[Start of recorded material 00:00:00]
Phil Brown: Hi, it’s Phil Brown and I’m here with David Whelan. And today we are reluctantly going to talk about Panama Papers and Patches.
David Whelan: The Panama Papers as you may have heard involve a huge data leak out of a law firm in Panama about two and a half maybe almost three TBs of data that somehow left their firm and included a lot of confidential information.
Phil Brown: And one of the controversies is: how did it leave the firm?
David Whelan: Right. And there are two things that most law firms have to worry about. One is their perimeter and so that’s things getting into your network. The other is your employees, who you have a duty to supervise and they are as likely to be a problem for you as external hackers are based on data from IBM and others who do research on threat security. So whether it’s internal or external, we don’t know but you’ve got two big pots of people.
Phil Brown: And we are a little skeptical on the external hack angle just because of the size of this breach.
David Whelan: Yes, I mean that’s a lot of information. I was saying to Phil earlier that you would know on your home ISP or your phone what your data usage was. And it just boggles the mind to think that someone would have that much, 2.6 TB of information disappear from your firm or go out over your network without anybody actually noticing it.
Phil Brown: And that’s a lot of movies. If they were viewing movies at the firm, they’d notice a data bump that went up pretty significantly. But it seems odd that they didn’t pick this up right away until, lo and behold, it’s published all over the world. So let’s talk about a couple of different scenarios and let’s talk about things like patches.
David Whelan: Patches are software that comes to you after you buy a piece of hardware or you buy another software program. And the software patch is supposed to patch it, it’s supposed to fix a hole, a gap that has been found in the original software. Some patches are improvements, they’re feature enhancements.
But in many cases, particularly in the case of things like Adobe Flash, they are fixing a security hole that hadn’t been seen when the software first came out or when the hardware was first released and now has to be fixed in order to make the software secure.
Phil Brown: Now I know with our phones and updating apps all the time, some of those are legitimate patches and updating it. And some of them are just getting back user statistics.
David Whelan: Yes, I think it will run the gamut and I’m not sure there is a good way to limit that. If you think about the different types of software patches that you need to be worried about, they sort of fall into different buckets and the most basic really are the kind of software called firmware and that will be on your hardware. It’ll be on your phone. Your phone’s got firmware, your wireless router’s got firmware.
Your computer has firmware in the sense that it’s got a BIOS software on it. So these are sort of the key software that tells the hardware how to run. In many cases, you will have that updated on a periodic basis maybe every couple of years. And it’s questionable in some cases whether you want to apply that update. It’s typically not a security update so much as a feature update. And sometimes it will brick your phone or your tablet or your computer so that the device no longer works. It resembles a brick.
Phil Brown: And some of those patches you’re not going to want to use and they stop updating them after a while with some of the firmware, which is why we’ve talked about in another podcast getting rid of the hardware after a couple of years because they’re just – it still might have security issues and no one’s updating it anymore.
David Whelan: Right. Yes, so the lack of a firmware update doesn’t mean that your system is secure. It just means that the vendor hasn’t typically moved on from your product to another product. So if you’ve got something that’s essentially disposable like a cheap consumer-based wireless antenna or a router from your home, I would throw those away after a year or two, even if they are continuing to work. Just because you can’t be sure that the software on them is still reliable.
Phil Brown: And normally when you get a software update notice, you can click on a tab for more information to tell you what’s included in that update.
David Whelan: Right. Windows 10 is a really good example and maybe a good example of good things and bad things. Windows 10 is the operating system that is replacing all the older Windows. It has a new way of delivering updates, essentially it’s automatic. You can’t opt out of them like you used to.
So on Windows 7, we have here at the Law Society, I can see more information. And if I don’t want to download one of those updates, I don’t have to. But with Windows 10, it’s now coming down. And there are some updates. In fact, I’ve just hidden 10 on Windows 7 that were all just to prepare me for an upgrade to Windows 10. So there really are some that you think, “Well, maybe I don’t really need to have those.”
Phil Brown: And they’re not really true updates.
David Whelan: Not really, no. They’re fixes and they’re patches and they may or may not apply to you. I think in most law firms where you have an IT staff, they will pick and choose which of those to apply because they won’t necessarily apply to everybody. And just like with firmware, they can stop your computer from running.
Phil Brown: And now there’s also – there would be patches available for your web browsers as well.
David Whelan: Exactly. So your firmware’s your hardware level of patching. Then you’ve got your operating system that gets patched and really, you should be patching your operating system. I would really not disallow any updates to my operating system.
