UNIT 2

Computer and Network Security Issues

Thin Clients (By way of review…)

• Check out posted items in webliography

http://www.smallbusinesscomputing.com/biztools/article.php/3836486Click on the “Business Software” tab

Why is Information Security Important?

• Legal professionals and clients depend on computers and technology to communicate about their cases

• Because of this, law offices, courts, and clients depend upon computers to keep cases moving along

• It’s vital that the information that is disseminated via the computer remains as secure as possible so that client confidences are not revealed

Network Computers

• A single computer alone faces security issues only for that computer

• However, when a computer is on a network, a breach of security on one of the computers can affect other computers on the network

• Limiting access to the network can help to ensure that the system and files stored on it are not corrupted

Security Protocols

• The term “security protocols” refers to securing communications between points within a computer network and across the Internet.

• There are software programs that can limit the ability to access a file server, workstations, printers, etc. that are on the network.

Network Rights and Privileges

• Consider some of the ways access to the server and other devices be limited to maximize security:

• First, who has access can be restricted. Network administrators have the most rights.

• Second, it can be designated just what type of information can be stored on the server.

• Third, how the information is disseminated can also be restricted.

Passwords

• Restricting network access by requiring passwords can add security

• Writing down your passwords can increase risk of unauthorized use

• VPNs – or devices where the code changes frequently offer more security

• What about “thumbprint devices” and “retinal scans?”

Hacking

• Unauthorized access to computer networks in order to obtain information stored on the network or undermine how the network operates (viruses)

• This can happen when someone on the network surfs the web

• Liability can result when unauthorized material is stored on the network

Firewalls

• Firewalls serve to limit access to a computer or a system by those outside the computer or system with unauthorized access

• But sometimes firewalls can prevent you from accessing some information that you need or working from an offsite location

Antivirus Plus Firewall Example (FREE)

Viruses• Programs that destroy or compromise the running of

computer programs and operating systems are known as computer viruses

• Anti virus programs work to prevent viruses from attacking a computer beforehand

• Some viruses can cause a computer to be completely ruined or can slow a computer’s speed

Antivirus Example

Preventing Downloading Viruses

• Be careful when opening attachments on email. If the source is unknown, you may not want to open or download that.

• Update your antivirus software frequently. Most are set to expire or have automatic updates to remind you.

Windows Updates

Backing Up Data

• One of the most important things to remember to do is to back up your work while you are working and when you are done.

• USB sticks are great for storing data, but many computers also have an internal recovery system that works well too.

Data Breaches Mean More Than Bad Publicity

The following discussion comes from an article by Jim Walden – as found on www.law.com.

Over the last several years, corporate data breaches have

been regularly splashed across the front pages of the nation's newspapers, causing nightmares for corporate executives. Ever-increasing digitization in areas such as business, banking and accounting has led multinationals to collect and retain inestimable quantities of personal information about employees, customers and counterparties.

Data Breaches

• The negligent (or even innocent) loss of electronic data to cybercriminals inflicts billions of dollars of damage on our economy, as personal information has become a sought-after treasure trove for cybercriminals. These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.

Hannaford Brothers Co.

The recently announced data breach at grocer Hannaford Brothers Co. illustrates the trend. On March 17, 2008, Hannaford announced that cyberbandits had breached its system, obtaining access to personal-financial information of nearly 4.2 million customers. Just three days after the announcement, plaintiffs' lawyers filed four class actions against Hannaford. Since then, lawyers have filed an additional 12 complaints, requiring Hannaford to defend litigation from Florida to Maine.

TJX

TJX, a retailer that operates T.J. Maxx and Marshall's stores, faced a federal investigation and an onslaught of follow-on civil litigation after announcing a breach widely reported as the largest data-security breach in U.S. history where computer "hackers" stole at least 45.7 million credit and debit records.

Data Breaches

Although data breaches can occur in a wide variety of ways -- from lost or stolen employee laptops to hacked computer networks -- most companies face a similar array of implications following discovery of a breach. As an initial and immediate matter, a thorough forensic investigation is critical to ascertain the scope and nature of the data breach.

Civil Lawsuits

Corporations suffering data breaches are also routinely contending with follow-on civil suits -- private, often class, actions seeking damages for the potential economic losses and emotional distress allegedly caused by the potential misuse of the disclosed personal information. Increasingly, these suits are filed soon after the data breach is publicly announced -- much like "stock drop" securities class actions -- thereby adding negative publicity and causing further distractions.

Randolph v. ING Life Ins.In the recent case of Randolph v. ING Life Insurance &

Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee's home containing the personal information of 13,000 government workers and retirees. Plaintiffs argued, inter alia, that the theft exposed them to "substantial risk of identity theft," and that as a "direct and proximate result," they "have been exposed to a risk of substantial harm and inconvenience, and have incurred or will incur actual damages in purchasing comprehensive credit reports and monitoring of their identity and credit for the definite future." However, none of the plaintiffs asserted that they had actually been the victim of any identity theft.

Randolph v. ING Life Ins.

The company succeeded on a motion to dismiss, arguing that plaintiffs lacked standing to sue because they proved no actual damages and, thus, no "recognized injury.“ The court agreed, citing a long line of "lost data" cases in which courts held that "an allegation of increased risk of identity theft due to lost or stolen personal data, without more, is insufficient to demonstrate a cognizable injury.“ Thus, plaintiffs failed to demonstrate the "injury in fact" necessary for the constitutional requirement of Article III standing. Moreover, the court also recognized that credit monitoring services, even if the plaintiffs were to have actually alleged payment for such services, cannot constitute actual injury.

Guin v. Brazos

Guin v. Brazos Higher Education Service Corporation Inc. had a similar result. There, plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers. Granting summary judgment in favor of Brazos, the court held that Brazos had no duty of protection (under the Gramm-Leach-Bliley Act),that Brazos acted with reasonable care in handling the information and that Brazos's inability to foresee and deter the specific theft was not a breach of a duty of reasonable care. Because neither of plaintiff's identity nor personal information was used in any fraud, the court also ruled that the absence of damages was likewise fatal to plaintiff's claim. Consequently, the court dismissed the case with prejudice.

State Laws

• State laws also help to guide how to proceed once a security breach has occurred.

• For a listing of every state’s laws on this subject, go to http://www.consumersunion.org/campaigns/Breach_laws_May05.pdf

Practice Questions

Practice Question # 1

• ABC Law Firm has 20 associates and 5 legal assistants. Every associate and secretary has a computer that is part of a network. To make things easy, they give everyone the same password, and the password never lapses or expires. What is wrong with this?

Answer to Practice Question # 1

• An outsider can readily obtain access to internal systems because password policies are weak.

• User accounts could be compromised and full access to network controllers can be had by some not authorized to use the network.

Practice Question # 2

• Suppose the ABC lawfirm gave everyone in the office administrator access. What is the problem with this?

Answer to Practice Question # 2

• Once on the network, attackers can easily obtain administrator credentials.

Practice Question # 3

• As a regular part of doing business, the ABC lawfirm sends and receives attachments via email without routinely running an antivirus program. What is wrong with this?

Answer to Practice Question # 3

• Viruses and worms can spread quickly to large numbers of computers.

• An intruder finding a hole somewhere in the network could easily jump straight to the core of the system.