Bar News - May 7, 2004
Safeguarding Law Firms by Securing Network Against Viruses and Hackers
By: Tim Platt
MYDOOM, NOVARG, DUMARA, Bagle (Beagle), and Mimail: even after Y2K, these pervasive computer viruses and worms could have been characters in a new science fiction novel entitled 2003: An Internet Odyssey. Today, they are making headline news, yet the rapid rise of threats to computer and network security has caught many businesses, including law firms, by surprise and unprepared for the problems that follow.
Last year, the Slammer worm shut down Bank of America's ATM network, but the damage from viruses and worms is not limited to large companies or financial institutions. Between 80 and 90 percent of businesses and government agencies have experienced a hacker attack within the past year, according to Government Accounting Office (GAO) figures.
Essential elements of a law firm's operations rely on the premise of protecting information sensitive to operations and clients. These include:
- Customer Information: client records and data.
- Operations/Business Processes: creation, storage and retrieval of work product.
- Productivity Tools: e-mail and other office suite applications (e.g., word processing; calendar).
- Financial: accounting and other financial applications, data and reports.
- Administrative: human resource and other records and data.
The Value of Your Network and the Risk
Viruses and worms exploit vulnerabilities in software code and can impair specific applications at the user or enterprise level, or even bring an entire network down. For example, the recent Doom viruses are programmed to unleash digital attacks aimed at overwhelming firms' networks and Internet sites. Additionally, these exploits open windows of opportunity for hackers and other malicious traffic to gain access to data, compromise it, or export confidential information.
Just a few weeks ago Microsoft Corp. acknowledged a "critical" flaw in most versions of its flagship Windows operating system that could allow hackers to break into personal computers and snoop on sensitive data. The flaw, assigned Microsoft's most severe rating, could allow a hacker to break into a computer running Microsoft's Windows operating system in several ways and then use the compromised machine to run malicious programs and steal or delete key data. Although a patch now exists to fix the flaw, Microsoft did not issue the patch until more than six months after Microsoft first learned of the vulnerability.
In a related development, the even more recent release and rapid, wide circulation of two compressed files of Microsoft source code raise the concern that virus writers and hackers could discover vulnerabilities in the software and use it to break into PCs running on Windows 2000 or NT to destroy or steal data.
Law firms should also be concerned about Peer-to-Peer (P2P) file sharing programs (such as Kazaa, Morpheus and Grokster) running on any device connected to their networks. Recent studies show numerous examples of Kazaa users unintentionally making sensitive information or documents available for download by others.
Risk Management
A proactive approach to IT security is relatively simple in concept: block all attacks before they cause harm. This theoretical goal is virtually impossible to achieve, in light of constantly developing technology, software updates, administrative delays and mistakes, and rapidly improving and changing hacking tools.
The risk of a security breach can be managed. About 90 percent of today's security breaches can be prevented, according to technology analyst firm Gartner. The fundamentals for building a more secure network for your law firm should include a simple set of best-practice policies, processes and technologies.
Policies and Processes
Policies focus on codifying what your firm's processes and practices should be. At most law firms, these have been directed at human resources and physical security. Their focus has been on: maintaining confidentiality and establishing access control; identifying security processes; and setting limits on administrative rights to a lawyer's desktop computer. Historically, for digital security purposes, many law firms had policies that relied on user names and passwords to accomplish these objectives. But static passwords are easy to hack, so security is improved by requiring the use of longer (7-digit-plus) alpha-numeric passwords that change frequently. Similarly, a more stringent security policy would require the use of more reliable authentication methods such as biometrics, tokens, or certificate-free authentication using a random key generator.
Processes focus on business methods to reduce security exposures. These include regular assessments of your law firm's network, policies and practices. Also, processes often restrict access to particular applications, workgroups, and databases, or even take them off-line entirely, depending on the changing level of risk and the value of the information assets.
Best Practices: Layered Security
In the context of network security, best practices teach the use of "layered security." Simply put, this means having more than one defense against threats to your network and digital assets. Several years ago, many law firm administrators were content with a firewall at the perimeter of the network and anti-virus software on each lawyer's and staff person's personal computer.
The recent gains achieved in marketing and productivity (i.e., law firm websites, Internet-based legal research, and e-mail) have come at a cost. Traditional firewalls - when properly configured and managed - stop only a very small percentage of actual network-based attacks and do even less to address gaping holes in Web and e-mail applications.
Similarly, anti-virus software is only effective if a new virus is covered by the vendor's filter and signature updates. Zero-hour protection has yet to be achieved because the first victim of a new virus must supply antivirus vendors with signatures before they can provide anti-virus updates to other customers. In any event, anti-virus software does not protect a network from hackers.
Fortunately, security practices have evolved to counter these risks. In addition to new perimeter technologies, there are security products to protect the "host" (i.e., servers, PCs, laptops and other devices), your software applications, client information and other data, and the law firm's network.
Network Security
Besides firewalls, one of the most basic methods of network defense is called the Intrusion Detection System (IDS). The IDS is a device that is placed on the inside of your network, "in front of" any user computers or servers. It operates on the premise of "passive alert." When an intruder is detected on the network, the IDS sends an alert to the network administrator, who must respond to the alert.
Although helpful, IDS tools have several drawbacks:
- They are labor-intensive: someone must review the logs daily or, worse yet, be on call 24/7, responding to every alert (there are generally thousands per day in even the smallest home network).
- They require increasing degrees of specialization: IT staff must stay abreast of the rapidly changing security market.
- They require human intervention and response to the "attack."
- They are not timely: law firm PCs, servers, applications and data are at risk until proper remediation is completed.
Network-based intrusion prevention systems (IPS) overcome these drawbacks by actually stopping known viruses, worms, hackers or other malicious traffic from accessing the law firm's network. The newer IPS products operate at wireline speeds and conduct deep-packet inspection to block offending traffic. The best IPS solutions also provide outbound content filtering, to prevent the inadvertent or unauthorized export of client data or lawyer work product, whether as the result of P2P programs or otherwise.
Network IPS solutions also serve the critical function of protecting the law firm network during the time period between awareness of the software vulnerability and the completion of development, testing, distribution, and installation of a new software patch (at least 200 days in the case of the latest Microsoft "critical" flaw); and between the breakout of a new virus or worm and the development, distribution and installation of a virus signature update.
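The difference between "passive alert" (IDS) and inline blocking (IPS) described above, shown as an added example that is not part of the original article or of any vendor's product. The signatures, the constructed traffic sample, and the addresses are all hypothetical; a real deployment would use a maintained rule set, but the two deployment modes behave exactly as below: the IDS forwards every packet and leaves the administrator with an alert to act on, while the IPS drops the matching packet before it reaches a host. The outbound rule illustrates the content-filtering role the article mentions (stopping work product from leaving the network).

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "inbound" (Internet -> firm) or "outbound" (firm -> Internet)
    payload: str


@dataclass
class Verdict:
    packet: Packet
    signature: Optional[str]  # name of the matching rule, or None
    action: str               # "pass", "alert" (IDS mode) or "block" (IPS mode)


# Constructed, illustrative signatures (hypothetical; not any vendor's rule set).
SIGNATURES = [
    ("SQL keywords in web request", "inbound", re.compile(r"(?i)union\s+select")),
    ("Directory traversal in URL", "inbound", re.compile(r"\.\./\.\./")),
    ("Privileged work product leaving the network", "outbound",
     re.compile(r"PRIVILEGED AND CONFIDENTIAL")),
]


def inspect(packet: Packet, mode: str) -> Verdict:
    """Deep-packet inspection of one packet against the signature list.

    mode="ids": passive; the packet is always forwarded and a match only raises an alert.
    mode="ips": inline; a match drops the packet before any host sees it.
    """
    for name, direction, pattern in SIGNATURES:
        if direction == packet.direction and pattern.search(packet.payload):
            return Verdict(packet, name, "alert" if mode == "ids" else "block")
    return Verdict(packet, None, "pass")


def run(packets, mode: str) -> dict:
    """Process a traffic sample and summarise what each deployment mode achieves."""
    verdicts = [inspect(p, mode) for p in packets]
    return {
        "delivered": sum(1 for v in verdicts if v.action != "block"),
        "alerts": sum(1 for v in verdicts if v.action == "alert"),
        "blocked": sum(1 for v in verdicts if v.action == "block"),
        "matched": [v.signature for v in verdicts if v.signature],
    }


# Constructed traffic sample: two benign requests, one web attack, one outbound leak.
SAMPLE = [
    Packet("203.0.113.9", "192.0.2.10", "inbound",
           "GET /cases/search?q=smith HTTP/1.1"),
    Packet("203.0.113.9", "192.0.2.10", "inbound",
           "GET /cases/search?q=1 UNION SELECT user,pass FROM logins HTTP/1.1"),
    Packet("192.0.2.55", "198.51.100.7", "outbound",
           "POST /upload HTTP/1.1\r\n\r\nPRIVILEGED AND CONFIDENTIAL: Smith v. Jones memo"),
    Packet("192.0.2.55", "198.51.100.7", "outbound",
           "GET /news HTTP/1.1"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), run(SAMPLE, mode))
```

Running the block shows the trade-off the article draws: in IDS mode all four packets are delivered and two alerts wait for a human; in IPS mode the same two packets never reach the server or the Internet, and no one has to be on call to achieve that. The cost, not shown here, is that a false-positive signature in IPS mode blocks legitimate traffic, which is why inline rule sets are tuned more conservatively than alert-only ones.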
Another important element of network protection is patch management. This refers to the process of updating all operating system and application software with all "hot" fixes, patches, updates and other releases to maintain productivity and reduce vulnerabilities. The burden is exacerbated by the large variation of hardware vendors, operating systems, and versions of application software in many firms.
In the past months, this practice has evolved into a labor-intensive problem, and requires IT staff to devote time and specialization to a new task. For example, since September 2003, Microsoft has announced 24 vulnerabilities in its popular Windows and Office software products, 14 of which have had "critical" security flaws.
Patch management point solutions are now available from several vendors that automate this practice and return the firm's IT staff to more productive uses, while remediating critical security vulnerabilities.
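The core of what a patch management tool automates, as an added example that is not the article's own and not any vendor's product: an inventory of hosts with differing operating systems and applications is compared against a patch catalogue, and the missing patches are ranked so that critical ones and the longest-exposed systems come first. The hosts, products and patch identifiers are constructed placeholders, not real Microsoft bulletin numbers; the report date is the article's date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Patch:
    id: str
    product: str
    severity: str   # "critical", "important" or "moderate"
    released: date


@dataclass
class Host:
    name: str
    products: Dict[str, Set[str]]  # product name -> ids of patches installed for it


# Constructed catalogue with placeholder patch ids (hypothetical, not real bulletins).
CATALOGUE = [
    Patch("OS-PATCH-A", "Windows 2000", "critical", date(2004, 2, 10)),
    Patch("OS-PATCH-B", "Windows 2000", "moderate", date(2004, 3, 9)),
    Patch("OS-PATCH-C", "Windows XP", "critical", date(2004, 4, 13)),
    Patch("OFFICE-PATCH-A", "Office 2000", "important", date(2004, 1, 13)),
]

# Constructed inventory: mixed operating systems and application versions, as in many firms.
HOSTS = [
    Host("partner-laptop-01", {"Windows XP": set(), "Office 2000": {"OFFICE-PATCH-A"}}),
    Host("assoc-desktop-07", {"Windows 2000": {"OS-PATCH-A"}, "Office 2000": set()}),
    Host("file-server-01", {"Windows 2000": {"OS-PATCH-A", "OS-PATCH-B"}}),
]

REPORT_DATE = date(2004, 5, 7)  # the article's publication date


def missing_patches(host: Host, catalogue: List[Patch], today: date) -> List[Tuple[Patch, int]]:
    """Return (patch, days since release) for every applicable patch the host lacks."""
    out = []
    for patch in catalogue:
        installed = host.products.get(patch.product)
        if installed is None:          # product not present on this host: not applicable
            continue
        if patch.id not in installed:
            out.append((patch, (today - patch.released).days))
    return out


def compliance_report(hosts: List[Host], catalogue: List[Patch], today: date):
    """Rank remediation work: critical first, then longest exposure, then host name."""
    rows = []
    for host in hosts:
        for patch, days in missing_patches(host, catalogue, today):
            rows.append((host.name, patch.id, patch.severity, days))
    order = {"critical": 0, "important": 1, "moderate": 2}
    rows.sort(key=lambda r: (order[r[2]], -r[3], r[0]))
    return rows


if __name__ == "__main__":
    for host_name, patch_id, severity, days in compliance_report(HOSTS, CATALOGUE, REPORT_DATE):
        print(f"{host_name:20} {patch_id:16} {severity:10} exposed {days} days")
```

The "days exposed" column is the window the article describes between a vendor's release and installation on the firm's machines; a host that never reports into the inventory will not appear in this report at all, so the inventory itself has to be kept complete for the ranking to mean anything.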
Other Security Layers
Additional layers of security may also be appropriate to secure the law firm infrastructure:
- Perimeter defenses still include firewalls, but have expanded to include virtual private networks (VPNs) to permit remote access to your network by authorized users (for example, lawyers working on the road or telecommuting).
- Host-based protections have supplemented traditional anti-virus software with host-based IDS and IPS tools, and with access controls and user authentication for each device.
- Protection of specific software programs includes such technologies as tools that perform input/output validation, application-specific access controls and user authentication.
- Data security can include various types of encryption and encryption algorithms, with or without key agile encryption engines, in addition to data-specific authentication and access controls.
The Big Picture
A secure IT network has become mission-critical for many law firms. Lawyers cannot manage their businesses without safeguarding their clients' confidences, and preserving the integrity and productivity of their IT networks and related data. The damage to a firm's professional reputation from a security breach could be inestimable.
The affordability of many leading security products should make it easier for most law firms to achieve the essential objective of secure IT networks. Also, the availability of managed (outsourced) security services should help burdened IT staffs utilize best-of-breed solutions with lower acquisition costs.
Tim Platt writes frequently about IT security. He is a co-founder of Beadwindow! Corporation, a network security firm, and a principal of Arete Capital Group, an investment bank located in Manchester. Copyright Beadwindow! Corporation 2004.