Computer Counselor - October 1998
Network Security Measures to Help Foil the Enemy Within
Network and operating system software are not invulnerable to internal snooping
By Daryl Teshima
Daryl Teshima is editor-in-chief of the bimonthly magazines Legal Assistant Today and Law Office Computing. He can be reached at firstname.lastname@example.org.
In most law offices, network security has focused on protecting a firm's data from outside invaders, and with good reason, since Internet hackers can maliciously destroy not only critical computer files but also any legal privileges surrounding them. It is no wonder that many law firm administrators construct elaborate Internet barricades (known as firewalls) to keep firm data and networks secure from cybervillains.
These barricades, however, do not protect data when an unauthorized person has physical access to one of the firm's computers. Recently, a director of information services of a large Southern California law firm confided that a successful hack of his firm's network probably would originate not from the Internet but from within.
"Physical security in law firms is terrible," said the director. "A person wearing a phone uniform can often gain access to a firm's server and data without any questions asked. It's far easier and quicker to compromise data that way than hacking a firm's firewall."
Other information professionals agree. According to a recent survey by Ernst & Young LLP, 55 percent of the respondents did not believe that their network security measures could withstand an internal attack. Such attacks are not myths: two-thirds of the respondents reported losses from a security breach over the last two years.
The danger is even greater for attorneys who regularly use notebook computers. Last year, one insurance agency reported more than $1 billion in claims for stolen notebooks, an increase of 28 percent from 1996. Thieves understand that the real value of a stolen notebook is not its resale price but the confidential information stored inside. For attorneys, this information ranges from sensitive client documents to remote access to a firm's network. Within minutes, one stolen notebook can quietly compromise the network security of an entire law firm.
The first line of defense for most computer systems is access security, which usually consists of a logon prompt that appears whenever an attempt is made to enter a firm's network. Operating systems such as Novell Netware and Windows NT provide access security: without the right user name and password, a user cannot access firm files and data stored on the network. System administrators can also assign appropriate access rights to each user, ensuring that only authorized eyes view sensitive files.
Many small-to-medium-sized firms, however, rely on the peer-to-peer networking included in Windows 3.x, 95, or 98. Users should know that in these environments, the primary purpose of the logon prompt is not security but to allow different users of a single computer to maintain individual system preferences.
Windows 95 and 98, for example, store password information in a single file in the Windows directory. This easily accessible file is located in the Windows directory and has a .pwl extension. Those who do not know the password can simply go to a DOS prompt, delete the file, reboot, and set a new password when the computer allows them to log on. These systems can be made more secure by hiding the password files and by using the Windows system policy editor to prevent access to a computer desktop after a failed attempt to log on. But even if these steps are taken, a hacker can access files by simply booting up the computer with a floppy disk, or removing the hard drive and chaining it to another system.
Whether a firm is using Netware, Windows NT, or a Windows operating system with its security holes patched, logon prompts remain an all-or-nothing proposition. After the initial password is entered, no further security checks are made. Thus, if a user forgets to log out when finished or leaving the office, anyone who has internal or physical access to that computer can open that person's files. Network administrators can combat this problem by automatically logging users off after a certain period of inactivity, but constant prompts for passwords can cut into productivity as well as annoy everyone in the firm.
Network logon prompts are also ineffective for notebook computers, which by nature are often used unconnected to a network. Many notebooks (as well as some desktop computers) allow some form of password protection when first turned on, but savvy intruders can often override these protection schemes by changing an internal switch on the system's motherboard. In addition, the portability of notebooks allows thieves to employ more elaborate hacking methods in the comfort of their own lairs.
One common method used to protect key data is to encrypt sensitive files, which provides a level of security that logon prompts cannot match. Encryption is also readily available. A cursory search of the Winfiles Web site (http://www.winfiles.com) - the best single source for Windows utilities and programs) reveals more than 100 encryption applications. The most popular encryption engine, PGP (Pretty Good Privacy), is even free for noncommercial use (http://www.nai.com/products/security/pgpfreeware.asp). Encryption is also found in many popular utility packages, such as Nuts & Bolts 98 from Network Associates (http://www.mcafee.com), as well as plug-ins for e-mail clients such as Eudora, Outlook, and Netscape Mail.
