1. WHY CLIENT DATA IS AT RISK;
HOW IT IS AT RISK;
AND HOW TO MITIGATE THE RISK
USING SOME SIMPLE SECURITY POLICIES AND
PROCEDURES
South University, CLE
December 19, 2014
Presented by:
Patrick J. Garrett, J.D.
2. Why your client data is at risk:
Attorneys have lots of PII (personal identifying
information)
Social Security #
Medical records
Driver's license #
You have client work-product and proprietary
information.
Trademark information
Business formulas and code
An attacker is using you to get to your client.
3. Why your client data is at risk:
It will cost you more money to fix the infection
than the cost of the ransom:
IT professional
New Hardware
Software
Loss of data.
Many attorneys simply do not understand
information security so they do not take steps to
protect the data. They are easy targets!
4. What are Security Controls?
Policies and procedures that demand and direct
users to implement specific security features, or
mitigate potential vulnerabilities, that are
associated with hardware, software, or the
transportation of data; and, to conform behavior
and actions to support the three (3) general
goals of information security:
1. Confidentiality
2. Integrity
3. Availability
5. Why you must implement
security controls:
Civil Liability for negligence and malpractice.
Common law negligence or wantonness
HIPAA: requires “reasonable and appropriate” security.
PCI laws for financial and credit card companies and
processors.
Even if you are not obligated to provide certain
levels of security, your clients may be
obligated.
They may not be able to share their information with you
unless you implement and understand the security controls.
Your clients will start expecting and demanding
that you have controls in place.
6. Why you must implement
security controls:
Ethical obligations to keep data secure:
Confidentiality –
Rule 1.6(a), Alabama Rules of Professional Conduct:
“A lawyer shall not reveal information relating to
representation of a client unless the client consents
after consultation, except for disclosures that are
impliedly authorized in order to carry out the
representation . . .”
Digital or electronic information is treated the
same as a paper file. (not just PDF's)
Applies to ALL information related to the
representation.
7.
Office of General Counsel, Alabama State Bar, Formal Opinion 2010-02,
Retention, Storage, Ownership, Production and Destruction of Client
Files
“Like documents that are converted, documents that are originally
created and maintained electronically must be secured and
reasonable measures must be in place to protect the
confidentiality, security and integrity of the document.”
“This requires the lawyer to ensure that only authorized
individuals have access to the electronic files. The lawyer
should also take reasonable steps to ensure that the files are
secure from outside intrusion.”
“Although not required for traditional paper files, a lawyer must
“back up” all electronically stored files onto another computer or
media that can be accessed to restore data in case the lawyer’s
computer crashes, the file is corrupted, or his office is damaged or
destroyed.”
“Lawyers do have an ethical obligation to prevent the premature
or inappropriate destruction of client files.”
8. Additional takeaways from 2010-02:
Using a Cloud provider for backup is ok – as long as the lawyer
exercises reasonable care in doing so.
Must keep client files for a mandatory minimum of 6 years from
the final disposition or date of closing the file, but . . . “special
circumstances may exist that require a longer, even indefinite,
period of retention. Files relating to minors, probate matters,
estate planning, tax, criminal law, business entities and
transactional matters should be retained indefinitely and until
their contents are substantively and practically obsolete and
their retention would serve no useful purpose to the client, the
lawyer, or the administration of justice.” # 2010-02, pg. 7
Must have ability to make the file available for the
client during this time as well.
9. Why you must implement
security controls:
Competence –
Rule 1.1, ABA Model Rules of Professional Conduct, Comment
[8]: To maintain the requisite knowledge and skill, a lawyer
should keep abreast of changes in the law and its practice,
including the benefits and risks associated with relevant
technology, engage in continuing study and education and
comply with all continuing legal education requirements to which
the lawyer is subject.
Alabama has not adopted this yet; its version states: “To maintain the
requisite knowledge and skill, a lawyer should engage in continuing
study and education.”
Potential current or future obligation to understand the technology that
you use.
10.
Ethical obligations in a nutshell:
Secure the data
Take “reasonable” measures
Risk Assessment
Cost-Benefit Analysis
Risk Mitigation
Protect confidentiality, security, and integrity of the
data.
Authentication
Encryption
Hashing
Availability – Must store files for at least 6 years.
Accessibility
Durability
Backups
12. What are your goals?
Comply with your ethical obligations by
implementing practical security polices,
procedures, and actions that are reasonable for
your circumstances to help you ensure three
things:
1) Confidentiality
Authentication
2) Integrity
3) Availability
13. Factors to assist you in choosing
what controls are right for you:
Where and how is my data stored?
How am I transporting my data?
Where are the vulnerabilities when my data is
transported and stored?
What threats can exploit these vulnerabilities?
What controls exist to mitigate the threat and
what resources do I have available to me?
Based on all these factors, what controls must I
implement? In addition to the required controls,
what other controls can I implement?
14. How your client data is at risk:
Why do I need to know how data is stored,
transported, shared, and accessed?
Every link in the chain of communication is a
vulnerability.
Every other person or machine that you send
your information to is a vulnerability.
How you send or share your data or information
can cause vulnerabilities.
Everyplace you store your data is another
vulnerability that must be protected.
15. Vulnerabilities in the transport and
storage process:
Interception of your data while communicating
with someone else.
Unknowingly sending data to the wrong person
or an illegitimate website.
Accessing your data by breaking into your
computer or network.
Accessing your data using trickery or a
compromised password.
16. How your client data is at risk:
THREATS TO THOSE VULNERABILITIES
Attackers – outside parties trying to trick you or
to break into your computer network or
system without your consent and knowledge.
Malicious Software – viruses, spyware,
malware, etc.
Malicious insiders – disgruntled employees or
sometimes clients.
Negligent actions – by you or your employees.
Failure to take reasonable precautions.
17. Understand where and how your
data is stored:
Data at rest:
Hard drives, USB drives, servers, PC's, laptops,
smart phones, tablets, etc. This isn't just PDF's.
Data in transit:
Email, internet, web traffic, network traffic, etc.
Backup data
Locally or remotely
Data in the cloud
18. How your data is transported:
Internal network
Internet
19. Typical small business or home network
(Network diagram; labels: Free Public Wi-Fi, Internet.)
How your systems interact and communicate.
21. Typical request for an unsecured Http:// website.
(Diagram: John Smith's browser sends “Please send me the web page for Google.com” to the web server; the web server replies “Here you go!”)
1. The computer's browser sends the request (data packet) in clear-text.
2. The web server also sends the response in clear-text.
Neither party knows if the other party is who they say they are.
Anyone who intercepts the packets can eavesdrop on the
communication because the data is in clear-text.
22. Where your data can be intercepted:
Internal network
Internet
23. How your data is intercepted:
Attacker uses software to scan for available
wireless networks and return the results along
with the kind of security (encryption) being used
(ie – WEP, WPA, etc.)
If the network is unprotected or uses weak encryption, the
attacker can easily crack it.
Once on the network, the attacker uses “packet
sniffing” software to capture the data packets to
analyze, review, and crack later.
24. How your data is intercepted:
Impersonation
“Man in the Middle” attack – During your session
with a website online, an attacker reads your
unprotected communication in real time.
They then change that information before it is
sent to the other party or they spoof their IP
address and pretend to be the website.
Browser hijacking, or setting up a fake website that
looks like the legitimate website.
25. Anatomy of a network attack
Similar to interception: the attacker scans your
network first to determine what kind of security
you use.
The attacker tries to guess which manufacturer your router
comes from, then looks up the documentation
online that gives the default password for that
particular router, or simply tries them all.
If the user never changed the password, the attacker
gets access to the whole network, can then
intercept all data that comes through the router,
and can copy/steal/destroy data from any
unsecured computer/server on the network.
26. Anatomy of a network attack
If guessing the router password doesn't work,
the attacker uses port-scanner software to see what
ports are open and/or being used on the router
firewall.
The attacker analyzes any captured packets and uses
knowledge of commonly used ports to infer what
kind of applications and operating system are being
used.
Forms a profile about your system. Looks up
any known vulnerabilities about your OS or
applications. Launches specific attack based on
the hardware/software profile.
27. Anatomy of a network attack
May try to infiltrate a single vulnerable system on
the network and span out to other systems.
Privilege escalation: once a single system is infiltrated,
the attacker tries to get admin access on that system.
Admin access allows attacker to access
other systems on the network.
A virus works this way on single
computers
A worm spreads to other systems.
29. Password Guessing/Cracking
Attacker researches you or your staff to gain info
about you.
Social media pages, pictures, etc.
Follow you and learn your habits, kids names, pet
names, favorite sports teams, etc.
They then use that information and software to
try to guess your password.
Use Brute force attacks:
Dictionary attack.
Rainbow table attacks
Can also just try default passwords or typical passwords.
30. How to mitigate your risks using
security policies and procedures:
INTERCEPTION AND IMPERSONATION
Only use secure networks.
Free Wi-Fi (Starbucks) is not secure and you have
zero privacy.
If on an unsecured wi-fi then use a VPN provider.
On work/home wireless networks make sure you
use the right encryption protocol.
WEP can be cracked usually in under an hour.
WPA2 is best, but if not available then at least use WPA.
31. How to mitigate your risks using
security policies and procedures:
INTERCEPTION AND IMPERSONATION
Only use secure websites, and restrict your
employees to accessing only trusted, secure
websites.
Secure websites start with HTTPS:// and they use
SSL (older) or TLS (newer) security protocols.
Download and use “HTTPS Everywhere” for Firefox
or Chrome browsers. It will force websites to use
Https by default if it is available.
Research website security if you will be providing it
with your personal / banking information.
32. Typical request for a secured Https:// website.
(Diagram: John Smith's browser and the web server exchange the site's public key and an encrypted symmetric key.)
Uses certificates to authenticate and encrypt.
Uses asymmetric and symmetric encryption.
33. Certificates: authentication
Used for Confidentiality because it authenticates
the person sending or receiving information.
Issued internally or by a third-party company known
as a Certificate Authority (CA).
CA verifies identity of website owner.
Digitally signs the certificate (akin to notarizing).
The CA has built up credibility, trust, and name
recognition so when the CA vouches for the
website, people will then trust the website.
34. Certificates: encryption
Used for Confidentiality because they are used
to encrypt communications.
They use asymmetric encryption: the public key is
listed on the certificate.
Users use the public key to encrypt information to
send to the web site.
Only the website has the private key to decrypt, so
if someone steals the data they can't read it.
Most often the asymmetric encryption is used only to
encrypt a symmetric key, because symmetric encryption is faster.
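The hybrid scheme the last three slides describe, as an added Go example that is not part of the presentation: Seal plays the browser, wrapping a fresh AES-256 key with the site's RSA public key and encrypting the message with AES-GCM, and Open plays the web server, unwrapping the key and rejecting any ciphertext that was altered in transit. The site's RSA key pair and the message are constructed by the caller, and the type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sealed is what crosses the network: the AES key wrapped with the site's RSA
// public key, plus the message encrypted and authenticated under that AES key.
type Sealed struct {
	WrappedKey []byte // RSA-OAEP ciphertext of the 256-bit AES key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output: message plus authentication tag
}

// newGCM turns a raw AES key into an authenticated-encryption cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal plays the browser: a random AES-256 key is wrapped with the site's
// public key (slow, but only 32 bytes), and the bulk message is encrypted
// with AES-GCM (fast, any size). Constructed example, not the deck's code.
func Seal(sitePub *rsa.PublicKey, msg []byte) (*Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, key, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Sealed{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Open plays the web server: only the private-key holder can unwrap the AES
// key, and GCM returns an error if the ciphertext was altered in transit.
func Open(sitePriv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sitePriv, s.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}
```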
35. How to mitigate your risks using
security policies and procedures:
NETWORK ATTACKS
Change default password on router and make it
something complex.
Make sure the firewall on router is adjusted to
restrict what type of traffic can come into and
leave the network.
Use encryption on your hard drives, individual
computers, and mobile devices in case your
network is compromised.
36. How to mitigate your risks using security
policies and procedures:
NETWORK ATTACKS
Harden each individual computer on the
network.
Firewall and Anti-virus on and updated.
Good patch management: always make sure
most recent OS and application updates are
installed.
Remember “Patch Tuesday” for Windows: it releases its
updates (if any) every 2nd Tuesday of the month and
sometimes the 4th Tuesday as well.
This is important because these often fix the “known
vulnerabilities” that attackers look for.
37. How to mitigate your risks using security
policies and procedures:
NETWORK ATTACKS
Use Restricted Access accounts to counter
malware and escalated privilege attacks.
Never actively use the administrator account.
When creating an account only give it the minimum
access needed.
Rename the admin account to something other
than “administrator” or “admin”.
38. How to mitigate your risks using security
policies and procedures:
PASSWORD CRACKING
Use long, complex passwords that include
symbols, numbers, and capital letters.
Never send your password / username through
email.
Change your password at least a couple times a
year. By the time an attacker figures out the
password, he will have to start all over with a
new password.
Configure password settings to prevent reuse of
previously used passwords.
39. How to mitigate your risks using security
policies and procedures:
DATA THEFT OR DESTRUCTION
Always back up your data to a remote location.
You are required to keep the file for at least 6 years.
Use encryption on all devices, computers, and
hard drives in case the data is stolen.
Encryption makes the data very difficult to read
without the key.
When using cloud providers for storage make sure
they are using encryption on their servers as well as
the upload/download process.
40. How to mitigate your risks using security
policies and procedures:
DATA THEFT OR DESTRUCTION
Tips for using encryption:
Premium editions of Windows 7 have ability to
encrypt at file level using “Bitlocker”
File level encryption can store all your sensitive data.
Good if you don't want to encrypt the entire hard drive.
If you use commercial encryption software, go with
AES (Advanced Encryption Standard) or Twofish.
AES is used by government, banks, etc.
Twofish is strong as well and is generally faster.
AES-256 (AES with a 256-bit key) is the best
available.
41. Malware
Prevention:
Anti-virus protection
Only use reputable vendors: Avast, McAfee, Etc.
Firewalls – Windows, Apple OSX have built in
firewalls.
Also implement the ones on your modem/router.
Make sure your operating system (OS) is up to
date.
Often, malware exploits vulnerabilities in
these in order to gain access.
43. Develop an overall security policy:
Put it in writing.
Educate your staff on it and then review it at least
twice a year.
It should address the following issues at
minimum:
Acceptable use of the computer
Which websites or type of websites are acceptable to visit
and which should not be used, etc.
Password policy.
Require at least 12 characters (with symbols and numbers)
No password shall be reused.
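The password rules on slide 38 and on this slide (at least 12 characters with symbols, numbers and capital letters; no reuse), as an added Go example that is not part of the presentation: Check enforces the rules, and Remember keeps the history as salted hashes so old passwords are never stored in the clear. The function names, the 16-byte salt and the use of SHA-256 for the history are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
	"unicode"
)

// MinLength follows the deck's policy: at least 12 characters.
const MinLength = 12
// Stored is one history entry: a salted SHA-256 hash, so old passwords are never kept
// in the clear. (A real store would use a slow hash such as bcrypt or Argon2; SHA-256 keeps this stdlib-only.)
type Stored struct {
	Salt, Hash []byte
}

func hashWith(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// Remember appends pw to the history under a fresh random salt.
func Remember(history []Stored, pw string) ([]Stored, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return history, err
	}
	return append(history, Stored{salt, hashWith(salt, pw)}), nil
}

// Check returns nil when pw meets the length and complexity rules and matches
// nothing in the history; hashes are compared in constant time.
func Check(pw string, history []Stored) error {
	symbol := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	if len([]rune(pw)) < MinLength {
		return errors.New("too short")
	}
	if strings.IndexFunc(pw, unicode.IsUpper) < 0 || strings.IndexFunc(pw, unicode.IsDigit) < 0 || strings.IndexFunc(pw, symbol) < 0 {
		return errors.New("needs a capital letter, a digit and a symbol")
	}
	for _, old := range history {
		if subtle.ConstantTimeCompare(hashWith(old.Salt, pw), old.Hash) == 1 {
			return errors.New("password was used before")
		}
	}
	return nil
}
```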
44. Develop an overall security policy:
How often backup should be done.
Where the backup will be stored (cloud provider,
removable hard drive, offsite computer or server)
Patch Management: all systems set to automatically
update or calendar patch Tuesdays for updates.
Email Policy: no opening emails from unknown
persons unless you are expecting it. No clicking links
within emails.
Network access: no free wi-fi in your office.
Password changing for routers.
Physical security: No one left with computers, etc.
45. Other non-technical things you can do
Draft a file retention policy. If you voluntarily
hold on to the file longer than you are required
to, you increase your cost of securing
the file and the risk of a breach. (Applies to Category 2 & 3,
see Formal Opinion 2010-02.)
Take the same actions on your home office.
Train, Educate, and Enforce.