davemarkowitz.net



Securing Your Law Office Network - An Overview
This article first ran as a post on the TechnoLawyer email list.
For a long time, attorneys had the reputation for being technophobes, resisting the urge to automate their practices with computers and networks. We are thankfully past that time, and now most attorneys, even if they don't use a computer themselves, at least have support staff who do.

With the increased adoption of computer networks, and especially with more and more law office local area networks (LANs) being connected to the Internet, comes an increased responsibility to secure these resources. As an attorney, you have the responsibility to maintain the confidentiality of your communications with your clients, and of the work you generate for them. So, the responsible lawyer will take reasonable steps to secure his network.

Some lawyers, especially those in solo practice or small firms, may be tempted to think that with all the big fish out there, hackers won't bother to look at them. This is unfortunately untrue, and it shows a lack of understanding of what it means to secure one's LAN. So, we will discuss in this article both what "network security" means, and what steps you should take to implement it. We'll also discuss just who should be implementing network security in a law firm.

Let's first define "network security." It does not just refer to protection against outside intrusion. Rather, it is a broader concept, encompassing the protection of your data against loss or disclosure, intentional or otherwise, due to malicious acts, negligence, accidents, or "acts of God." Such data loss can come from:
Means to prevent data loss due to these causes broadly fall into two categories: securing your data against threats, and having a tested backup in case your security fails. We'll now look at the threats, then see about security measures.

Outside threats, especially hackers, are certainly the security threat that gets the most press, although studies have shown that they are not actually the most serious one. For the sake of discussion, I'm going to lump into this category hackers who try to break into your network and computer viruses. Please note also that I'm going to use the term "hacker" to refer to malicious individuals who digitally trespass; true hackers don't go where they don't belong and refer to these people as "crackers." However, "hacker" is the term that is most widespread.

Hackers have various reasons for breaking into your LAN, most of which boil down to "because it's there and they can." It doesn't matter if your firm is big or small; rather, what matters is whether you are vulnerable. This is partially due to the fact that the vast majority of hackers are "script kiddies," or relatively unskilled juveniles who use tools written by others to do their dirty work.

The other main outside threat, and the one which is more of a concern than hackers, is computer viruses. The vast majority of viruses are now spread through email, and take advantage of vulnerabilities in Microsoft applications. For example, the Melissa and ILOVEYOU viruses worked by taking advantage of insecure settings in Outlook, while Nimda attacked machines running Internet Information Server. Nimda could spread via email or Web connections between servers. Even worse from a lawyer's standpoint was the Sircam worm, which took advantage of Outlook vulnerabilities, and sent random files from an infected PC's hard disk as file attachments to emails in the victim's address book. Imagine what would happen if it picked a confidential memo to one of your clients as the file to send to everyone in your address book. Lest you think this is a far-fetched scenario, the author did receive a few such confidential documents in his inbox from infected PCs. And noted computer journalist Jerry Pournelle reported receiving over 400 Sircam-infected emails at the height of its rampage, many of which had confidential attachments from accounting and law firms.

Disgruntled employees are actually a bigger threat to your network than outside hackers, although not necessarily a greater threat than viruses. While they are still working for you they have inside access to your network, and once they leave, they may still be able to get in, depending on whether you've locked out their accounts or whether they've left themselves a back door to get back in.

Mistakes by employees are another threat to your data. We've all accidentally deleted a file we later came to need, and even the most savvy network administrator sometimes goofs up.

Likewise, hardware or software failure can cause damage to your data. Hard disks develop bad sectors, Zip disks develop the "click of death," network cables get short circuited, and data gets corrupted by Windows. As long as computer networks are made by fallible humans, we'll experience all of these annoyances and more.

Finally, Acts of God can destroy your entire network. Your office could burn down, a hurricane could come through and smash your entire neighborhood, or there could be a flood. Maybe all of the above.

With all of these potential threats to our networks, one might be excused for wondering that they work at all. Luckily they do, and there are ways to help keep them working.

The only surefire way to prevent outside sources from breaching your security is to pull the plug on your Internet connection and not allow anyone from outside your firm to put a disk in one of your machines.
Alas, these are not feasible ways to protect your network in the Information Age. But, by taking a multi-tiered approach you can dramatically reduce your exposure.

First, if you have a permanent Internet connection, whether cable modem, DSL or T1, you need to have some kind of a firewall which allows you to access the Internet, but allows only authorized access to your LAN. Such a firewall can be in several forms:

Your choice will depend on the needs of your users and the size of your network, not to mention your budget.

Unless your firewall incorporates virus scanning, you will also need antivirus (AV) software on each PC. Actually, I recommend having AV software on each PC anyway, since you don't necessarily want to depend only on one level of protection. As shown by the historical example of the Maginot Line, a single tier of defense can often be bypassed. Not only should each PC have AV software, you need to ensure that it is kept updated frequently, i.e., at least once a week. It is also not a bad idea to use different AV programs at each level, e.g., WinProxy's built-in Trend AV scanner on your firewalling proxy server, and McAfee Antivirus on your workstations. By employing different AV programs at the perimeter and the inside of your LAN, you minimize the risk that a weakness in one program will let a virus through.

An additional step that I recommend is that law firms (indeed anyone) not use Microsoft Outlook or Outlook Express for email. That's a pretty strong recommendation and I realize that it is not feasible for all organizations, especially those with a substantial existing investment in them. However, while they are both easy-to-use programs, and Outlook allows for use of the MS Exchange groupware applications, they are too insecure unless properly secured and used by technically savvy persons. This opinion is based on my personal experience watching a Fortune 500 company get nearly shut down due to virus attacks exploiting until-then unknown Outlook vulnerabilities on more than one occasion, plus watching the almost daily flow of new Outlook viruses since that time.

Most viruses are targeted at Outlook and Outlook Express, so by merely avoiding their use you dramatically reduce your exposure. And unless you are using Exchange Groupware, you give up little if anything by moving to a different email client, such as Eudora, Netscape Messenger, or Pegasus Mail. If your firm needs a groupware application, then a safer alternative such as Lotus Notes, Novell Groupwise, or the open source phpGroupWare is a better choice.
The means for securing data against disgruntled employees and employee mistakes are mostly the same. You should ensure that your network is set up so that employees have access only to those resources that they need, that strong passwords are used, and that they are sufficiently trained on the technology they are supposed to use. Additionally, anytime that an employee leaves, whether under good circumstances or bad, his account should be locked and the password changed. Note that it is not necessarily a good idea to actually delete the account, since it may be the only one with access to needed data.

The way to safeguard your data against hardware or software failures and acts of God can be summed up in one word: backups. More specifically, tested and verified backups. Every firm will experience one of these threats to the integrity of its data at some point, so it is critical that the firm has in place a system for backing up data and verifying that it can restore the data from the backup. An untested backup is no backup at all. Remember Murphy's Law.
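The restore test described above can be automated. The following is an added example, not part of the original article: it restores a zip archive into a scratch directory and compares SHA-256 digests against the live files. It assumes the source folder has not changed since the backup ran; the file names and the faulty "bad.zip" job are constructed sample data.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(source: Path, archive: Path) -> dict:
    """Do a real test restore into a scratch directory and compare to source."""
    expected = manifest(source)
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)          # the actual restore step
        restored = manifest(Path(scratch))
    return {
        "missing": sorted(set(expected) - set(restored)),
        "changed": sorted(n for n in expected.keys() & restored.keys()
                          if expected[n] != restored[n]),
    }


def demo() -> tuple:
    """Constructed sample data: one complete backup, one that lost data."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "client_files")
        (src / "smith").mkdir(parents=True)
        (src / "smith" / "memo.txt").write_text("Privileged memo (sample)")
        (src / "billing.csv").write_text("matter,hours\n1001,3.5\n")

        good, bad = Path(work, "good.zip"), Path(work, "bad.zip")
        with zipfile.ZipFile(good, "w") as zf:
            for name in manifest(src):
                zf.write(src / name, name)
        with zipfile.ZipFile(bad, "w") as zf:
            # Simulated faulty job: skips one file, truncates another.
            zf.writestr("billing.csv", "matter,hours\n")
        return verify_backup(src, good), verify_backup(src, bad)


if __name__ == "__main__":
    for report in demo():
        print("OK" if not any(report.values()) else f"FAILED: {report}")
```

A backup job that reports success can still produce the second result, which is why the comparison is run against restored files rather than against the backup program's own log.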

The size of the firm and the amount of data it has will influence the backup scheme chosen. For backing up extremely large amounts of data the only choice remains tape. Other firms may be able to back up data to CDs, DVD-RW/DVD-RAM, or other hard disks.

Aside from having a verified onsite backup, in order to protect against things like your office burning down, it is wise to periodically make an extra backup and keep it offsite. This can be an extra tape or CD, or a removable hard disk that your network administrator or other responsible party takes home.

Now that we've discussed what network security is, potential threats, and ways to combat them, we should talk about just who needs to actually implement all this. In most cases, it should not be you, the practicing attorney.

Attorneys are fond of reminding laymen that a professional should be consulted for legal advice. The same applies to network security. While a technically astute lawyer may be able to do a fairly good job of securing his firm's network, this isn't feasible for anything other than a small firm, for a number of reasons:


So, it's generally a good idea to have a computer networking consultant who specializes in network security handle this for you. Such a professional can come in, audit your systems for vulnerabilities, recommend solutions, and keep on top of new developments to ensure that your now-secure system doesn't become unduly exposed as new threats develop.

Hopefully, this article has caused you to think about how you will ensure the security of your network. The prudent attorney will examine the risks to his network resources and take steps to mitigate their impact, thus protecting the confidentiality of his work for clients, and thereby his own livelihood.

Copyright 2003 - 2004 David S. Markowitz