chevron-down Created with Sketch Beta.

ARTICLE

Legal Cybersecurity Tips and Secrets (Cheat Sheet for Attorneys), 2024 Edition

Michael Andrew Iseri

Summary

  • California has joined 39 other states in recognizing the indispensable link between technological competence and the duty of legal proficiency.
  • In the increasingly digital landscape of legal practice, guarding against common attack vectors is paramount.
  • It is crucial for legal professionals to understand and implement robust security measures for their hardware.
  • Regular data backups, maintained on physical devices and in cloud services, are a robust defense against potential data loss and ransomware.
Legal Cybersecurity Tips and Secrets (Cheat Sheet for Attorneys), 2024 Edition
monstArrr_ via Getty Images

All California lawyers have a "duty to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology." Cal. Rules of Pro. Conduct r. 1.1 (Cal. State Bar 2021) (“Competence”).

On March 22, 2021, the California Supreme Court significantly amended the California Rules of Professional Conduct, particularly Rule 1.1, comment 1. This amendment obliges California attorneys to be aware of and understand the risks associated with the technology used in their legal practices, including cyber threats and cybersecurity issues. California has thus joined 39 other states in recognizing the indispensable link between technological competence and the duty of legal proficiency. Robert J. Ambrogi, “Tech Competence”, LawSites (2021); Robert J. Ambrogi, “California Becomes 39th State to Adopt Duty of Technology Competence,” LawSites (Mar. 24, 2021).

This article serves as an essential cheat sheet for both emerging and seasoned attorneys, encapsulating the best cybersecurity practices for the legal arena. This knowledge is distilled from my extensive experience and presentations at the California Lawyers Association’s Annual Meetings for three years. This piece is designed to arm legal practitioners with the best practices to navigate the increasingly complex cyber landscape effectively.

The Fundamental Rules of Cybersecurity

In the complex world of cybersecurity, two fundamental rules stand out for their critical importance.

Rule #1: Prioritize Physical Security over Cybersecurity

The first rule emphasizes the importance of physical security. It is necessary to prevent unauthorized physical device access as a primary defense mechanism. This involves safeguarding devices against theft or physical damage, as the best cybersecurity measures are ineffective if physical access to devices is compromised.

Rule #2: Acknowledge the Human Element

The second rule addresses the human factor in cybersecurity. It recognizes that humans are often the weakest link in the cybersecurity chain. Tricking someone is usually much more achievable than breaching a machine’s defenses. It is vital to focus on educating and training individuals within an organization. This includes fostering a culture of security awareness and ensuring that staff are knowledgeable about common cyber threats like phishing and social engineering and are equipped to recognize and respond to them effectively.

This framework not only involves technical measures and advanced software solutions but also encompasses physical safeguards and an acute awareness of the human aspects of cybersecurity. By adhering to these two foundational rules, legal professionals can create a robust framework for cybersecurity.

Navigating Digital Threats: Attack Vectors and Exploits

In the increasingly digital landscape of legal practice, guarding against common attack vectors is paramount. Legal professionals must safeguard their digital environments to protect sensitive information. Key areas of focus include the following:

  1. Social Engineering. This involves manipulative tactics to deceive individuals into revealing confidential information. Legal professionals must be aware of such attempts and exercise skepticism in their interactions.
  2. Computer Exploits. It is vital to stay informed about and protect against exploits that target computer vulnerabilities. Regular updates and security measures are essential in thwarting such attacks.
  3. Risky Attachments. Email attachments are a standard method for spreading malware. Caution should be exercised when opening attachments, especially from unknown or untrusted sources.
  4. Phishing. Deceptive emails or messages that aim to extract sensitive information are abundant. Legal professionals should scrutinize emails for authenticity and avoid clicking on suspicious links or providing confidential information.
  5. Man-in-the-Middle Attacks. These attacks involve intercepting communication between two parties. Ensuring secure and encrypted communication channels is vital to prevent such interception.
  6. Spoofing. This refers to the act of impersonating legitimate entities to gain access to information or networks. Awareness and verification of the authenticity of communication and digital entities are vital in preventing such breaches.
  7. Vigilance in Digital Spaces. Just as one would avoid risky situations in real life, the same prudence should be applied to digital spaces. Avoiding suspicious websites, unsecured networks, and other digital “alleyways” is essential.

