Protected From the Elements

Protected From the Elements
Security for small- and mid-sized law firms.
By Sharon D. Nelson, Esq. and John W. Simek

Aug/Sep '04 Issue

Robert Frost, in his famous poem “Mending Wall” noted that, “Before I built a wall, I’d ask to know what I was walling in and walling out.” It’s clear he didn’t agree with his unthinking neighbor’s refrain that “Good fences make good neighbors.” In the world of data security, it’s indeed important to know what you are walling in and walling out, but there is no question some barriers are needed to protect the confidentiality of law firm data. Fences separate areas so something (or someone) is kept inside and something (or someone) is kept outside. What can you do to secure your firm’s information in a similar way? A barrier around your office will not keep the hackers from attacking your data, but if the barrier is well constructed, they might turn their attention to less protected data elsewhere.

Large firms have an Information Technology staff that supports the computer and communications infrastructure, but how do small- and mid-sized firms secure their environments? As you will find in this article, it’s not difficult to take rudimentary steps to secure your information, at a reasonable cost.

The First Items on the List
The first thing you should do to secure your law firm is install antivirus software on your computers. Virus, worm and Trojan attacks have grown in epidemic proportions and protection absolutely is necessary. Your product choices depend on your law office environment. If you have one or more servers, you should choose products that protect the central devices and manage the connected workstations. Don’t forget to get the option that scans your e-mail server, if you have one on your network.

Symantec’s products are among the most popular. The server suites come in two varieties depending on whether there is a mail server. The Symantec AntiVirus Corporate Edition is used for server environments where there is not a mail server present. In contrast, the Symantec AntiVirus Enterprise Edition includes Symantec’s Mail Security for those with e-mail servers. Both products install to a central server and manage the connected clients. Virus signature updates are automated, as are scanning and centralized quarantine. A minimum purchase of 10 licenses is required for the Symantec products. Budget around $50 per license for the Corporate Edition and around $75 per seat for the Enterprise Edition. Both costs include access to technical support and updates for a year.

If you are running a peer-to-peer network or have standalone computers, then you should purchase the personal edition of Symantec’s product. This version costs $40 and comes with a one-year subscription for updates and virus signatures.

Networking 101
It’s absolutely necessary that today’s computers have access to the Internet. Product updates, technical support, e-mail and research are all provisioned via the Internet. There are several choices in securing the connections to the wild, wild Internet.

If you connect to the Internet via a dial-up connection, you are at less risk of attacks and compromise versus those law firms with persistent connections such as DSL, cable modem or fractional T-1 services. Using dial-up, you only are at risk when you are connected to the Internet. However, don’t think that you are immune to attack just because you use a modem. A personal firewall is the appropriate line of defense for a dial-up connection. One of the highest rated is ZoneAlarm by Zone Labs. The base level ZoneAlarm Pro will set you back $40, but it’s well worth the investment. If you are running Windows XP, then the personal firewall features of the operating system also is an option. However, it doesn’t have the flexibility or features ZoneAlarm has.

If you don’t use dial-up, persistent Internet connections are better served through the installation of a router. The products from Linksys, Netgear and D-Link are very popular for small-office installations. The router will translate the Internet Protocol address from the outside world to a private address for your internal network. This process is called Network Address Translation and provides a simplified firewall by hiding your internal services. Traffic from the “inside” (Local Area Network) is allowed to exit, whereas unsolicited traffic from the “outside” is blocked from entering.

Higher-end firewall products such as those from SonicWall or Check Point Software Technologies also are available, but cost $750 and up. Generally, they are deployed for larger networks and require a high degree of networking knowledge to take full advantage of their robust features. As a result, these high-end firewall appliances are better left to those firms that have an internal IT staff or outside consultants.

