Stephen Bird*
Author’s Note: A November post to the TechnoLawyer Community by Zachary Price offers a number of essential security tips for law firms.[1] This article, much like my earlier article on Security and Privacy (www.practicepro.ca/securitybooklet)[2] that was based on the booklet by Dan Pinnington,[3] will refer to Zachary’s helpful suggestions.
Regularly Update Your Software
Is there a more accurate statement than “no software is ever bug free”? Sometimes it seems we’re beta-testers for software delivered prematurely, although some companies, such as Microsoft with WinXP SP2 and smaller programmer/vendors like those who sell Vopt (defragger) and HyperSnap-DX (screen capture), seem to be offering more stable software. While it is true that hackers exploit bugs for a variety of reasons, including fun and profit, the case for keeping software updated goes beyond the threat from hackers: a problematic product can cost productivity through unexpected crashes, unsaved work, and the time spent trying to fix things.
I agree that software should be updated on a regular basis; however, when should this be done? If you are a lawyer, then you probably have more important things to do than keep track of updates. Configuring the operating system, firewall and antivirus programs to receive regular updates makes a lot of sense.[4] Unfortunately, however, not all updates are improvements.
The Windows Secrets[5] e-zine offers a Windows Patch Watch feature in the paid (very modestly priced) version to assess the quality of patches. For example, in the November 10th issue, Susan Bradley discussed the MS05-053[6] security bulletin and new Office patches, gave an example of a second patch being needed to fix the first patch, suggested that the Macromedia Flash player needs updating, alerted readers to programs that install without warning, and listed her 18+ favorite security blogs. Whew!
A recent posting by a well-respected and knowledgeable (in my view) member of the Windows Home[7] mailing list says: “Microsoft's new security product, OneCare, which will be sold as a subscription, has been released into public beta (free for now). It's pretty much a ‘security center on steroids’. It includes Antivirus, 2-way Firewall, Tune up (auto defrag and temp file cleanup), and Backup/Restore. So far I haven't found anything to dislike, when it's viewed as a product for consumers. As beta software goes, it looks like a finished product, but don't risk an important machine unless you have a good recent image backup.” Unfortunately I found that, for whatever reason, the download of the OneCare Live product is large and thus slow via dial-up – I stopped after an hour or so with only about 25% of the download completed.[8]
Install Firewalls
Zachary tells us: “Firewalls separate one network from another and are frequently used to separate a company's internal network from the Internet. Firewalls not only mask the identity of the individual computers behind them, they also examine and filter potentially damaging data entering or leaving the network. It is good practice to install both perimeter and client side firewalls.” For more information about personal firewalls, visit Wikipedia;[9] and to see if your firewall is effective, visit Gibson Research on the ‘net.[10]
Watchguard (http://www.watchguard.com), Cisco (http://www.cisco.com) and ZoneLabs (http://www.zonelabs.com) are three firewall providers listed by Zachary. ZoneAlarm Security Suite 6.0[11] is a frequent pick of the Windows Secrets newsletter as the best all-in-one software firewall,[12] anti-virus program, and anti-spam filter (and now with anti-spyware scanning and Windows OS kernel protection).
Although I recall using ZoneAlarm a long time ago, my recent experience has been with firewalls from iolo (Kaspersky is bundled with System Mechanic 6), Panda (Platinum 2006 Internet Security), Symantec (Norton Internet Security), and VCom (Sygate is bundled with SystemSuite 6).[13] PC World[14] magazine recently gave Panda Platinum Internet Security 2005 the top score in the security suite category. Panda is installed on one of my Virtual PC WinXP operating systems. It was easy to install and seems to perform well. I like well-integrated utilities.
Install Anti-Virus Protection
According to Zachary, “Hundreds if not thousands of new malicious software programs are released each month. These include viruses, worms, Trojan horses, and a host of other programs. Symptoms of infection range from the annoying to catastrophic.” These programs can slip through firewalls posing as a legitimate e-mail (one, I recall, carried a password-protected zipped attachment, which defeated the anti-virus program’s scan because the scanner could not open it), so user education is of major importance (that is, don’t open something you aren’t expecting – if in doubt, call the sender to confirm the message/attachment). Zachary tells users to install the latest version of client side anti-virus software[15] and make sure to regularly update and scan the system. He lists a number of well established anti-virus products including Symantec’s Norton AntiVirus,[16] AVG,[17] Panda Software,[18] and McAfee.[19] My experience has been with iolo (Kaspersky), Panda, Symantec (Norton AV), and VCom (Trend Micro is the AV product bundled with SystemSuite 6).[20]
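The password-protected attachment described above is worth a closer look, because it shows the limit of scanning alone: the scanner can list what is inside an encrypted archive but cannot inspect it. The following is an added example, not code from the article or from any product it mentions. It is a small gateway-style policy check that rejects attachment types the firm does not accept, and quarantines zip attachments that contain encrypted entries so a person can confirm them with the sender. The accepted-extension list and the sample attachments are assumptions constructed for the demo; the encrypted archive is simulated by setting the zip encryption flag bit, which is the same bit a real check would read.

```python
"""Screen e-mail attachments for archives the anti-virus scanner cannot open.

Added example, not from the article: a mail-gateway style check that
quarantines zip attachments containing password-protected entries, since
an encrypted entry can be listed but not scanned. The sample archives are
constructed in memory; the encrypted one is simulated by setting the zip
encryption flag bit, which is what a real scanner's check would key on.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy (not from the article): only these attachment types are accepted.
SCANNABLE_EXTENSIONS = {".pdf", ".doc", ".txt", ".zip"}


def encrypted_members(zip_bytes: bytes) -> list:
    """Names of entries with general-purpose flag bit 0 set (PKWARE
    encryption). The central directory stays readable even when entry
    contents are encrypted, so names are visible but payloads are not."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def screen_attachment(filename: str, payload: bytes) -> str:
    """Return 'allow', 'quarantine' (hold for a human) or 'reject'."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in SCANNABLE_EXTENSIONS:
        return "reject"
    if ext == ".zip":
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            return "reject"        # named .zip but is not a zip archive
        if encrypted_members(payload):
            return "quarantine"    # contents cannot be scanned
    return "allow"


def build_zip(name: str, content: bytes, encrypted_flag: bool = False) -> bytes:
    """Build a sample archive in memory. The stdlib cannot write encrypted
    entries, so for the 'encrypted' case the flag bit is patched into the
    local and central headers; the check above only looks at that bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        local = data.find(b"PK\x03\x04")     # local file header signature
        central = data.find(b"PK\x01\x02")   # central directory header signature
        data[local + 6] |= 0x01              # general-purpose flags at offset 6
        data[central + 8] |= 0x01            # general-purpose flags at offset 8
    return bytes(data)


# Constructed sample attachments (not real messages).
PLAIN_ZIP = build_zip("statement.txt", b"Balance: 100.00")
LOCKED_ZIP = build_zip("statement.txt", b"Balance: 100.00", encrypted_flag=True)

if __name__ == "__main__":
    samples = [("statement.zip", PLAIN_ZIP), ("statement.zip", LOCKED_ZIP), ("setup.exe", b"MZ")]
    for name, payload in samples:
        print(name, "->", screen_attachment(name, payload))
```

The useful property is that "quarantine" is a separate outcome from "reject": the firm still receives legitimate encrypted archives, but only after someone has confirmed them with the sender, which is exactly the user-education step the article recommends.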
Protect the Content of Your Sensitive Files and E-mail
Again, user education is critically important to avoid sensitive e-mail and files going astray – in other words, think before you send and protect your data. Zachary says: “E-mail doesn't have to be a public announcement, yet private messages often turn out to be. E-mail and files containing sensitive information, such as advice, contracts, financial information, and more, all too often spread beyond the individuals they were intended for. According to a recent report by the Computer Security Institute, loss of proprietary data was the third leading cause of financial damage to organizations last year.”[21] In chapter 7 of the PracticePro booklet, Dan Pinnington talks about the dangers of metadata, and in chapter 8 he describes ways to lock down and protect your data.
Zachary talks about using “rights management” software[22] to protect sensitive business data. He says such software “not only encrypts files, but also serves to enforce access and limit usage privileges such as forwarding, editing, and printing.” Apparently this kind of protection remains with the file no matter where it goes. He concludes by saying: “Any business that frequently exchanges medical, financial, legal, or design data should make regular use of encryption and content rights management technologies.” My experience with rights management includes password protecting Word, WordPerfect and zipped files and change/print restrictions on PDF files. While these methods will keep out casual snoops, users should look for better protection from products such as those from PC Guardian.[23]
Establish a Periodic Data Backup Strategy
Periodic backups are required to ensure business continuity in case of an accident such as a hard drive failure or attack. In a networked environment, full and incremental data backups can be scheduled to take place at regular intervals. Small office environments should back up their sensitive data to an external hard drive or CD at least once a week. It is good policy for companies to back up e-mail as well. Backup data should be stored off site in a secure location. Be sure to test your backup processes to ensure that your data can indeed be restored in case of operational failure.
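To make the full/incremental distinction and the "test your restore" advice concrete, here is an added example; it is not code from the article or from any backup product it names. It takes a full backup of a constructed working folder, records a manifest of file hashes, then takes an incremental backup containing only the files that changed, and finally restores both layers into an empty directory and checks that every hash matches the live data. Directory and file names are made up for the demo; the manifest format is my own and the scheme also honours deletions, which a naive incremental copy would miss.

```python
"""Full and incremental backups with a restore test.

Added example, not from the article: a minimal file-based backup scheme
that takes a full backup, then an incremental backup of only the files
whose content changed, and proves the backup is usable by restoring it to
a fresh directory and comparing SHA-256 hashes. Everything runs inside a
temporary directory on constructed sample files; paths and file names
below are made up for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def file_hashes(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup(src: Path, dest: Path, previous: Optional[dict] = None) -> dict:
    """Copy src into dest/data. With no previous manifest every file is copied
    (full backup); otherwise only files whose hash differs from the previous
    manifest are copied (incremental). The manifest written beside the data
    records the complete state at backup time, so deletions are recorded too."""
    current = file_hashes(src)
    (dest / "data").mkdir(parents=True, exist_ok=True)
    changed = [rel for rel, h in current.items()
               if previous is None or previous.get(rel) != h]
    for rel in changed:
        target = dest / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    (dest / "manifest.json").write_text(json.dumps(current, indent=2))
    return current


def restore(chain: list, target: Path) -> None:
    """Replay the chain (full first, then each incremental in order), then
    prune files the last manifest no longer lists, so deletions are honoured."""
    for layer in chain:
        data = layer / "data"
        for p in data.rglob("*"):
            if p.is_file():
                out = target / p.relative_to(data)
                out.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, out)
    final = json.loads((chain[-1] / "manifest.json").read_text())
    for p in list(target.rglob("*")):
        if p.is_file() and p.relative_to(target).as_posix() not in final:
            p.unlink()


def verify_restore(src: Path, restored: Path) -> bool:
    """A backup only counts once a restore reproduces the data exactly."""
    return file_hashes(src) == file_hashes(restored)


def run_demo() -> dict:
    """Full backup, then change/add/delete files, incremental backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        work, full, incr, restored = (root / n for n in ("work", "full", "incr", "restored"))
        (work / "matters").mkdir(parents=True)
        (work / "matters" / "smith.txt").write_text("draft contract v1")
        (work / "ledger.csv").write_text("date,amount\n2005-11-01,100\n")
        (work / "old_memo.txt").write_text("superseded")

        m1 = backup(work, full)                                           # full backup
        (work / "matters" / "smith.txt").write_text("draft contract v2")  # changed file
        (work / "notes.txt").write_text("new file")                       # added file
        (work / "old_memo.txt").unlink()                                  # deleted file
        backup(work, incr, previous=m1)                                   # incremental backup

        restored.mkdir()
        restore([full, incr], restored)
        return {
            "full_files": sorted(file_hashes(full / "data")),
            "incr_files": sorted(file_hashes(incr / "data")),
            "restore_ok": verify_restore(work, restored),
        }


if __name__ == "__main__":
    print(run_demo())
```

Note that the incremental layer contains only the changed and new files, yet the restore still ends up identical to the live folder, including the removed memo; that equality check, not the existence of the backup files, is what "test your backup processes" means in practice.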
Some secure off site data storage providers (especially important during the last hurricane season) include Iron Mountain (http://www.ironmountain.com), First Backup (http://www.firstbackup.com), and KastenChase (http://www.kastenchase.com). For my take on backups, see “Software for Back ups,” April 15, 2002, and “Better Backups, Part 1,” Hardware (December 15, 2004) and Part 2 Software (January 1, 2005) in The Lawyer’s PC.
Use Strong Passwords
“Passwords are used to authenticate the identity of an individual user. Unless otherwise protected, once a password is broken, your sensitive data is exposed. With free software that is readily available on the Web, most passwords can be broken in a number of minutes. These programs often use known words and phrases to break passwords frequently beginning with “password” and “admin.” For good password security, use a combination of upper case and lower case letters, numbers, and symbols (i.e. eR8!tJd). Make sure that your employees memorize their passwords and that these are not written down anywhere on the premises.” See also The Lawyer’s PC, May 1, 2005.
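The quoted advice combines two separate rules: mix character classes, and avoid the known words that cracking tools try first. The example below is added here and is not code from the article; it applies both rules and also reports the brute-force keyspace in bits, which makes visible why a decorated dictionary word such as "Password1!" satisfies the character-class rule while still being a poor password. The eight-character minimum, the tiny common-word list and the substitution table are assumptions for the demo; a real deployment would check against a breached-password list.

```python
"""Password policy check with a keyspace estimate.

Added example, not from the article: enforces the mixed character-class
rule, rejects passwords built on common words (the short word list here
is constructed; a real deployment would use a breached-password list),
and reports the brute-force keyspace so the difference between a
dictionary word and a random string is visible. The eight-character
minimum is an assumption, not a figure from the article.
"""
import math
import string

# Constructed sample list of words cracking tools try first.
COMMON_WORDS = {"password", "admin", "letmein", "welcome", "qwerty"}

# Undo the usual letter substitutions (@->a, $->s, 0->o, 1->i, 3->e, !->i)
# so that "P@ssw0rd" is recognised as "password". Heuristic, not exhaustive.
LEET = str.maketrans("@$013!", "asoiei")

CLASS_SIZE = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
    "other": 0,                         # non-ASCII: not counted toward keyspace
}


def character_classes(pw: str) -> set:
    """Which of lower/upper/digit/symbol/other the password uses."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            classes.add("other")
    return classes


def core_word(pw: str) -> str:
    """Strip the decorations a dictionary attack expects (leading/trailing
    digits and symbols) and undo substitutions, leaving the word it would try."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(pw: str, min_length: int = 8) -> dict:
    """Return {'ok': bool, 'problems': [...], 'bits': keyspace in bits}."""
    problems = []
    classes = character_classes(pw)
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = {"lower", "upper", "digit", "symbol"} - classes
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if core_word(pw) in COMMON_WORDS:
        problems.append("built on a common word")
    alphabet = sum(CLASS_SIZE[c] for c in classes)
    bits = len(pw) * math.log2(alphabet) if alphabet else 0.0
    return {"ok": not problems, "problems": problems, "bits": round(bits, 1)}


if __name__ == "__main__":
    for candidate in ("admin", "Password1!", "P@ssw0rd", "eR8!tJd"):
        print(candidate, check_password(candidate))
```

The keyspace figure is an upper bound that assumes the attacker has to try every string of that length and alphabet; "Password1!" scores about 65 bits by that measure and is still rejected, because the common-word check models what the cracking programs in the quote actually do. The article's own sample "eR8!tJd" passes every rule except the assumed eight-character minimum.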
Hire a Security Consultant
Zachary notes that every business is different and requires its own security strategy. He suggests hiring an independent security consultant to assess your individual security situation and to create a comprehensive security policy that will meet your business needs.
If your law firm does not have an in-house computer/security expert, then outside help should be hired. It makes more sense to hire an outsider who bills at $50 per hour than to use a lawyer whose time is worth $200 per hour. Either way, it is false economy to say the budget doesn’t allow for such help. How much will it cost if you lose critical data?
It is critically important that the outside “expert” completely understands your business so decisions are not made which may make perfect sense to the security/IT consultant, but fail to protect the law firm, its business, and its responsibility to both clients and the governing body for lawyers in your jurisdiction.
Educate Your Employees
No security plan is effective unless it is followed by staff. While measures can be taken to severely limit user privileges (internet browsing, reading e-mail, or reading/writing of files from/to USB or CD drives), draconian security measures can interrupt workflow as well as damage productivity and morale. Zachary makes a good point when he says: “A better policy is to limit some user privileges while educating your employees about your company's security policies.” See the section of Dan Pinnington’s booklet “take care with current and departing employees” and see the advice from Law.com, “Protect Your Network From the Enemy Within.”[24]
Final Thoughts
Zachary Price’s comments provide a good reminder and nicely complement Dan Pinnington’s booklet. Hopefully, the articles I referenced and my upcoming look at security software (in its broadest terms) will help keep your data secure. Windows Secrets subscribers were recently offered PDF eBook excerpts of two new books: Hardening Windows[25] by Jonathan Hassell, 2nd Edition, and Windows XP Security Solutions[26] by Dan DiNicolo. Both books seem worthwhile – visit Amazon.com for more information and current prices. What was true last spring is still true now that it is winter: Law firms must actively manage their electronic data!
* Stephen Bird is a lawyer and long-time contributing editor of The Lawyer’s PC newsletter. He can be reached at StephenBird@lawyer.com.
[1] The TechnoLawyer post, Essential Security Tips for Law Firms, is an expanded version of IT Security Tips For Small Business found at http://tinyurl.com/dbbf7. Used with permission of the author.
[2] The Lawyer's PC, May 1, 2005.
[3] http://tinyurl.com/5y9gg.
[4] See the 16th November 2005 Editorial, "Is Your Windows Update Working?" and the useful tips offered in the Support Alert Newsletter, Premium SE Edition, an eZine found at http://tinyurl.com/793lp. To update MS Windows visit: http://tinyurl.com/gedj and to update the Mac OS visit: http://tinyurl.com/2jzxr.
[5] http://windowssecrets.com.
[6] http://tinyurl.com/bmznr.
[7] http://tinyurl.com/7ql8n.
[8] Sign up and download it here: http://tinyurl.com/a6ozr. Microsoft is also offering a Windows Live Safety Center (http://tinyurl.com/a5pmn) where users can check for and remove viruses, learn about threats, improve a PC's performance, and get rid of "junk" on the hard drive.
[9] http://tinyurl.com/bqpta.
[10] https://www.grc.com/x/ne.dll?bh0bkyd2 for Shields Up! (grc restricts tinyurl redirection or refreshing of sensitive security areas) and a firewall LeakTest at http://tinyurl.com/4k3fk.
[11] Installation problems with version 6.0.631 (July 21) were reportedly corrected with an updated version 6.0.667 (September 6) of the ZoneLabs product line, which includes ZoneAlarm Pro and ZoneAlarm Security Suite.
[12] Windows Secrets likes offerings from Linksys for hardware firewalls.
[13] VCom's SystemSuite Pro 6 was reviewed in The Lawyer's PC on October 1, 2005.
[14] http://tinyurl.com/9kk5o.
[15] I've read that antivirus "engines" don't change significantly that often, so it is possible to use program versions that are a year or two old provided you know how to obtain and update the virus/data signatures. Sometimes it is less expensive to purchase a new version than to renew one's subscription, which tends to be for a year. It is important to follow installation instructions, especially if one must first uninstall an older version before installing a new version. Hopefully the program is "smart" enough to detect an earlier version and then ask if you want to first uninstall it before installing the new version.
[16] http://tinyurl.com/88qj3.
[17] http://www.grisoft.com.
[18] http://www.pandasoftware.com.
[19] http://tinyurl.com/4epxt.
[20] Unfortunately the Trend Micro updating function is not kind to those of us with dial-up connections because it requires a download of the entire virus database rather than just the new signatures by way of the incremental update used by the other AV programs.
[21] See, for example, http://tinyurl.com/ccd7h.
[22] His list of established providers includes: Authentica (http://www.authentica.com), Essential Security Software (http://www.essentialsecurity.com), and Microsoft IRM (http://tinyurl.com/tv9d).
[23] GuardianEdge (http://www.guardianedge.com) is the encryption software spin-off from PC Guardian (http://www.pcguardian.com), which has been making and selling anti-theft devices since 1984. See also my "Data Lockdown" article in the May 15, 2005 issue of The Lawyer's PC.
[24] http://tinyurl.com/9r6rg.
[25] Published October 2005 by Apress, includes Chapter 4, Windows XP Security, and Chapter 7, Patch Management, ISBN: 1-59059-539-4, 216 pages. Chapter 4 and more information can be found at the publisher's web site: http://tinyurl.com/7r2f2.
[26] Published November 2005 by Wiley (for PC Magazine), includes Chapter 3, Using Built-In Tools and Settings to Improve Windows XP Security, and Chapter 4, Securing Your Web Browser, ISBN 0-471-75478-1, 400 pages. A visit to http://tinyurl.com/cg5lv will get you more information as well as Chapter 1, Implementing User Accounts, Groups, and Logon Security.