Such vigilance and proactive measures are crucial for lawyers in safeguarding their (and their client’s) sensitive information against the evolving landscape of threats.

Protecting Your Hardware: Physical and Device Security

It is crucial for legal professionals to understand and implement robust security measures for their hardware. One key aspect is the state of encryption on various devices. It is essential to recognize that laptops running Windows or Apple’s macOS are not encrypted by default: the user must activate encryption manually. (For example, Windows requires Pro versions to have the program BitLocker, which encrypts entire hard drives and USB drives but must be activated manually.) Similarly, Android and iOS phones typically require users to activate encryption manually. This contrasts with Google Chromebooks, which come with encryption enabled as standard. Awareness and appropriate action regarding these encryption standards are essential for safeguarding sensitive legal and client data.

Another vital component of device security is consistent software maintenance. Regularly updating and patching software is more than just a performance enhancer; it is a critical defense against exploitation of known vulnerabilities. These updates often include vital security patches that protect devices and data from emerging cyber threats.

Additionally, the seemingly innocuous act of connecting external devices, like USB keys or phones, to a computer should be cautiously approached. The legal sector, in particular, must be vigilant against the risks of these external devices. They can be carriers of malware or facilitate data breaches, compromising the confidentiality and integrity of sensitive legal information. Hence, never plugging a random USB device or phone into a computer is not just a precaution—it is a necessity in maintaining stringent cybersecurity protocols.

By adhering to these practices, legal professionals can ensure a higher level of security for their physical devices, which is a central component of maintaining comprehensive cybersecurity in their practice.

Data Backups: Ensuring Data Integrity and Accessibility

Effective data management and backup strategies are critical. Regular data backups, maintained on physical devices and in cloud services, are a robust defense against potential data loss and ransomware. Furthermore, legal professionals must be acutely aware of where their data is stored, whether on physical devices or in online cloud backup services.

The security of these backups is equally important. It is imperative that they are not only regularly updated but also physically secure and safeguarded from unauthorized access or environmental risks. In environments where devices are shared among multiple entities, ensuring data segregation is vital to prevent unauthorized access or data mixing.

Clear policies regarding employee access to stored data must outline who can access specific data and under which circumstances. This extends to creating comprehensive policies and procedures for third-party access and breach-notification protocols. Should a breach occur, a well-defined response policy, including immediate actions, notification procedures, legal implications, and remediation steps, should be in place. Furthermore, implementing a disaster recovery and business continuity plan ensures minimal disruption to legal services in the event of significant data loss, safeguarding the firm’s and clients’ interests. Lastly, protocols concerning data access and exportation must be established and rigorously followed to ensure compliance with legal standards and to maintain client confidentiality.

Effective data management and backup strategies are paramount in legal practice to ensure data integrity and accessibility. Here is an overview on safeguarding data:

  1. Consistent Data Backups. Regularly backing up data is the first defense against data loss. Having multiple backup copies is essential, including on physical devices and in cloud services.
  2. Data Storage Awareness. Understand where your data is stored. This includes knowledge of physical devices, cloud backup services, and other data repositories.
  3. Security of Backups. Ensure that backups are physically secure and protected from unauthorized access or environmental hazards.
  4. Data Segregation. In environments where multiple entities use the same device, it is crucial to understand how data is segregated to prevent unauthorized access or data mixing.
  5. Access Policies. Develop clear policies regarding employee access to stored data, outlining who can access what data and under what circumstances.
  6. Third-Party Access and Breach Protocols. Create comprehensive policies and procedures for third-party access to data, and establish breach-notification protocols.
  7. Response to Breaches. Have a well-defined response policy for data breaches, detailing immediate actions, notification procedures, and remediation steps.
  8. Disaster Recovery and Business Continuity. Implement a disaster recovery and business continuity plan to ensure minimal disruption to legal services in the event of a significant data loss.
  9. Data Access and Exportation Protocols. Establish protocols concerning access to and exportation of your data, ensuring legal compliance and client confidentiality.