Wired or Wireless?
Keeping information confidential is paramount for any network. Should you jump on the wireless bandwagon or hard wire your machines together? Wired networks generally are more expensive to install and are not as flexible, particularly regarding equipment location. Despite the cost and flexibility issues, wired networks are inherently more secure since you know where the two ends of the wire are. Wireless clouds bleed over into the air and can be viewable to the firm in the next office or building, not to mention “wardrivers” (wireless hackers) on the street in front of your building or in the parking lot.

If wireless is your choice, there are several items that should be addressed at an absolute minimum to protect your data and unauthorized access to it.

Change the default Service Set Identifier, a unique set of characters that defines your wireless network.
Change the default identification and password for management of the Access Point. The AP and wireless network cards must have the same SSID to connect.
Change the default SSID to make it harder for someone to discover your network and establish an authorized connection. Obviously, default ID and password for the Access Points should be changed, but you would be surprised to find out how many wireless clouds are left at their default settings. The default values are well known and even posted on many Web sites.
Enable encryption for your wireless communication. Your devices might be able to encrypt via Wired Equivalent Privacy or Wi-Fi Protected Access and protect the data transmission from prying eyes. The encryption method is enabled by entering a passphrase. Make sure the passphrase is complex and not easily guessed. You will need to configure the passphrase for each device on your wireless network.
Disable the SSID broadcast. There are many free tools that allow for “sniffing” of wireless traffic. The SSID is the name of your network and makes it easy for devices to connect. This means your neighbor in the next office can see your network if you broadcast the SSID. Disabling the broadcast makes it more difficult to find your network and keeps it hidden from those free sniffing tools.
Enable Media Access Control filtration. Most wireless APs have the ability to limit connections through a process called MAC filtration. Each wireless device has a unique MAC address, which acts as a type of hardware serial number. This provides the layer necessary to communicate with the appropriate device. You can greatly improve security by configuring the APs to accept communication only from specific devices. MAC spoofing is fairly easy in the wireless world, but a would-be hacker would have to know the SSID, administration values to configure the AP, WEP or WPA key and the targeted MAC address to jump onto your network. While this is all doable, let’s face it — if you build a decent fence, you have built a deterrent, especially because there are so many unfenced networks to infiltrate.

Simplified Logon and Access
Do you need a password or user ID for your computer, but can’t even remember your own name? Or are you totally confused by the massive amounts of passwords you must remember? You are not alone. The reality is, human beings like to keep things simple. It’s a lot easier to just power on your computer and have it immediately go to the desktop with instant access to all of your information and applications. It might be easy for you when you power up in the morning, but it’s equally as easy for the evening cleaning crew.

If you are running Windows 98 as your operating system, don’t. Wait a minute. You have a user ID and password for your Windows 98 system. Doesn’t that make it secure? Not in the least. The next time you get to the logon for Windows 98, press the escape [Esc] key and watch how easy it is to gain access to your computer. Now would be a good time to replace that clunker machine and get Windows 2000 or XP.

On the subject of user IDs and passwords, make sure you require them. In addition, change your password on a periodic basis. By all means, don’t write it on a sticky pad and affix it to your monitor. Turn off the “AutoComplete” feature of Windows and don’t save your password for any application access such as e-mail retrieval. The “AutoComplete” option is accessible by selecting the “Content” tab in the “Internet Options” for Internet Explorer under the “Tools” menu choice.

In the same vein, don’t save your password for e-mail access. Configure your e-mail so you are prompted for the password whenever you need access to the messages. Use a screensaver password with a timeout. This will help keep your computer secure if you go to the bathroom or just run out to get something to eat. After all, you don’t want someone walking up to your computer and sending an e-mail message on your behalf, especially if it contains inappropriate material.

Physical Security
If you have a small office with a peer-to-peer network, you can’t physically secure the main computer that holds your data. However, if you have a server where the data is centralized, it should be physically secured. This means locking it up in a closet or in a room that can be secured. Disgruntled employees perform the vast majority of security breaches. Physically securing the server will help prevent unauthorized access and possible destruction of your data.

