Information technology has become an invaluable business tool around the world. With it, businesses, the traditional kind and those that operate over wires (and wirelessly), including law firms, are able to increase efficiency and lower costs. After all, information technology is the gateway to one of the e-commerce sector's most important assets: Information.
But what happens when information cannot be trusted? When it is vulnerable and exposed to Internet threats?
When information is secure, it is trustworthy; anything less than that, and it simply loses its value.
And then there's availability. To be useful, information must be accessible to the right people at the right time. Information that is secure and available does more than simply boost the bottom line. It also protects a company's brand, productivity and reputation.
Ensuring the integrity of information is a balancing act that requires organizations to understand their information technology (IT) environment, act to protect it and control it on an ongoing basis.
Information and Technology
Many industries have embraced IT wholeheartedly, and that's not surprising, considering the benefits it has brought in terms of efficiency and speed.
Years ago, word processors replaced typewriters, enabling professionals and tradespeople to quickly produce written documents. Next came computer networking, which gave various professional and trade sectors a central repository for accessing and storing documentation on every matter from the convenience of a desktop. Combined with database-management software that can instantly find any document with the click of a mouse, networking eliminated the cumbersome and error-prone process of manually managing the considerable volumes of material that accompany a typical legal case or the maintenance of e-business records.
Then came e-mail and document scanners, which allowed the working world to make the quantum leap from a paper-based workplace to a virtually paperless environment. This, in turn, obviated the need for apportioning large percentages of costly real estate to document storage.
The Internet was next, dramatically leveling the business playing field by offering quick online access to information of all types that until then was stored in files and libraries and other facilities, and that required personnel and other overhead to maintain and manage. In the legal profession, large firms that could access databases remotely or that they built and maintained themselves had an advantage over smaller firms that relied on county or private law libraries for research. Also, as the cost of online research services dropped dramatically, even sole practitioners could have vast virtual libraries at their fingertips.
Of course, this increased reliance on technology isn't without risk. Today's Internet landscape is riddled with threats that aim to jeopardize the security and availability of information.
Threats and Vulnerabilities
A decade ago, traditional viruses were the primary danger associated with computing and sharing information via computers. Not so today. According to the most recent Internet Security Threat Report from information security provider Symantec Corp., malicious code now aims to steal confidential information through a variety of means. Threats with the potential to expose confidential information have continued to increase since 2003. Between July 1 and Dec. 31, 2004, such threats represented 54% of the top 50 malicious code samples the company received, up from 44% in the first half of 2004, and 36% in the second half of 2003. Information exposure threats can be present in almost any type of malicious code, including Trojan horses, worms, viruses and backdoor server programs.
Then there's phishing. In phishing scams, attackers try to dupe users into divulging confidential information such as passwords, credit card numbers and other sensitive data. Unfortunately, they're often successful; from May 2003 to May 2004, U.S. banks and credit card issuers lost an estimated $1.2 billion to phishing scams.
What's more, many of today's confidential-information threats arrive unsolicited via e-mail in-boxes. Spam is no longer just a nuisance. It has become the vehicle of choice for launching phishing attacks and delivering Trojan horses and viruses. Also, high volumes of spam can create denial of service (DoS) conditions that overload e-mail systems and prevent legitimate mail and network traffic from getting through. Spam made up more than 60% of all e-mail traffic during the last half of 2004.
That's not all. Vulnerabilities in popular software applications are being disclosed at an alarming rate. Vulnerabilities are design or implementation errors in information systems that can result in a compromise of the confidentiality, integrity or availability of information stored on or transmitted by the affected system.
During the second half of 2004, an average of 58 new vulnerabilities were disclosed per week. Worse yet, 97% of vulnerabilities disclosed were rated as moderately or highly severe, and 70% were considered easy to exploit. And the time between the announcement of a vulnerability and the release of an exploit for that vulnerability is, on average, a mere 6.4 days. The message for IT administrators is that they have their work cut out for them as they struggle to identify and patch vulnerable systems before those systems are compromised.
Faced with such challenges, many organizations resort to installing more software, often products that promise to eradicate or at least reduce their susceptibility to a portion of these threats. But such a solution represents yesterday's answer to the problem. Today's more complex challenges require organizations to take a more sophisticated and innovative approach to information integrity, one that enables them to create the resilient IT infrastructure they need to protect the security and availability of the data they rely on every day.
