The Rise of the Dark Web
Often considered to be a “far away” threat, the risks associated with the dark web are often underestimated. The internet that most of us know—Amazon, email, retail websites, news sites and social media—only accounts for a small fraction of the entire internet. The dangers lurking in the dark web are like the deepest parts of an expansive and mostly unknown ocean, with regular internet browsing patterns represented by a clearly visible and accessible shoreline.
For the legal community, the dark web presents several risks, many of which aid a cybercriminal in executing attacks. From information gathering in the wake of a breach to opening credit accounts using purchased card numbers, cybercriminals rely on the dark web.
Clients expect the utmost care in ensuring the confidentiality of their data. Law firms are prime targets of cybercriminals because of the value of the data they collect and store. In this article, I will discuss some of the primary threats that a firm may encounter, the types of risk associated with these threats, and steps to both prevent and mitigate damages in the event of an attack.
One significant risk for law firms is the installation of malware via social engineering attacks. “Malware” is bad software that is installed by bad actors with the intention to exploit vulnerabilities in code, which allows for other forms of software on the targeted systems to act the way the cybercriminals want it to. Once malware is installed, data exfiltration, operational dysfunction, control of the device by the cybercriminal or ransomware attacks can all ensue. Viruses, worms, rootkits, ransomware and spyware are all types of malware that can be installed in a variety of ways, and all pose significant risks to a law firm. However, the primary method that cybercriminals tend to utilize in disseminating malware is social engineering.
Social engineering attacks take advantage of the all-too-forgotten “human” element of security. Instead of compromising technological weaknesses, cybercriminals will go for a route that typically takes a lot less work. Phishing emails are probably the most common social engineering tactic. A typical phishing email appears to be sent from someone we know, maybe a boss or co-worker. The email will often request a confidential task that needs to be done right away. “I am busy right now and can’t talk on the
phone. I need a $50,000 wire transfer. This needs to be done immediately, so don’t tell anyone about it. Thx.” When the request seems urgent and especially if it appears to be coming from upper management, an employee may feel pressured to follow through without double-checking or ensuring the validity of the demand. These emails can often appear legitimate, including details that would at face value seem to only be known by the sender.
Social engineering attacks are often strengthened and personalized by a method known as doxxing. Doxxing is the act of publicly identifying or publishing private information about a person, often with malicious intent. To strengthen an attack by personalizing it to the target, a cybercriminal will frequently visit personal information reseller websites to gather as much information possible. The dark web may also be a source of information.
Perhaps more damaging though is information willingly put out on the internet by the targets themselves. Social media can be a cybercriminal’s best source of information. Posting personal information, even something as innocuous as when you are going to be out of the office on vacation, can be used to bolster a social engineering attack and result in data exfiltration, financial damage or reputational harm. Legal consequences can also ensue, as well as operational dysfunction.
The Risk to Law Firms
The risks associated with cyberthreats are both immediate and ongoing and extend far beyond a firm’s financial strength. An attack that compromises the confidential data of a firm’s clients can severely impact that firm’s reputation and overall success. In our digital age, the legal community has the huge responsibility of ensuring the confidentiality of its clients’ digital information. Any breach in this trust is going to have immediate and long-lasting repercussions.
Cyber attacks also pose significant financial and operational risks. Responding to an attack, especially if a firm has no pre-existing plans or protocol in place, can be incredibly expensive and time-consuming. A ransomware attack that requires financial payments to regain access to client data can cost a firm thousands of dollars.
Operationally, an attacker may gain access to a firm’s devices, making day-today operations impossible to conduct for a period of time. The ongoing legal risk associated with an attack, especially in the event of client data being compromised, can further contribute to a firm’s financial losses and reputational damage.
To counteract these threats and mitigate the associated risks, thinking ahead is a firm’s best approach. Combining proactive and reactive cybersecurity strategies is critical, as well as designating in-house parties responsible for cybersecurity and ensuring top-down management support of security protocols and procedures. Proactive cybersecurity strategies include the development of a cybersecurity team responsible for ensuring the development and implementation of cybersecurity standards, and the establishment of clear communication channels in the event of a cyber attack.
Moving beyond the IT department, creating a culture of security requires interdepartmental support, especially from upper management. If an employee receives a phishing email, he or she should know how to (or not to) respond and how to report the incident to appropriate parties.
Proactive solutions should also consider best practices in regard to email encryption, fortifying networks, implementing controls, the security of third-party vendors, physical security, the institution of regularly scheduled security assessments that include vulnerability scanning as well as penetration testing and employee training and awareness programs.
Part of a proactive cybersecurity approach is that a firm knows how it will respond in-house and publicly if it is made victim to an attack. Having a third-party security vendor on hand for assessment and mitigation is often a necessary first step; gathering accurate information about the scope and damages of a breach is important in addressing the public and mitigating ongoing damage. Reporting procedures and requirements should also be understood prior to an incident occurring.
Our interconnected world has made things easier but also more complex. When technology works in our favor, it makes everything better. Data can be collected and stored easily and in huge amounts, communication is instant and the operations of our organizations are made possible. Credit freezes and good “cyber hygiene” may prevent some of the dangers associated with the dark web and the personal information that may be readily available there. When cybercriminals take advantage of technology, the results can be disastrous, especially within the legal community. Acknowledging the ever-evolving threat landscape, as well as its associated risks, can help keep a firm one step ahead.