AALL Spectrum | July/August 2016 | Volume 20, Number 6


TECHNOLOGY

INFORMATION SECURITY

SAFEGUARDING SYSTEMS FROM HACKERS

Tips for securing your virtual environment.

BY QUINN KUZMICH

One of the most common questions asked of information security professionals is, "How would you hack into 'X' system?" followed rapidly by "How would you protect that system?" The typical answers vary in their details, but there is always a common thread: successful attacks rarely target the system itself directly. In fact, the easiest way to hack any system is to avoid focusing on the computer systems in the first place, because the weakest part of any organization's security infrastructure is the human element.

What does the "human element" encompass within the information security realm? Before proceeding, it is important to remember an old adage: garbage in, garbage out, or GIGO for short. Computers are unable to think for themselves (yet!), and people are the origination point for the actions that computers execute. In other words, attackers compromise computers by predicting the usage patterns of the people who use them.

What does this mean for law firms, law schools, and law librarians in general? It means that staying one step ahead of the bad guys trying to hack into the computer systems requires an understanding of the fundamental rules governing the technologies

available. It's not necessary to be a certified information technology (IT) professional, but understanding the importance of firewalls, intrusion prevention systems, or even antivirus (AV) software is essential. To wit, from Star Trek III: The Search for Spock, "The more they overthink the plumbing, the easier it is to stop up the drain," said by Mr. Scott in response to Captain Kirk's congratulations after a successful mission. In the movie, Mr. Scott is tasked with sabotaging the main computer onboard the one starship in port that can outclass the Enterprise, enabling a dramatic getaway sequence. The lesson carries over directly: the more complexity a system carries, the more places there are for an attacker to interfere with it unnoticed.

No matter the size of the organization, there are common tactics and tools that should be used to improve the overall security posture and protect critical systems and the information housed within them. Below is a list of best practices that can be implemented to create a relatively secure environment.

1. Incoming Data

What data is coming into the network, and where is it going? A staggering amount of data traverses the internet on an hourly basis, never mind daily or monthly. Smaller organizations typically have simple, or "flat," network topologies. A flat network is far easier to manage and work with, but at the same time it is far easier for attackers to maneuver within. A properly segmented network with multiple Virtual Local Area Networks (VLANs), each a broadcast domain that is partitioned and isolated at the data link layer, with firewall rules or access control lists deciding what may pass between them, means that an attacker with a hijacked account on a user workstation cannot simply reach a server the way that user reaches the internet during a break; the path to the server has to be explicitly allowed at the boundary between segments. (A VLAN by itself only separates traffic. Without a filtering rule at the boundary, anything in one VLAN can still be routed into the next.) A well-set-up network with properly implemented protections will not disrupt the legitimate activities of end users. However, it will make life more difficult for any would-be bad guys. The downside is that it's a bit more hands-on, but considering the cost of making repairs after an attack, it's a sound business practice to put into place.

What about guest wireless networks? When connected, can guests access information across the network that would be considered critical? If the answer is "yes," a redesign of the network is in order. Wireless networks are becoming easier and easier to compromise and access without being obvious about it (forget the stranger in the corner of the lobby in a trench coat and fedora; the attacker can sit well outside the building). If a guest wireless network is needed, be sure to segment that network off so that it reaches the internet and nothing else, and malicious hackers can't access legitimate business resources while sitting in the coffee shop across the street.
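A first-match check of the VLAN boundary policy just described, added here as an example and not part of the original article. The segment names, the rules and the expected outcomes are assumed for illustration; they stand in for the ACLs a real firewall or switch would enforce between the VLANs. Running the same requirements against a flat, allow-everything network shows exactly which controls a flat topology lacks.

```python
"""Added example, not from the original article: first-match check of the
inter-VLAN filtering policy described in best practice 1. Segment names,
rules and expected outcomes are assumed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source segment, or "*" for any
    dst: str             # destination segment, or "*" for any
    port: Optional[int]  # TCP/UDP destination port, or None for any
    action: str          # "allow" or "deny"


# Constructed policy for the VLAN boundary; first match wins, and anything
# that matches no rule is denied. Guests get the internet and nothing else.
POLICY = [
    Rule("guest", "internet", None, "allow"),
    Rule("guest", "*", None, "deny"),
    Rule("staff", "servers", 445, "allow"),   # file shares
    Rule("staff", "servers", 443, "allow"),   # intranet / DMS web front end
    Rule("staff", "internet", None, "allow"),
    Rule("it", "*", None, "allow"),           # admin VLAN reaches everything
]

# A flat network has no boundary at all: everything can talk to everything.
FLAT = [Rule("*", "*", None, "allow")]


def evaluate(policy, src, dst, port):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    for rule in policy:
        if (rule.src in (src, "*") and rule.dst in (dst, "*")
                and rule.port in (port, None)):
            return rule.action
    return "deny"  # default deny between segments


# What the segmentation must guarantee: (src, dst, port, expected action).
REQUIREMENTS = [
    ("guest", "servers", 445, "deny"),
    ("guest", "servers", 3389, "deny"),
    ("guest", "staff", 445, "deny"),
    ("guest", "internet", 443, "allow"),
    ("staff", "servers", 445, "allow"),
    ("staff", "servers", 3389, "deny"),     # no RDP from the user VLAN
    ("public_pc", "servers", 445, "deny"),  # patron terminals never reach servers
]


def violations(policy, requirements=REQUIREMENTS):
    """List every requirement the policy fails as (src, dst, port, expected, actual)."""
    out = []
    for src, dst, port, expected in requirements:
        actual = evaluate(policy, src, dst, port)
        if actual != expected:
            out.append((src, dst, port, expected, actual))
    return out


if __name__ == "__main__":
    for name, policy in (("segmented", POLICY), ("flat", FLAT)):
        print("%s network: %d violations" % (name, len(violations(policy))))
        for v in violations(policy):
            print("  src=%s dst=%s port=%s expected=%s got=%s" % v)
```

The useful habit here is the requirements table: write down what the segmentation is supposed to guarantee and re-check it whenever a rule is added, because a single permissive rule near the top of a first-match list silently wins over everything below it.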

2. Implementing End Point Protection

Is there a working AV product installed, with regularly scheduled updates pushed to every machine without exception? Is someone tasked with ensuring these updates are actually being completed? IT professionals are often asked to conduct a penetration test on an environment (an actual engagement where the client asks the IT team to break in like the bad guys would), only to discover that none of the systems are running a current AV product. This is a massive problem that exists all too often, even in large organizations. Oftentimes, the mere presence of an AV product is sufficient to check off a box for compliance purposes or to satisfy a nebulous directive that came down from senior management. However, unless that AV product is being actively updated and managed by someone, it provides little more than a false sense of security. Once a hacker breaks into a system, their first order of business is usually to escalate privileges and assume administrator access. Without a human eye keeping track of the AV software in the enterprise, it is easy to miss the errors that creep up on individual installations: an agent that stopped, a signature feed that failed, a machine that has not checked in for weeks. A solid AV product that is functioning and updating can catch unseen attackers before they escalate an attack. It will also alert administrators to suspicious activity, provided someone is watching the alerts, so that a response can occur within minutes instead of several days later.

But is having an AV product really that big a deal? Yes, considering the legal liability that may be incurred for not securing assets properly. If an attacker compromises a machine in the environment, even if they find nothing of value to them on the system, they can use that system as a jumping-off point from which to attack other companies. Once they make those attacks, the trail will lead back to the original system, and that organization will have to explain why system security was not a priority. Potentially, this could result in expensive legal fees if damages were incurred as a result of the attack. It pays to make a best effort to secure IT systems to mitigate being on the hook for indirect damages.
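The question "is someone tasked with ensuring these updates are being completed?" is answerable with a short script run against the AV console's export. The following is an added example, not code from the original article: the endpoint records, the date format and the staleness thresholds are constructed assumptions standing in for whatever the real console produces. It flags the four failure modes mentioned above (no agent, agent stopped, stale signatures, silent machine) rather than just asking whether a product is installed.

```python
"""Added example, not from the original article: flag endpoints whose AV
agent is missing, stopped, running stale signatures or silent. Records and
thresholds are constructed assumptions standing in for the AV console's
export."""
from datetime import datetime, timedelta

# Constructed console export, one record per endpoint (dates are YYYY-MM-DD).
INVENTORY = [
    {"host": "lib-desk-01", "agent": "running", "sig_date": "2016-06-28", "last_seen": "2016-06-29"},
    {"host": "lib-desk-02", "agent": "running", "sig_date": "2016-05-02", "last_seen": "2016-06-29"},
    {"host": "ref-kiosk-3", "agent": "stopped", "sig_date": "2016-06-27", "last_seen": "2016-06-29"},
    {"host": "partner-lap", "agent": "running", "sig_date": "2016-06-01", "last_seen": "2016-06-03"},
    {"host": "print-srv",   "agent": None,      "sig_date": None,         "last_seen": None},
]

MAX_SIG_AGE = timedelta(days=3)   # signature feeds normally update daily
MAX_SILENCE = timedelta(days=7)   # a week without a check-in needs a human look


def _day(value):
    """Parse a YYYY-MM-DD string; None when the console has no value."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def check_endpoint(rec, today):
    """Return the problems found for one endpoint record (empty = healthy)."""
    now = _day(today)
    if rec["agent"] is None:
        return ["no AV agent installed"]   # nothing else about it can be trusted
    problems = []
    if rec["agent"] != "running":
        problems.append("agent not running (%s)" % rec["agent"])
    sig = _day(rec["sig_date"])
    if sig is None or now - sig > MAX_SIG_AGE:
        problems.append("signatures stale (%s)" % rec["sig_date"])
    seen = _day(rec["last_seen"])
    if seen is None or now - seen > MAX_SILENCE:
        problems.append("no check-in since %s" % rec["last_seen"])
    return problems


def unhealthy(inventory, today):
    """Map host -> problems for every endpoint that needs attention."""
    report = {}
    for rec in inventory:
        problems = check_endpoint(rec, today)
        if problems:
            report[rec["host"]] = problems
    return report


if __name__ == "__main__":
    for host, problems in sorted(unhealthy(INVENTORY, "2016-06-30").items()):
        print("%-12s %s" % (host, "; ".join(problems)))
```

A machine that is silent for a week is at least as interesting as one with old signatures: it may be switched off, or it may have had its agent removed by whoever got onto it first. Either way, a person has to go and look.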

3. Implementing a Whitelist/Blacklist

Always implement a whitelist/blacklist for internet access, whether for advertisements or for general web surfing. This might seem complicated, but it

is actually far more important than it might seem. For instance, a company that was having issues with viruses and system crashes found itself dedicating more than a little effort and expense to cleaning up and restoring its systems. An IT consultant, an expense that should not have been necessary, was asked to quickly remedy the situation. The consultant found a pattern among virtually all the incidents: drive-by malware installations. When users were on break, they would look up recipes online for dinner that night, or song lyrics for whatever was playing on the radio. After reviewing internet usage history, these websites did not trigger alarm bells. However, it was discovered that all the websites, without fail, carried in-line advertisements on their pages. At first glance nothing seemed out of place. Sometimes, however, hackers and others with less than honorable intentions will insert ads containing malicious code (malvertising) that installs viruses and other malware onto the computers of unsuspecting users, resulting in breaches and crashes. This could have been easily avoided with a simple blacklist on the network for advertising networks.

In this particular case, the company implemented whitelists and blacklists, significantly reducing the number of virus outbreaks. These particular tools are not a panacea, but they go a long way toward eliminating another vector through which the bad guys can get access to systems and data.

4. System Updates

All computers should have regular updates applied to their operating systems and installed programs. The little notifications in the corner of computer screens that go off once every week or so to say an update is available for Windows, Java, or Flash? They alert users to updates for a reason and should not be ignored. The fewer patches that get applied to a system, the more vulnerable it becomes. Updates are pushed out to fix and prevent software problems, and the reality is that when software isn't updated, it is usually easily exploited. This is especially true for any software that interacts directly with services outside the network, such as browsers, browser plugins, and third-party applications. These are the first things attacked by hackers; always push updates centrally if possible, rather than relying on each user to click "install."

5. Filter and Scan Everything

It's vital to implement a mail filter that scans all incoming data and files. This is a big one, as email permeates our personal and professional lives. We use it to communicate, to keep in touch with family, and for a thousand other reasons. It's also the easiest and fastest way to break into an organization. Recently a major hospital in Los Angeles was compromised and its entire patient records database was encrypted by malicious software that entered the environment through email. A user opened an attachment they should not have, and as a result, hackers were able to hold mission-critical data hostage until the hospital administrators literally paid a ransom to have the records decrypted. It is important to understand that in scenarios like this, even if a ransom is paid, there is no guarantee the files will be decrypted. Situations like this can be avoided by scanning everything that enters an organization's email servers: attachments, links, and the message body itself.

Another important setting to change in email clients across the entire organization is the default that renders messages in full, including images and other content fetched from remote servers the moment the message is opened. This neat little feature can result in a computer being compromised instantly and without warning, because the client fetches and renders attacker-supplied content before the user has decided anything. Recall in best practice 3 how web ads can be used to compromise your computer. Hackers often use fancy-looking HTML emails that do the same thing, and a remotely loaded image also confirms to the sender that the address is live and the message was read. Configuring clients such as Thunderbird and Outlook to display mail as plain text, or at least to block remote content until the user explicitly allows it, is a very good idea. In the end, it only takes one errant click to ruin an entire organization's day.

6. Educate Users

The human element is the single biggest vector used by malicious hackers to break into an organization. Educate users not to open links in emails from people they don't know and to avoid opening unexpected attachments. A proper understanding of what can happen with just one errant click helps users realize their critical role in keeping their systems and environment safe. Bad actors and hackers are constantly trying to play off the good nature of people on the internet, trying to trick them into doing things they would not ordinarily do. Educating users will go a long way toward preventing breaches from happening.
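Best practices 3 and 5 above (blacklist advertising networks; scan everything that enters the mail servers and stop rendering remote content) describe what an inbound filter should catch before the errant click can happen. The following is an added example, not code from the original article, of those checks applied to one message: attachments are inspected by extension, an executable hiding behind a document extension is called out, archives are flagged for unpacking, and every remote resource an HTML body would load is matched against a domain blocklist, with an allowlist taking precedence. The blocklist, allowlist, blocked-extension set and the sample message are all constructed for illustration.

```python
"""Added example, not from the original article: the checks an inbound
mail filter makes for best practices 3 and 5. Lists, extension set and the
sample message are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed domain lists. An entry matches the domain and every subdomain;
# the allowlist wins over the blocklist so one legitimate CDN host can be
# carved out of an otherwise blocked parent domain.
BLOCKLIST = {"trk.example", "doubleclick.test", "cdn.example"}
ALLOWLIST = {"static.cdn.example"}

# Attachment types a mail gateway should never hand to a user as-is.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd",
               "ps1", "jar", "hta", "lnk", "docm", "xlsm"}
ARCHIVE_EXT = {"zip", "7z", "rar"}

# Host part of every src= / href= pointing at an http(s) URL.
_REMOTE = re.compile(r"""(?:src|href)\s*=\s*["']?https?://([A-Za-z0-9.-]+)""", re.I)


def domain_listed(host, listed):
    """True if host or any of its parent domains is in the set."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def blocked_domain(host):
    return domain_listed(host, BLOCKLIST) and not domain_listed(host, ALLOWLIST)


def scan_message(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            exts = fname.lower().split(".")[1:]
            if exts and exts[-1] in BLOCKED_EXT:
                if len(exts) > 1:
                    findings.append("executable disguised as .%s: %s" % (exts[-2], fname))
                else:
                    findings.append("blocked attachment type: %s" % fname)
            elif exts and exts[-1] in ARCHIVE_EXT:
                findings.append("archive must be unpacked and scanned: %s" % fname)
            continue
        if part.get_content_type() == "text/html":
            # Every remote resource the client would fetch when rendering HTML.
            for host in _REMOTE.findall(part.get_content()):
                if blocked_domain(host):
                    findings.append("remote content from blocked domain: %s" % host)
    return findings


def build_sample(hostile=True):
    """Construct a sample message; hostile=True adds a tracking pixel, an ad
    network link and an executable masquerading as a PDF."""
    m = EmailMessage()
    m["From"] = "billing@trk.example"
    m["To"] = "librarian@firm.example"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please see the attached invoice.")
    html = ['<html><body><p>Invoice attached.</p>',
            '<img src="https://img.static.cdn.example/logo.png">']
    if hostile:
        html.append('<img src="http://pixel.trk.example/open?id=42" width="1" height="1">')
        html.append('<a href="http://ads.doubleclick.test/click">Pay now</a>')
    html.append('</body></html>')
    m.add_alternative("\n".join(html), subtype="html")
    if hostile:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="invoice.pdf.exe")
    else:
        m.add_attachment(b"%PDF-1.4", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for label in ("hostile", "clean"):
        print(label, scan_message(build_sample(label == "hostile")))
```

Two design points carry over to real gateways: matching domains by suffix (so a new subdomain of a known ad network is still caught) and treating the attachment's last extension as the one that matters, because "invoice.pdf.exe" is displayed to many users as "invoice.pdf".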

Another important step is to make sure users are aware of what personal information about them is available online. It's sometimes an interesting game to ask people to Google themselves. For some people there won't be much, but for others this can be an eye-opening experience. Recently, for example, an IT professional was asked to attempt to compromise a small wealth management firm to determine what vectors malicious hackers might use to get in and steal valuable assets from the firm's clients. After doing a fair bit of information gathering and reconnaissance, the consultant determined that a straightforward attack against the firewalls and web applications wouldn't get very far. Next, he looked at the company's website and realized it contained short biographies of each of the company's eight employees. While useful for marketing purposes, bios also provide information that can be used to target specific individuals. Details such as hobbies and job titles can be used to craft "spear phishing" attacks, emails designed to get a particular user to click a link or open an attachment that they would not ordinarily open. In the end, the consultant compromised three systems in short order using information from the bios. As a result, users were educated on how to spot and avoid these types of attacks.

Sometimes, though, users fail to see the implications. In the case above, once it was explained that a hacker could access client assets just as easily as employees could, or move money into an offshore account, they quickly made the necessary operational changes. Although these attacks may seem minor, remember that a compromised system can potentially do a great deal of damage to an organization, regardless of its size.

7. Apply the Principle of Least Privilege

One of the most important principles behind designing and implementing a proper security program is to always give users the least amount of access necessary for them to do their job. This means providing user-level access, not local or domain administrator privileges. Every program a user runs on a local machine, such as a web browser, runs with the same level of privilege as the user who launched it. The problem arises when a remote hacker manages to take control of one of those programs: the hacker can then execute commands with that user's rights. If the user is a local administrator, so is the hacker; if the account is a domain administrator, the hacker now has the whole domain. The last thing anyone needs is a hacker with the ability to run commands all over the network simply because a user demanded (and got) administrative access. High-level account access is something that should be carefully controlled to prevent these problems from occurring; always keep data away from people who should not have access to it.

If a law library has public access computers for looking up information, make sure that's the only thing those users can do. Do not allow them to execute system commands or access other resources across the network. If you're working in a large law firm, ensure that users can run the software they need but do not have the ability to install software; that's what the help desk is for. Once you start letting users have "special privileges," it's only a matter of time before one of those special cases does something unfortunate. The resulting breach will be costly, whether in man-hours spent cleaning up the system or in real dollars defending the organization from angry clients in court.
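An added example, not code from the original article, of the control best practice 7 calls for: comparing who actually holds local administrator rights on each machine against the short list that should. The export format, host roles and account names are assumed for illustration; on Windows the raw data is what `net localgroup Administrators` prints on each host, or the equivalent report from a management tool. Besides listing unapproved administrators, it calls out any account that is an administrator on more than one machine, since that account is a ready-made path from the first compromised workstation to the next.

```python
"""Added example, not from the original article: audit local Administrators
membership against the accounts that are supposed to hold it (best
practice 7). Export format, host roles and account names are assumed for
illustration; on Windows the raw data is what 'net localgroup Administrators'
prints on each host."""

# Constructed export, one line per member: host, host role, member.
EXPORT = """\
lib-desk-01\tstaff\tFIRM\\Domain Admins
lib-desk-01\tstaff\tFIRM\\helpdesk
lib-desk-01\tstaff\tFIRM\\jsmith
ref-kiosk-3\tkiosk\tFIRM\\Domain Admins
ref-kiosk-3\tkiosk\tFIRM\\helpdesk
ref-kiosk-3\tkiosk\tFIRM\\patron
partner-lap\tstaff\tFIRM\\Domain Admins
partner-lap\tstaff\tFIRM\\helpdesk
partner-lap\tstaff\tFIRM\\rjones
dms-srv\tserver\tFIRM\\Domain Admins
dms-srv\tserver\tFIRM\\jsmith
"""

# The only principals that should be local administrators anywhere.
APPROVED = {"FIRM\\Domain Admins", "FIRM\\helpdesk"}


def parse_export(text):
    """Return (host, role, member) tuples from the tab-separated export."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            host, role, member = line.split("\t")
            rows.append((host, role, member))
    return rows


def audit(rows, approved=APPROVED):
    """Return findings: every unapproved admin, and any account that is an
    admin on more than one machine (a ready-made lateral-movement path)."""
    findings = []
    hosts_by_member = {}
    for host, role, member in rows:
        if member in approved:
            continue
        findings.append("%s (%s): unapproved administrator %s" % (host, role, member))
        hosts_by_member.setdefault(member, set()).add(host)
    for member, hosts in sorted(hosts_by_member.items()):
        if len(hosts) > 1:
            findings.append("%s is an administrator on %d hosts: %s"
                            % (member, len(hosts), ", ".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(EXPORT)):
        print(finding)
```

The patron account on the public kiosk is the case the paragraph above warns about: a "special privilege" granted once, for convenience, that now lets anyone at that terminal run anything.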

A great deal more can be said about these topics, but the most important thing to remember is that today, properly designing and implementing a solid information security program isn't terribly different from restoring that classic car that's been sitting in the garage for years: it's fast, reliable, and cheap.

QUINN KUZMICH
Security Consultant and Researcher
Huntsville, AL
[email protected]

© 2016 by Quinn Kuzmich


Quinn Kuzmich, whose catchphrase is "I break things," is a security professional, technology enthusiast, and researcher. He is a 20-year veteran of IT and security with experience in complex enterprise environments as well as small and medium businesses. He has built a long and successful career on his attention to detail and his consistent effort to bring excellence to whatever problems have presented themselves. Kuzmich specializes in applying his expertise with a perspective for the unconventional. He received his MS in information security and assurance from Western Governors University. His certifications include Offensive Security Certified Professional, Offensive Security Certified Expert, and Offensive Security Wireless Professional, as well as Cisco Certified Network Professional, Cisco Certified Design Professional, and Microsoft Certified Solutions Expert. In addition to his experience in the security field, he has worked as a network engineer within the Department of Defense arena and as an IT generalist for several years.