Locked Down
SHARON D NELSON, DAVID G RIES, AND JOHN W SIMEK
Commitment to Quality: The Law Practice Management Section is committed to quality in our publications. Our authors are experienced practitioners in their fields. Prior to publication, the contents of all our books are rigorously reviewed by experts to ensure the highest quality product and presentation. Because we are committed to serving our readers’ needs, we welcome your feedback on how we can improve future editions of this book.
Cover design by RIPE Creative, Inc.
Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only.
The products and services mentioned in this publication are under trademark or service-mark protection. Product and service names and terms are used throughout only in an editorial fashion, to the benefit of the product manufacturer or service provider, with no intention of infringement. Use of a product or service name or term in this publication should not be regarded as affecting the validity of any trademark or service mark.
The Law Practice Management Section of the American Bar Association offers an educational program for lawyers in practice. Books and other materials are published in furtherance of that program. Authors and editors of publications may express their own legal interpretations and opinions, which are not necessarily those of either the American Bar Association or the Law Practice Management Section unless adopted pursuant to the bylaws of the Association. The opinions expressed do not reflect in any way a position of the Section or the American Bar Association, nor do the positions of the Section or the American Bar Association necessarily reflect the opinions of the author.
© 2012 American Bar Association. All rights reserved.
Printed in the United States of America
16 15 14 13 12 5 4 3 2 1
Library of Congress Cataloging-in-Publication Data
Nelson, Sharon D.
Locked down: information security for law firms / Sharon D. Nelson, David G. Ries and John W. Simek.
p. cm.
Includes index.
ISBN 978-1-61438-364-2
1. Law offices—Computer networks—Security measures—United States. I. Ries, David G., 1949- II. Simek, John W. III. American Bar Association. Section of Law Practice Management. IV. Title.
www.ShopABA.org
AUTHORS NELSON AND SIMEK dedicate this book to our ever-growing family, having enjoyed two weddings last year and the addition of two grandchildren to our family. With great love, we dedicate this book to Kelly and Jeff Ameen, JJ and Sarah Simek, Sara and Rob Singmaster, Jason and Natalia Simek, Kim and Chris Haught and Jamie Simek as well as grandchildren Samantha and Jordan.

Author Dave Ries dedicates this book to his wife, Debbie, Dave Jr. and Jenelle Ries, my granddaughter Ellie, and Chris and Liz Ries. Their love and support have made this book and much more possible.
About the Authors

Sharon D. Nelson, Esq.

Sharon D. Nelson is the President of Sensei Enterprises, Inc. Ms. Nelson graduated from Georgetown University Law Center in 1978 and has been in private practice ever since. She now focuses exclusively on electronic evidence and information security law.
Ms. Nelson and Mr. Simek are the coeditors of the Internet law and technology newsletter Bytes in Brief. Ms. Nelson, Mr. Simek and their Sensei colleague Maschke are the coauthors of the 2008, 2009, 2010, 2011 and 2012 editions of The Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple. Ms. Nelson and Mr. Simek are also coauthors of Information Security for Lawyers and Law Firms (American Bar Association 2006). Additionally, Ms. Nelson and Mr. Simek are coauthors of The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines (ABA 2006). Ms. Nelson is a coauthor of How Good Lawyers Survive Bad Times (ABA 2009). Their articles have appeared in numerous national publications, and they frequently lecture throughout the country on electronic evidence and legal technology subjects.

Ms. Nelson and Mr. Simek are the hosts of the Legal Talk Network’s Digital Detectives podcast, and Ms. Nelson is a cohost of the ABA’s The Digital Edge: Lawyers and Technology podcast.
Ms. Nelson will become the Vice President of the Virginia State Bar in June 2012 and its 75th President in June 2013. She is the past President of the Fairfax Bar Association, a Director of the Fairfax Law Foundation, past Chair of the ABA’s TECHSHOW Board and past Chair of the ABA’s Law Practice Management Publishing Board. She currently serves on the Governing Council of the ABA’s Law Practice Management Section and as the Chair of its Education Board. She serves as a member of the Sedona Conference and of EDRM. She is a graduate of Leadership Fairfax and serves on the Governing Council of the Virginia State Bar as well as on its Executive Committee. She is the Chair of the VSB’s Unauthorized Practice of Law Committee and serves on both its Technology Committee and its Standing Committee on Finance. She also serves on the Virginia Supreme Court’s Advisory Committee on Statewide E-filing. She is a member of the ABA, the Virginia Bar, the Virginia Bar Association, the Virginia Trial Lawyers Association, the Virginia Women Attorney Association, the Women’s Alliance for Financial Education and the Fairfax Bar Association.
David G. Ries, Esq.

David G. Ries is a partner in the Pittsburgh office of Thorp Reed & Armstrong, LLP, where he practices in the areas of environmental, commercial and technology litigation. He has used computers in his practice since the early 1980s and chairs his firm’s e-Discovery and Records Management Group. He served two terms as a member and Chair of a Hearing Committee for the Disciplinary Board of the Supreme Court of Pennsylvania. Dave received his J.D. from Boston College Law School in 1974 and his B.A. from Boston College in 1971.
He has represented clients in a variety of technology litigation matters, including major systems implementation cases, and has advised clients on a number of technology law issues such as information security and privacy compliance, hardware and software agreements, electronic payments, technology use policies, domain name disputes, electronic records management, response to computer intrusions and electronic contracting.
He is a member of the ABA Law Practice Management Section Council and a member of the ABA Section of Science and Technology’s Information Security Committee. He served on the ABA TECHSHOW Planning Board from 2005 through 2008.
Dave has frequently spoken on ethics, legal technology and technology law issues for legal, academic and professional groups, including the American Bar Association, the Association of Corporate Counsel, the Energy & Mineral Law Foundation, the Pennsylvania Bar Institute, the Information Systems Security Association and Carnegie Mellon University. He recently wrote “Safeguarding Client Data—Your Ethical and Legal Obligations,” Law Practice Magazine (July/August 2010). He is the editor of Discovery, 2nd ed. (PBI Press 2011) and is a contributing e-author to Information Security: A Legal, Business and Technical Handbook, 2nd ed. (American Bar Association 2011) and Information Security for Lawyers and Law Firms (American Bar Association 2006).
John W. Simek

John W. Simek is the Vice President of Sensei Enterprises, Inc. He is an EnCase Certified Examiner (EnCE) and a nationally known testifying expert in the area of computer forensics.
Mr. Simek holds a degree in engineering from the United States Merchant Marine Academy and an M.B.A. in finance from Saint Joseph’s University. After forming Sensei, he ended his more than 20-year affiliation with Mobil Oil Corporation, where he served as a Senior Technologist troubleshooting and designing Mobil’s networks throughout the Western Hemisphere.
In addition to his EnCE designation, Mr. Simek is a Certified Handheld Examiner, a Certified Novell Engineer, Microsoft Certified Professional + Internet, Microsoft Certified Systems Engineer, NT-Certified Independent Professional and a Certified Internetwork Professional. He is also a member of the High Tech Crime Network, the Sedona Conference, the Fairfax Bar Association, the International Information Systems Forensics Association and the ABA. In addition to coauthoring the books cited in Ms. Nelson’s biography, he also serves on the Magazine and Education Boards of the ABA’s Law Practice Management Section. He currently provides information technology support to more than 250 area law firms, legal entities and corporations. He lectures on legal technology and electronic evidence subjects throughout the United States and Canada.
We are forever in debt to Tim Johnson, the former Executive Editor of LPM Publishing, for encouraging all of our authorship efforts over the years. Tim, your ability to encourage and apply the rod as deadlines slip a bit is unparalleled. At least this time, we were “close” to the deadline we set. We appreciate your support and constant good nature.

Thanks to our fantastic Production Manager, Denise Constantine, and our Editorial Assistant, Kimia Shelby. We are delighted to be working with LPM’s gifted new Marketing Director, Lindsay Dawson. As always, the Pub Board staff is a joy to work with and we thank our Project Manager Jeff Flax, an old friend and valued colleague, and Pub Board Chair Bill Henslee who has always given us his support and a great deal of encouragement.
Sharon Nelson
Dave Ries
John Simek
INEVITABLY, WHEN WE LECTURE on information security to lawyers, they describe themselves as being scared—usually because they had no concept that there were so many bogeymen to be afraid of. Sometimes, lawyers are frightened into absolute inertia and simply leave data security to whomever provides their information technology (IT) support.
We embarked upon this book hoping to make security a little more approachable. There need to be some technical explanations of course, but we’ve tried to keep the technical stuff to a minimum so that the average attorney can genuinely understand the security demons that are out there and how to defend against them. Forewarned really is forearmed.
This is not a DIY sort of project, especially if you’ve suffered a security breach. We make no attempt in this book to document the myriad steps that a professional information security expert would take. Our objective is to teach the data security basics in language that can be readily understood by lawyers. If you’re in over your head, you’ll hear us advise you again and again to seek professional help. Even among those who call themselves experts, there is often a shocking knowledge shortfall or a failure to keep up with current developments, which happen with dizzying speed!
One of the greatest difficulties of information security is that it is a moving target. The landscape changes so quickly that last year’s (and sometimes even yesterday’s) knowledge is woefully inadequate to combat today’s threats. “Eternal vigilance” is absolutely required for those of us who deal with data security issues.
Still, there are guiding principles that remain largely the same. We have tried to break information security down into digestible segments, knowing that some attorneys will pick up this book with concrete questions about specific security areas. Common questions we hear include:

1. What constitutes a strong password today?
2. How do I secure my smartphone?
3. Do I need to encrypt my laptop?
4. Can I safely use my laptop at Starbucks?
If your interests are narrow, you should be able to find what you’re looking for by scanning the Contents. We would urge lawyers, however, to take a broad interest in the security of data because they have, unlike the general public, a professional and ethical requirement to safeguard client data. Although lawyers are all aware of ABA Model Rule 1.6 (and we have an entire chapter on an attorney’s duties to safeguard confidential data), the trick is how to keep client data secure in the digital era. It isn’t easy. The paper world was much simpler to lock down. Computer security is expensive—and it takes time to understand it—and you will never finish learning because threats and technology morph constantly.
Are lawyers abiding by their ethical duty to preserve client confidences? Our opinion is that many are not. Here are a few reasons we hold that opinion.
• Security expert Rob Lee, a noted lecturer from the security firm Mandiant, has reported to us that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.
• Security expert Matt Kesner, who is in charge of information security at a major law firm, reports that his firm has been breached twice—and that he is aware that other law firms have suffered security breaches—and failed to report them to clients.
• We have never performed a security assessment at a law firm (or for that matter, at any kind of business) without finding severe vulnerabilities that needed to be addressed.
Why do many otherwise competent lawyers fail so miserably in their duty to maintain the confidentiality of client data? Here are some of the reasons.

• Ignorance—they simply need education.
• The “it can’t happen here” mentality. This is flatly wrong. Even the FBI issued an advisory in 2009 that law firms were specifically being targeted by identity thieves and by those performing business espionage—much of it originating from China and state sponsored, though of course the Chinese government has vehemently denied involvement in such activities. Matt Kesner, mentioned earlier as an expert, reports that the Chinese don’t bother using their “A-level” hackers to infiltrate law firms; their security is so bad that the rookie “C-level” squads are able to penetrate law firms.
• According to press reports, lawyers and law firms are considered “soft targets”; they have high-value information that’s well organized and frequently have weak security.
• It’s expensive. And it is. Protecting the security of client data can present a big burden for solos and small law firms. This does not take away a lawyer’s ethical duty, however, and it is one reason the authors lecture so often on computer security. Once a lawyer sees the most common vulnerabilities, he or she can take remedial steps—or engage an IT consultant to do those things that are beyond the lawyer’s skill.
• The need for vigilance never stops. You cannot secure your data once and think you’re finished; the rules of information security change on close to a daily basis. Certainly, someone in the firm needs to keep up with changes on a regular basis or the firm needs to engage a security consultant to do periodic reviews. The standard advice is that security assessments need to be done twice a year. While that is desirable, it is in our judgment mandatory that assessments be conducted at least annually.
In the paper world, keeping client data confidential was easy and cheap. In the digital era, abiding by this particular ethical rule is often hard and expensive, but it must be done.

We hope this book takes some of the “hard” away and also helps lawyers understand how many inexpensive steps exist to protect data without breaking the bank.
Often, this subject seems so dense and unapproachable that lawyers have the Ostrich Effect and simply bury their heads in the sand. Brian Ahern of Ahern Insurance Brokerage reported in 2011 that law firms are ranked ninth in terms of organizations with the highest risk of cyberexposure. As previously mentioned, even the Federal Bureau of Investigation warned law firms in November 2009 that they were increasingly becoming the target of hackers.
In the American Bar Association’s 2011 Technology Survey, 21.1% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they had suffered a security breach (Appendix A).
You would think that the magnitude of those numbers would be a wake-up call to the legal industry, but security always seems to take a backseat at law firms. In part, law firms are not used to budgeting for information security, and yet that is clearly mandated in a world where technology rules us all. The crown jewels of law firms are their electronic files, and yet many law firms guard them sloppily.
For years, we’ve been warning lawyers that it’s not a question of whether law firms will become victims of successful hacking attacks; rather, it’s a matter of when. We pointed to incidents of dishonest insiders and lost or stolen laptops and portable media, but there were no disclosed incidents of successful hacking attacks. As the preceding examples show, we’ve now reached the “when,” and attorneys and law firms need to address it.
We have set out in this book to provide practical advice in a condensed format. We hope that sharing some of the infosec “war stories” by way of examples will serve to make a business case for genuinely focusing on information security on a regular basis and, depending on the size of your firm and your area of practice, making sure that sufficient funds and time are allocated to protecting your firm’s data.
CHAPTER ONE
Data Breach Nightmares and How to Prevent Them
Can Your Law Firm Be Breached?
In the paper world, it was remarkable when a law firm installed glass-breakage sensors on the windows of its 43rd-floor conference room, where documents were compiled for big cases and deals. The firm wanted to ensure that no one could rappel from the skyscraper’s observation deck and break through the windows to steal the information. Boy oh boy, the times have really changed.
So now you’ve read in the introduction to this book that the FBI has warned law firms that they are targets for hackers and that security firm Mandiant has been spending 10% of its time investigating data breaches in law firms. In fact, Mandiant has confirmed that it has worked with more than 50 law firms dealing with confirmed or suspected data breaches. Clearly, it can happen to any firm.
Now consider the fact that most lawyers do not have cyberinsurance that will cover the expense of complying with data breach laws, which now exist in 46 states, the District of Columbia and the Virgin Islands. A single data breach could be a financial disaster for a small law firm.
The last stumbling block for lawyers who are disinclined to focus on security issues is their belief that it won’t happen to them—particularly their belief that no one would be interested in their data. Most of us can understand why merger and acquisition firms would be magnets for hackers; clearly, there is a great deal of money to be made on Wall Street with insider information.
Fewer people think about the money to be made by having an insider’s knowledge of litigation, particularly in large suits involving a major corporation, where the result is likely to influence the stock market.
But what about small law firms? What attractive data do they hold? Many small firms practice family law, and their computers contain Social Security numbers, birth dates, and credit card and other detailed financial information. This is precisely the kind of data that identity thieves are looking for. They routinely scan for vulnerable systems seeking such data. Business espionage is another motivation for breaking into law firms. Perhaps you represent a company and a competitor wishes to acquire business intelligence from you.
There is also the press. In 2011, the News of the World notoriously hacked into cell phones to feed the public’s insatiable appetite for gossip. Consider all the interest in a murder trial—is it conceivable that a reporter might seek private information to get a scoop? Of course.
Need More Convincing?
Take a look at the Privacy Rights Clearinghouse web site’s Chronology of Data Breaches from 2005 (when the first big breaches were disclosed) to the present. It may be found at http://www.privacyrights.org/data-breach and there are very sophisticated ways to sort the information.
Those were not the first large data breaches. They were disclosed because of a new California law that required breach notification. Business executives acknowledged in congressional hearings that there had been breaches in the past, but they were not disclosed because there was no requirement to do so and it was not in their business interest to make the breaches public. As of mid-December 2011, the Clearinghouse reported 535 breaches involving 30.4 million sensitive records.
The first thing you’ll note is that there are lots of data breaches each month. The second point you’ll note is that you don’t see a lot of law firms there. It is an open secret that law firms have played breaches very close to the vest and demand strict confidentiality agreements from information security vendors who investigate any compromise of their networks. This means, of course, that there probably are law firms out there that have chosen not to comply with state data breach notification laws, which frankly doesn’t surprise us.
The third thing you’ll notice is that there are a ton of health industry breaches here. Why? Because there is a federal law requiring that this industry report breaches, and the law has teeth. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, contains several significant changes to the privacy rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HITECH requires that covered entities subject to the HIPAA privacy rule and their business associates must provide notice when unencrypted protected health information has been breached.
In spite of the law and the number of breaches you see reported, a study by the Healthcare Information and Management Systems Society found that only 17% of medical practices are likely to report an incident of medical identity theft—in spite of all the federal and state laws requiring a report.
If a federal law is passed that covers personal information generally and provides stiff penalties, you’ll be seeing a lot more industries in the Chronology of Data Breaches—and you’ll probably find that law firms, always seeking to keep embarrassing information private, may well be like the medical practices and take their chances with flouting the law if they think they can “keep the lid on.”
What’s New in the Data Breach World?
The Ponemon Institute’s 2011 “Cost of a Data Breach” study found that data breaches cost organizations $7.2 million on average in 2010. While this is a dreadfully high number, bear in mind that many of the data breaches that are reported are breaches that have gone public, some of them involuntarily, and they tend to involve very large corporations, which are far more likely to report breaches than smaller entities.
With respect to smaller businesses, the National Small Business Cyber-security Study, published in 2011, reported that almost one-fifth of small businesses don’t have or use antivirus software. Three-fifths don’t use any encryption on their wireless networks, and two-thirds have no security plan whatever.
Security software behemoth Symantec revealed in September 2011 the results of its Small and Medium Business Threat Awareness Survey, and the numbers were disturbing.
It surveyed 1,900 businesses worldwide with 5 to 499 employees. The key findings indicated that at least half of these businesses continue to believe, in spite of all the evidence to the contrary, that they are not targets for cybercriminals; therefore, they are not taking actions to secure their data.
Another 2011 Ponemon study showed that 90% of businesses of all sizes reported a security breach in the preceding year. The majority had multiple breaches. It was striking that the majority didn’t have much faith that they could stop breaches in the future; according to 77% of these businesses, the attacks were more sophisticated and severe.

IBM published its X-Force® 2011 Mid-year Trend and Risk Report in September 2011. Here are some of the more notable findings.
• Political hacktivism, first noted widely in 2010, is on the rise again in 2011, with hackers who have political objectives in mind. The hacker group Anonymous is a prime example.
• Attackers are becoming more sophisticated, developing better and better tools. They study their targets and wait for the right moment to try to enter high-value networks.
• America (no surprise) experienced an unprecedented number of high-profile data breaches in the first half of 2011, including Sony, Epsilon, HBGary, Citigroup, Northrop Grumman, Booz Allen Hamilton and RSA.
• Mobile vulnerabilities and malware continue to soar and were predicted to double by the end of 2011. A Deloitte poll of 1,200 executives revealed that 28.4% believe they have unauthorized devices on their networks and almost 87% believe their companies are at risk for a cyberattack originating from a mobile device.
• Critical software vulnerabilities have tripled since 2010, with 7,000 vulnerabilities expected to be revealed by the end of 2011.
• Companies are beginning to ask themselves not “could it happen?” but “when it happens, how will we respond?”
• We are seeing a continuing rise in what are known as “advanced persistent threats” (APTs)—sometimes very complex—and after they compromise a network, they often go undiscovered for months.
• APTs (and this term is often too loosely used when the attack is conventional) typically cannot be defended against by keeping patches current and running commercial security products. These attacks are specifically targeted as a rule and often exhibit careful long-term planning, also often using brand new vulnerabilities and obfuscation techniques.
• With APTs, it is sometimes advisable to let the attack continue while you document it and run counterintelligence on it. Forensic analysis is going to be a key activity, adding to the inevitable financial burden.
• In spite of the fact that we know a great deal about how to protect ourselves from things like SQL injections, we simply aren’t doing it. For those who were wondering, SQL injection is a code injection technique that exploits a vulnerability in a web site’s software by passing untrusted user input into its database queries.
A new development in 2011 was e-mails that appear to come from your printer, scanner or all-in-one device. They are a form of attack, using e-mails with false header information to get users to click on the link contained in the e-mail. Author Nelson got one as she was writing this chapter. Here’s what it looked like:
From: support@senseient.com
[mailto:support@senseient.com]
Sent: Thursday, December 01, 2011 3:21 AM
To: Sharon D Nelson
Subject: Re: Fwd: Re: Scan from a Xerox W Pro #6979530

A Document was scanned and sent to you using a Xerox Work-
Verizon’s 2011 Data Breach report noted that, in 2010, the Secret Service arrested more than 1,200 suspects for cybercrimes. The investigations involved more than $500 million in fraud losses.
Verizon also identified only 16% of the threats as coming from internal sources, with 92% coming from external sources and less than 1% coming from third parties who had a relationship with the breached entity.
Where do these external threats come from? Sixty-five percent come from Eastern Europe, which is notorious for cybercrime (and where many investigations “go to die”), 19% from North America, and 6% from South and Southeast Asia. Those are the top three culprits.
The leading three threat agents are hacking, malware and exploitation of physical security vulnerabilities, followed by the misuse of data to which someone had access, and social engineering.
While insider threats appear to be down, bear in mind the case of Matthew Kluger, a lawyer who allegedly stole insider information from the law firms he worked for during a 17-year period. At Wilson Sonsini, his most recent employer, he got the information from the firm’s document management system. As Law Technology News pointed out in a 2011 article, this underscored three law firm information security challenges:
• The need to balance security with the need to share information;
• The importance of having security policies, with people in place with enough authority to enforce and monitor the policies, updating them as needed;
• The clear message that law firms need to focus on threats from insiders, because the tendency is often to focus on external threats and ignore those in the office.
Finally, Information Week reported in 2011 that a recent survey of 300 IT professionals, two-thirds of them working in companies with more than 10,000 employees, showed that 25% of them knew at least one coworker who used privileged login credentials to inappropriately access confidential information. There were 42% who indicated that the IT staff freely shared passwords and access to multiple systems and applications.
There were also 25% who indicated that at least some of the superuser passwords granting God rights to the network were less complex than what was required of end-users. A whopping 48% reported that privileged account passwords had remained the same for at least 90 days.
While these are big firm statistics, we have no doubt that this sort of sharing, inappropriate access of data and poor password management are rife in small firms as well.
The government isn’t doing any better than the private sector. The U.S. Government Accountability Office released a report in 2011 acknowledging that there has been a 650% increase in malware infections and other security incidents over the past five years.
The Bad Rap Law Firms Get on Information Security
Security consultants consistently report that law firms are “stingy” about spending money on data security and lag far behind their corporate counterparts. Only at the largest firms does one find security specialists.
Law firms in general, and small firms in particular, are not very likely to have vulnerability assessments done. If they do have an assessment done, they often don’t follow the best practice of repeating the assessments at regular intervals. Firmwide encryption is almost unheard of. We forget how our mobility has opened up new vulnerabilities. Flash drives, tablets, smartphones—all are easily lost or stolen, yet most lawyers do not encrypt these mobile devices. Sadly, many do not even go to the trouble to have a password or PIN on their devices.
Social media sites have become wonderful places for criminals and business espionage experts to set up shop. Even developers for social media sites have been found with their hands in the cookie jar. And yet, we find very few firms with social media policies, with training about the safe usage of social media, or with technology in place that might intercept malware before it is installed on the network.
Engagement letters should note that security cannot be guaranteed and advise clients not to send unencrypted sensitive information electronically. Unfortunately, we rarely see that sort of language used by solos and small firms.
A Recent Law Firm Data Breach

On October 10, 2011, it was reported in the press that the Maryland law firm of Baxter, Baker, Sidle, Conn & Jones had lost the medical data of 161 patients in a malpractice suit. This was especially significant because it is so rare to hear of law firm data breaches; understandably, law firms are loath to have such stories become public. So how did this one come to light? The Baltimore Sun obtained a copy of one of the notifications sent to the patients.
Here’s what happened: One of the law firm’s employees brought home a hard drive containing backup data, which was the firm’s method of ensuring that it had an offsite backup. She took the Baltimore light rail system home and—you guessed it—left the drive on the train. Though she returned just a few minutes later, the drive was gone. And yes, the drive was unencrypted.
In any event, it should be clear that traveling withunencrypted backup data is a very bad idea The firm hasbegun encrypting its data and is looking into offsite datastorage
State Laws Protecting Personal Data
As we stumble toward a federal data breach law, a process which has taken years, the states have taken matters into their own hands. By late 2010, the Practising Law Institute identified the following attempts by the states to safeguard personal data:
• Forty-six states had breach notification laws. Generally, these require that an entity which reasonably believes that there has been a breach involving unencrypted data acquired by an unauthorized person must provide notice to the affected persons.
• Forty-eight states have security freeze laws, allowing customers who have been or believe they will be victims of identity theft to request that a consumer reporting agency place a “freeze” on their credit report, blocking any unauthorized access to it.
• Thirty-five states have Social Security protection laws that dictate how Social Security numbers may be used or displayed.
• Twenty-four states now mandate the secure disposal of personal information. States that require secure destruction or disposal of personal information often require the following:
◦ When disposing of or destroying records that contain personal information, entities must take all reasonable measures necessary to protect against unauthorized access to or use of the records or the personal information contained in the records;
◦ Measures may include burning, pulverizing or shredding paper documents so that personal information cannot be read or reconstructed; and/or
◦ Contracts with a third party to perform the secure disposal or secure destruction must ensure that the third party is following the requirements of state security laws.
◦ Almost all state laws exempt encrypted information from their personal information security requirements. Nevada and Massachusetts have implemented much more stringent security laws that require the encryption of personal information, and such requirements may represent a trend.
The Massachusetts law is particularly important for all states to understand because it applies extraterritorially: it covers any business, in any state, that holds personal information about Massachusetts residents.
◦ Nevada, Massachusetts and Washington have encryption statutes which require businesses to protect customer data by encrypting it on mobile devices and whenever it is transmitted electronically.
Because the Massachusetts law is so strict and causes businesses (including attorneys) that do business with Massachusetts residents so many headaches, we have included the regulations under it at the end of this book as Appendix B. Attorneys’ legal duties are further discussed in the following chapter.
Spear Phishing—and a Data Breach Avoided
Spear phishing is targeted phishing. Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Spear phishing is more likely to succeed because it often appears to come from someone you trust, and the subject line is designed to engage the recipient. For instance, it might say: “Check this out—you’re quoted in this article.” An appeal to ego is often successful. Once in, the perpetrators will look for administrator accounts and the accounts of managing or senior partners to allow them to move freely within the larger network.
In a smaller firm, the e-mail’s subject line might well read “Referring a case to you”; that would certainly be appealing in these uncertain economic times.
In 2010, the Los Angeles-based firm Gipson Hoffman & Pancione survived an attempted spear phishing attack. The firm had filed a $2.2 billion copyright infringement suit on behalf of CYBERsitter LLC. Shortly thereafter, the firm noted a dramatic increase in suspicious e-mails.
The e-mails appeared to be sent from lawyers at the firm and included a message requesting the recipients to open an attachment. The firm’s internal investigation revealed that the attachment contained malware which appeared to come from China. We can never say enough about the value of training, and training saved the firm from making an error in this case. Attorneys and support staff had been warned to be on the lookout for suspicious e-mails after the suit was filed, because the suit accused the Chinese government and several companies of stealing code from CYBERsitter’s Internet filtering program. No one clicked on the attachments, so no malware bomb was detonated.
A new kind of spear phishing was dubbed “whaling” in the IBM report referenced earlier. Whaling specifically targets big fish: high-level personnel with access to critical data. The cybercriminals research the “whales” online, usually through social media, and are able to construct messages that genuinely appear to come from, say, the target’s boss, duping them into clicking on a malicious link. It’s an effective harpoon and is gaining traction with the bad guys.
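The two tells in the incident above, a colleague’s name over an address the firm does not use and an attachment nobody was expecting, are easy to check automatically at the mail gateway. The following is an added example and is not code from this book or from Gipson Hoffman & Pancione: it parses a message with Python’s standard email library and flags display-name spoofing, lookalike sender domains, a Reply-To that goes somewhere other than the From domain, and risky attachment types. The firm domain, the staff directory, the extension list and both sample messages are constructed for illustration.

```python
"""Sender-spoofing and attachment checks for inbound mail.

Added example, not code from the book or the firms it describes. The
firm domain, the staff directory and the sample messages below are all
constructed; a real deployment would read the directory from the mail
system and run these checks at the gateway.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

FIRM_DOMAIN = "example-lawfirm.com"                 # assumed firm domain
FIRM_STAFF = {                                      # constructed directory
    "Jane Partner": "jpartner@example-lawfirm.com",
    "Sam Associate": "sassociate@example-lawfirm.com",
}
# Attachment types a small firm rarely has reason to receive unsolicited
# (assumed policy list, not taken from the text).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".zip", ".docm", ".xlsm"}


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze(raw: str) -> list[str]:
    """Return the findings for one raw message; an empty list means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    known = FIRM_STAFF.get(name)
    if known is not None and addr.lower() != known.lower():
        # The classic spear-phishing tell: a colleague's display name
        # over an address the directory does not know.
        findings.append(f"From display name '{name}' is a colleague but the address is {addr}")
    sender_domain = _domain(addr)
    if sender_domain != FIRM_DOMAIN and FIRM_DOMAIN.split(".")[0] in sender_domain:
        findings.append(f"From domain '{sender_domain}' resembles but is not {FIRM_DOMAIN}")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append(f"Reply-To ({reply_addr}) goes to a different domain than From")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment '{filename}' has a risky extension")
    return findings


def build_message(sender, subject, body, reply_to=None, attachment=None) -> str:
    """Construct a raw RFC 5322 message so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "sassociate@example-lawfirm.com"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        filename, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed samples modelled on the incident in the text: the lure appears
# to come from a partner and asks the reader to open an attachment.
PHISH = build_message(
    "Jane Partner <jane.partner@example-lawfirm-mail.net>",
    "Please review before the hearing",
    "Can you open the attached and get back to me today?",
    reply_to="Jane Partner <jp.legal@mailbox.example>",
    attachment=("motion_to_compel.zip", b"PK\x03\x04 constructed placeholder, not a real archive"),
)
LEGIT = build_message(
    "Jane Partner <jpartner@example-lawfirm.com>",
    "Lunch on Thursday?",
    "Noon at the usual place.",
)

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

None of these checks proves a message is malicious; they are there to route the message to a human before anyone double-clicks, which is exactly what the firm’s warning to staff achieved by hand.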
A Nasty Law Firm Data Breach
Another law firm was not so lucky. In 2008, security firm Mandiant discovered that the firm’s network had been breached for more than a year, after the law firm was tipped off to the breach by law enforcement. We don’t know how law enforcement knew, but more and more, we are seeing businesses warned by authorities, which is interesting.
The law firm could not be named due to Mandiant’s confidentiality agreement, but Mandiant stated that the firm was involved in litigation involving China, common in many breaches in spite of the Chinese government’s many protestations of innocence when the words “state-sponsored hacking” come up. The intruders at the law firm were able to obtain more than 30 sets of user credentials and harvested thousands of e-mails and attachments from mail servers; they also had full access to all servers and computers on the network for an extended time. The fact that this could happen to a law firm should give lawyers a serious case of the willies.
Okay, I’m Convinced: What’s Next?
First, understand how data breaches happen. Here are the most common ways:
• Devices with unencrypted data are stolen or lost.
• Security patches (software fixes issued by manufacturers) are not installed.
• Lawyers and staff are not trained about social engineering. One example is when someone pretends to be your IT provider and needs an employee’s ID and password to “fix something.”
• Malware comes in via an attachment or through social media (this would include the previously referenced spear phishing).
• Hackers, cybercriminals and even nations find a vulnerability in your network.
Since the old, innocent days of script kiddies, youngsters who copied malicious code easily available on the Internet, we now have more sinister types trying to get your information, and their skill set has vastly improved along with the tools available. Also, our networks are becoming more interconnected and complex all the time. As Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, has said, “Complexity is the enemy of security.” As he further pointed out, if someone really wants your data, they stand an excellent chance of getting it.
The Department of Defense reports that its computers are probed hundreds of thousands of times each day. Now, your law firm probably isn’t probed that often, but rest assured that it is being probed. Even the power of the cloud can be used by hackers to automate the probes.
Here’s another reason to be wary, from Alan Paller, the director of research at the SANS Institute: “If I want to know about Boeing and I hack into Boeing, there are a billion files about Boeing. But if I go to Boeing’s international law firm, they’re perfect. They’re like gold. They have exactly what I’m looking for. You reduce your effort.”
Essential steps to take include:
• Have a security vulnerability assessment performed, at least annually.
• Remediate any vulnerabilities discovered.
• Use enterprise-class antimalware, not single-function products like an antivirus program (for small firms, we like Kaspersky, Sophos and Trend Micro).
• Have security policies and plans in place:
◦ Remote access policy;
◦ Incident response plan;
◦ Disaster recovery plan;
◦ Acceptable Internet and electronic communications policy;
◦ Social media policy. More than 66% of small businesses do not have such a policy, and yet 18% of users have been hit by social media malware, according to a 2011 report by the Ponemon Institute;
◦ Employee termination checklist (Appendix C);
◦ Password policy;
◦ Mobile device (includes smartphones) policy (critical if you allow the use of personal devices);
◦ Background checks for employees;
◦ Employee monitoring policy. It is helpful to have a logon screen that specifically says that there is no right of privacy; that makes it hard for any employee to argue that they didn’t know the policy;
◦ Guest access policy. Guests are frequently allowed on law firm networks, but they should not be able to reach client data, firm financial information and so forth, and they should be given a password that expires quickly;
◦ Vendor access policy.
• Make sure critical security patches are promptly applied.
• Map your network to identify devices and applications running on the network (you can use a free tool such as Nmap). Regular scanning will show you what and who should and shouldn’t be on the network. Anything that looks suspicious can be investigated.
• Depending on the size of your firm, you may want to consider an intrusion detection system (IDS) or intrusion prevention system (IPS).
• Larger firms may want to use a network behavior analysis tool, which monitors network traffic and detects anomalies, but this is probably beyond the budget of small firms.
• Consider using content filtering, which keeps employees from visiting sites (notably pornographic sites) where evildoers are apt to plant drive-by malware.
• Examine the security policies of business partners.
• Verify that your firewall is properly configured.
• Encrypt sensitive data in transit and in storage. This is especially important for mobile devices, which are so frequently lost or stolen. Make sure they can be remotely wiped and that they will wipe themselves after a certain number of incorrect passwords are typed in.
• Change all default passwords; these are plastered all over the Internet.
• If you have bent to the pleas of employees to connect their personal devices to your network, make sure you have a mobile device manager (more on that in the smartphones chapter) which can help manage security. The new trend is to have two instances of the phone, one for business and one for personal stuff, with the employer tightly managing the business instance of the phone. Since most small law firms are not using mobile device managers, allowing personal devices on the network is a Faustian bargain with a severe security risk. It is very important that data be encrypted, that passwords be required and that the devices can be remotely wiped.
• Verify that your wireless network is properly secured (more on how to do that in the wireless chapter).
• Log remote access and limit access to sensitive data.
• Make sure you know where all your data is actually located!
• Make sure you know which experts you would call in the event of a breach.
• Make sure your devices are physically secure (see the physical security chapter).
• If you accept credit cards, make sure you are following the applicable parts of the PCI Data Security Standard (DSS), which may be found at https://www.pcisecuritystandards.org.
• Get IT and partners to work together. Firm culture is a big problem; it is often true that a partner can refuse an IT security recommendation by simply saying, “I don’t want to work that way.”
• Have a plan for damage control to the firm’s reputation.
• Train and keep on training both lawyers and staff. Employees continue to fall for even easy-to-spot social engineering and threats. Lance Spitzner, director of the SANS Securing the Human Program (we love that name), tells of an employee who submitted his resignation immediately upon receiving a phony e-mail about winning a lottery. And each year, the IRS tests its employees with a social engineering drill in which a bogus system administrator calls and requests the employee’s ID and password. Each year, more than 25% of the employees obligingly give out this information in spite of their annual training.
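The network-mapping step in the list above only pays off if each scan is compared with what is supposed to be there, so that a new device or a newly opened port stands out. The following is an added example and is not code from this book: it parses Nmap’s “grepable” output (the real -oG format) and diffs it against an inventory of known hosts and their expected ports. The scan text and the inventory are constructed, and the exact layout assumed for the Ports: field is noted in the code.

```python
"""Compare an Nmap scan of the office network against the known inventory.

Added example, not from the book. Nmap's grepable output (-oG) is a real
format; the scan below is constructed to look like one, and the inventory
of expected hosts and ports is invented for illustration. Assumption: each
entry in the Ports: field has the layout
port/state/protocol/owner/service/rpc-info/version/ and entries are
separated by commas.
"""

# Constructed: what `nmap -sS -oG - 192.168.10.0/24` might print for a small
# office with one file server and one device nobody documented.
SAMPLE_SCAN = """\
# Nmap 6.25 scan initiated Mon Oct 10 09:00:00 2011 as: nmap -sS -oG - 192.168.10.0/24
Host: 192.168.10.5 (fileserver.example-lawfirm.local)\tStatus: Up
Host: 192.168.10.5 (fileserver.example-lawfirm.local)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.10.23 ()\tStatus: Up
Host: 192.168.10.23 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap done at Mon Oct 10 09:00:12 2011 -- 256 IP addresses (2 hosts up) scanned in 12.30 seconds
"""

# Constructed inventory: the devices the firm knows about and the TCP ports
# each one is supposed to expose on the office network.
INVENTORY = {
    "192.168.10.5": {"name": "fileserver", "ports": {445}},
    "192.168.10.1": {"name": "router", "ports": {443}},
}


def parse_gnmap(text):
    """Return {ip: {port: service}} for every open TCP port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})        # hosts that are up but show no open ports still count
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open" and proto == "tcp":
                    hosts[ip][port] = service
    return hosts


def compare(scan, inventory):
    """Report hosts the inventory does not list, open ports it does not
    expect on listed hosts, and listed hosts that did not answer."""
    report = {"unknown_hosts": [], "unexpected_ports": {}, "missing_hosts": []}
    for ip, ports in sorted(scan.items()):
        expected = inventory.get(ip)
        if expected is None:
            report["unknown_hosts"].append(ip)
            continue
        extra = set(ports) - expected["ports"]
        if extra:
            report["unexpected_ports"][ip] = extra
    for ip in inventory:
        if ip not in scan:
            report["missing_hosts"].append(ip)
    return report


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_SCAN)
    result = compare(scan, INVENTORY)
    for ip in result["unknown_hosts"]:
        print(f"investigate: {ip} is up but not in the inventory; open ports {sorted(scan[ip])}")
    for ip, ports in result["unexpected_ports"].items():
        print(f"investigate: {INVENTORY[ip]['name']} ({ip}) has unexpected open ports {sorted(ports)}")
    for ip in result["missing_hosts"]:
        print(f"check: {INVENTORY[ip]['name']} ({ip}) did not respond to the scan")
```

Run the real scan with `nmap -sS -oG scan.gnmap <your subnet>` from a machine you administer, feed the file to `parse_gnmap`, and keep the previous report so that each scan is also compared with the last one; in the constructed data the undocumented host exposing telnet and the remote-desktop port on the file server are the two things a small firm would want explained.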
When an incident is over, sit down and do some serious Monday morning quarterbacking. You may have policies or procedures to change. Whatever your incident response plan, it probably did not wholly survive first contact with the enemy.
Never think that you can handle a data breach without expert involvement. Only an information security specialist can truly do that, which is one reason that we haven’t included a complicated set of technical instructions here. For one thing, they’d be obsolete as soon as written, and for another, they would constitute a book in and of themselves.
Secure Passwords: The Rules Have Changed
Passwords might seem a tired subject to some, but the rules of the security game have changed, and it is high time to say goodbye to those wimpy, eight-character passwords. If you are using fewer than eight characters, shame on you! Even in 2011, PC Magazine reported that the top five passwords were 123456, password, qwerty (the top alphabet row on the keyboard, in case you’ve never noticed), abc123 and the oddly plaintive “letmein.” Not strong, not creative and an invitation to a breach.
Georgia Institute of Technology Report
The top five passwords listed above are dreadful, of course, but even those who were using strong eight-character passwords received a shock when it turned out that those passwords are now insecure.
According to a report recently published by the Georgia Institute of Technology, it is time to move to 12-character passwords. In essence, Institute researchers were able to use clusters of graphics cards to crack eight-character passwords in less than 2 hours. And trust us, if researchers are doing this, so are the cybercriminals of the world.
The researchers discovered that, when they applied the same processing power to 12-character passwords, it would take 17,134 years to crack them. Cybercriminals, even when highly motivated, are going to bypass 12-character passwords; there are just too many folks out there asking for their security to be violated with less secure passwords. Richard Boyd, a senior research scientist who worked on the project, says that 12-character passwords should be the de facto standard we all use. It is simply too clear that the degree of your vulnerability is dictated in large part by the length of your password. Sad, but true.
The recommendation really strikes a balance between convenience and security, and it assumes that password-cracking capabilities will continue to increase, as has certainly been true since computers became an integral part of our lives.
Here’s how they came to their recommendation: They assumed a sophisticated attacker might be able to try 1 trillion password combinations per second. If that were the case, it would take 180 years to try every 11-character password built from the 95 printable characters on a keyboard. If you add just one more character, it would now take 17,134 years to break the password, because each added character multiplies the number of possibilities by 95. Given that the computing power of those with evil intent continues to accelerate, that added character gives (for the foreseeable future) a pretty good level of security. We are always asked, “When will the rules change again?” We sure wish we could tell you, but that’s a mystery even to the experts. It’s not just an increase in processing power that makes it hard to predict, but also the harnessing of the power of the cloud, something that the hackers are beginning to exploit.
Lawyers and Passwords
For many years, we have lectured about passwords to audiences of lawyers. In the beginning, it was very frustrating, as lawyers wanted “instant-on” information and were unwilling to take passwords very seriously. This is still true in the case of smartphones. Consistently, when we poll lawyer audiences, more than half do not have a personal identification number (PIN) on their smartphone. They simply want that instant-on access. That’s fine until you lose your phone, which is a tremendously common experience. Now the person that finds your smartphone also has instant-on access to all your data. Not a terribly effective way to safeguard your confidential data.
Make no mistake about it, without a PIN, someone with evil intent will have access not only to data that you yourself could see on your phone but also to whatever deleted data may reside within its memory. This is precisely what we do in a computer forensics lab when phones come in as part of the discovery process, albeit without the evil intent!
Apart from smartphones, lawyers have generally gotten smarter about passwords over time and tend not to use the names of children, sports teams and so on as their passwords.
We still find passwords on sticky notes on monitors or in desk drawers. That is an unending source of despair to all security experts, but apparently, most of us cannot remember our passwords, and indeed, we have a lot of sympathy for the fact that lawyers have so many passwords that it is hard to remember them all.
Passphrases as Passwords
In response, over the last few years, we have joined others who lecture on security and recommended the use of full sentences or passphrases as passwords. They are so much easier for all of us to recall.
“I’msickofLindsayLohan!” is simple enough to remember and complex enough to confound a would-be password cracker. Using characters that are not letters helps add to the complexity and therefore to your security. The English alphabet contains just 26 letters, but there are 95 printable letters, digits and symbols on a standard keyboard. “Mixing it up” makes it even more difficult for cybercriminals to break your password.
Some, including Microsoft, will argue that users should not use real words or logical combinations of letters because they may be guessed by a “dictionary attack” using a database of words and common character sequences. Maybe, but we think that is overkill unless you’re dealing with national security data or the formula for Coca-Cola®.
The research by Georgia Tech was a “brute force” attack, meaning that they tried all possible combinations of characters. The computer graphics cards they deployed are very cheap and easily programmed to perform these sorts of computations. We have software in our forensics lab that will natively use the graphics processing unit (GPU) to attack passwords, so the tools are freely available. The processors in the cards all run simultaneously, working to crack the passwords. Amazingly, these processors, running together, now have the processing power of what we used to call “supercomputers.”
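The figures in the Georgia Tech discussion above (under 2 hours for 8 characters, 180 years for 11, 17,134 years for 12) all come from one piece of arithmetic, and the passphrase discussion turns on how that arithmetic changes when the attacker can assume the password is built from words rather than random characters. The following is an added example and is not code from this book or from the Georgia Tech report. It assumes the 95-character keyboard alphabet and the 1-trillion-guesses-per-second attacker quoted in the text, and a 365-day year; the passphrase model at the end, including its 100,000-entry vocabulary, is an assumption added here to illustrate the dictionary-attack point.

```python
"""Brute-force cost arithmetic behind the 12-character recommendation.

Added example, not from the book or the Georgia Tech report. Assumptions:
passwords are drawn from the 95 printable keyboard characters, the
attacker makes 1e12 guesses per second, and a year is 365 days. The
passphrase model is a simplified illustration with an assumed vocabulary.
"""

PRINTABLE_ASCII = 95
TRILLION_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def exhaust_seconds(length, alphabet=PRINTABLE_ASCII, rate=TRILLION_PER_SECOND):
    """Worst-case time to try every password of that length; on average a
    random password falls in half this time."""
    return keyspace(length, alphabet) / rate


def exhaust_years(length, alphabet=PRINTABLE_ASCII, rate=TRILLION_PER_SECOND):
    return exhaust_seconds(length, alphabet, rate) / SECONDS_PER_YEAR


def minimum_length(target_years, alphabet=PRINTABLE_ASCII, rate=TRILLION_PER_SECOND):
    """Smallest length whose keyspace takes at least `target_years` to
    exhaust. Time grows by a factor of `alphabet` per character, so this is
    how the rule of thumb shifts when attackers get faster."""
    length = 1
    while exhaust_years(length, alphabet, rate) < target_years:
        length += 1
    return length


def passphrase_guesses(words, vocabulary=100_000, trailing_symbols=33):
    """Guesses to exhaust passphrases made of `words` entries from an assumed
    100,000-entry list (names and contractions included, capitalized as
    written) followed by one of the 33 non-alphanumeric keyboard symbols."""
    return vocabulary ** words * trailing_symbols


if __name__ == "__main__":
    for n in (8, 11, 12):
        print(f"{n:2d} chars: {exhaust_years(n):>14,.2f} years at 1e12 guesses/s")
    print(f"12 chars, attacker 1000x faster: {exhaust_years(12, rate=1e15):,.1f} years")
    print("length for 1,000 years at 1e15 guesses/s:", minimum_length(1000, rate=1e15))
    # "I'msickofLindsayLohan!" brute-forced as 22 arbitrary characters...
    brute = exhaust_years(22)
    # ...versus guessed as five dictionary tokens plus a symbol.
    structured = passphrase_guesses(5) / TRILLION_PER_SECOND / SECONDS_PER_YEAR
    print(f"22-char brute force: {brute:.3g} years; as 5 words + symbol: {structured:.3g} years")
```

Under these assumptions the book’s passphrase costs roughly 1e24 years to brute-force character by character but only about ten million years for an attacker who guesses it as five vocabulary entries and a symbol: still far out of reach at a trillion guesses per second, but some seventeen orders of magnitude less than its length alone suggests, which is the gap the dictionary-attack objection is about. The `minimum_length` helper shows the other moving part: a thousand-fold faster attacker pushes the 1,000-year line from 12 characters to 13.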
Practical Password Problems
So let’s say you accept the need for 12-character passwords. Several issues arise. One is that your bank, your stock brokerage and others may not allow for 12-character passwords. There are a lot of web sites out there that still do not permit long passwords, though with each passing day, that is changing.
More problematic is that many sites do not enforce long passwords. They may accept a six-letter password, or they may not insist that you use nonletter characters. This remains a significant problem, as many sites containing sensitive data have not yet caught up with security requirements for the coming decade.
Remembering and Storing Your Passwords
Perhaps the greatest problem is remembering all these passwords. One solution is to use an encrypted flash drive such as the IronKey, which includes a password “vault” application that remembers all the characters for you. This has been our solution, which is great, until we forget the IronKey. We can only sigh remembering how many times that has happened; fortunately, we’ve always been in the same city as the IronKey. We haven’t managed to lose our IronKeys yet, but as small as they are, that would also be easy. There is an insurance policy: You can store your passwords (encrypted) on the IronKey site. But you can sense that there is a nuisance factor here.
There are web sites which will store your passwords for you, but then you must trust the security levels (and employees) of that web site.
Particularly dangerous are social media passwords, which are often used to log in all over the Web. Adding to the danger is the fact that third-party applications regularly require you to turn over your social media ID and password so that they can interact with, say, Facebook and the popular applications Mafia Wars and Farmville. This makes things easy for the user, but now a cybercriminal with a single set of credentials may be able to access multiple sources of information.
For $19.95, you can turn to a product like eWallet (http://www.iliumsoft.com/site/ew/ewallet.php), which will store your passwords in encrypted format and allow you to sync access to it from multiple devices, including