Concordance Insecurity Andy Kass

Transcription

1 Concordance Tip Sheet August 2012 Concordance Insecurity Andy Kass Back in March, I commented on a report by Evan Koblentz in the March 7, 2012 edition of Law Technology News that a security weakness in the LexisNexis Concordance litigation support system could allow people to hijack database passwords. (See At the risk of sounding cavalier, I contended that while certainly not a good thing, this revelation was of minimal importance because, among other points, the password feature itself was barely ever used. That was, of course, not the last word on the subject; there were some responses on various forums (some along the lines of [W]ish I had that hack when I locked myself out of the Admin account. ), and further repartee between me and Mr. Koblentz. And here s the thing that keeps it stewing: we re both right. The Prosecution Case Mr. Koblentz stands by his source s contention that any application flaw that might lead to illicit access to private or privileged data is a problem that must be acknowledged and addressed. It is hard to argue with that assessment after years of revelations about sophisticated cracker networks going after government, corporate and, increasingly, law firm networks. Bloomberg Businessweek just last week quoted former FBI cyber division executive assistant director Shawn Henry as saying apropos of the so-called Comment Group, [T]his is the biggest vacuuming up of U.S. proprietary data that we ve ever seen. ( Hacked, by Michael Riley and Dune Lawrence, Bloomberg Businessweek, August 6-12, 2012, pp ) So if there is a Chinese consortium out there hacking Halliburton, the European Union s public mail servers, the Immigration and Refugee Board of Canada, Wiley Rein LLP and Locke Lord LLP (source ibid.), what chances do most Concordance shops have of locking down their clients (and their own) sensitive data?

2 Concordance Tip Sheet August That is a question that keeps IT directors, chief security officers, risk managers, network administrators and all manner of tech people up at night. Here are a few more of the goblins intruding upon their rest: (a) Security makes using computers more awkward or difficult. (b) Security is expensive (though not as expensive as failing to have proper security). (c) Security threats are hard to understand. (d) I have a freeware virus scanner. What more do I need? As you might have guessed from the above, any informed push for security can face a lot of push-back. No security initiative, no matter how well conceived technically, can succeed without the explicit approval and cooperation of top-level management. And that can be a problem. The Defense Speaks So how can I possibly respond to this with my dignity intact? I mean, I have certifications going back to Novell, Microsoft, Citrix and Cable & Wireless data networking from a lifetime ago. Sport is still made of my complex but easy-toremember passwords, and I still stand for giving users only the permissions required to do the job. My household is under several standing orders concerning security, under pain of loss of computer privileges. I don t take issue at all with the message of greater security standards. It is the intended audience that bears examination. Does anyone believe that litigation support managers enjoy broad discretion in the establishment and exercise of case security? To the extent that this is a fact, it is the product of firm management embracing a disciplined security model. (Anyone who sees a double-entendre here is reading the wrong blog.) It is an unfortunate fact that many if not most law firms (and many if not most corporations, for that matter) treat information technology as a cost center. Unless management has a vision of the firm as a technology leader and value-added vendor, processors and servers and firewalls and networks and the people who manage them are considered to be a necessary evil, to be outsourced to the greatest extent possible.

3 Concordance Tip Sheet August This view undercuts the specific knowledge and initiative the institutional memory and drive to improve of a firm s technology professionals. The techies in turn must make their case in language that leadership can understand. The lit support manager is stuck between these two poles. Litigation support is on the operations i.e., the billable side of the ledger. But rather than having greater influence on security, the litigation support manager is under greater pressure to deliver. This person is already working with the litigation team, vendors, and permanent or temporary reviewers, under deadlines and through shifting priorities. I believe that it is unreasonable to expect that, in addition to overseeing identification, collection, keyword collation and specification, processing, reviewing, quality control, and preparation for production and depositions, that the litigation support manager will manage, nay, demand application-level security above the litigation team s specifications or the default settings of an internally-hosted and accessed database. If you look at LAN-based (local) document review applications, none really offered robust security. Summation and Concordance both looked more at leveraging network login credentials to keep users to their own cases; most of the time, even this level of security was overlooked in the name of expediency. Concordance offers an additional level of security Logon Required which adds a separate layer of authentication unique to the database itself; this added security layer, which is part of the database, is what was opened by the Concordance Hack. I m happy to be challenged on this assertion, but it is my impression that this added security was used on maybe as much as 1% of all Concordance case databases. Why? -- Separate User accounts have to be set up for each user (no Default user backstop). -- The administrator has no control over user passwords users can even set <blank> passwords. -- Users often forget passwords, which cannot be reset by the administrator without knowing the original, so more work is required to delete and completely re-create the User account in the case database. -- In a concatenated set, security must be coordinated through all databases by hand.

