
Locked down information security for lawyers




DOCUMENT INFORMATION

Basic information

Format
Pages: 467
Size: 1.87 MB

Content

Locked Down

SHARON D. NELSON, DAVID G. RIES, AND JOHN W. SIMEK

Commitment to Quality: The Law Practice Management Section is committed to quality in our publications. Our authors are experienced practitioners in their fields. Prior to publication, the contents of all our books are rigorously reviewed by experts to ensure the highest quality product and presentation. Because we are committed to serving our readers' needs, we welcome your feedback on how we can improve future editions of this book.

Cover design by RIPE Creative, Inc.

Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only.

The products and services mentioned in this publication are under trademark or service-mark protection. Product and service names and terms are used throughout only in an editorial fashion, to the benefit of the product manufacturer or service provider, with no intention of infringement. Use of a product or service name or term in this publication should not be regarded as affecting the validity of any trademark or service mark.

The Law Practice Management Section of the American Bar Association offers an educational program for lawyers in practice. Books and other materials are published in furtherance of that program. Authors and editors of publications may express their own legal interpretations and opinions, which are not necessarily those of either the American Bar Association or the Law Practice Management Section unless adopted pursuant to the bylaws of the Association. The opinions expressed do not reflect in any way a position of the Section or the American Bar Association, nor do the positions of the Section or the American Bar Association necessarily reflect the opinions of the author.

© 2012 American Bar Association. All rights reserved. Printed in the United States of America. 16 15 14 13 12

Library of Congress Cataloging-in-Publication Data
Nelson, Sharon D.
Locked down: information security for law firms / Sharon D. Nelson, David G. Ries and John W. Simek. p. cm. Includes index. ISBN 978-1-61438-364-2
Law offices—Computer networks—Security measures—United States. I. Ries, David G., 1949- II. Simek, John W. III. American Bar Association. Section of Law Practice Management. IV. Title.
KF320.A9N45 2012 340.068'4—dc23 2012007683

Discounts are available for books ordered in bulk. Special consideration is given to state bars, CLE programs, and other bar-related organizations. Inquire at Book Publishing, American Bar Association, 321 North Clark Street, Chicago, Illinois 60654-7598. www.ShopABA.org

Dedication

AUTHORS NELSON AND SIMEK dedicate this book to our ever-growing family, having enjoyed two weddings last year and the addition of two grandchildren to our family. With great love, we dedicate this book to Kelly and Jeff Ameen, JJ and Sarah Simek, Sara and Rob Singmaster, Jason and Natalia Simek, Kim and Chris Haught and Jamie Simek as well as grandchildren Samantha and Jordan.

Author Dave Ries dedicates this book to his wife, Debbie, Dave Jr. and Jenelle Ries, my granddaughter Ellie, and Chris and Liz Ries. Their love and support have made this book and much more possible.

About the Authors

Sharon D. Nelson, Esq.

Sharon D. Nelson is the President of Sensei Enterprises, Inc. Ms. Nelson graduated from Georgetown University Law Center in 1978 and has been in private practice ever since. She now focuses exclusively on electronic evidence and information security law. Ms. Nelson and Mr. Simek are the coeditors of the Internet law and technology newsletter Bytes in Brief. Ms. Nelson, Mr. Simek and their Sensei colleague Maschke are the coauthors of the 2008, 2009, 2010, 2011 and 2012 editions of The Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple. Ms. Nelson and Mr. Simek are also coauthors of Information Security for Lawyers and Law Firms (American Bar Association 2006). Additionally, Ms. Nelson and Mr. Simek are coauthors of The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines (ABA 2006). Ms. Nelson is a coauthor of How Good Lawyers Survive Bad Times (ABA 2009). Their articles have appeared in numerous national publications, and they frequently lecture throughout the country on electronic evidence and legal technology subjects. Ms. Nelson and Mr. Simek are the hosts of the Legal Talk Network's Digital Detectives podcast, and Ms. Nelson is a cohost of the ABA's The Digital Edge: Lawyers and Technology podcast.

Ms. Nelson will become the Vice President of the Virginia State Bar in June 2012 and its 75th President in June 2013. She is the past President of the Fairfax Bar Association, a Director of the Fairfax Law Foundation, past Chair of the ABA's TECHSHOW Board and past Chair of the ABA's Law Practice Management Publishing Board. She currently serves on the Governing Council of the ABA's Law Practice Management Section and as the Chair of its Education Board. She serves as a member of the Sedona Conference and of EDRM. She is a graduate of Leadership Fairfax and serves on the Governing Council of the Virginia State Bar as well as on its Executive Committee. She is the Chair of the VSB's Unauthorized Practice of Law Committee and serves on both its Technology Committee and its Standing Committee on Finance. She also serves on the Virginia Supreme Court's Advisory Committee on Statewide E-filing. She is a member of the ABA, the Virginia Bar, the Virginia Bar Association, the Virginia Trial Lawyers Association, the Virginia Women Attorney Association, the Women's Alliance for Financial Education and the Fairfax Bar Association.

David G. Ries, Esq.

David G. Ries is a partner in the Pittsburgh office of Thorp Reed & Armstrong, LLP, where he practices in the areas of environmental, commercial and technology litigation. He has used computers in his practice since the early 1980s and chairs his firm's e-Discovery and Records Management Group. He served two terms as a member and Chair of a Hearing Committee for the Disciplinary Board of the Supreme Court of Pennsylvania. Dave received his J.D. from Boston College Law School in 1974 and his B.A. from Boston College in 1971.

He has represented clients in a variety of technology litigation matters, including major systems implementation cases, and has advised clients on a number of technology law issues such as information security and privacy compliance, hardware and software agreements, electronic payments, technology use policies, domain name disputes, electronic records management, response to computer intrusions and electronic contracting. He is a member of the ABA Law Practice Management Section Council and a member of the ABA Section of Science and Technology's Information Security Committee. He served on the ABA TECHSHOW Planning Board from 2005 through 2008. Dave has frequently spoken on ethics, legal technology and technology law issues for legal, academic and professional groups, including the American Bar Association, the Association of Corporate Counsel, the Energy & Mineral Law Foundation, the Pennsylvania Bar Institute, the Information Systems Security Association and Carnegie Mellon University. He recently wrote "Safeguarding Client Data—Your Ethical and Legal Obligations," Law Practice Magazine (July/August 2010). He is the editor of eDiscovery, 2nd ed. (PBI Press 2011) and is a contributing author to Information Security: A Legal, Business and Technical Handbook, 2nd ed. (American Bar Association 2011) and Information Security for Lawyers and Law Firms (American Bar Association 2006).

John W. Simek

John W. Simek is the Vice President of Sensei Enterprises, Inc. He is an EnCase Certified Examiner (EnCE) and a
threat and the harm it could do to a system if it has a vulnerability.

Threat Vector—The method a threat uses to get to the target.

Time to Live—A value in an Internet Protocol packet that tells a network router whether or not the packet has been in the network too long and should be discarded.

Tiny Fragment Attack—With many IP implementations, it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter. STD 5, RFC 791 states: "Every Internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an Internet header may be up to 60 octets, and the minimum fragment is octets."

Token Ring—A local area network in which all computers are connected in a ring or star topology, and a binary digit or token-passing scheme is used to prevent the collision of data between two computers that want to send messages at the same time.

Token-Based Access Control—Access control that associates a list of objects and their privileges with each user. (The opposite of list based.)
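The Tiny Fragment Attack entry above describes the filter-evasion problem but not the check a packet filter should make. The added example below is not from the book; it implements the two defensive tests described in RFC 1858 ("Security Considerations for IP Fragment Filtering") in Python: drop a first fragment (offset 0) of a TCP packet that carries fewer than a minimum number of transport octets, and drop any fragment whose offset is exactly 1, since such a fragment would overwrite the TCP flags of the first fragment. The minimum of 16 octets is RFC 1858's suggested value and is an assumption here; the function names, the zero IP checksum and the sample packets are all constructed for this illustration.

```python
import struct

# Protocol numbers carried in the IPv4 header "protocol" field.
PROTO_TCP = 6
PROTO_UDP = 17

# Minimum number of transport-layer octets a first fragment must carry so that a
# filter can see the TCP ports and flags. 16 is the "tmin" value RFC 1858 uses
# (assumption: a site may choose a larger value, never a smaller one).
MIN_FIRST_FRAGMENT_TCP = 16


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and return the fragmentation fields."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_off,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # header length in octets
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "more_fragments": bool(flags_off & 0x2000),  # MF flag
        "frag_offset": flags_off & 0x1FFF,            # in units of 8 octets
        "transport_len": total_len - ihl,             # octets after the IP header
    }


def fragment_verdict(pkt: bytes) -> str:
    """Return 'accept' or a 'drop: ...' reason for one IPv4 packet or fragment."""
    hdr = parse_ipv4_header(pkt)
    if hdr["proto"] != PROTO_TCP:
        return "accept"  # the two tests only concern TCP header visibility
    if hdr["frag_offset"] == 0 and hdr["transport_len"] < MIN_FIRST_FRAGMENT_TCP:
        # Direct method: a first fragment too short to contain ports and flags.
        return "drop: first fragment too small to carry the TCP header fields"
    if hdr["frag_offset"] == 1:
        # Indirect method: an 8-octet offset lands inside the TCP header and
        # could overwrite the flags in the first fragment on reassembly.
        return "drop: fragment offset 1 overlaps the TCP header"
    return "accept"


def build_ipv4_fragment(payload: bytes, frag_offset: int, more_fragments: bool,
                        proto: int = PROTO_TCP) -> bytes:
    """Construct a sample IPv4 packet (checksum left zero; test data only)."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, flags_off,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = {
    "tcp_first_fragment_ok":   build_ipv4_fragment(b"\x00" * 24, 0, True),
    "tcp_tiny_first_fragment": build_ipv4_fragment(b"\x00" * 8, 0, True),
    "tcp_offset_one_fragment": build_ipv4_fragment(b"\x00" * 16, 1, False),
    "tcp_unfragmented":        build_ipv4_fragment(b"\x00" * 20, 0, False),
    "udp_small_datagram":      build_ipv4_fragment(b"\x00" * 8, 0, False, PROTO_UDP),
}


def triage(packets: dict) -> dict:
    """Apply fragment_verdict to every sample and return name -> verdict."""
    return {name: fragment_verdict(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_PACKETS).items():
        print(f"{name:26s} {verdict}")
```

Both tests are stateless, which is why they suit a simple packet filter: neither needs the filter to reassemble fragments or remember earlier ones. Dropping the offset-1 fragment never harms legitimate traffic, because no sane stack emits a second fragment beginning only 8 octets into the TCP header.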
Token-Based Devices—A device that is triggered by the time of day, so every minute the password changes, requiring users to have the token with them when they log in.

Topology—The geometric arrangement of a computer system. Common topologies include a bus, star and ring. The specific physical (i.e., real) or logical (i.e., virtual) arrangement of the elements of a network. Note 1: Two networks have the same topology if the connection configuration is the same, although the networks may differ in physical interconnections, distances between nodes, transmission rates and/or signal types. Note 2: The common types of network topology are illustrated.

Traceroute (tracert.exe)—A tool that maps the route a packet takes from the local machine to a remote destination.

Transmission Control Protocol (TCP)—A set of rules (protocol) used along with the Internet Protocol to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Transport Layer Security (TLS)—A protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer.

Triple DES—A block cipher, based on DES, that transforms each 64-bit plaintext block by applying the Data Encryption Algorithm three successive times, using either two or three different keys, for an effective key length of 112 or 168 bits.

Triple-Wrapped—S/MIME usage: data that have been signed with a digital signature, then encrypted and then signed again.

Trojan Horse—A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Trunking—Connecting switches together so that they can share VLAN information between them.

Trust—A determination of which permissions and what actions other systems or users can perform on remote machines.

Trusted Ports—Ports below number 1024, usually allowed to be opened by the root user.

Tunnel—A communication channel created in a computer network by encapsulating a communication protocol's data packets in (on top of) a second protocol that normally would be carried above, or at the same layer as, the first one. Most often, a tunnel is a logical point-to-point link (i.e., an OSI layer connection) created by encapsulating the layer protocol in a transport protocol (e.g., TCP), in a network or internetwork layer protocol (e.g., IP) or in another link layer protocol. Tunneling can move data between computers that use a protocol not supported by the network connecting them.

UDP Scan—Scans performed to determine which UDP ports are open.

Unicast—Broadcasting from host to host.

Uniform Resource Identifier (URI)—The generic term for all types of names and addresses that refer to objects on the World Wide Web.

Uniform Resource Locator (URL)—The global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located. For example, http://www.pcwebopedia.com/index.html

UNIX—A popular multiuser, multitasking operating system developed at Bell Labs in the early 1970s. Created by just a handful of programmers, UNIX was designed to be a small, flexible system used exclusively by programmers.

Unprotected Share—In Windows terminology, a share is a mechanism that allows a user to connect to file systems and printers on other systems. An unprotected share is one that allows anyone to connect to it.

User—A person, organization entity or automated process that accesses a system, whether authorized to do so or not.

User Contingency Plan—The alternative methods of continuing business operations if IT systems are unavailable.

User Datagram Protocol (UDP)—A communications protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network. UDP uses the Internet Protocol to get a datagram from one computer to another but does not divide a message into packets (datagrams) and reassemble it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrive in.

Virtual Private Network (VPN)—A restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (e.g., the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network. For example, if a corporation has LANs at several different sites, each connected to the Internet by a firewall, the corporation could create a VPN by (1) using encrypted tunnels to connect from firewall to firewall across the Internet and (2) not allowing any other traffic through the firewalls. A VPN is generally less expensive to build and operate than a dedicated real network because the virtual network shares the cost of system resources with other users of the real network.

Virus—A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Voice Firewall—A physical discontinuity in a voice network that monitors, alerts and controls inbound and outbound voice network activity based on user-defined call admission control (CAC) policies, voice application layer security threats or unauthorized service use violations.

Voice Intrusion Prevention System (IPS)—Voice IPS is a security management system for voice networks which monitors voice traffic for multiple calling patterns or attack/abuse signatures to proactively detect and prevent toll fraud, denial of service, telecom attacks, service abuse and other anomalous activity.

War Chalking—Marking areas, usually on sidewalks with chalk, that receive wireless signals that can be accessed.

War Dialer—A computer program that automatically dials a series of telephone numbers to find lines connected to computer systems and catalogs those numbers so that a cracker can try to break into the systems.

War Dialing—A simple means of trying to identify modems in a telephone exchange that may be susceptible to compromise in an attempt to circumvent perimeter security.

War Driving—The process of traveling around looking for wireless access point signals that can be used to get network access.

Web of Trust—The trust that naturally evolves as a user starts to trust others' signatures and the signatures that they trust.

Web Server—A software process that runs on a host computer connected to the Internet to respond to HTTP requests for documents from client web browsers.

WHOIS—An IP for finding information about resources on networks.

Windowing—A system for sharing a computer's graphical display presentation resources among multiple applications at the same time. In a computer that has a graphical user interface (GUI), you may want to use a number of applications at the same time (this is called multitasking). Using a separate window for each application, you can interact with each application and go from one application to another without having to reinitiate it. Having different information or activities in multiple windows may also make it easier for you to do your work. A windowing system uses a window manager to keep track of where each window is located on the display screen and its size and status. A windowing system doesn't manage only the windows but also other forms of graphical user interface entities.

Windump—A freeware tool for Windows that is a protocol analyzer that can monitor network traffic on a wire.

Wired Equivalent Privacy (WEP)—A security protocol for wireless local area networks defined in the standard IEEE 802.11b.

Wireless Application Protocol—A specification for a set of communication protocols to standardize the way that wireless devices, such as cellular telephones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups and Internet Relay Chat.

Wiretapping—Monitoring and recording data that is flowing between two points in a communication system.

World Wide Web (the Web, WWW, W3)—The global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms.

Worm—A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network and may consume computer resources destructively.

Zero Day (Zero Hour or Day Zero) Attack—A computer attack or threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.

Zombies—A zombie computer (often shortened as zombie) is a computer connected to the Internet that has been compromised by a hacker, a computer virus or a Trojan horse. Generally, a compromised machine is only one of many in a botnet and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.

APPENDIX N

Updates

Data Breaches

Another victim of a data breach was Stratfor, also known as Strategic Forecasting. They were attacked by the collective hacker group Anonymous at the end of December 2011. Their servers were breached and the attackers had access to subscriber information, including about 75,000 credit card numbers. Guess what? The credit card information was stored in clear text and NOT encrypted. That's a real big NO NO! How many stories of data compromise do we have to hear before we start to encrypt all important information? Encryption is not that difficult. By now you should know that we are huge fans of encrypting confidential data.

As a follow-up, the stolen subscriber list is now facilitating the transmission of malware. Think about it. With the information taken from Stratfor, the bad guys are now sending out malware-infested e-mails that are very targeted and customized for the individual recipient. The messages arrive with an attachment titled "stratfor.pdf." Opening the file warns the reader that they may receive a phishing message containing a virus. To remedy the situation, just click on the link in the file, which attempts to infect the computer with a variant of the Zbot or Zeus Trojan Horse.

A Ponemon Institute study released in January 2012 revealed that 60% of data lost or stolen was not encrypted, according to the IT professionals surveyed. More than 60% of the respondents said that their company had increased their information security budget after the breach. As we've said before, "after the breach" is not the ideal time—"before the breach" is much better and may prevent the
breach.

As we go to press, there have been some notable stories to add. The hacktivist group Anonymous has breached the e-mails of Virginia law firm Puckett and Faraj, exposing GB of law firm e-mails. It was targeting e-mails about a Marine who admitted to killing Iraqi citizens but got off with a finding of "negligent dereliction of duty," but also exposed the e-mails of sexual assault victims and a former law partner who had represented Guantanamo detainees.

In addition, seven Canadian law firms were breached by Chinese-based hackers, according to Bloomberg Businessweek. The January 2012 article said the hackers were looking to derail the $40 billion acquisition of the world's largest potash producer by an Australian mining company. The FBI revealed that it was so concerned about law firm breaches that it held a November 2011 meeting with the top 200 law firms in New York City to brief them on cybersecurity threats.

And just as this book went to the printer, one Pennsylvania law firm (Eliot Greenleaf & Siedzikowski) is suing ex-partner William Balaban and his new firm (Stevens & Lee) for allegedly deleting law firm files before he left and taking 78,000 files with him, allegedly using Dropbox (the file syncing cloud software). We were unable to make sense of the allegation that Dropbox was used for ongoing access to the firm network, but look for an update on this case when the book is published. Another data breach tool has strutted across the stage!

Smartphones

As discussed in the main text, comparing mobile operating systems is a challenge because comparison is a moving target. After the Symantec analysis, the iPhone 4S and iOS 5 were released in October, although they do not appear to include any major security upgrades. Android's new version, Ice Cream Sandwich, was also released in October of 2011. It adds hardware encryption and functionality for additional security controls.

Apple seems to keep stepping in it when it comes to security issues for mobile devices. For some reason a lot of iPhone users are obsessed with Siri, the voice recognition application introduced with the iPhone 4S. Siri may be the latest cool feature for the iPhone, but it is also a dangerous security risk. How is that? The problem is that Siri is enabled by default even if your phone is locked. This means that you can talk to a locked phone and have Siri happily tell you what you asked. Perhaps you ask Siri who last called or to read the contents of tomorrow's appointments. Siri will even read back the details of your contacts. Even though Siri can divulge a lot of personal information, it is easy to secure Siri's "big mouth." Just configure Siri to be disabled if the phone is locked.

In February 2012, Google announced the addition of a security tool called Bouncer to the Android Market. Bouncer screens apps for malware signatures and runs them to test their as-installed behavior. This should go a long way to limit or control malware in the Android Market. It will not affect apps from other sources.

In January of 2012, Veracode, a respected provider of application security services, published an excellent infographic, "Mobile Security: Android v iOS." It compares the security features and limitations of each of them and lists recommended security practices. Available at http://www.veracode.com/resources/android-ios-security. It is already outdated because it predates Google's announcement of its Bouncer application screening in the Google Market.

It was reported last year that the National Security Agency (NSA) and Google were working on a modified version of the Android OS that would meet federal security standards for classified information. A recent article reported that these "hardened" Android smartphones are now being deployed in the field. See, www.cnn.com/2012/02/03/tech/mobile/government-androidphones/?hpt=hp_t2

For Android smartphones, follow the security set up instructions in the handset manufacturer's manual. They should include:

• Set Screen Lock (password or PIN)
• Set Screen Timeout
• Encrypt Phone (Honeycomb and Ice Cream Sandwich only—earlier versions require a 3rd party app)
• Secure Internet browser settings

In addition,

• Add a 3rd party find/lock/wipe app
• Add a 3rd party security app (malware and browsing protection)

See, "Android Security: Six Tips to Protect Your Google Phone," www.cio.com/article/675129/Android_Security_Six_Tips_to_Protect_Your_Google_Phone, and "Android Security: 10 Tips and Settings," http://resources.infosecinstitute.com/android-tips-andsettings

For iPhones, follow the instructions in "Security Features" in "Chapter 3: Basics" in the iPhone User Guide, current version at http://manuals.info.apple.com/en_US/iphone_user_guide.pdf. They include:

• Set Auto-Lock
• Set Passcode Lock (enables encryption)
• Turn on "Find My Phone" (in Mobile Setting or iCloud)
• Secure Internet browser settings

In addition,

• Set Siri to off when the phone is passcode locked, see http://www.pcworld.com/article/242253/siris_security_hole_the_passcode_is_the_problem.html

Voice Communications—Video Conferencing

It has been recently reported that video conference equipment is prone to eavesdropping just like a wiretap. How is this possible? Apparently, some manufacturers have a default configuration value of auto-answer. A security researcher performed a port scan across the Internet looking for devices that understood the H.323 (video conferencing standard) protocol. In about two hours, he discovered approximately 250,000 IP addresses that supported H.323. He then attempted to connect to the identified addresses. His research showed that he was able to connect to about 5,000 video conferencing systems. This was possible because the systems were configured to automatically answer an incoming call. When a system is configured to auto-answer, it can be turned on externally. This means that someone outside your office can listen in on any meeting being held in the room just as if they were sitting at the conference room table. Be particularly wary if you have equipment made by Polycom since they are shipped configured for auto-answer.

So is there any hope of securing your video conferencing system, especially since you paid so much for the equipment? There are some simple steps to help ensure the security of your equipment and stop unwanted eavesdroppers. First is to make sure that your equipment is fully patched and running the latest version of the software and firmware available from the manufacturer. Next is to configure the system to NOT auto-answer, and finally to make sure that your video conferencing system is behind some sort of firewall.
this underscored three law firm information security challenges:

• The need to balance security with the need to share information;
• The importance of having security policies, with people in

Posted: 05/03/2019, 08:25
