Phishing, spear phishing, whaling—no, you haven’t started reading an article on maritime law by mistake. Those are just some of the terms describing types of recent e-mail attacks that lure recipients into divulging private information, such as passwords that could be used by hackers to access bank accounts or business computer networks.
Damage from those types of attacks can be limited by educating users, but other kinds of attacks are less visible—but no less prevalent or potentially dangerous to the security of an association’s network.
“There’s no way anything is completely secure. Where there’s a will, there’s a way,” says Rick Loomis, director of information systems for the Oklahoma Bar Association.
But bar associations can adopt strategies and precautions to reduce the likelihood of having unauthorized visitors snooping around, according to Loomis and other IT experts.
“You typically want to approach the problem with a ‘defense in depth’ strategy,” he says. That approach involves using constantly changing methods of defenses in multiple layers to deal with potential threats.
“You want to isolate the things that need to be publicly accessible from the rest of the network as much as possible,” he advises. “If someone breaks into the publicly accessible part, they either won’t be able to go any farther, or it will take longer to get to your network—and hopefully, you will have discovered it by then.”
Loomis breaks down the tools often used for these purposes into two general categories: intrusion protection systems that look for signs of an attack and attempt to block it, and monitoring systems that look for suspicious network activity that could be the warning signs of an impending attack. System-monitoring tools either match suspicious activities against a database of known threats or look for generally suspicious behavior that may indicate an as-yet uncatalogued threat.
Systems alert! Lock down!
The OBA has installed a system that looks at the log files for various pieces of equipment—servers, firewalls, routers, and so forth—and analyzes them to determine if anyone is trying to break into the network. Repeated attempts to access areas that are not part of normal activity are warning signs that a break-in attempt may be occurring. The OBA system can help alert Loomis to that threat.
When the system that the bar purchased was delivered, it was completely “locked down,” meaning the bar’s staff could not access anything on their computers until IT had configured the software to permit the applications that staff members regularly use. A completely locked down system is obviously secure, but it also means people won’t be able to do their work. The organization using such a system must spend time determining which parts to unlock.
“There’s always that balance between locking it down too much and being secure, and being more open and letting people do what they’re supposed to do, but being less secure,” Loomis notes.
The OBA has defined different categories of users who receive different levels of access to applications, depending on their job functions. A user who needs access to other functions must go through the IT department.
Safety: Everyone’s job
While IT staff does its part to keep the network safe, responsibility also falls on all employees who use the system’s computers, says Catherine Sanders Reach, director of the American Bar Association Legal Technology Resource Center.
Techniques such as phishing work only if the recipient of the bogus e-mail acts on the message it transmits. While most people have learned to ignore the communiqués from banks and other institutions telling you to click on a link to update your account (phishing), more recent insidious attacks have not been as widely publicized. Examples include an apparent request from a department in your organization (spear phishing) or a fake subpoena or invoice directed at the head of a company (whaling). These attacks fall under the category of “social engineering” because they rely on someone who unknowingly gives out private information. They are often the most successful route for a hacker to follow.
“You need to make sure that your staff is trained and up to date on what to look for. If it sounds too good to be true, it is,” warns Reach. “Don’t open any e-mail attachments if you’re not sure of what they are and where they came from.” Just because an e-mail attachment came from a member does not guarantee its safety, she adds.
Many organizations are using some sort of spam filter and firewall to screen incoming e-mail, Reach notes. This is often best done by screening e-mail at the server level before it reaches the staff member’s in-box so that potential threats can be caught before they are opened and activated.
Reach advises bars not to use e-mail to obtain credit card information from members. While it’s possible that the information could be intercepted on its way to the association, Reach says she is more concerned that the e-mail may be forwarded to different e-mail boxes and therefore have more potential places where it could be accidentally revealed.
With the increased use of laptops, smart phones, and other mobile devices comes a greater need to protect an association’s data, she says. If a laptop or thumb drive is stolen, all of its information can be read by the thief unless it is protected by a password or encryption. Some high-profile cases involving Social Security numbers and other confidential information have received widespread publicity.
Doing nothing is expensive
Handling security has become an increasing part of most bars’ budgets. Even smaller bars that don’t have an IT staff should outsource security functions, recommends the OBA’s Loomis. “Security permeates everything,” he says, noting that at least some of his activities each day are security related.
Part of that work involves keeping up to date on the latest threats and ensuring that his systems have the most recent versions of software protection. “The hacker community has a subculture of people sharing information on what holes exist and how to attack different systems,” he explains. “One of the best things you can do is to keep everything patched and up to date, including the operating systems, Web servers, and other software that you’re using.”
Loomis believes it is important to apply patches as soon as possible after testing them first to make sure that they don’t cause unintended problems for other parts of the system.
People outside the IT field are often surprised to know how often potential intruders are attempting to learn about a typical network and its vulnerabilities. “If you look at firewall logs, there are constant attempts to do something,” Loomis says. “Sometimes it might just be an attempt to map your network and see what might be interesting to a hacker,” as opposed to an actual attack.
Loomis doesn’t believe the attacks or probes he has seen are directed specifically at the OBA. Rather, because all entities on the Internet have an assigned numerical address, hackers often program their computers to look at addresses sequentially, catalogue any vulnerability, and move on to the next address.
In most cases, if a hacker were to get into the typical association’s network, few “corporate secrets” are likely to be exposed. But if a bar’s Web site conducts e-commerce through credit cards, Loomis says, there is the potential for exposure of credit card information about its members.
For this reason, the OBA doesn’t store credit card information from its customers. The numbers are deleted once the transaction is completed so an intruder would not be able to discover them. “Once we’ve got the approval and the transaction is done and over with, we don’t need the numbers anymore,” Loomis adds.
With all the potential threats to security, how do IT people keep their own knowledge up to date? One way to learn is through trade journals, such as Network World (www.network world.com), InformationWeek (www.informationweek.com), and Secure Computing (www.scmagazine.com). The ABA’s Reach finds the Security Watch section of PC Magazine’s Web site (http://blogs.pcmag.com/sec uritywatch/) to be useful as well.
Loomis also relies on counterparts who are fellow members of the National Association of Bar Executives, both through its Listserv for IT staff and interaction at NABE meetings. There is usually at least one seminar at the Annual and Midyear Meetings devoted to IT security, he says. (Note: For a recap of one such workshop, see “Web wizards share practical wisdom,” page 14.)
Loomis says he is fortunate that OBA bar leaders understand the importance of security and budget the appropriate level of money and staff time. “I’ve talked to people who have to fight that battle,” he notes, “and it’s a matter of ‘you can pay me now or pay me later.’ And sometimes when later comes, it’s really costly.”