Florida State University College of Law Research Center

Report
Internet Security
Jon Lutz
FSU College of Law Research Center
Fall 2011
Florida State University College of Law Research Center
Antivirus
• Free for Windows
• AVIRA http://www.avira.com/en/avira-free-antivirus
• AVG http://free.avg.com/us-en/homepage
• Avast http://www.avast.com/en-us/index
• Windows Security Essentials
http://www.microsoft.com/enus/security_essentials/default.aspx
• Mac
• Sophos http://www.sophos.com/en-us/products/freetools/sophos-antivirus-for-mac-home-edition.aspx
Florida State University College of Law Research Center
Rogue Security software
Florida State University College of Law Research Center
Malware
• Malwarebytes http://www.malwarebytes.org/
Florida State University College of Law Research Center
iPhone Siri Security Flaw
• Siri can be used on the new iPhone 4S even
when it’s locked. This would allow anybody
to pickup your found and send messages to
your contacts.
• Change default setting: Allow access to Siri when
locked with a passcode to Off.
http://www.huffingtonpost.com/2011/10/20/siri-security-iphone-4s_n_1022194.html
Florida State University College of Law Research Center
Android Ice Cream Sandwich Security
Flaw
• Face unlock feature will unlock the phone
when it recognizes a users face
• Security flaw: pictures work too
Florida State University College of Law Research Center
Find My iPhone
Florida State University College of Law Research Center
Android Lost
Florida State University College of Law Research Center
Tips for Removing Metadata
from MS Word Files
• What can be in metadata
•
•
•
•
•
•
Shared Authors
Comments
Document revisions
Hidden Text
Tracked changes
Undo/redo history
Florida State University College of Law Research Center
Tips for Removing Metadata from
Word Files
•
•
•
•
Convert to RTF
Scan the file and convert to image or PDF
Print to PDF (doesn’t get rid of everything)
Microsoft Prepare/Inspect Document
Florida State University College of Law Research Center
Duqu Threat
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
Florida State University College of Law Research Center
What do you have on the Web
Caption: “Drunken Pirate”
Florida State University College of Law Research Center
Court Rules Against
http://www.msnbc.msn.com/id/18372103/#.Tp84XZuIk9o
Florida State University College of Law Research Center
Minnesota Court of Appeals
http://minnesota.publicradio.org/collections/special/columns/news_cut/archive/2011/07/
court_of_appeals_facebook_post.shtml
Florida State University College of Law Research Center
Twitter
Florida State University College of Law Research Center
What’s Your Web Identity
Florida State University College of Law Research Center
How can you find out?
• Spokeo
• http://www.spokeo.com/
Florida State University College of Law Research Center
Spokeo
Florida State University College of Law Research Center
Florida State University College of Law Research Center
Florida State University College of Law Research Center
Florida State University College of Law Research Center
Florida State University College of Law Research Center
Google Dashboard
From the Profile and Privacy page:
Florida State University College of Law Research Center
Google Dashboard
Florida State University College of Law Research Center
Google Security
Florida State University College of Law Research Center
Google Personal Information
http://www.google.com/support/webmasters/bi
n/answer.py?answer=164133
Florida State University College of Law Research Center
Mugged in Spain
• Hacked by James Fallows
• http://www.theatlantic.com/magazin
e/archive/2011/11/hacked/8673/
Florida State University College of Law Research Center
Google 2-Step Verification
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
Florida State University College of Law Research Center
Facebook
Florida State University College of Law Research Center
Facebook Privacy
Florida State University College of Law Research Center
Facebook Security
Florida State University College of Law Research Center
Facebook
Florida State University College of Law Research Center
Facebook Apps
Florida State University College of Law Research Center
Apps
Florida State University College of Law Research Center
Facebook Apps
Florida State University College of Law Research Center
Facebook Security Settings
Florida State University College of Law Research Center
Facebook Security
Florida State University College of Law Research Center
Login Approvals
Florida State University College of Law Research Center
Facebook Activity
Florida State University College of Law Research Center
Facebook Security
• Stop
• Think
• Connect
• http://www.facebook.com/security?v=wall
Florida State University College of Law Research Center
Facebook Security by Sophos
• Facebook Security Best Practices
• http://www.sophos.com/en-us/security-newstrends/best-practices/facebook.aspx
Florida State University College of Law Research Center
Facebook Security by
Sophos
• Facebook Security
Best Practices
• http://www.sophos.com/e
n-us/security-newstrends/bestpractices/facebook/accou
nt-settings.aspx
Florida State University College of Law Research Center
Cloud Computing
Florida
•
•
This committee concludes that the main consideration in file storage is that the appropriate documents
be maintained, not necessarily the method by which they are stored. Therefore, a law firm may store
files electronically unless: a statute or rule requires retention of an original document, the original
document is the property of the client, or destruction of a paper document adversely affects the client’s
interests.
