
Firms must actively pursue security


Kelly Hansen

As computers have become a major tool for legal research, document production and storage, communication with clients and more, the problems associated with assaults on those systems have also risen.

That makes it essential for law firms to take an active role in ensuring that their network keeps operating and that their data is not compromised, according to security specialist Kelly Hansen.

“It used to be when our phones went out, we’d all freak out and go home because there was nothing to do. Today, when our computer goes down, we don’t know what to do,” said Hansen, the CEO of Neohapsis, an information security consulting company.

Speaking to a group of attorneys during a Milwaukee Bar Association technology seminar, Hansen warned of the dangers that arise from being connected to the Internet. She pointed to the threats posed by worms attacking computers through e-mail or while people are simply surfing the Internet.

A worm is a program that can replicate itself between computer systems. It can cause damage by itself or serve as a method of delivering a virus.

Every day, companies face the hazards of distributed denial of service (DDoS) attacks, Hansen said. During a denial of service attack, a computer or network user is unable to access resources such as e-mail or the Internet. A DDoS occurs when an attacker loads malignant code onto a host machine. This causes more damage than an attack on a single machine because the company has to block dozens or hundreds of IP addresses.

Having computers and networks fail to operate is one problem. Worse yet is the prospect of having confidential records compromised. Hansen warned the group of a worm last year that mined information from computers and distributed it randomly across the Internet.

She noted that there is no way to protect everything from hackers. The goal is to take the appropriate steps to secure as much as is possible.

“Your e-mail will probably get whacked once in a while,” Hansen said. “But what about your client data? That really needs not to get whacked.”

That means protecting the servers responsible for storing that information.

Securing the Gates

Often, companies will purchase some security hardware or software and assume their protection measures are complete. Not true, Hansen said. Security is an ongoing process that involves preparation, detection, quarantine, examination, remediation, recovery and review.

“It needs to be continually reviewed and updated,” Hansen said.

Preparation goes beyond purchasing a firewall or virus protection to developing policies for Internet and e-mail, along with determining who will handle security issues internally.

Although lawyers often help their business clients develop Internet policies, Hansen said, “I’m always completely staggered at how few law firms actually have policies for their own Internet use.”

Someone within the firm should be designated as a security officer, to serve as the point person on security issues. Like it or not, in a solo practice that responsibility falls on the practitioner’s shoulders.

Preparation also involves developing security protocols and listing who gets contacted when security issues arise. Including contact information for a third-party resource should be part of that process.

Detection is the next important aspect, Hansen said. She cited a study by CSI and the FBI showing that 27 percent of the participants did not even realize they had been hacked.

“How do you not know?” Hansen asked. The answer: “You’re not monitoring.”

After the Breach

Once the security technology is in place, it needs to be monitored and updated. Someone at the firm needs to be responsible for monitoring firewall logs, updating servers, patching applications and reviewing software logs.

When an incident occurs, it is important to have quarantine procedures in place. Make sure that the security officer is on the scene and call in the support team as needed. Review the activities surrounding the incident. Call in a third party for assistance as needed.

It’s important to quarantine the affected devices from the system. Make bit stream copies of the affected systems, review log files, and document what might have caused the problem.

“Make sure everything is logged from the time it has been hacked,” Hansen said.

Once that has been done, the examination begins. Look at event logs or audit records. Systems like UNIX, Windows NT and 2000 can contain a wealth of information about what took place. Additional clues can be found in raw data on disks or hardware data residue.

Next comes remediation. Review servers, routers and switches for changes. If changes are found, they must be reset to their last configurations. Remediation may require taking some systems offline for an extended period of time.

Eventually, it is time to bring the systems back online. Everything that has been done to this point should be documented. Hansen also suggested bringing in a third party to review things. Given what’s at stake, money spent on security can be an important investment. She noted the potential costs associated with lost data or the potential ethical problems arising from the breach of confidential records.



Finally, conduct a post-mortem with the security team or an outside consultant to determine what could have been handled better, what tools were missing, whether a civil action might be necessary, or what additional policies and procedures might have helped avoid the problem in the first place.

Companies need to take the time and effort to address technology security, Hansen said. Hacking has never been easier than it is today, she added, noting that there are an estimated 30,000 Web sites dedicated to providing tools for hacking.

“It used to be that you needed two things to be a hacker — you needed motive and you needed skills. Today, you just need motive.”

Tony Anderson can be reached by email.
