November 27, 2007
Addressing Laptop Data Vulnerabilities
Law.com has an excellent article discussing several workable approaches for securing data on corporate laptops. A quick look at one list of data breaches illustrates how sensitive data continues to be compromised by unsecured storage on laptops.
It's a particularly savvy article because its first piece of advice is not to overreact and go overboard -- "Draconian laptop-use policies may, ironically, increase an enterprise's vulnerability." Consider that employees often respond by finding other ways of circumventing security to make their jobs easier, which usually means making the data more accessible (i.e., less secure). For instance, blocking file saves to the laptop's hard drive or limiting e-mail inbox sizes can result in employees saving the data to unsecured thumb drives or forwarding sensitive e-mail to personal e-mail accounts. Where there's a will, there's a way. EMC was quoted as opting for a more blended approach, depending on the sensitivity of the data.
Another interesting suggestion was full hard drive encryption, rather than just encrypting the documents folder. This is often a highly debated solution. In my experience, some IT professionals will quickly suggest that doing so will entail a performance hit on the user and cause additional support problems. I'd say that noticeable performance hits are more likely with older, slower laptops. If this presents serious problems, consider phasing in encryption or issuing new laptops to those accessing more sensitive data.
Also keep in mind that when you are working on a laptop, it is likely creating a number of temporary file copies on the hard drive, sometimes in places outside the document folders. Full drive encryption therefore provides more complete protection for these additional copies of sensitive data. Naturally, such a solution would need to be thoroughly tested to determine the real-world impact on users and the IT support organization. Another issue to consider is segregation of the master keys -- do you allow one person or group to have them, or do you segregate them between two entities within the organization to avoid unilateral and potentially undesirable actions? I liked the allusion to the missile silo two-operator requirement.
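The two-custodian arrangement for the encryption master key described above, as an added illustration that is not part of the article: a hypothetical 256-bit volume master key is split into two shares with a one-time-pad (XOR) split, so each custodian holds a share that alone reveals nothing and the key exists only when both shares are brought together. The key length, share layout and check value are assumptions for this example.

```python
import os
import hashlib
import hmac

# Added example (not from the article): 2-of-2 split of a hypothetical
# full-disk-encryption master key so no single person can unlock a volume.

KEY_LEN = 32  # 256-bit master key, e.g. what an AES-256 volume would use


def split_master_key(master_key: bytes) -> tuple:
    """Return (share_a, share_b). share_a is a uniformly random pad, so each
    share on its own is indistinguishable from random bytes."""
    share_a = os.urandom(len(master_key))
    share_b = bytes(a ^ k for a, k in zip(share_a, master_key))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the master key; requires both custodians' shares."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> str:
    # Truncated hash recorded at key-generation time so the custodians can
    # confirm a recombined key is the right one without seeing the key itself.
    return hashlib.sha256(key).hexdigest()[:16]


def unlock_volume(share_a: bytes, share_b: bytes, expected_kcv: str) -> bool:
    """True only when both shares recombine to the key matching the check value."""
    recovered = combine_shares(share_a, share_b)
    return hmac.compare_digest(key_check_value(recovered), expected_kcv)


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)
    kcv = key_check_value(master)
    a, b = split_master_key(master)
    print("both shares:", unlock_volume(a, b, kcv))        # True
    print("one share only:", unlock_volume(a, bytes(KEY_LEN), kcv))  # False
```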
Removable storage, such as flash thumb drives and external hard drives, continues to be a major concern. And let's not forget iPods, which fall into one or the other of those categories. On one hand, these drives are very useful tools for mobile users. When unsecured (e.g., unencrypted), they can represent a larger security threat due to their tiny physical size and increasing storage capacities. For example, an 8GB thumb drive goes for less than $100 and can store a staggering amount of information. The article mentions products that control which devices can be plugged into which computers, and the best ones allow exceptions to be set when needed. If thumb drives will be used and supported, I'd suggest issuing employees only those models that support high-end encryption, such as AES, and encrypting the drive's entire capacity before it's issued to the employee. While a savvy user will likely know how to reformat the thumb drive to make it unprotected, the default encryption status is in your favor for the majority of users.
Many new laptops have built-in fingerprint readers, which can make security a bit more convenient. But as the article states, users often forget a key step: Register more than one finger with the device, so if you cut or burn your primary finger, you can use another one to gain access via the reader. Also, without the back-end drive encryption, keep in mind that a fingerprint reader only locks the front door. There are other ways to get to the unencrypted data on the hard drive, such as removing it from the laptop and accessing it from another PC.
Lastly, the article mentions LoJack-style tracking services for laptops, which hopefully reduce their recovery time. However, once the horse is out of the barn, it's too late to employ any of the above security measures. An unprotected hard drive containing sensitive data can be copied very quickly to a number of storage devices. The data contained on missing laptops is often much more valuable and/or costly to an organization than the cost of the physical laptop itself. An ounce of prevention...
November 26, 2007
Add Brett Burney's New E-Discovery Blog to Your List
In addition to my preceding post, be sure to add "ediscoveryinfo" to your list of useful e-discovery blogs. Prolific author and e-discovery consultant Brett Burney launched it several months ago, and he's populated it with excellent posts on e-discovery issues and vendor offerings. For example, he's already posted on vendor convergence via acquisitions, e-mail and storage issues, and various industry trends.
On a personal note, Brett and I discussed his plans for his forthcoming e-discovery blog at ILTA's annual conference back in August, and it's good to see him blogging about key issues and adding his savvy perspective.
November 24, 2007
Ambrogi on Keeping Up With EDD Blogs and Tools
Bob Ambrogi just published his latest list of useful e-discovery blogs and vendor sites on Law.com, which runs his Law Technology News column, "Web Watch". When Bob makes reference to legal blogs or web sites, it's very often worth the time perusing them. Bob has done a great job pulling the list together along with providing succinct descriptions for each site, and it's worth noting that LawTech Guru is included.
Overall, it's a great resource if you're looking for an excellent collection of EDD blogs and other sites to keep you informed of e-discovery issues and developments.
November 20, 2007
Test Your Phishing IQ
Think you can tell the difference between a legitimate and a phishing e-mail? Take the SonicWALL Phishing IQ Test, a collection of ten e-mail screens. Read the helpful hints before taking the test, as they explain the links displayed.
After you identify each e-mail as "Phishing" or "Legitimate", the final scoring page includes links to explanations. In each e-mail explanation, the comments in green relate to legitimate e-mail indicators, while the comments in red highlight why that item may be indicative of a phishing e-mail. Be forewarned that several e-mails took more than a cursory look to identify them properly -- which is exactly why phishing works.
I happened to score 9 out of 10. I took some issue with Question #5 as it's not a particularly valid test in this format for the following reasons: The links matched in the example, but the static screen capture prevented any further investigation of the underlying link -- i.e., the html source code of the e-mail was not accessible. Also, you would be able to confirm the last four numbers of your own credit card matched those in the e-mail. With that said, I very much agree that you cannot rely solely upon what is displayed in the status bar due to scripting tricks. The explanation for Question #5 also failed to mention the lack of a secure "https" link as another potential indicator. It's important to note this example was the most subtle of the ten in my opinion, and therefore more likely to succeed in "phooling" people.
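The two link indicators discussed above, a displayed address that does not match the underlying link target and the absence of an "https" link, can be checked mechanically once the HTML source of an e-mail is available. The following is an added example, not part of the post or the SonicWALL test; the sample e-mail body and its domains are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (not from the post): scan an e-mail's HTML for anchors whose
# visible text names one host while the href points to another, and for
# links that are not https. The sample message below is constructed.


class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors = []      # (href, visible text) pairs in document order
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parsed(url: str):
    # Bare hostnames such as "www.example-bank.com" get a scheme so urlparse works.
    return urlparse(url if "://" in url else "http://" + url)


def check_links(html: str) -> list:
    """Return (reason, visible_text, href) tuples for suspicious anchors."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        looks_like_address = "." in text and " " not in text
        if looks_like_address and _parsed(text).hostname != _parsed(href).hostname:
            findings.append(("display/target mismatch", text, href))
        if _parsed(href).scheme != "https":
            findings.append(("not https", text, href))
    return findings


SAMPLE_EMAIL = """<p>Please confirm your card ending in 1234.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://secure-update.example.net/login">www.example-bank.com</a>
<a href="http://www.example-bank.com/help">Help</a>"""
```

Running `check_links(SAMPLE_EMAIL)` flags the second anchor twice (mismatch and not https) and the third once (not https), while the first anchor passes both checks.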
Overall, it's a good test, and ten minutes of your time could help you avoid disclosing sensitive information online. On a personal note, it's good to see that Outlook 2007 has more features to help users in this regard. It's not perfect, of course, but it's definitely a step in the right direction. Every bit helps.
Browser Beware: Web 2.oh.oh?
As the web has become more feature rich, new security exploits are popping up all over. CTO and Chief Researcher Roger Thompson over at Exploit Prevention Labs has posted half a dozen short videos showing how sites have been compromised or are otherwise serving up some bad content due to embedded advertisements.
November 01, 2007
ACC Survey Reveals Key Trends with In-House Counsel
Law.com has a great AP write-up on the 2007 ACC/Serengeti Managing Outside Counsel Survey, a collaboration between the Association of Corporate Counsel (ACC) and Serengeti Law, released at ACC's Annual Meeting on Monday in Chicago.
From my perspective, here are some of the key take-aways:
1. In-house counsel are utilizing more systems, such as e-billing and matter management, to perform more business intelligence (BI) and metrics-based evaluations of their outside counsel's performance.
This should come as no surprise to anyone working with corporate legal technology. Better tools exist today, and law departments are able to either consolidate some of their data silos or at least push/pull data more meaningfully from various sources. More comprehensive reporting tools and dashboards enable more insightful analyses and comparisons of outside counsel performance on a number of key indexes. In addition, matter-centric systems allow better data normalization, data integrity, and integration of workflows.
In addition, in-house counsel are much more likely to use these systems to maximize discounts for early payments, also known as fast-pays. When outside counsel budgets are in the millions, or hundreds of millions, even a small discount adds up to significant dollars. In return, outside counsel benefit by having on-time and reliable positive cash flows with little or no collection effort.
2. Law firm extranets are declining as in-house counsel prefer to utilize client-centric systems.
It's difficult to do proper BI and pull your data together if it's spread among both in-house and a number of outside firms' systems. A common complaint among in-house counsel is having to log into multiple outside counsel and in-house systems to gain access to all their information. Depending upon the number of outside firms, it can be inefficient for in-house counsel to learn how to navigate different outside systems and manage multiple logins. In my opinion, internal (or alternatively, some ASP-hosted) web-based systems are on the rise for ease of access and collaboration while reducing desktop support.
3. As a result, corporate counsel are setting more rules for their relationship with outside counsel.
This goes beyond setting billing rates, as corporate counsel are including requirements for early assessments and regular updates, as well as technology expectations and data formats. In-house counsel are likely to continue increasing the number of rules in their outside counsel guidelines.
4. Corporations have heightened legal compliance concerns.
The complexity of regulatory requirements is increasing, along with high-profile investigations and trials involving executives and in-house counsel. While other costs are being managed more tightly, this is an area where in-house counsel are likely more willing to engage outside counsel and potentially increase budgets for this work. This presents outside counsel with additional client service and revenue opportunities, along with opportunities to further cement their relationship with upper-ranking corporate counsel.
5. Convergence of outside firms continues, but is not exceeding expectations.
About a quarter of corporate law departments surveyed use convergence (working with a smaller number of firms) to achieve better rates, efficiencies, and consistency of work. However, most companies reported that it only met (i.e., did not exceed) their expectations. Even though there was a drop from the previous year, the AP article also reported the median number of outside firms remained fairly steady when looking at past years' data overall. This suggests to me the following:
From my experience, none of these should have presented any real surprise. However, it's good feedback to validate where in-house counsel are headed both technologically and in managing their outside counsel. Overall, in-house counsel are becoming more information-driven, are updating their technological tools, and are taking greater interest and participation in their outside counsel relationships. For the corporations they counsel, that's good news.