An attorney's relationship with a client calls for the highest
degree of privacy. Addressing the threat to an attorney's
confidentiality of a computer with malicious code is therefore
essential. There is a common perception that a computer is secured with
the use of a firewall and virus protection program. Not so. The 2001
CSI/FBI Computer Crime and Security Survey of IT professionals reported
that only twenty-five percent of the respondents believed their
companies' computers had not been compromised during the last
year, even though nearly all of them used the accepted security
technologies. Most attorneys lack the resources of large companies and
firms to address sophisticated computer issues. Microsoft itself has
been the subject of several well-publicized intrusions into its
network, and a Congressional subcommittee flunked sixteen federal
agencies on their computer security efforts, including the Department
of Defense and the Nuclear Regulatory Commission. Should the typical small
attorney's office be expected to do better?
While the sophistication of computer attacks has been increasing, the
automation of freely available hacking tools has resulted in a
reduction in the knowledge required of the hackers. Hacking tools can
allow remote operation of a computer with all the privileges that the
computer operator has, including file searches, alterations and export
to an anonymous site. The use of monitors to record each keystroke
negates many encryption efforts. Email scanning programs review all
passing email looking for passwords on any attached network. Password
cracking programs intelligently guess passwords. These programs
typically alter the computer to remove evidence of their presence.
Viruses can be more than merely annoying. Opening an infected Word
document, for example, activated the Melissa virus and emailed fifty
infected copies of any Word document subsequently opened with the same
template. The liability for such disclosure of a client's
correspondence is frightening. The code could have taken even more
destructive actions had the author so chosen. A fault in Excel and
PowerPoint 2000 and XP is typical: it allows an attacker to take,
without warning, any action available to the user if a particularly
malformed file is opened. This fault is probably present in earlier
versions of these programs, but Microsoft no longer tests or fixes
security flaws in programs it considers obsolete.
Computer security is a complex technical subject and a security audit
by a qualified consultant is often worth the cost. There are
assessments that all data users should undertake to determine what is
to be protected and what the risks are. A survey of these issues and
links to assessment forms can be found at http://www.eweek.com/article/0,3658,s%253D25132%2526a%253D17878,00.asp.
Since computer security is an ongoing process, it is useful to review
Microsoft's The Ten Immutable Laws of Security at http://www.microsoft.com/technet/columns/security/10imlaws.asp,
which is available as a screen saver to give a persistent reminder. For
a cursory examination of a system's weaknesses, a number of
vulnerability scans are available. Most require technical
interpretation, but a free look can be had at http://www.securityspace.com/smysecure/index.html.
While we are a profession with ethics, some of our clients or our
clients' adversaries are not. Hacking is available for hire.
An attorney wants to know if his files have been exposed and to be able
to show reasonable protective steps as a liability defense for any
negligent disclosure. A properly configured firewall and regularly
updated virus protection program for all computers are necessary but
not sufficient. Programs should be monitored for upgrades, and those
upgrades installed. This should be done on all computers, since a
network is often compromised by first compromising an
'unimportant' computer that itself contains no
interesting data and then using it as a base for further attacks.
Applications that are no longer supported, like Office 97, should be
replaced since their security flaws are not fixed. Unknown files should
not be opened, and unknown executables should be especially avoided.
Passwords should not be simple, and should be regularly changed. All
data should be regularly backed up and kept where the computer itself
cannot delete it. While few systems can withstand a determined attack
by a professional, most attacks do not rise to that level. The
vulnerabilities that are most often exploited have been well publicized
and have known, readily available fixes. The failure to implement those
fixes can easily rise to the level of negligence or malpractice.
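The protective steps listed above (firewall and current virus protection on every machine, updates installed, unsupported applications retired, non-simple and regularly changed passwords, and recent backups the computer itself cannot delete) can be checked mechanically across a small office. The script below is an added example, not part of the article: it audits a constructed inventory of three office computers against those steps and reports every machine that fails, including the 'unimportant' reception computer. The thresholds (password age, backup age, minimum password length) are assumptions chosen to make "regularly" concrete; the article gives no numbers.

```python
"""Audit a small office's computer inventory against the basic protective
steps the article lists. Added example; the inventory below is constructed
sample data, and the numeric thresholds are assumptions, not the article's."""
from datetime import date
import string

# Assumed policy thresholds (the article says only "regularly").
MAX_PASSWORD_AGE_DAYS = 90
MAX_BACKUP_AGE_DAYS = 7
MAX_AV_AGE_DAYS = 7
MIN_PASSWORD_LENGTH = 10
UNSUPPORTED_SOFTWARE = {"Office 97"}   # named on the page as no longer supported


def password_is_simple(pw: str) -> bool:
    """A password counts as 'simple' if it is short or uses fewer than
    three character classes (lower, upper, digit, punctuation)."""
    if len(pw) < MIN_PASSWORD_LENGTH:
        return True
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) < 3


def audit_computer(rec: dict, today: date) -> list:
    """Return the list of findings for one computer record."""
    findings = []
    if not rec["firewall"]:
        findings.append("no firewall")
    if (today - rec["av_updated"]).days > MAX_AV_AGE_DAYS:
        findings.append("virus protection not updated")
    if rec["pending_updates"]:
        findings.append("%d updates not installed" % rec["pending_updates"])
    for app in rec["software"]:
        if app in UNSUPPORTED_SOFTWARE:
            findings.append("unsupported application: " + app)
    if (today - rec["password_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password not changed recently")
    last = rec["last_backup"]
    if last is None or (today - last).days > MAX_BACKUP_AGE_DAYS:
        findings.append("backup missing or stale")
    elif not rec["backup_offline"]:
        # A backup the computer can reach and delete is no defense against
        # malicious code running with the operator's privileges.
        findings.append("backup can be deleted by the computer itself")
    return findings


def audit_office(inventory: dict, today: date) -> dict:
    """Audit every computer, not just the ones holding client files: the
    network is only as protected as its weakest machine."""
    report = {}
    for name, rec in inventory.items():
        findings = audit_computer(rec, today)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory (hypothetical office, hypothetical dates).
AUDIT_DATE = date(2002, 3, 1)
INVENTORY = {
    "partner-pc": dict(firewall=True, av_updated=date(2002, 2, 27),
                       pending_updates=0, software=["Office XP"],
                       password_changed=date(2002, 1, 15),
                       last_backup=date(2002, 2, 28), backup_offline=True),
    # The 'unimportant' machine: no client data, but a base for attacks.
    "reception-pc": dict(firewall=True, av_updated=date(2001, 11, 1),
                         pending_updates=14, software=["Office 97"],
                         password_changed=date(2001, 6, 1),
                         last_backup=None, backup_offline=False),
    "scanner-pc": dict(firewall=True, av_updated=date(2002, 2, 28),
                       pending_updates=0, software=["Office 2000"],
                       password_changed=date(2002, 2, 1),
                       last_backup=date(2002, 2, 28), backup_offline=False),
}

if __name__ == "__main__":
    for name, findings in audit_office(INVENTORY, AUDIT_DATE).items():
        print(name + ":")
        for f in findings:
            print("  - " + f)
```

The report is deliberately per-machine rather than per-office: a clean partner workstation does not excuse a stale reception computer, which is exactly the path the article describes for a network compromise.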