Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

What You Don’t Know Can Hurt You: Computer Security for Lawyers

The burgeoning growth of electronic communications has offered lawyers convenience and efficiency previously unimagined. But the benefits have not come without costs, including heightened risks that data may be lost or confidentiality breached.  Knowing these risks and how to meet them is increasingly critical.

Over the past ten years, the landscape of consumer technologies has changed drastically.  Thanks to rapid development and innovation, we now carry in our pockets computers as powerful as those that took us to the moon. The resulting convenience and broad access to information is extraordinarily valuable, but easily blinds consumers—and oftentimes vendors—to the parallel growth of security risks.

Personal technology inherently is a container for confidential information.  This is especially true within the professional sphere, as lawyers, doctors, and other professionals have come to rely on such technology to manage business and personal information involving clients and private relationships.  Consequently, as the popularity and capability of electronic devices have grown, cyber criminals have seen opportunities.  This has left many individuals, corporations, and government organizations vulnerable.

In the legal profession, clients expect that their representation by a lawyer ensures the confidentiality of their digital information. But while future lawyers in law school learn much about the importance of maintaining client confidentiality, oftentimes digital information security is absent from the curriculum.  Although the learning curve associated with computer security is steep, understanding it is absolutely necessary—especially as a legal professional.

Remote Intrusion

One primary concern with regard to computer security is remote intrusion, usually by way of malicious software, otherwise known as “malware” or a “virus.” Malware is diverse; different malware is designed with a variety of purposes and capabilities. While there is no such thing as “benign” malware, some types are less threatening. For instance, some malware collects data simply to advertise to you.  But this malware is easily detected because the user observes a rash of pop-up windows advertising the latest as-seen-on-TV product.

More often than not, however, the presence of malware is not immediately obvious by its design.  Several malware variants are able to suspend a system’s antivirus software to avoid detection.  The reason for this is simple: Cyber criminals want to be able to compromise your data for the longest time span possible.  Frighteningly, cyber criminals using malware can monitor a computer user’s activity without detection. Such malware can capture and transmit screenshots and keystrokes all without providing any indication to the user. Other variants are specifically tailored to wait for activity of interest, such as online login credentials and financial activity.  Some other strains can even delete, hide or lock your files.

Irrespective of its function and as its name suggests, malware always has the potential to be seriously detrimental.  Consequently, related data breaches can lead to catastrophic damage to your reputation and expose you to potential litigation.  Defending against malware and protecting your clients’ data should be a first priority when working from any electronic data storage device connected to the Internet.

Risks & Remedies

You can shield yourself from malware breach of both your and your clients’ data with a few simple preventative measures.  While there are a vast number of vehicles by which malware is downloaded, the following practices will lower your probability of introducing malware to your system.  Again, please note that this list is not all-inclusive.

Phishing. One of the most well-known tactics employed by cyber criminals is known as “phishing.”  Phishing is the process by which cyber thieves are able to lure unsuspecting victims to a malicious link that executes malware.  These malicious links are usually presented to a user through an email message.  Remember the message from that poor Nigerian prince?  By clicking on the link presented in such a message, the user unknowingly initiates the malware by accessing the hacker’s webserver.

Spear-Phishing. Even more unsettling than simple phishing is a “spear-phishing” attack.   Unlike phishing, which tries to entice a response from many email addresses, spear-phishing is a directed attack.  Cyber criminals gather information about a victim, which is then used to construct a fraudulent email, intended to trick the victim.  Rather than being obviously nefarious, these emails are very realistic.  For example, I recently assisted an attorney who had received an email purporting to be from the court.  The email indicated that the attorney had failed to successfully e-file his motion and that the court would dismiss his case with prejudice unless the attorney would “click here to complete your case e-filing.”  Unfortunately, the attorney clicked, and downloaded malware that allowed hackers remote access to the attorney’s computer. Due to their nature, phishing attacks are not problematic unless the user clicks on the link to the malicious webserver within the message.  Before you click, “hover” your cursor over the link to see the true URL—the link that appears in text as attorneyalert.com may in fact link to gotchasucker.ru or something similar.  In short, avoid clicking on web links contained in an email message, especially those that look “phishy.”

