On demand 1h 14m 58s Basic

Cyber Security for Law Firms 101

4.8 out of 5 Excellent(11 reviews)
View all credits3 approved jurisdictions
Play video
  • Credit information
  • Related courses

Cyber Security for Law Firms 101

Cyber security issues across numerous industries have been hard to miss in recent years and law firms are no exception. In this introductory discussion, we’ll talk about the basics of cyber security as it pertains to law firms. Along the way, we’ll discuss the wide array of threats to law firm and client data, electronic scams, tricks and the consequences that can come with them, as well as the steps to take in order to prepare for the next inevitable attack.

Transcript

Shaun Salmon - Hey everyone, I'm Shaun Salmon, vice president of MCLE and professional development here at Quimbee. Today, I'll be joined by cybersecurity expert and attorney, Scott Aurnou. Scott is honestly a fabulous human being and a wealth of knowledge when it comes to data protection. And during the next hour, I'll be asking Scott to talk to us about the basics of cybersecurity for law firms, including understanding the electronic threats that face firms today and how to be ready for a security incident. So, Scott, welcome. I know we have like so much to get through, but before we jump in, is there anything else you wanna add?

Scott Aurnou - Just thank you very much, and hello. Yeah, lots of info. So I'll just zip it and ask questions, I'm happy to answer.

Shaun Salmon - Perfect. So jumping right in, are law firms at any greater risk than other organizations for a security breach?

Scott Aurnou - I'd love to say no, but unfortunately the answer is yes. And part of your problem really that you run into there is the fact that we're dealing with clients. And a lot of those times, it's not just a matter of targeting the law firm itself, it can also be targeting the client. And often what'll happen is you'll have a client who has, say, a more secure system, and the attackers looking at their system, trying to find in and says, "Hey, wait a second. "They've got attorneys." And then they go after the attorney network, which is not as well defended. Or, there's the fact that you have multiple clients and they're all gonna hit you at once, basically in short order, they tend to, hackers that is, tend to view attorneys as a soft target holding valuable data, it's a really lousy combination. But yeah, it does mean that law firms tend to get targeted inordinately, unfortunately.

Shaun Salmon - Got it. And so, I mean, when you're helping firms, right, or if you are a firm, where do you start? I'm sure it's good to understand a few tech basics, but walk us through how you start this.

Scott Aurnou - Well, usually, it depends on what sort of, where they need me. It's like, has something just happened? Are we reacting to that? If I'm walking people through understanding this stuff, I do start off with the basics. I mean, as simple as what is binary data? Now, binary code is what's referred to as basically the most basic sense of data. That's ones and zeros. We've all seen this, but what is it? In effect, it's how this stuff is stored. It's a positive or negative, like on or off, or if it's magnetically polarized, positive or negative. And the whole idea there is using those units, that's how everything breaks down. I mean, this recording we're watching it breaks down to binary code. Every program you use. Anything you store. Anything, binary code. And these ones and zeros are kind of, it's not a lot there. The smallest amount you'd get out of them would be eight of them together, that's called a bit. And the thing is they start adding up pretty quickly. You get about a thousand of those becomes a kilobyte, I'm sorry, eight is a byte. Sorry about that. Each individual ones a bit, about thousand of those is a kilobyte, thousand of those a megabyte, thousand of those a gigabyte, then a terabyte. Now, how much is that realistically? Well, the conservative estimate, I mean, obviously, this will vary depending on what sort of information you have there. Would it be something like a 4K movie? Obviously, that's gonna take up a lot more room than the same movie and standard definition, something like that. But sort of a conservative estimate. Let's say you're talking about just text. One gigabyte is about 75,000 pages of text.

So for example, I have here a handy stick drive, this little guy can hold about 19 million pages of text, just this. And if you're talking about a typical drive on a computer, terabyte, two terabytes, that's 75, 150 million pages of data. So if someone gets access and has that kind of storage capacity, they can take an awful lot from your network. And of course, moving beyond that, then it becomes, well, how does this all work with the networks? You hear those numbers like gigabytes and terabytes, and they're talking about storage or memory on a computer, well, what are those? Storage is where you're actually holding onto things that are still there when you turn it off, sort of like a filing cabinet. Memory is what's actually up and running. That's how you can run what's happening on the computer instantaneously. I like to think of it as a desk you're working on, and at the end of the day, anything left in the desk disappears. So if you save it and put it into storage and it winds up in a filing cabinet, it's still there in the morning, you can call it backup.

A storage comes in a few different flavors. Typically, it's magnetic, optical, or what's called flash, or SSD, including that little stick drive I was just holding up. Magnetic basically is magnetic polarization, positive or negative for the ones through zeros. Optical is small depressions on a little disc that get read with a laser, think of like a CD or DVD. Magnetic drives are like older computer drives. They look like a stack of silvery pancakes, a little spindle reading them kind of. And flash or SSD, modern drives have those, they don't have moving parts, but the same thing, you're still storing ones and zeros, stick drives will have that. They tend to be good. They have other issues like one of the funky things with those is if you store something eight times, it will store in eight different places in the drive so it doesn't wear part of the drive out. Now, why would I mention this? Because let's say a forensics expert is trying to look at something later. That's an awful lot of versions for them to look at. And if you're trying to get rid of data, it makes it that much harder to hide it. Now, on a related note, then you have, say, computer networks themselves, typically they're organized by what's called client-server model. Let's say you're watching this right now on a computer related to your work network. That's a client. The centralized computers that actually do more central functions for the whole thing could be anything like a brief bank, your email, those are servers.

Now, typically speaking, you'd sort of like a spokes on a wheel, you might say, the servers are centralized. And then they go out to each individual computer. Now, on the other hand, when you're talking about something much larger than this, like the internet, that's basically a gigantic decentralized network across the world. The thing is how does data get from point A to point B? You don't just send it in giant gobs, it gets broken down into little pieces called data packets. Think of it like, I guess like your transporter in "Star Trek," they disassemble everybody and then reintegrate the parts wherever they're beaming Kirk and Spock and the crew too. Yeah, that sort of thing, that's basically what's happening. Now with the cloud itself, of course, that's a related thing that actually goes back, believe it or not, to old network drawings, like from when you had network engineers, as far back as the '70s, they would actually literally map out what's where on a network. You can still see these now online if you're looking for some really exciting stuff to check out. And typically what'll happen is towards the side of the network, it'll literally have a little arrow saying to internet and a cloud. That's where they came up from it, or with it, that was actually, believe it or not, a Microsoft marketing campaign. I think it really took off about 10 years ago and everybody went, oh, the cloud. Yeah, take it to the cloud. Meanwhile, network people are going, yeah, the cloud we know, we know. So the concept has been around for a while, but that's all it means. The cloud is just a computer somewhere else. That's it. That's the full concept, start to finish.

Now, when this information's going back and forth, the way it's transferred is using what are called protocols. Protocols will transfer data from place to place and different protocols have different properties. They'll handle different kinds of data, or some of them might be more secure than others. For example, one, you see very commonly is HTTP hypertext transfer protocol. That's the internet. And mostly now you see HTTPS which is hypertext transfer protocol secure, which is running over a type of encryption called SSL. And the whole idea there is that that's what's sending the net from you to me and vice versa. That's what translating it. Now, when these things go from system to system, they're basically they have to have openings to get into each system. And those are called ports. And there are a number of numbered ports. I mean, the total number is over 64,000, there's quite a few, but they're a number that are sort of set ports unless you go about changing them. HTTP, for example, is always gonna be port 80, unless you switch it. HTTPS is port 443. That's just what's normally done. There's a bunch that get used commonly. And they're typically those ports. One thing to mention, though, with respect to the protocols is you do have to have a matching set on either side. Think of it like you're talking to someone from another part of the world, and let's say you speak English, Dutch, and Japanese, the person you're talking to speaks French, Swahili, and Japanese. Well, your conversation's gonna take place in Japanese. 'Cause, that's the protocol that you both speak. Now, one last thing just to mention is programs. We've all heard of these, very complex concept. It's a set of instructions, that's it. That's what a program is. Sometimes it might be referred to as software or app or application, same concept, just a set of instructions. Hopefully, that covers enough for the basics. That's usually where we'd start off just to give people sort of the groundwork is then when you're moving along and you reference something like a program you're not going, yeah, what's that again?

Shaun Salmon - So, in like the last six minutes, I just learned so much. I'm not sure what's gonna actually stick in here 'cause to me a program is this the only program it's what we're doing right now, but.

Scott Aurnou - You're doing that in one single sentence.

Shaun Salmon - So, okay, where does security come in? Like talk to me about vulnerabilities and how to control it and everything else.

