The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
Peer to Peer

Offense Is the Best Defense Against Security Vulnerabilities

article, "Gartner: Seven Cloud-Computing Security Risks," which covers risk issues outlined in a 2008 Gartner report (http://www.networkworld.com/news/2008/070208-cloud.html).

No matter how good a piece of software is, there are always vulnerabilities. Around our office, we've become numb to receiving weekly updates from certain vendors. These often fix recently discovered security holes, ones that could have left us exposed to attack in the window before the patch was released and installed. As long as there are hackers, we must remain vigilant; and since cloud computing takes control out of our hands, we must rely on third parties to maintain this vigilance.

Social Butterflies Beware

Social networking is great. (If you haven't reserved your Twitter name, jump over to www.Twitter.com and reserve it before someone else grabs it.) Twitter is useful for marketing your firm, keeping up with ILTA members, following the industry and simply being in the know. LinkedIn is great for business, too, because you can use it for networking and staying in touch.

That said, there are definite security risks associated with these types of sites. First, the firm has no control over what an individual posts. Too often people don't filter what they post, and those posts can come back to bite them. They can also reflect poorly on the firm. For this reason, some firms have started to distribute written employment policies regarding social networking. For an excellent article on the ethical risks and pitfalls of social networking sites, visit http://www.mygazines.com/issue/6117.

Hackers have also found ways to compromise social networking sites. Often, when an account is compromised, a message is sent to all of that account's contacts with an embedded link to click.
Once someone clicks the link, his device also becomes infected, and the virus spreads. This leads us to the next security concern.

Pass the Word

In October 2009, Microsoft confirmed that phishers stole at least several thousand Hotmail passwords. This was bad news in itself, but what made it worse was that many of these victims used the same passwords for other accounts, such as their MySpace, Facebook and Twitter accounts, where they would be victimized again.

Craig Ball, an attorney, forensic technologist and Certified Computer Forensic Examiner, was an administrator for a website with 47,000 lawyers who signed on with passwords they selected. He says, "I saw firsthand how little caution lawyers brought to their password choices. Sports teams, alma maters, children's names and birth dates were the norm." Based on his subsequent experience as a forensic examiner, Ball estimates that anywhere from a quarter to a third or more of the registrants used the same password for the website that they also used for their personal e-mail accounts. He explains that many don't know that forensic examiners rarely gain access to encrypted files by decryption because it takes so long; instead, they gather the passwords from less protected applications. These passwords are typically the same as, or closely resemble, the password used for the encrypted material.

Firm administrators, in conjunction with the trainers and support staff, should educate all members of the firm regarding the need for robust password protection. Policies can also be set to provide a little more heavy-handed encouragement for compliance. For instance, consider setting policies such as:

• Forcing a password change every "x" number of days
• Setting a minimum password length
• Requiring that passwords meet complex and pre-defined criteria (alphanumeric and special character mix)

You would be surprised at how many passwords are simply set to 'password.'
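The three policy knobs listed above (maximum password age, minimum length, complexity) are easy to state but are usually enforced by a directory or identity system rather than by hand. The following is an added example, not code from the article or from any vendor's product, showing what such a policy looks like when written down as a checkable rule set. The concrete values (90 days, 12 characters) and the small denylist are assumptions chosen for illustration; the denylist exists so that the literal password 'password' mentioned above is refused regardless of length or character mix.

```python
"""Password policy checker (added example; policy values are illustrative assumptions).

Implements the article's three policy knobs: a maximum password age, a minimum
length, and a complexity requirement (mix of letter case, digits and special
characters), plus a denylist of common defaults such as 'password'.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import string

# Constructed sample denylist; a real deployment would load a much larger list.
COMMON_PASSWORDS = frozenset({"password", "password1", "123456", "letmein", "welcome"})


@dataclass(frozen=True)
class PasswordPolicy:
    max_age_days: int = 90           # the article's "x" number of days (assumed value)
    min_length: int = 12             # assumed minimum length
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    denylist: frozenset = COMMON_PASSWORDS


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Case-insensitive denylist check so 'Password' is caught as well as 'password'.
    if password.lower() in policy.denylist:
        problems.append("appears on the common-password denylist")
    return problems


def password_expired(last_changed: date, today: date,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password is older than the policy's maximum age and must be rotated."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs: the default that the article warns about, and a compliant one.
    for candidate in ("password", "Tr0ub4dor&3Horse!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    # A password last changed on 1 July 2009, checked on 15 October 2009, is past 90 days.
    print("expired:", password_expired(date(2009, 7, 1), date(2009, 10, 15)))
```

The checker returns every violation rather than stopping at the first, which is what a help-desk or self-service reset page needs in order to tell the user exactly why a choice was rejected. The age check is kept separate because it runs on a schedule against stored metadata, not at the moment a password is chosen.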
Even more surprising is that some IT professionals who use netbooks have no password set at all (the default). Password security is important, and it is something you cannot assume your users are applying correctly. A general rule of thumb: if any firm document is ever sent to, or any e-mail connection ever made from, a computer, netbook or other device, that device should have a resilient password applied.

What You See Is Not What You Get

In the movie "Catch Me If You Can," Leonardo DiCaprio plays the character based on Frank Abagnale, Jr., who, before he turned 19, had posed as a Pan Am pilot, a doctor and a lawyer, and had stolen millions of dollars. He was adept at fitting into any environment by slipping on a uniform and blending into his surroundings. Criminals are good at this, and there are some unbelievable stories about law firms that have been victimized this way. For example, one firm had its telephone equipment room cleaned out because the receptionist let in a man with a service bag and a telephone company uniform; he said he was there to repair the telephone system. Another firm had all of its attorney laptops stolen by someone wearing painting coveralls who came in carting paint cans on a hand truck. Apparently he piggybacked through the door behind an attorney and never went through reception.

"In preparation for writing this article, I called 10 clients and asked them if they had someone who was specifically tasked with the job of security. Only one firm had someone in this role."