By implementing comprehensive data backup strategies, maintaining vigilant security protocols, and establishing clear policies for data access and breach response, attorneys can significantly enhance the protection and integrity of sensitive information. This commitment to robust data management ensures compliance with legal standards and fortifies the trust between attorney and client. Ultimately, these practices are not just about safeguarding data; they are about preserving the foundational principles of confidentiality and reliability that are integral to the legal profession.

An Overview of Password Cracking

The sophistication of password-cracking techniques has reached unprecedented levels, making implementation of robust password protocols a critical aspect of cybersecurity. This section comprehensively analyzes password vulnerabilities and the estimated time frames for cracking various password complexities using brute-force methods.

The brute-force approach, a method where a password-cracking program sequentially tests every possible combination of characters, has evolved significantly. Modern password-cracking strategies rely on this method and incorporate more nuanced techniques. These include targeting commonly used passwords, exploiting dictionary-word patterns, leveraging known encryption or hashing algorithm weaknesses, and applying probability theories such as birthday attacks.

Below is an illustrative list of passwords, juxtaposed with the estimated time frames for their compromise through brute-force attacks in 2022:

  • Simple Numeric Password: “9234567890” — approximately 3 seconds to crack
  • Primary Alphabetic Password: “abcDEF” — approximately 6 seconds to crack
  • Alphanumeric with Special Character: “abcDEF!” — approximately 3 hours to crack
  • Enhanced Complexity: “abcDEF!1” — approximately 25 days to crack
  • Further Complexity: “abcDEF!10” — approximately 6.5 years to crack
  • High Complexity: “abcDEF!10*” — approximately 610 years to crack
  • Extreme Complexity: “abcDEF!10*A” — approximately 57,337 years to crack
  • Ultra-Complex Password: “8@MoVing!VaCant#HUmble244” — approximately 241,111,914,873,899,690,000,000,000,000,000,000 years to crack

(Note: These times are estimates at best and do not incorporate hardware, software, and network optimizations. See How Long to Hack My Password, Random-ize (last visited Jan. 8, 2024).)

An important note on common patterns: The password “asdfjkl;” represents the default hand-resting position on a keyboard. While it may seem unique, its predictability renders it vulnerable and useless. A sophisticated password-cracking program could decipher it in less than a second. This highlights the critical need for awareness of common phrases and dictionary words in password creation, such as “password1,” “letmein,” “avocad0,” or “il0vey0u,” which are prime targets for advanced cracking programs. Please be advised that more competent password-cracking programs would first go through the commonly used passwords and then use dictionary-word password algorithms, any known encryption/hashing algorithm exploits, the birthday attack probability theory, and much more.

This analysis underscores the imperative for legal professionals to adopt robust and complex passwords, steering clear of predictable patterns and common phrases. As technology continues to advance, so, too, must our strategies for protecting sensitive information, ensuring that our practices remain competent and exemplary in cybersecurity.

Essential Password Practices for Security

In the digital age, where data breaches are increasingly common, the importance of robust password protocols cannot be overstated, especially in the legal profession where sensitive data is commonplace. A strong password is the first defense against unauthorized access to critical information. However, there are other essential password practices as well. Here are some recommended practices for password creation and management:

  1. Complexity and Unpredictability. Passwords should never be simple or predictable. They must be complex enough to withstand standard cracking techniques and should not be easily guessable.
  2. Regular Updates. There is some debate over the practice, but, generally, the recommendation is to change passwords every 30 to 90 days, particularly following a major exploit. This helps mitigate risks associated with password breaches over time.
  3. Strict Confidentiality. Passwords should never be shared except under the strictest circumstances and with utmost control. Even then, sharing should be minimized and handled with caution.
  4. Separate Passwords for Sensitive Data. Different passwords and PINs should be used for accessing distinct types of sensitive data, such as financial information, major email accounts, and critical legal or business services. This segregation ensures that a breach in one area doesn’t compromise other data.
  5. Personal Information Exclusion. Passwords should not contain information that is personal to the creator, such as a father’s middle name, to avoid easy guesses through social engineering tactics.
  6. Security Questions. Whenever possible, enable security questions for an additional layer of security. However, the answers to these questions should not be based on actual, easily discoverable information about the user. This practice helps prevent incidents similar to the high-profile breach experienced by Paris Hilton, where personal knowledge of her dog’s name led to unauthorized online account access.

