Confidentiality is one of the keystones of the legal profession.
It is critical that the information contained in a firm's digital
files and documents is protected. Additionally, with the onslaught
of identity theft, Massachusetts has enacted revised ID theft
regulations which will become effective March 1, 2010. The new
language aims to support the state's commitment to balancing
consumer protection with the needs of small business. The updates
take into consideration the size of a business and the amount of
personal information it handles when creating a data security plan.
This risk-based approach to protecting data, however, does not
relieve any business, including law firms, of its obligation to
protect the personal information of those it serves. In fact, it
may encourage more firms, especially smaller ones, to re-examine
their data protection plans.
Most companies recognize basic security as part of the cost of
doing business. However, leaving your information systems exposed
is a lot like leaving your front door unlocked 24/7. Even very
small firms can attract unwanted attention from those with the
skills to infiltrate their information systems, including servers,
applications and operating systems. And chances are, if they have
been there, you may not even know it without the help of a forensic
expert.
Because many organizations are unaware of the risk of computer
attacks, technology security tends to be an afterthought in both
small and large companies. Information technology (IT)
professionals feel great pressure to maximize functionality and
speed, and security controls are often blamed for slowing those
processes down. However, when the proper security devices and procedures
are built into IT systems on the front end, they can become
seamless and efficient while also providing far greater protection
from hackers and other security risks.
As a Certified Ethical Hacker and Certified Information Systems
Auditor, I am trained to hack into my clients' systems, just as an
unauthorized hacker would. An ethical hacker is an individual who
is employed by or contracted to an organization and who can be
trusted to attempt to break into its networks and computer systems
in order to discover and address vulnerabilities in corporate,
governmental and institutional information systems. Hacking is a
felony in the United States and most other countries. When it is
done by request and under a contract between an ethical hacker and
an organization, it is legal. Ethical hackers help municipalities
and other government bodies, businesses and nonprofit organizations
become more secure.
Who's a hacker?
Hackers come in many forms, and their intent to harm can vary,
as well. So-called "black-hat hackers" break into Web-facing
applications to gain access to servers, steal information or
vandalize systems. But malicious behavior can also come from people
you know by name, for instance disgruntled employees. These
individuals can cause public relations problems, such as defacing
your Web site, or gain access to credit card and Social
Security numbers. Hackers target all types of organizations,
including professional firms, private and public companies,
government, and nonprofit institutions - so all need to take
security precautions. The good news is that many of these
precautions are neither difficult nor expensive to implement.
Common weaknesses
Fortunately, some of the most common security weaknesses cost
little or nothing to address. Enforcing proper password complexity
is a perfect example. Missing or weak passwords are considered
"low-hanging fruit" among hackers. Using automated brute-force
attack software that attempts 150 passwords per second, a
five-character password can be cracked in less than 24 hours.
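As an added example (not part of the article), the following Python works through the arithmetic behind that claim: at the article's 150 guesses per second it shows which character sets a five-character password survives for a day, and how the article's own standards of more than seven alphanumeric characters and a 60-day rotation compare. The character-set sizes are assumptions made for the calculation.

```python
"""Added example, not from the article: how long an automated attack at a
fixed guess rate needs to exhaust a password keyspace. Uses the article's
figure of 150 guesses per second; the character-set sizes are assumptions."""
SECONDS_PER_DAY = 86_400
# Character-set sizes (constructed for the calculation).
CHARSETS = {"lowercase": 26, "lowercase+digits": 36, "mixed-case+digits": 62}

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def days_to_exhaust(charset_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time, in days, to try every password of this length."""
    return keyspace(charset_size, length) / guesses_per_sec / SECONDS_PER_DAY

def crackable_within_a_day(charset_size: int, length: int, guesses_per_sec: float) -> bool:
    """True if the entire keyspace can be searched in 24 hours or less."""
    return days_to_exhaust(charset_size, length, guesses_per_sec) <= 1.0

def min_length_for_days(charset_size: int, guesses_per_sec: float, target_days: float) -> int:
    """Smallest length whose full search takes at least `target_days`.
    Checks a rotation policy: a password changed every 60 days should
    have a keyspace that takes longer than 60 days to exhaust."""
    needed = guesses_per_sec * SECONDS_PER_DAY * target_days
    length = 1
    while charset_size ** length < needed:  # integer arithmetic, no float log
        length += 1
    return length

if __name__ == "__main__":
    rate = 150.0  # guesses per second, the article's figure
    for name, size in CHARSETS.items():
        for length in (5, 8):
            print(f"{name:18s} {length} chars: {days_to_exhaust(size, length, rate):,.1f} days")
        print(f"{name:18s} minimum length to outlast 60 days: {min_length_for_days(size, rate, 60)}")
```

Only the lowercase-only five-character keyspace falls inside a day at that rate; eight mixed-case alphanumeric characters push a full search to millions of days.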
Default password settings in hardware can also represent an open
window to hackers. Often, the passwords associated with the hardware
aren't changed after purchase, so the manufacturer's default password
is the only protection against intrusion. For example, if your firm
installs a Cisco router and the password isn't reset, a hacker can
easily infiltrate your network because manufacturers' default
passwords are available to anyone on the Internet.
Poor access controls are also a common weakness within computer
networks. Creating policies and procedures to manage access to the
network and specific applications is essential to network security.
Many organizations fail to eliminate "phantom users," such as
former employees, from their systems, leaving the door open to
individuals who may wish to cause embarrassment or damage. We
encourage clients to implement User ID Auditing to ensure that the
right people are on the system at any given time, with the right
credentials and the appropriate security access.
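An added example (not the author's or the firm's own tooling) of what a user ID audit can check: it reconciles system accounts against an HR roster and reports phantom users, dormant accounts and administrative rights not justified by the holder's role. The roster, the account export and the review date are constructed sample data, and the field names are assumptions rather than any product's format.

```python
"""Added example, not from the article: a user-ID audit that reconciles
system accounts against an HR roster to surface phantom users (accounts of
former employees), dormant accounts, and admin rights not justified by role.
Roster, account export and review date are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster: employee id -> (name, status, role).
ROSTER = {
    "e101": ("A. Attorney", "active", "attorney"),
    "e102": ("B. Paralegal", "active", "paralegal"),
    "e103": ("C. Former", "terminated", "paralegal"),
    "e104": ("D. Admin", "active", "it"),
}
ADMIN_ROLES = {"it"}  # roles allowed to hold administrative access (policy assumption)

@dataclass
class Account:
    username: str
    employee_id: Optional[str]  # None for shared or unmapped accounts
    is_admin: bool
    last_login: Optional[date]

# Constructed account export from the directory / file server.
ACCOUNTS = [
    Account("aattorney", "e101", False, date(2010, 2, 20)),
    Account("bparalegal", "e102", True, date(2010, 2, 25)),  # admin, but not an IT role
    Account("cformer", "e103", False, date(2009, 9, 1)),     # owner was terminated
    Account("dadmin", "e104", True, date(2010, 2, 26)),
    Account("scanner", None, False, date(2009, 6, 1)),       # no owner, long dormant
]

def audit_accounts(accounts, roster, review_date, dormant_days=90):
    """Return {username: [findings]}; accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        record = roster.get(acct.employee_id) if acct.employee_id else None
        if record is None:
            issues.append("no owner on HR roster")
        elif record[1] != "active":
            issues.append(f"owner status is '{record[1]}'")
        if acct.is_admin and (record is None or record[2] not in ADMIN_ROLES):
            issues.append("administrative access not justified by role")
        if acct.last_login is None or (review_date - acct.last_login).days > dormant_days:
            issues.append(f"no login in the last {dormant_days} days")
        if issues:
            findings[acct.username] = issues
    return findings

def run_audit(review_date_iso="2010-03-01"):  # audit the sample data for an ISO date
    return audit_accounts(ACCOUNTS, ROSTER, date.fromisoformat(review_date_iso))
```

Run against the sample data, the report flags the terminated employee's account, the unowned dormant account and the paralegal holding administrative rights, while the two properly mapped accounts produce no findings.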
Trends in hacking
Another trend in hacking should be of particular concern to
smaller businesses, municipalities and educational institutions.
Hackers who want to steal information or create damage at a
high-visibility target, like a major corporation, need to do so
under the cloak of anonymity to avoid being caught and prosecuted.
To do that, they first hack into smaller, more vulnerable
organizations, harvest that site's credentials - IP addresses and
other identifying information - and assume that identity when
hacking the primary target. This represents a problem for the
smaller organization because the larger company can argue that a
lack of proper security allowed the fraud to be committed.
Protecting your virtual assets
A vulnerability assessment is an effective way to protect your
organization against hackers and malicious intruders. In a
vulnerability assessment, a Certified Ethical Hacker attempts to
break into an organization's systems and identify areas of
weakness. This results in an analysis and specific recommendations
for implementing security technologies as well as policies and
procedures to control and monitor access to the system. After six
months, a follow-up benchmark analysis is conducted to ensure that
all recommendations were implemented and working properly. The
service offers a high return on investment, not to mention peace of
mind.
Facts and figures
Passwords protect (but only if you use them)
- Missing passwords. Everyone in the organization should have a
password of more than seven characters. Passwords should be
alphanumeric and difficult to guess. (No family names.)
- Change passwords regularly. Passwords should be changed across
the organization every 60 days.
- Hardware passwords. System administrators need to apply these
same password standards to hardware, such as routers, printers,
servers and other access-protected hardware.
244,794,916: total number of records containing sensitive personal
information involved in security breaches in the United States
since January 2005.
Source: Privacy Rights Clearinghouse, Dataloss
$182.00: the estimated average cost of a data breach, per record.
Source: Privacy Rights Clearinghouse
In a recent Verizon business study:
- 73 percent of data breaches resulted from external sources,
such as hackers.
- 66 percent of data breaches involved data the victim didn't
know was on the system.
The Author
Michelle D. Syc, a Certified
Ethical Hacker and Certified Information Systems Auditor, heads the
Information Technology Assurance Service Group at Kostin, Ruffkess
& Company LLC. She is responsible for evaluating information
systems to identify vulnerabilities and recommend solutions to
mitigate security weaknesses.