Back in the old days of bar association computer networks (10 years ago), the biggest threat most bars faced to network security was if an employee inserted a floppy disk into a PC and accidentally introduced a file infected with a virus into the system. Firewalls and network virus protection software were rarely, if ever, used.
Not anymore. Although they generally aren’t targets on the scale of banks or large e-commerce Web sites, just by being always connected to the Internet, bars face a multitude of potential threats to the integrity of their internal computer networks. And without proper defenses, their systems would be open targets for those who look for vulnerable computers and networks.
“I’m sure it would be minutes before you’d be looking at things going down left and right because someone discovered that ‘Hey, this guy’s wide open,’ ” says Mike Miller, director of information systems for the Allegheny County (Pa.) Bar Association.
While no bars have reported security breaches on the level of those of governmental agencies and credit reporting agencies that have been in the news lately, all IT staff interviewed for this article recognize that the threat to their systems, and the data they contain, is real and continues to grow.
ACBA will spend about 25 percent of its IT budget on security-related purchases in 2006, Miller says. This includes new hardware and software to help safeguard the system. In 2005, the bar spent about 10 percent of its IT budget on security, mostly for software subscriptions to keep protection up to date.
In addition to the increased demand on time and resources that security requires, keeping safe also means that other projects may not receive the attention they need. “It’s a big enough part of the budget where you could say, ‘Well, if I didn’t have to do that, I could get something else,’ ” Miller says, noting that the bar may not be able to experiment with a new technology because of the need to provide proper security.
Threats from within
When speaking of network security, most IT staff break the problems into two areas of threats: external and internal. All recognize the very real threat of attack from the outside, but many IT staff members are more concerned about potential problems from within.
“The biggest challenge we have is keeping the staff up on internal policy,” says Lincoln Mead, IT administrator for the Utah State Bar. When the bar has had information- or data-related incidents, he explains, it’s been because of “a mistaken assumption by someone on our staff” that led to the accidental release of confidential information, such as a member’s home address or disciplinary information.
The fear of such accidental data releases is compounded by the increased mobility of the bar’s staff, as people take information with them on laptops or portable devices such as USB “thumb” drives. Mead has set up many of the bar’s PCs to not allow the thumb drives to mount on the computer, but other staff members’ PCs do recognize the drives, and allow information to be copied to them. For those employees, education about the dangers of mishandling the information is key. “There’s a large degree of trust with that,” Mead says.
Having proper policies and protocols to limit internal threats is also a big part of how the New York State Bar Association approaches network security, says John Nicoletta, the bar’s MIS director.
Nicoletta agrees with those who say the most likely threat to a system is from within, either from a disgruntled employee or a “clueless employee with access beyond his or her job responsibility,” he says. So his security efforts are more focused on the internal risks than the external ones.
What about hackers?
That allocation of resources is not without risks, however. “There are tons of hackers out there in the world, searching the Internet, looking for a system to break into,” Nicoletta says. “If they got in, they would be able to do far more damage than any disgruntled employee probably could do.” But the likelihood of someone succeeding with such a break-in is much higher from inside than outside, he notes.
In addition to hackers trying directly to break into a system, there are numerous other external threats to be concerned about. The biggest outside threats networks face today are “attacks against client applications such as mail readers and Web browsers,” according to Johannes Ullrich, chief research officer at the SysAdmin, Audit, Network, Security (SANS) Institute, an information and training resource focused on IT system security. These attacks often come in the form of an e-mail that contains either a malicious application or a link to a Web site that attempts to load such software onto the user’s computer, Ullrich says.
Defending against such attacks involves a multifaceted approach, since “there is no magic black box” that will keep an association free of risks. Some ways Ullrich suggests fighting intruders include: using virus protection software and keeping it up to date; installing software and/or hardware firewalls; having PCs run as users instead of administrators, which limits the ability of malicious software to be installed; monitoring server logs to try to notice attempts to break into your system; and providing “constant education” to users about the risks of inappropriate security behavior.
Probably the most serious loss for a bar association that suffers a security breach is the resulting loss of productivity, says Reggie Henry, chief technology officer for the American Society of Association Executives. “For most associations, we’re not going to be the subject of someone trying to break into the organization to get information. Most of the information we have is public information, and is available on the Web site,” Henry says.
More likely to cause an association problems, he says, is something like a denial of service attack, where hackers flood a Web server with so many simultaneous requests for information that the server is unable to process any legitimate requests.
Protecting against that productivity loss figures prominently in Utah’s security defense plan. Mead says the key is to have an effective disaster recovery plan in place for the organization’s data. “One of my biggest security issues isn’t ‘How can I protect my bar from intrusion?’ but ‘How can I make sure that my backups and my disaster recovery plan are responsive and flexible enough to deal with the inevitable intrusion?’ ”
Mead says there was a “spirited discussion” at the last NABE meeting he attended, about whether to put more money into security or disaster recovery. He believes it’s better to focus on the disaster recovery portion, since whether there is a malicious break-in or a natural disaster, having a proper, timely backup means the association will be able to resume work with minimal loss of time.
NABE’s recently created IT Section has joined forces with the Administrative and Finance Section to attempt to create ways bar associations could help each other with disaster recovery, Mead says. One proposal under discussion would have bar associations provide remote backup sites for each other, so one bar association could store encrypted backup data on a server residing in a different bar. This geographical separation is important protection against regional natural disasters or catastrophic disasters to a bar’s headquarters, Mead says.
IT SECURITY RESOURCES
Here are some resources for bar association IT staff (including the one- or two-person association staff) to learn more about security threats and how to deal with them.
NABE’s IT Section (www.abanet.org/nabe/it). A group of NABE members who are on their bars’ IT staff, and who have a Listserv and help keep each other up to date on IT security matters.
SANS (www.sans.org). A compendium of free security information available to read and/or download. Includes the Internet Storm Center (wwwa.isc.sans.org), which has up-to-date info on the latest threats and the attempts to fight them.
The Computer Emergency Response Team (www.cert.org). A federally funded research and development center operated by Carnegie Mellon University that focuses on identifying Internet threats.
The Computer Security Division of the National Institute of Standards and Technology (www.csrc.nist.gov). A more technically oriented site that offers guidelines on good security practices.