Scott Aurnou - Well, there's a lot of things that break down the concepts. Vulnerabilities are a good place to start. You'd have vulnerabilities, threats, and risk. Now the ideal behind a vulnerability is it's what's the potential weakness that an attacker is going after? And then the threat is what is the attacker doing? And the risk is the likelihood that comes out of that. So let's think of it, for example, let's say you have an open window in your apartment and the threat is a burglar. Now the likelihood then would relate to, well, where's the window? Are we talking about a first-floor window or a 51st-floor window, obviously 51st, much lower risk. One of the things to look at is the potential impact as it's referred to, which is okay, let's say this threat uses the vulnerability and it happens. Well, what are some factors that might affect that? An example I might give you would be something like an earthquake, for example, let's say, you have an earthquake that hits San Francisco versus the exact same magnitude earthquake hitting Boston. Now believe it or not, you're gonna probably get a lot more damage happening in Boston because San Francisco has building codes that specifically have to make buildings earthquake resistant. They're not gonna block everything in the world, but they're much more resilient against that particular type of attack. Those requirements don't exist in Boston because they don't tend to get earthquakes the same way. So the impact of that earthquake in Boston is going to be more severe.

Another concept to look at is something called the CIA triad. That's sort of what underlies all of security, nothing to do with the agency, just clearing that up. But the CIA in this context is confidentiality, integrity, and availability. Confidentiality is somewhat related to privacy. It's the idea that the only people who can see a specific thing are the people who are supposed to be authorized to see it. So if you are saving something for a certain number of people that's who can see it, that's confidentiality. Integrity on the other hand means that the data is unaltered, so it means someone hasn't gone in. Let's say if you're looking at a report card in a school, someone hasn't snuck in and changed the grades, it has integrity, it's left alone as it is unaltered. Availability means you can get to it when you want to. Now, while that might seem like an obvious thing, there is some kinds of attacks like ransomware, where basically an attacker will encrypt your own data from you thus it becomes unavailable, so you can't get to your own data. It's also viewed as an integrity attack because that alters the data. But I digress, now, what do you do to actually deal with these? How do you protect things? These are what we refer to as controls.

Controls are broken into three categories: there's physical, technical, and administrative. Physical controls are things like guards, physical locks, doors, guard dogs, cameras, literally physical world things you can see. Technical safeguards are things that we would look at in a computer system. You've probably heard of a firewall. There are also intrusion detection systems, intrusion protection systems. There are what's called a security incident and event manager, basically, anything technically based that will slow things down. Encryption is another one, for example. Administrative controls, that's typically where lawyers tend to come into the picture a little more where you might see an administrative control, for example, would be something like policies, procedures often drafted by attorneys. Contracts are actually hugely important as an administrative control because it sets the guidelines. And if an attorney knows their stuff, you can set guidelines that are really much, much, more secure. And speaking of which, one of the things to look at is framework, standards, and guidelines. These are things that you can find from various security organizations, including the government, probably the best-known one I would point to right off the bat would be from NIST, which is the National Institutes of Standards and Technology in DC. They have what's referred to as the cyber security framework, they're on version 1.1 now, which is actually pretty solid. It's a good place to start because it lays out computer controls without making them unnecessarily confusing.

Let's see, there's also the ISO 27000 series. If you're working for a large organization, you might deal with that. It's a much more detailed set of controls as it were, hundreds and hundreds of them. So I mean, many of these systems, when you're looking at all the controls, they'll set them in layers. For example, a guideline, I would mention be the CIS the computer, sorry, sorry. The Center for Internet Studies, my apologies. They have basically controls and benchmarks and they sort of set it in levels where if you're all the way at the top, you're doing something like 300 controls. The one before that you're doing like 180, it goes down step by step. And obviously, the farther up you can be the more secure your network will be.

Shaun Salmon - And what is the role like the very specific role of policies and procedures when you talk about this?

Scott Aurnou - Well, though, it's funny it seems like a, oh yeah, policies, whatever. And as an employee, of course, they actually serve a super important function because in effect they're sort of setting the guiderails and in security, that's such a critical thing because you really to be consistent throughout your organization to protect things. And plus God forbid something goes wrong. If you're sort of doing it ad hoc, as opposed to really controlling things and keeping it consistent, A: it's really hard to figure out what went wrong in the first place. And then B: well, what do we fix? We weren't really doing anything particularly consistent. So that really makes it tricky. Obviously, these are administrative controls to start with. And it boils down to just a few things. A policy should always clearly state what's the purpose, what's it for? What's the scope? Who's affected by this? What does it do? And then finally, who is responsible for what under the policy? So make sure who knows who's doing what? And why they're doing it. What has to happen as a result? And examples of this might be something like an overall information security policy, an acceptable use policy, as it relates to data, social media policy, internet policy, you name it, things like that.

Procedures are related, they tend to lay out specific steps pertaining to tasks. For example, let's say you're bringing in a new employee, you'll have a very specific procedure. You have to do step one, step two, step three, and you've gotta make sure you do those things to make sure you're bringing the person on correctly. You're properly setting up a secure access to the network for them, that sort of thing. Another one I can give you an example of would be setting up various security equipment. One particular I could mention, full story. A good buddy, John, John's a network engineer. Very good one. John was once configuring a firewall. I'm sure you've heard of firewalls. Firewalls are essentially filters for passing traffic. The big industrial ones can be pretty complex. They basically work on rule sets, sort of if X condition exists, then take Y action, that type of thing.

Now while that may seem simple if you've got like several thousand rules going through a big firewall that's tricky stuff. John was working on one, updating it. There was a glitch and everything disappeared. Luckily, John's a good engineer. And he had backed everything up before he started. So it turned, it turned to as opposed to an absolute catastrophe, which it would've been if they didn't have the data backed up, because that was the procedure. John followed it 'cause he's good at what he does. Now at the end of the day, what these come down to is they allow you to follow that consistent approach throughout an organization. And that's one of your key things about security if you are consistent, if there's something wrong, you can fix it and you can find it.

Shaun Salmon - Got it. So the moral of that story is be like John, yes.

Scott Aurnou - Yeah, John's are goods.

Shaun Salmon - Be like John, got it. Okay, so pivoting like a little bit, right. What does risk management do?

Scott Aurnou - Well, risk management is your overall viewpoint before you get into the controls, before you get into anything else. It's sort of like, well, what's up? What are we looking at? What are we protecting? How do we do this? How do we fix it? This is your step back and analyze, which is a great place to start. In fact, you're assessing what's happening. Then you're managing that risk and you're mitigating it. And that way you're stopping the potential losses hopefully before they happen. And in fact, this starts with what's called a risk assessment. One way to outline this is from another thing from this National Institute Standard Technology, they have a list of publications called their SP 800 series, Special Publication 800-30, Revision 1, is specifically for risk assessments. Basically what they come down to is you go through your system and then at the end of it, you're gonna wind up with a prioritized list of actual security risks. A simplified version of the essential steps are determine the scope of what you're looking at. Like what are you looking to protect? Is it your whole network? Is it part of it? And then identify and categorize assets to protect. That's always critically important.

So you can put in great controls, if you don't know what you're actually protecting, best of luck, that can really go south on you. But if you actually know what to protect, you can obviously take the steps to do so, then once you've identified these assets you wanna protect, you then identify the threats to those assets potentially. Then you wanna look at what are the potential vulnerabilities in those assets and the systems protecting those assets? Then you look at the likelihood of occurrence. Then we mentioned impact earlier. You're looking at the magnitude of impact, this is not necessarily Boston versus San Francisco. This is for your system, looking at the specific stuff you're looking to protect, what are you going to do? And then with all these combined, you determine risk. And then once you've got an idea of the risk, the question is how to approach it. There are four essential approaches to risk. There's a void, accept, deny, and transfer.

To avoid, that's where you're trying to take steps to mitigate the risk, that's okay, we see something's bad here, well, tell you what? Let's actually put something in our system that will protect things. Let's set up that better firewall. Let's set up an intrusion detection system, that sort of thing. Accepting means you look at the risk and go, well, I see there's a risk here, but at the end of the day, what they're gonna steal is an aunt Edna's brownie recipe, and we never like those brownies anyway. So we'll just accept that risk, no need to spend that several thousand dollars to get a firewall to protect it. Or you can deny it. This is a bad idea. Don't deny risk, deny is basically the la, la, la, la, la, I'm not listening. Which is not a happy approach because at the end of the day, when you do get hit and you will, you're basically acting like, oh, I didn't know about this. That's gonna go south because that's where you wind up, A: you lose assets. B: you could wind up losing clients. And C: you can have a little visit from a number of different regulators.

Finally, there's transferring risk. That's again, lawyers come in here because typically a transferrer risk, that's via a contract, for example, you're dealing with a vendor, if this type of security incident occurs, liability falls here, that type of thing, or would also be through cyber liability insurance. Very, very careful when you're drafting cyber liability insurance, A: read it really, really carefully. B: talk to it with your technical people. So what'll happen sometimes is they'll put in little codicils in their word. They don't really cover the risk you want them to cover or worse they'll ask you to do things that your system isn't actually doing. So let's say there's a certain type of testing they want in a system like there's something called a pen test where basically an attacker tries to worm their way into the system and then gives you a report on what they find. Let's say they require a pen test every quarter, which is awfully frequent. Something happens, they come in and say, well, gosh, we're really sorry about your system, Shaun, but could you show us our latest pen test report, your last ones from like eight months ago, they go, gosh, that's terrible but sorry, we have to deny coverage 'cause it had to be three months ago and meantime you may be cursing them, but unfortunately, it's in the contract. So you just have to be careful that you know what you're actually signing onto.

