large diameter pipes. A deluge from the roof will flood the entire building and will usually end up in the computer room on the ground floor. Other natural risks are:

  • Fire – Check your building design, as modern buildings tend to restrict fires to one floor. Remember that this might be the one containing your server room;
  • Wind damage – I have avoided reference to the word ‘hurricane’ as the actual definition of the storm in 1988 is still under doubt, but the resultant damage was indisputable. Scientists are warning that one consequence of global warming will be the greater incidence and severity of storms.

There are four points worth noting on the likelihood of natural threats:

1. Think creatively. Things might not be what they seem;
2. Things change. Something of low risk today may become high risk in years to come;
3. If risks are building specific, remember to reappraise your threat analysis if you move;
4. Disasters happen somewhere in the world all the time – one day it might be your turn.

Human threats – non-malicious

In this category come all the mistakes, losses and damage caused by staff operating with possibly the best of intentions but with sometimes catastrophic results:

  • Forgotten passwords – probably the bane of the IT department. The more complicated the password and the more often it has to be changed, the greater the likelihood of it being forgotten (or of it being written down and stuck on the computer, raising the potential of more malicious outcomes);
  • Deleted files – many people ring IT asking if they can magically recover a file lost from a momentary lack of concentration;
  • Deleted e-mails – this will be discussed in more depth but for now it is worth noting that unless a lot of money is spent on a complex solution, then e-mails are very difficult to restore;
  • Forgotten hardware – lawyers love their gadgets, be they BlackBerries, digital-dictation devices, RSA fobs, etc. The financial loss may be relatively low – though a lost laptop might be of slightly more significance – but all may result in loss of confidentiality. Less critically, what will the fee earner do if off-site and now lacking some essential piece of equipment? It is a sad fact that the more technology is used to improve efficiency, then the greater the possibility and significance of problems arising if the technology is lost;
  • Home computers – like many industries, law firms are coming under greater pressure to offer more flexible working. This puts great pressure on IT departments to offer some form of home working, much of it on the home computer. In theory, this is a simple idea, but it is beset by difficulties with the increasing number of security features in software such as Windows XP Service Pack 2 or the Firefox browser, which may keep out hackers, but might also stop your own software working;
  • Government legislation – badly worded legislation with inadequate consultation with industry experts has led to new requirements on IT, with little advance notice and major financial costs. This paper does not attempt to tackle this issue, but some firms in the US have been required to locate and list all e-mails referring to an individual; costs to produce this seemingly simple requirement have run into six figure sums;
  • E-mail – e-mail is almost a threat in its own right, the reasons for which are explored below.

The threat of e-mail

In most firms, e-mail was never a properly planned and implemented project. It was often seen as a good idea and put together quickly on less than ideal hardware.

Most firms would now, if questioned, put e-mail as one of their highest priority systems. Instinct, however, often treats the system as a lower priority, so it does not attract high-priority spend.

In addition, e-mail systems were designed to pass e-mails between computers. Since then, they have taken on a mass of additional roles, many of which they handle very poorly:

  1. E-mails are stored on the system. Storage is private (making collaboration difficult) and the organisation of that storage is decided by the user. Systems vary from highly structured folders to simply keeping everything in the inbox (17,000 e-mails is the highest I have seen to date, but I am sure there will be worse examples);
  2. E-mail archiving and deletion are also often decided by the user, which leads to massive variation in how easily specific e-mails can be found on demand;
  3. E-mail also becomes a document store. Again, storage is private, unstructured and can result in massive amounts of e-mail storage with commensurate costs, making it much harder to find e-mails when required. Most firms now keep outgoing documents three times: on paper in its file storage; electronically in its document store; and as an attachment to an outgoing e-mail. Software exists that can move documents from the e-mail store to a cheap file server leaving behind a link to the document. These are well worth investigation;
  4. Systems also provide calendar functions, task lists and contacts information, which may or may not be shared properly with other staff.

Human threats – malicious

These are the most acknowledged of threats and regularly grab the headlines. The essential difference is the intention to cause damage. This may be a repeated attack with the attacker trying to use all their knowledge to overcome your defences. They are also the most likely to occur.

The most likely threat comes from employees moving to new employment, and attempting to take with them your precedents or your client list. Neither causes harm to your systems but may damage your future profitability.

On the other hand, employees who leave on less than friendly terms are a major threat to your systems. They have knowledge of your IT and possibly a method of logging in. It is essential that user accounts for leavers are disabled, that leavers hand back their front-door key (or any copy they may have made), and that other staff (especially in a large firm) are aware that they should no longer be afforded access. There is great value in a formalised leaver’s procedure.

Spam

More than 60 per cent of e-mails every day are spam messages. If all such e-mails were passed to fee earners it would result in a considerable amount of lost fee-earning time. If all is stopped externally then there is the concern that real e-mails may also be lost. A central quarantine, however, would probably swamp your IT staff every day. A possible solution is one of tiers:

  • Known spam stopped externally under contract (MessageLabs, Postini etc). Probable spam forwarded to a central e-mail box checked by IT staff;
  • Possible spam sent to users but in very much smaller numbers;
  • White lists to mark all e-mail from specified client addresses as legitimate.

Viruses

Virtually all viruses are now e-mail borne. It was recently reported that the 100,000th virus had been identified and some 25-50 new e-mails or variants are identified daily. A single virus-protection program is no longer sufficient to protect a network. These rely, traditionally, on a library of known viruses and will let through anything they do not recognise.

The new threat is the ‘day zero’ virus. An example was the recent Nyxem virus. This was first seen around 6pm on 15 January 2006. The first library fix for the virus was at 9am the following morning, by which time over 5,000 PCs were infected. Heuristic scanning is now an essential addition, as this looks for behaviour that matches other viruses and then quarantines anything considered potentially harmful.

Spyware

Generally most spyware does not do real harm but will decrease fee-earner productivity and cause a burden on your IT in removing spyware from computers.

New threats

Never be complacent. All you can ever say about the most successful IT system is that it is secure today. A few new concerns are:

  • Cross-over threats – a classic example is a virus that can be picked up on a PDA with absolutely no effect whatsoever, but as soon as that PDA is docked to a PC then the hostile payload is released and, thus, onto the whole network;
  • Voice over IP telephony – short of intercept, telephones have never been seen as a major problem. IP phones, however, are computers in their own right and a number of security bulletins have already been released;
  • Bluetooth – this has now moved into PDAs and even laptops. If computers are badly set up, then someone hacking into a Bluetooth connection might be able to relay to the actual computer network.

Calculating the response to threats

Having identified all the potential threats to the firm the next stage is to evaluate each of those threats by asking questions, such as: what is the likelihood of the threat and what will be its expected impact – financial or credibility loss? And if you decide to address the threat, will you attempt to stop it happening, or fix it if and when it happens?

Deciding whether or not to cover the threat is a crucial point. Successful risk management involves taking some risks.

The cost of addressing every potential risk would not be effective, so some risks must be accepted. Of course, a low-cost, low-probability risk is an excellent candidate to ignore, but so might an extremely high-cost risk if the probability of the event is very low, especially if the cost of covering the risk is prohibitively high.

Assuming you are not simply going to run the risk, then there are two options open: to avoid it happening (either permanently by removing the threat or by providing redundancy of systems); or to add it to the business-continuity plan. Two points are of special interest:

  • Once the threat has been identified and acted upon, revisit your assessment regularly;
  • Whatever happens on the operational side of figure three is hidden from your clients; you must appear to be running perfectly. Once you are forced to the business-continuity side, then your performance will be exposed. Evidence from the 9/11 attack showed that some companies with a disaster plan still went bankrupt when that plan was found wanting. It is no longer sufficient simply to sign up to a disaster contract – there must be a detailed plan in place that involves your clients at all stages.

Threat responses

In a paper of this length it would not be possible (or correct) to offer solutions to any potential threat. Rather, it is worth highlighting two areas and illustrating how an issue might be tackled.

E-mail/HTML threats

These threats include spyware, viruses, spam and improper content. Also important is ensuring legislative compliance, as well as continuity of e-mails. These are complex threats and are mostly malicious, so it can be expected that the threat will be dynamic.

The best solutions to these threats are security in depth and maximum redundancy:

  • External protection. Companies such as MessageLabs and Postini offer an external service to check mail and internet access for viruses, spam and content (such as pornography). Although an ongoing P&L cost, they offer a superb first line of protection;
  • Firewall. The internet gateway must be protected by an adequate firewall to keep out hackers. Better still are two firewalls, each with their own internet connection, so that the likelihood of loss of service is dramatically diminished. Many modern firewalls also offer anti-virus, anti-spam and anti-spyware options though their performance is variable;
  • Internal content filter. This permits a second level of control especially for spam and content so that uncertain mails may be let through the external protection and be available to inspection. Again, duplication of systems is highly desirable;
  • E-mail server. Redundancy at this stage is now becoming an absolute requirement. Larger businesses deal predominantly by e-mail and being down for anything more than minutes is no longer an option. This is also the best location to commence internal virus filtering, due to the mass of e-mail viruses now live;
  • Compliance back up. As e-mails become more essential and with the growing raft of legislation, it will be necessary not only to disclose any and all e-mails pertaining to a person or matter, but to be able to do so in a form with evidential weight.

Since personal e-mail stores are not dependable, then every e-mail sent or received (internally or externally) needs to be separately archived.

Preferably, archived items should be digitally signed to prove in the future that not only was this e-mail archived at the specified date and time but that the record is still exactly as it was at the time.
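The sealing described above can be sketched as follows. This is an added example, not part of the original article: each archived e-mail is bound to its archive time and to the previous record, so a later change to content, date or order is detectable. It uses HMAC-SHA256 from Python's standard library as a stand-in for a true digital signature; the key, function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real archive would use a private signing
# key or a trusted timestamping service kept outside the mail administrators' reach.
ARCHIVE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # 'previous seal' value for the first record


def seal(raw: bytes, archived_at: str, prev_seal: str) -> dict:
    """Bind message content, archive time and the previous seal together."""
    body = {"sha256": hashlib.sha256(raw).hexdigest(),
            "archived_at": archived_at, "prev": prev_seal}
    payload = json.dumps(body, sort_keys=True).encode()
    body["seal"] = hmac.new(ARCHIVE_KEY, payload, hashlib.sha256).hexdigest()
    return body


def archive(messages):
    """Seal (raw_bytes, timestamp) pairs into a chained journal."""
    journal, prev = [], GENESIS
    for raw, archived_at in messages:
        record = seal(raw, archived_at, prev)
        journal.append(record)
        prev = record["seal"]
    return journal


def verify(journal, stored):
    """Return indexes of records whose content, time or position has changed."""
    if len(journal) != len(stored):
        raise ValueError("journal and message store differ in length")
    altered, prev = [], GENESIS
    for i, (record, raw) in enumerate(zip(journal, stored)):
        expected = seal(raw, record["archived_at"], prev)["seal"]
        if not hmac.compare_digest(expected, record["seal"]):
            altered.append(i)
        prev = record["seal"]
    return altered


# Constructed sample messages and archive times.
MESSAGES = [
    (b"From: a@example.com\r\nSubject: Draft lease\r\n\r\nSee attached.", "2006-03-13T09:00:00Z"),
    (b"From: b@example.com\r\nSubject: Re: Draft lease\r\n\r\nAgreed.", "2006-03-13T09:05:00Z"),
    (b"From: a@example.com\r\nSubject: Completion date\r\n\r\n31 March.", "2006-03-13T09:20:00Z"),
]
JOURNAL = archive(MESSAGES)
```

Removing records from the end of the journal is only detectable if the most recent seal is also recorded somewhere the archive operator cannot alter.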

Back-up and restore

Traditionally this has been considered a fairly unimportant aspect of IT and many sites can be tempted just to write everything to tape and leave it at that.

Nowadays, however, the system is required to do far more. Data-storage amounts are rising year on year. Increases of 200 per cent per year are not uncommon. This means a one gigabyte (GB) store in 2005 will be 243GB in just five years.

Data is the bedrock of a law firm so it must be available. Complete reliability (or 99.999 per cent) is the target to avoid costly downtime.

Do not think ‘back-up’ but think ‘restore’. When files are lost, how quickly can the latest copy be restored? It is now relatively cheap to back-up to an array of inexpensive hard disks with software backing up at each data change so nothing will be lost.

Use your geographical advantages. If you have two or more sites, then duplicate data between them on the basis that only a truly catastrophic disaster will result in data loss.

If you have a designated disaster site, back-up to it during the day. If this is also a disk-based back-up, the restore time can be massively reduced so key systems can be restored very quickly. Better still, add an additional server (domain controller for Windows networks), which will be kept up to date with user accounts, passwords etc.

This will save a major task on arrival at the disaster site.

A considered approach

While it has been impossible to completely cover such a key area of IT in a single article, it is hoped that the information will be valuable to any firm looking at disaster planning.

In conclusion, remember to think widely and laterally when considering potential threats; risks have to be taken to remain competitive; and while redundancy of equipment is expensive, it may be cheaper than relying entirely on a disaster plan that may be found wanting.

Greg Taylor is IT manager at Ward Hadaway. He can be contacted at greg.taylor@wardhadaway.com

Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.