Bar News - September 19, 2003
Information Security for Lawyers: Protecting the Client's Goods
By: Toby Brown
Editor's note: The following is part one of a two-part article on computer security and how to ensure that your law office technology is protected.
In German, the word "wenn" means both "if" and "when." When we talk about computer security, if and when are too often the same thing. If a security problem is possible, it will eventually occur unless you take active measures to prevent it.
To help you take a more active role in information security, you should develop a basic understanding of the technology issues involved. This article is designed to help you do that. Given the special duty lawyers have to protect client information (à la model Rule 1.6), lawyers need to take a very active role in maintaining computer security.
The threats to electronic information are many and growing daily. At the top of the threat list are what I call Alpha Hackers. These people write sophisticated programs (or scripts) for finding and exploiting security vulnerabilities.
Next on the list are thousands of "script kiddies" who take the Alpha-produced programs and run them against random Internet addresses to see what they find. The result is that most attacks are random. Therefore, feeling safe by obscurity is a bad approach. And the day may come when you are a target, since a growing threat is organized criminal attacks on data, which are very sophisticated and persistent.
The likelihood that you will receive attacks is very high. As an example, on any given day, the Utah State Bar logs around 800 attack attempts.
Two things to consider when defending against computer security threats: First, threats are very dynamic. Every day, new threats and new methods of attack emerge. This state of affairs requires constant vigilance to maintain security. Second, as you review the various security issues, think in terms of policy. You will likely never be a security expert, but you can set and enforce policies that drive good security.
Security Defined
Computer security has three basic components. The first is physical security, the security of the building and the rooms where your computers are housed. Is the door locked to the server room? Are there adequate ventilation controls? Are the servers password-protected? These are simple issues to address, but are often overlooked.
The next component is human security, actually a very significant concern. People are unpredictable. Some become disgruntled. Some can be influenced easily by money (bribes) and many just don't pay attention. Have good policies in place for managing your personnel to limit security problems.
Finally, there is technical security, the focus of this article.
Technical security can be further broken down into: firewalls, virus protection, software holes, and back-ups.
Firewalls
Firewalls are like the moat around a castle. They make it difficult (but not impossible) to enter the castle. Generally they come in two varieties: software and hardware. Simple software firewalls can be loaded onto a desktop or laptop.[1] These are usually a second line of defense, which brings up a good policy point: Good security is security that fails well - that is, it allows the next line of defense to fall into place. Without layers of security, when a hacker gets past one line of defense, he/she has access to everything. Good security policies drive multi-layered defenses.
Hardware firewalls are typically the major line of defense between a network and the Internet. These are more expensive and have more functionality.[2]
One functionality built into most firewalls, and also available separately, is intrusion detection. Going back to our castle analogy, even with a moat, you still place guards along the wall to watch for attacks. If you never check to see the types of attacks occurring, how can you expect to stay secure? Again think policy. Direct your IT staff (whether internal or out-sourced) to regularly check intrusion logs, make appropriate responses and report activity to management.
Virus Protection
Virus protection software has two components: the engine and the list of known viruses. The list needs to be updated regularly. A good policy is to automate updates once a week. I also do a manual update whenever I read a virus alert.
Finally, be aware of virus hoaxes. A well-known one is the Teddy Bear virus. Typically you receive a forwarded 'alert' from a friend saying a specific file should be deleted to cure the problem. Prior to performing any remedial action on a virus, you should check to see if it is authentic. You can do this at www.symantec.com/search/ or other virus software providers' Web sites.
Software Holes
This category is becoming the black hole of security concerns. Primarily this type of security vulnerability occurs with the Windows™ operating system (OS). This type of vulnerability follows a hack - alert - patch routine. A hack method is discovered. An alert goes out. Then a patch is released. Unfortunately, it can take a week or two for these steps to transpire, so you may be vulnerable during that time. A good policy would be to keep close track of alerts so that patches are promptly installed once released.
Microsoft has stated that its focus is now on "security over functionality." However, it will take a few years to fully integrate this new approach into its product line.
Back-ups / Disaster Recovery / Business Continuation
I like the term "business continuation" for this category, since the main focus should be on how you continue to operate your business after disaster strikes. We also have to again consider the lawyers' duty to properly protect client data. This protection means keeping the information intact and accessible.
Issues here focus on when back-ups occur, how they occur and where they are located. Policy should dictate a solid back-up routine. Currently your back-up policies may be determined by geeks who care more about IT resources than legal obligations, so you may want to visit the back-up rotation.
Next in line is how you back up, as in what sort of back-up media you use. Magnetic tapes are very popular, which (indirectly) brings up our next policy issue: How often do you test your back-up? Once-a-month testing is a good idea. With tapes, retrieving backed-up files is a slow and tedious process. Other media options include SANs (a.k.a. large external hard drives), CDs or even online services. Online services are an emerging tool that allows complete back-ups over the Internet to secure data centers.[3] In the long run, I see most organizations going this way. Since everything is automated, offsite storage is implied, and you can access the backed-up data from wherever you are. Final business continuation words: Back up your data and test it regularly.
In part two, Brown will discuss ethics issues, emerging threats and how to address your firm's computer security needs.
Endnotes
1. An example is ZoneAlarm from Zone Labs - www.zonelabs.com.
2. See Cisco Systems - www.cisco.com.
3. AmeriVault and Iron Mountain are two providers for this type of service. Before utilizing this type of service you will want to ask a variety of due diligence questions about the security of these systems.
Toby Brown wears a variety of technology and legal management hats. He is the president of Roberts Brown LLC, a legal technology consulting firm. In this role he provides advice and consulting on emerging technologies for bar associations and lawyers, including a consortium of state bar associations in New England, including the NHBA.