« January 2012 | Main | March 2012 »

February 2012

February 29, 2012

Our New Book - Locked Down: Information Security for Lawyers

I am happy to announce the upcoming publication by the American Bar Association of our new book, Locked Down: Information Security for Lawyers. Written with our friend and colleague, noted litigator and infosec expert Dave Ries, we hope this is a practical guide for lawyers in firms of all sizes.

We talk about how to:

  • Create secure passwords--and store them safely
  • Assess the existing security risks at your firm
  • Protect your mobile devices from theft
  • Encrypt your data
  • Secure your wired or wireless network
  • Effectively wipe data from a hard drive before disposal
  • Develop an information security exit checklist for departing lawyers and staff
  • Investigate, contain, and recover from a security breach

As you can imagine, there is much, much more - including some stories about real life data breaches that may convince you that your law firm may indeed be at risk. Lawyers are slowly losing the "it can't happen here" mentality that was always an illusion. Even a small firm take can take reasonable steps to protect its client data.

Though the book will be officially released late next month in conjunction with ABA TECHSHOW, the ABA is currently offering a 15% discount for pre-publication orders. Happy reading!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

 

 

 

Posted on February 29, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 28, 2012

Hacking is Now Responsible for Most Data Breaches

Ah, for the innocent days of yore when lost and stolen laptops were to blame for the largest percentage of breach types. No longer - hacking has taken over in a big way according to SC Magazine.

Hacking was responsible for 83 percent of the total reported exposed records in 2011 and a third of the total breaches, according to the year-end "Data Breach Intelligence" report from Risk Based Security, affiliated with the Open Security Foundation, which records security incidents.

368 million records were breached last year, the highest total ever, and the all-time tally stands at 1.3 billion. The previous high was 191 million records in 2009.

Of course, we had some massive breaches in 2011, including the Sony Playstation breach which compromised 77 million records by itself.

But as John wryly noted, just because hacking has dethroned lost and stolen laptops as the cause of data breaches, that is NO EXCUSE for not encrypting your laptops!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 28, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 27, 2012

What is "Reasonable" for a Law Firm With Respect to Protecting Client Data?

Inadvertent disclosures (and data breaches) are inevitable for law firms - we just have too much data to manage all of it well. Thank heavens the ABA's Commission on Ethics 20/20 revised draft proposals are really very practical.

The proposal revision of Model Rule 1.6 says that “a lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.

The factors to be considered in determining the reasonableness of the lawyer’s efforts are:

  • The sensitivity of the information
  • The likelihood of disclosure if additional safeguards are not employed
  • The cost of employing additional safeguards
  • The difficulty of implementing the safeguards
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients

Mere disclosure, by itself, does not trigger discipline. How will we determine what is reasonable? I think it will very likely be based on the size (and therefore presumed relative sophistication and resources) of the law firm. And that should make the smaller firms breathe a little easier, but they still need to fall within the definition of "reasonable," a definition that will emerge only over time.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 27, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 23, 2012

Two Brute Force Attacks in One Week

Last week was interesting - we sustained two brute force attacks, hammered hundreds of times in a very short time frame. We traced one attack to a Reston, VA colo so we don't know where it was really originating from but the other we traced to China.

This allowed us to join the ever-growing club of those who have suffered China-based attacks. It was also a targeted attack because they knew our names and tried them as IDs and passwords along with default IDs like "administrator."

Our guys quickly blocked all traffic from the attacking IPs, but I thought it was well worth mentioning that these attacks demonstrate two points we constantly underscore in our lectures.

  1. Change all defaults.
  2. Use complex passwords of 12 or more characters.

These relatively simple attacks were not going to work in our case - but the "door rattlings" came so fast that they actually acted like a Denial of Service (DoS) attack and bogged down the network until we blocked the offending IP addresses. Another reason we were able to quickly react is because we monitor network activity.

Just another day in the firehouse. Where IS that Dalmatian?

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 23, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 22, 2012

ABA TECHSHOW Early Bird Deadline Extended

If you haven't yet registered for ABA TECHSHOW, this is an excellent time to do since the early bird deadline has been extended until this Friday, February 24th. Just go to the website and peruse the amazing list of educational sessions. As always, when we are not speaking, our biggest problem is figuring out which session to go to!

The vendor expo is already sold out so you should have a great time walking the floor and exploring new products and services while collecting trinkets and food. There are always some choice raffle items too.

Don't forget to check out the Taste of TECHSHOW dinners. If you'd like to talk about e-discovery in small cases, join John and I, along with our co-author (and my co-presenter) Bruce Olson for a wonderful tapas dinner. I'm hungry already.

Why are you still reading this? Register now!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 22, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 21, 2012

Predictive Coding: A Rose by Any Other Name

John and I are writing an article for the ABA's Law Practice magazine with the title of this blog post - and it struck me that we could get some help from readers.

