...
Finally, there is the tried and true approach of break-and-enter. A Wise Owl Legal Appliance is small, easily transportable, and could easily be stolen by a malicious attacker if they thought it brought enough benefit.
Wise Owl Legal has taken steps in all the above areas to prevent data being stolen.
...
Offline appliances simply reject any login attempts from outside your network (technically, they reject any network connection at all). However, this is not particularly convenient when you are at a client's premises or in a courtroom. Online access allows full access to Wise Owl Legal from anywhere on the Internet. To reduce the possibility of a malicious hacker gaining access, the following procedures are implemented:
Only trusted computers and web browsers are allowed to log in. When you first log in from an untrusted computer or browser, you will be required to enter a code.
Codes are generated either on your mobile phone or sent via email. If a hacker attempts to access your account, even if they know your password, they also need access to your email or phone. This is called two-factor authentication, because you need two things to log in (your password and access to your email / phone).
SSL Certificates and HTTPS
...
Depending on how your Appliance is configured, you may have an SSL certificate issued by a 3rd party such as VeriSign, or one issued by Wise Owl Legal. There is no difference in security between the two; however, 3rd party certificates have an annual cost, while Wise Owl certificates require an additional step to configure web browsers (TODO: doco for trusting the Wise Owl root cert, similar to Installing Wise Owl SSL Certificate /wiki/spaces/IN/pages/228264241).
Whole Appliance Encryption
...
Appliances in our data centres are also encrypted using the same technology, but to ease administration, may use a network based key rather than the physical USB key.
Passwords
Secret passwords are the main defence any website or appliance has to ensure that only authorised users get access to it. Unfortunately, a bad password is only slightly better than no password (and provides a false sense of security).
...
Poorly chosen passwords are the number one cause of accounts being compromised (with re-using passwords between multiple accounts a close second). Rather than imposing complicated rules about upper case, lower case, numbers, length and so forth, we maintain a large list of blacklisted passwords (there are several million bad passwords on the list). This list is derived from a variety of sources including dictionaries and lists of names, but most importantly, we include long lists of leaked passwords from sites such as LinkedIn and RockYou. Finally, we use the same tools password hackers do to verify that passwords are not easily guessable. How to make a strong password.
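As an added illustration (not Wise Owl Legal's own code), the following Python sketch shows why a blacklist check has to catch more than exact entries: it first reduces a candidate to the dictionary word a cracking rule set would recover (lower-case, trailing digits and punctuation dropped, leetspeak undone) and then tests that stem against the list. The blacklist entries, the stem rules and the minimum length are constructed assumptions for the example.

```python
# Constructed sample blacklist; the real list has millions of entries drawn
# from dictionaries, name lists and leaked dumps such as LinkedIn and RockYou.
BLACKLIST = frozenset({
    "123456", "password", "letmein", "qwerty", "welcome", "linkedin",
    "rockyou", "michael", "jennifer", "sunshine", "football",
})

# Digits and punctuation that users typically bolt onto a dictionary word.
DECORATION = "0123456789!@#$%^&*()_+-=.,?~"

# Undo the substitutions that password-cracking rule sets try automatically
# (assumed mapping; real tools carry far larger rule files).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(candidate: str) -> str:
    """Reduce a candidate to the word a cracker would recover from it:
    lower-case it, drop trailing decoration, undo leetspeak, drop any
    leading decoration that is left."""
    base = candidate.lower().rstrip(DECORATION)
    base = base.translate(LEET)
    return base.lstrip(DECORATION)


def check_password(candidate: str, blacklist=BLACKLIST, min_length: int = 10):
    """Return (accepted, reason). Rejects exact blacklist hits, trivial
    variants of them, and passwords built around a blacklisted word."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in blacklist:
        return False, "blacklisted"
    root = stem(candidate)
    if not root:
        return False, "no letters"
    if root in blacklist:
        return False, f"trivial variant of blacklisted {root!r}"
    for word in blacklist:
        if len(word) >= 6 and word in root:
            return False, f"built around blacklisted {word!r}"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Password123!", "S3cr3tF00tball", "1234567890",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```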
Two Factor Logins
All Online Appliances require two-factor logins to gain entry to them. That is, as well as your normal password, you need to enter a code generated by a smart phone app or emailed to you. So even if an attacker can guess a password, they cannot log in.
...
Finally, in the event that an attempted or actual security breach does occur, Wise Owl Legal appliances keep multiple logs of resource access. In particular, we are very careful to log information about login attempts (successful or otherwise), including the web browser used and the IP address.
Logs include:
Low level web server logs (only accessible by Wise Owl Legal Helpdesk staff)
Appliance level system logs (accessible from the Tools page)
Audit logs (accessible from the Tools page)
Profiling and metrics (access level TODO)