Despite the time, energy, and money that some large and small law offices funnel into products to maintain network security, their computer network's biggest threat is frequently from the uninformed computer users on the inside. A security program is only as strong as its weakest link, and that is where the human element comes into play.
Computers and Internet access are invaluable in the legal field, and although security software should be used in any office, attention should be focused on the potential threats that accompany the use of the technology. Even small legal offices or individual attorneys working out of their homes need to protect their computers and the sensitive information residing on them. Too many firms have already learned the hard way that security technology alone cannot completely secure a company network.
Being uninformed about security issues can expose computers and information to unnecessary risk that could have a direct impact on revenue, productivity and the costs of doing business. Although security tools such as antivirus software, personal firewalls and intrusion detection tools greatly reduce the security risks, any legal professional should be aware of common security mistakes and take measures to avoid them.
Social Engineering Tactics and Common Methods
Most internal threats to security can be traced back to social engineering tactics. Social engineering plays upon people's natural inclination to trust others and desire to help out. Attackers will succeed if they can get insiders to fall for their tricks, but social engineering tactics will not work if employees are informed and aware. Social engineering methods can take a number of different forms. Every method is intended to entice unsuspecting users into helping the attacker out – whether it is by opening attachments that will unleash a virus, or providing the attacker with sensitive information that will help their efforts.
Social engineering is the act of creating a computer security threat that invites users to activate it. Such attempts can include a virus inside a file that appears to be an official document. It may be a “joke” e-mail with an attachment that claims to be a game, when in fact it is a malicious computer worm. These types of attempts can pop up anytime during a normal workday, in a seemingly unthreatening manner. The insiders of any firm or legal group need to be aware of the following threats so they will not be easy prey for such attacks.
E-mail Threats: E-mail can cause several types of security breaches. Viruses and inappropriate e-mails (which may open up a company to legal liability) are two examples. One of the biggest threats from computer worms and viruses comes through e-mail. 'Mass mailers,' viruses that propagate and send themselves out to large numbers of other computers via e-mail, can spread very rapidly. The “Anna Kournikova” and “I Love You” viruses are successful examples of social engineering attacks, as the enticing subject lines piqued the recipients' curiosity and resulted in many people opening up the infected e-mail. The key to combating this threat is educating computer users.
If a person opens unsolicited e-mail attachments or does not scan attached documents for a virus before opening them, a computer or network becomes vulnerable to virus attacks. Computer users should be educated about viruses, the danger of opening unexpected or suspicious-looking attachments and also the potential damage that will occur if a virus is launched. Also, inadvertently allowing inappropriate e-mail, sexual in nature or otherwise offensive, to be sent within an organization is a threat and companies can be vulnerable to financial consequences or perhaps even legal action.
Antivirus software should be installed on each computer, including laptops, to help deal with e-mail threats. Virus definitions, or digital files that help identify and deal with viruses, should be updated frequently to ensure protection against the latest threats.
Surfing Dangers: The Internet is an amazing and useful tool for communication and research, especially in the legal profession. However, when surfing the Web, people might download more than they anticipated. People who use the Internet for work often spend time surfing the Internet for personal use as well. Non-work-related surfing increases the chances that people will visit a site using ActiveX or Java. These languages can be used to create “malicious code” that can communicate directly with the user's machine, giving hackers access to data and, potentially, the network. If users download free software or screen savers from unknown sources, their systems may be infected with a virus or Trojan horse, which may inflict damage ranging from file deletion to stealing passwords. However, experts say that larger and more popular sites that use these computer languages are fairly safe because the sites employ security measures.
Instant Messaging (IM) and Internet Relay Chat (IRC): Legal professionals who use IRC and IM services such as Yahoo Messenger, AOL Messenger and others should know about ploys that might be used to lure them into downloading and executing malicious software that would allow an intruder to use the systems as attack platforms for launching distributed denial-of-service attacks.
Virtually all free instant message systems lack encryption capabilities, and most have features to bypass traditional corporate firewalls, making it difficult for administrators to control their use inside an organization. Many of these systems have insecure password management, and are vulnerable to account spoofing and potentially to denial of service attacks as well.
Instant messaging systems also allow users to exchange files with each other, again, in an unencrypted form. Such file transfers can cause the spread of traditional viruses, worms and Trojan horses as well as blended threats.
The best protection against any threat spread through IM file transfers is to deploy up-to-date antivirus software on all client desktops – preferably with protection for IM applications.
Peer-to-Peer File Sharing: Peer-to-peer (P2P) networking has existed since the birth of computing networks. Recently, however, P2P networks have gained momentum with searchable P2P network file databases, increased network connectivity and content popularity. The use of file sharing applications is a practice that attackers often take advantage of. Many P2P programs, which allow people to swap electronic files over the Internet, contain “spyware.” Spyware allows the author of the program, and other network users, to see what a computer user is doing, where he or she may be visiting on the Internet, and even use the computer's resources without a user's knowledge. Other dangers include the risk of downloading a file that appears to be harmless, but contains a virus or worm. Some worms can disguise themselves by making the file extension appear as though the downloaded file is a common music file.
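The extension disguise described above, like the attachment lures in the e-mail section, can be caught by a filename check on a mail gateway or download folder. The Python sketch below is an added example, not part of the original article; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import unicodedata

# Extensions Windows runs on double-click (a subset chosen for this example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "vbs", "vbe", "js", "jse", "wsf", "hta", "lnk"}
# Extensions users tend to read as harmless media or documents.
DECOY_EXTS = {"mp3", "wav", "wma", "jpg", "jpeg", "gif", "png",
              "txt", "doc", "pdf", "avi", "mpg"}


def disguise_reasons(filename):
    """Return the reasons a name looks disguised; an empty list means no finding."""
    reasons = []
    # Format characters such as U+202E (right-to-left override) can make
    # the displayed name differ from the real one.
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        reasons.append("invisible formatting character in name")
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    # Windows ignores trailing dots and spaces, so drop them first.
    cleaned = cleaned.rstrip(". ")
    parts = cleaned.split(".")
    if len(parts) < 2:
        return reasons
    final_ext = parts[-1].strip().lower()
    if final_ext not in EXECUTABLE_EXTS:
        return reasons
    # Double extension: a decoy extension sits right before the real one.
    if len(parts) >= 3:
        decoy = parts[-2].strip().lower()
        if decoy in DECOY_EXTS:
            reasons.append(f"decoy extension .{decoy} before .{final_ext}")
    # Padding: a long run of spaces pushes the real extension out of view.
    if " " * 10 in cleaned:
        reasons.append("whitespace padding hides the real extension")
    return reasons


def scan(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        found = disguise_reasons(name)
        if found:
            flagged[name] = found
    return flagged


# Constructed sample names, not taken from any real incident.
SAMPLE_NAMES = ["track01.mp3", "holiday_photo.jpg.vbs",
                "song.mp3" + " " * 40 + ".exe", "brief.final.doc"]

if __name__ == "__main__":
    for name, why in scan(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(why))
```

A plain executable such as `setup.exe` is deliberately not flagged here: the check looks only for names built to mislead, and blocking executables outright is a separate policy decision.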
The Password Challenge: Some computers and networks are protected by passwords as a security precaution. Passwords are a major vulnerability in many offices. It's not unusual for people to try to save time by sharing passwords or choosing a simple password. Weak passwords make it easy for unauthorized users to gain access. A potentially weaker spot in your network security may not be the user passwords, but the users. A carefree attitude toward passwords is what social engineers are banking on. Weak passwords make it easier to break into those networks (like leaving your doors and windows open in your house) and use your network for other illegal activity.
Request for Information: Attackers will not always try their tricks over the computer. Sometimes they also try to make contact with insiders over the phone or in person. An attacker might call an insider and imitate someone in a position of authority or relevance with an urgent need for information, and try to get that information out of the user. Help desk employees often are subjected to social engineering tactics and should be especially aware of this tactic. Employees should be made aware that if anyone asks them for their passwords, or any other sensitive information, they should proceed with the greatest amount of caution.
In a law office, the most effective, yet often neglected, method for addressing the “human factor” is to establish a policy of regular and consistent user training, with a focus on the organization's security objectives. For individual computer users, the best protection is common sense and security software that will block common attacks.