Security Spotlight
ABC's of Computer Security
By Albert Barsocchini
"At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset."
-- Andy Grove, Intel Corp
LAW OFFICE computer security is a term that we will be hearing more and more about as lawyers start using DSL, start using Web-based applications offered by application service providers (ASPs), and start using e-mail more than the mail to send documents.
We have both a legal and ethical obligation to zealously protect client confidences and secrets by taking reasonable security precautions.
Additionally, there is case law to suggest that once we begin using technology there is a legal duty to use it properly, i.e., to use a virus scanner to protect client data, to back up client data on a regular basis, and to keep informed of new technology that will impact computer use in the law office.
What is computer security? It is the process, procedures, or tools which assure that data entered into a computer today will be retrievable at a later time by, and only by, those authorized to do so. Many experts have described computer security as a human problem and not a technology problem. Let's perform a security check-up for each security vulnerability.
1. Do you use passwords?
Passwords are the most under-utilized and effective security precaution that you can take.
Most computers offer several levels of password protection. You can password protect your hard drive, the operating system, file directories and key programs. If you are on a law office network and you share directories, you can easily password protect directories from other users in your office.
Tips:
* The minimum password length should be seven characters.
* Create passwords that are difficult to guess.
* Passwords should contain both alphabetic and non-alphabetic characters and contain both upper and lower case characters.
* Never write down or share a password.
* Always change vendor default passwords.
To keep track of your passwords, use shareware such as Password Safe from www.counterpane.com.
2. Do you use a virus scanner?
It may be negligent for a law firm to not use virus-scanning software.
Many companies, such as McAfee.com Corp., now offer online scanning.
Another source: House Calls.
Tips:
* If you do find a virus on your system, never try to clean it yourself. Get a computer consultant to do it for you.
* Keep your virus definitions updated by using the automatic update feature in Norton Anti-virus or the McAfee product.
* Never open an unsolicited e-mail attachment.
* Never put any games or load unidentified programs on your law office computer.
Department of Justice List of 10 Worst Security Threats:
1. Opening unsolicited e-mail attachments.
2. Failing to install security patches.
3. Failing to see the consequences of poor security.
4. Failing to realize the value of the information stored on your computer.
5. Relying primarily on a firewall for security.
6. Giving out passwords to users over the phone or changing passwords without verifying the legitimacy of the request.
7. Failing to maintain and test backups.
8. Implementing firewalls that don't stop malicious traffic.
9. Failing to update virus detection software.
10. Failing to educate users about security problems.
3. Do you have a firewall to protect your computer from digital intruders?
Firewalls are virtual barriers to protect your data from intruders. Test your security by going to Shields Up! at www.grc.com.
Some recommended workstation firewalls include Zonealarm and NetworkICE.
For network protection try Esafe or SonicWall at SOHO.
Tips:
* Firewalls do not protect your computer from viruses, nor does a firewall protect you from harmful browser-based Java applets.
* Have a firewall for both dial-up and DSL connections.
4. Do you back up your data and store it in a safe place?
Failing to back up your data is an act of negligence. Data back up is the act of copying to an archive directory, to external media such as a tape drive, to an online backup provider such as @backup.com or to a folder on the Internet.
After you have backed up your data always test the backup for problems or errors.
Tips:
* Have a written disaster plan and procedure.
* Design your systems to facilitate archiving.
* Rotate your back-up copy off-site.
* Properly handle and store archive media.
* Refresh tape technology every five years.
* Verify archive data.
* Limit access to original permanent data.
* Retain archive for legally required periods.
5. Do you secure your laptop and handheld devices?
Laptops and handhelds are vulnerable to being stolen. Try Absolute Software's CompuTrace(TM), which identifies the phone number when a stolen computer goes on-line and then coordinates the location with the local police, or try PC PhoneHome at 914-627-0011. Also, returnme.com is a new service that might help.
Tips:
* Insure your equipment.
* Never let go of your laptop when traveling.
* Lock your keyboard with a password and use a hard drive password too.
* Scratch your initials into your notebook's casing.
* Use onscreen electronic personalization for identification.
6. Do you have a software, e-mail and Internet policy?
All law firms should have a written policy regarding the use of e-mail, the Internet and software. The policy should discuss business purpose, inappropriate content, copyrighted material, downloading and copying software, confidential information, and document retention, among other things.
For a further discussion of policies check out www.llrx.com and an excellent article on Internet use policy. Enforce your e-mail and Internet usage policy with content filters, such as Content Technology.
You should also conduct a software audit by going to BSA www.bsa.org/freeware and downloading the GSAP software audit tool and the BSA Guide To Software Management.
7. Do you have Web browser security?
A firewall will not protect your Web browser from harmful Java applets, data collecting cookies or from spoofing. To add security to your Web browser, check out SurfinShield. To surf the Web anonymously try Zero Knowledge.
Tips:
* Read about the security properties in your browser.
* Empty your Web history folder and cache file on a weekly basis.
* Update your Web browser security patches when notified to do so.
* Never download free software from the Internet without reading the license agreement very carefully because it may contain spyware that will track your Internet usage.
8. Do you encrypt client communications sent via e-mail as well as information on your hard drive?
Although there is no ethical obligation to encrypt your e-mail, there may be a legal obligation for sensitive e-mail.
Check out so-called digital couriers like www.private.express.com or www.hushmail.com, which is the encrypted version of the hotmail concept.
To prevent your e-mail from remaining on a mail server for long periods of time, try www.disappearing.com, which automatically makes the e-mail unreadable after a designated period of time. To encrypt an attachment or a directory try www.pcguardian.com or the password protection feature in Winzip.
To purge old files from your hard drive, try a shareware product called File Shredder at www.gregorybraun.com or Disk Clean-up at www.gregorybraun.com which wipes your hard disk clean of all old deleted files.
Tips:
* Ask your client before using e-mail to communicate client confidences.
* Put a disclaimer at the end of your e-mail messages like you do with faxes.
Calif. attorney Albert Barsocchini is a member of the LTN Editorial Advisory Board and principal of The LawTek Group, a practice system consulting firm based in San Anselmo.