But then on top of that, you have all your applications. And that really I think gets to the point where you pick and choose to a certain extent but there are some like web browsers in particular I think if you don’t take all those updates, then you do risk going to a website and downloading something that you didn’t intend to.
Phil Brown: And we’ve talked before about browsing and turning on and off permissions. When it comes out of the box, I think it’s just set at moderate and it’s a virtual box because you don’t have to go out and buy a browser anymore. But if you’re using Google Chrome or something like that, you really should go into the settings and change some of the security settings so you don’t have things just opening automatically and doing things in the background without you knowing what’s going on.
David Whelan: The nicest thing that’s probably happened over the last couple of years and Windows 10 – I mean in a sense, Windows 10 is doing this and the lack of control I think bothers a lot of people but the automated updates is something that we’ve been seeing. And Mac for a long time, we’ve been seeing it, Linux for a long time.
And so this sort of regular periodic update rather than a big hunk of updates will mean that your computer’s patched much more frequently without you being involved. So these automatic updates will trickle out as a company releases them rather than one at a time.
So if there has been a breach or a problem with the Firefox web browser for example, as soon as they have that patch release, they’ll release it and they’ll push it out to all the browsers. The browsers will then update themselves so there isn’t really a better way for you to get that patch than to just let the browsers and the other tools update themselves.
Similarly, with Microsoft Office, if you have Office installed on your computer, Windows 10 certainly and I believe with the older versions of Windows, you can set this up, it will look for updates to Office so that it will keep those programs up to date.
Phil Brown: So let’s talk about the things you can’t patch that also might be responsible for something like a Panama Papers breach and that’s the staff working in your law firm.
David Whelan: Yes, the only patch really for staff is training. And as long as they are trained on how to use their tools, that’s probably the best you can do. But otherwise, it really is a matter of trusting them to use good judgment on which links to click and which applications to install on their computer.
Phil Brown: And I think it’s important at the outset before you take on new staff to consider doing a background check, which would consist of some sort of a financial audit like activity like a credit check and a criminal record check just to see who it is you’re bringing into the firm.
David Whelan: For sure. And if you have a sense that you’ve got a disgruntled employee, then you probably should be aware of the potential access they have. Now if your network and your environment has been set up so that everybody only has access to what they need to have access to, which is the ideal way to have a network set up, then your exposure is relatively limited.
But in reality in a solo practice or a small firm, everybody has access to pretty much everything because in order to get things done, you often have to wear multiple hats. And I think that’s where you need to be aware that you could potentially lose a lot of information onto a USB drive or a portable drive because you can make everything portable now and you can copy everything to places where then it can walk from your firm.
Phil Brown: And there are also security permissions you can set up in your office with your servers and your computers so that people can’t, for instance, plug in a USB key or an external drive.
David Whelan: Right. And that’s not a bad idea. Again, depending on what you do and how you practice, at least knowing what your options are to secure your hardware from things walking from the inside but also to keep you protected from potential invasions from outside.
Phil Brown: So a good idea to have a policy in the office about what people can use the computer for, can they pay their utility bills, can they plug in USB devices, things like that should be written policy. And it should have some form of enforcement and auditing as well.
David Whelan: Yeah. You can be sure that the firm down in Panama wishes that whatever happened in Panama stayed in Panama. And you don’t want to be in the position where your information is then being discussed by journalists and others who would have interest in whatever your clients are up to.
Phil Brown: And just very briefly, we did talk a bit about earlier how – whether or not you could actually see what the information was that was leaving the firm and why you wouldn’t necessarily know what was leaving.
David Whelan: Yes, you obviously would be able to see what your data is because your internet service provider should be able to show you how much data’s going into your firm and how much data is going out. And in many cases, you can look at that on your own devices and see what your data usage is.
The interesting thing is as we’ve moved further and further towards encrypting more information, now when you send a request from your web browser or you upload a file, that file is often encrypted itself and it’s traveling over an encrypted connection. And so it’s very difficult if you’re monitoring that connection to see what that information is because it’s inside an encrypted shell.
So where before we might be able to see what the files were because they were flying by in clear text or plain text, now with encryption it’s actually making it harder for us to get a sense of the information that’s going in and out of our firm and whether it should be going outside.
Phil Brown: And it’s still a good idea to have a look at your data usage and see if you have any data bumps either from a home office or using Wi-Fi somewhere or using it in the firm. I mean someone should be aware of what’s going on.
David Whelan: Yeah, it’s a little like your bank account. If you’ve got an unusual transaction, your bank will call you. You can set up those sorts of alerts for yourself so if you see unusual data usage, someone gets an email.
Phil Brown: Great. Thanks, David.
David Whelan: Thanks, Phil.
[End of recorded material 00:11:28]