Furthermore, avoiding standard and easily guessable codes is crucial when considering PINs, especially for mobile devices. Studies show that the top 20 most common mobile phone PINs account for 26 percent of all cracked phones: 0000, 1004, 1010, 1111, 1122, 1212, 1234, 1313, 2000, 2001, 2222, 3333, 4321, 4444, 5555, 6666, 6969, 7777, 8888, and 9999. Avoiding these standard PINs can significantly enhance the security of your devices.

Adhering to these password and PIN protocols is not just a technical necessity but a fundamental aspect of practicing safe and responsible legal ethics, particularly in the legal field where the confidentiality and integrity of data are paramount.

Implementing Effective Password Management

Effective password management is a critical component of cybersecurity, crucial for safeguarding sensitive information and maintaining the integrity of digital operations. There are two primary methods recommended for maintaining strong and secure passwords.

The first method involves utilizing a password-management system, such as Bitwarden. These systems offer a secure and efficient solution for storing and managing a variety of passwords. One of the key advantages of using such systems is the ability to implement system-wide administration. This feature is particularly beneficial in an organizational setting, allowing for centralized control over password management among users. While advanced features of these systems often come with a cost, the investment is justified by their enhanced security and convenience. Please note that there were previous security breaches/exploits with LastPass (significant security breaches in 2022), 1Password, Dashlane, and other programs.

(In December 2023, password managers such as 1Password, Dashlane, LastPass, and others were affected by a security vulnerability known as the Android AutoSpill password manager vulnerability. For more information, see Davey Winder, Warning as 1Password, DashLane, LastPass and 3 Others Leak Passwords, Forbes (Dec. 11, 2023).)

The second method is the creation of code-based passwords incorporating entropy characters to increase complexity. This approach involves writing a series of words or phrases and substituting each with a predetermined code known only to the user, combined with random entropy characters. For instance, a simple code might be the following:

  • Written Code: “Apple + Life + City + FavD”
    • Memorized Decryption Key:
      • Apple → Pie
      • Life → 42
      • City → LALALAND
      • FavD → Wall-E
    • Resulting Password: “Pie42LALALANDWall-E”

With code-based passwords, you can write them down and store them. As long as the user protects the code usage and decryption, then written code-based passwords would not be cracked.

From there, you can do more advanced variations of code-based passwords by providing special characters and sequences between coded words to increase complexity and entropy. For instance, an advanced variation might be the following:

  • Advanced Written Code: “! + Apple + Life + abcde + City + @ + 0982 + FavD + *”
    • Memorized Decryption Key:
      • Apple → Pie
      • Life → 42
      • City → LALALAND
      • FavD → Wall-E
    • Actual Password: “!Pie42abcdeLALALAND@0982Wall-E*”

However, it is crucial to note the importance of avoiding the storage of passwords in web browsers like Chrome, Edge, or Firefox. Passwords saved in these browsers are often stored in plain text, making them susceptible to easy retrieval. A straightforward online search can reveal instructions on how anyone can access these saved passwords in these browsers even without knowing the user’s password.

Legal professionals can greatly improve their cybersecurity posture by adopting these password-management techniques. Whether through sophisticated password-management systems or the creation of complex code-based passwords, it is essential to ensure that the methods for creating and storing passwords align with the highest cybersecurity standards. This commitment to robust password management is a critical step in safeguarding sensitive information and upholding the integrity of legal practice in the digital age.

Hot Keys: Maximizing Efficiency with Windows, Web Browsers, and Office Productivity Programs

Efficient navigation of the workstation, office productivity programs, and web browsers is crucial for legal professionals. In the fast-paced world of legal practice, mastering Windows hot keys can significantly enhance productivity and cybersecurity.

Hot keys are potent tools for optimizing research and workflow management, and they enable attorneys to manage their workstations, productivity programs, and web browsing, saving time and energy and enhancing productivity in their daily online interactions.