Shaun Salmon - And let's talk now about how does this apply to a law firm's computer network?

Scott Aurnou - Well, at the end of the day, the network is basically that's your primary repository for both firm and client data. That's the crown jewels that's what's hiding there. So there you have to look at well, okay. Here's where everything couldn't go badly. Well, what are you looking at? You have a range of potential attackers, these could include criminal gangs and mind you, I know you've probably seen TV, there's a bunch of people wearing hoodies attacking that's not what's happening. Could be very organized gangs. A lot of them are out of Eastern Europe, but not all. And they're making a lot of money doing work that doesn't require a lot of challenge. And because they're often in jurisdictions like Russia, that won't bother prosecuting them if they break into your systems and steal stuff, they don't really have much of a disincentive to do so. Plus like I say, it's a very, very, very high-profit margin.

Now, apart from them, you might literally be element to issues from competitors or adversaries. Yeah, that could mean that something like litigation that's a problem. They probably wouldn't attack you directly. But did I mention the criminal gangs? Yeah, they could very well hire one of them to come after you, as insane as that sounds. There was actually a big business deal going down a few years back with a bunch of law firms in Toronto. And they later found out that they had been hacked. All of them, like all seven firms, had been hacked by the Chinese government, yikes. And speaking of which nation-states are really nasty adversaries because they have a lot of resources. And if a nation-state is after you, it's really, really hard to defend your stuff. There's also actual insiders, these are people inside your network who are not keeping the faith if you will. And they're a big danger because normally a lot of security things are sort of towards the outside of a network, keeping people out, these are people who are already in. There are certain ways systems can be set up to defend a little better against insiders, I'll mention that, but definitely a tricky thing. And always it's an issue you want to make sure you understand who you're hiring. Don't just bring people in. And then finally we have hacktivists. You're not really hearing about like Anonymous and such as much anymore, but they still exist. Wikileaks still exists. These organizations will occasionally break out and release stuff. And again, as law firms sometimes the clients you're representing might, lack of a better way to put it, piss some people off and they might go, "Well, we'll show you." And they'll go release it. And meantime, they might also hack all of your other stuff in there.

Good example of this would be, I think to date is still the largest computer data breach happened was actually at a law firm called Mossack Fonseca in 2014. If the name sounds familiar, that data breach was referred to later as the Panama Papers, all because they were protecting a bunch of rich clients and they got tagged. Now, what can these attackers do? Well, there's a lot of different types of what's called malware, which they can load onto your system. That's short for malicious software. And if you remember, software program, set of instructions, malicious, set of instructions. So basically deliberately doing bad things to your system. And this can include the classic virus that you've heard of, related thing called the worm. Big difference is that a virus, a human has to take some interaction to make a virus work like click on something or open a certain file. Worms just jump system to system and propagate on their own. It's also something referred to as a Trojan Horse, nothing to do with the historical Trojans except kinda because the idea is it's something that doesn't look harmless. You bring it onto your system and secretly there's malware latent underneath, could be something like, for example, you download a song and it secretly has malware. That's a Trojan. There's also something with a cool name, a logic bomb. That's an attack that's based on a specific condition being met.

For example, let's say, Bob gets fired. Bob was a system administrator, Bob's not gonna take that. So he sets it up, so if he doesn't log into the system for three consecutive pay periods, this thing attacks. And so when it hits that third period, the logic bomb is triggered and then the malware is released. One other thing you might get is something that might absorb you into a botnet. What is that? A botnet is basically a large collection of computers that's controlled via the internet. And it can be used to do various types of mass attacks, it could have been used for something called cryptojacking where they're basically mining cryptocurrency like Bitcoin. Another thing you're gonna look at obviously is data breaches. That's probably the basic you're thinking of in the first place, this is straight-up theft. Sometimes what'll happen is it'll be something called an APT or advanced persistent threat. That's someone who is quote-unquote dwelling in your network. They're waiting there and gradually stealing stuff and doing whatever they want with it. They might sell it. They might simply take it and then use it against you later in something like a ransomware attack.

Now ransomware is the type of business interruption attack, mentioned this a couple of times, this is interruption attacks, of course, meant to keep you from doing your work. Ransomware on its face, encrypts your data, so that you can't use it until you buy a decryption key, assuming they actually keep their word and sell it. One thing a lot of these companies will do now, or companies, attackers will do now to try and encourage you to pay up is while they're at it, they'll also steal your stuff. So they'll steal sensitive data. They'll lock up your system, they'll say, "Well, you need to pay us or else." And if you don't pay them, oh, well, gosh, it'd be a shame, if we have to release this super-sensitive data about one of your clients, wouldn't it? It's that sort of a threat. And of course, this is problematic. The related type of business disruption attack is something called a DDoS or distributed denial-of-service attack. That's where they use one of those botnets I mentioned earlier, where they're essentially used to overwhelm a system with traffic. So they'll get constant types of basically electronic requests that will make it so that the thing can't function like it's supposed to like trying to imagine people trying to get in and out of a building that has, say, four revolving doors at the front. Imagine all of a sudden 10,000 people show up and are blocking those doors so that the normal traffic that would go in and out can't get in. That's what a DDoS attack does.

Another thing you could get is something like straight-up account takeover. That's where an attacker gets into the system and basically appears to be someone else. And that can lead to all sorts of problems as you might imagine. So what do you do to actually stop this sort of thing when it happens? That's when you're looking at these controls, we mentioned earlier, and there are certain controls, which in a network will be helpful. I'll run down a small list of them. There are so many more out there. I'm just trying to keep this so this isn't insanely and unnecessary complicated, first would probably be a securely designed network in the first place. Big one, there is something called network segmentation. We're basically breaking up the parts of the networks so they're independent from each other. Think of it like water type compartments in a ship or a submarine, or if you've watched the excellent sci-fi series "Battlestar Galactica," there was a scene in there where one of the main ships, the Battle Star took a major hit on the side, but because it had basically airtight compartments, the entire ship didn't get destroyed. There was great destruction where it was exposed to space, of course, and mind you actual spaceships are like this too. The real ones we see, the whole idea there is you contain the damage into the section that gets hit. It doesn't flow throughout the system like air or water moving around.

Now another concept to touch upon is the idea of a perimeter defense versus what's called the zero-trust network. We'll do this really fast, we could talk about it for an hour. It'd be very exciting, I promise. The idea with the perimeter is this sort of the classic way of defending a network where there'd be an outer defense, almost like a castle wall. And then once you got inside of that, you can move about freely inside the network. The idea is like once you sign in, you don't have to worry about dealing with say these firewalls I mentioned, which would be filtering traffic or other network defenses. Once you're in, you're considered part of the system and safe, problem is nowadays that is a little trickier to do, not just for someone breaking into the system, but also because a lot of people are working from home. Sometimes what are set up? And usually, in bigger systems, it's a little tricky to implement in a smaller system is something called a zero-trust network. The idea with that is it treats everybody like they're coming in from the outside. So everybody has to, as they move around the network constantly get basically checked and made sure that they're verified, it's them, it's okay. Effectively, we're identifying who you are. We're authenticating who you are, and what you're authorized to see. And with a system like this, that's often minimized. So in effect what'll happen is even if you have access within the network, you'll have less access rather than more access. The idea is to keep it as small as possible. That way, if someone bad gets in the amount of damage they have is much more limited.

Now I mentioned firewalls, that's one type of thing you'd wanna design within a network. Typically the way you'd wanna put it together, you'd have basically like choke points. So effectively all the traffic moving within the network in these various protocols, moving data around would be running through points with lots of protective network monitoring, protective devices there, firewalls one, like I say, it's a filter for these different data packets moving through, another one that's related. I think I may have mentioned earlier, intrusion detection, and intrusion protection systems.

Basically the difference there is an intrusion detection system lets your security staff know, oh, by the way, something went through here that looked a little iffy. A intrusion protection system tries to stop it. Maybe a way to analogize that would be the difference between a camera at a red stoplight, for example, sees someone doing running the light, they actually send a notification to the police versus a DWI checkpoint where if someone's going through, they actually try and stop you if you don't pass the breathalyzer test. Another thing to do, that's really important is something called system hardening. And mind you do this at home too. The whole idea with system hardening is you're trying to take out extra stuff you might be exposed to. This would be what might be commonly referred to as an attack surface. Basically, what part of you is exposed? Think of it like you're having a snowball fight. If you're facing square up and you're throwing snowballs, you're going to get pelted. If you have a good sense to hide behind a tree, at least there's a little less of you available to get hit a minimal attack surface. So you wanna do something like that when you're dealing with a system, the idea behind system hardening is anything on your computer that you're not using, any older applications, any, say, remote access that your IT department did last year, that nobody bothered to take out, gotta remove all that stuff.