Free Downloads. Be diligent when accessing material from any webpage.  But be particularly wary of sites that offer free viewing or downloading of copyrighted material, such as those that offer free television programs, movies, and pirated software. These sites are often hosted within countries with lax computer security laws.  As a result, these websites are able to deliver malware by exploiting a web browser, like Internet Explorer or Google Chrome. Once the web browser is compromised, additional malware can then be queued to download.  So, resist the urge to search online for a pirated version of the latest episode of your favorite TV show.

Outdated Software. Another critical practice for ensuring the protection of your data is keeping any system you use up-to-date.  Almost always, vendors update their products, including operating systems, to patch known security holes.  This is because the longer an iteration of a piece of software is available, the more time cyber criminals have to develop malware to exploit potential vulnerabilities.  As a result, older software often presents an easy target for cyber criminals wanting to gain unauthorized access to a computer.  Therefore, updating all software regularly lowers the chance of a malware breakout.

Simple Safeguards. So what safeguards exist to protect yourself against malware infiltration of your computer?   First, ensure that your system has a strong password.  A “strong” password is considered to be a combination of 8-12 uppercase and lowercase letters, numbers, and special characters. Try not to reuse passwords you use to access online sites to access your system or vice versa.  If your password is easy to crack or guess, using it for multiple purposes enables cyber criminals to gain access to even more of your data.

Second, install antivirus software and keep it up to date.  Installing antivirus software is a logical, low-cost first step, but it is of little use if not maintained properly.  It is considered best practice to regularly ensure that your antivirus software is functioning properly and is completely updated with the latest definitions of known malware and unknown malware behavioral patterns.

While antivirus software is certainly recommended and required by most standards, prevention is still the best medicine.  Antivirus software is usually reliable for identifying known malware, but it can miss undiscovered strains.  Furthermore, as previously mentioned, some malware is specifically designed to disable antivirus software to carry out data theft, so the best way of protecting yourself is by maintaining good computer security habits. But these preventative measures are only effective if all users of a computer adhere to them.  It is the responsibility of a legal professional to not only remain informed about computer security, but also to foster a culture of security in her or his practice.

Mobile Device Security

Lawyers, like anyone else, greatly appreciate the convenience of mobile computing.  It makes things like client communications fast and easy and allows work to be done anywhere. As such, it also exposes your data to risk anywhere.  So it’s important to ensure the protection of your own and your clients’ data, even when outside of the office.

Risks of Loss or Theft. Mobile devices, such as laptops, smart phones, PDAs and other portable electronic storage devices pose distinct threats to data security.  First and foremost, these devices are easier to lose than a clunky 30-pound desktop computer.  They are also attractive to most thieves.  Therefore, it is absolutely critical that they are protected against breaches that could occur as a result of loss or theft.

Using strong passwords and enabling the ability to erase data remotely can achieve this.  Strong passwords or passcodes on cell phones may deter a would-be data thief from attempting to gain access to the device’s data.  But the preferable option is to use a mobile device that has the capability to be locked or erased remotely.  If used in a timely manner, this function bars a thief from accessing your data. Luckily, upcoming legislation may force phone manufacturers to include such capabilities in their mobile products so data can be protected in the event that a device is lost or stolen.  Other than passwords and remote data protection capabilities, most phones leave much to be desired as far as security.

Encryption. In the case of other forms of portable devices, like laptops and external hard drives or thumb drives, encryption is an important tool that can ensure the protection of your data.  Encryption safeguards data by scrambling it, making it useless without a password or security token.  Here again it’s important to always choose passwords that are not easily cracked or guessed.  Without the password or token, the encrypted device is completely inoperable and, consequently, access to the data is restricted.  Full drive encryption is a feature of some laptops and certain versions of Windows, and is available as add-on software.  In short, encryption is an accepted tool for safeguarding data on laptops and external media when you need to take the device away from the office.

