September 13, 2011

Securing Your Firm: Information Security from 30,000 Feet

Law firms need to adequately address new and growing areas of security involving their digital data.

By Josh Lippy

For years, security was an afterthought in an organization’s infrastructure design. Much of this was because early operating systems and applications were developed for ease of use rather than for resisting security breaches. By nature, security measures make computers less user-friendly, and adding security measures threatened growth and competitive advantage. During the early computing boom, choosing this “ease of use” path to encourage adoption by as many users as possible gained large software and system providers market share. Software companies eventually found out the hard way that what made their systems popular also exposed them to rampant attack.

Compliance issues and exposures resulting from Internet connectivity, both common to law firms, have driven cyber security to become one of the fastest growing segments of the information technology field. The World Wide Web is the “wild west” of the digital frontier. As a law firm frequently handling extremely sensitive and proprietary information, we must not take digital security lightly. Protecting the attorney-client privilege electronically is an appropriate client expectation. Law firms must uphold this important relationship in all aspects of firm business. Law firms need to adequately address new and growing areas of security.

The Password Dilemma
Security starts with the most familiar and the most abused component of any user’s access: network credentials. Enforcing both strong password requirements and a regular password reset policy is a good place to start. Strong passwords require a combination of characters, including upper and lowercase letters, numbers, and symbols. A minimum password length should be set at 10 characters and can be controlled by your IT department. The firm should have a written policy that defines acceptable passwords for users.

The old adage that “passwords get passed around” has held true since the inception of passwords. User education and policies should be implemented to enforce password privacy. Further, the recording of passwords in any form that can be shared or viewed by others should be strictly prohibited. Passwords are the largest potential security hole in a network. This is because human behavior ultimately dictates whether a password policy is enforced or violated. The challenge with password requirements and enforcement is finding the balance between choosing a password easy enough for a user to remember (so they don’t write it down) yet strong enough to withstand a breach through guessing with automated tools and other attacks.

Data Encryption
If a thief wanted to sign into a computer on a firm’s network but did not know any valid network credentials, the operating system would deny access. On the surface, that would make it appear that the data on the computer’s hard disk would also be inaccessible. However, the typical file system is not encrypted. Therefore, in the event of physical system theft, the hard disk attached to the PC could be removed and connected to another system, thus compromising the data and making it completely accessible for manipulation and viewing.

Microsoft Windows has the built-in functionality of EFS, or Encrypting File System. When implemented, EFS encrypts all data on a hard disk, making the contents inaccessible to anyone without proper login credentials. Alternatively, for a more robust solution, Windows 7 Enterprise includes a feature called BitLocker. BitLocker is another form of data encryption that is feature-rich and easier to implement than EFS. Most firms today have more portable computers than desktops, making encryption a key part of securing organizational data.

Antitheft Devices
Antitheft tracking devices are a popular add-on offered with the purchase of a new car. In recent years, these same antitheft solutions have become available for portable computers. Should a PC become lost or stolen, the antitheft tracking software can be utilized to locate it. Just like locating a car, a laptop location can be remotely identified and law enforcement notified to recover the stolen equipment. In addition to locating the lost equipment, the system can remotely wipe all data via a cloud service or disable the system by locking it up until the PC is returned to the owner. Mobile devices also have similar capabilities using cloud services. These services allow you to track an iPhone or Android device’s location if it is misplaced and also allow the same type of data wipe mentioned above.

Security Updates
Microsoft has done an effective job of correcting past security flaws in their products. To be more consistent with patch releases, they instituted Patch Tuesday several years ago. On the second Tuesday of every month, Microsoft releases critical security updates for their software. Automating the installation of these patches is critical to the security of any firm’s infrastructure. A simple solution is to set all PCs to automatically download and install patches. While this is very easy, it isn’t the best practice and lacks central management. One wrong patch can create serious support calls. Further, there is no insight into patch status on every system.

An automated tool should be utilized to manage, approve, and deploy all security patches within an environment. Microsoft has a free product called Windows Server Update Services (WSUS), which is specifically designed to manage, apply, and report on security updates in the Windows environment. Alternatively, managed service providers typically include patch management as part of their IT service. In this scenario, all security patching is handled as part of the standard service using third-party remote management and monitoring tools.

Either solution presents an optimal way to keep up with the plethora of security patches Microsoft releases for all of its products every year.
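The lack of insight into per-machine patch status described above can be illustrated with a short audit script. This is an added example, not part of the original article and not a substitute for WSUS reporting; the computer names and the 35-day staleness threshold are assumptions, and it presumes Windows PowerShell with remote WMI access to the listed machines.

```powershell
# Added example: report the most recent installed update on each computer.
# Assumptions (not from the article): the names below are placeholders and
# 35 days (one Patch Tuesday cycle plus a grace week) counts as stale.
$computers  = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')   # hypothetical names
$maxAgeDays = 35
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

$report = foreach ($name in $computers) {
    $id = $null; $date = $null
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target, so it
        # lists only the updates that class reports, not every update.
        $latest = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |        # some entries have no date
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        if ($latest) {
            $id   = $latest.HotFixID
            $date = $latest.InstalledOn
            $status = if ($date -lt $cutoff) { 'STALE' } else { 'OK' }
        } else {
            $status = 'NO DATA'
        }
    } catch {
        # Machines that are offline or block remote queries are exactly the
        # ones an unmanaged auto-update setting never reports on.
        $status = 'UNREACHABLE'
    }

    New-Object PSObject -Property @{
        Computer    = $name
        Status      = $status
        LastHotFix  = $id
        InstalledOn = $date
    }
}

# Problem machines sort to the top of the table for follow-up.
$report | Sort-Object Status -Descending |
    Format-Table Computer, Status, LastHotFix, InstalledOn -AutoSize
```

Any row marked STALE, NO DATA or UNREACHABLE is a machine whose patch state needs to be confirmed by hand or through the central management tool.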

Antivirus and Anti-Malware
Antivirus solutions are synonymous with safe computing today. All PCs ship with some sort of antivirus solution for free, at least for a trial period. In a corporate environment, similar to the WSUS server offered by Microsoft for patching, centrally managed antivirus is a required tool. Selecting a specific vendor for your antivirus solution is important. Making it work in a centrally managed and consistent manner is even more important. Often centrally managed antivirus is installed improperly, incompletely rolled out, and not properly reviewed for functionality. In short, corporate antivirus can be useless to protect your environment if someone isn’t keeping a watchful eye on it at least once a month.

With the proliferation of viruses in the past decade, security companies have perfected antivirus to a point where outbreaks are rare. Instead, what we see infecting our computers today is actually considered spyware or malware. Malware is a program that can be inadvertently installed by a user who thinks he is doing something useful. The user is lured by helpful-looking web links that ultimately violate the system with unwanted software and spyware or malware. While antivirus programs include some protection from spyware and malware, programs such as Malwarebytes and Spybot were developed to assist with this growing threat and should be considered as extra protection for nuisance software in any organization.

Penetration Testing
In this article, critical components of infrastructure security have been presented to assist in creating dialogue with the appropriate resources that manage information technology at any firm. Once these items are properly addressed, regular verification of process and policy implementation can ensure that systems are secured to specifications set by the firm. Many technology-services firms specialize in “ethical hacking” and penetration testing to verify if a network is truly secure. These tests can be performed both internally and externally to thoroughly review a firm’s security measures. Once performed, a remediation report offers a road map to close any remaining gaps in a firm’s security posture. An annual audit by an independent third party also ensures the effectiveness of the security tools utilized by a firm.

Final Thoughts
Securing a firm’s infrastructure and data can seem like a daunting task. Depending on the size of the firm, it may very well be a full-time job. It requires more forethought and focus than the typical management mindset may expect to properly implement and maintain a firm’s security posture. Securing the right internal resources or outsourced services solution specializing in security can ultimately contribute to the successful implementation of a very important part of any law practice.

Keywords: security, information technology, encryption, passwords

Josh Lippy – September 13, 2011

Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).