Another part of that is you wanna take out default settings. What do I mean by this? A lot of things will work outside the box because they'll have like a default password and a default account. Like it might be your account is admin and your password is admin123. That's nice and all in terms of it will actually work outside the box. It's laughably insecure. And of course, the bad guys know where these are. If you're really curious to see this in action, there's a website out there called routerpasswords.com. The idea is it's supposed to help you recover if you have any problems with your router. But of course, if you leave the original router password, you're not gonna really have it protected because anybody can look that up. And aside from this, you also wanna look at securely storing your system assets, like physical assets. I mentioned the servers before. Those are usually in a locked closet, because if someone can physically access your server, they can get a lot of data off it, and that's a real threat. And a related note if you're using computers, you wanna obviously lock those down. Laptops you wanna make sure that they are what's called full file encrypted. The idea is that rather than a full file, you're doing the entire disc. Full disc encryption will make sure that if somebody steals it, they can't really get much because it's encrypted. And of course, the laws that deal with this, a lot of them apply to unencrypted data.

So you may not have to actually report it if it's a theft of encrypted data, because under the law it's often considered secure. Now you also wanna have things for mobile systems, stuff like if you lose your phone, you wanna have Find Your iPhone or Find Your Droid enabled. And if not, you wanna make sure you have the ability to wipe the device clear that way you can do what's called a factory reset, take out the device that's on there. Also as you're going through, sorry, I know there's a lot here. Yeah, we're rushing through it, data classification's a key thing. We mentioned that before with risk assessments, that's literally like a first step because you've gotta know what is it you're protecting? What's the valuable stuff? That's where data classification comes in. What is aunt Edna's brownie recipe? Versus what's a major client paper? That if it gets out, it's a real problem.

Also encryption, we talked about a little earlier. That's basically that's using an algorithm, which is basically a set of steps running on a certain set of data to turn readable data into what looks like gibberish, and for encryption, that's great for both data, what's called at rest that's being stored or in transit, moving from place to place. And you'll see it a number of different systems, Certainly, if you have a modern phone, you probably encrypt everything automatically. When you look at a website, make sure it has W, basically, it's www, it's HTTPS. That's the secure version of it. Typically, if you're looking at that little address bar on the top, there'll see a little padlock on the upper left, that'll indicate to you it's encrypted. And so when somebody tries to break in and take it, they can't really read it because they're gonna get gibberish. And again, there's this full disc encryption idea, you can also do it file by file. Now, if you're dealing with a wireless router, which many systems are nowadays, you wanna make sure you have current encryption because the older systems get broken, the newer ones come out and they're stronger. The current one is called WPA or Wifi Protected Access 3. Wifi Protected Access 2 for enterprise is still decent, but WPA3 is the current one. And obviously, if you have an older one, it's gonna be less secure, in particular, if you have one called WEP or a Wired Equivalent Privacy, that's the really oldest one and it's been broken for years, don't go anywhere near that one. And then, obviously, you've probably heard of antivirus software, sometimes referred to as anti-malware.

Generally, you wanna have that in place sometimes for newer phones that might not necessarily be needed, but for most systems, absolutely. And you wanna have spam filters guarding your email, stuff like that. You'll also wanna make sure that the actual network itself is being looked at. You have network monitoring in place, 'cause you'll have different tools that can do that. And my apologies, I know this is a ton of information at once, but in effect, as they're monitoring the network, they can read through what's going through it. And that's a very helpful thing because if something dicey is happening, hopefully, they can catch it.

There are different types of systems. Some of them are looking for a particular baseline and looking for behavioral anomalies, sometimes bad like malware, bad programs will be flagged in the look for sections of those. Those are what are called signature-based systems. And a lot of what they're also looking at, you wanna make sure it's mapped out, first we talked about the data. You also wanna map the network itself and what's called a enumerate the various things on the network. So if you've got a device in the network, you wanna know what is it? Who owns it? What version of software is it using? That type of thing. Because the more information your security personnel have, the more they can secure your network. And then one key thing related to this is something called patch management, in short, keep all your stuff as up-to-date as possible. Because the idea here is you wanna make sure that you're using current stuff. The reason for that is that attacks like 98, 99% of attacks are generally against things that have already been fixed. What am I to about? If you ever get an update coming out for like your phone or your computer, like, oh, yeah, update to Android 12. Yeah, that's what it is. Yeah, that's actually a good thing to do because the newer systems are more protected. And when you see an update coming out, if it's coming directly from the system, that's a good thing because when it comes out, as it's up-to-date, those older problems are fixed. Problem is a lot of people don't do that. Attackers know this. so what they'll do is they'll look for the fixes and then attack the things that are fixed because most of your older systems are being used. I'm amazed at some of the older systems I've seen in use in different places. And obviously, if you see it, like, let's say, for example, you've got a system old enough that they're no longer updating it. That's called being out of support. Like, say Windows XP, do not use Windows XP.

If you see it, make sure you update to something that's still being updated, i.e supported because that's safer. Another thing you're gonna wanna do is make sure that your systems are backed up in case something does go wrong. And it's important to make sure that these are, you wanna have more than one. You don't just have a backup, 'cause, God forbid something goes wrong, you wanna have multiple backups, i.e multi-tiered, it's a great idea to encrypt your backups, certainly no less so than your data is encrypted. But if your backups are encrypted, they're that much safer. And it's always a good idea to have them separate from your systems. Because those ransomware attacks I mentioned earlier were often designed specifically to fish around your network to find everything they can. And they make it a point to encrypt backups because theoretically, if one of them gets through your system encrypts and you're able to catch it and shut down the system in time. And then basically the forensics folks come in, look what happened? The incident response folks, come in, they fix it. They fix your network and they bring it backup, if your backups are intact, they can repopulate your network from that, which is actually a workable thing. And you might not actually have to pay the ransom, we hope. But I mean, at the end of the day, it's important to do that. And also one thing to mention with backups, test them because it's great to have backups, but if you don't test them, you'll find out they don't work just exactly when you need them, which is so not fun. But then you wanna look at what to do when you're done with something, this would be proper data disposal. We could talk about this for a good 10 minutes, so rather than do that, yeah. Basically what it comes down to is when you're done with something, you've gotta make sure that the data on it is sufficiently secure.

There's a standard again from NIST, which lays out three levels, they call clear, purge, and destroy. Clear is basically the equivalent of hitting delete. You can't see it, but it's actually still on the system. Purge means you'd need good forensic equipment to actually find it. Destroy is kind of what it sounds like. And it's like dropping a phone in a metal shredder or something like that. And yes, that exists. There are even videos online of various computer equipment being thrown into metal shredders because, and again, as law firms, this is something you should consider. That's the most positive way to make sure no one can touch your data because it's literally been trashed. There's no way to get anything off the system because keep in mind, after the Space Shuttle Columbia, tragically crashed, they were actually able to recover some data from the wreckage. Damaged systems, that's great, but it doesn't necessarily get rid of everything. And if you really wanna be secure, destroy it. Finally, I would mention audit logs. That's just recording what's happening on the system. Who's accessing what and when? And where that's so important is later if there's an issue you can look at it and see about fixing it or finding out what happened generally speaking. So there's some systems that will rely on why is someone keep trying to get into this? And then they give you an alert and hopefully, you can stop it before it becomes a problem. And then, oh, sorry.

Shaun Salmon - No, no, go ahead. Go ahead.

Scott Aurnou - I can keep going for weeks, you know me. Just a related concept, something called defense and depth. Cause, I know I've mentioned a lot of things here. You think, wow, do I have to do all this stuff? What it basically comes down to is its sort of putting multiple hurdles between an attacker and your system. So instead of just dealing with one control, they have to make it through 4, 5, 6, 7, and each step along the way it's harder for them to get in. And there's more likelihood you'll catch them with their hand in the cookie jar, which is always a good thing. And obviously, there's also cloud-related risk as you're dealing with a remote workforce. We mentioned now, and also anytime you're dealing with vendors, obviously, that's a very big deal. And from an attorney standpoint, you gotta make sure that it's all written down because then you indicate what you expect from them from a secure standpoint and who's liable for what?

Shaun Salmon - Okay, so that's actually kind of where I was gonna go. I was going to mention or ask you to mention the difference between, 'cause destroying the hardware right, it's fine. But that doesn't-

Scott Aurnou - It looks cool, nothing else.

Shaun Salmon - But that doesn't solve in anything that's cloud-based now. So you're not actually solving for the problem, but then you said, you get what I was gonna say.

Scott Aurnou - Well, what you might have is contractually part of your agreement with a vendor might include, well, let's say provisions to the effect of within 10 days with the termination of this contract, regardless of cause, your vendor agrees to destroy all data and you'll actually give the standards, they have to keep to like the drives must be destroyed. Drives must be what's called degaussed which is like basically demagnetizing them. So it pulls for a magnetic drive, it pulls everything in one direction. So it's all ones are all zeros, of course, that effectively still destroys the drive, but you get the idea.

