Cyberthreats and Defenses

Vol. 31 No. 3

By

Sharon D. Nelson, Esq., is president and John W. Simek is vice president of Sensei Enterprises, Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Virginia.

The Federal Bureau of Investigation (FBI) has warned law firms that they are targets for hackers and that the security firm Mandiant has been spending 10 percent of its time investigating data breaches in law firms. In fact, Mandiant has confirmed that it has worked with more than 50 law firms dealing with confirmed or suspected data breaches. Clearly, it can happen to any firm.

Now consider the fact that most lawyers do not have cyberinsurance to cover the expense of complying with data breach laws, which now exist in 47 states, the District of Columbia, and the Virgin Islands. A single data breach could be a financial disaster for a small law firm.

The last stumbling block for lawyers who are disinclined to focus on security issues is their belief that it won’t happen to them—particularly their belief that no one would be interested in their data. Most of us can understand why merger and acquisition firms would be a magnet for hackers—clearly there is a great deal of money to be made on Wall Street with insider information. But what about small law firms? What attractive data do they hold? Well, many small firms practice family law—and their computers contain Social Security Numbers, birth dates, credit card numbers, and other detailed financial information. This is precisely the kind of data that identity thieves are looking for. They routinely scan for vulnerable systems seeking such data.

Business espionage is another motivation for breaking into law firms. Perhaps you represent a company about which a competitor wishes to acquire business intelligence—from you.

There is also the press. In 2011 the News of the World notoriously hacked into cell phones to feed the public’s insatiable appetite for gossip. Consider all the interest in a murder trial—is it conceivable that a reporter might seek private information to get a scoop? Of course.

What’s New in the Data Breach World?

Attackers are becoming more sophisticated, developing better and better tools. They study their targets and wait for the right moment to try to enter high-value networks.

Verizon’s 2013 Data Breach report noted that, in 2012, there were more than 47,000 reported security incidents and 621 confirmed data breaches. Verizon also identified only 14 percent of the threats as coming from internal sources, with 92 percent coming from external sources, 1 percent coming from third parties who had a relationship with the breached entity, and 19 percent attributed to state-affiliated actors.

The leading three threat agents are hacking, network intrusions exploiting weak or stolen credentials, and malware, followed by physical attacks and leveraged social tactics.

Although the insider threats appear to be down slightly from previous years, bear in mind the case of Matthew Kluger, a lawyer who allegedly stole insider information from the law firms he worked for during a 17-year period. At Wilson Sonsini, his most recent employer, he got the information from the firm’s document management system. As Law Technology News pointed out in a 2011 article, this underscored three law firm information security challenges:

  • The need to balance security with the need to share information;
  • The importance of having security policies, with people in place having enough authority to enforce and monitor the policies, updating them as needed; and
  • The clear message that law firms need to focus on threats from insiders because the tendency is often to focus on external threats and ignore those in the office.

Law Firms’ Bad Rap on Information Security

Security consultants consistently report that law firms are “stingy” about spending money on data security and lag far behind their corporate counterparts. Only at the largest firms does one find security specialists.

Law firms in general, and small firms in particular, are not very likely to have vulnerability assessments done. If they do have an assessment done, they often don’t follow the best practice of repeating the assessments at regular intervals.

Firm-wide encryption is almost unheard of, although with the recent news of the National Security Agency actions more businesses and firms are looking to encryption as a way to protect privacy from government snooping.

We forget how our mobility has opened up new vulnerabilities. Flash drives, tablets, smartphones—all are easily lost or stolen, yet most lawyers do not encrypt these mobile devices. Sadly, they do not even go to the trouble to have a password or PIN on their devices.

Social media sites have become a wonderful place for criminals and business espionage experts to set up shop. Even developers for social media sites have been found with their hands in the cookie jar. And yet, very few firms put in place social media policies, train employees about the safe usage of social media, or implement technology that might intercept malware before it is installed on the network.

Engagement letters should note that security cannot be guaranteed and advise clients not to send sensitive information electronically. Unfortunately, we rarely see that sort of language used by solos and small firms.

Spear Phishing—and a Data Breach Avoided

Spear phishing is targeted phishing. It is more likely to be successful because it often appears to come from someone you trust and the subject line is one designed to engage the recipient. For instance, it might say, “Check this out—you’re quoted in this article.” An appeal to ego is often successful. Once in, the perpetrators will look for administrator accounts and the accounts of managing or senior partners to allow them to move freely within the larger network.

In a smaller firm, the e-mail’s subject line might well read “Referring a case to you”—that would certainly be appealing in these uncertain economic times. Over and over again, it has been demonstrated that “spear phishing” is the most successful weapon for getting into a law firm’s network.

In 2010 the Los Angeles–based firm Gipson Hoffman & Pancione survived an attempted spear phishing attack. The firm had filed a $2.2 billion copyright infringement suit on behalf of CYBERsitter LLC. Shortly thereafter, the firm noted a dramatic increase in suspicious e-mails.

The e-mails appeared to be sent from lawyers at the firm and included a message requesting the recipients to open an attachment. The firm’s internal investigation revealed that the attachment contained malware that appeared to come from China. We can never say enough about the value of training. In this case, training saved the firm from making a costly error. Attorneys and support staff had been warned to be on the lookout for suspicious e-mails after the suit was filed because the suit accused the Chinese government and several companies of stealing code from CYBERsitter’s Internet filtering program. No one clicked on the attachment, so no malware bomb was detonated.

OK, I’m Convinced—What’s Next?

First, understand how data breaches happen. Here are the most common ways:

  • Devices with unencrypted data are stolen or lost.
  • Security patches are not installed.
  • Lawyers and staff are not trained about social engineering. One example is where someone pretends to be your IT provider and needs an employee’s ID and password to “fix something.”
  • Malware comes in via an attachment or through social media (e.g., the previously referenced spear phishing).
  • Hackers, cybercriminals, and even national governments find vulnerability in your network.

Since the old, innocent days of script kiddies, we now have more sinister types trying to get your information, and their skill set has vastly improved along with the tools available. Also, our networks are becoming more interconnected and complex all the time—and as Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, has said, “Complexity is the enemy of security.” As he further pointed out, if someone really wants your data, they stand an excellent chance of getting it.

Here’s another reason to be wary, this one from Alan Paller, the director of research at the SANS Institute: “If I want to know about Boeing and I hack into Boeing, there are a billion files about Boeing. But if I go to Boeing’s international law firm, they’re perfect. They’re like gold. They have exactly what I’m looking for. You reduce your effort.”

Essential steps to take:

  • Have a vulnerability assessment performed, at least annually.
  • Remediate any vulnerabilities discovered.
  • Use enterprise-class anti-malware, not single-function products such as an antivirus program (we like Kaspersky and Trend Micro).
  • Have security policies and plans in place:
    • Remote Access Policy.
    • Incident Response Plan.
    • Disaster Recovery Plan.
    • Acceptable Internet and Electronic Communications Policy.
    • Social Media Policy. (More than two-thirds of small businesses do not have such a policy, and yet 18 percent of users have been hit by social media malware according to a 2011 report by the Ponemon Institute.)
    • Employee Termination Checklist.
    • Password Policy.
    • Mobile Device Policy. (This is critical if you allow the use of personal devices, including smartphones.)
    • Employee Background Checks.
    • Employee Monitoring Policy. (It is helpful to have a log-on screen that specifically says that there is no right of privacy—this makes it hard for employees to argue that they didn’t know the policy.)
    • Guest Access Policy. (Guests are frequently allowed on law firm networks, but they should not be able to reach client data, firm financial information, etc.—and they should be given a password that expires quickly.)
    • Vendor Access Policy.
  • Make sure critical security patches are promptly applied.
  • Map your network (you can use a free tool such as Nmap, nmap.org) to identify devices and applications running on the network. Regular scanning will show you what and who should and shouldn’t be on the network. Anything that looks suspicious can be investigated.
  • Depending on the size of your firm, you may want to consider an intrusion detection system (IDS). Larger firms may want to use a network behavior analysis tool, which monitors network traffic and detects anomalies, but this is probably beyond the budget of small firms.
  • Consider using content filtering, which keeps employees from visiting sites (notably pornographic sites) where evildoers are apt to plant drive-by malware.
  • Examine the security policies of business partners.
  • Verify that your firewall is properly configured.
  • Encrypt sensitive data in transit and in storage. This is especially important for mobile devices, which are so frequently lost or stolen. Make sure they can be remotely wiped and that they will wipe themselves after a certain number of incorrect passwords are typed in.
  • Change all default passwords—these are plastered all over the Internet.
  • If you have bent to the pleas of employees to connect their personal devices to your network, make sure you have a mobile device manager, which can help manage security. The new trend is to have two instances on the phone, one for business and one for personal stuff, with the employer tightly managing the business instance of the phone. Because most small law firms are not using mobile device managers, allowing personal devices on the network is a Faustian bargain with a severe security risk. It is very important that data be encrypted, that passwords be required, and that the devices can be remotely wiped.
  • Verify that your wireless network is properly secured.
  • Log remote access, and limit access to sensitive data.
  • Make sure you know where all your data is actually located!
  • Make sure you know which experts you would call in the event of a breach.
  • Make sure your devices are physically secure.
  • If you accept credit cards, make sure you follow the PCI Data Security Standards (DSS), which can be found at pcisecuritystandards.org.
  • Get IT and partners to work together. Firm culture is a big problem—it is often true that a partner can refuse an IT security recommendation simply by saying, “I don’t want to work that way.”
  • Have a plan for damage control to the firm’s reputation.
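As an added illustration of the network-mapping step above (this script is not from the article or from the Nmap project), the following Python code reads the grepable output of an Nmap ping sweep and compares the hosts that answered against a known-device inventory, so that regular scans flag anything on the network that should not be there. The inventory, the IP addresses and the sample scan output are all constructed for the example.

```python
"""Compare an Nmap ping sweep against the firm's device inventory (added example).

Intended use: run  nmap -sn -oG scan.gnmap 192.168.1.0/24  and feed the file
to parse_gnmap(); the sample output and inventory below are constructed.
"""
import re

# Constructed inventory: IP -> description. A real firm would keep this in an
# asset list and update it whenever a device is added or retired.
KNOWN_DEVICES = {
    "192.168.1.1": "firewall/router",
    "192.168.1.10": "file server",
    "192.168.1.20": "document management server",
    "192.168.1.50": "partner workstation",
}

# Constructed sample of grepable (-oG) output from a ping sweep.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sn -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 (gateway.example.local)\tStatus: Up
Host: 192.168.1.10 (fs01.example.local)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.77 (android-3f2a.example.local)\tStatus: Up
Host: 192.168.1.50 (ws-partner.example.local)\tStatus: Down
# Nmap done (constructed sample) -- 256 IP addresses (4 hosts up) scanned
"""

# "Host: <ip> (<name>)<tab>Status: <Up|Down>"; comment lines are skipped.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_gnmap(text):
    """Return {ip: (hostname or None, status)} for every Host: line."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts[ip] = (name or None, status)
    return hosts


def compare_with_inventory(scan, inventory):
    """Return (hosts up but not inventoried, inventoried hosts that did not answer)."""
    up = {ip for ip, (_, status) in scan.items() if status == "Up"}
    unknown = sorted(up - inventory.keys())
    missing = sorted(ip for ip in inventory if ip not in up)
    return unknown, missing


if __name__ == "__main__":
    unknown, missing = compare_with_inventory(parse_gnmap(SAMPLE_GNMAP), KNOWN_DEVICES)
    print("investigate (not in inventory):", unknown)
    print("inventoried but not responding:", missing)
```

A host that is up but absent from the inventory is exactly the "what shouldn't be on the network" case the step describes; a known host that stops answering is worth a look too, since it may simply be off or may have been moved or replaced.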

Train and keep on training both lawyers and staff. Employees continue to fall for even easy-to-spot social engineering and threats. When an incident is over, sit down and do some serious Monday morning quarterbacking. You may have policies or procedures to change. Whatever your incident response plan, it probably did not wholly survive first contact with the enemy.

Never think that you can handle a data breach without expert involvement. Only an information security specialist can truly do that, which is one reason that we haven’t included a complicated set of technical instructions here. For one thing, they’d be obsolete as soon as written—and for another, they would constitute a book in and of themselves.

Secure Passwords: The Rules Have Changed

According to a report published by the Georgia Institute of Technology, it is time to move to 12-character passwords. In essence, Georgia Tech researchers were able to use clusters of graphics cards to crack eight-character passwords in less than two hours. And trust us, if researchers are doing this, so are the cybercriminals of the world.

The researchers discovered that, when they applied the same processing power to 12-character passwords, it would take 17,134 years to crack them. Cybercriminals, even when highly motivated, are going to bypass 12-character passwords—there are just too many folks out there asking for their security to be violated with less secure passwords.

In response, over the last few years, we have joined others who lecture on security and recommended the use of full sentences or passphrases as passwords. They are so much easier for all of us to recall.

“I’msickofLindsayLohan!” is simple enough to remember and complex enough to confound a would-be password cracker. Using characters that are non-letters helps add to the complexity and therefore to your security. The English alphabet contains just 26 letters, but there are 95 letters and symbols on a standard keyboard. “Mixing it up” makes it even more difficult for cybercriminals to break your password.

Password-cracking capabilities will continue to increase, not only by the National Security Agency, but by cybercriminals as well. By harnessing the power of the cloud to chain (essentially) multiple supercomputers together, passwords as long as 48 characters have been cracked. But rest assured, this is currently the rarity. One day, we will all have two-factor authentication—the two factors being something you know (e.g., a password) and something you have (e.g., a USB token). Google has announced publicly that “passwords are dead” (not yet though) and that it is heading toward two-factor authentication throughout its range of products and services.

Remembering and Storing Your Passwords

Perhaps the greatest problem is remembering all these passwords. One solution is to use an encrypted flash drive such as the IronKey (ironkey.com), which includes a password “vault” application that remembers all the characters for you. Not our recommendation because it is too darn easy to lose.

For $19.95 you can turn to a product such as eWallet (iliumsoft.com/ewallet), which will store your passwords in encrypted format and allow you to sync access to it from multiple devices, including smartphones (be sure to check that yours is supported). This may be the best solution currently available for busy lawyers. Author Simek uses eWallet as a backup (synced to the Galaxy S3) to his IronKey. With a 30-day free trial, it’s hard to go wrong.

Whatever you do, make sure you do take passwords seriously. We know from experience that most lawyers are not going to buy a product like the IronKey or use a product like eWallet. This may change as the years go by, but for now, the majority will simply come up with passwords on the fly as required. If that sounds like you, at least take heed of the message conveyed by the Georgia Institute of Technology and make your passwords strong 12-character passwords. At least then you will have demonstrated that you took “reasonable measures” to protect client confidentiality.

And remember, the price of security is constant vigilance, so keep your cybersecurity knowledge current!