There are two methods to encrypt files. Symmetric key encryption uses the same password to encrypt and decrypt data. This type of encryption has one major shortcoming. In situations in which the encrypted data is shared, a secure channel is required to give the password to the recipient. This defeats the purpose of encryption, because if users had a secure channel, they would not need to encrypt their data. To overcome the problem of sharing secured data, public-key encryption was developed. With public-key encryption, the encryption software generates two keys, a public key that encrypts data and a corresponding private key that decrypts data. Thus, anyone who knows the public key can encrypt files, but only the person with the private key can unlock them.
Depending on the level used (the greater number of bits used in the encryption routine, the more secure the data), encryption provides airtight security for files. Encrypted files are useless without the right password, which protects sensitive information that falls into the wrong hands.
Encryption also has its weaknesses. Passwords can be forgotten, transforming a critical document into a random collection of bits that all the king's men cannot put back together again. Many encryption schemes also do not disguise directory content and file information. In many situations, the mere fact that a file exists may in itself be a release of sensitive information. Encryption also requires that all users employ the same encryption engine used to scramble the file. This limitation, however, may be eliminated in the future. With encryption standards such as S/MIME, all users need is a S/MIME-compliant e-mail client.
The security of encryption is also heavily dependent on the particular scheme employed. Avoid encryption features found in programs whose primary purpose is not security. For example, both Word and WordPerfect allow users to password protect word processing files. The protection afforded by this feature, however, is slight. WordPerfect 5.1 for DOS stores the password in the file header, which can be viewed with a simple hex editor. There are also several utilities available on the Internet that can decrypt password-protected Word and WordPerfect files. A better alternative is to use encryption schemes solely devoted to security.
Encryption's biggest weakness, however, is that it requires users to encrypt files. If users fail to encrypt sensitive files, then no protection exists. As most system administrators can attest, data theft stemming from the laziness or forgetfulness of authorized users is a more likely scenario than someone's cracking the encryption scheme. Several off-the-shelf products are available that make encryption easier to use. For example, Network Associates, the owners of PGP, offer PGP Disk ($39 retail). This application makes a section of a user's hard drive a secure volume and assigns it a drive letter. Anything stored on this secure volume is encrypted and can only be accessed with the correct password. After a specified period of inactivity, the program will automatically close the secure volume, thus preventing unauthorized use of unattended systems.
Another powerful security utility is Norton Your Eyes Only from Symantec Corporation ($79 retail, http://www.symantec.com). NYEO provides two levels of security. Its BootLock component encrypts the critical system areas of a computer, which prevents intruders from accessing the hard drive even if they boot from a floppy disk. BootLock requires a proper user name and password before it will even allow Windows 95 or 98 to start. NYEO also provides on-the-fly encryption for designated SmartLock folders, the contents of which are automatically encrypted. These two features can provide small firms running a peer-to-peer Windows network with the advanced security features of a Novell or Windows NT network.
One innovative approach that combines all these security methods is the IntelliGard Security System developed by Irvine-based Maz Technologies (http://www.maztechnology.com).Like other encryption packages, IntelliGard makes encryption a matter of a right-key click of the mouse. In addition, its iWatch feature allows users to encrypt only a portion of a document. A user can encrypt confidential text within a document simply by highlighting it. Only users with the appropriate decryption keys will be able to unscramble the text. Think of this feature as smart redacting.
To limit access to firm data, IntelliGard requires users to insert a SmartCard into a reader attached to the computer. Similar in size and appearance to a credit card, a SmartCard has a data strip that contains a user's identification, password, and encryption keys. Without this card, a user cannot access files or the computer's desktop. This approach is particularly effective for notebook users. A SmartCard reader conveniently fits into a PC Card slot on the notebook and makes the data inaccessible without the appropriate SmartCard.
IntelliGard shines in conjunction with a document management system. Currently, IntelliGard incorporates directly into DOCS Open from PC DOCS, which is currently the most popular large firm document management system. When a user attempts to retrieve a document, an integrated module verifies whether the requestor has the appropriate authority to view the document. If the requestor does, the data is decrypted and the request is processed. This integration makes encryption completely transparent to the user and greatly reduces the possibility that unauthorized eyes will see confidential data. Officials from Maz Technologies indicate that this system will be available for other document management systems in the near future.
The cost of the IntelliGard system depends on the security options chosen by the firm and the number of users. A software-only approach used for encrypting e-mail, without the SmartCard feature, is available for approximately $35 per user. A system with SmartCards that incorporates into a firm's document management system costs approximately $175 per user.
Although the drawbridge may be raised and the ramparts guarded, the treasure may not be safe if there are thieves in the castle. User groups and passwords are already in widespread use but can be circumvented, especially from within. Law office managers should consider internal as well as external security measures.