The committee agrees with other jurisdictions that have noted practical considerations involved in
electronic file storage. The committee cautions lawyers that electronic files must be readily reproducible
and protected from inadvertent modification, degradation or destruction. The lawyer may charge
reasonable copying charges for producing copies of documents for clients as noted in Florida Ethics
Opinion 88-11 Reconsideration. Finally, lawyers must take reasonable precautions to ensure
confidentiality of client information, particularly if the lawyer relies on third parties to convert and store
paper documents to electronic records. Rule 4-1.6, Rules of Professional Conduct.
From Professional Ethics of the Florida Bar – Opinion 06-1 ( April10, 2006) [Revised:
09-08-2011]
http://www.floridabar.org/tfb/TFBETOpin.nsf/b2b76d49e9fd64a5852570050067a7af/9d
8c4cf77b6a54278525718f005ab400!OpenDocument
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
North Carolina 2010 Formal Ethics Opinion
• Proposed 2010 Formal Ethics Opinion 7
Subscribing to Software as a Service While Fulfilling the
Duties of Confidentiality and Preservation of Client
Property
April 15, 2010
http://www.ncbar.gov/ethics/propeth.asp
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Proposed opinion rules that a law firm may contract with a vendor of software as a service provided the risks that confidential
client information may be disclosed or lost are effectively minimized.
Inquiry #1:
Much of software development, including the specialized software used by lawyers for case/practice management, document
management, and billing/financial management, is moving to the "software as a service" (SaaS) model. In the article "Software as a
Service (SaaS) Definition and Solutions," Meridith Levinson, writing for the CIO website, explains SaaS as follows:
Generally speaking, it's software that's developed and hosted by the SaaS vendor and which the end user customer accesses over
the Internet. Unlike traditional packaged applications that users install on their computers or servers, the SaaS vendor owns the
software and runs it on computers in its data center. The customer does not own the software but effectively rents it, usually for a
monthly fee.1
The American Bar Association's Legal Technology Resource Center explains SaaS as follows:
SaaS is distinguished from traditional software in several ways. Rather than installing the software to your computer or the firm's
server, SaaS is accessed via a web browser (like Internet Explorer or FireFox) over the Internet. Data is stored in the vendor's data
center rather than on the firm's computers. Upgrades and updates, both major and minor, are rolled out continuously. And perhaps
most importantly, SaaS is usually sold on a subscription model, meaning that users pay a monthly fee rather than purchasing a
license up front.2
SaaS for law firms may involve the storage of a law firm's data, including client files, billing information, and work product, on
remote servers rather than on the law firm's own computer and, therefore, outside the direct control of the firm's lawyers. Given the
duty to safeguard confidential client information, including protecting that information from unauthorized disclosure; the duty to
protect client property from destruction, degradation, or loss (whether from system failure, natural disaster, or dissolution of a
vendor's business); and the continuing need to retrieve client data in a form that is usable outside of the vendor's product;4 may a
law firm use SaaS?
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client
information and to protect client property, including file information, from risk of loss.