Specific hot keys are also crucial for quick security responses. Sensitive judicial information on the computer of one of my friends, who worked for a federal judge, was significantly tampered with when that person left it unattended and unlocked within the work area. Simply pushing “Windows Key + L” would have prevented such a vast security outcome by setting the computer to the lock screen (assuming a password was set on the machine).

Essential hot keys include the following:

Windows Hot Keys

  1. Ctrl + Alt + Del: login menu command options
  2. Ctrl + Shift + Esc: open Task Manager
  3. Windows Key: pull up the Windows menu
  4. Windows Key + M: minimize all windows
  5. Windows Key + “,”: temporarily minimize all windows while pressed
  6. Windows Key + L: lock the computer
  7. Windows Key + M: minimize all windows
  8. Windows Key + D: minimize all windows to desktop; hit again to redeploy windows
  9. Alt + Tab: switch between windows
  10. Windows Key + Tab: open the Task View interface to switch between open windows or Virtual Desktops
  11. Hold Shift + Left Mouse Click on a Program in Task Bar: open another instance of a program
  12. Alt + F4: close the current window
  13. Windows Key + X, U, R: restart Windows 10 and 11
  14. Windows Key + X, U, U: shut down Windows 10 and 11
  15. Windows Key + Ctrl + D: create a new Virtual Desktop (useful for organizing different task windows)
  16. Windows Key + Ctrl + F4: close current Virtual Desktop
  17. Windows Key + Ctrl + Left/Right Arrow: move between Virtual Desktops for enhanced task management

Microsoft Word Hot Keys

  1. Ctrl + A: select all
  2. Ctrl + C: copy
  3. Ctrl + X: cut
  4. Ctrl + V: paste
  5. Ctrl + Z: undo actions
  6. Ctrl + Y: redo actions
  7. Ctrl + B: bold
  8. Ctrl + I: italic
  9. Ctrl + U: underline
  10. Ctrl + S: save
  11. Ctrl + P: print
  12. [After Copying] Mouse Right Click and Select Under Paste Options: paste plain text
  13. Ctrl + F: find
  14. Ctrl + H: find and replace
  15. F7: spell check
  16. Ctrl + K: insert hyperlink
  17. Shift + Left/Right Arrow: highlight one character at a time
  18. Shift + Ctrl + Left/Right Arrow: highlight one word at a time
  19. [While Selection Is Already Highlighted] Shift + Alt + Up/Down Arrow: Moves the selection up or down by lines or bullet points
  20. Shift + F3: cycle through all caps, small caps, smart caps
  21. Alt + O, N: open menu for bullet points
  22. [Beginning of a Bullet Point Item] Tab: indent and make a bullet point entry at the next level, right
  23. [Beginning of a Bullet Point Item] Tab + Shift: indent and make a bullet point entry at the previous level, left
  24. Ctrl + F: add a footnote
  25. Ctrl + L / E / R / J: align text left, center, or right or justify

Web Browser Hot Keys

  1. Ctrl + F: open a find bar to search for text within the current webpage
  2. Ctrl + “+” / “-”: zoom in/out on a webpage (note: you can check if a website was used by checking for saved zoom options)
  3. Ctrl + 0: reset zoom level to default
  4. Shift + Enter: force a next line space in a text command (useful for text chat sessions where enter defaults to send messages, such as for LinkedIn messages)
  5. Alt + Left Arrow/Right Arrow: navigate backward/forward through the browsing history
  6. Ctrl + Enter: automatically add www. and .com to your input in the address bar and open the webpage
  7. Ctrl + Shift + T: reopen closed tabs in the order they were closed
  8. F11: enter or exit full-screen mode in web browsers
  9. Ctrl + H: open browsing history
  10. Ctrl + J: open the downloads window
  11. Ctrl + Shift + Delete: open the clear browsing data dialog
  12. Ctrl + Tab: cycle through web browser tabs
  13. Ctrl + T: create new web browser tab

