
Reviewing your law firm network security - a framework

    I was asked by our managing partner to outline possible steps to enhance our network security, and I thought I would share them more widely.
I.  At the individual work station level
        1. Use stronger passwords for system login, and change them quarterly. 
        2. Encrypt client files on laptops with TrueCrypt, which is free, open source and highly recommended.  It would be possible to encrypt only the folder(s) that contain confidential materials.  This would be protection not only against malware threats but also against breach of confidentiality following the theft or loss of the laptop.
        3. Make sure that most users are operating with limited accounts, not admin accounts.  E.g., I can't see any reason why a legal secretary should be logging in daily as an admin account user.
        4. Make sure software firewalls are enabled on all machines. This will help prevent malware from spreading through the internal network.
        5. Regularly scan for malware with one of the top rated products.
        6. Keep all software updated. It is now said that applications are a more significant security vulnerability than Windows. A good example is Adobe Acrobat Reader, which is used to view PDFs. Recently Adobe has issued a whole slew of security patches.  All of the firm computers should be running the latest patched version of Adobe Acrobat Reader.
        7. Use the Firefox browser running the NoScript add-on except when you absolutely need IE.  It is said that Firefox is more secure than IE.  NoScript is a free add-on to Firefox that prevents websites from running JavaScript or ActiveX sc
        8. Use RoboForm, or a cheaper equivalent, to manage passwords. This will facilitate use of strong passwords, and will be some protection against keylogging malware (since the passwords will not be typed in).
        9. Use special diligence to secure and regularly scan any firm computers used for internet banking.  Special diligence now means more than you probably think.  Basically, a small business ideally should have a highly secure, dedicated computer for online banking chores, that is not used for emailing or web surfing or anything else.  That probably means a non-Windows operating system too.
        10. Periodic training of all employees never to open an attachment to any email unless it was expected.  Even if from a known person, an attachment should not be opened without confirming that that person sent one.  E.g., we have had malware attached to emails that were "spoofed" to look like they came from members of our law firm.  Also, there should be training to never click on a hyperlink in an unexpected email.  Aside from infected attachments, internet criminals want to trick you into visiting a website that is infected with malware set up to exploit known security vulnerabilities in Windows, IE, and common applications.
        11. As we upgrade computers, move to Windows 7, which has more powerful security, or to Apple machines.
        12. Use a commercial email scanning and filtering service.  On one day recently, our service (AppRiver) picked off 5 emails containing viruses that were addressed to me, and it is picking off about 50 spam emails a day.  
        13. I don't think it is necessary for all machines to run the exact same antivirus and antispy software.  I think there is value to having "biodiversity", since not all software catches all the threats.  However, all the AV software that we run should be set to update daily on an automatic basis.
        14. Turn desktop computers off at night, unless there is a specific reason to keep one on.  Used to be that people thought turning the computers on and off each day would cause them to wear out quicker.  Now, leaving a machine on all night just makes it a valuable target for hackers.
        15. No file sharing software, such as LimeWire or BitTorrent, should be allowed.  Too risky.
II.  Network Security
        1. Use OpenDNS as the network DNS server to limit exposure to DNS hijacking and phishing attacks. Use OpenDNS settings to deny access to known porn and gambling sites, at minimum.
        2. Need to keep servers and router patched.
        3. Consider a network security appliance, such as Astaro.
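
A read-only check of one Windows workstation against items I.3 and I.4 and item II.1 above, as an added example that is not part of the original post. It assumes Windows 8 or later with PowerShell 5.1; the function name Test-FirmWorkstation is hypothetical, and 208.67.222.222 and 208.67.220.220 are the OpenDNS public resolver addresses.

```powershell
# Added example: read-only audit of one workstation against checklist items
# I.3 (limited accounts), I.4 (software firewall) and II.1 (OpenDNS resolvers).
# Test-FirmWorkstation is a hypothetical name; nothing on the machine is changed.

# OpenDNS public IPv4 resolver addresses.
$OpenDns = '208.67.222.222', '208.67.220.220'

function Test-FirmWorkstation {
    # I.3: list user accounts in the local Administrators group. The well-known
    # SID S-1-5-32-544 is used so the check also works on localized Windows.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' }
    [pscustomobject]@{
        Item   = 'I.3 admin accounts'
        Review = [bool]$admins
        Detail = ($admins.Name -join ', ')
    }

    # I.4: every firewall profile (Domain, Private, Public) should be enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    [pscustomobject]@{
        Item   = 'I.4 software firewall'
        Review = [bool]$off
        Detail = ($off.Name -join ', ')
    }

    # II.1: flag any configured IPv4 DNS server that is not an OpenDNS address.
    # A workstation pointed at an internal DNS server will be flagged here;
    # check that server's forwarders separately.
    $other = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ -and $_ -notin $OpenDns } |
        Sort-Object -Unique
    [pscustomobject]@{
        Item   = 'II.1 DNS resolvers'
        Review = [bool]$other
        Detail = ($other -join ', ')
    }
}

Test-FirmWorkstation | Format-Table -AutoSize
```

A row with Review set to True lists what to look at in Detail; the built-in Administrator account will normally appear under I.3, so that row is a list to read rather than a pass/fail result.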
III.  Website security
        1.  Again, there is a need to use a strong password.
        2.  Do you know whether the software that runs your website has vulnerabilities?  Better look into it.  The most prevalent form of malware is now trojan horse programs served up by legitimate websites that have been infected by malware.  If and when you visit such a website, you will be bombarded with scores of different types of malware, testing every sort of vulnerability.  You do not necessarily have to click on anything or download anything there to pick up a malware infection, but clicking on links on such a website would increase the chances of infection.  Again, this situation can exist on any legitimate website which has been hacked into, including your own law firm website.  As aptly quoted by Brian Krebs in his excellent Security Fix blog on the Washington Post website:

"There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware," writes X-Force Director Kris Lamb. "We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."

See Brian Krebs, Phishing Attacks on the Wane, Security Fix, Aug. 27, 2009.  Krebs recommends using the Firefox browser with the Noscript add-on as one means of reducing this risk. 

IV.  Wireless security
        1.  Wireless routers are a huge security risk. If there are patches to the router operating software, the patches should be downloaded and installed.  The routers should be checked periodically to make sure they do not have the default passwords (like "admin") to access the router.  If someone does a hard reset to the wireless router, that could result in the default password being enabled again, and the wireless router could then be easily compromised.
        2.  The encryption for the wireless router should be the highest level.  By the way, in recent news reports it has been said that the basic form of WPA encryption has been cracked in 60 seconds.
        3.  Smart phones.  Do you realize that smart phones can be set up to access everything on a Windows Exchange network, by remote access to a computer on the network?  For instance, there is an application for the iPhone that allows such access, called "WinAdmin."  But there are others too.  This capability would add a whole new level of freakout if your iPhone is stolen.  I would recommend thinking twice or thrice about security before setting up your iPhone to do this.