Rule 1.6 of the Rules of Professional Conduct states that a lawyer may not reveal information relating to the representation of a
client unless the client gives informed consent or the disclosure is impliedly authorized to carry out the representation. Comment
[17] explains, "A lawyer must act competently to safeguard information relating to the representation of a client against
inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or
who are subject to the lawyer's supervision." Comment [18] adds that, when transmitting confidential client information, a
lawyer must take "reasonable precautions to prevent the information from coming into the hands of unintended recipients."
Rule 1.15 also requires a lawyer to preserve client property, including information in a client's file such as client documents and
lawyer work product, from risk of loss due to destruction, degradation, or loss. See also RPC 209 (noting the "general fiduciary
duty to safeguard the property of a client"); RPC 234 (duty to store original documents with legal significance in a safe place or
return to client); and 98 FEO 15 (lawyer must exercise "due care" when selecting depository bank for trust account).
Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics
Committee has long held that this duty does not compel any particular mode of handling confidential information nor does it
prohibit the employment of vendors whose services may involve the handling of documents or data containing client
information. See RPC 133 (no requirement that firm's waste paper be shredded if lawyer ascertains that persons or entities
responsible for the disposal employ procedures that effectively minimize the risk that confidential information may be
disclosed). Moreover, the committee has held that, while the duty of confidentiality extends to the use of technology to
communicate, "this obligation does not require that a lawyer use only infallibly secure methods of communication." RPC 215.
Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best
protect confidential communications and the lawyer must advise affected parties if there is reason to believe that the chosen
communications technology presents an unreasonable risk to confidentiality. Id.
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Furthermore, in 2008 FEO 5, the committee has already held that the use of a web-based document management system that
allows both the law firm and the client access to the client's file is permissible:
provided the lawyer can fulfill his obligation to protect the confidential information of all clients. A lawyer must take steps to
minimize the risk that confidential client information will be disclosed to other clients or to third parties. See RPC 133 and RPC
21585A security code access procedure that only allows a client to access its own confidential information would be an
appropriate measure to protect confidential client information85If the law firm will be contracting with a third party to maintain
the web-based management system, the law firm must ensure that the third party also employs measures which effectively
minimize the risk that confidential information might be lost or disclosed. See RPC 133.
In a recent ethics opinion, the Arizona State Bar's Committee on the Rules of Professional Conduct concurred with 2008 FEO 5 by
holding that a law firm may use an online file storage and retrieval system that allows clients to access their files over the internet
provided the firm takes reasonable precautions to protect the security and confidentiality of client documents and information.4
In light of the above, the Ethics Committee concludes that a law firm may use SaaS if reasonable care is taken effectively to
minimize the risks to the confidentiality and to the security of client information and client files. However, the law firm is not
required to guarantee that the system will be invulnerable to unauthorized access.5 Note that no opinion is expressed on the
business question of whether SaaS is suitable for a particular law firm.
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Inquiry #2:
Are there any "best practices" that a law firm should follow when
contracting with a SaaS vendor to minimize the risk?
Software as a Service
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Yes, a lawyer should be able to answer the list of questions below satisfactorily in order to
conclude that the risk has been minimized. However, the list is not all-inclusive and
consultation with a security professional competent in the area of online computer security is
recommended when contracting with a SaaS vendor. Moreover, given the rapidity with
which computer technology changes, what may constitute reasonable care may change over
time and a law firm would be wise periodically to consult with such a professional.
The lawyer or law firm should be able to answer the following questions sufficiently to
conclude that the risk to confidentiality and security of client file information is minimal:6
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
1. What is the history of the SaaS vendor? Where does it derive funding? How stable is it financially?
2. Has the lawyer read the user or license agreement terms, including the security policy, and does he/she understand the meaning
of the terms?
3. Does the SaaS vendor's Terms of Service or Service Level Agreement address confidentiality? If not, would the vendor be
willing to sign a confidentiality agreement in keeping with the lawyer's professional responsibilities? Would the vendor be
willing to include a provision in that agreement stating that the employees at the vendor's data center are agents of the law firm
and have a fiduciary responsibility to protect client information?