Shaun Salmon - Yeah, interesting. Okay, so that was, as you mentioned, a ton of information, so to all the viewers.

Scott Aurnou - And that was the short version too.

Shaun Salmon - Yeah, right, no, I know this is the 101 class. So for anyone who's watching, obviously, you can revisit and scrub back at any time in this to hear Scott go over that again. And of course, and we'll go over this at the end of this interview too, but people can reach out to you if they have questions. So moving forward through the additional questions we have for you today, how can a firm control who it onto its network? How do they protect themselves that way?

Scott Aurnou - That's a key thing actually, 'cause at the end of the day, it's called access control and it's a technical control, it's hugely, hugely important. At the end of the day, you really wanna limit who can get on the network in the first place. And there's actually a name for that. It's called the principle of least privilege. The idea is anyone who's in there, you only let them to the extent that they need to be, sort of the need to know approach if you will. So if somebody gets in, they can't get to anything they're not supposed to touch. Theoretically, that's what you should always do.

One related concept is something called administrative rights. The administrator accounts are normally how a typical system starts. And the thing that's cool with an administrator account is that you can download stuff, you can delete stuff, you can modify stuff, that's cool. Except if an attacker can access one of those accounts, in which case it's really not cool at all. So it's a really big deal to limit those. You wanna make sure there are few of them as possible. And even the people who have administrator accounts you don't want them to use those as their main accounts. It's more like you have an admin account and you use a normal account, 99.9% of the time to do day-to-day work. And then when there's a reason to log into the admin account, that's when you use it. And you can do this with your home computer, mind you, what you can do is you can effectively set up basically a guest account in your system and use that as your main account. And then if you need to download some software or something, you just jump into the administrator account, do what you need to do and log back out. Typically you won't even have to log in. Often what'll happen is you're going to say download a program and it'll ask you like, ah, well, this needs an administrator approval. And it just asks you to type in the password it allows you to download and you're done, that's it. That way if someone else is trying to do it, they don't automatically have access that they break into your network. They still have a standard account. They can still cost you mischief, but it's limited, and that's the important thing. Now in terms of actually getting into it, there's four basic features, if you will, to access control, identification, authentication, authorization, and finally auditing or accountability. Identification that's the equivalent of identifying yourself when you log into your network, let's say, you're logging in and your ID, your username is something like Shaun123.

Okay, so we've identified, that's you, Shaun. Now then it's a question of, well, how do we know it's really you? That's who you need to authenticate. Usually, that's something like a password or a thumbprint. Now related concept there called a multifactor, or two-factor authentication where it's more than just the password. The idea is the password is something you know. There's also something you have, it could be something like a little token, which you either plug into the computer it has a randomly generated number that you have to type in as well. Another thing would be something you are that could be something like a retinal scan or a fingerprint or a palm print or something like that. The idea is that having more than one of them at once is a much more secure way to do the system because the attacker needs to get both. Now mind you, it's not impossible for an attacker to get more than one of these at a time, but it does make it much, much, more difficult. And some of them are more secure than others, something called the Yubikey, which is one of these like a USB stick that you plug in your computer, that's really secure, because unless they can physically get a hold of it from you, it's really hard to actually get into your system without that. So that's a very good protection. Now I also mentioned authorization, that's once you're in the system, what can you do? That comes back to that principle of least privilege less is better. And then finally auditing or accountability basically is keeping an eye on who's in? Who's doing what? Who's trying to log in? Who kept going by this firewall? Because the more you know, the more you can look at and go, hey, wait a second. We do not have an office in Kazakhstan. Why do they keep trying to log in from there? That's gonna look suspicious. So if they see that, that's good.

Also, you wanna realize, how does this actually apply realistically? I guess the most classic example might be bringing new people in and when people are terminated. So onboarding in what's called deprecation, when you're getting rid of an account. That's why you wanna make sure all of these steps are followed as you're going. And certainly, as we mentioned this, passwords are a key thing. Without going into too much detail, the key element, more than anything else, the password is length, the longer the better, because the idea is a longer password has more possible combinations. For example, if you're talking about the difference between an eight-character password and a 12 character password, there are 81 million times as many permutations for a 12 character password, not 81 million more, 81 million times more. So it's a huge, huge difference. And certainly, you wanna be able to use different characters. So if say, you'll wanna be able to use those exclamation points and numbers. And the thing to realize also is a lot of these are being attacked by a computer program. So when you're being clever and going, no one's gonna know I'm using a dollar sign instead of an S . Yeah, computers obviously know that you're just confusing yourself.

So it's better to go with something long. Typically they have something like what's called a passphrase. Something like, I can't believe I ate those 15 lobsters, exclamation point, something like that. That's all gonna make sense to you. It's nice and long. It's really hard for a computer to guess. And you might stand a chance of remembering it, or you can use something absurd. Like one example that was used in a great comic called XKCD was correct horse battery staple. It's goofy. It's also long and hard to guess, don't ever use that one, mind you, every system knows it because it was in the comic, but that's the idea. You just want length something long that relates to you. And of course, you might be saying to yourself, dude, I have like 40 different accounts now, you want me to warn a whole bunch of passwords, 'cause yeah, you do wanna use different ones. If you use the same one over and over again, they crack one, they can steal the others. It's called daisy-chaining.

What do you do? Well, this type of software called the Password Manager. And the idea behind a password manager is you have one password to remember. Once you remember that it will populate the systems, and what's great with that. Is it not only populates the systems, it identifies them based on what's called an IP address. So it's the numerical address on the internet as opposed to the address you see. So even if it looks like the same address, sometimes attackers would do something slightly different. Like you're looking at an L in a name versus an I in a name that looks kinda the same. 'Cause, it's capital I. Uh-uh, they'll catch that and stop it. And that way they won't let you log into the wrong system or they won't put the password in, and those are really helpful. Now we actually have some attached materials, like literally put in an article on how to pick a good one. So don't sweat it right this second. Yeah, definitely print out supplemental materials. They're here to help. And one related thing you might run into, if you're with a larger organization, something called an SSO or single sign-on system, those are cool and convenient. They are sort of the diametric opposite of the zero-trust network, I mentioned before. The idea with an SSO is it gives you a lot of access to things once you log in. And obviously, there's a certain risk with that nowadays, 'cause the more access you have, the more potential danger an attacker can get if they compromise your system.

Shaun Salmon - Right, and single sign-on though, tend to now be packaged with two-factor authentication almost entirely, like I haven't seen it.

Scott Aurnou - As we could, we should.

Shaun Salmon - Yeah, okay I haven't seen one without it, in all of my orbiting.

Scott Aurnou - There's a real danger with that without it obviously. And again, with two-factor authentication, depends on what you're using. There's a nasty type of attack in which basically it's a trick attack where attackers will trick your mobile company into changing your SIM card, which is what identifies your phone as yours. So that it identifies their phone as your phone and that attack coupled with a password, they might be able to break in that way. Sorry, I'm here to be fond. That's what I do if you don't like it.

Shaun Salmon - No, but like you're saying that about my phone and obviously like-

Scott Aurnou - Well, the thing is-.

Shaun Salmon - We're attached to those.

Scott Aurnou - Kind of attack. That doesn't target you, it targets your mobile company. So what do you do to defend yourself? It's really tricky.

Shaun Salmon - So how do mobile devices factor in to law firm security?

Scott Aurnou - Well, in fact, they're what are called endpoints. An endpoint in a network is basically what you're interacting with. So that could mean the computer you're watching this on. That could mean a printer that could certainly mean your mobile device. And those are problematic because endpoints are sort of the beachheads that attackers use to get into networks. And when you're talking about a mobile device, it's pretty much similar threats to anything you'd see on a computer, but wait, there's more, then you start seeing there's the risk of loss or theft because they are small and mobile. That's the whole point. And then you also have this nasty thing called fragmentation. Fragmentation's kind of a funky one, basically, the way it works, that's an Android problem, but keep in mind Androids are most phones. What happens with Android updates? The system is Google puts them out and then it'll go to, let's say, you have a Samsung phone with a, let's say, you're working Verizon on it. First Samsung will tweak that update and then Verizon will tweak that update and then you'll get it. And not only is there a delay, but also it means that you're running into stuff that's sort of operating just a little differently. So it's a problem because overtime is there are more and more and more phones and different operators. And you want into, instead of a version of a system like you have at apple, you have different types over and over again.

