Law Office Computing
May 2002
Winton Woods

Some Dangers of the Internet: Hackers, Crackers and Other Nefarious People

A few months ago in this column I discussed the need for law firms to be aware of the liability implications of potential loss of client information following a substantial disaster that destroys data stored in the firm's computer system. My concerns in that column were focused on the physical destruction of the media upon which that information was stored and backed up. In this column I will direct my attention to professional standards of care relating to other kinds of security issues. I will not here be concerned with ordinary virus protection or regular offsite backup. Today I will talk about attacks from others outside the firm who seek to destroy data and raise havoc with your office system, sometimes just for the fun of the break-in. This is what Watergate would have been in this century and it is happening with frightening regularity. Many times, the victims are totally unaware of the damage to their system and data.
A recent CSTB Report notes that U.S. computer systems are increasingly vulnerable to cyber attack primarily because computer users are not implementing easily available security techniques. The Computer Science and Telecommunications Board (www.cstb.org) noted in that report that "from an operational standpoint, cyber security today is far worse than what . . . best practices can provide."


The Board made particular note of the fact that currently available technology can provide relatively simple and cost-effective levels of security well beyond that implemented in most offices. Law offices are particularly vulnerable to cyber attack from hackers, viruses and such things as Trojan horses and DoS (denial of service) attacks because the nature of the data they store is often highly sensitive client information. In one of the most common attacks, a hacker using a variety of techniques actually enters a computer system and places a small application or program on the victim's computer. One of the simplest and most common of these programs uses the victim's contact list to send a destructive virus to each contact in the victim's phonebook. These "collateral victims" end up receiving an email that appears to have been sent from the primary victim's computer. Many computer users will assume that because the email appears to be from a known source, it is safe to open the attachment. When the attachment is opened, however, it runs a hidden program that can destroy the victim's computer or result in the total loss of important information.
Using the above scenario as one very common example, what would your clients think if they received a destructive virus that appeared to come from your office? To put a finer point on it, ask yourself whether your potential liability is dependent upon the fact that the destructive force came from a source that was masquerading as your computer system? I think the answer to that question is that you have potential liability if it was reasonably possible for you to avoid an event that is increasingly ordinary. In other words, I believe that lawyers have a professional obligation to implement adequate and easily available security on our computers and computer networks. I know that most of us have not done that and I have become alarmed.


To the extent that our computer systems utilize the Internet we are at great risk. Even if a firm does not have Internet connectivity, data is at risk from persons who may have access to the firm's network inside the office itself. In other words, your in-house security is dependent upon the trustworthiness and integrity of all who have access to your computer system, including repair persons, vendors and others who come in from the outside. If you connect to the Internet the risk is even greater.
At the recent ABA TechShow 2002, Steve Gibson, one of the top two or three network security experts in the world, delivered the keynote address. Steve's point was simple and direct. He said it is virtually impossible to completely protect yourself from hackers and crackers that are about on the Internet but that there is much you can do to reduce the risk by utilizing fairly simple techniques and tools. You will probably be surprised to learn that your computer system is vulnerable because you have left secret backdoors open on the Internet. You can go to Steve's web site at www.grc.com and run his "ShieldsUp" program to test the vulnerability of your computer system. I believe that you will be shocked at what you find. If you are using a modem to dial up to the Internet, your vulnerability is somewhat reduced by the fact that you are not online all of the time. But if you have a persistent IP connection via a T1 line, a DSL line or a cable modem, you are very much at risk unless you implement basic security devices that are available immediately and at low cost.
The first thing you should do is to download a free software firewall from Zone Labs at www.zonelabs.com. The firewall is called ZoneAlarm. It is discussed in detail on Steve Gibson's web site noted above. ZoneAlarm requires some time spent configuring the software to selectively control various applications on your computer system. While this is not rocket science, it is something that should be done by a relatively sophisticated computer user or support person. There are other software firewalls that are for sale from various vendors. I have tried most of them and for a variety of reasons I totally concur with Steve Gibson's recommendation. If you want to spend money, Zone Labs has a substantial upgrade of its free firewall product that you can buy. But the free product is very, very good and of course the price is right. You can go to www.pcmag.com [Home > Product Guides > Software > Firewalls] for more detailed information on all such products.


If you have a persistent ("always on") connection to the Internet, I would suggest that you consider a variety of hardware tools available from such manufacturers as LinkSys, D-Link, NetGear and others. These hardware "firewalls" serve two purposes. First, they provide a physical barrier to the Internet that, while it is not totally impenetrable, vastly reduces the risk from outside your network. The other thing that these products do is to allow you to share your cable modem or DSL connection over your network. Indeed, these devices, called "routers", are primarily designed as Internet distribution devices. But the built-in "firewall" capabilities are perhaps their most valuable characteristic. When a router is used in conjunction with a software program such as ZoneAlarm, you have a high level of security. Since ZoneAlarm is free and the routers typically cost under $200, it makes very little sense to take the known risk that somebody will break into your computer system and either destroy client information or send viruses to your clients that will destroy their systems in your name. Again, you can go to www.pcmag.com [Home > Product Guides > Networking] for more detailed information.
If you have secured yourself from the evildoers of the Internet, you must also secure your computer system in the office. The most common method of doing that is to use a password. Passwords, however, are extremely insecure and easy to crack. There are now available hardware devices that utilize a personal identification number that is more secure than a password. There are even "biometric" devices that can provide a very high level of internal security inside your physical office. Again, these kinds of devices are relatively inexpensive and easy to obtain. The CSTB concluded in the Report noted above that:

"System security is a holistic problem, in which technological, managerial, organizational, regulatory, economic, and social aspects interact. Weaknesses in any of these aspects can be very damaging, since competent attackers seek out weak points in the security of a network or system."

In January, Bill Gates, chairman of Microsoft Corp., announced a critical new initiative within Microsoft called "trustworthy computing", which marked a dramatic departure from the Microsoft tradition of emphasizing new features at the expense of security. That process will now be turned on its head and Job One will be to emphasize the security of Microsoft products above all else. It will be a long road because Microsoft has not been careful to recognize security issues with its software. Since you undoubtedly have Microsoft software on your computer, you may be vulnerable because of their longstanding lack of attention. But it will not do to build your liability defense around Microsoft's culpability. You have available to you today easily utilized and relatively inexpensive tools that can minimize your risk. It is of the essence of professional responsibility that you undertake those steps necessary to secure your system to a reasonable level.


If you want to talk more about this look for me at the Cyber Café at the 2002 SBA Convention in June.