4 Concordance Tip Sheet August It is not unknown for the Administrator password to fail, rendering administration of user security settings impossible. And, remember, this is a local area network (LAN) based application. It was designed to be used within a premises, which itself should be secured at the perimeter and regulated by local user permissions. The world has indeed moved on; the security model of Concordance (and of Summation iblaze and MS Office) really has not. That is where LexisNexis s announcement this week of the availability of hosted Concordance Evolution is significant. In the age of the Internet, the hosted review software model is now the mainstream. As such, hosted review software is designed to provide broader and deeper access control in a client/server model, where the full arsenal of data integrity, maintenance and security tools are in play at the back end. Clients use browsers with SSL encryption to the host site. This model presupposes the presence of database, network and security administrators around the clock to meet and exceed service level thresholds. After all, hosting is their business. This model also lifts the burden of security enforcement from the shoulders of the litigation support manager. Once the user accounts and access levels are specified and the database design completed, he or she can do the main job: supervise the trolling and production of data. Proposed Order So in releasing a product that meets modern standards, is LexisNexis justified in ignoring a hack on its older LAN technology? At very least, we should expect guidance as to a prospective fix or at least a work-around from LexisNexis. Some suggestions as to the latter: Counsel the use of Active Directory access controls and share permissions to enforce case access rules. If providing remote access to a Concordance Classic database using Citrix, secure Citrix access with SecureID tokens (which have also been cracked) in high-value cases, and cycling complex passwords otherwise. In Citrix, only publish the application, not a desktop. Restrict command-line access to the Citrix session.

5 Concordance Tip Sheet August Block passage of.sec files across the firewall. Block known script types at the firewall. Make a call on whether other remote access methods (RDP, LogMeIn, WebEx Access Anywhere) provide sufficient security for Concordance Classic. This does not require endorsement, merely a disapproval of a method that does not measure up to securing Concordance data. I m sure that people with current InfoSec credentials could tweak or add conditions. The point is, there is something that you can do (with a little help from your IT friends) to make your stuff a little harder to get at and thus a little less appealing than that of a less diligent person. Even if it cannot justify rewriting ancient case security code, LexisNexis needs to get out in front of this in a way that offers users a clear path and a clear choice. There are many firms that wish to continue using Concordance Classic. They don t want to see it disappear, but don t want to see their data disappear, either. This should be seen as an opportunity for LexisNexis to connect with its application user community. The company wants to be seen as a legal technology leader. Leadership starts with standing up and stepping forward. The views expressed in this Concordance Tip Sheet are solely the views of the author, and do not necessarily represent the opinion of U.S. Legal Support, Inc. NEWS YOU CAN USE Just in time for ILTA, Concordance Evolution has been released by LexisNexis as a hosted review platform. This is the summer release promised back at Legal Tech, making the review tools available to end users while the administrator tools are being refined through practical use by LexisNexis. I ll be looking at a demo in about a week, and will have more to report next month about this long awaited reimagining of Concordance... The Concordance Tip Archive (all the way back to October 2005!) is available on our Web Site at Feel free to leave me a note, a comment, a suggestion or a Tip request. While you re there, don t miss our Resources page, which lists the Tip Sheet Archive and our current CLE offerings (

6 Concordance Tip Sheet August and of course, check into all the other great things U.S. Legal Support can do for you. -- Andy Kass akass@uslegalsupport.com U.S. LEGAL SUPPORT, INC. Array Technology Group ESI & Litigation Services PROVIDING EXPERT SOLUTIONS FROM DISCOVERY TO VERDICT e-discovery Document Collection & Review Litigation Management Litigation Software Training Meet & Confer Advice Court Reporting Services Record Retrieval At Trial Electronic Evidence Presentation Trial Consulting Demonstrative Graphics Courtroom & War Room Equipment Worldox Document Management Deposition & Case Management Services Document Review & Contract Staffing Copyright 2012 U.S. Legal Support, Inc., 425 Park Avenue, New York NY (800) All rights reserved. To update your address or unsubscribe from these mailings, please reply to this with CANCEL in the subject line.