Now for Android users saying, "Hey, that's so unfair." I'm with you because there is a way to avoid this very easily with Android and that's Google's own phones, the Pixel line, which are pretty solid phones. I'm actually, I'm a fan of them myself. Most of the people I know who are technical folks have Pixel phones. So don't think I'm just saying that either one system or the other is better at the end of the day, there are ways to do either systems securely, but realize if you're using an Android phone, that's not a Pixel line phone, this is a risk and it's gonna become more of a risk overtime because it not only slows down, if any one of those three units stops producing an update, you don't get it. So if it comes out from Google, but then either the manufacturer or the service provider doesn't feel like updating you're outta luck and that's not cool. But another thing to also look at is something called jailbreaking also referred to as rooting, depending on the system jailbreaking is for an iPhone, rooting is for an Android phone. That's basically overriding the security settings on the phone, which if you're 20, that's super cool. If you're actually in a law firm, not so much because what happens with that is obviously it means that a lot of these security protections that are built into a modern phone and they are actually pretty solid, they take 'em out. And if one of those is connected to your network, it's a really big risk.

Now, one way to detect that is something called mobile device management software, MDM. And that's basically how you will control the various endpoints on your system. Typically speaking, if you're with a larger organization, you'll have a mobile device management system, which will make sure that your phones are consistently configured so that they're set up in a secure fashion. If there's an update that needs to be pushed out, it'll push them out to all the phones, that type of thing. So like I say, with security, consistency is an important thing and that's one thing the mobile device management software will do that's really helpful. Now, if you're talking about individual systems beyond the, like I say, the system-wide endpoint stuff on any given device, and again, the MDM should push this sort of stuff. You have the Find My iPhone or Find My Droid, which allows you to track what happens to it. That's really handy if you lose it. And if it gets straight-up stolen, another thing you can enact is referred to as remote wiping. One way to delete data on a mobile device is something called a factory reset, which basically sets it back to its original settings. Typically speaking, that'll take out anything on the phone, but again, if you have an attacker who just happens to have a lab nearby, they might be able to get something off of that. 'Cause, typically even with the factory reset, if parts of the driver damaged that might not take out the data, we're probably won't get too much detail for one hour program, my apologies.

Shaun Salmon - I mean, that's okay. But all I keep thinking are the four times that my child has tried to factory reset my phone and I've had full spiral panic attacks. So every time I hear factory reset now, I just have a moment of where's my phone because it's a lot.

Scott Aurnou - That's hysterical actually. And mind you, there're attacks that deliberately target kids.

Shaun Salmon - Oh, like through YouTube and stuff.

Scott Aurnou - Oh, I mean, yeah, there's that, but let's say if someone wants to get into your system and access it and they know that, oh, its a good chance, so and so son or daughter might get on, they might do something like have, mentioned the Trojan horse attack earlier, try and imagine a level up for a game they're playing or a cool artifact from that game that just happens to be infected. So it's like, hey look at this awesome sword I've got, this is rocking. Meantime it's attacking the system in the background. And of course, attacks in real life are not like in the movies. They don't make noise, no alarms go off. It's all quietly happening in the background so you don't notice it.

Shaun Salmon - But are they targeting children or husbands? Because that is not targeting my child. Just gonna be real clear on that, okay.

Scott Aurnou - I don't know a thing.

Shaun Salmon - Okay, so I will have to tell him about that though, Scott, because I wonder if he even knows that that's a thing, and thank you for sharing.

Scott Aurnou - I mean, it's probably not a very common attack factor, but just the same. And sometimes attacks will be tailored because they need to get the data on your system and they'll put some more, some intelligent folks on the case and they'll actually study you and go, oh, so and so plays this game. I know what we can do. And they twist their mustache and go do bad things.

Shaun Salmon - When we're done with this. I'm literally gonna go have to go down a rabbit hole of Xbox and PS5, oh, my God.

Scott Aurnou - Again, it's a question of connectivity of what's that connected to?

Shaun Salmon - Right, right, right.

Scott Aurnou - If it's properly connected, hopefully the risk will be minimized, hopefully.

Shaun Salmon - Okay, that's fair, okay. You've swayed my panic a little bit. So do attackers typically target the system itself or the people using it?

Scott Aurnou - That would be answer B, yes. Typically speaking, the way they get in is by tricking people. That's your most common attack. This is referred to as social engineering and it has a whole bunch of different flavors. We'll discover some of the main ones here. Primarily you may have heard of the main email one, 'cause you probably get tested for it. It's called phishing with a P-H. And the idea with a phishing attack is it's usually sort of a shotgun blast of an attack trying to trick people into doing things. Typically that might be something like, oh, hey, you just won tickets to fly to Aruba, if you click on this email in the next five minutes, that type of thing. They'll always have something where you have to take action and there's a time attached to it. Or there might be a threat or there might be something like, oh, hey, we've just processed your order for the new car. You're going, "Wait, what?" Which is a normal human reaction. That's actually what they're counting on. The idea is you're supposed to look panic and click and it'll either come in something where there's an actual infected link. So you're clicking and it takes you to an infected website or there'll be an attachment and the attachment's kind of iffy.

And one way you might see that, for example, and again, we're just whipping through quick examples, let's say, the attachment doesn't open right. And it asks you to, what's called enable macros, which add features on certain Microsoft devices or certain Microsoft programs. Typically that would be either through Excel or through Word. So if you see one of those where it's, even it reminds you, even if it's coming from someone familiar, it's not that hard to fake that. So that's pretty common where you'll see someone actually tell you, oh, yeah, yeah, totally. We're using that from a friend of yours. Your friend might not have sent it. It could have been fake, that's something called spoofing. And that's part of what makes this tricky. And an even more enhanced version of this is something called spearfishing. That's where they research you a bit and it does come and it's directed to you. It's not a scattershot approach. It's saying, hi, Shaun, we saw last week that you and I did this. Hey, would you like to try that? I sent you a little follow-up and you're going, "Oh, that's right, we met." Click, and then long and behold, that's the actual attack and it's not uncommon to do that. And then one little nasty variant to that is something called a BEC scam or business email compromise. That's basically trying to trick someone in your organization into wiring out money. And while you might think, how would that happen? It's not as uncommon as you might think.

One of the big tricks is to pretend it's something from a very senior person in the company. Usually, someone who just happens to be outta the office that day, oh, you've gotta wire this out right away. And get it done by the end of the day or something like, oh, well, we're closing this deal for this house. And I just wanted to update the wire info. And of course, that's not really what's happening. So how do you defend yourself against these? Well, the step more than anything else, skepticism. I always like to say that you should assume everything is a fake, fraud, or trick, or scam until you've got proof to the contrary. And even then, even if you're wondering like, well, is this legit? Especially if someone's looking to get you to send out money or something like that, or take another step that looks iffy or even doesn't look iffy, but potentially it could be, what's called an out-of-band communication.

What I mean by that is don't simply respond to the email or in the case of a phone call, don't simply go with that, lookup your contact information for that person. If it's coming from a company that you deal with, lookup the contact information for that company. And realize you don't typically get something like a Microsoft or like a credit card company contacting you to threaten you for things like that, or the tax people, doesn't happen. The IRS doesn't do that, but of course, they wanna scare you into reacting. This is how you know this can happen via the phone too. Like I mentioned, an out-of-band communication is key. So you wanna look, you wanna say, check out, okay, what's this bank's actual phone number? Or okay, Mr. Smithers has told me to wire this out right away. Well, that's an awful lot of money. Let me go check with Mr. Smither's and low and behold, you get ahold of Mr. Smither's or his personal assistance saying, "No, that didn't happen." And that's great 'cause you just made a big savings. And if you're wondering how bad can this be? There was a CEO of a company out in Austria, an aircraft parts company, I guess about five years ago, who fell for one of these BE scams to the tune of I believe it was $17 million, as you might imagine, he was fired not long after, but wow. Now, of course, these hits don't just happen via email.

Another way you can see them is often during web browsing, an infected website is sometimes referred to as drive-by download you stop in and wham, it hits your system, the best way to defend against that realistically, is A, don't click on things you shouldn't be looking at 'cause they look like, oh, that looks interesting, click. Think before you click and more then anything, keep your system up-to-date. As I mentioned earlier, most attacks hit older stuff. So if it's attacking something that was fixed a few months ago and your system's up-to-date, it basically bounces off your system because it's protected. A particularized version of that is something called the watering hole attack. And that's something where you're literally lured to an infected website designed for you. An example of that I can give you from a few years ago, there was a company that I think it was down in, I won't say Texas, but I'm not 100% sure on that one. It was basically an energy production company that had a fairly well-defended network. So the attacker, rather than trying to get indirectly found out that a lot of the people that company liked ordering takeout from a particular Chinese food restaurant and infected the menu page from the restaurant. So then when people went on to go order food, they infected the network that way.

Another thing that can be done is something called baiting. That's an infected USB drive, so effectively plug it into your system, and then that downloads malware into your system. Why would anybody do that? Well, let's say it's a public place in the company and there's a stick drive that's labeled something like senior partner compensation in the current year. Yeah, you're curious, it's human nature. That's what the attacker's counting on. So you take it, you plug it in, you go, huh, what's that? And of course, with something like that, you're not gonna wanna tell your security folks first, you plug it in, boom, attack. So that's just something to keep an eye out for. So even it does look like a juicy, exciting, be it a USB drive or disc or whatever else, bring it to your security folks. Just a smart move first off. And obviously, we talked about phone scams a little bit there. Can be from the IRS or anybody else, and they're only gonna try and scare and threaten you, and generally, they're full of it. So don't let them scare you, basically.