4. How does the SaaS vendor, or any third party data hosting company, safeguard the physical and electronic security and
confidentiality of stored data? Has there been an evaluation of the vendor's security measures including the following: firewalls,
encryption techniques, socket security features, and intrusion-detection systems?
5. Has the lawyer requested copies of the SaaS vendor's security audits?
6. Where is data hosted? Is it in a country with less rigorous protections against unlawful search and seizure?
7. Who has access to the data besides the lawyer?
8. Who owns the data—the lawyer or SaaS vendor?
9. If the lawyer terminates use of the SaaS product, or the service otherwise has a break in continuity, how does the lawyer retrieve
the data and what happens to the data hosted by the service provider?
10. If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code?
11. Can the lawyer get data "off" the servers for the lawyer's own offline use/backup? If the lawyer decides to cancel the
subscription to SaaS, will the lawyer get the data? Is data supplied in a non-proprietary format that is compatible with other
software?
12. How often is the user's data backed up? Does the vendor back up data in multiple data centers in different geographic locations
to safeguard against natural disaster?
13. If clients have access to shared documents, are they aware of the confidentiality risks of showing the information to others? See
2008 FEO 5.
14. Does the law firm have a back-up for shared document software in case something goes wrong, such as an outside server going
down?
Florida
College
of Law
Research
Center
FloridaState
StateUniversity
University
College
of Law
Research
Center
Why Use Cloud Computing
•
•
•
•
•
•
•
Client Independent
Lower Cost
Skilled Resources
Disaster Recovery
Improved Network Access
Better Application Development Tools
Better Security !!
Florida State University College of Law Research Center
Better Security
• Major Cloud Services hire the best of the best
• Distributed data safe from a local disaster
• Employees accessing info from the cloud
better than having sensitive data on a laptop
• The leading cyber organization in the U.S.
Military, the U.S. Cyber Command advocates
migration to the cloud to improve security
• http://www.stratcom.mil/factsheets/Cyber_Command/
Florida State University College of Law Research Center
Cloud Concerns
• Exposure of authentication interface
• Unclear trust boundaries
• Data segregation
• Isolation failures
• Shared encryption keys
• Data mobility
• Could reside in a different country
• What are their privacy laws
• Government seizure of data
Florida State University College of Law Research Center
Cloud Concerns
• Increased consolidation
• Mirroring
• Multiple copies may exist
• This is good for retention but may be bad in accounting
for all copies, deleting
Florida State University College of Law Research Center
Cloud Computing and Privacy
• Legally Privileged Information
• Third party access
• Loss of confidentiality
• Bankruptcy of CSP
• Private data may be sold
• Mergers or acquisitions may require disclosure of
information for due diligence
Florida State University College of Law Research Center
Cloud Computing and Privacy
• Legal Seizures
• May also seize private information of co-tenants
• Compelled disclosures
• Consumer privacy
Florida State University College of Law Research Center
eDiscovery
• Information Management
• Records retention/destruction policies
• Identification
• CSP employee will probably participate in finding
data
• Preservation
• Who’s liable for loss of information
• Collection
Florida State University College of Law Research Center
eDiscovery
• Presentation
• Is data in the possession and control of the
organization or the CSP
• Metadata and log data
• Can a CSP be compelled to produce data from an
organization without their consent?
• Under the Stored Communications Act content should
not be provided to a third party.
• CSP might not be bound to answer discovery questions
• But the organization should know how they will respond to
discovery request.
Florida State University College of Law Research Center
Cloud Computing for Lawyers and
Executives
http://www.amazon.com/Cloud-ComputingLawyers-Executives-Approach/dp/0615487238/
Florida State University College of Law Research Center
eDiscovery for Dummies
http://blog.sonian.com/bid/56118/eDiscovery-for-Dummies-What-You-Need-to-Know
Florida State University College of Law Research Center
http://www.kazeon.com/solutions2/legal-discovery.php
Florida State University College of Law Research Center

similar documents