Besides securing any server, don’t forget about the telecommunications equipment. It’s best to have your telephone and data communication equipment under your own control
and located in your office space. If your equipment must be installed in a common communications closet, consider installing a locked cabinet (with proper ventilation) to prevent unauthorized access.

To Encrypt or Not Encrypt
Should you encrypt your files and electronic communications? It depends. Certainly you would want to encrypt sensitive data such as patent documents. Electronic communications generally are not encrypted unless they are very sensitive or encryption is required by your client.

E-mail encryption is fairly simple to achieve. Probably the easiest place to start is by obtaining your own personal digital ID. You can obtain one from VeriSign (www.verisign.com/products/class1/index.html) for $14.95 a year. The installation is fairly straightforward and integrates with your browser and e-mail client. Once you have installed your digital ID, you will be able to digitally sign and encrypt message contents and attachments. To begin communicating in an encrypted form, you must send your public key to your intended recipient.

There are many choices for encrypting data on your computer or network. The simple choices include Windows 2000 and XP Professional, which have built-in encryption methods that are simple to implement. The Encrypted File System will encrypt data so nobody, other than the Windows user that encrypted the file, can view the contents. Reinstalling Windows with the same user ID doesn’t provide access to the encrypted data, so make sure you back up your private key. For Windows XP or 2000, right click on the file or folder and select properties. On the “General” tab, click on the “Advanced” button. Check the box for “Encrypt contents to secure data” and click “OK.” That is all there is to it. If you encrypt a folder, all files placed in the folder will be encrypted. Now that encryption is enabled, it would be a good time to back up the Recovery key. View the Microsoft Knowledge Base article number 241201 for instructions on exporting the private key.

PGP probably is one of the most familiar encryption products known. PGP Corporation now is a separate company and no longer associated with Network Associates. PGP Personal Desktop is $59 and includes the ability to secure messaging and information storage. Those with servers or needing more advanced features should select the Workgroup ($178) or Corporate ($281) versions.

Data About Data
Metadata is data about data. When you create a document, spreadsheet, presentation and so on, certain information about the file is contained within the file itself. This could include such information as the author, number of words, version number, tracked changes and a wealth of other information. Perhaps you send your clients a Word document for their review and modification. Using the “track changes” feature of Word would make it easy to see the modifications and approve or reject the changes. You certainly would not want the opposing counsel to see this data. Yet how many times have you unwittingly provided someone an electronic version of a document that contained information you didn’t want to show?

Metadata Assistant is a wonderful product by Payne Consulting that integrates with the Microsoft Office products. When sending an e-mail message from Outlook that contains an attachment, Metadata Assistant will prompt you to clean the data before transmitting. Of course you can change the default action to prompt, but it’s better left as a reminder lest you release unwanted data from your firm. Metadata Assistant will clean the metadata from Microsoft Word, Excel and PowerPoint files. Other similar programs include, Workshare Protect (www.workshare.com); iScrub Metadata Management Software by Esquire Innovations (www.esqinc.com); and BEC Legal Systems’ Metadata Scrubber (www.beclegal.com).

WordPerfect also saves metadata within its documents. There are manual ways to reduce the amount of metadata, but the best approach is to convert the document to Portable Document Format before transmitting.

Pesky Defaults
It’s impossible to overemphasize the need to change any default values for software or hardware in your environment. We already have identified the default items for wireless APs. Here are a few other places to consider changing the defaults.

Administrator account name
Domain name
Workgroup name
Outlook Web Access port
SQL account.

In the Windows world, the default administrator ID is “administrator.” Change the default name to something the rest of the world doesn’t know. Fortunately with the advent of Windows 2000 Server, there no longer is a default domain name. In Windows NT 4.0 Server, the default domain name is “domain.” However, Microsoft still has held on to defining default workgroup names. The default workgroup name can be “WORKGROUP” or you might see “MSHOME” as the default. Workgroups are used to connect computers in a peer-to-peer environment. Change the default workgroup name to something less well known, especially if you are in a shared office location and interconnect with other computers. As with the SSID for wireless, all computers must have the same workgroup definition to see each other and share files or resources.