Also, there are some in-person ones which will become more of an issue as people are more and more going into the office, especially as people who've joined the company as a result of the time off everyone's have, you might not have met them yet. And one example of this is something called tailgating. That's like, imagine a classic instance, you're going into work and let's say, you have a badge to read and the person behind you goes, "Oh, shoot, I must have left my badge at the office." And you're going, "Oh, hey, yeah, come on, I'll swing you in." That's tailgating. The idea is it's generally gonna be with someone who looks the part, looks like they belong there. Very polite, very friendly, but doesn't actually belong there. But of course, you don't know because you're being polite like people are normally supposed to be. And attackers count on that in some cases. Another one is something called pretexting and the idea is that someone who's somewhere they're not supposed to be and has a pretext to be there. That's the one you can do that. I guess I'll give you a good example of a pretext, so the original "Star Wars" movie, there's a scene where Luke Skywalker and Han Solo are literally walking around the Death Star, the giant imperial base, dressed up as stormtroopers. they're in disguise. So they have a pretext to be there. They look like they belong there because they're dressed in this part. So everybody looks twice.

 Now I mentioned insider threats a bit earlier, that's a huge issue in terms of just a personnel thing. There are certain defenses you can put in place like procedures. For example, you might have something like rotating duties. So the same person isn't doing the same thing all the time. That way, if someone else rotates in and goes, wait, just a damn second. What's going on with this? This isn't running right. And on a related note, you might have mandatory vacations. Like someone can't just stay in the job endlessly, they eventually have to take that two weeks off. And when they do, someone else gets in there and can check to make sure everything's in the up and up. Finally, you can also have a procedure in place where certain types of reactions require X number of people to work on it or approval from someone on this layer. That's also a great thing to do when we talked about the BEC scam earlier, there are definitely procedures which will help protect you from that. Because at the end of the day, the more people who get a look at and can potentially stop it, the less likely it is to proceed.

And finally, we have just plain mistakes. People are human you know, you take something home, you forget you leave it there. Or one of the great classic ones is missed delivery, which can happen with email if you've got auto-complete turned on, which most of us do. And I'll give you a funny example of that. So a few years back music pioneer Grandmaster Flash, actually put out a thank you to grandparents all around the land because they kept accidentally tagging him on Facebook because instead of typing grandma or grandpa, and it would have Grandmaster Flash pop up and then accidentally click yes, and send it. So he got tagged quite a bit around Facebook, which was awesome. But yeah, that's a quick look at it. Obviously, there are more, I think we're gonna do a program specifically talking about social engineering. So sort of listen in, we'll go into some more detail on this, 'cause this is where a lot of the attacks start.

Shaun Salmon - Awesome, so this is my last question for you. I know we're going a little over.

Scott Aurnou - Aim is to help.

Shaun Salmon - But that's okay. That's okay. I blame you a little too. No, I'm kidding. I'm kidding.

-Scott Aurnou  It's true though.

Shaun Salmon - So how should a firm respond to a security incident?

Scott Aurnou - Okay, so again, not wanting to kill this, we'll do the short version of the short version of this, basically, you could talk about this by itself for an hour.

Shaun Salmon - We probably will.

Scott Aurnou - Yeah, but maybe we can someday. More than anything else this is about preparation. Because if you're trying to figure out what to do while an attack is happening, it's gonna be so much worse, I guess a nice way to put it would be to analogize it to you playing a soccer game. The other team has the ball. They're running towards your goal and you're on the sidelines picking out your team, like, hey Fred, now you're a good goal. You'll wanna get in net. Julie, wanna play halfback? You're doing that. Meanwhile, they're running in. Guess what's gonna happen? They're gonna score on you. You have to be ready before this happens. It's critically important to do. I'll mention what these different plans and procedures are, do them right away. And if you need help, we mentioned those additional resources. I specifically put in links for incident response. Please don't wait on this stuff because if it goes bad, it goes really bad. So in effect, where you wanna start with is something called a business continuity plan or BCP, a related thing is something called the disaster recovery plan or DRP, sorry, there's gonna be some acronyms coming on this one.

The big difference there is a business continuity plan is basically what will get you back towards normal and like what sort of steps you need to get there. A disaster recovery plan is a little more short term and something like, wow, everything just went south on us. How do we get our like basic systems up and functioning enough to just keep the business going before we fully restore everything? And we just start the ball rolling is something called a business impact analysis. But wait, there's more BIA, business impact analysis. This is sort of a cousin to the risk assessment, in effect what you're doing here is you're going system by system and department by department, through your organization to figure out what's needed. What would be required to restore it? And just a general sense of what's important, what needs to be up and running? An example I could give you of this might be, let's say, the organization you work for is a financial services firm. Let's say you get hit with an attack. Now, obviously something like business development is an absolute key function for financial services firm to keep up and running, without it, you're gonna go outta business of course. However, if you've been hit with an attack that necessarily will take a backseat to the ability to actually process financial transactions, because if you can't do that, you've really got a problem.

So that will be part of what a BIA does. It identifies the various risks, prioritizes them, and lets you know, okay, this is the system we need to get up. And generally what it'll do is we'll say, system X needs to be up and running within this time period or this level of damage will happen. So it could be something like if we're up and running within two days, this works. If we're up and running within two hours, that's proper. If it's gonna be over five hours, we're gonna see damages to this effect. That's sort of where a BIA sets you up. And then in response to that, you're looking at the disaster recovery plan, which will get you your systems up and running quickly. And then the BCP, the business continuity plan, which will hopefully get you back to normal. Now, one part of a disaster recovery plan often related is something called an incident response procedure or IRP, sorry, more of them. In effect, an IRP is the step by step, what to do in the short term? Like, , everything went bad, and people are running around screaming. Well, what do you do? How do you actually stop this? One thing that's great with an IRP is a general rule indicate who's in charge? It will tell you basically, okay, here's what the steps are. Here's what we're trying to do, here is our incident response team. You generally have representatives from different departments, legal, technical, communications, HR. You might be saying what for? Your part of it is, you've got an incident, you're gonna wanna engage in crisis communications. So it needs to be done properly. And you need to have little considerations in there, stuff like, well, if our system's been compromised, I don't think that's how we wanna communicate with each other. Well, okay, how do you do that? What do you have? You've gotta have a backup system. It might be something as simple as, well, everybody use your private phones or use your private emails, but then again, it could be a risk of going through system resources to do that. So there are definitely, you're going to have to look at the plan B before it's actually needed. That's the whole point of this. You need to be ready. And generally, an IRP will have specific goals in mind, like system restoration or minimize damage what comes up first?

And certainly, you wanna bring up contacting individuals and organizations who can help you out. Maybe you have an outside contractor you work with. Certainly, it's a great idea to build a relationship with law enforcement who deals with this. Typically that's the FBI, the secret service to some extent, but typically the FBI. And actually, while you're listening to this, it's a great idea to give them a call. You know why? Because they're aware that they can help. And as a result, they have a lot of great presentations and materials they can give you and they're happy to do it. And that's great because you build that relationship in the first place when it happens instead of the panic call with like, oh, my God, oh, my God, oh, my God, who do I talk to? Who do I talk to? It becomes, wow, agent Jones, we just got hit, it's really bad. And they're like, "Hey, we got you." "Let's talk." And that's such a big difference when you get hit with one of these, because it's a terrifying sensation. The rug's getting pulled out from under you and depending on what type of organization and how involved you are with it, that can really be a big, bad hit. And of course, one thing you realize also, when you're talking about these plans, if writing them up does take a while. And sometimes they get delegated to folks who are a little more technical, be sure that when these plans are written, they're written for the folks who will actually be using them. Because if they're written for someone who is very technically inclined and then someone is looking at them from legal or marketing, or what have you, and goes, huh? Then it's not helping you.

You always wanna make sure that everyone can understand not just what they're supposed to do, but what they're being told to do. And then one other thing to make sure you do is test these things. They also wanna be updated, but testing them is critically important. I'd say at a minimum once a year, usually you'll have what's called a tabletop exercise where people are literally sitting around walking through an incident with their plan, like, okay, so then we'd do this, and then we'd do that. Okay, this would be our response to this. And that's critically important because if you get to a point where you can actually walk through it like that, that's really helpful because then you can understand what there is to protect. And then one more thing to mention is when you are actually doing the repairs here, generally speaking, the idea is you have a system that's been hit, it's been infected. It's very tempting to just patch the system and call it a day. Don't do that because a lot of attacks will generally be hiding under the surface. So you'll catch the obvious stuff. And the really nasty stuff is hiding underneath, after you think you've basically painted over the wall and you don't notice all the mold that's behind it, that kind of thing.

