6/15/2016
1
FIVE EASY STEPS TO BOOST SECURITY IN YOUR FIRM
Claude Ducloux, Board Certified, Civil Trial and Civil Appellate Law, Texas Board of Legal Specialization; Director of Education, LawPay, Austin, Texas
James Sparrow, Software Architect, LawPay, Austin, Texas
The Threat to Law Firms
CYBER SECURITY: WHAT ARE THE TYPES OF LOSSES AND BREACHES THAT WE ARE CONCERNED ABOUT?
1. Theft of intellectual property
2. Theft of sensitive information
3. Loss of reputation and trust, resulting in:
   - Loss of clients
   - Loss of economic and competitive advantage
4. Business disruption and liability to third parties
Lawyers as Targets
WHY IS THIS IMPORTANT FOR LAWYERS?
1. Fiduciary duty to keep client information secure
2. Constant handling of confidential information:
   - Financial
   - Health care
   - Family
   - Business
3. Law offices are the path of least resistance to obtain sensitive information
Malware and Hacking Threats
• CryptoWall “ransomware” is estimated to have cost users over $325 million in calendar year 2015
• Spearphishing attacks: targeted attacks used to acquire confidential information or install malware
• A string of law firms was breached in 2015-2016 to obtain data on mergers and acquisitions and expose client information
• Now, more than ever, lawyers need to take steps to protect firms and clients
Insider Threats and Mistakes
WHAT OTHER TYPES OF SECURITY THREATS?
In-house mistakes:
Losing or disclosing passwords; losing laptops, iPhones, etc.
In-house mischief:
The “insider threat” is the most significant risk that companies face. A disgruntled employee altering or stealing company data accounts for 1 in 5 attacks all across the country.
The “insider threat” is difficult to predict and prevent, because files are easily copied to a thumb drive or e-mailed to a personal email account.
Universal Access Threat
1. Demand for 24/7/365 access
2. Results in access to confidential information:
   - From anywhere
   - On any device
3. Threats from:
   - Unsecure access (Wi-Fi access points)
   - Greater likelihood of loss of devices containing sensitive information
Standard of Care
IS THERE A STANDARD OF CARE FOR LAWYERS?
Most lawyers get sued on a “negligence” standard. Typically that is: “Did the lawyer act in accordance with what a prudent lawyer did or would have done in the same circumstances?”
At present, there is no clear indication other than what a reasonably prudent lawyer would do or not do under the circumstances.
CHECK YOUR OWN STATE STATUTES!
Look also at state/federal Health and Safety Codes for “Duties of Custodians of Confidential Information.” Almost all lawyers are “custodians”.
Privacy Standards
WHAT ENTITIES ARE CREATING STANDARDS?
National Institute of Standards and Technology (NIST) at the national level
Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
May establish a baseline standard of care for legal liability
Additional Sources of Privacy Standards
Standards for Privacy, Continued
Other entities include:
1. The Federal Trade Commission
2. Federal laws:
   - HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates the use and disclosure of protected health information
   - www.hhs.gov/hipaa/
   - HITECH Act, the Health Information Technology for Economic and Clinical Health Act, has additional requirements that modify HIPAA
3. State statutes - always check your own state statutes!
Step 1: Cyber Assets Inventory
1. Document the cyber assets in your practice
   - Use our template to get started
2. Necessary in the event of a breach
3. Covers your:
   - Networks
   - Computers and hardware
   - Software and data
   - Users and accounts
Inventory: Network
Your network:
1. Wired? Wi-Fi?
2. What is connected to which networks?
3. Who configured it?
4. Guest Wi-Fi?
5. Who has Wi-Fi access?
Inventory: Systems and Hardware
Identify office systems and hardware:
1. Computers
2. Laptops
3. Mobile devices
4. Printers
5. File servers and network storage
Inventory: Software and Data
1. What applications are you using?
   - Critical to business or to accessing confidential data
   - Do you have licenses for each copy?
2. What is the application responsible for?
3. What information is managed?
4. Where is the information stored?
   - Local to a computer or device?
   - On your network?
   - In the cloud?
5. Include data backups
   - What is backed up, and where is it located?
Inventory: Users and Accounts
1. Identify all the users with accounts on your system
2. What privileges does each user have?
3. Are these privileges necessary?
Inventory Goal: Securing Systems
1. Each asset in the inventory must be strengthened:
   - Asset is secured
   - Accessible only to people or systems with a need
2. Examples of strengthening include:
   - Replacing weak passwords
   - Updating Wi-Fi configuration and securing connections
   - Ensuring systems are up to date and less prone to viruses
Step 2: Password Management
LET’S START WITH PASSWORDS
Passwords are the easiest way in to hack our systems. This includes passwords to:
1. Networks and Wi-Fi
2. Email and other accounts
3. Common websites
4. Clerk’s Office, e-filing systems, etc.
Use a Password Manager
1. Use a password manager
   - Provides secure storage for all your passwords
   - Depending on which you choose:
     • Works on a single computer only, no sharing
     • Secure shared access across computers and devices
2. What is a password manager?
   - Separate application downloaded and installed on a computer or device
   - Easy to create a different, strong password for every site
   - You only remember the passphrase for the password manager
   - This one password must be strong and complex. Avoid:
     • Dictionary words (with or without numbers at either end)
     • Foreign words
     • Slang or jargon
     • Names or dates associated with you
   - Use:
     • 12 or more characters
     • Upper and lowercase
     • Numbers and symbols
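The master-passphrase rules on this slide, turned into a checker as an added example (not code from the presentation or from LawPay). The word list and the "personal" names and dates are constructed stand-ins; a real check would load a full dictionary, foreign-word and slang list.

```python
import re

# Constructed stand-ins for the lists the slide tells you to avoid. A real
# check would load a large dictionary, foreign-word and slang list instead.
COMMON_WORDS = {"password", "welcome", "justice", "summer", "lawyer",
                "bonjour", "amigo", "yolo"}
# Constructed names/dates "associated with you" (hypothetical, not from the deck).
PERSONAL_TERMS = {"jane", "smith", "1975", "0314"}

def master_passphrase_problems(pw, personal=PERSONAL_TERMS, words=COMMON_WORDS):
    """Return the list of rule violations; an empty list means the passphrase
    meets the slide's rules: 12+ characters, upper and lowercase, digits,
    symbols, no dictionary word padded with numbers, no personal terms."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    low = pw.lower()
    # "Dictionary word with or without numbers at either end": strip any
    # non-letters from both ends and see whether a single listed word remains.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core in words:
        problems.append(f"dictionary word '{core}' padded with numbers/symbols")
    for term in sorted(personal):
        if term in low:
            problems.append(f"contains personal term '{term}'")
    return problems

def is_acceptable(pw):
    """True only when no rule on the slide is violated."""
    return not master_passphrase_problems(pw)

if __name__ == "__main__":
    for candidate in ("Summer2016!", "Jane0314!!abc", "kT9#vLq2!mZp$wR7"):
        print(candidate, "->", master_passphrase_problems(candidate) or "OK")
```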
Multi-Factor Authentication
Other steps to secure access: use MFA
1. Multi-factor authentication
2. Requires password + code to access account
3. Code is texted or accessed from a smartphone application
   - Example: Google Authenticator
4. Codes change each use
5. Substantially reduces account hijacking
6. But don’t stop using strong passwords even when MFA is enabled!
Step 3: Fortify Your Network
You can significantly reduce the risk of access through your office Wi-Fi:
1. USE YOUR PASSWORD MANAGER to generate a strong passphrase for your wireless network.
2. REQUIRE NETWORK AUTHENTICATION, selecting WPA2-Personal (Wi-Fi Protected Access 2) for most small practices
   - May appear as WPA2-PSK or just WPA2
   - Do not use WEP or plain WPA
3. USE A SEPARATE GUEST WI-FI NETWORK for clients or visitors who need Internet access.
   - Most Wi-Fi routers today support one or more guest networks
   - Enable WPA2-Personal authentication for your guest network as well
4. PROVIDE ACCESS to your private network (as opposed to the guest network) and intranet/LAN only to those with a clear and ongoing need
5. CONNECT YOUR OFFICE SYSTEMS, printers, file servers, etc. to your private Wi-Fi network or LAN, not the guest Wi-Fi network
Wireless Router Settings
Step 4: Protect Office Systems
Your office computers can be a treasure trove for an attacker,
and there are multiple routes in, from open network
connectivity to targeted malware. Fortunately there are a few
key tools at your disposal to counter these threats:
1. Automatic updates
2. Antivirus/Anti-Malware
3. Firewall
Enable Automatic Updates
Enable your operating system’s automatic updates and apply application updates as they become available. Many active viruses take advantage of problems for which fixes have long been available.
Install Antivirus/Anti-Malware
Install anti-virus/anti-malware on all systems, enable real-time checking, and schedule full computer scans weekly at a convenient time.
Enable Your Firewall
Enable your operating system’s firewall to prevent external connections. Some software applications may require specific exceptions to be configured to allow access from other computers on your network, but the vendor documentation should make this clear.
Step 5: Secure Confidential Info
Lawyers have both an ethical responsibility and a legal responsibility to secure confidential information. Here are some tips to assist you:
1. USE OF HTTPS ADDRESSES: When handling sensitive information within a web browser, always make sure the address starts with “https”. Most browsers will highlight the address bar and let you know the connection is secure (e.g., a link that reads “County Court Records” in an email may be revealed as “PhishingExpedition.ru” once the browser shows the site’s actual address). Data transmitted over a properly secured connection is encrypted, which prevents an attacker from tampering with or accessing the information sent.
2. WHOLE-DRIVE ENCRYPTION: Data stored on your computer or a network storage device also needs to be secured. Most modern operating systems support whole-drive encryption. Once enabled, you can be comfortable that if your computer were lost or stolen, the data stored on it cannot be accessed by anyone else. Learn how to enable this encryption!
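The “County Court Records” link example from tip 1, worked through as an added example (not code from the presentation): it pulls every link out of a constructed email body, shows the host the link really points to, and flags links that are not https or whose visible address differs from the real one. The email body, the `countycourt.example` and `efile.example` hosts, and the function names are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style email body (not a real message). The first link's
# visible text says "County Court Records" but points elsewhere; the second
# shows an https address while the real target is a different, plain-http host.
SAMPLE_EMAIL = """<p>Your requested records are ready.</p>
<a href="http://phishingexpedition.ru/login">County Court Records</a><br>
<a href="http://phishingexpedition.ru/records">https://www.countycourt.example/records</a><br>
<a href="https://efile.example/">https://efile.example/</a>"""

# Visible link text that itself looks like a domain or URL.
DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def inspect_links(html):
    """Return, per link, the visible text, the real host and the reasons
    it should not be trusted (empty reasons = https and no address mismatch)."""
    parser = _Links()
    parser.feed(html)
    report = []
    for text, href in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        m = DOMAINISH.match(text)
        if m and m.group(1).lower() != host:
            reasons.append(f"shown address '{m.group(1)}' differs from real host")
        report.append({"text": text, "host": host, "reasons": reasons})
    return report

if __name__ == "__main__":
    for link in inspect_links(SAMPLE_EMAIL):
        print(f"{link['text']!r} -> {link['host']}: {link['reasons'] or 'OK'}")
```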
User Training
Always remember that insider threats and human error are the prime avenues of data breach and privacy loss.
Train your staff:
1. Use a password manager
2. Never disclose passwords
   - Exception: client access to the secured guest Wi-Fi network
3. Never disclose confidential information over the phone
4. Immediately report any possible disclosure of confidential information
Prepare for Emergencies
HOW DO I ENSURE MY CLIENTS CAN OBTAIN THEIR DIGITAL ASSETS?
Anytime there is a death, including the death of a lawyer, the potential for the cyber threat increases.
According to a 2013 Harris Poll, 93% of Americans who have digital assets aren’t aware of what happens to digital assets when they die.
Just like having a Will, every lawyer should have some very safe and secure location where his or her own staff or trusted fiduciary can discover what his or her digital passwords are, or the access code to the password manager. (Again, always check your state statutes.)
Prepare for Emergencies, Continued
ULC - FIDUCIARY ACCESS TO DIGITAL ASSETS COMMITTEE:
Since 2014, the “Fiduciary Access to Digital Assets Committee” of the Uniform Law Commission (ULC) has worked with companies to try to craft a model act that would vest lawyers, first of all, with at least the authority to manage or distribute digital assets, or to copy or delete those assets as appropriate.
Lawyers need to advise clients always to have their own safe and secure location, or a fiduciary who knows what their digital passwords are, or the access code to the client’s password manager.
Prepare for an Incident
HOW DO I PREPARE FOR A CYBER-ATTACK IN MY OFFICE?
Every office is probably going to be subject at some point to some minor incident or attack or loss of a password. So, what do lawyers need to do?
1. Create policies and plans for prevention and response
2. Plans must address the minimum physical, technical, and administrative safeguards
3. Include a plan to respond to an actual or threatened breach
What is a Breach?
The Department of Justice defines a breach as:
“[The] loss of control, compromise, unauthorized disclosure, unauthorized acquisition or access or any similar term where a person(s) other than the authorized users have access or potential access to information, whether that is physical information or electronic information.”
Handling an Incident
Although YOUR state may have different specific requirements, generally, a custodian of confidential information should notify the affected individuals as follows:
1. Provide a general description of the incident, including:
   - Information that can mitigate harm to the individual
   - Customer service contact information
   - Steps to obtain and review credit reports
   - Steps to file fraud alerts
2. Remind individuals to remain vigilant and report suspicious activity
3. Provide FTC contact information for identity theft protection
Wrap-Up
FINAL THOUGHTS
1. Take inventory of all digital assets
2. Start using a password manager immediately!
3. Enable automatic updates on all your systems
4. Enable whole-drive encryption
5. Train staff on security practices