A Flexible, Formidable Framework
A resilient infrastructure is built on a framework that provides a highly coordinated and prioritized strategy aimed not simply at protecting devices, but also at safeguarding information. It requires the integration of technologies, processes and policies that are traditionally viewed as separate and isolated components of a typical IT environment. In a resilient infrastructure, security management is tightly linked with device, systems and network management, while intelligence on external threats is combined with internal infrastructure knowledge.
To build this framework, organizations must understand and define their environment, assessing risks against the latest vulnerabilities, exposures and threats. Identifying risk requires organizations to evaluate what is at risk and why it is at risk, with the goal of singling out the 20% of risks that have 80% of the potential impact.
Risk analysis is next, wherein the organization assesses the probability that risks will occur, gauges their potential impact, and then determines the appropriate response to each risk.
They also need to detail which systems are authorized and connected to the network, which applications are deployed, and which personnel are logged on. They must understand the status of their patching efforts, and know whether system and data backup procedures are being followed.
Next, organizations must act to protect their information assets and minimize the risk of disruption. Information must be shielded from attacks, threats must be mitigated and errors must be fixed, even as organizations also ensure recovery from security incidents that do occur.
To that end, organizations must keep critical systems up-to-date, in compliance with relevant industry and government regulations, and they have to keep these critical systems restorable. Devices, applications and networks must be protected against emerging threats, and new technologies and processes must be easily integrated into the existing infrastructure.
Finally, organizations must be able to control their IT resources to prevent disruptions, reduce downtime and extend their capabilities. This requires organizations to understand the external threat environment as well as their own internal security posture. Remediation capabilities have to be in place to automatically deploy software and content updates and patches when a threat or vulnerability is discovered. Asset-management capabilities must also be implemented to ensure prioritized remediation, and selective restore capabilities must be in place to recover critical assets quickly and efficiently.
Competitive Advantage
Having a resilient infrastructure that balances information security with information availability delivers significant benefits to organizations. Information integrity increases operating margins by lowering costs, minimizing disruptions, improving operational effectiveness and reducing unit costs.
Information integrity also extends the efficiency of assets by reducing vulnerability and complexity, and by decreasing reactive problem solving. It increases the lifetime value of existing assets and enhances revenue growth by protecting and strengthening brand and reputation, helping attract and retain customers, and improving customer satisfaction.
Information integrity also improves expectations by boosting employee, partner, customer and investor confidence as well as by enhancing accountability and governance.
Back to the Desktop
The value of balancing information security and information availability is not likely to diminish any time soon. Threats to information continue to evolve as attackers leverage new hacking tools and methodologies to exploit mainstream software.
For most organizations, the focus on security strategies has been on the network perimeter, including servers, firewalls and other assets with outward-facing exposure. But as administrators have become more effective in establishing and adjusting security network perimeters, attackers have shifted their attention to vulnerable user desktops.
Indeed, a common threat that continues to warrant warnings from security experts is attackers' increased targeting of client-side exploits to compromise the integrity of information and information assets. Client-side vulnerabilities are directed at the computer systems of an organization's individual users rather than at its servers. They aim at applications such as Web browsers, e-mail clients, peer-to-peer networks, instant messaging clients and media players. Client-side vulnerabilities are often the result of logic errors or flaws in access-control systems, and they are frequently easily exploitable, particularly in browsers.
Among the vulnerabilities found on these systems are Web browser weaknesses, and not just in Microsoft Internet Explorer. During the last half of 2004, 21 vulnerabilities affecting the Mozilla browsers (Mozilla and Mozilla Firefox) were disclosed. That's up from just one over the previous 6-month period. And 13 vulnerabilities affecting Microsoft Internet Explorer were disclosed, up from three documented during the previous 6 months.
By exploiting a single vulnerable workstation through a universally exploitable client-side vulnerability, attackers can penetrate the target organization from outside its perimeter defense.
Clearly, ensuring the integrity of information in the digital age is a serious challenge. However, by building a resilient IT infrastructure that leverages integrated security and availability technologies along with appropriate best practices and policies, organizations can have a flexible yet strong operating environment that preserves business continuity while enabling them to grow into new, profitable markets and services.
Shaun Catlin is a systems analyst at Ford & Harrison LLP, a national labor and employment-law firm based in Atlanta that has more than 140 lawyers in 15 offices. The firm represents employers in labor, employment, immigration and employee-benefits matters, including litigation, in issues involving national and international jurisdictions. Clients range from Fortune 500 corporations to midsized and smaller businesses. Ford & Harrison is on the Web at www.fordharrison.com.