Law Firm Cybersecurity: Practical Tips for Protecting Your Data


Transcript of Law Firm Cybersecurity: Practical Tips for Protecting Your Data


In February 2013, the FBI gave a keynote presentation on law firm security threats at LegalTech New York. In an article from Law Technology News, the special agent in charge of the FBI’s cyber operations in New York City is quoted as stating:

“We have hundreds of law firms that we see increasingly being targeted by hackers. …We all understand that the cyber threat is our next great challenge. Cyber intrusions are all over the place, they’re dangerous, and they’re much more sophisticated” than they were just a few years ago.

WHY ARE LAW FIRMS AT RISK?

REASONS LAW FIRMS REPRESENT A CYBER TARGET:

• Many firms regularly maintain a tremendous amount of highly confidential information, and information is the currency that cyber criminals trade in.

• You may not be the primary target. In many attacks the objective is to take control of your environment and use it as a beachhead for a secondary attack.

• Cyber criminals may be targeting YOUR CLIENT or ANOTHER FIRM and realize that you represent the means to get past their existing defenses.

• As an industry, we make for a very easy target.

The measures in place at many firms are far behind those in other industries.

But it’s not just about spending money. The 2014 JPMorgan Chase data breach exposed data on 76 million households and 7 million small businesses, and JPMorgan Chase spends over $250 million A YEAR on cyber defense.

It’s about the focus security gets all the way down to the end users. End users are the single weakest point in any network.

LEGAL INDUSTRY CYBER THREATS, RISKS AND ATTACKS

• For two straight years, more than two thirds of cyber-espionage incidents have featured phishing as the primary means of attack.

• According to the Verizon 2015 DBIR, in 2014 users opened approximately 23% of inbound phishing messages and 11% clicked on attachments.

• Historically, phishing has been used to target individuals rather than businesses. This, however, is changing dramatically.

• Enter “The Dyre Wolf”: a campaign documented by IBM in 2015 that uses the now-popular Dyre (or Dyreza) banking malware to target corporate banking accounts directly.

• The campaign chains spear phishing, malware (initial infection via the Upatre downloader), social engineering (live phone calls from fake bank staff), complex process injection, the Deep Web and even Distributed Denial of Service (DDoS) sprees to complete an attack.

PHISHING / SOCIAL ENGINEERING ATTACKS

THE DYRE WOLF ATTACK

• Not your typical malware campaign

• Each successful attack cost the victim company between $500,000 and $1.5 million (IBM, 2015)

• Uses targeted spear phishing emails, malware and social engineering

[Six diagram slides illustrating the Dyre Wolf attack flow; the images are not part of this transcript. Photo credit: IBM, 2015]

THE DYRE WOLF ATTACK

Dyre Wolf is a perfect example of how most defenses are still only as strong as the weakest employee.

Defending against phishing attacks is largely centered on the knowledge and training of the weakest link in your system: end users.

ACCIDENTS (AGAIN…USERS)

• Accidental disclosure of confidential information is a substantial cause of data breaches, and the DBIR attributes over 60% of these incidents to errors by system administrators.

Read “Biggest Cyber Security Threat to Law Firms is Not What You Think”

• Accidents tend to fall into three primary categories:

1) “D’oh!”: Ever sent an email to a client and, about .0009 seconds after hitting Send, realized you sent it to the wrong recipient? The DBIR reports misdelivery as the single largest exposure point for data.

2) “My Bad!”: According to the same DBIR, about 17% of these breaches and disclosures result from users publishing nonpublic data to public servers. Sensitive client data does not belong on Google!

3) “Oops!”: The last bucket of end-user snafus is the insecure disposal of personal and medical data.
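The “D’oh!” category is the one that can be caught by a check at send time. The following is an added example, not code from the original deck: a pre-send recipient check that blocks mail about a matter when a recipient’s domain is not on that matter’s expected list, and separately flags look-alike domains (a typo or a squatted domain within a couple of characters of a real client domain). The firm domain, the matter-to-domain table and every address below are constructed for the demo.

```python
# Added example (not from the original deck): pre-send checks for the "D'oh!"
# category, i.e. mail about to leave the firm for the wrong recipient.
# All domains, addresses and matter names below are constructed for the demo.
from __future__ import annotations

# Hypothetical per-matter address book: which external domains are expected
# to receive mail about each matter.
MATTER_DOMAINS = {
    "acme-merger": {"acme-corp.com", "northfieldbank.com"},
}
FIRM_DOMAIN = "examplefirm.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains (acme-crop.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_recipients(matter: str, recipients: list[str]) -> list[tuple[str, str]]:
    """Return (address, reason) pairs for every recipient that should block sending.

    An empty list means the message may go out. Internal addresses and domains
    expected on this matter pass; anything else is reported, with look-alikes of
    an expected domain called out separately because they are the likely typo.
    """
    expected = MATTER_DOMAINS.get(matter, set())
    findings = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == FIRM_DOMAIN or domain in expected:
            continue
        # Within two edits of an expected domain: almost certainly a typo or a look-alike.
        near = [d for d in expected if edit_distance(domain, d) <= 2]
        if near:
            findings.append((addr, f"look-alike of {near[0]}"))
        else:
            findings.append((addr, "external domain not on this matter"))
    return findings


if __name__ == "__main__":
    for finding in check_recipients("acme-merger", ["j.smith@acme-crop.com", "anon@gmail.com"]):
        print("BLOCK:", finding)
```

In practice this runs as an Outlook add-in or a mail-gateway rule; the matter lookup would come from the document management system rather than a dictionary, and the look-alike test should also be applied to the sender of inbound mail, since the same typo-squatted domain is what a phisher uses in the other direction.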

VULNERABILITIES…(WE DON’T NEED NO STINKIN’ PATCHES)

• CVE (Common Vulnerabilities and Exposures) is a worldwide, publicly available list of known vulnerabilities, each with a unique CVE identifier, published for anyone who wants to use it.

• Most vulnerability scanners test your network against this list. Software and OS vendors use the same list to track the fixes they ship in updates as fast as vulnerabilities are identified.

• Which brings up an interesting point: the vast majority of vulnerabilities exploited in 2014 were known CVEs that were at least a year old. AT LEAST A YEAR OLD!

• Ten CVEs accounted for 97% of the exploits observed in 2014. ONLY 10!

• But before you ask: the DBIR attributes the remaining 3% to roughly 7 million other vulnerability detections spread across a long tail of distinct CVEs. So you cannot simply patch the top 10 and call it a day.
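Both points above (old CVEs are the ones that get exploited, and a “top ten” list is not a patch program) can be turned into a ranking rule for scanner output. The following is an added example, not code from the original deck or from any scanner vendor: it reads a constructed scan export, ranks findings by CVSS plus a bump for being on a watch list and for being more than a year old, and lists the old high-severity findings that a watch-list-only program would miss. The watch list is a hypothetical stand-in for a most-exploited list; the scoring weights are an assumption, and the publication dates are approximate NVD dates.

```python
# Added example (not from the original deck): ranking vulnerability-scan findings
# by how long the CVE has been public and whether it is on a watch list of
# commonly exploited CVEs. The scan export and the watch list are constructed
# for the demo; the publication dates are approximate NVD dates.
from __future__ import annotations
import csv
import io
from datetime import date

SCAN_DATE = date(2015, 6, 1)
ONE_YEAR = 365

# Hypothetical stand-in for a "most exploited" list such as the DBIR's top ten.
WATCHLIST = {"CVE-2014-0160", "CVE-2012-0158"}

# Constructed scanner export: host, CVE, CVSS base score, CVE publication date.
SAMPLE_SCAN = """host,cve,cvss,published
fileserver01,CVE-2014-6271,10.0,2014-09-24
vpn01,CVE-2014-0160,5.0,2014-04-07
workstation17,CVE-2012-0158,9.3,2012-04-10
webproxy01,CVE-2014-3566,4.3,2014-10-15
workstation04,CVE-2010-2568,9.3,2010-07-22
"""


def parse_scan(text: str) -> list[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "cve": r["cve"],
            "cvss": float(r["cvss"]),
            "published": date.fromisoformat(r["published"]),
        })
    return rows


def age_days(row: dict, today: date = SCAN_DATE) -> int:
    """Days since the CVE was published, as of the scan date."""
    return (today - row["published"]).days


def risk_score(row: dict, today: date = SCAN_DATE) -> float:
    """CVSS plus a bump for 'on the exploited list' and a bump for 'old enough
    that every attacker kit has it'. The weights are an assumption, not a standard."""
    score = row["cvss"]
    if row["cve"] in WATCHLIST:
        score += 3.0
    if age_days(row, today) > ONE_YEAR:
        score += 2.0
    return score


def prioritize(rows: list[dict], today: date = SCAN_DATE) -> list[str]:
    """CVE ids in patch order: highest risk first, older first on ties."""
    ranked = sorted(rows, key=lambda r: (-risk_score(r, today), -age_days(r, today)))
    return [r["cve"] for r in ranked]


def missed_by_watchlist(rows: list[dict], today: date = SCAN_DATE) -> list[str]:
    """Old, high-severity findings that a 'top N only' program would never patch."""
    return [r["cve"] for r in rows
            if r["cve"] not in WATCHLIST
            and r["cvss"] >= 7.0
            and age_days(r, today) > ONE_YEAR]


if __name__ == "__main__":
    findings = parse_scan(SAMPLE_SCAN)
    for cve in prioritize(findings):
        print(cve)
    print("not covered by the watch list:", missed_by_watchlist(findings))
```

The useful output is the last line: a year-old remote-code-execution bug on a workstation outranks this month’s headline vulnerability, and it is exactly the kind of finding that disappears if the only patch trigger is “is it on the list”.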

THE LONG-CON

• Ransomware has traditionally been a smash-and-grab attack that encrypts files the moment it lands; however, the same criminals are finding that a long, slow attack can yield even higher returns.

• The next phase of ransomware will likely sit in an environment for months before taking action.

• Possible scenarios now include server-side attacks that silently encrypt data moving to and from the server until the criminal feels a sufficient amount of data is encrypted. The practical defense is offline or versioned backups with retention longer than that dwell time, tested by actually restoring from them.

• They simply hold you and your data hostage in return for payment.

• No payment means they withhold the decryption key, and none of your systems will work until you pay.

THE INTERNET OF THINGS & BYOD(IT’S ONLY GOING TO GET MORE DIFFICULT…)

• A dramatic increase in the number of internet-connected devices that could lead to accidental exposure of confidential information.

• Target proved this in spades: its 2013 breach began with network credentials stolen from a third-party HVAC contractor.

• As you look at your environment from a security perspective, have you considered everything?

• Traditionally unmonitored vectors include fax machines and printers, but have you checked that new TV in the conference room?

• What about that new Apple Watch?

GETTING IN FRONT OF THE PROBLEM.

• First things first: the firm, its partners and directors must all agree that security is a priority.

– It needs to be a priority from the top down if end users are to adjust their daily behavior to match the firm’s security policies.

– The most senior people in any organization are typically the least willing to adjust their behavior!

• Any investment needed to properly build and maintain a security plan will require the people at the top to spend out of their own pockets.

• Security must be a permanent part of the business plan.

GETTING IN FRONT OF THE PROBLEM

STEP 1: PUT SOMEONE IN CHARGE OF CYBERSECURITY

• Many organizations set a course for failure almost from the start by not establishing responsibility for one person or a team of people to manage this process.

• Must also be responsible for moving the firm from compliance to security. These two are not the same thing.

• Even an ISO 27001 certified firm may not be secure; certification shows that the policies and procedures for a security program are in place, not that they are followed and effective day to day.

STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE

• Every firm should employ some form of a written security plan

• A proper plan covers four core control types: physical, policy, detective and corrective.

• Key elements for a law firm security plan include:

– Identification: Identify the data your firm maintains, establish where it lives, and decide which information is most sensitive and in need of monitoring.

– Encryption: Whether at rest or in transit, data should always be encrypted.

– Remote Access / Authentication: What information will you allow access to from outside the building, and how will you verify who is asking (ideally with multi-factor authentication)?

– Password Policies: Will you be willing and able to implement a complex password policy that changes every 90 days? (Current guidance, NIST SP 800-63B, favors long passphrases, screening against known-breached passwords and MFA over forced periodic rotation.)

– Social Media Policy: Use at work? Can you use the same login for Facebook as for your company PC?

STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE (CONT.)

• Key elements for a law firm security plan (con’t)

– Physical Security - Are you planning to restrict building access? Can you track when people come and go? Are there cameras to track access to critical information?

– Vendor Security: No one likes to do it, but auditing your third-party vendors can be a critical piece of your security plan.

– Breach Response Planning - Each plan should contain critical pieces such as client notification plans, plan for notifying authorities, documentation plans, and overall decision-making ability.

STEP 3: CREATE & MAINTAIN A PROPER DEFENSE / MONITORING ENVIRONMENT

• Firewall with IDS or IPS: A firewall with intrusion detection (IDS) or intrusion prevention (IPS) is recommended to detect and block known-malicious traffic.

• Spam Filter: The majority of malware that gets into networks arrives through phishing email.

• Patching: The greatest source of vulnerability is software and applications that are not properly patched (i.e. they lack the latest updates).

• Mobile Device Management: Lets you manage, secure and monitor your firm’s mobile devices in real time, including wiping a lost or stolen device remotely.

• Encryption: Any device that can store sensitive information (phones, laptops, tablets) and is built to leave the building should be encrypted.

• Application Whitelisting: For advanced defensive environments. Only software you explicitly approve can run or be installed anywhere on your network.

• Logging Systems: Knowing where your data resides AND being able to establish normal patterns of user traffic goes a long way toward noticing when something has gone wrong and you have been breached.
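“Establishing patterns of user traffic” is only useful if something compares new activity against those patterns. The following is an added example, not code from the original deck or from any logging product: it builds a per-user baseline (source /24 subnets and hours of day seen on successful logins) from one week of constructed authentication log lines, then runs a second day of lines against it and raises alerts for a new source network, an unusual hour, and a success immediately following a burst of failures. The key=value line format is a hypothetical export, not any vendor’s real format.

```python
# Added example (not from the original deck): a small baseline-and-deviation
# check over authentication logs, the kind of "pattern of user traffic" the
# slide refers to. The log lines are constructed for the demo; the format is a
# hypothetical "key=value" syslog export, not any vendor's real format.
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_LOG = """\
2015-05-04T08:52:10 user=jdoe src=10.0.4.21 result=success
2015-05-04T17:40:02 user=jdoe src=10.0.4.21 result=success
2015-05-05T09:03:44 user=jdoe src=10.0.4.37 result=success
2015-05-05T08:15:00 user=asmith src=10.0.7.12 result=success
2015-05-06T11:05:30 user=asmith src=10.0.7.12 result=success
2015-05-06T18:30:11 user=asmith src=10.0.7.12 result=success
"""

NEW_LOG = """\
2015-05-12T09:14:03 user=jdoe src=10.0.4.21 result=success
2015-05-12T03:02:51 user=jdoe src=203.0.113.8 result=success
2015-05-12T10:00:01 user=asmith src=10.0.7.12 result=failure
2015-05-12T10:00:04 user=asmith src=10.0.7.12 result=failure
2015-05-12T10:00:07 user=asmith src=10.0.7.12 result=failure
2015-05-12T10:00:10 user=asmith src=10.0.7.12 result=failure
2015-05-12T10:00:13 user=asmith src=10.0.7.12 result=failure
2015-05-12T10:00:20 user=asmith src=10.0.7.12 result=success
"""


def parse(log: str) -> list[dict]:
    """Turn 'timestamp k=v k=v ...' lines into dicts; adds the /24 of the source."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["subnet"] = ".".join(ev["src"].split(".")[:3])  # /24 granularity, an assumption
        events.append(ev)
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per user: the /24 subnets and hours of day seen on successful logins."""
    base = defaultdict(lambda: {"subnets": set(), "hours": set()})
    for ev in events:
        if ev["result"] == "success":
            base[ev["user"]]["subnets"].add(ev["subnet"])
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base


def detect(baseline: dict, events: list[dict], max_failures: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) alerts for events that break the baseline."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            continue
        # A success right after a burst of failures looks like a guessed password.
        recent = [t for t in failures[user] if ts - t <= window]
        if len(recent) >= max_failures:
            alerts.append((ts.isoformat(), user, f"success after {len(recent)} failures"))
        failures[user] = []
        prof = baseline.get(user)
        if prof is None:
            alerts.append((ts.isoformat(), user, "no baseline for user"))
            continue
        if ev["subnet"] not in prof["subnets"]:
            alerts.append((ts.isoformat(), user, f"new source subnet {ev['subnet']}.0/24"))
        # Allow one hour of slack either side of the hours seen in the baseline.
        if not any(abs(ts.hour - h) <= 1 for h in prof["hours"]):
            alerts.append((ts.isoformat(), user, f"login at unusual hour {ts.hour:02d}:00"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(base, parse(NEW_LOG)):
        print(*alert)
```

A week of baseline and a one-hour slack are deliberately crude; the point is that the 3 a.m. login from an address outside the office network is invisible in a log nobody compares against anything, and obvious the moment a baseline exists. Real deployments replace the in-memory dictionaries with a SIEM’s user profile and add time-zone handling for travelling attorneys.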

Read: “5 Basic Cybersecurity Controls Every Firm MUST Have in Place”

STEP 4: FORM A MILITIA

• Create a security policy and turn your employees into your cyber militia.

• Employees represent one of your greatest defense opportunities, but they need to understand the importance of protecting your confidential data and the rules for keeping it safe.

• Training: Over 23% of people open phishing messages and 11% click on attachments (Verizon 2015 DBIR).

• Enforcement: It’s up to management to ensure that the policies and procedures are being followed.

– Test users with simulated phishing emails to see who opens them and who clicks.

– Focus training on the types of campaigns that were most successful in your firm.
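The two enforcement bullets above are a measurement loop: send simulated lures, record who opened and who clicked, then aim training at the lure that worked and the people it worked on. The following is an added example, not code from the original deck or from any phishing-simulation vendor: it takes constructed per-recipient results for three hypothetical campaigns and computes open and click rates per campaign, the most effective lure, and the repeat clickers who need individual follow-up. The campaign names, user names and result fields are all constructed.

```python
# Added example (not from the original deck): scoring a simulated-phishing
# campaign so training can be aimed at the lures that worked and the people
# who fell for them. The result rows are constructed for the demo; the field
# names are an assumption, not any vendor's export format.
from __future__ import annotations
from collections import defaultdict

# Constructed results: one row per (campaign, recipient); the flags record
# whether the message was opened and whether the link/attachment was clicked.
RESULTS = [
    # campaign,           user,     opened, clicked
    ("fake-docusign",     "jdoe",   True,   True),
    ("fake-docusign",     "asmith", True,   False),
    ("fake-docusign",     "rlee",   False,  False),
    ("fake-docusign",     "mchen",  True,   True),
    ("fake-court-notice", "jdoe",   True,   True),
    ("fake-court-notice", "asmith", True,   True),
    ("fake-court-notice", "rlee",   True,   True),
    ("fake-court-notice", "mchen",  True,   False),
    ("fake-it-password",  "jdoe",   False,  False),
    ("fake-it-password",  "asmith", False,  False),
    ("fake-it-password",  "rlee",   True,   False),
    ("fake-it-password",  "mchen",  False,  False),
]


def campaign_rates(results) -> dict[str, tuple[float, float]]:
    """Per campaign: (open rate, click rate) as fractions of recipients."""
    sent, opened, clicked = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, was_opened, was_clicked in results:
        sent[campaign] += 1
        opened[campaign] += was_opened      # bools add as 0/1
        clicked[campaign] += was_clicked
    return {c: (opened[c] / sent[c], clicked[c] / sent[c]) for c in sent}


def most_effective_lure(results) -> str:
    """The campaign with the highest click rate: the theme training should cover first."""
    rates = campaign_rates(results)
    return max(rates, key=lambda c: rates[c][1])


def repeat_clickers(results, threshold: int = 2) -> list[str]:
    """Users who clicked in at least `threshold` campaigns: candidates for one-on-one follow-up."""
    clicks = defaultdict(int)
    for _campaign, user, _opened, was_clicked in results:
        clicks[user] += was_clicked
    return sorted(u for u, n in clicks.items() if n >= threshold)


if __name__ == "__main__":
    for campaign, (open_rate, click_rate) in campaign_rates(RESULTS).items():
        print(f"{campaign:18s} opened {open_rate:.0%}  clicked {click_rate:.0%}")
    print("train on:", most_effective_lure(RESULTS))
    print("follow up with:", repeat_clickers(RESULTS))
```

Click rate, not open rate, is the number to manage: opening a message is harmless with a working mail client, while a click is what starts a Dyre-style infection. Run the same lure again a quarter later and compare the click rate to see whether training actually changed behavior.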

STEP 5: CONTINUAL MONITORING AND IMPROVEMENT

• Continual assessment and validation is necessary to verify the effectiveness of your security efforts.

– Many attacks exploit weaknesses in browsers, web applications and other applications, or lure users to malicious websites.

– Vulnerability scanning is the most cost-effective way to find unpatched systems and newly disclosed weaknesses before attackers do.

• Penetration Testing: A penetration test provides a point-in-time snapshot of exploitable gaps and should be done regularly, since the picture changes with every new system and every new CVE.

• Security Assessment: Have a qualified third party review your network, identify the business implications of the security threats it faces, and recommend how they can be remediated to improve both compliance and the firm’s longevity.

ADDITIONAL RESOURCES

• 5 Basic Cybersecurity Controls Every Firm MUST Have in Place

• My firm has been hacked, what do I do?

• Which type of hackers represent the biggest threat to law firms?

• Law Firm Cyber Security Threat Matrix [eBook]

• Should Firms Restrict Access to Personal Email?

• Law Firm Cyber Security: Protecting Your Client’s Data

• What your Law Firm Needs to Know About IT Risk and Security Audits

For further reading, visit our blog Legal Loudspeaker.

Discover how Accellis can help you stay in front of cybersecurity threats.

Whether it’s a security assessment, penetration test, or compliance evaluation – our team of certified security experts can ensure you’re on the right track.

SCHEDULE A FREE CONSULTATION