So you basically wanna rip the system down completely and then rebuild it from scratch and hopefully, repopulate it from your secure and separate from the system backups. And oh, one other thing to mention, sometimes not always, but sometimes you can get a bit of an advantage from dealing with outside counsel with cyber liability experience. What I mean by that is in effect, let's say, you've got an incident you're responding to. If you're filtering your communications between that outside counsel, you and your incident response personnel from say an outside forensics firm or some such often attorney-client privilege or work product may attach. And that will at least protect part of it. It's not a cure-all, it won't work all the time, but at least it makes that option open. The courts have held that if you try and do that with inside counsel, obviously, the in-house folks are not limited to just that they're also dealing with various in-house duties. And so generally privilege does not attach in that circumstance.

Shaun Salmon - Got it. So Scott, I mean-

Scott Aurnou - Short version.

Shaun Salmon - Yeah, no, I mean for sure but thank you. Listen, thank you so much for talking about this with me today. And for everyone watching, Scott has included so many resources for attorneys, tips on how an attorney should go about finding a qualified security expert, cybersecurity do's and don'ts, all of that can be found in the material. So don't forget to check those out. And then in the meantime, Scott, can you tell us where people can follow you your contact info and any like last minute things you wanna share before we break for the day?

Scott Aurnou - Sure, feel free to find me on LinkedIn, If you like, Scott, last name is Aurnou, which is A-U-R-N-O-U. Certainly, I think there's a little bio here if you'd like, yeah, hell, feel free to follow me on Instagram. If you like landscapes and ruins, I go there.

Shaun Salmon - I go there.

Scott Aurnou - Yeah, exactly.

Shaun Salmon - And they can also, awesome. And they can also contact you through the Quimbee website. There's a contact button at the bottom of your course page. So thank you so so much.

Scott Aurnou - My pleasure.

Shaun Salmon - And I will obviously talk to you soon 'cause we'll be doing some more of these.

Scott Aurnou - Awesome.

Shaun Salmon - Bye, Scott.

Scott Aurnou - See you soon.

Presenter(s)

SAJ
Scott Aurnou, JD
Founder and Cyber Security Attorney
The Security Advocate

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
  • 1.0 general
Unavailable
Alaska
  • 1.0 voluntary
Pending
Arizona
  • 1.0 general
Pending
Arkansas
  • 1.0 general
Pending
California
  • 1.0 general
Pending
Colorado
  • 1.0 general
Pending
Connecticut
  • 1.0 general
Pending
Delaware
    Not Offered
    Florida
    • 1.5 technology
    Unavailable
    Georgia
    • 1.0 general
    Unavailable
    Guam
    • 1.0 general
    Pending
    Hawaii
    • 1.0 general
    Pending
    Idaho
      Not Offered
      Illinois
      • 1.0 general
      Pending
      Indiana
      • 1.3 general
      Unavailable
      Iowa
        Not Offered
        Kansas
          Not Offered
          Kentucky
            Not Offered
            Louisiana
              Not Offered
              Maine
              • 1.0 general
              December 31, 2026 at 11:59PM HST Pending
              Minnesota
              • 1.0 general
              Pending
              Mississippi
              • 1.2 general
              Pending
              Missouri
              • 1.0 general
              Pending
              Montana
                Not Offered
                Nebraska
                  Not Offered
                  Nevada
                    Not Offered
                    New Hampshire
                    • 1.0 general
                    Pending
                    New Jersey
                    • 1.5 general
                    Pending
                    New Mexico
                      Not Offered
                      New York
                      • 1.0 cybersecurity - general
                      Pending
                      North Carolina
                      • 1.0 technology
                      Unavailable
                      North Dakota
                      • 1.0 general
                      Pending
                      Ohio
                      • 1.0 general
                      Unavailable
                      Oklahoma
                        Not Offered
                        Oregon
                        • 1.0 practical skills
                        March 2, 2025 at 11:59PM HST Approved
                        Pennsylvania
                        • 1.0 general
                        Pending
                        Puerto Rico
                          Not Offered
                          Rhode Island
                            Not Offered
                            South Carolina
                            • 1.2 general
                            Unavailable
                            Tennessee
                            • 1.2 general
                            Pending
                            Texas
                            • 1.0 general
                            Unavailable
                            Utah
                            • 1.0 general
                            Unavailable
                            Vermont
                            • 1.0 general
                            Pending
                            Virginia
                              Not Offered
                              Virgin Islands
                              • 1.0 general
                              Pending
                              Washington
                              • 1.0 office management
                              March 2, 2026 at 11:59PM HST Approved
                              West Virginia
                                Not Offered
                                Wisconsin
                                  Not Offered
                                  Wyoming
                                    Not Offered
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Unavailable
                                    Credits
                                    • 1.0 voluntary
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                    • 1.0 general
                                    Available until
                                    Status
                                    Pending
                                    Credits
                                      Available until
                                      Status
                                      Not Offered
                                      Credits
                                      • 1.5 technology
                                      Available until
                                      Status
                                      Unavailable
                                      Credits
                                      • 1.0 general
                                      Available until
                                      Status
                                      Unavailable
                                      Credits
                                      • 1.0 general
                                      Available until
                                      Status
                                      Pending
                                      Credits
                                      • 1.0 general
                                      Available until
                                      Status
                                      Pending
                                      Credits
                                        Available until
                                        Status
                                        Not Offered
                                        Credits
                                        • 1.0 general
                                        Available until
                                        Status
                                        Pending
                                        Credits
                                        • 1.3 general
                                        Available until
                                        Status
                                        Unavailable
                                        Credits
                                          Available until
                                          Status
                                          Not Offered
                                          Credits
                                            Available until
                                            Status
                                            Not Offered
                                            Credits
                                              Available until
                                              Status
                                              Not Offered
                                              Credits
                                                Available until
                                                Status
                                                Not Offered
                                                Credits
                                                • 1.0 general
                                                Available until

                                                December 31, 2026 at 11:59PM HST

                                                Status
                                                Pending
                                                Credits
                                                • 1.0 general
                                                Available until
                                                Status
                                                Pending
                                                Credits
                                                • 1.2 general
                                                Available until
                                                Status
                                                Pending
                                                Credits
                                                • 1.0 general
                                                Available until
                                                Status
                                                Pending
                                                Credits
                                                  Available until
                                                  Status
                                                  Not Offered
                                                  Credits
                                                    Available until
                                                    Status
                                                    Not Offered
                                                    Credits
                                                      Available until
                                                      Status
                                                      Not Offered
                                                      Credits
                                                      • 1.0 general
                                                      Available until
                                                      Status
                                                      Pending
                                                      Credits
                                                      • 1.5 general
                                                      Available until
                                                      Status
                                                      Pending
                                                      Credits
                                                        Available until
                                                        Status
                                                        Not Offered
                                                        Credits
                                                        • 1.0 cybersecurity - general
                                                        Available until
                                                        Status
                                                        Pending
                                                        Credits
                                                        • 1.0 technology
                                                        Available until
                                                        Status
                                                        Unavailable
                                                        Credits
                                                        • 1.0 general
                                                        Available until
                                                        Status
                                                        Pending
                                                        Credits
                                                        • 1.0 general
                                                        Available until
                                                        Status
                                                        Unavailable
                                                        Credits
                                                          Available until
                                                          Status
                                                          Not Offered
                                                          Credits
                                                          • 1.0 practical skills
                                                          Available until

                                                          March 2, 2025 at 11:59PM HST

                                                          Status
                                                          Approved
                                                          Credits
                                                          • 1.0 general
                                                          Available until
                                                          Status
                                                          Pending
                                                          Credits
                                                            Available until
                                                            Status
                                                            Not Offered
                                                            Credits
                                                              Available until
                                                              Status
                                                              Not Offered
                                                              Credits
                                                              • 1.2 general
                                                              Available until
                                                              Status
                                                              Unavailable
                                                              Credits
                                                              • 1.2 general
                                                              Available until
                                                              Status
                                                              Pending
                                                              Credits
                                                              • 1.0 general
                                                              Available until
                                                              Status
                                                              Unavailable
                                                              Credits
                                                              • 1.0 general
                                                              Available until
                                                              Status
                                                              Unavailable
                                                              Credits
                                                              • 1.0 general
                                                              Available until
                                                              Status
                                                              Pending
                                                              Credits
                                                                Available until
                                                                Status
                                                                Not Offered
                                                                Credits
                                                                • 1.0 general
                                                                Available until
                                                                Status
                                                                Pending
                                                                Credits
                                                                • 1.0 office management
                                                                Available until

                                                                March 2, 2026 at 11:59PM HST

                                                                Status
                                                                Approved
                                                                Credits
                                                                  Available until
                                                                  Status
                                                                  Not Offered
                                                                  Credits
                                                                    Available until
                                                                    Status
                                                                    Not Offered
                                                                    Credits
                                                                      Available until
                                                                      Status
                                                                      Not Offered

                                                                      Become a Quimbee CLE presenter

                                                                      Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                                                                      Become a Quimbee CLE presenter image