*How Do I Know What Computer Security Problems I Might Have?*
*Publication Date:* February 2006
*Volume:* 41-6
*Author:* Richard Schenkar
*Categories:* Practical resources, Computers, Internet, Security
The major frustrations in contemplating what computer security
challenges we face as lawyers are first, the massive quantity of data
available; second, the emotion that drives the threats and the spread of
data about them; and third, the ethical obligation that lawyers have to
keep client data confidential.

We cannot do much about the emotion or the ethical obligation, but we
can cut the data stream we monitor to a manageable mass.

A reasonable way to start is to define terms. To our rescue comes the
Common Vulnerabilities and Exposures (CVE) Name List at
_http://cve.mitre.org_. These definitions come from a number of credible
sources and give us a common vocabulary to use in encapsulating the
issues in words.

Self-analysis and assessment is essential in the management of security
issues. An effective checklist and guide is available in the U.S.
National Institute of Standards and Technology document Security Self-
Assessment Guide for Information Tech-nology Systems, available at
_http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf_. The
checklist includes a questionnaire and an analysis and assessment
section that helps you integrate the data you find into your thought
process. The checklist allows you to know what is going on in your
practice, not just your computer system, because you will be considering
the relationship between your systems and the way you practice law. By
knowing more about your practice and your system, you will be able to
use the system more effectively in your practice.

Maintain a current list of the hardware and software products you are
using.

Use those product names as keywords to limit the firehose-like data
stream to the trickle that is relevant to you.

To find out what is going on right now, the Internet Storm Center from
the SANS Institute, at _http://isc.sans.org/index.php_, monitors
vulnerabilities and attacks from around the world and reports them
continuously. These materials are gathered and edited into a weekly
newsletter called @Risk: Consensus Security Alert that is available at
_http://www.sans.org/newsletters/risk_.

The U.S. National Institute of Standards and Technology (NIST) has a
National Vulnerability Database that is available at
_http://icat.nist.gov/icat.cfm_. For those of us who think we can avoid
these problems by using an open-source operating system such as LINUX or
FreeBSD (the Free Berkeley Software Distribution), there is the Open
Source Vulnerability Database at _http://osvdb.org_ that can bring such
delusions to an end.

Pulling a number of credible sources together is the Center for
Education and Research in Information Assurance and Security (CERIAS).
The database is available at
_https://cirdb.cerias.purdue.edu/coopvdb/public_.

Once you have all your data assembled and considered, you may then move
to the risk management of the security matters in your practice. You
will find guidance for this process in the NIST document Risk
Management for Information Technology Systems, available at
_http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf_.

Here, you will find guidance through a process of risk management
overview, assessment, mitigation, and evaluation.