Wi-Fi Risks. While physical protection of your portable device is always important, an alarming new hacker trend also may compromise data without proper safeguards.  More specifically, there is always risk when using Wi-Fi networks.  Wireless connections are vulnerable and can allow for the interception of your confidential communications.  This method is more commonly used than device-specific malware for stealing data from laptops and mobile devices. With the help of a small, easy-to-build device known as a “rogue access point,” hackers are able to foil the encryption security of web pages.  In this way the hacker, unbeknownst to the user, can intercept usernames and passwords that are usually encrypted as part of the webpage as they are entered.  Having intercepted these data, the hacker can profile your computer usage and gain access to your confidential material on websites.  In order to force this encryption, bookmark your important sites by manually adding “https://www” to the URL, rather than by relying simply on the default “www.”

Note also that there is a risk in having devices set to automatically join known networks.  Rogue access points are frequently used to spoof one of your known, trusted networks.  Essentially, the rogue access point is able to accept the trusted Wi-Fi SSID (the “service set identifier” that allows devices on the wireless network to recognize and communicate with each other) and password broadcast by your device.  As a result, a hacker can monitor your network use.  As a general rule, never transmit confidential data via public Wi-Fi networks, but rather through a cellular “hotspot” available from cellular network providers.

Wi-Fi interception tactics can be inhibited by use of what is known as a VPN client.  A VPN client or service automatically encrypts all network traffic flowing in and out of a given device and thereby disallows interception of your data.

Cloud Storage: A New Frontier

Related to web security is another service that attorneys often use, known as “Cloud” storage.  Cloud storage services such as DropBox, SkyDrive, and iCloud make files accessible from anywhere on any Internet-connected device.  But as is typical with widely used, convenient, file-storage solutions they also pose unique ethical considerations for data security.  While these services themselves usually maintain strong security protocols, users should still be aware that breaches of Cloud services are possible and have happened.  Additionally, login credentials for these services could be compromised by the aforementioned malware or “rogue access point” attacks.  Therefore, additional layers of security should be employed to take full advantage of the convenience of the Cloud.

When using the Cloud, ensure that all your files are at least password-protected and ideally encrypted.  This is a simple practice and can be accomplished with readily available software tools.  Uploading only protected files to the Cloud thwarts a hacker’s attempt to access confidential data should they successfully compromise your Cloud account.

Data Loss & Corruption

Technology, although usually reliable, is certainly not free from the risk of breaking down.  Even the most diligent computer users can still fall victim to data loss.  Sometimes data loss is accidental, other times it’s due to malware or physical device failure.  Electronic storage devices have thousands of components and should any one of them fail, the data could permanently be lost.  Further, modern malware is usually never solitary; it snowballs from an initial infection, which subsequently downloads progressively more advanced malware. As a result, some malware infections cannot be fully eradicated without a fresh installation of the operating system.

In order to protect your own and your clients’ data it is important to maintain frequent, quality backups.  The cost of many backup programs and external media has dropped significantly so this should not be an inordinate expense.  If you ever become the victim of malware, disaster or other device failure, backups may be the only way to preserve your reputation and protect data entrusted to you by your clients.

Conclusion

Important documents no longer exist in a safe vacuum, thanks to the Internet. As online citizens, lawyers have heightened ethical obligations to consider how best to protect their own and their clients’ data.  Following the basic security practices outlined above, you can protect yourself at the office and at home.  Always keep your software updated, your passwords strong, and your online habits safe. But know your limits and recognize when you need professional help. As any lawyer will agree, continuing education is essential to staying effective in an ever-changing field.  Computers have added a new dimension to the practice that should be carefully considered.

Mark Lanterman is CEO and Chief Technology Officer for Computer Forensic Services, based in Minnetonka, MN.  He has over 11 years of law enforcement experience as a police investigator, culminating as a member of the U.S. Secret Service Electronic Crimes Task Force. Lanterman has successfully led thousands of forensic investigations with large legal organizations, Fortune 500 corporations, and governmental organizations. 

 
