CHAPTER FIVE
Desktops and Laptops

Desktop and laptop computers are the workhorses for virtually all attorneys today. Windows is the dominant operating system for lawyers, but Apple’s OS X has been gaining, particularly in the last few years. This chapter explores security basics for desktops and laptops. It also covers tablets running the Windows operating system, which for security purposes are simply another form of laptop. The basic steps for securing personal computers, whether at home, in a law office or on the road, are:

  1. Use strong passwords, passphrases or other authentication.
  2. Operate in a standard user account without administrator access for routine use.
  3. Configure the operating system, Internet browser and other software in a secure manner.
  4. Install and use security software, including antivirus programs, a firewall and spyware protection—keep them current with updates.
  5. As patches (software fixes) are released, apply them.
  6. Install and use a hardware firewall.
  7. Install and use a file encryption program.
  8. Make backups of important files and folders.
  9. Use care when downloading and installing programs.
  10. Be careful when browsing the Internet.
  11. Use care with e-mail attachments and embedded links.

Authentication

Authentication and access control form the first line of defense for desktops and laptops. Desktops and laptops should, at a minimum, be protected with a password or passphrase. Major laptop manufacturers offer fingerprint readers as an option. More advanced authentication (two-factor authentication) should be considered for laptops. Authentication and access control are discussed in multiple chapters; please use the index to find all references.

A strong passphrase is long, easy for you to remember and hard for anyone else to guess. The following has the right shape:

IloveABATECHSHOW2012!

Do not use that one. Any passphrase that has appeared in print is in the word lists that password-cracking tools try first, and a passphrase built from a single well-known event name plus a year is weaker than its length suggests. Make up your own from several unrelated words, or a sentence only you would think of, and do not reuse it for a second account.

In Windows, local passwords are managed in User Accounts in the Control Panel. In OS X, passwords are managed in System Preferences. In networks, passwords are often managed centrally with tools like Microsoft’s Group Policy in a Windows environment.


User Accounts

Both Windows and OS X have multiple kinds of accounts for users. They include standard user accounts and administrator accounts. Standard user accounts have limited privileges. Administrator accounts have more privileges and can, accordingly, do more, like installing new software and devices. For routine use, computers should be operated in a standard user account. Administrator accounts should be used only when necessary to perform functions that are limited to them. In Windows Vista and later, a standard user who needs to install something is prompted by User Account Control for an administrator’s password, so there is rarely a reason to log in as an administrator at all. Operating in a standard user account provides better protection because some (but not all) malware and attacks need administrator access to be successful; malware that runs as a standard user cannot install drivers, change system files or disable security software.

In Windows, local user accounts are managed in the Control Panel. In OS X, user accounts are managed in System Preferences.
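For readers comfortable with a command line, the following PowerShell script is an added illustration of the account setup described above; it is not from the book or from Microsoft. It assumes Windows 10 or later (or Windows Server 2016 or later), where the LocalAccounts cmdlets are built in, and it should be run once from an elevated administrator window. The user name jsmith is a placeholder.

```powershell
# Added example: check who has administrator rights on this computer and
# create a standard (non-administrator) account for day-to-day work.
# Requires Windows 10 / Server 2016 or later and an elevated PowerShell window.

# 1. Is the account running this session elevated? For routine work it should not be.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user: $($identity.Name)   running as administrator: $isAdmin"

# 2. Every member of the local Administrators group can install software and
#    drivers and turn off security software. Keep this list as short as possible.
"Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 3. Create a standard account for routine use. 'jsmith' is a placeholder.
#    The password is read interactively so it never lands in a script or history.
$userName = 'jsmith'
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $userName"
    New-LocalUser -Name $userName -Password $password -FullName 'J. Smith' `
        -Description 'Standard account for routine use' | Out-Null
    # A new local user belongs to no group; 'Users' gives ordinary desktop access
    # and nothing more.
    Add-LocalGroupMember -Group 'Users' -Member $userName
}

# 4. Confirm the new account is NOT an administrator.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name   # e.g. LAPTOP1\alice
if ($admins -like "*\$userName") {
    Write-Warning "$userName is in Administrators. Remove it: Remove-LocalGroupMember -Group Administrators -Member $userName"
} else {
    "$userName is a standard user. Log in with it for everyday work."
}
```

On Windows 7 the same steps are `net user jsmith * /add` and `net localgroup Administrators` at an administrator command prompt. On OS X, the equivalent check is that the everyday account is not marked “Allow user to administer this computer” in the Users & Groups preference pane.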


Secure Configuration

Secure configuration or “hardening” is the process of setting up or adjusting the operating system, Internet browser and applications in a way that maximizes security. The approach should use the highest security settings that will allow the computer to perform necessary functions. Accordingly, services and functions that are not necessary should be disabled or blocked.

Current versions of operating systems and application software should be used because they are generally more secure than older versions. For example, the current versions of Windows and OS X have more security functionality than older versions. Microsoft Office 2010, Internet Explorer 9, and Adobe Acrobat X and Reader X all have much stronger security than older versions. Unless there are compatibility issues with other applications, upgrades should be promptly made.

During installation, the user is prompted for various security settings and enabling various services. When in doubt, choose the higher security settings and do not enable services that you do not need. For questions check the Help files or consult an individual with technical knowledge.

The following services should be disabled if you don’t need them: print sharing, file sharing, screen sharing and remote login. Each one listens for connections from other computers and presents unnecessary exposure if it is not being used. If you use them, you will need to enable them and manage the risks. For example, remote login should be set to require strong authentication, and file sharing should be limited to the specific folders that need to be shared.
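The PowerShell script below is an added example (not from the book or from Microsoft) of how to audit those four services on Windows 7 or later. It reads the standard Windows service names and registry values; the one judgment call built in is that if Remote Desktop is enabled, it must at least require Network Level Authentication, which makes the connecting client authenticate before a desktop session is created.

```powershell
# Added example: report which sharing and remote-access services are exposed.
# Works on Windows 7 or later; run in an elevated PowerShell window.
$findings = @()

# File and printer sharing are both served by the 'Server' service (LanmanServer).
$server = Get-Service -Name LanmanServer
if ($server.Status -eq 'Running') {
    $findings += "File/printer sharing (Server service) is running. If this computer shares nothing, run: Stop-Service LanmanServer; Set-Service LanmanServer -StartupType Disabled"
}

# Remote Registry lets other computers change this one's registry; a workstation rarely needs it.
$rr = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
if ($rr.StartMode -ne 'Disabled') {
    $findings += "Remote Registry service is not disabled (start mode: $($rr.StartMode))."
}

# Remote Desktop: fDenyTSConnections = 1 means remote login is refused.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 0) {
    # Remote login is on, so it must require strong authentication.
    # UserAuthentication = 1 turns on Network Level Authentication (NLA).
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) {
        $findings += "Remote Desktop is enabled WITHOUT Network Level Authentication. Fix: Set-ItemProperty '$ts\WinStations\RDP-Tcp' UserAuthentication 1"
    } else {
        $findings += "Remote Desktop is enabled (with NLA). Disable it if unused: Set-ItemProperty '$ts' fDenyTSConnections 1"
    }
}

if ($findings.Count -eq 0) {
    "No sharing or remote-login services are exposed on this computer."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

On OS X the same services are switches in the Sharing preference pane; from Terminal, `sudo systemsetup -getremotelogin` reports whether remote login (SSH) is on and `sudo systemsetup -setremotelogin off` turns it off.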

The first step is setting up user accounts, discussed earlier. Security software (including a firewall), patching and browser configuration, all important parts of hardening, are discussed below.

While the technical details of secure configurations are beyond the scope of this book, they are available on Microsoft’s web site www.microsoft.com/security/default.aspx (for nontechnical users) and http://technet.microsoft.com/en-us/security/bb291012 (for technical users). A good series of articles on secure configuration of Windows is available at www.windowsecurity.com/articles/windows-7-security-primer-part1.html. Apple has Security Configuration Guides for the various versions of OS X in the Support section of its web site at www.apple.com/support/security/guides/.

For those with technical ability, there are various tools to assist with secure configuration. Microsoft has tools like the Microsoft Baseline Security Analyzer (a tool that scans one or more Windows-based computers for missing patches and common security misconfigurations) and the Security Configuration Wizard (which assists in creating, editing, applying or rolling back security policies on Windows Server). The National Institute of Standards and Technology (NIST) has published security configurations for various operating systems and software as part of the U.S. Government Configuration Baseline. Compliance with them is generally required for federal agencies, and they can be used as guidance for others. The CIS Security Benchmarks Division publishes consensus security configuration standards. Automated tools are available to test computers for compliance with these standards.

One of the publishers of these kinds of tools is Belarc (www.belarc.com). Its Belarc Advisor builds a detailed security profile, including missing Windows patches and security configuration. It is a commercial tool but is available for free download for use on a personal computer. Additional tools are discussed in the Patching section below.


Security Software

Security software should be used on all desktops and laptops. While there has been much debate about the need for security software on Macs, let it end here. Macs are vulnerable as has been demonstrated many, many times over the last couple of years. There is no reason to take a chance in light of the ready availability of security software and its low cost. The malware targeted at Macs is certainly going to increase as Apple’s market share grows. In Macs running both OS X and Windows, both operating systems should be protected. In recent years, the major security software vendors have moved from individual products, like antivirus and firewalls, to security suites that integrate multiple security functionality, like antivirus, software firewalls, spyware protection and spam filters. Some of them include advanced features like rootkit protection and basic intrusion protection systems. They offer the advantage of being a single integrated product, which is easier to install, configure and keep up to date.

Various magazines, like PC Magazine, CNET and even Consumer Reports, rate security software from time to time. It is a good idea to look at current reviews before selecting a new product. Although opinions vary on which product is best at any given time, it is clear that any of the major security vendors’ current security suites, with up-to-date definitions, will make a desktop or laptop significantly more secure than one that is not protected. Some leading vendors include Symantec, McAfee, F-Secure, Sophos, Trend Micro and Kaspersky. Kaspersky now offers Kaspersky ONE Universal Security, a multidevice package that provides protection for up to five devices—desktops, laptops and smartphones—for both PCs and Macs. A good list of security software for Macs can be found at http://mac-antivirus-software-review.toptenreviews.com/. The authors personally prefer the Symantec and Kaspersky products.

One of the ways that security software detects malware is through the use of signatures. A signature looks for a specific known pattern of code that has been found in the malware. In addition to specific malware signatures, some of the newer security software also watches for suspicious behavior (for example, a program that tries to modify other programs or disable security settings) to attempt to detect malware for which there are not yet signatures. Security software that is out of date is only marginally better than no security software at all.

In addition to security suites, there are host intrusion prevention systems (HIPS) that provide a more advanced level of protection to laptops and desktops. They have stronger capability to protect against unknown threats because they watch what programs do rather than relying only on signatures. They are generally centrally administered in networks rather than used as stand-alone solutions on individual computers or in small networks. Examples are IBM Proventia Desktop Endpoint Security, CA Host-Based Intrusion Prevention System and McAfee Host Intrusion Prevention for Desktop. The same kind of product is often used to protect servers.

There is an ongoing arms race between security vendors and malware authors. Signatures are written to detect known malware, and then malware writers change their code to avoid detection. Because of this, it is critical to keep the security software up to date with new definitions, which are often available multiple times a day. Security software should be set to automatically receive updates.

A firewall is software or a device that controls the flow of data to or from a computer or network. It helps protect against attacks from the outside by refusing connections that the computer did not ask for. Some firewalls also block or alert on outbound traffic, which can catch malware that is already on the computer trying to call home. Both Windows and OS X now include built-in software firewalls; the Windows firewall has blocked unsolicited inbound connections by default since Windows XP Service Pack 2. Many consider the firewalls in the security suites to provide better protection than the built-in ones, mainly because of their outbound controls. One or the other should definitely be used. In a law firm, firewalls in security suites should generally be used in addition to a hardware firewall for the entire network.
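As an added illustration (not from the book or from Microsoft), the following PowerShell script checks that the built-in Windows firewall is on for all three network profiles, makes blocking the default for inbound connections, and then lists every inbound exception that is currently open, since each enabled “allow” rule is a hole in the firewall. It assumes Windows 8 or later, where the NetSecurity cmdlets exist, and an elevated window.

```powershell
# Added example: verify and tighten the Windows firewall, then list open inbound rules.
# Requires Windows 8 / Server 2012 or later; run in an elevated PowerShell window.

# Current state of the Domain, Private and Public profiles.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Turn the firewall on for every profile and make "block" the default for
# anything inbound that no rule explicitly allows.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# Every enabled inbound Allow rule is an exception. Review the list; anything
# you do not recognise or need can be turned off with Disable-NetFirewallRule.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
        }
    } |
    Sort-Object Port |
    Format-Table -AutoSize
```

On Windows 7, `netsh advfirewall show allprofiles` shows the same state and `netsh advfirewall set allprofiles state on` turns the firewall on. On OS X, `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` reports whether the application firewall is enabled.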


Patching

A vulnerability is a flaw in software that can be abused to make the software do something its designers did not intend. An exploit is code that takes advantage of a vulnerability to cause that unintended behavior. The effect can range from causing the software to crash to giving an attacker complete control of the computer. Software vendors prepare and distribute patches to address vulnerabilities, and patches frequently address security issues.

It is critical to apply security patches promptly. Until they are applied, a computer is exposed to the vulnerability. Where available, it is generally best to allow automatic downloads of updates. This feature is available from Microsoft and Apple. One caveat is that, in a network environment, it is sometimes necessary to test patches before they are applied. Although they have been tested for the vendor’s products, they may cause problems with other vendors’ products, including legal applications like case management and document assembly products.

With Microsoft products, the patching process is not difficult because Microsoft issues patches on a predictable schedule, “Patch Tuesday,” the second Tuesday of each month, including patches for Windows, Internet Explorer and Microsoft Office; it occasionally issues an out-of-band patch between those dates for a vulnerability that is already being exploited. Apple issues patches less frequently and on no fixed schedule, and OS X can be set for automatic download when they are issued.

The significant challenge is making sure that everything else is patched: applications, media players, browser plug-ins, and on and on. For example, as this book is being completed, Microsoft announced that its security software had stopped more than 27 million Java exploits from mid-2010 through mid-2011. Most of those exploits targeted vulnerabilities for which patches had been available for a long time. The most commonly blocked attack was for a vulnerability for which a patch was available for months. The second was one for which a patch had been available for almost three years.

A zero day attack, under varying definitions, is one that attempts to exploit a vulnerability not known to the software developer or to the security industry or for which a patch is not yet available. For this reason, they are particularly dangerous. Some of the zero day attacks in the past year have exploited vulnerabilities in Microsoft Windows, Microsoft Office, Adobe Acrobat and Reader, Adobe Flash and Java—all programs regularly used by attorneys. Zero day attacks are most frequently used in targeted attacks (against a specific victim or group of victims) but are sometimes used in more widespread attacks.

There are software tools available from major security vendors to search for vulnerabilities. Secunia has a Personal Software Inspector (PSI) that is free for home use. It scans the computer and reports on programs that are security threats because they are missing patches or are end of life and no longer supported. When this program was first released, a lot of security professionals were surprised when they ran it on their home computers that they incorrectly thought were up to date. The commercial version of this program, Corporate Software Inspector, is available for business use, including law firms. Other examples of enterprise vulnerability managers are tools by Symantec, McAfee and Qualys. Without a tool like these, it can be necessary to manually check everything for current updates. Patch management functionality is also bundled with some endpoint management software, which can be used to patch, configure and manage all desktops and laptops in an organization. Examples are IBM’s Tivoli Endpoint Manager (formerly BigFix), Dell KACE and LANDesk. These kinds of tools are used on networks, particularly larger ones, and require IT professionals to install and use. Attorneys should be aware that these kinds of tools are available and consult with qualified experts about the need for them.
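Even without a commercial scanner, a Windows computer can answer the two questions that matter: which Microsoft updates are still missing, and what else is installed that has to be kept current. The PowerShell script below is an added example (not from the book, Microsoft or Secunia). It asks the Windows Update agent through its COM interface for updates that are not yet installed, checks the Automatic Updates setting, and then builds an inventory of installed applications and versions from the registry keys that the Add/Remove Programs list is built from. It works on Windows 7 or later; the AUOptions value may be absent on Windows 10, which installs updates automatically unless policy says otherwise.

```powershell
# Added example: missing Microsoft updates plus an inventory of everything else.
# Works on Windows 7 or later; the update search needs Internet access.

# --- 1. Missing Microsoft updates --------------------------------------------
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0: not yet applied. Type='Software': skip driver updates. IsHidden=0: skip ones a user hid.
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
"Missing Microsoft updates: $($result.Updates.Count)"
foreach ($u in $result.Updates) {
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # Critical, Important, ...
    "  [{0,-9}] {1}" -f $severity, $u.Title
}

# Automatic Updates: AUOptions 4 = download and install automatically.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.AUOptions -ne 4) {
    Write-Warning "Automatic Updates is not set to install automatically (AUOptions=$($au.AUOptions))."
}

# --- 2. Inventory of installed applications -----------------------------------
# These are the registry keys behind Programs and Features (64-bit, 32-bit, per-user).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

"Installed applications: $($apps.Count)"
$apps | Format-Table -AutoSize

# The programs named in the text as frequent exploit targets deserve a separate look:
# each one, if old, is an open door regardless of how current Windows itself is.
"Frequently targeted applications:"
$apps | Where-Object { $_.DisplayName -match 'Java|Flash|Adobe Reader|Acrobat' } |
    Format-Table DisplayName, DisplayVersion -AutoSize
```

Compare the version numbers in the inventory with the vendor’s current releases; a program that is no longer listed on the vendor’s site is probably end of life and should be removed. On OS X, `softwareupdate -l` lists pending Apple updates from Terminal.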

Because every installed program can be a platform for attack, only necessary programs should be installed on computers used for the practice of law. The more software that is installed, the more that needs to be kept up to date.


Hardware Firewall

A hardware firewall is a network device that controls the flow of traffic between the network and the Internet. It helps block unauthorized access from the outside and, through network address translation (NAT), hides the internal addresses of individual computers from the outside world, so that an attacker on the Internet cannot connect to them directly. Whenever possible, a desktop or laptop should be used in a network protected by a hardware firewall.


Encryption

Encryption is a process that transforms readable data into an unreadable form. Anyone trying to read or view the data must have the decryption key to make it readable again. Encryption can be used on any computer to protect confidential data. It is particularly important for laptops. A lost or stolen laptop that is encrypted is protected unless the decryption key has also been compromised. One caveat: disk encryption protects data at rest. A laptop that is lost while it is powered on and logged in, or asleep with the encryption key still in memory, is not protected, so laptops should be shut down or hibernated, not merely closed, before they travel. There are two basic approaches to encrypting data on hard drives: full disk encryption and limited encryption. As its name suggests, full disk encryption protects the entire hard drive. It automatically encrypts everything and provides decrypted access when an authorized user properly logs in. Limited encryption protects only specified files or folders or a part of the drive. With limited encryption, the user has to elect to encrypt the specific data, and copies of it can end up unencrypted elsewhere on the drive (temporary files, print spools, the page file).

Some commonly used third-party encryption software products for hard drives include those offered by Symantec (PGP and Symantec Endpoint) (www.symantec.com), McAfee (www.mcafee.com), Check Point (www.checkpoint.com), Guardian Edge (www.guardianedge.com) and Utimaco (Sophos) (http://americas.utimaco.com). All of the hard drive manufacturers now offer hard drives that have hardware full disk encryption built in. Hardware encryption is generally easier to use and administer. Some examples are Seagate Secure (http://www.seagate.com/www/en-us/products/self-encrypting-drives/)and Hitachi Self-Encrypting Drives (http://www.hitachigst.com/internal-drives/self-encrypting-drives). Many observers believe that hardware-based encryption, either disk based or chip based, will ultimately replace software encryption products.

Since most encryption programs are tied to a user’s password, secure passwords or passphrases are essential, and a forgotten password can lead to lost data. Automatic screen locking after a specified idle time is critical so that decrypted data will not be exposed if a user walks away from a computer or forgets to turn it off. In an enterprise environment, like a law firm, access by an administrator, ability to reset passwords, backup and key recovery are essential. Installing encryption and administering it, particularly in a large enterprise, can be a challenge. The business versions of Windows include an encryption function called Encrypting File System (EFS). It allows encryption of individual files and folders. An authorized user who is logged in has access to decrypted data. It is encrypted and unreadable to anyone else (unless they can defeat the login process). The weakness of EFS is not its cipher but its key handling: the file keys are protected by the user’s Windows logon password, so forensic tools that recover or crack that password can decrypt the files, and data encrypted with EFS can leak into unencrypted temporary files and the page file. You are better off using one of the full disk encryption products previously mentioned or BitLocker, discussed below.

Windows Vista Enterprise and Ultimate and Windows 7 Enterprise and Ultimate include an encryption feature called BitLocker. BitLocker works below the operating system and encrypts an entire volume on the hard drive. BitLocker requires either a computer that is equipped with a Trusted Platform Module (TPM) chip on the motherboard or use of an external USB drive to hold the startup key. If an intruder gains access to a USB startup key, the encryption can be defeated. A TPM by itself releases the key automatically when the computer boots normally, so with a TPM alone the only thing standing between a thief and the data is the Windows logon; configuring BitLocker to require a PIN at startup in addition to the TPM is stronger. Setup of both EFS and BitLocker is fairly technical. For most attorneys, it will be necessary to obtain technical assistance to implement them.

OS X has built-in encryption in FileVault. The original FileVault encrypts only the user’s home folder; OS X Lion (10.7) and later have full disk encryption available in FileVault 2, which is the one to use.

To avoid the loss of data, it is important to understand how the encryption works, to back up data that is encrypted, and to keep a copy of the recovery key in a secure place. Enterprise controls are available to centrally manage encryption.
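For the technically inclined, the following is an added example (not from the book or from Microsoft) of the BitLocker setup and recovery-key handling described above, using the manage-bde command that ships with the BitLocker editions of Windows Vista and later. It assumes the TPM is already enabled in the computer’s firmware and that the firm’s Group Policy permits a startup PIN (the “Require additional authentication at startup” setting); the file location for the recovery password is a placeholder. Run it in an elevated PowerShell window.

```powershell
# Added example: enable BitLocker on the Windows volume with TPM + PIN and
# escrow the recovery password. Requires a BitLocker edition of Windows
# (Vista/7 Enterprise or Ultimate, 8/10 Pro or Enterprise) and an elevated window.

$volume = 'C:'

# Current state: Conversion Status, Percentage Encrypted and Key Protectors.
manage-bde -status $volume

# 1. Add a recovery password FIRST. Without one, a TPM change (firmware
#    update, motherboard replacement) or a forgotten PIN makes the data unrecoverable.
manage-bde -protectors -add $volume -RecoveryPassword

# 2. Add the TPM + PIN protector (the command prompts for the PIN).
#    TPM alone unseals the key automatically at boot; the PIN must be
#    entered before Windows even starts.
manage-bde -protectors -add $volume -TPMAndPIN

# 3. Record the 48-digit recovery password. The path below is a placeholder:
#    move the file to the firm's key escrow or a safe and DELETE the local copy.
#    In a domain, Group Policy can back the password up to Active Directory instead.
$escrow = "$env:USERPROFILE\Desktop\bitlocker-recovery-$env:COMPUTERNAME.txt"
manage-bde -protectors -get $volume | Tee-Object -FilePath $escrow
"Recovery information written to $escrow; move it off this computer."

# 4. Encrypt. Windows will ask for a reboot to confirm the protectors work
#    before it begins encrypting in the background.
manage-bde -on $volume
```

`manage-bde -status` can be rerun later to confirm that Percentage Encrypted has reached 100% and that both protectors are listed. On OS X 10.8 and later, `fdesetup status` reports whether FileVault 2 is on; the recovery key FileVault displays when it is turned on needs the same escrow treatment.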


Backup

Backup and disaster recovery are critical steps to protect data on any computer, network or portable media. These topics are discussed in this book’s backup chapter.


Installing Programs

It is important to exercise care in selecting and installing programs. In a law firm, only necessary programs should be used. Every installed program increases the surface for potential attack and must be managed and kept up to date.

When downloading programs from the Internet, use only trusted sources and pay attention to warnings about certificates. On the Internet, code signing with certificates verifies who published the code and shows that it has not been tampered with since it was signed. If a warning pops up that the certificate is invalid, don’t install the program. A valid signature proves only who signed the program, not that the program is safe, so check that the publisher named in the signature is the vendor you meant to download from. Where a vendor publishes a checksum (hash) for a download, compare it with the file you received.
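The following PowerShell script is an added example (not from the book or from Microsoft) of checking a downloaded installer before running it: the signature, the signer, the published hash and the “downloaded from the Internet” marker Windows attaches to the file. It assumes PowerShell 4.0 or later (built into Windows 8.1; installable on Windows 7 SP1). The file path, the expected signer and the expected hash are placeholders to be replaced with the real download and the values the vendor publishes.

```powershell
# Added example: verify a downloaded installer before running it.
# Requires PowerShell 4.0 or later. All three values below are placeholders.
$installer      = "$env:USERPROFILE\Downloads\setup.exe"      # the file you downloaded
$expectedSigner = 'CN=Example Vendor'                          # subject you expect on the signing certificate
$expectedHash   = 'PASTE-THE-SHA256-THE-VENDOR-PUBLISHES-HERE' # from the vendor's own web page, over https

$ok = $true

# 1. Authenticode signature. 'NotSigned', 'HashMismatch' (file altered after
#    signing) and 'UnknownError' (untrusted chain) are all reasons not to run it.
$sig = Get-AuthenticodeSignature -FilePath $installer
"Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid: $($sig.StatusMessage)"
    $ok = $false
} else {
    "Signed by        : $($sig.SignerCertificate.Subject)"
    "Issued by        : $($sig.SignerCertificate.Issuer)"
    # A valid signature proves who signed it, not that it is the vendor you wanted.
    if ($sig.SignerCertificate.Subject -notlike "*$expectedSigner*") {
        Write-Warning "Signer is not the expected publisher."
        $ok = $false
    }
}

# 2. Hash. Compare with the value the vendor publishes on a page you navigated
#    to yourself, not a value shown by the download mirror.
$hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
"SHA-256          : $hash"
if ($hash -ne $expectedHash) {
    Write-Warning "Hash does not match the published value."
    $ok = $false
}

# 3. Mark of the Web. Windows tags Internet downloads with a Zone.Identifier
#    stream (ZoneId=3 = Internet); it is what triggers the publisher warning.
#    Its presence is normal. Do not "unblock" a file just to silence the warning.
$zone = Get-Content -Path $installer -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier  : $($zone -join ' ')" }

if ($ok) { "All checks passed; it is reasonable to run $installer." }
else     { "DO NOT run $installer until the warnings above are resolved." }
```

If any check fails, the right response is to delete the file and download it again from the vendor’s own site, not to click through the warning.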

Peer-to-peer file sharing should not be used on law firm or business computers. It has the potential to expose all files on the computer and potentially other data on a network.


Safe Browsing

Internet browsers, like Internet Explorer and Firefox, are great productivity tools for attorneys because they are the gateway to the vast information resources of the Internet and serve as the interface to access cloud resources like software as a service. Unfortunately, they also are the gateway to the dark side of the Internet where criminals are trying to do nefarious things like stealing information or taking over vulnerable computers.

Just visiting a malicious web site or a compromised legitimate site may be enough to compromise a computer. A scary example is that The New York Times web site was reportedly infected through the compromise of a third-party service that fed ads to the site. Just a visit to the site was enough to expose a computer to malware.

Be very careful about visiting web sites with which you are not familiar. Malicious sites have frequently appeared high in search engine results. Some security products provide warnings about known malicious sites. Fortunately, the security of browsers has improved greatly over the years, and today’s browsers are more secure than older ones. For this reason, it is important to use the latest version of the browser and to stay current with patches.

If the security software or browser provides a warning, pay attention to it. Don’t blindly click OK.

As mentioned above, routine operation of a computer should be in a standard user account and not an administrator account. This is particularly important when surfing the web. Secure configuration of the browser is also a key step. In Internet Explorer, this is controlled by clicking on Internet Options, under Tools, and then clicking on Security. It should be set to Medium-High or greater. Custom levels may also be set, but this is better left to someone with technical knowledge. Disabling of functions like ActiveX, Flash, Java and JavaScript provides greater security but also affects functionality. Do not install or enable browser plugins unless you need them. Use current versions and keep them patched. A vulnerability in a plug-in still leaves you exposed even if the browser itself is up to date.

Some businesses are putting the browser in a sandbox that isolates it from the rest of the computer and helps protect against attacks. If the browser is partitioned off, malware that gets in through the browser has a much harder time reaching data elsewhere on the computer, although sandboxes have had escapes of their own and are a supplement to patching, not a substitute.

When you visit a site where you have to enter a username and password or provide any confidential information, make sure that the displayed web address starts with https. In Internet Explorer, a picture of a lock is also displayed. The “s” means that the connection is encrypted and that the browser has checked the site’s certificate against the name in the address bar, so nobody between you and the site can read or alter what you send. It’s not an absolutely sure thing, though, because web sites can be spoofed: you may have a perfectly secure connection to a malicious web site whose name is one letter off from the real one. If the browser warns that a certificate is invalid or does not match the site, do not proceed.


Attachments and Embedded Links

Attachments are frequently used to install malware. Embedded links are often used to take the user to an infected web site. Don’t open attachments from unknown sources and scan attachments for malware before you open them. Be very careful of clicking on links unless you are sure of the sender and are familiar with the site. Phishing (falsified e-mails purporting to be from banks, PayPal, eBay, and other legitimate sites) is now a common form of attack. It attempts to steal information either by trying to trick people into sending it or by planting malware that steals it. Some malware can be installed by opening an infected attachment or just visiting an infected web site. The Anti-Phishing Working Group is a helpful source of information in this area (www.antiphishing.org). Attorneys and law firm staff should be periodically trained about this risk.


Laptops

A particular area of current concern is the security of laptops. There have been a number of recent high-profile incidents in which confidential data has been compromised by theft or loss of laptops from businesses, accounting firms, nonprofits and government agencies. As previously noted, one survey reports that 70% of data breaches have been from the loss or theft of laptops and other mobile devices and media.

As a starting point, laptops should be protected by the basic security measures, discussed above, which apply to all computers. Some additional recommendations for protecting laptops include:

  1. Don’t store unnecessary confidential information on a laptop.
  2. Use strong authentication, preferably two factor.
  3. Encrypt your data.
  4. Never leave access numbers, passwords or security devices in your carrying case.
  5. Backup important data.
  6. Consider using a laptop tracking and wiping program.
  7. Provide for physical security of the laptop, including:
    • Carry your laptop with you.
    • Keep your eye on your laptop.
    • Avoid setting your laptop on the floor where you might forget about it.
    • Use a laptop security device.
    • Use engraving or an asset tag to identify the owner.
    • Use a screen guard.
    • Avoid using bags that obviously look like computer bags; they advertise what is inside.
    • Watch your laptop when going through airport security.
    • Avoid leaving a laptop in view in a parked car.
    • Try not to leave your laptop in your hotel room; if you must, secure it with a laptop lock or leave it with the front desk.

Encryption is particularly important for laptops and portable media. After the high-profile theft of a Department of Veterans Affairs laptop and external hard drive containing personal information on more than 28 million veterans in 2006, security guidelines for federal agencies added the requirement of encryption of all data on laptops and hand-helds, unless it is classified as “non-sensitive.” This was contained in the Office of Management and Budget (OMB) memorandum dated June 23, 2006. In January 2007, 18 laptops were stolen from the offices of a law firm in Orlando. The laptops were reportedly protected by encryption, and the incident received very little publicity. In discussing this incident, the SANS Institute, a leading information security organization, noted, “[l]aptop thefts aren’t going away, but by this time next year, this type of item (laptop stolen, but the data was protected) shouldn’t even be newsworthy.” That was five years ago. Encryption of laptops and portable media is now a standard security measure that should be used by attorneys.

Tracking programs are available to report the location of lost or stolen laptops to security centers when the laptops are connected to the Internet. Some examples include Computrace (consumer and small business version: LoJack for Laptops) for PCs and Macs (www.computrace.com), CyberAngel (www.thecyberangel.com) and zTrace (www.ztrace.com). Some of these programs include remote wiping of the data on a laptop if it is reported as lost or stolen. Orbicule (www.orbicule.com) has a product for Macs which repeatedly transmits network information, screenshots and photos from the laptop’s built-in camera after a laptop is stolen. It then makes the laptop malfunction and displays a message that it has been stolen when it is connected to a different network.

Physical security is important because laptops are portable. Laptops are frequently stolen from cars and airport security checkpoints. New laptop bags, called “checkpoint friendly,” are available for use in air travel. They allow the laptop to remain in the bag during screening. You can find them at vendors such as Targus, Aerovation, Eagle Creek and MobilEdge.