Bonus: Windows Key Commands

  1. Ctrl + Shift + Alt + Windows Key: open Microsoft 365 in your default browser
  2. Ctrl + Shift + Alt + Windows Key + L: open LinkedIn in your default browser
  3. Ctrl + Shift + Alt + Windows Key + W: open Word
  4. Ctrl + Shift + Alt + Windows Key + X: open Excel
  5. Ctrl + Shift + Alt + Windows Key + P: open PowerPoint
  6. Ctrl + Shift + Alt + Windows Key + O: open Outlook
  7. Ctrl + Shift + Alt + Windows Key + T: open Microsoft Teams
  8. Ctrl + Shift + Alt + Windows Key + D: open Microsoft OneDrive
  9. Ctrl + Shift + Alt + Windows Key + N: open Microsoft OneNote
  10. Ctrl + Shift + Alt + Windows Key + Y: open Microsoft Viva Engage

For macOS and other office productivity programs and web browsers, do an online search for similar commands, if they exist.

These hot keys are indispensable tools, enabling legal professionals to navigate Windows, office productivity programs such as Microsoft Office, and web browsers with precision, ultimately saving time and streamlining tasks in their legal practice.

Mark Your Calendars: Understanding the Life Cycle and “Sunsetting” of Operating Systems

Operating systems (OS) do not last indefinitely: they have expiration dates commonly called “sunsetting” or “end of life.” This marks when an operating system mostly no longer receives security updates or new features, significantly impacting its functionality and security.

For users of Microsoft Windows, being aware of these sunsetting dates is essential for maintaining a secure and efficient computing environment. Here is an overview of the sunsetting timelines for various Windows versions:

Microsoft Windows

  • Sunsetting of Windows XP
    April 2014 (12 years of support)
  • Sunsetting of Windows Vista
    April 2017 (10 years of support)
  • Sunsetting of Windows 7
    January 2020 (11 years of support)
  • Sunsetting of Windows 8
    January 2023 (11 years of support)
  • Sunsetting of Windows 9
    Not applicable—Microsoft skipped Windows 9 just like Apple skipped iPhone 9
  • Sunsetting of Windows 10
    October 2025 (10+ years of support)

In contrast, Apple’s approach to supporting its operating systems differs slightly. Typically, Apple provides around three years of support for its recent operating systems. However, there is no official statement from Apple confirming this policy. This lack of formal communication necessitates that Apple users remain particularly vigilant about their system updates and the potential security implications of using older versions:

Apple

  • Sunsetted Versions
    • macOS 11 and below (released November 2020)
  • Current and Supported Versions
    • macOS 12 (released October 2021)
    • macOS 13 (released October 2022)
    • macOS 14 (released September 2023)

A notable event in this context was the expiration of the “IdenTrust DST Root CA X3” root certificate on September 30, 2021. This expiration had widespread effects, causing older computers and phones to receive certificate warnings when accessing websites that use Let’s Encrypt certificates. DST Root CA X3 Expiration (September 2021), Let’s Encrypt (updated Feb. 5, 2024). Affected devices included Apple computers running macOS 10.11 (“OS X El Capitan”) or earlier, Windows XP Service Pack 3 or earlier (which sunsetted in April 2014), iPhones with iOS 9 or less, Nintendo 3DS game systems, and PlayStation 3 game consoles. Certificate Compatibility, Let’s Encrypt (Aug. 2, 2023). This incident led to a surge in complaints from attorneys and users suddenly facing unexpected security alerts.

For attorneys and legal professionals, understanding the life cycle of their operating systems and the implications of sunsetting is not just a matter of convenience; it is a critical aspect of ensuring the security and integrity of their digital practices. Staying updated with these timelines and planning for necessary upgrades or transitions are critical for maintaining a secure and reliable technological environment.

Conclusion

Cybersecurity is not a mere addendum to legal practice but a fundamental aspect that demands vigilant attention and continuous adaptation. The comprehensive guide outlined in this article, spanning from security protocols to the life cycle of operating systems, provides attorneys with a robust framework to fortify their digital practices. As legal practitioners, we must stay abreast of technological advancements and emerging cyber threats.

By staying vigilant against digital threats, integrating effective password-management strategies, and optimizing our use of technology, we enhance our personal efficiency and contribute to the collective security and resilience of the legal field. In doing so, we protect ourselves and our clients while strengthening the foundations of both justice and confidentiality that are the pillars of our profession, whether physical or digital.

    Author