Thursday, November 5, 2015

Information Systems Security Primer 2015

A good friend of ours, who is an information security expert, shares their wisdom in this week's CTB post.


I. Introduction

The bookshelves are lined these days with tomes about secure computing but who has time to read a book? And all that jargon! Hard to tell a habeas from a corpus! So here’s a simple series of things you should know if you’re going to process information in a computer, tablet, cell phone, whatever.

One step at a time. Starting at the beginning. In this article we will talk about “computers” but everything in the series applies in much the same way to any similar device.

So first some terminology.  A computer is a machine that stores and processes information in binary form as 0s or 1s, strung together in groups of eight switches. A single switch in the off position is a zero; in the positive position is a one. Nothing fancy.

A computer can be a desktop, a laptop, a tablet, a smart phone, or any of several other nouns used to describe generally how big it is, how portable it is, and what else you can use it for besides computing. Doesn’t matter much which one you have; pay attention to security or you could lose all your information, lose your identity, or find your computer turned into someone else’s computing center.

At the simplest level: one computer, connected to nothing, being used by one and only one person. In this form, the only security issue is reliability, or as the security folks insist on calling, availability. Does it turn on when you tell it to turn on, is your information in there, and can you read it? Over time, the electronics inside can wear out, get dirty, get fried by a lightning strike or power spike, or just get out of sorts. Keep it in a relatively clean area, free of liquids, plugged into a hardware store quality power strip that has surge protection, and that’s pretty much it. You have security. Someday, 5 or 6 years down the calendar, your software programs will be obsolete and nobody will be able to help you reinstall them if something goes wrong, or the storage space inside the computer (techies call them “hard drives”) will die and your information will be lost. But you can’t catch a computer virus or be invaded by Trojan horses. Your only concern is what to do if the machine or the software just quit working. In the meantime, you’re secure.

II. Backup

The next step on the slippery slope of security is the desire to protect your information against the computer “dying” or the software becoming obsolete by making a copy of your information. Now, for those of us who live in the real world, backing up means going in reverse. But to the computer intelligentsia, backing up means making a copy of some or all of the information on your computer. The electronic equivalent of making a carbon copy of what you put through your typewriter or photocopying all the books in your library. That carbon paper was a pain and really messy and who has space to store two copies of every book. But with a computer, a copy of what’s in there fits on a piece of plastic no bigger than a travel pack of tissues. Very easy to handle and very easy to find a place to put it so you can’t find it when you need it.

The bad news is that somewhere along the line, you just might take that piece of plastic and put it in another computer to get a copy of something somebody else has agreed to share with you. Bingo. Now you’ve gone and done it. You’ve networked. Sneaker net we called it in the old days; meaning you moved the copy around using show leather. Problem is, that other computer – you don’t know where it’s been or how it’s been used. It might get out more than yours does and it might have picked up a bug somewhere along the line. Now your backup plastic is infected too. So if you do backups, or connect your computer to ANYTHING, you need to add a special program called “anti-virus software”. Not very expensive, and worth every penny. So if your computer ever has a backup device connected to it, or gets put on an electronic network, especially if it ever connects to the Internet or makes a phone call, you had better have anti-virus software or someday you’re going to find yourself unable to do anything with the computer you’ve been using. And your backup will be infected too, so you may never see your information again.

III. Networking

Okay, so we mentioned a network. What the heck is that? Well, in its simplest form, it’s two computers with a cable that connects them so they can move information back and forth between them without anyone walking around with a piece of plastic. A lawyer and his secretary; a judge and her law clerk. Now both computers are at risk of picking up whatever the other computer comes across; good or bad. So far, though a pretty simple network to protect. Anti-virus software is probably still all you need. Maybe a third cable to connect a printer to one of them so both people can share one printer. But still not much additional risk.

But wait! You know about legal research software. A sales rep from Lexis or West cornered you at a Bar Association meeting and convinced you life could not go on without a subscription. So now you want to connect your network to their system so you don’t have to go to the law library anymore; the law library comes to your computer. Good for efficiency and, if you learn to use it, good for effectiveness. This used to mean you called the phone company and ordered a second telephone line and went to Radio Shack and bought a modem and when you wanted to do research, you placed a phone call through your modem to their service. You were “on line”! And it was pretty safe and secure. As long as you or your modem dialed the phone number correctly, you always got the research service, not some hacker somewhere you’ve never heard of. And it was pretty easy to set your modem so that it never, ever answered when a hacker ran a program that dialed phone numbers at random looking for a modem that would answer. Of course, gas was a buck a gallon and a new Toyota was $2,500. Then life got complicated and speed became important and we all connected to the Internet! If you’re old enough to remember phone systems from the 60’s (a decade, not your age!), you just went from a private phone line back to a party line. Still good for efficiency and effectiveness but bad for security. Because everything is happening much faster, you can’t just run your anti-virus software once a week or even once a day; it should be running all the time.

IV. Antivirus

When you use the Internet to connect to the legal research service, a whole lot of people know you’re out there and they can find your network and your computer and they can do lots of ugly things to it and to your information. Now your computers can get infected without you even knowing anyone or anything is touching your computers. You need anti-virus software on steroids, something that watches which Internet sites you connect to, looks at what’s on them, and stops the ugly stuff from coming in by hiding in the middle of a stream of good stuff. Or pretending to be good stuff.

And when you went on the Internet, you probably also signed up for email. Really bad for security. So now your anti-virus software has to be smart enough to scan websites for what’s lurking there and check email for spam (junk mail) and phishing attacks (messages that try to trick you into giving up personal information (or worse, client’s personal information).