Predictive coding was the first name we heard, but many folks chose not to use it, no doubt because it was connected to Recommind. At Legal Tech, it had a host of names. We reached out to our friends Craig Ball (he likes "enhanced search") and Ralph Losey (who is enamored of "computer-assisted review"). We have also heard technology-assisted reviewed and machine-assisted review.

So which name do you prefer and why? Drop me an e-mail and let me know.

Also, I keep hearing that there are folks who claim to be able to do predictive coding (or insert your name of choice) but that they really don't. So what are they doing instead?

All illumination welcomed!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 21, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 16, 2012

AAML Says Family Lawyers Finding Powerful Evidence in Smartphones

The American Association of Matrimonial Lawyers recently released the results of a member survey.

Smartphone evidence is clearly on the rise in divorce cases, according to 94% of the respondents. This makes sense to us as we have seen something like a 500% increase in the number of smartphones in our forensics lab.

It was interesting to hear that the most common form of evidence taken from smartphones is text messages (62%) followed by e-mail (23%), phone numbers and call history (13%) and GPS and Internet search histories (1% each).

Our own anecdotal evidence is that lovers are addicted to texting one another so the survey numbers made perfect sense. And much of it is XXX rated - our eyebrows are perennially scorched. We are rarely bored. I love my job.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 16, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 15, 2012

Another Law Firm Breach - This Time By An Ex-Partner???

Well, that's the allegation in a lawsuit by Elliott Greenleaf & Siedzikowski against former partner William Balaban and his new firm, Stevens & Lee.

If you read the press version of the story, it is fairly clear that we don't yet have all the facts. It is alleged that Balaban and others deleted 5% of the backup tapes for Harrisburg, PA client files and took 78,000 files from the firm's computer system, installing Dropbox. It is certainly possible that a premium version of Dropbox was used to sync files to another computer.

However, it is alleged that Dropbox allowed continuing access to Elliott Greenleaf's computer network through remote access. Around here, we all scratched our heads and said "huh?" We even did some testing - without a third party app, Dropbox just doesn't do this. It is not, by itself, "spy software" as alleged in the complaint. So some pieces of the puzzle are missing, but it is still striking to see Dropbox at the heart of what looks like the theft of confidential data on a grand scale.

While we must wait for the facts to emerge, it is wise to be alert to this new methodology of obtaining firm files without authorization. In the past, virtually all such theft has involved e-mailing files or copying them to flash drives.

Just when you think you've covered all the information security bases, a new threat emerges. And this is why everyone involved with information security preaches "eternal vigilance."

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 15, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 14, 2012

Can You Be Jailed for Forgetting Your Decryption Password?

Sure, if the judge doesn't believe that you forgot - that would make you in contempt of court and, theoretically, you could be held until you rememberd it.

This question may come in a Colorado case where Romona Fricosu is being investigated for alleged mortgage fraud. Ruling the her Fifth Amendment right against self-incrimination would not be breached, U.S. District Judge Robert Blackburn ordered her to decrypt the laptop.

The defendant has not yet said that she has forgotten her password, but her attorney has talked about how easy it is to forget passwords, perhaps running that defense up the flagpole. She has until the end of the month to decrypt the laptop - if she doesn't and says that she can't remember the password, the judge is between a rock and hard place and must try to determine (though I can't see how unless there is evidence of which I'm not aware) whether she has genuinely forgotten or is refusing to comply with the court order.

Methinks that, as these cases pile up finding that decrypting computers doesn't violate the Fifth Amendment, it is more and more likely that we'll hear "I can't remember" as an attempted "get out of jail free" card. It will be fascinating to see how judges react.

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 14, 2012 at 10:00 AM | | TrackBack (0)

| | Pin It! | | |

February 13, 2012

Anonymous Hacks Syrian Presdient Assad's Office

So what are the consequences of using a password such as "12345?" The staffers in President Assad's office are no doubt wishing that they had paid more attention to the basic rules of creating a strong password after being hacked by Anonymous.

No one is likely to believe anything uttered by Assad anyway, but it was interesting to read the e-mails of his staffers carefully trying to prepare him for his interview with Barbara Walters. To say that they were trying to "spin" the interview in light of how it would play in American is an understatement. A total of 78 Inboxes of advisers and staff members were hacked according to press reports.

Repeat after me: I will create alphanumeric passwords of at least twelve characters.

And why? Because they take (currently) more than 17 years to crack. Hackers are going to find easier targets - so get that inviting bulls-eye off your network!

E-mail: snelson@senseient.com Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq

Posted on February 13, 2012 at 11:30 AM | | TrackBack (0)

| | Pin It! | | |

Next »
Like Us on Facebook
Sensei Enterprises, Inc.
Digital Forensics
Information Technology
Information Security
Sensei Enterprises, Inc.
Click here Complimentary IT Assessment in the D.C. Metro Area

About

My Photo

Subscribe



  • Powered by FeedBlitz

Twitter Updates

    follow me on Twitter

    Recent Posts

    Archives

    C O P Y R I G H T   N O T I C E
    © 2012 Sensei Enterprises, Inc. All Rights Reserved.

    Disclaimer

    • This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.