October 23, 2012

How Law Firms Can Defend Against Social Engineering

Bill Gardner – October 23, 2012

Social engineering is the clever manipulation of the natural human tendency to trust. The most common (but by no means only) form of social-engineering attack is phishing. Phishing attacks are emails attempting to entice the receiver into (1) clicking a link or opening an attachment in the email that leads to malicious software, or (2) providing financial or personal information to the sender.

With the rise of phishing and other social-engineering attacks, building technical defenses around your law firm’s network—or allowing IT to do this if you’re at a larger firm—is simply not enough. During my time as the information technology director for a law firm, I’ve found that you must also secure the human.

The Business of Social Engineering
Threats from hacking groups against law firms are increasing; the FBI has issued a series of warnings to law firms that they are at risk of being targeted by phishing and other social-engineering attacks. Information-security firm Mandiant Corp. estimates that 80 law firms were attacked in 2011.

Most lawyers don’t appreciate the large amount of data they have accumulated on their in-house networks—including trade secrets, medical records, Social Security numbers, and financial information—all of which are targeted by computer criminals. So how can you defend against these types of attacks?

Defending Against the Attack
Don’t Just Click Stuff
Social engineers are going to attempt to prey on your staff’s natural curiosity and helpful nature to trick them into giving out confidential information or clicking on links or attachments containing malware. The best defense is to never click the links or open the attachments in unexpected email before validating the legitimacy of such email by directly accessing the sender’s website.

For example, if you receive an email from your bank stating there is a problem with your account, directly access the bank’s website or contact your bank’s customer-service department. If you click on the links in the email, you may be taken to a website that looks just like your bank’s website, and when you attempt to log in, your username and password may be stolen.
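The bank example above can also be checked mechanically before anyone clicks: compare where a link claims to go with where it actually goes, and with the domain the message claims to come from. This is an added example, not code from the article; the message, sender and domain names are constructed for the demonstration.

```python
# Added example (not from the article): flag links in a phishing-style e-mail
# before anyone clicks. The message and domain names below are constructed.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable domain (last two labels); enough for a demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_suspicious_links(raw_message):
    """Return (href, reason) for each link that should be verified, not clicked."""
    msg = message_from_string(raw_message)
    sender_domain = registrable(parseaddr(msg["From"])[1].rsplit("@", 1)[-1])
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:  # mailto:, relative or malformed links are not web links
            continue
        # The visible text names one site but the link goes to another.
        if text.startswith("http") and registrable(urlparse(text).hostname or "") != registrable(host):
            findings.append((href, "visible link text names a different site"))
        elif registrable(host) != sender_domain:
            findings.append((href, f"link host {host} does not match sender {sender_domain}"))
    return findings

SAMPLE = """From: "Security Team" <alerts@examplebank.com>
Content-Type: text/html

<p>Please log in at <a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
or see <a href="https://www.examplebank.com/help">our help page</a>.</p>
"""
```

Running `find_suspicious_links(SAMPLE)` flags only the first link, whose visible text shows the bank's site while the actual destination is a different domain; the genuine help-page link passes.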

Lock Your Computer and Choose Strong Passwords
When not at your computer, lock the screen (on most Windows computers, this is “Windows Key + L”). This keeps someone from accessing your computer and using it as if they were you.

Passwords are the first defense in keeping your data safe. The longer the password, the harder it is to guess or crack. Passphrases are generally longer, and therefore more secure, than ordinary passwords.

Be Careful What You Throw Out
Shredding confidential material such as medical records is not just a good practice, it might also be the law. If documents such as medical records fall into the hands of third parties, you will likely be in violation of HIPAA/HITECH and may have to notify victims based on state breach-notification laws. “Dumpster diving” for confidential material happens far more often than you think.

Don’t Forget Physical Security
Your data is not safe if someone can walk into your office and carry off a server. Make sure your staff knows that all visitors need to be escorted and that they should never let someone follow them through a locked door.

Implementing an Information-Security Awareness Program
While some vendors would be happy to sell you a software cure-all to stop these sorts of attacks, your best defense is to start an information-security awareness program in your firm to prepare the people who may fall victim to these social-engineering attacks.

Help Your Organization Understand the Threat
Making your users aware of the threat to your data is the first step in any information-security awareness program. The motives for stealing data vary. Most attackers are looking for data they can sell for money.

The Russian Business Network is an example of an organized computer-crime syndicate looking to steal personally identifiable information such as Social Security numbers and medical records to sell on the black market. On the other hand, many hackers from China are usually after your intellectual property or trade secrets that can be sold to competitors or used to gain a competitive edge.

Other attackers, known as hacktivists, may use social engineering to break into your network to deface your website or publicize your information; this could be because they don’t like who you represent or because they are anti-“big business.” Examples of hacktivist groups that have been in the news recently include Anonymous and Lulzsec.

Integrate Education into Existing Training Processes
Informing employees of the threats to your information and what they can do to keep themselves safe can be as simple as holding yearly training or making information-security awareness a part of the onboarding process.

Use Real-World Examples
Up-to-date information from recent news stories helps to illustrate breaches that have happened to other firms. Here are some example stories you can use:

Unlike a cure-all software tool, the relatively inexpensive process of educating your associates and peers will go a much longer way in securing your firm’s and clients’ data.

Keywords: litigation, technology, social engineering, hacktivist, hacktivism, Anonymous, Lulzsec, information security