There also are people out there looking for computers they can “borrow”. Why would they want to do that? Well, usually, because they want to do something they don’t want to get caught doing, so they want to do it from someone else’s computer. They want to store movies they stole from Sony, but not on their computers; they’ll use yours. Or pretty much anything illegal or unsavory. So when you download that stock quote program so you can watch your portfolio value plummet by the second, what you really downloaded was an infected file that is sending black market movies around the world from your computer!

So now you may want to add a box or a piece of software called a firewall. Just like the wall between two townhouses that keeps a fire in your neighbor’s unit from spreading into yours, a computer firewall keeps a flaming mess from getting into your computer from the forest fire of illegal activity that’s going on all over the Internet. It knows how to analyze traffic coming at you across the Internet and spot and stop the bad stuff. Files you don’t want on your computer.

V. Denial of Service Attacks

If you’re doing all these things from a court system that either handles large numbers of cases, or lots of high profile cases, there are people out there who might want to disrupt what you’re doing. Either to protect their interests by delaying a case against them from reaching trial, or as a political statement against courts in general, or your court in particular, or a judge whose decisions they don’t like. So they might try to flood your network connection to stop useful traffic from getting in our out: electronic filings, notices to or from the parties, stuff like that. This is called a denial of service (DoS: not the same as DOS, a very old personal computer operating system) attack. In a more sophisticated form, a DoS attack may try to get past your firewall and flood your network and all the computers on it so not only can you not communicate with the outside world, you can’t even run your own computers and network.

The good news is, that firewall we put in to protect you from the wild and woolly Internet can protect you from DoS attacks too, but you probably will need some help setting the firewall up to do that.

VI. The Cloud

But remember that tissue pack sized piece of plastic? If you succeed in protecting yourself against Internet evils, you’ll also probably discover that you don’t need that piece of plastic anymore. (fictitious name) will let you copy all the files on your computer to their computers. Real time backup without any plastic. Except the credit card you need to use to pay for it. This is what the latest round of hip with it folk call “going to the cloud”. But there’s a catch. There are some nice pretty fluffy clouds that look like your pet rabbit, and there are some really nasty ugly storm clouds that are really traps to steal that confidential memo you just wrote for the Chief Justice or all your client financials or anything else that might be worth something to them in the market place. And both types of clouds look very much alike from down here on terra firma. So conduct a careful due diligence about who it really is running this cloud and how reliable and security conscious they are. Remember that chain that’s only as strong as it’s weakest link? The cloud has lots of potential to be the weakest link in your security chain.

The “Cloud” also will let you buy not just the space to store your data but the right to use the software you want to use. No more installing that messy spreadsheet software on your computer; just pay a few bucks a month to use their version of it across the Internet. But there’s a catch.
For some reason (think market share!), the company you choose as your cloud provider isn’t very likely to tell you about all the storms a simple cloud can create when nobody is watching. Or that you aren’t allowed to look at the cloud to see what’s going on in there; only to put data in it or take data out of it. And when they sell you the privilege of using their cloud, read the contract carefully. You may have signed away any right to complain about what has happened to you because you connected to their cloud, or be forced to rely solely on arbitration, or some other form of restriction on your ability to get them to share in any loss you may have incurred using their cloud. So be careful about how you “go to the cloud”. That lovely, fluffy cumulus cloud drifting smoothly across the azure sky today may become a cyclone that destroys everything you’ve done for the last 30 years (yes, it’s been that long since we started using desktop computers- GenX and the Millenials didn’t really invent them).

VII. Action Items

So, what to do? Go back to the quill pen and an ink well? Get some of those floor to ceiling cages installed in your file room to store all the scrolls you’re using to avoid the travails outlined in this screed? A few simple steps.

A. Think about risk! What happens if your data disappears? Or worse, what happens if it shows up on the front page of the local newspaper? Do you still have one of those in your town? Or worse, on the lead page of the local newspaper’s online edition where the whole universe can read it? What is it worth to avoid that? Should you create the file in the first place? Do you need to hire someone to manage your systems to reduce the risk? How worried are you/how much will you pay? What else might you need beyond anti-virus software or a simple firewall? Depends on what you’re doing and how important your data is. Lots of folks out there to help you drive the cost of attacking you higher than the bad guys are willing to spend. But if you hire one of them, check them out carefully; only pay for GOOD help.

B. Make backups. Test them. Someplace, in some form. And from time to time, grab a file from the backup and make sure it still works. The storage media can go bad and the backup software can become obsolete. Your back up disk from 1999 probably won’t work on your current computer.

C. Scan your system. At a minimum, run a well-tested anti-malware program. The popular computer magazines test them from time to time. Install the one you chose. Make sure it’s update program runs to keep the tools sharp. Last week’s version won’t protect you this week. If you are highly connected to the outside world, you may want to get that company you hired to help you manage risk to scan your system from the outside. They’ll call it pen testing (penetration testing) or a vulnerability scan. But they’re pretending they’re the bad guys and probing where your weaknesses are.

D. Keep your systems current. It costs money and it takes time but the computer market is all about revenue and revenue is all about new versions of stuff. So that computer system you bought in 2005 and the software you have on it either can’t be supported anymore or it will cost you two arms and three legs to find someone willing and able to do it. Pay enough attention to the market place to know when your stuff is obsolete, bite the bullet, and upgrade. Else, expect your stuff to become inaccessible and unusable.

E. Pay attention! If you start seeing weird stuff happening on your system, the system very likely has a cold. Find it and get rid of it before it turns into pneumonia. If you get email from someone you never heard of, think three times before opening it! If you do open it and it asks you for ANY personal information, delete it! We call these messages Phishing. They get ugly really fast. Delete It Now! If it’s from a lawyer about a diamond mine in some obscure place, delete it.

Good luck!

1 comment:

  1. What a great post! I'll be sure to pass it around. Thank you!