Protecting Yourself and Your Firm

By Tierra Interactive.
Tuesday, November 3, 2009.

By Peter Priel, CEO, Tierra Technology

  • Introduction
  • Anti-Spyware and Anti-Virus Packages
  • Phishing and Pharming Schemes
  • File Sharing and Working From Home
  • How Safe are Wireless Networks?
  • Portable Electronic Devices
  • Conclusion

Disclaimer

All content herein is provided as is. The usefulness of this paper depends upon you and your firm’s ability to manage IT and not simply upon following the cursory recommendations provided here. This paper is only a guide, and it is strongly recommended that firms work with an IT expert on a professional basis and follow their recommendations before attempting to implement any of these recommendations or drawing any conclusions. Not doing so may expose an office LAN or WAN to unpredictable harm with unpredictable consequences.

Introduction

The purpose of this paper is to discuss some tactically important steps that your firm can take to protect itself. After reading this paper and/or listening to the accompanying presentation you should have some actionable takeaways, but also realize that for these steps to be effective they should be taken with the assistance of an IT professional.

Anti-Spyware and Anti-Virus Packages

Spyware and viruses can bring your practice to a halt. Understanding the threat and acting accordingly is your best defense. Spyware is delivered through web-enabling technologies like Java or ActiveX from compromised websites. Spyware infects the computer it lands on, but that computer does not go on to infect others. Computers can pick up viruses the same way, but they can also catch viruses through other routes, and a computer infected with a virus is able to infect other computers. Viruses spread using the same delivery systems that hackers use to deploy spyware (web-enabling technologies), but also by exploiting vulnerabilities in the computer’s operating system (usually some variant of Windows).

Trying one’s best to surf safely is not enough to protect a computer from spyware and viruses. Additionally, buying and correctly installing an anti-virus/anti-spyware (also known as anti-malware) solution is absolutely necessary. But even more important is maintaining a comprehensive approach toward the problem. A good place to start is:

  • Treat PCs as BCs — business computers, not personal computers
  • Don’t share files from computers (only from servers at the office)
  • Don’t give users full admin rights on BCs
  • Host key software like email, CRM, time tracking, and accounting with an application service provider
  • Centrally manage anti-malware packages on PCs with the assistance of an IT company or consultant

There are a lot of anti-malware/virus solutions to choose from, and the right choice depends on not simply effectiveness, but also usability and manageability. NSS Labs, Inc. rates anti-malware software for effectiveness. The latest ranking is as follows:
Trend Micro, Kaspersky, Norton, McAfee, Norman, F-Secure, AVG, Panda, ESET

Visit http://nsslab.com for more information.

Consult with an IT consultant in regards to how and what capabilities should be turned on when using the various packages. Resident, active scanning for both virus and spyware protection is the bare minimum configuration. It’s also recommended to enable the sharing of detection logs with the package’s vendor. Privacy concerns may require opting out of this, but products that incorporate this practice in their software are able to improve the effectiveness of their solution.

Phishing and Pharming Schemes

Phishing is any attempt—via phone, email, instant messaging (IM), or fax—to procure personally identifiable information with the intent of identity, intellectual property, and — ultimately — financial theft. Most of these attempts are in the guise of a legitimate purpose; in other words, they appear to be valid, but instead are the actions of a criminal enterprise. A typical electronic phishing attack comprises two components: an authentic-looking email and a fraudulent Web page…*

Pharming is similar to phishing. Instead of directly soliciting personal or corporate information, however, pharming hijacks legitimate URLs—such as “www.mypayroll.com”—and redirects them, via the domain name server, to fraudulent IP addresses which spoof the originals. These spoofed URLs then collect, via a graphical user interface, protected information without a user ever noticing the difference. Because pharming requires a much higher degree of technical acuity to perform—and because the DNS is very difficult to manipulate—it is far less common than phishing. However, it is still possible that pharming will become an increasing threat in the near future.*

*http://us.trendmicro.com/us/threats/enterprise/threats-summary/phishing/index.html

The anti-malware software in the NSS Labs study also protects users from Phishing and Pharming schemes. However, Phishing and Pharming attacks are ones that users, personally, can beat.

Both phishing and pharming require either an unsophisticated web user or a web user who has dropped their guard and cooperates with an attempt to obtain personal and confidential information. The best advice is:

Never directly respond to email or on-line solicitations to update your personal or credit card information. If you suspect the email or web page is legitimate, then call the requesting institution from a known good phone number and talk to customer service. Even if the request comes from a phone call with a good caller ID, do not be forthcoming with information. Always call the institution using a known good phone number and verify the legitimacy of the request. Do this for all institutions, even institutions that request charitable donations. If it’s legitimate and you don’t have the callback number, look up the requesting party in the phone book.

Simply stated, always take painstaking steps to verify requests for changes of information when those changes are not initiated by you.

Still, we are human, and remaining vigilant all the time, without error, is an unreasonable expectation. That’s why mainstream web browsers are starting to incorporate built-in features to protect you as well. IE 8 with its SmartScreen filtering caught 80% of phishing/pharming attacks in a recent NSS Labs testing regime; all other web browsers were well back in the pack. Visit http://nsslabs.com for a more detailed discussion.
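The “authentic-looking email” half of a phishing attack usually rests on links whose visible text names the real institution while the underlying address points somewhere else. As an added example (not code from the paper or from Tierra Technology), the script below pulls every link out of an HTML message and flags the ones a reader should not follow. The sample message, the `account-verify.example` host and the 203.0.113.7 address are constructed for the example; `mypayroll.com` is simply the page’s own illustration reused as the claimed sender.

```python
"""Flag links in an HTML e-mail whose visible text names one host but whose
href points at another.  Added example, not code from the paper or from
Tierra Technology; the sample message and the hostnames in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.com' from 'www.login.example.com' (last two labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html, claimed_sender_domain):
    """Return (href, text, reason) for links a reader should not click.

    Reasons: the visible text names a different domain than the href, the href
    uses a bare IP address, or the href is not under the claimed sender's domain."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href if "://" in href else "http://" + href)
        host = url.hostname or ""
        reasons = []
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("link target is a bare IP address")
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text says {shown.group(1)} but link goes to {host}")
        if registrable_domain(host) != claimed_sender_domain.lower():
            reasons.append(f"{host} is not under {claimed_sender_domain}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample message (not a real phishing e-mail); hosts are invented.
SAMPLE = """
<p>Dear customer, please confirm your account at
<a href="http://www.mypayroll.com.account-verify.example/login">www.mypayroll.com</a>
or <a href="http://203.0.113.7/update">our secure update page</a>.
Questions? See <a href="https://www.mypayroll.com/help">our help desk</a>.</p>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE, "mypayroll.com"):
        print(f"SUSPICIOUS: '{text}' -> {href}\n  {why}")
```

The check deliberately works on the registrable domain rather than the full hostname, so `www.mypayroll.com` and `login.mypayroll.com` are treated as the same institution while `www.mypayroll.com.account-verify.example` is not. It complements, rather than replaces, the callback advice above: a link that passes every check can still lead to a fraudulent page.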

File Sharing and Working from Home

Tierra Technology has been primarily a mobile workforce based company since its inception in 2000.

The conservative business policy is for your firm not to issue laptops or mobile devices to you or your employees. The moment a computer is off-site it is exposed to security risk. Realize that forensics experts can get at that data, even when the hard drive is encrypted. But also know that any user with power-user ability, or simply the correct rifle-shot knowledge, can access all of your information.

In many cases law firms (that ignore our guidance) issue laptops to at least the partners without sufficient thought to exposure, privacy and security. And immediately following the decision to buy laptops, a patchwork solution is created to enable remote access, remote control and VPN access. Simply put, the organic approach is fraught with holes and inefficient to manage.


The top 5 traps we see in the field with mobile computing:

  • The laptop PC is used for family and/or personal activities and file sharing is turned “on”
  • The home Wi-Fi has no WPA2 encryption enabled or has a weak password
  • The laptop is set up to log in automatically
  • Passwords are very light or non-existent, even to protected documents and shared folders
  • VPN access connects the office, but users are also able to access the Internet through their home DSL or cable modem

Having a mobility solution for your firm is a decision of the partners. Weigh your goals against your ability to support those goals, and weigh both against your actual needs.

An effective, low budget approach is simply to keep, and require that, the computing resources for the firm stay at the office and only at the office, or in a colocation facility and only at the colocation facility. Don’t entertain solutions that require infrastructure extensions like VPNs, or that make a home or remote connection a full LAN member of the main office environment.

With current technology there are effective and secure ways to achieve the productivity and possibly environmental goals of mobile computing. Consider the following approaches using an SSL 1024-bit encryption requirement in combination with a public/private key certificate authentication method:

  1. Remote control
  2. Hosted solutions (LEXUS, for example)
  3. Hosted applications (Exchange, Sales Force, for example)

A few of the advantages are: files remain at a centrally controlled location, the firm doesn’t have to go into the business of managing an extended office LAN, and users generally find the performance better and easier to use.

Setting up an encrypted VPN in front of options 1, 2 or 3 can add more protection, but in any case options 1, 2 and 3 should be:

  1. Encrypted
  2. Strong password protected
  3. Need-to-know or need-to-use based

How Safe are Wireless Networks?

Wireless networks are not safe. At this time, every available protocol to encrypt wireless networks at a consumer level has been cracked. There are methods for the enterprise that can be made secure, but the resources required are usually too much for a small firm. These approaches involve certificate based systems that are bound at a hardware-level to the wireless NIC.

With that said, there are steps your firm can take to improve the security of the wireless network. The more steps you implement the harder it will be for a hacker to break in. They are:

  • Use WPA2 encryption in conjunction with a several-word phrase as the encryption key, or a very long string of random letters. Each letter added to the encryption key improves your security; the more the better.
  • When connected to your WiFi network, only access your LAN resources using an internal VPN connection. A VPN connection provides an encrypted path for your data to travel so even if the WiFi has been hacked, your transmissions are within another layer of protection.
  • Don’t broadcast the SSID of your WiFi. This means that users will have to type in the SSID because your WiFi network will not show up in the network list as a WiFi choice. Users will have to connect to the WiFi manually, but by requiring this you effectively put another password on the WiFi and thus another layer of protection.
  • Implement MAC address filtering. MAC address filtering ensures that only the physical devices with registered MAC WiFi addresses will be allowed.
  • Don’t allow guests to connect to your WiFi. If this is a requirement, set up a separate WiFi on a separate segmented LAN or on an additional DSL line entirely.
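As an added example (not code from the paper or from Tierra Technology) of why the first bullet above works: WPA2-Personal turns the passphrase and the SSID into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 at 4096 iterations, so the passphrase is the only secret that stands between a captured handshake and the network. The script derives that key and estimates how many bits of guessing work a random string or a several-word phrase gives, which is the “each letter added improves your security” effect in numbers. The 7776-word list size, the 80-bit threshold and the `FirmWiFi` network are assumptions made for the example.

```python
"""Why the length of a WPA2 passphrase matters.  Added example, not code from
the paper or from Tierra Technology."""
import hashlib
import math


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal pre-shared key exactly as an access point does:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations) -> 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: log2(alphabet) bits per
    letter, so every extra letter adds the same fixed amount of work."""
    return length * math.log2(alphabet_size)


def word_phrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Guessing work for a phrase of words picked at random from a wordlist.
    7776 (the Diceware list size) is an assumption for this example."""
    return word_count * math.log2(wordlist_size)


def meets_policy(bits: float, minimum_bits: float = 80.0) -> bool:
    """80 bits is a threshold chosen for this example, not a figure from the paper."""
    return bits >= minimum_bits


def compare_candidates():
    """Return (label, bits, passes) for a few constructed passphrase shapes."""
    candidates = [
        ("8 random letters/digits", random_string_bits(8, 62)),
        ("20 random letters/digits", random_string_bits(20, 62)),
        ("5 random dictionary words", word_phrase_bits(5)),
        ("7 random dictionary words", word_phrase_bits(7)),
    ]
    return [(label, round(bits, 1), meets_policy(bits)) for label, bits in candidates]


if __name__ == "__main__":
    # Constructed SSID and passphrase, used only to show the derivation runs.
    print("PSK:", wpa2_psk("correct horse battery staple", "FirmWiFi").hex())
    for label, bits, ok in compare_candidates():
        print(f"{label:28s} {bits:6.1f} bits  {'OK' if ok else 'too weak'}")
```

Two things the numbers show: a dictionary word adds about 13 bits, a random letter or digit about 6, so either a handful of random words or a long random string reaches the threshold, while eight random characters do not; and because the SSID is the salt of the derivation, leaving an access point on its factory-default network name lets an attacker reuse precomputed tables, so pick an uncommon SSID alongside the long key.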

Portable Electronic Devices

The primary purpose of a portable electronic device, or handheld, is to provide email connectivity or phone connectivity. The present reality is that handhelds are essentially little computers and as such can expose your firm’s information in much the same way an offsite laptop can expose the firm. Also, handhelds are used like thumb drives or even external USB hard drives. Would you let an employee carry an external hard drive back and forth between home and the office? Is it a good idea to allow a partner to do this? Or would you let your employees and guests bring their devices onto your network?

A topic not covered here, but one which should also be taken up with your IT professional, is perimeter security. That is identifying the many ways that devices physically may enter your environment and cross the perimeter and become physically a participant in your network or interface with your network – a USB key picked up off the floor, or a prospect's iPhone bumping yours for contact information.

Be aware that most USB hard drives and PDAs like the iPhone, Windows Mobile devices, the Palm Pre and some Blackberries are easily used as thumb drives and offer no built-in protection to prevent someone from taking the device and accessing the information. If you assign PDAs to partners and employees, be sure that the service provider offers a remote wipe capability – that is, the ability to return a device to its factory settings via a phone call to the provider or to your IT consultant. In regards to thumb drives themselves, require that they be formatted NTFS with Microsoft EFS, with password encryption enabled. This requires that the computer be authenticated to your office’s Windows domain network before files can be accessed. Do not allow portable electronic devices to be integrated into your network if they can’t be remotely wiped or if some method of password plus encryption access is not supported.

Conclusion

Remember that the topics covered in this brief paper are not a blueprint for an IT security plan, but only provide a measure of guidance in regards to the concerns your firm should address. It is highly recommended that you consult an IT professional in order to develop and implement a bona fide IT security plan.

Copyright 2009 Tierra Technology. All Rights Reserved.