To change or specify the workgroup for Windows XP, go to “Control Panel” and then “System.” If you don’t see “System,” select “Performance and Maintenance” and then select “System.” Click on the “Computer Name” tab and then click “Change.” Enter the desired workgroup name. Remember, this has to be done on all computers in your peer-to-peer network. To change the workgroup in Windows 2000, go to “Control Panel” and then “System.” Click the “Network Identification” tab and then select properties. Enter the desired workgroup name in the workgroup box. For ME or 98, go to “Control Panel” and then select the “Network” icon. Click on the “Identification” tab and enter the desired name in the workgroup box.

If you are running an Exchange server or have installed Microsoft’s Small Business Server, there are a couple of other default values that should be changed. Exchange has the ability to remotely access a user’s mailbox via a Web browser. Outlook Web Access uses the default TCP/IP port 80, just like most Web sites. This means you have to allow port 80 to pass through your firewall to gain access to your e-mail on the Exchange Server. Unfortunately, port 80 is one of the most exploited ports by viruses, worms and just plain bad guys. The default port for OWA is the same as the default Web site on your Windows server. From the server, go to the “Administrator Tools” and select the “Internet Services Manager.” Right click on the default Web site and select properties. Change the TCP Port value to something other than 80, and make it easy for your employees to remember. A ZIP code or last four digits of a fax number are good choices. The firewall will have to be changed to allow the port that you configured for OWA. Assuming you changed the port number to 9902, you would gain access to your e-mail by entering a URL in your browser that would look something like this http://mail.yourdomain.com:9902/exchange.

Pests, Bugs and Other Nasty Web Elements
Virus protection is the No. 1 item to install, but there is another form of prevention now becoming a requirement. Spyware and adware are invading our computers with increased regularity. The annoying pop-ups can merely produce merchandise advertising or offensive pornographic images or worse yet, send personal information from the computer to an external source. These nasty bits of program code can come from the installation of free software such as screen savers, Internet search aids or by merely clicking on a link in a Web page.

Products such as PestPatrol and Ad-aware by Lavasoft are good for discovering and removing these pesky critters. Each will cost about $40 and is a worthwhile investment. Note that Ad-aware is free for noncommercial use only.

Finally, install the free Google Toolbar (http://toolbar.google.com) to augment the pest scanning products. We have found the combination of Symantec’s AntiVirus, Google Toolbar and PestPatrol’s Corporate Edition have virtually eliminated the pop-ups and malicious code.

Update, Update, Update
Keep your operating system up to date by running the Windows Update on a periodic basis. This will help with performance issues, but also will patch the operating system for known security vulnerabilities. In addition, you might want to subscribe to newsletters at SecurityFocus. You can register to receive weekly notices security issues by subscribing at www.securityfocus.com/newsletters. Another good source of security notifications is SANS (SysAdmin, Audit, Network, Security). A subscription to its newsletters is at www.sans.org/newsletters.

Backup and Disaster Recovery
An entire article can be written about preserving your data through backups and devising disaster recovery plans, but a brief note is worthy here. Implement some sort of backup method for your critical and confidential data. External universal serial bus hard drives, CD/RW and tape are some of the options for backup. Make sure you take your backup data offsite. Should you experience a security compromise, flood or just a general meltdown of hardware, your data can be restored.

Following Protocol
If you follow these protocols, you will have built a sturdy barrier to secure your firm’s data. Failure to do so gives the bad guys a “get out of jail free” card. Stay ahead of those who might infiltrate your technology by keeping abreast of security developments and periodically reviewing your defenses for needed upgrades. Safe computing requires constant vigilance.

ABOUT THE AUTHORS

SHARON D. NELSON AND JOHN W. SIMEK are the president and vice president of Sensei Enterprises Inc., a legal technology and computer forensics firm based in Fairfax, Va. They can be reached at (703) 359-0700, sensei@senseient.com or www.senseient.com.