Bench&Bar of Minnesota, March 2014, www.mnbar.org
What You Don’t Know Can Hurt You
Computer Security for Lawyers
By Mark Lanterman
Illustration © John Martin, Illustrationsource.com
Over the past ten years, the landscape of consumer technologies has changed drastically. Thanks to rapid development and innovation, we now carry in our pockets computers as powerful as those that took us to the moon. The resulting convenience and broad access to information is extraordinarily valuable, but easily blinds consumers—and oftentimes vendors—to the parallel growth of security risks.
Personal technology inherently is a
container for confidential information.
This is especially true within the
professional sphere, as lawyers, doctors,
and other professionals have come to rely
on such technology to manage business
and personal information involving
clients and private relationships.
Consequently, cyber criminals have
seen opportunities with the popularity
and capability of electronic devices
growing. This has left many individuals,
corporations, and government
organizations vulnerable.
In the legal profession, clients expect that their representation by a lawyer ensures the confidentiality of their digital information. But while future lawyers in law school learn much about the importance of maintaining client confidentiality, oftentimes digital information security is absent from the curriculum. Although the learning curve associated with computer security is steep, understanding it is absolutely necessary—especially as a legal professional.
Remote Intrusion
One primary concern in regards to computer security is remote intrusion, usually by way of malicious software, otherwise known as “malware” or a “virus.” Malware is diverse; different malware is designed with a variety of purposes and capabilities. While there is no such thing as “benign” malware, some types are less threatening. For instance, some malware collects data simply to advertise to you. But this malware is easily detected because the user observes a rash of pop-up windows advertising the latest as-seen-on-TV product.
More often than not, however, the
presence of malware is not immediately
obvious by its design. Several malware
variants are able to suspend a system’s
antivirus software to avoid detection.
The reason for this is simple: Cyber
criminals want to be able to compromise
your data for the longest time span
possible. Frighteningly, cyber criminals
using malware can monitor a computer
user’s activity without detection. Such
malware can capture and transmit
screenshots and keystrokes all without
providing any indication to the user.
Other variants are specifically tailored
to wait for activity of interest, such as
online login credentials and financial
activity. Some other strains can even
delete, hide or lock your files.
Irrespective of its function and as its
name suggests, malware always has the
potential to be seriously detrimental.
Consequently, related data breaches
can lead to catastrophic damage to your
reputation and expose you to potential
litigation. Defending against malware
and protecting your clients’ data should
be a first priority when working from any
electronic data storage device connected
to the Internet.
Risks & Remedies
You can shield yourself from malware breach of both your and your clients’ data with a few simple preventative measures. While there are a vast number of vehicles by which malware is downloaded, the following practices will lower your probability of introducing malware to your system. Again, please note that this list is not all-inclusive.
Phishing. One of the most well-known tactics employed by cyber criminals is known as “phishing.” Phishing is the process by which cyber thieves are able to lure unsuspecting victims to a malicious link that executes malware. These malicious links are usually presented to a user through an email message. Remember the message from that poor Nigerian prince? By clicking on the link presented in such a message, the user unknowingly initiates the malware by accessing the hacker’s webserver.
Spear-Phishing. Even more unsettling than simple phishing is a “spear-phishing” attack. Unlike phishing, which tries to entice a response from many email addresses, spear-phishing is a directed attack. Cyber criminals gather information about a victim, which is then used to construct a fraudulent email, intended to trick the victim. Rather than being obviously nefarious, these emails are very realistic. For example, I recently assisted an attorney who had received an email purporting to be from the court. The email indicated that the attorney had failed to successfully e-file his motion and that the court would dismiss his case with prejudice unless the attorney would “click here to complete your case e-filing.” Unfortunately, the attorney clicked, and downloaded malware that allowed hackers remote access to the attorney’s computer. Due to their nature, phishing attacks are not problematic unless the user clicks on the link to the malicious webserver within the message. Before you click, “hover” your cursor over the link to see the true URL—the link that appears in text as attorneyalert.com may in fact link to gotcha-sucker.ru or something similar. In short, avoid clicking on web links contained in an email message, especially those that look “phishy.”
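
The "hover" check described above can be automated for an HTML message. The following is an added example, not code from the article or its author: it lists every link in a message body and compares the address the text displays with the host the link really targets. The function name `audit_links`, the verdict labels and the sample message are assumptions made for illustration, and the host comparison is a simplification that does not consult a public-suffix list.

```python
"""Added example: compare what an e-mail link displays with where it really goes."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself a web address or a bare domain name.
DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

# Constructed sample, modelled on the fake court notice described in the article.
SAMPLE_EMAIL_HTML = """
<p>Your motion was not successfully e-filed.</p>
<p><a href="http://gotcha-sucker.ru/efile">click here to complete your case e-filing</a></p>
<p>Notice posted at <a href="http://gotcha-sucker.ru/notice">attorneyalert.com</a>.</p>
<p>Bar association: <a href="https://www.mnbar.org/">www.mnbar.org</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def strip_www(host):
    """Lowercase a host name and drop a leading 'www.' so equivalent hosts compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html_body):
    """Return one finding per web link: its text, its real host and a verdict.

    verdict is 'mismatch' when the text names one site and the link goes to
    another, 'match' when they agree (same host or a subdomain of it), and
    'opaque' when the text names no site at all, e.g. "click here".
    """
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        try:
            parts = urlsplit(href.strip())
        except ValueError:
            continue  # malformed address; nothing to compare
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue  # mailto:, in-page anchors and similar are out of scope
        target = strip_www(parts.hostname)
        shown = DOMAIN_RE.match(text)
        if shown is None:
            verdict = "opaque"
        else:
            claimed = strip_www(shown.group(1))
            same = target == claimed or target.endswith("." + claimed)
            verdict = "match" if same else "mismatch"
        findings.append({"text": text, "target_host": target, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(f'{finding["verdict"]:9} {finding["target_host"]:20} {finding["text"]}')
```

An "opaque" result is not a clean bill of health: the text gives nothing to compare against, so the target host itself has to be judged.
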
Free Downloads. Be diligent when accessing material from any webpage. But be particularly wary of sites that offer free viewing or downloading of copyrighted material, such as those that offer free television programs, movies, and pirated software. These sites are often hosted within countries with lax computer security laws. As a result, these websites are able to deliver malware by exploiting a web browser, like Internet Explorer or Google Chrome. Once the web browser is compromised, additional malware can then be queued to download. So, resist the urge to search online for a pirated version of the latest episode of your favorite TV show.
The burgeoning growth of electronic communications has offered lawyers
convenience and efficiency previously unimagined. But the benefits have not come
without costs, including heightened risks that data may be lost or confidentiality
breached. Knowing these risks and how to meet them is increasingly critical.
Outdated Software. Another critical practice for ensuring the protection of your data is keeping any system you use up-to-date. Almost always, vendors update their products, including operating systems, to patch known security holes. This is because the longer an iteration of a piece of software is available, the more time cyber criminals have to develop malware to exploit potential vulnerabilities. As a result, older software often presents an easy target for cyber criminals wanting to gain unauthorized access to a computer. Therefore, updating all software regularly lowers the chance of a malware breakout.
Simple Safeguards. So what safeguards exist to protect yourself against malware infiltration of your computer? First, ensure that your system has a strong password. A “strong” password is considered to be a combination of 8-12 uppercase and lowercase letters, numbers, and special characters. Try not to reuse the passwords you use for online sites as the password for your system, or vice versa. If your password is easy to crack or guess, using it for multiple purposes enables cyber criminals to gain access to even more of your data.
Second, install antivirus software and keep it up to date. Installing antivirus software is a logical, low-cost first step, but it is of little use if not maintained properly. It is considered best practice to regularly ensure that your antivirus software is functioning properly and is completely updated with the latest definitions of known malware and unknown malware behavioral patterns.
While antivirus software is certainly recommended and required by most standards, prevention is still the best medicine. Antivirus software is usually reliable for identifying known malware, but it can miss undiscovered strains. Furthermore, as previously mentioned, some malware is specifically designed to disable antivirus software to carry out data theft, so the best way of protecting yourself is by maintaining good computer security habits. But these preventative measures are only effective if all users of a computer adhere to them. It is the responsibility of a legal professional to not only remain informed about computer security, but also to foster a culture of security in her or his practice.
Mobile Device Security
Lawyers, like anyone else, greatly appreciate the convenience of mobile computing. It makes things like client communications fast and easy and allows work to be done anywhere. As such, it also exposes your data to risk anywhere. So it’s important to ensure the protection of your own and your clients’ data, even when outside of the office.
Risks of Loss or Theft. Mobile devices, such as laptops, smart phones, PDAs and other portable electronic storage devices pose distinct threats to data security. First and foremost, these devices are easier to lose than a clunky 30-pound desktop computer. They are also attractive to most thieves. Therefore, it is absolutely critical that they are protected against breaches that could occur as a result of loss or theft.
Using strong passwords and enabling the ability to erase data remotely can achieve this. Strong passwords or passcodes on cell phones may deter a would-be data thief from attempting to gain access to the device’s data. But the preferable option is to use a mobile device that has the capability to be locked or erased remotely. If used in a timely manner, this function bars a thief from accessing your data. Luckily, upcoming legislation may force phone manufacturers to include such capabilities in their mobile products so data can be protected in the event that a device is lost or stolen. Other than passwords and remote data protection capabilities, most phones leave much to be desired as far as security.
Encryption. In the case of other forms of portable devices, like laptops and external hard drives or thumb drives, encryption is an important tool that can ensure the protection of your data. Encryption safeguards data by scrambling it, making it useless without a password or security token. Here again it’s important to always choose passwords that are not easily cracked or guessed. Without the password or token, the encrypted device is completely inoperable and, consequently, access to the data is restricted. Full drive encryption is a feature of some laptops and certain versions of Windows, and is available as add-on software. In short, encryption is an accepted tool for safeguarding data on laptops and external media when you need to take the device away from the office.
Wi-Fi Risks. While physical protection of your portable device is always important, an alarming new hacker trend also may compromise data without proper safeguards. More specifically, there is always risk when using Wi-Fi networks. Wireless connections are vulnerable and can allow for the interception of your confidential communications. This method is more commonly used than device-specific malware for stealing data from laptops and mobile devices. With the help of a small, easy-to-build device known as a “rogue access point,” hackers are able to foil the encryption security of web pages. In this way the hacker, unbeknownst to the user, can intercept usernames and passwords that are usually encrypted as part of the webpage as they are entered. Having intercepted these data, the hacker can profile your computer usage and gain access to your confidential material on websites. In order to force this encryption, bookmark your important sites by manually adding “https://www” to the URL, rather than by relying simply on the default “www.”
Note also that there is a risk in
having devices set to automatically join
known networks. Rogue access points
are frequently used to spoof one of your
known, trusted networks. Essentially,
the rogue access point is able to accept
the trusted Wi-Fi SSID (the “service
set identifier” that allows devices on
the wireless network to recognize and
communicate with each other) and
password broadcasted by your device.
As a result, a hacker can monitor your
network use. As a general rule, never
transmit confidential data via public
Wi-Fi networks, but rather through a
cellular “hotspot” available from cellular
network providers.
Wi-Fi interception tactics can be inhibited by use of what is known as a VPN client. A VPN client or service automatically encrypts all network traffic flowing in and out of a given device and thereby disallows interception of your data.
Cloud Storage: A New Frontier
Related to web security is another service that attorneys often use, known as “Cloud” storage. Cloud storage services such as DropBox, SkyDrive, and iCloud make files accessible from anywhere on any Internet-connected device. But as is typical with widely used, convenient, file-storage solutions, they also pose unique ethical considerations for data security. While these services themselves usually maintain strong security protocols, users should still be aware that breaches of Cloud services are possible and have happened. Additionally, login credentials for these services could be compromised by the aforementioned malware or “rogue access point” attacks. Therefore, additional layers of security should be employed to take full advantage of the convenience of the Cloud.
When using the Cloud, ensure that all your files are at least password-protected and ideally encrypted. This is a simple practice and can be accomplished with readily available software tools. Uploading only protected files to the Cloud thwarts a hacker’s attempt to access confidential data should they successfully compromise your Cloud account.
Data Loss & Corruption
Technology, although usually reliable,
is certainly not free from the risk of
breaking down. Even the most diligent
computer users can still fall victim to data
loss. Sometimes data loss is accidental,
other times it’s due to malware or
physical device failure. Electronic
storage devices have thousands of
components and should any one of
them fail, the data could permanently
be lost. Further, modern malware is
usually never solitary; it snowballs from
an initial infection, which subsequently
downloads progressively more advanced
malware. As a result, some malware
infections cannot be fully eradicated
without a fresh installation of the
operating system.
In order to protect your own and your
clients’ data it is important to maintain
frequent, quality backups. The cost of
many backup programs and external
media has dropped significantly so this
should not be an inordinate expense. If
you ever become the victim of malware,
disaster or other device failure, backups
may be the only way to preserve your
reputation and protect data entrusted to
you by your clients.
Conclusion
Important documents no longer
exist in a safe vacuum, thanks to the
Internet. As online citizens, lawyers
have heightened ethical obligations to
consider how best to protect their own
and their clients’ data. Following the
basic security practices outlined above,
you can protect yourself at the office and
at home. Always keep your software
updated, your passwords strong, and
your online habits safe. But know your
limits and recognize when you need
professional help. As any lawyer will
agree, continuing education is essential
to staying effective in an ever-changing
field. Computers have added a new
dimension to the practice that should be
carefully considered.
Mark Lanterman is
CEO and Chief Technology
Officer for Computer
Forensic Services, based
in Minnetonka, MN. He
has over 11 years of law
enforcement experience
as a police investigator,
culminating as a member
of the U.S. Secret Service Electronic Crimes
Task Force. Lanterman has successfully led
thousands of forensic investigations with large
legal organizations, Fortune 500 corporations, and
governmental organizations.
Uploading only protected
files to the Cloud thwarts a
hacker’s attempt to access
confidential data should they
successfully compromise
your Cloud account.

More Related Content

PPTX
What is Phishing - Kloudlearn
PPTX
What is a Malware - Kloudlearn
PPSX
Technology Training - Security, Passwords & More
PPTX
Information security
PDF
Cyber Privacy & Password Protection
PPTX
Security threats and attacks in cyber security
PDF
A Guide to Internet Security For Businesses- Business.com
PPT
At Your Expense
What is Phishing - Kloudlearn
What is a Malware - Kloudlearn
Technology Training - Security, Passwords & More
Information security
Cyber Privacy & Password Protection
Security threats and attacks in cyber security
A Guide to Internet Security For Businesses- Business.com
At Your Expense

What's hot (19)

PPT
Ia 124 1621324160 ia_124_lecture_02
PDF
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
PDF
Five habits that might be a cyber security risk
PDF
PDF
How To Catch a Phish: User Awareness and Training
PPTX
Name parul
PDF
Students, the internet and COVID-19 by Ayush Chopra | MAY 2020 | Issue 1
PDF
Cyber Security in the Age of Globalization
PDF
Axxera End Point Security Protection
PPTX
Digital security
DOC
Cyber crime final report
PPTX
Cyber crime social media &; family
PPTX
CYBER CRIME AWARENESS (Thematic Presentation)
DOCX
Cyber security.docx
PPT
Internet safety v 4 slides and notes
PPTX
PDF
Cyber Crime Types & Tips
PPTX
Cyber crime and its types
PPTX
Security Threats to Electronic Commerce
Ia 124 1621324160 ia_124_lecture_02
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
Five habits that might be a cyber security risk
How To Catch a Phish: User Awareness and Training
Name parul
Students, the internet and COVID-19 by Ayush Chopra | MAY 2020 | Issue 1
Cyber Security in the Age of Globalization
Axxera End Point Security Protection
Digital security
Cyber crime final report
Cyber crime social media &; family
CYBER CRIME AWARENESS (Thematic Presentation)
Cyber security.docx
Internet safety v 4 slides and notes
Cyber Crime Types & Tips
Cyber crime and its types
Security Threats to Electronic Commerce
Ad

Viewers also liked (12)

PDF
Genossenschaftliche idee erfolgsgarant in der digitalen ökonomie
PPT
HTML
DOCX
Janet Lauseng Resume
PDF
PPTX
Pesti si reptile
PDF
fatigue_handbook_a5
PPTX
Diet Tips in ANEMIA MS. KOMAL BHANSALI MS. MEENU RAJORA MS. MILI SHARMA DR....
PPTX
Curious look into Observational studies
PDF
Patient guide for post stroke care
ODP
Hyaluronic acid
PPSX
Reuters: Pictures of the Year 2016 (Part 2)
PDF
Eclipse Capital Special Situations Presentation
Genossenschaftliche idee erfolgsgarant in der digitalen ökonomie
HTML
Janet Lauseng Resume
Pesti si reptile
fatigue_handbook_a5
Diet Tips in ANEMIA MS. KOMAL BHANSALI MS. MEENU RAJORA MS. MILI SHARMA DR....
Curious look into Observational studies
Patient guide for post stroke care
Hyaluronic acid
Reuters: Pictures of the Year 2016 (Part 2)
Eclipse Capital Special Situations Presentation
Ad

Similar to Computer Security for Lawyers (20)

PDF
ComputerSecurity-Brochure
PDF
IT Security.pdf
PDF
Week3-CyberSecurity 8th Semester important.pdf
PPTX
CYBER SECURITY AWARENESS TRAINING FOR FINANCE PROFESSIONALS
PPTX
2nd Class PPT.pptx
PDF
fundamentals of Cybersecurity Lesion 1.pdf
PPTX
Internet security
PPT
Cyber-Security-.ppt
PPT
Cyber Security-Foundation.ppt
PPT
Cyber-Security.ppt
PDF
Don't Diligence Information Security for Lawyers
PPTX
Today's technology and you: Safe computing in a digital world - Eric Vanderbu...
PPTX
Internet safety and you
PPT
091005 Internet Security
PPTX
Computer security risks
PPT
Cyber-Security-20211013105857.ppt
PDF
In computer security, a vulnerability is a weakness which allows an .pdf
PDF
Computer security risks
PPT
Cyber-Security-20211013105857.ppt
PPT
Cyber-Security-20211013105857.ppt
ComputerSecurity-Brochure
IT Security.pdf
Week3-CyberSecurity 8th Semester important.pdf
CYBER SECURITY AWARENESS TRAINING FOR FINANCE PROFESSIONALS
2nd Class PPT.pptx
fundamentals of Cybersecurity Lesion 1.pdf
Internet security
Cyber-Security-.ppt
Cyber Security-Foundation.ppt
Cyber-Security.ppt
Don't Diligence Information Security for Lawyers
Today's technology and you: Safe computing in a digital world - Eric Vanderbu...
Internet safety and you
091005 Internet Security
Computer security risks
Cyber-Security-20211013105857.ppt
In computer security, a vulnerability is a weakness which allows an .pdf
Computer security risks
Cyber-Security-20211013105857.ppt
Cyber-Security-20211013105857.ppt

Computer Security for Lawyers

  • 1. Bench&Bar of Minnesota s March 2014 www.mnbar.org What You Don’t Know Computer Security for Lawyers By Mark Lanterman Can Hurt YouCan Hurt You Illustration©JohnMartin,Illustrationsource.com
  • 2. www.mnbar.org March 2014 s BenchBar of Minnesota O ver the past ten years, the landscape of con- sumer technologies has changed drastically. Thanks to rapid devel- opment and innova- tion, computers as powerful as those that took us to the moon now we carry in our pockets. The resulting convenience and broad access to information is extraor- dinarily valuable, but easily blinds con- sumers—and oftentimes vendors—to the parallel growth of security risks. Personal technology inherently is a container for confidential information. This is especially true within the professional sphere, as lawyers, doctors, and other professionals have come to rely on such technology to manage business and personal information involving clients and private relationships. Consequently, cyber criminals have seen opportunities with the popularity and capability of electronic devices growing. This has left many individuals, corporations, and government organizations vulnerable. In the legal profession, clients expect that their representation by a lawyer en- sures the confidentiality of their digital information. But while future lawyers in law school learn much about the impor- tance of maintaining client confiden- tiality, oftentimes digital information security is absent from the curriculum. Although the learning curve associated with computer security is steep, under- standing it is absolutely necessary— especially as a legal professional. Remote Intrusion One primary concern in regards to computer security is remote intrusion, usually by way of malicious software, otherwise known as “malware” or a “vi- rus.” Malware is diverse; different mal- ware is designed with a variety of pur- poses and capabilities. While there is no such thing as “benign” malware, some types are less threatening. For instance, some malware collects data simply to ad- vertise to you. 
But this malware is easily detected because the user observes a rash of pop-up windows advertising the latest as-seen-on-TV product. More often than not, however, the presence of malware is not immediately obvious by its design. Several malware variants are able to suspend a system’s antivirus software to avoid detection. The reason for this is simple: Cyber criminals want to be able to compromise your data for the longest time span possible. Frighteningly, cyber criminals using malware can monitor a computer user’s activity without detection. Such malware can capture and transmit screenshots and keystrokes all without providing any indication to the user. Other variants are specifically tailored to wait for activity of interest, such as online login credentials and financial activity. Some other strains can even delete, hide or lock your files. Irrespective of its function and as its name suggests, malware always has the potential to be seriously detrimental. Consequently, related data breaches can lead to catastrophic damage to your reputation and expose you to potential litigation. Defending against malware and protecting your clients’ data should be a first priority when working from any electronic data storage device connected to the Internet. Risks Remedies You can shield yourself from malware breach of both your and your clients’ data with a few simple preventative measures. While there are a vast number of vehicles by which malware is down- loaded, the following practices will lower your probability of introducing malware to your system. Again, please note that this list is not all-inclusive. Phishing. One of the most well- known tactics employed by cyber crimi- nals is known as “phishing.” Phishing is the process by which cyber thieves are able to lure unsuspecting victims to a malicious link that executes malware. These malicious links are usually pre- sented to a user through an email mes- sage. Remember the message from that poor Nigerian prince? 
By clicking on the link presented in such a message, the user unknowingly initiates the malware by accessing the hacker’s webserver. Spear-Phishing. Even more unset- tling than simple phishing is a “spear- phishing” attack. Unlike phishing, which tries to entice a response from many email addresses, spear-phishing is a directed attack. Cyber criminals gath- er information about a victim, which is then used to construct a fraudulent email, intended to trick the victim. Rather than being obviously nefarious, these emails are very realistic. For exam- ple, I recently assisted an attorney who had received an email purporting to be from the court. The email indicated that the attorney had failed to successfully e- file his motion and that the court would dismiss his case with prejudice unless the attorney would “click here to complete your case e-filing.” Unfortunately, the attorney clicked, and downloaded mal- ware that allowed hackers remote ac- cess to the attorney’s computer. Due to their nature, phishing attacks are not problematic unless the user clicks on the link to the malicious webserver within the message. Before you click, “hover” your cursor over the link to see the true URL—the link that appears in text as at- torneyalert.com may in fact link to gotcha- sucker.ru or something similar. In short, avoid clicking on web links contained in an email message, especially those that look “phishy.” Free Downloads. Be diligent when accessing material from any webpage. But be particularly wary of sites that of- fer free viewing or downloading of copy- righted material, such as those that offer free television programs, movies, and pirated software. These sites are often hosted within countries with lax com- puter security laws. As a result, these websites are able to deliver malware by exploiting a web browser, like Internet Explorer or Google Chrome. Once the web browser is compromised, additional malware can then be queued to down- load. 
So, resist the urge to search online for a pirated version of the latest episode of your favorite TV show. The burgeoning growth of electronic communications has offered lawyers convenience and efficiency previously unimagined. But the benefits have not come without costs, including heightened risks that data may be lost or confidentiality breached. Knowing these risks and how to meet them is increasingly critical.
  • 3. BenchBar of Minnesota s March 2014 www.mnbar.org Outdated Software. Another criti- cal practice for ensuring the protection of your data is keeping any system you use up-to-date. Almost always, vendors update their products, including oper- ating systems, to patch known security holes. This is because the longer an iteration of a piece of software is avail- able, the more time cyber criminals have to develop malware to exploit potential vulnerabilities. As a result, older soft- ware often presents an easy target for cy- ber criminals wanting to gain unauthor- ized access to a computer. Therefore, updating all software regularly lowers the chance of a malware breakout. Simple Safeguards. So what safe- guards exist to protect yourself against malware infiltration of your computer? First, ensure that your system has a strong password. A “strong” password is considered to be a combination of 8-12 uppercase and lowercase letters, num- bers, and special characters. Try not to reuse passwords you use to access online sites to access your system or vice versa. If your password is easy to crack or guess, using it for multiple purposes enables cy- ber criminals to gain access to even more of your data. Second, install antivirus software and keep it up to date. Installing antivirus software is a logical, low-cost first step, but it is of little use if not maintained properly. It is considered best practice to regularly ensure that your antivirus software is functioning properly and is completely updated with the latest defi- nitions of known malware and unknown malware behavioral patterns. While antivirus software is certainly recommended and required by most standards, prevention is still the best medicine. Antivirus software is usually reliable for identifying known malware, but it can miss undiscovered strains. 
Furthermore, as previously mentioned, some malware is specifically designed to disable antivirus software to carry out data theft, so the best way of protecting yourself is by maintaining good comput- er security habits. But these preventative measures are only effective if all users of a computer adhere to them. It is the re- sponsibility of a legal professional to not only remain informed about computer security, but also to foster a culture of se- curity in her or his practice. Mobile Device Security Lawyers, like anyone else, greatly appreciate the convenience of mobile computing. It makes things like client communications fast and easy and allows work to be done anywhere. As such, it also exposes your data to risk anywhere. So it’s important to ensure the protec- tion of your own and your clients’ data, even when outside of the office. Risks of Loss or Theft. Mobile devic- es, such as laptops, smart phones, PDAs and other portable electronic storage devices pose distinct threats to data se- curity. First and foremost, these devices are easier to lose than a clunky 30-pound desktop computer. They are also attrac- tive to most thieves. Therefore, it is ab- solutely critical that they are protected against breaches that could occur as a result of loss or theft. Using strong passwords and enabling the ability to erase data remotely can achieve this.  Strong passwords or passcodes on cell phones may deter a would-be data thief from attempting to gain access to the device’s data.  But the preferable option is to use a mobile device that has the capability to be locked or erased remotely.   If used in a timely manner, this function bars a thief from accessing your data. Luckily, upcoming legislation may force phone manufacturers to include such capabilities in their mobile products so data can be protected in the event that a device is lost or stolen. 
Other than passwords and remote data protection capabilities, most phones leave much to be desired as far as security is concerned.

Encryption. In the case of other forms of portable devices, like laptops and external hard drives or thumb drives, encryption is an important tool that can ensure the protection of your data. Encryption safeguards data by scrambling it, making it useless without a password or security token. Here again it’s important to always choose passwords that are not easily cracked or guessed. Without the password or token, the encrypted device is completely inoperable and, consequently, access to the data is restricted. Full drive encryption is a feature of some laptops and certain versions of Windows, and is available as add-on software. In short, encryption is an accepted tool for safeguarding data on laptops and external media when you need to take the device away from the office.

Wi-Fi Risks. While physical protection of your portable device is always important, an alarming new hacker trend may also compromise data that lacks proper safeguards. More specifically, there is always risk when using Wi-Fi networks. Wireless connections are vulnerable and can allow for the interception of your confidential communications. This method is more commonly used than device-specific malware for stealing data from laptops and mobile devices. With the help of a small, easy-to-build device known as a “rogue access point,” hackers are able to foil the encryption security of web pages. In this way the hacker, unbeknownst to the user, can intercept usernames and passwords that are usually encrypted as part of the webpage as they are entered. Having intercepted these data, the hacker can profile your computer usage and gain access to your confidential material on websites. In order to force this encryption, bookmark your important sites by manually adding “https://www” to the URL, rather than by relying simply on the default “www.”

Note also that there is a risk in having devices set to automatically join known networks. Rogue access points are frequently used to spoof one of your known, trusted networks. Essentially, the rogue access point is able to accept the trusted Wi-Fi SSID (the “service set identifier” that allows devices on the wireless network to recognize and communicate with each other) and password broadcast by your device. As a result, a hacker can monitor your network use. As a general rule, never transmit confidential data via public Wi-Fi networks, but rather through a cellular “hotspot” available from cellular network providers.

Wi-Fi interception tactics can be inhibited by use of what is known as a VPN client. A VPN client or service automatically encrypts all network traffic flowing in and out of a given device and thereby disallows interception of your data.

Cloud Storage: A New Frontier

Related to web security is another service that attorneys often use, known as “Cloud” storage. Cloud storage services such as DropBox, SkyDrive, and iCloud make files accessible from anywhere on any Internet-connected device. But as is typical with widely used, convenient file-storage solutions, they also pose unique ethical considerations for data security. While these services themselves usually maintain strong security protocols, users should still be aware that breaches of Cloud services are possible and have happened.
Additionally, login credentials for these services could be compromised by the aforementioned malware or “rogue access point” attacks. Therefore, additional layers of security should be employed to take full advantage of the convenience of the Cloud. When using the Cloud, ensure that all your files are at least password-protected and ideally encrypted. This is a simple practice and can be accomplished with readily available software tools. Uploading only protected files to the Cloud thwarts a hacker’s attempt to access confidential data should they successfully compromise your Cloud account.

Data Loss & Corruption

Technology, although usually reliable, is certainly not free from the risk of breaking down. Even the most diligent computer users can still fall victim to data loss. Sometimes data loss is accidental; other times it’s due to malware or physical device failure. Electronic storage devices have thousands of components and should any one of them fail, the data could permanently be lost. Further, modern malware is rarely solitary; it snowballs from an initial infection, which subsequently downloads progressively more advanced malware. As a result, some malware infections cannot be fully eradicated without a fresh installation of the operating system.

In order to protect your own and your clients’ data it is important to maintain frequent, quality backups. The cost of many backup programs and external media has dropped significantly, so this should not be an inordinate expense. If you ever become the victim of malware, disaster or other device failure, backups may be the only way to preserve your reputation and protect data entrusted to you by your clients.

Conclusion

Important documents no longer exist in a safe vacuum, thanks to the Internet. As online citizens, lawyers have heightened ethical obligations to consider how best to protect their own and their clients’ data.
By following the basic security practices outlined above, you can protect yourself at the office and at home. Always keep your software updated, your passwords strong, and your online habits safe. But know your limits and recognize when you need professional help. As any lawyer will agree, continuing education is essential to staying effective in an ever-changing field. Computers have added a new dimension to the practice that should be carefully considered.

Mark Lanterman is CEO and Chief Technology Officer for Computer Forensic Services, based in Minnetonka, MN. He has over 11 years of law enforcement experience as a police investigator, culminating as a member of the U.S. Secret Service Electronic Crimes Task Force. Lanterman has successfully led thousands of forensic investigations with large legal organizations, Fortune 500 corporations, and governmental organizations.
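The Wi-Fi section's warning about devices set to automatically join known networks can be checked on a machine. The following is an added example, not part of the original article: it assumes a Linux laptop whose saved networks are NetworkManager keyfile profiles, and the sample profiles, function names and risk labels are constructed for illustration.

```python
import configparser

# Constructed sample profiles (not from the article) in NetworkManager keyfile
# format, as stored under /etc/NetworkManager/system-connections/ on Linux.
SAMPLE_PROFILES = {
    "CoffeeShop": "[connection]\ntype=wifi\n[wifi]\nssid=CoffeeShop_Free\n",
    "Office": "[connection]\ntype=wifi\nautoconnect=true\n[wifi]\nssid=FirmWLAN\n"
              "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Hotel": "[connection]\ntype=wifi\nautoconnect=false\n[wifi]\nssid=HotelGuest\n",
    "Wired": "[connection]\ntype=ethernet\n",
}

def audit_profile(text):
    """Return (ssid, level, reason) for a saved Wi-Fi profile, None otherwise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback="?")
    # NetworkManager treats a missing autoconnect key as true.
    if not cp.getboolean("connection", "autoconnect", fallback=True):
        return ssid, "ok", "joined only when the user selects it"
    if not cp.has_section("wifi-security"):
        # Open network: the SSID is the only thing a look-alike AP must copy.
        return ssid, "high", "open network, auto-joins any AP using this SSID"
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback="")
    if key_mgmt == "wpa-psk":
        return ssid, "medium", "auto-joins any AP that has this SSID and passphrase"
    return ssid, "review", "auto-joins using key-mgmt=" + key_mgmt

def audit_all(profiles):
    """Audit every profile and return findings sorted with highest risk first."""
    order = {"high": 0, "medium": 1, "review": 2, "ok": 3}
    found = []
    for name, text in profiles.items():
        result = audit_profile(text)
        if result:
            found.append((name,) + result)
    return sorted(found, key=lambda f: order[f[2]])

if __name__ == "__main__":
    for name, ssid, level, reason in audit_all(SAMPLE_PROFILES):
        print(f"[{level:6}] {name} ({ssid}): {reason}")
```

Profiles reported as "high" are the ones to delete or set to manual connection first, since nothing but the network name distinguishes the real access point from an impostor.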