
Cyber Security in Large Law Firms



Large law firms are constantly fending off a variety of ever-evolving electronic threats. Some are sophisticated, some not so much. They include electronic attacks, misplaced and stolen devices, everyday mistakes and an endless assortment of tricks and scams. Any of these can lead to serious consequences. In this program, we’ll discuss those threats and the consequences that can come with them, as well as measures to reduce the risk to organizational assets and prepare for the inevitable next attack.

Presenters

Scott Aurnou
Founder of The Security Advocate

Transcript

- This is Cyber Security in Large Law Firms. My name is Scott Aurnou. We have a lot to cover, so let's jump right in. Lawyers make excellent targets for data theft. It's an open secret that law firms are targeted constantly. Attackers often see law firms as a back door to strike at the firm's clients. Among criminal hackers, law firms are typically viewed as soft targets with valuable information. Nearly every major firm has experienced a breach at some point, many more than once. In fact, one of the largest data breaches in history took place at a law firm in April 2016. That was Mossack Fonseca. That breach was better known in the public as the Panama Papers. But the threats go well beyond data breaches. Ransomware, business email compromise scams, distributed denial-of-service attacks, and others pose a problem. According to the FBI, business email compromise or BEC scams have cost $43 billion in losses since 2016. Attacks have increased by 65% between July 2019 and December of 2021. And in 2021, data breaches arising from ransomware increased as much as they had in the preceding five years combined. That's according to the Verizon Enterprise 2022 Data Breach Investigations Report, which is well-regarded in industry. These numbers actually are very low, since many victims don't report the crimes. According to the FBI, only 10 to 12% of cyber crimes are actually reported. Now, large law firms typically do have the advantage of resources, including dedicated security personnel and budgets, but that size also makes larger firms more prominent targets. Today, we'll talk about pertinent tech basics, risk management fundamentals, network security, and incident response. Data is broken into three general categories: active, archival, and latent. Active data is what you see in front of you when you're using a computer, your phone, whatever it is. It's the stuff you can access right away. It's the stuff you can easily retrieve.
Archival data, it's stuff that's been put away. It's effectively the same data but put into deeper storage. You might think of it like papers put off in a warehouse. You can get to it, but it's not right there. So this might be something like a backup that's off somewhere else. Latent data is a little more interesting. That's stuff that people think they've deleted from a system that's still lurking around somewhere. As you can imagine, forensic investigators are pretty fond of that. Now, data itself, all data is reduced to binary code. You've seen this. It's ones and zeros often disappearing into the horizon. And because all data is reduced to this information, this allows various devices to share information, because effectively, they're all using the same type of data. Now, every individual one or zero is called a bit. The smallest amount that's actually readable is eight of them together, which is a byte, B-Y-T-E. That's pretty small. Depending on the program, it might be a number, a letter, maybe a small word. It's not a lot, but as they gather up, they get bigger. You can have more and more information. You've heard of the terminology. 1,021 bytes is called a kilobyte. 1,021 of those is a megabyte. Then a gigabyte, terabyte, and so on. And as you have more of them, they each cover more information. And it depends a bit on what you're using it for. Like a high def movie will take up more space than a standard definition movie, that type of thing. But as a general benchmark, if you're talking about just text, a gigabyte is about 75,000 pages of data. So it's a fair amount. And of course, think about how many gigabytes you see in even a stick drive sitting in your pocket. And it adds up pretty quickly. So the actual storage is done in three basic fashions. There's magnetic, optical, and flash, also known as solid state or SSD storage. Examples of this: for magnetic, you might see something like older hard drives. And they're literally stacked like pancakes.
It's these silvery discs. They look a little bit like compact discs, and there'll be a little spinning arm that reads the data. It's actually stored as changes in magnetic polarity. So positives and negatives will correspond to the ones and zeros. CDs and DVDs use optical drives. And that's basically using a laser to read, but instead of the magnetic switches, it's very, very small depressions in the disc, which it reads to correspond to the data. USB drives, smartphones, and some newer hard drives will use the SSDs which are done in a non-moving fashion using little switches inside them. One thing that's interesting about that type of storage is that because they have to preserve the drive, if something is saved multiple times, it's saved in multiple places, which of course can create an interesting thing should someone be looking into that drive later for data. Now, that storage, a concept related to that is storage versus memory. You may have heard of RAM, which is random access memory. That's called volatile memory. What that means in English is that it works so long as your computer is on. So you may think of that as your working space while you're using your computer. And effectively, when you turn it off, that working space is completely cleared off. So anything you haven't saved or stored will be lost. Perhaps you may remember back in school, if you had an incident where you were working on a report and something went wrong with the computer, you lost all your work if you hadn't saved it. But on a related note, what is a program? Also referred to as an application or app. In a simple fashion, it's basically a set of instructions for a computer or device to follow. On a related note, an algorithm is a procedure or formula using a sequence of specified steps to solve a problem. One other concept to touch on is protocols and ports. Protocols are effectively the languages of devices. Different protocols will cover different types of information.
And the ports are the openings between different devices that allow them to communicate. So for example, let's say you're using the internet. That would be a protocol called HTTP or hypertext transfer protocol that goes on port 80. Both the receiving and the sending device have port 80 open. And it goes through that protocol. A secure version of it is HTTPS, which is the secure, like I say, the encrypted version that goes through port 443 and will connect on both sides. Now, of course, machines that have to communicate have to use the same protocol. It's like people using the same language to talk to each other. You have a friend coming in from Japan. Your friend speaks Japanese, speaks English, and speaks Dutch. You speak, say, Italian, Spanish, and English. Well, your conversation's gonna take place in English, because that's a protocol you both understand. Another concept to talk about is what's called the client-server model. That's sort of a basic setup for networks. And the way that works is you have centralized computers called servers, which are more powerful and will handle centralized functions for a given network. You might think something like a brief bank in a firm. Centralized, all covered there. And like spokes on a wheel, the individual clients will connect to that server model in the center. And for example, if you're watching this on a work computer right now, you're watching this on a client. It's connected to it. And you don't have, for example, that brief bank or whatever else it is centralized on that individual computer, but you can access it from it. And of course, a network, generally speaking, will include all devices intended to have access to your firm's data. But of course the computer traits that make it easier to access your own data also make it easier for an attacker to do so if he or she gains access to your system.
The internet itself is essentially a massive decentralized network and information goes back and forth through a process called packet switching, in which information is broken down, sent from one place to another, and then reassembled on the other side. If you've ever seen the movie "Willy Wonka and The Chocolate Factory," there's a scene where the kids wind up in a room with Wonkavision. One of the kids is zapped, winds up disappearing. The other kids look up and there are a bunch of little colorful pieces flying across the ceiling, which then reassemble on the other side of the room. While that's a little oversimplified, in fact, that's kinda what packet switching is. And the idea is it whips over the net and then reassembles on the other side. Each packet has not just the payload of the data inside it, but what are called headers, which indicate where it's going and how it fits with the other ones around it. And it goes from place to place on the internet, using something called an IP or internet protocol address, which is a numerical address corresponding to not just websites, but also devices on the internet. And with that numerical address, you have an exact center, you have an exact location, and you know where something is going. Security itself requires senior management buy-in. A top-down approach is much more effective than attempting to do bottom-up scattering around your organization. IT and information security are also not the same thing. IT generally is focused on new features, keeping things up and running, and doing so as fast as possible. Whereas security is focused on keeping things secure, locking them down. As you can imagine, they're often at cross purposes. So if you try to put one under the other, it can be a problem. So security should not report to IT. In a basic sense, the start of this, which you're looking at, are threats, vulnerabilities, and risks. A threat is something that has the potential to cause harm.
And a vulnerability is the potential opening that threats can use or exploit to cause harm. For example, a vulnerability might be an open window and the threat is a burglar. The risk would be likelihood. Is that window on the first floor or the 51st floor? A related concept is something called impact effectively. If that threat uses that vulnerability, what will actually happen? So in this case, it might be what's inside to steal? Are we talking about gold bars or dust bunnies and old couch cushions? Another related concept is something called an attack surface. That's basically how much of your network is exposed to an attacker. The way to think of this might be something like a snowball fight. Are you standing sideways and hiding behind a tree? Are you squared up right for the person who's gonna belt you with a snowball, exposing yourself and exposing your surface effectively to get hit more easily? The attack coming in itself, by the way, is called an attack vector. Another basic concept in security is something called the CIA triad. Nothing to do with the agency. Stands for confidentiality, integrity, and availability. Confidentiality refers to data that can be accessed by you and no one else who's not allowed to access it. Only the people who are allowed to access data can. That's confidentiality. Integrity means it's unaltered. So the idea there would be, if it's been changed around by an attacker, let's say they've gone on their school computer and changed grades, the integrity has failed, and you've actually got a document which is no longer good, 'cause it's been compromised. Availability means you can get it when you wanna get it. And there are certain attacks which are all about denying you the ability to get to your own data. And like ransomware, for example, they then charge you for the ability to get your data back, at least in theory. Now, to deal with the various problems, you have what are called controls.
Sometimes, different types are referred to as countermeasures or safeguards. But the idea is these are things used to protect your system from potential attacks. They're broken into three essential categories: physical, administrative, and technical. Physical refers to things like gates, locked doors, security guards, cameras, the things you can actually see, feel, and touch. Administrative are things that are written. These are things like insurance policies, policies themselves, written procedures, security awareness training. Technical is the stuff most people tend to think of as classic cybersecurity. Firewalls, antivirus systems, intrusion detection systems, et cetera. Now, with the policies I mentioned, these are administrative security controls, and different organizations will create different ones to suit their needs. Templates are available online for many different types of policies and the related procedures. And we'll cover that in just a moment. A few other basic concepts just to touch upon, there's risk management, which we'll talk about in a little more detail in just a few minutes, but the essential concepts there are risk assessments, where you're breaking down and looking at the risk, and data classification, where you're looking at what data you have and what level of protection it needs. There's also cyber liability insurance, which we'll talk about a bit later in the program. And also incident response, which focuses on business continuity and disaster recovery plans, as well as the incident response procedures. Again, we'll talk about that a little later. We'll also touch upon frameworks and standards, which are often used to organize all of this information. There are a few different types. We'll touch upon them later. At the end of the day, the goal here is a robust security program with consistent policies, repeatable procedures.
They're designed to identify, prevent, detect, respond to and recover from the constantly evolving threats that a modern business faces. Policies are the framework that get everyone on the same page, allowing for a consistent approach to security throughout an organization. For any policy created, be sure to clearly lay out its purpose, scope, and the responsibilities that come with its implementation. In effect, what's it for? Who or what does it apply to? And who will be accountable for what as a result? Different organizations will create different policies to suit their needs. There are a few common ones, as well as their typical uses. An information security policy is a high-level statement of an organization's security objectives. Specific security controls and technical details are laid out in separate written procedures. An information policy clarifies what information, electronic and/or paper, is considered sensitive by the organization and how it should be handled. An acceptable use policy will define who's permitted to use organization computers, email, and other resources. It should clarify what, if any, software can be downloaded onto the organization's equipment. And it must clarify that there is no expectation of privacy on organization equipment or systems. An internet access policy will define appropriate uses of web access and email, and specify inappropriate uses. A social media policy will define who can speak on behalf of the organization and what content can be shared. Now, these are not set in stone. Your firm may use these differently or create entirely different policies to suit your needs. Templates are available for many different types of policies. And in the supplemental materials to this presentation, there is a link from CSO Online with a number of such templates listed. On a related note, procedures are critically important as well. They detail how specific systems should be configured and security measures should be deployed.
They keep security controls consistent throughout an organization while giving detailed specifications for different types of systems. They must be kept up to date as new technology systems and applications are implemented. If you'll forgive the over-simplification, risk management involves assessing, managing, and mitigating potential losses. There are four essential approaches to risk: avoid, accept, deny, and transfer. When you avoid risk, you're actually taking steps to mitigate that risk. This is what security controls are for. You try and reduce the problem. Accepting risk is an awareness regarding the risk, but also that the cost to mitigate exceeds the value of the actual assets at risk. So you accept. Denial is effectively ignoring the risk. Don't do that. Finally, transferring is sending it off to a counterparty. This would be something like cyber liability insurance or contract provisions that would specify what the other party is supposed to do. The risk management process begins with a risk assessment. This effectively generates a prioritized list of security risks to the organization. The agency NIST, the National Institute of Standards and Technology, has a publication series called the SP 800 series. SP 800-30 Revision 1 lays out the essential steps for risk assessments. Now, what does a risk assessment entail? You prepare by identifying and categorizing the assets to protect. This effectively determines the assessment scope. It can be harder than it sounds, especially in a large organization. And of course this includes data classification. To what extent does it need to be protected? That sort of thing. There are five essential steps. This is a simplified version of a not so simple process. One, identify the threats. Two, identify the vulnerabilities. Three, determine the likelihood of occurrence. Four, determine the magnitude of impact. And five, determine the risk.
Your firm network is the primary repository of confidential client data and firm data. Who are the potential attackers? These could be criminal gangs, competitors, or adversaries. Depending on the type of work your firm does, it could be nation states. There's always a risk from insiders and even hacktivists; the Mossack Fonseca Panama Papers breach from 2016 involved just that. So exactly, what are you protecting your network from? These could be business interruption attacks, data breaches, malware, or social engineering. We'll cover all of these in turn. Protecting your network begins with a secured network design. A well-laid out network is both easier to defend and easier to monitor. A couple of the main things you wanna look at here are network segmentation and choke points. Network segmentation is breaking your network into parts, sort of like watertight compartments on a submarine. And choke points means making sure that the traffic moving through your network is going through specified points where you have security controls in place that can analyze it and potentially stop it if there's a problem there. You also wanna change default settings. We'll talk about this a little bit later, but in effect, what it comes down to is a lot of the stuff that comes out of the box works because they're default settings, default passwords, et cetera, et cetera. And this can be a problem because most attackers can find them pretty easily. If you'd like to see an example of this, check out the website, routerpasswords.com. You can probably find the initial password for your router unless it's been changed. Also, you wanna make sure data encryption is widely used throughout the network. This is basically running an algorithm through the data, which scrambles it and turns it from readable, easy to use data into gibberish, which requires the decryption key to get it back.
In effect, it's encrypted with one key, decrypted with either the same key or a different key, depending on what type of encryption is set up. If an attacker gets the data without the corresponding encryption key, they won't be able to decrypt it and use it. Under a lot of the regulations that cover this area, what winds up happening is that if the data is stolen without the key, that's considered secured and hence not a reportable data breach. You'll also wanna check out your wireless network encryption. Basically, are your firm's routers using the current version of it? That would be WPA3, that's Wi-Fi Protected Access 3, or WPA2 for enterprise. The earlier version, WPA, or worse yet, WEP, which is Wired Equivalent Privacy, are both not secure by today's standards and can be trivially broken by attackers. System hardening is also a necessity. This is basically removing anything that you don't actually use on the system. In effect, if you don't use it, remove it. Another area that needs to be covered is patch management. This is keeping your software up to date. The vast majority of attacks go after things that have already been fixed, but most people don't put the software updates into place in a timely manner. Attackers know this, and that's what they target to go after networks. On a related note, you also wanna hit what's called firmware. This is stuff on your network devices that's actually keeping it running. So this would be the operating systems on something like a router or switch, something like that. They need to be kept up to date as well. One other thing is endpoint security. Endpoints are the part of the network we actually interact with. This might be your phone, your computer, a printer, the things that humans actually go day to day with, aside from your IT staff. And hackers will often use poorly secured endpoints as a beachhead to gain access to a network.
Another thing to look at is access management, which we'll cover in a little more detail in a little bit. And the key thing there is to limit access rights, i.e., who can get to what. And we'll talk a little bit about something called the principle of least privilege. The idea that if someone's on the network, you only wanna give them access to what they need and absolutely nothing else. And one other thing, we'll talk a little bit about backups, which prevent potentially catastrophic data loss and system damage in the event of an accident or malicious destruction, because if something goes wrong, you can dump the system effectively and reset with your backup. Another concept to look at is defense in depth. This is effectively putting multiple controls between an attacker and a target network. An analogy for this might be something like an outer gate, guard dogs, and a locked door between an attacker and a target building. There's also a concept of a perimeter in most networks. It's basically a conceptual boundary separating an organization's network from the outside world. In other words, the internet. It's not so easy to define in the age of cloud computing and remote work, but it's still somewhat pertinent, as a lot of security controls are set up to guard the perimeter. One of the main security controls you may have heard of is antivirus software, also referred to as anti-malware software. It targets malicious programs and can use either a signature-based approach, where it's looking for snippets of the offending code to try and recognize and block, or behavioral-based, where it's looking for something that's off the baseline inside the network. Another thing you may have heard of is something called a firewall. That's basically a filter, which looks at the data packets coming into a network, depending on the type of firewall. It might look at individual packets.
It could look at packets as they relate to the ones around it, or even try to do what's called deep packet inspection, where it's attempting to look at the payload inside the packet, the actual data, to see if there's something amiss there. Now, network monitoring is also key, and this involves network traffic analysis. Typical devices for that would be something like an intrusion detection system or intrusion prevention system, that's IDS or IPS. Again, there's signature and behavioral-based. Also, something to look at is logs. A log is basically a recording of the events that happen within a network, attempted logins, things like that. The more you have an idea of that information, the more you can see if something is wrong. Or if something happens later, you can look back at the logs and see where the problem originated. Now, behavioral-based IDS and IPS, as well as antivirus, are generally more effective. Studies have shown that once inside the perimeter, attackers almost always switch over to legitimate IT tools to analyze and spread across your network rather than the malware they may have used to get in initially. And of course, if it's a signature-based system, once they're using something legitimate, it's not gonna show up. You're more likely to see something that's a little off your baseline. In effect, what the behavioral stuff does, is it analyzes your network, sees what's normal, and then looks for things that don't quite fit. Additional tools you can run across include data loss prevention or DLP systems, honeypots, and application whitelisting, sometimes referred to as allowlisting. A data loss prevention system tags data within your system, and looks for things that shouldn't be going outside your system or being exfiltrated from your system and tries to block it. Let's say it's looking for something like credit card numbers or social security numbers, specified kinds of data. It tags it, and if it's moving outside the system, the DLP will try to stop it.
Honeypots are meant to be basically tempting targets. The idea there is that it's, in effect, a trip wire. If an attacker sees something that looks like an attractive piece of your network that's actually fake, that's a honeypot. The idea is that a real person on the network would never use it, but it would be something like super secret, top secret data related to a specific client. The attacker goes, hmm, what's this? They go to check it, and then your security team gets an alert, notifying them that someone's in the system who should not be. If you have multiple honeypots, that's referred to as a honeynet. Application whitelisting is basically an invitation-only party. Think of a regular system as something like a bar, where you have a bouncer who throws someone out if they misbehave. But anyone can get in in the first place. Whitelisting is the other way around. Invite only, so you can't get in the door in the first place unless you're allowed in or whitelisted. The first step in network monitoring is understanding what's actually connected to what. Network mapping clarifies the relationships between computers, devices, servers, and available services on a given network. It's important to know your network access points and check for unintended access. A related concept, network enumeration, involves keeping an updated list of every machine and device with access to the network. This includes serial numbers, device and computer owners, and the level of access for each. It's important not to permit jailbroken or rooted devices to access your network. Jailbreaking relates to overriding the security settings on an Apple device like an iPhone or iPad, whereas rooting refers to the same process on an Android device. It will allow it to do certain things the phone doesn't natively permit, perhaps accessing illegal programs, that type of thing.
But it also makes the device vastly less secure and certainly should not be connected to an organizational network. A centralized software called mobile device management software should be able to lock this down and detect it easily enough, but it has to actually be used for that purpose. Intrusion detection and prevention systems, like we mentioned here, the IDS and IPS, they're a little bit different. IDS is sort of like a red light camera. It's passive. It's looking for something that looks unusual and then sends an alert to your security team. IPS is more like a DWI checkpoint. It's active. It sees something out of place and tries to actively stop it. The network traffic is analyzed to gain insight into the type and amount of traffic or data flowing through your network. There are numerous tools available. These are things like network analyzers, protocol analyzers, packet analyzers, packet sniffers. Names you might see would include Wireshark, Nmap, and others. And if you wish, you can actually discuss this with your security team. They're actually probably happy to talk to you about it. The more you know, the more secure the network becomes. Another thing you may or may not run across as an attorney is something called a SIEM system. That's S-I-E-M or security incident and event management. Those are basically used to tie in information from different parts of the network together. So if something collectively looks a little out of place, it lets your security team know, because normally, they're dealing with audit logs. And audit logs can be rather massive if they're coming from enough devices. Your security staff will choose what gets monitored. These are logins, things like remote access, parties trying to get through firewalls, that type of thing. But like I say, more is actually not better. Too much information can be overwhelming and crucial alerts can get lost in the din.
The Target breach, which happened in 2013, actually involved something in which, yes, alerts were received. However, those were among tens of thousands of alerts received every day by that security team. And the handful that actually were on target were missed because of the sheer number of them. Forecasts called for about 29 billion internet of things devices to be connected to the net by 2022. And yeah, that's right now. Also, the number is growing rapidly. Smart appliances and other IoT devices like smart thermostats can connect to the internet through your network. And the default settings are often insecure. And of course, that smart fridge and the smart thermostat, et cetera, et cetera, they're all going to need software updates for around 20 years or so, because you're gonna have them for quite a while. What does that mean for something with weak default settings and not necessarily likely maintenance and safety concerns? Could be a problem. There's a joke in the information security community, the S in IoT stands for security. If you're thinking, wait, there's no S. That's the joke. Physical security can be easy to overlook when contemplating cybersecurity, but physical access typically means easy network access. It's also easy to steal physical records on paper. And also, devices called network taps can be placed on communication lines within or leading to a building, which effectively read the data going through the lines, assuming it's not encrypted. Now, how do attackers gain physical access to a building such as yours? A main way would be pretexting. This would be something like someone pretending to be a fire inspector, looking at copper wiring, that type of thing, or a "new guy" from your IT department checking on your remote setup. Once they've got their story set, they're in and they can create mayhem. Another thing is something called tailgating.
Tailgating is basically someone who has the actual right and authority to be there allowing in someone who does not, generally by accident. The idea there is that it could be someone hanging around an entrance to your building. They look the part, they sound the part, they're from "a different department." And after you've chatted for a few minutes, you're going to go back in. And they're like, oh no, I forgot my pass on my desk. My boss is gonna kill me. You, being a decent human being, of course, yeah, sure, come on in. And then you've inadvertently allowed them into the network. Another one to look at here is threats that are on removable devices like USB sticks. This is often done through something called baiting. Baiting is setting up something like that so that it looks like it's tempting. Try to imagine a USB stick labeled something like "expected staff cuts in the next month." Of course you're gonna wanna look at that. You'll plug it into the system. And if it's laden with malware, that malware gets on the system. Now, another thing to look at here obviously is physical loss or theft of hardware and/or data. These are like lost or stolen laptops, mobile devices, and storage media, like the aforementioned USB sticks. They can be lost when the devices are outside the network, or they can be taken by an internal intruder moving around inside as a result of tailgating or pretexting. And this underscores the critical importance of encryption, because if something like this is stolen but it's encrypted, it's not gonna be so easy for the attacker to be able to open it up and read it because they don't have the decryption key. And of course, you have to look at paper data too. This could be stuff on group printers and recycling bins and even dumpsters. Yes, that's right. Dumpster diving is real. And also, if it's someone who's inside, what's sitting on your desk? They can just reach over, take it and keep going.
And of course, another thing to look at here is damage or destruction from various causes. Could be weather, fire, critters, misplaced magnets hurting a magnetic drive, something like that. And again, this underscores the value of backups to restore systems when needed. Insider threats to the confidentiality of client data can be especially pernicious. The threat effectively begins inside the network, hurting your perimeter defenses. It includes, in part, departing employees. When dealing with them, you need to immediately revoke access for any ex-employee as soon as he or she leaves. This means revoking any network access, including account, email, and VPN connectivity. Enterprise devices in the departing employee's possession should be remote-wiped. This means basically sending a command which will effectively factory reset the device or wipe all the data off of it. If it is an enterprise-issued device, your security team should have the ability to do this. On a personal level, you can also do this with your own phone if it's stolen. Also wanna deactivate any physical badges to prevent unauthorized entry into the facilities. And it's important to coordinate between IT and HR when an employee is terminated to make sure these things are done in a timely fashion. So what are the risks? There's theft of firm data. There's also sabotage. A gentleman named Timothy Lloyd set off a type of malware called a logic bomb against his employer, Omega Engineering Corporation, in 1996. He was a former network administrator who wrote six lines of code, which detonated when one of Omega's employees logged into the system. It destroyed design and production programs worth nearly $10 million for that former employer, which was a primary supplier to the Navy and NASA, and resulted in the first computer sabotage case ever tried in federal court. If you're curious to read more, it's United States v. Lloyd, 269 F.3d 228. That's Third Circuit, 2001.
Another risk from insiders is shadow IT and data leakage. That can be intentional or unintentional. Basically, the idea is you wanna get more work done at home or keep copies of firm data, contacts, research briefs, et cetera. And when you bring firm information outside the network, but your network personnel don't know about it, that's shadow IT. It's sort of part of the network, but not really. So they can't control and protect it. And this could mean emailing work to yourself on a home computer or non-work email account, portable storage like a USB stick, or storing work data in personal cloud accounts. It's a common problem to simply forget to delete that firm data once you're done with it. And of course, once it's there, it's out there and attackers can get to it. A related unintentional threat could be who else has access to your colleagues' computers or devices. Spouses, kids, et cetera. It could be as simple as a kid playing a game. And what winds up happening is when playing that game, they wind up downloading something related to it, which is laden with malware. And then poof, it's introduced to your system. Countermeasures can include network monitoring, DLP systems, and also procedures. These might include mandatory vacation, in which people in given positions are basically forced to be outside that position for a given period of time on vacation, which means if that person is engaging in an insider threat, doing something threatening to the network, the person who's taking over that position for that time can theoretically find it. It's also rotating duties, which is a similar concept where people rotate through different job functions. And if they see something suspicious, of course, that can be alerted and hopefully stopped. Also, for certain sensitive actions, multiple personnel should be required. Obviously, if you're moving large amounts of cash, for example, that should be secured by having more than one person responsible for it.
And of course, keeping systems up to date and whitelisting or allowlisting can counter attempts to introduce the malware itself into the system, because if the system is up to date and the malware is based on an earlier flaw, it won't work inside the system. Inventory and control is critical to protecting a modern network. You need to establish what you actually have to protect before you can set about protecting it. This is especially important with the increased remote work and usage of cloud-based resources in modern days. These revolve around system assets and software assets. System assets include anything with the potential to store or process data. It's important to establish and maintain an accurate, detailed and up-to-date inventory of all enterprise assets, including assets connected physically, virtually, remotely, and those within cloud environments, as well as assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. This includes servers, network devices, end user devices, including portable and mobile, and non-computing or IoT devices. Active discovery tools can be set to identify assets connecting to your network, and this should be done daily, if not more often. Unauthorized assets should of course be removed and/or denied access. Software access should be actively, sorry, software assets should be actively managed. This means inventory, tracking, and correcting. And this is for all software. That's operating systems and applications which are connected to your network, so that only authorized software is installed and can execute, i.e. run, and that unauthorized and unmanaged software is found and prevented from installation or execution on the system. Also, keeping software up to date and addressing any potential licensing issue is key to making sure the version you're using is in fact a secure version.
Unsupported software should be removed, as well as unnecessary applications, add-ons, plugins, et cetera. Commercial software inventory tools are widely available. And also, the whitelisting and allowlisting we referenced earlier is included in many modern endpoint system suites and even natively implemented in certain versions of major operating systems. Network infrastructure management begins with secure network architecture. We touched upon the idea of segmentation earlier. The idea that you wanna keep your network in separate, effectively watertight compartments. So something infecting one section won't move into another. A good historical example of this would go back to 1918 with an Austro-Hungarian battle cruiser called the Szent István or Saint Stephen. It was almost 500 feet long. Big monster of a ship back in the day. It was a Dreadnought class, used for the big scary ones on the seas. And it was sunk by a couple of torpedoes from Italian motor torpedo boats, which of course, we're talking vintage 1918 torpedoes, nothing like the current ones. How in the world did these two torpedoes sink such a gigantic ship? Well, the architecture of the ship was such that it was basically one giant hull. Things were not detached beyond basic room separations. So when it was hit with these torpedoes and water started gushing in, all they had were these heavy collision mats they pushed up against the hole in the hull, and water pumps. Problem is, since they couldn't keep the water specified in specific segments of the ship, it kept moving across the ship, like an infection moving across a network, and eventually the ship rolled over and sank. There are videos online if you're curious to see it. Now, we mentioned the concept of the principle of least privilege. The idea is that once someone is inside a system, it's not just a matter of what you're able to do to get into the system. It's also what are you authorized to do once you're inside it.
And the idea behind the principle of least privilege is to keep that authorization to a minimum. So if an account is compromised, that way, there's less damage that an attacker can theoretically do, because realistically, why would you give anyone access to something they don't need to access? Nothing good can come of that. We also touched upon choke points earlier, and this is the idea that the way you're setting up a network funnels information flows into areas that can be more easily protected, as opposed to moving across wherever it is. And that's harder because then the security folks have to effectively chase it down. Now, it's also important, like we said earlier, keeping firmware and software up-to-date, also using secure protocols. Default configurations for network devices are geared for ease of use of deployment and, sorry, ease of use and ease of deployment, not security. So the idea there is always to make sure that it's great, that it's set up to work out of the box, but you've gotta make sure it's working securely. Potential default vulnerabilities include open services and ports, default accounts and passwords, including service accounts, support for older vulnerable protocols, and pre-installation of unneeded software, AKA bloatware. Sort of like the garbage you see on your phone when you turn it on. It's got a bunch of programs you don't want and never asked for. Any changes or exceptions must be fully documented with up-to-date network and security architecture diagrams. The changes or exceptions must be removed as soon as they're no longer needed. Also, it's important to establish and maintain a centralized AAA. That's authentication, authorization, and audit infrastructure. Once again, someone's inside the network, what are they authorized to do? Have you authenticated them being in the network in the first place?
And once they're on the network, can you audit what's happened there so that we can see what's going on and what might have to be checked later if there is in fact a security incident? Also, remote connections should be made via VPN and connect through the enterprise's AAA infrastructure. Effective network monitoring and defense requires a trained and organized team. Some smaller firms may use what are called MSSPs, managed security service providers. But a larger firm should have an internal team. Now, realizing what they're reacting to is security alerts. Those alerts should be centralized. A SIEM system can help organize the various logs and alerts for the team, which can make life a little bit easier. Detection and prevention tools we touched upon earlier are generally filtering between the various network segments, and they're collecting traffic flow logs so they can see what is going where. An IDS or intrusion detection system can be host-based, a HIDS, or network-based, which is a NIDS. The idea of a host-based system is it's directly on a computer or server. It's right on it looking for whatever trouble it's seeing in the traffic directly. A network-based one will be looking at traffic as it's flowing between various segments of the network and devices. An IPS or intrusion prevention system again can be host-based or network-based. Same basic concept. Enterprise monitoring should be able to see into cloud platforms that might not be in line with on-premises security technology. Meaning, if it's not necessarily lined up with your system, your security team still needs to know what's going on. Your security team will also have to establish and maintain a secure configuration process for enterprise assets, meaning servers, network devices, end user devices, including portable and mobile and non-computing or IoT devices, as well as software, meaning operating systems and applications.
Default settings on devices from manufacturers and resellers, as we've noted, are typically geared towards ease of use, with default passwords, administrator accounts, bloatware, open services and ports, et cetera. Security configuration updates must be managed through the life cycle of the asset or software. And secure baseline resources are available through NIST as well as the Center for Information Security's benchmarks. Both of these are included in supplemental materials, if you're curious to look at them. Baselines can be augmented in response to compliance requirements and/or enterprise security policy. Just be sure to document any changes. Security controls are also helpful here, including session locking, i.e. password protecting when something's not being used for very long. Should be two minutes or less for mobile devices and 15 minutes or less for other network assets. Firewalls should be used for servers and end user devices. And secure protocols such as Secure Shell and HTTPS should be used rather than insecure ones, such as Telnet and HTTP. HTTP, once again, is the unencrypted internet. And Telnet is an old communications protocol dating back to the 1970s. Obviously, that's not very safe nowadays. Also, admin accounts and default accounts should all be disabled. Admin accounts generally have full access to a network. And of course, if an attacker gets access to it, they can do just about anything they want. Add new accounts, add software, delete software, alter software. And of course, you don't want that. Also, these device lockouts, these are important because basically, that's someone trying to get into a device and you wanna have limits on that. Should be 10 attempts or less for mobile devices, 20 or less for other network assets. And that can be set up through Microsoft's Intune device lock or Apple's configuration profile max failed attempts. Also, you wanna enable remote wipe on portable devices to protect them if they're stolen.
Separate work and personal spaces can also be enabled on mobile and user devices using Apple's configuration profile or Android's work profile. Let's take a moment to talk about access control. So what is it? In fact, who can get on your network and what can they do once they're on? The basic steps are identification, authentication, authorization, and auditing, sometimes referred to as accounting or accountability. Identification is, who are you? For example, what is your username? You're identifying yourself to the system before you try to get on it. And I will mention this over and over again. The username admin or administrator should not exist anywhere on your network. That's a glowing red flag for attackers to come after a highly privileged account that can cause great damage if they access it. Now, second, we have authentication. Are you who you claim to be? This is why passwords exist. Now, one thing that's often used to protect systems is something called a slower password encryption scheme with what are called multiple iterations. Plain English, what happens is when you use these specific types of encryption, you enter your password, and rather than very quickly snapping back, which might take a small fraction of a second, like 1/10,000 of a second, it'll go through it over and over again internally. So instead of, say, 1/100,000th of a second, it'll take a 10th of a second. Now, of course, at home or in the office, you're probably not gonna notice this, but for a machine-based attacker that's trying to do millions of guesses a second, you can obviously imagine this slows it down quite a bit. Just in case you're curious, those slower password encryption schemes have names like bcrypt or PBKDF2, and a few others. But that's what's used to slow down attackers in this particular avenue of attack. One other thing you run across is something called multifactor authentication. These can be tokens, biometrics, text messages, and others.
We'll talk a little bit more about that in just a moment, but that's something done in addition to a password to authenticate who you are. And then once you're allowed into the network, authorization: what are you actually permitted to do? This is broken into a four-word acronym, which is actually CRUD. Yeah, CRUD, which is create, read, update, and delete, which is what you can do with the various files you can interact with. Can you create new ones? Can you just read existing ones? Are you allowed to update them? Or can you delete them? Finally, you have accountability or auditing. And that lets your security folks know who's on the network and what actions they're undertaking. Now, how should your law firm approach access control? I'll say it over and over again. You need to limit access rights, who can get to what, and this definitely includes senior partners. One thing that sometimes endangers networks is senior partners who want access just because. The problem is that makes them very ripe targets for attackers, and that's a problem, which brings us back to that principle of least privilege. And mind you, that's not just for your own personnel. Third-party access to your system must also be as limited as possible. I mentioned the Target breach a little earlier. That actually came through an HVAC vendor's system, which was connected to Target's to a greater extent than it should have been. It was uncovered during the 2013 holiday shopping season. And the thieves made off with approximately 40 million customer credit card numbers. In the aftermath, Target has paid out well in excess of 100 million in settlements with affected banks and customers. And the CEO and CIO stepped down soon thereafter. And the principle of least privilege also applies to devices, applications, et cetera, not just people. Whatever it is on the system, it shouldn't access more than it absolutely needs to access. Also, the admin privileges.
These are these heightened accounts that can do anything within the system: creating new user accounts, new programs, deleting programs. That should be as limited as possible. Now, if access for a specific account does need to be temporarily expanded, like let's say a case involving multiple practice groups, be sure to rescind that expanded access just as soon as it's no longer needed. And once again, immediately rescind access, including remote access, for any ex-employee as soon as he or she leaves. Passwords and the corresponding multifactor authentication control access to various accounts and system resources. And they can have a tremendous impact on the confidentiality of client and firm data. So what steps should you use? What steps should you take to use them securely? Of course, once again, change all the full passwords immediately. And also, don't reuse your passwords. This is sometimes referred to as daisy chaining. Also, 'cause obviously when you're daisy chaining, let's say somewhere, somehow, an account gets compromised. If you're using that same password elsewhere, that could lead to that account getting compromised thereafter. Also, don't have a file or email called "passwords" anywhere on a local computer or stored in an email account. Both are relatively easily searchable, and an attacker will do that pretty early in the process. So the most important factor in making a password secure is actually length. The longer it is, the more possible combinations and possibilities there are. For example, if you're talking about a 12 character password versus an eight character password, there are 81 million times as many combinations for a 12 character password. Not 81 million more, 81 million times as many. It's a really big difference. So nowadays, realistically, you want about a 14 character minimum. Now, this can include upper and lowercase letters, numbers, and symbols, and a good way to do this is using something called a passphrase.
This can literally be a collection of random words. One famous example is "correct horse battery staple." Don't use that one, it's been used before. Or you can do something that relates to something that you've done, something familiar. "Ski weekend in Vail 94," something like that. Okay, that relates to something you've done. It's gonna be familiar to you and easy to remember, but it's nice and long, so an automated attack is gonna have a lot of different options and it'll take time for it to break it. So a lot of these attacks, like I say, are coming by a machine. These are called brute force attacks, and they're just making guesses one after another after another, trying to break the system. So if you have something that's longer, there are more potential guesses and it becomes more complicated. Now, two-factor authentication or multifactor authentication involves things like fingerprint scanners, text messages, authenticator apps, or security tokens. Now, when you're talking about something like a fingerprint scanner, that's called biometrics, you have an issue there with what's called non-revocability. The reason for that is, at the end of the day, like I mentioned earlier, everything is reduced to data - ones and zeros. The way one of these systems actually works is you'll do a fingerprint, thumbprint, hand print, whatever it is, on the system initially to get the first baseline, and that's what the system stores. And it's comparing it to that when you try to log in again later. The thing is, what's it comparing? It's comparing data. When it breaks it down in the first place, it's breaking it down to data. And then when you're trying to log in again, it's breaking that down to data and seeing if they match. Of course it means if an attacker happens to get a hold of that data, you can't switch out your thumb or your hand print or whatever else it is as easily as you can a password. Now, a physical token I think is a great way to go about this.
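An added example, not from the course, that puts numbers to the two password points made above: how length multiplies the number of combinations (the 12-versus-8 character comparison) and how an iterated scheme like PBKDF2 slows a brute-force attacker. It assumes a 95-symbol alphabet and PBKDF2-HMAC-SHA256 at 600,000 iterations; the per-guess timings are the talk's rough figures.

```python
"""Added example (not from the course): why password length and slow hashing
matter, using the numbers from the talk.

Assumptions made here: a 95-symbol alphabet (printable ASCII) for the
combinatorics, PBKDF2-HMAC-SHA256 with a work factor of 600,000 iterations as
the "slow" scheme, and the talk's rough per-guess timings (1/100,000 s for a
fast hash, 1/10 s for a slow one).
"""
import hashlib
import hmac
import os

PRINTABLE_ASCII = 95           # upper/lowercase letters, digits and keyboard symbols
DEFAULT_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_ratio(longer, shorter, alphabet_size=PRINTABLE_ASCII):
    """How many times more candidates a `longer` password has than a `shorter` one.
    For 12 vs 8 characters this is 95**4, the 'about 81 million times' from the talk."""
    return keyspace(longer, alphabet_size) // keyspace(shorter, alphabet_size)


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=PRINTABLE_ASCII):
    """Worst-case time for a brute-force attacker to try every candidate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def slowed_guess_rate(guesses_per_second, fast_hash_seconds, slow_hash_seconds):
    """Guess rate once each guess costs `slow_hash_seconds` instead of `fast_hash_seconds`.
    Iterated schemes (bcrypt, PBKDF2) work by raising the per-guess cost this way."""
    return guesses_per_second * fast_hash_seconds / slow_hash_seconds


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Store (salt, iterations, digest) rather than the password itself.
    A fresh random salt per user means identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("12-char vs 8-char keyspace ratio:", keyspace_ratio(12, 8))
    fast = 1e9  # assumed: a billion guesses per second against a fast hash
    print("guesses/s after switching to a slow hash:", slowed_guess_rate(fast, 1e-5, 0.1))
    print("8-char worst case at the slowed rate (years):",
          seconds_to_exhaust(8, slowed_guess_rate(fast, 1e-5, 0.1)) / (365 * 24 * 3600))
    salt, rounds, digest = hash_password("Ski weekend in Vail 94")  # passphrase from the talk
    print("verify correct passphrase:", verify_password("Ski weekend in Vail 94", salt, rounds, digest))
```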
There are different ways they're set up. Some of them, you'll hold a token which has a changing code and you'll have to punch in the code after you do your password. That's effective. There are other ones like a YubiKey where you actually plug it into your system, and until it's physically plugged into the system, it won't operate. Also relatively effective. A very helpful related technology is something called a password manager. Hopefully, your firm has you using these already. If not, I definitely recommend looking into them. Password managers can randomly generate strong passwords for a user. Nice, long, gibberish-looking things that you actually don't have to remember, because the passwords are encrypted and locked behind a single master password that only the user knows. That's the one you have to worry about. The software will also securely save your login info so that you can automatically log into the accounts, either directly through the software or via a browser button add-on. It will also prevent you from inadvertently entering a password on the wrong site, like a phishing site. The way it does this is it's going again by the actual internet protocol address for whatever site you're looking at. And mind you, attackers can make fake sites look exactly like the real thing. Everything about it looks legit, but it's actually in the wrong place on the internet, and password management software will catch that and won't try to log you in. You can also have a portable version of the software, which can be installed on a USB drive and used to log in to accounts on other computers. So again, your firm hopefully is providing this. And if not, there are a number of options. How do you choose a good one? Take a look in the supplemental materials. I popped in a link from PC Magazine talking about which ones are out there, what their relative features are, and which ones might work best for you.
Account and access control management of course will fall to your security team. It will assign and manage authorization to account credentials with a centralized inventory. And that centralized inventory should include which authorizations go for each individual user. Of course, it's easier for an attacker, be it external or internal, to gain unauthorized access to enterprise assets or data by using valid user credentials than by hacking their way in. The potential attack vectors here are weak passwords, accounts that are still valid after a user leaves the enterprise, and dormant or lingering test accounts. These could also be shared accounts that have not been changed in months or in years. Service accounts embedded in applications, or a user with the same password as one used in a compromised online account, like a public password dump, et cetera. This is the daisy chaining we referred to earlier. Social engineering, basically engineering to get their password. We'll touch upon social engineering momentarily. This is basically trickery to get you to give up information or access. And then using malware to capture passwords or tokens in memory or over the network. These are spyware, keyloggers, et cetera. We'll talk about that in just a bit. Administrator and highly privileged accounts are especially targeted because they allow attackers to add other accounts, download applications, and make changes to assets that can make them more vulnerable to additional attacks. This is the privilege escalation we touched upon earlier. Now, for controls, credentials and accounts must be inventoried and tracked. And this should include the name, username, start date and department of each individual user at a minimum. Dormant accounts must be disabled after no more than 45 days inactive and eventually removed from the system. Periodic audits are also important, monthly or more often.
Also, you have to ensure that all active accounts correspond to authorized users of specific enterprise assets. There should be no orphan accounts that don't really attach to anything. Administrator and highly privileged accounts should be separate and only used when absolutely necessary. Those account holders must also have non-privileged accounts which they actually use day to day. And of course, unique passwords are key. Current best practices call for an eight character password for accounts using multifactor authentication and a 14 character password for accounts not using MFA. As I mentioned earlier, longer is always better, so even if you can get away with eight, according to the guidelines, longer is a better move. Single sign-on and password managers are also key. Single sign-on accounts, which many of you may encounter now, you have one sign-on which gets you throughout the network. That should always be combined with a password manager because there's a lot of danger there. And also, multifactor authentication. This should also be required for administrator and privileged accounts just out of hand, and also for remote logins, and strongly recommended for single sign-on accounts. It's an extra layer. Is it slightly inconvenient? Yes. Does it help protect you and your enterprise? Big yes. Also, processes should be established for initiating, changing, and revoking account authorizations. Immediately disabling accounts upon termination or change in a user's role or authorizations within the enterprise. And disabling accounts is often preferable to immediate deletion in order to preserve audit trails in case there's something that needs to be checked later. Initial access to the system should be established in accordance with the user's role. This is called role-based access control, and tweaks can be made later. Data protection is also a key concern, as data no longer stays within an enterprise's borders.
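An added example, not from the course, that runs the account controls just described (no admin or administrator username, ex-employees disabled immediately, no orphan accounts, dormant after 45 days, MFA on privileged accounts, disable rather than delete) over a constructed account inventory. The record fields and the sample accounts are assumptions.

```python
"""Added example (not from the course): an account audit that applies the
controls described in the talk to a constructed account inventory.

Checks implemented: the usernames admin/administrator should not exist,
ex-employees must be disabled immediately, every account needs an owner (no
orphans), enabled accounts idle for more than 45 days are dormant, and
privileged accounts must use MFA. The inventory records and field names are
assumptions for this example.
"""
from datetime import date

FORBIDDEN_USERNAMES = {"admin", "administrator"}
DORMANT_DAYS = 45   # the talk's limit: disable after no more than 45 days inactive

# Constructed inventory. Each record carries the minimum the talk asks for
# (name as owner, username, start date, department) plus the fields the checks need.
INVENTORY = [
    {"username": "jdoe", "owner": "Jane Doe", "start": "2021-05-03", "department": "Litigation",
     "last_login": "2024-02-28", "enabled": True, "employed": True, "privileged": False, "mfa": True},
    {"username": "jdoe-adm", "owner": "Jane Doe", "start": "2022-01-10", "department": "IT",
     "last_login": "2024-02-27", "enabled": True, "employed": True, "privileged": True, "mfa": False},
    {"username": "admin", "owner": "IT (shared)", "start": "2015-06-01", "department": "IT",
     "last_login": "2024-01-05", "enabled": True, "employed": True, "privileged": True, "mfa": True},
    {"username": "svc-scan", "owner": None, "start": "2019-09-12", "department": "IT",
     "last_login": "2024-02-29", "enabled": True, "employed": True, "privileged": False, "mfa": False},
    {"username": "bsmith", "owner": "Bob Smith", "start": "2018-03-19", "department": "Corporate",
     "last_login": "2024-01-20", "enabled": True, "employed": False, "privileged": False, "mfa": True},
    {"username": "test01", "owner": "QA team", "start": "2023-08-01", "department": "IT",
     "last_login": "2023-10-01", "enabled": True, "employed": True, "privileged": False, "mfa": False},
    {"username": "cjones", "owner": "Carol Jones", "start": "2017-11-06", "department": "Tax",
     "last_login": "2023-01-01", "enabled": False, "employed": True, "privileged": False, "mfa": True},
]


def days_idle(account, today):
    """Days since last login; a never-used account counts from its start date."""
    last = account["last_login"] or account["start"]
    return (today - date.fromisoformat(last)).days


def audit_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """Return (username, finding) pairs; an empty list means the inventory is clean."""
    findings = []
    for acct in accounts:
        user = acct["username"]
        if user.lower() in FORBIDDEN_USERNAMES:
            findings.append((user, "forbidden-username"))
        if acct["owner"] is None:
            findings.append((user, "orphan-account"))
        if acct["enabled"] and not acct["employed"]:
            findings.append((user, "ex-employee-still-enabled"))
        # disabled accounts are left alone so their audit trail survives
        if acct["enabled"] and days_idle(acct, today) > dormant_days:
            findings.append((user, "dormant"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((user, "privileged-without-mfa"))
    return findings


def accounts_to_disable(accounts, today, dormant_days=DORMANT_DAYS):
    """Dormant and ex-employee accounts get disabled (not deleted) first."""
    return sorted({user for user, finding in audit_accounts(accounts, today, dormant_days)
                   if finding in ("dormant", "ex-employee-still-enabled")})


if __name__ == "__main__":
    audit_day = date(2024, 3, 1)   # constructed audit date
    for user, finding in audit_accounts(INVENTORY, audit_day):
        print(f"{user:10} {finding}")
    print("disable now:", accounts_to_disable(INVENTORY, audit_day))
```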
It could be in the cloud, on portable end user devices, or where users work from home. And it's often shared with partners and online services that might have it anywhere in the world. Attacks can involve network and/or third-party data exfiltration. That's removal. And theft of portable end user devices, or even user error. And of course there are related federal and state compliance concerns where specific steps need to be followed. It's important to establish and maintain a data management framework, data classification guidelines, and requirements for protection, handling, retention, and disposal of data. This includes a data inventory. Permissions, AKA access control lists, are also used. The acronym for this is ACL, and sometimes that's pronounced "acles." Data retention should specify both minimum and maximum retention time. And a data classification scheme should be in place, which indicates which level of protection data needs. Data might be classified as sensitive, confidential, public, or others. Data inventory and mapping is also important to document data flows. In effect, which software accesses the data and where does that happen in the network? Data should also be segmented based on sensitivity level. Effectively kept separate from data and enterprise assets at other levels, with access controls put in place to restrict access to authorized users only. Encryption is also very useful here for data in transit that's moving between users or from place to place within or outside the network. At rest, where it's stored in a single spot. Portable mobile devices and removable media, as there is, of course, the theft risk with both of those. Data loss prevention is also helpful in this regard, and logs should include access to sensitive data. And then there's secure data disposal. What actually happens when you delete a file? In effect, when you hit delete and then you go into the recycle bin to delete something, it doesn't actually go away.
What the system really does is it puts a little marker next to it, which allows the system to use that particular space of storage for something else to be saved on top of it. So in effect, the underlying or latent data remains until it's actively overwritten by something new. Now, when you're disposing of given data on a system, you wanna include anything that can store data. And this includes external drives, backup discs, and tapes. Yes, some organizations still use tapes. And also printers and digital copiers, both of which actually have hard drives in which data can be lingering. Even if the data is overwritten, there may be other ways to get at it if you have an adversary who is possessed of good resources and determined enough to go after it. One way to ensure that the confidentiality of client data isn't compromised is to properly dispose of that data once you don't actually need it or have an obligation to keep it. Attackers cannot steal what isn't there. NIST SP 800-88 Revision 1 lays out a media sanitization standard. Comes down to three things: clear, purge, and destroy. Clear is what most people think of as deleted. That's where you've hit delete. You've maybe emptied the recycle bin and you can't see it. It's still on the system, but it's been cleared from what you can see. That's the lowest level. Purging is when you actually make an effort to really clear out the system. And generally, an attacker would require something like an advanced lab to actually get ahold of that. Destroy is kind of what it sounds like. That might be dropping a hard drive into a metal shredder or something of the like. There's nothing left, so nothing to steal. Now, your basic data destruction methods come down to a few. There's one called degaussing, which is also demagnetization. Basically, it's holding a very strong magnet next to a magnetic storage device or magnetic tape. The thing is, with a degaussing machine, they are very strong.
They basically pull everything in the same direction. So all the data becomes all ones or all zeros, i.e., unreadable. Also, if you're talking about an old school hard drive, it probably will also destroy the actual drive as well because the magnets are that strong. There's also overwriting or wiping, which is saving data on top of whatever's there. It's often gibberish, or just, again, all ones, all zeros. For mobile devices, you also have something called a factory reset. And that removes all data and downloaded applications from the device and can also be done as a result of remote wiping, either from a system administrator for a system telephone or, sorry, mobile phone, or your own phone. If you have it stolen, you wanna set up remote wiping. You can do that as well. Now, one thing to realize, given the way flash storage works, where it's storing information not in the same place over and again, but in different places as you save different versions of it: regular overwriting may not be as effective because, since it's in different places, you might not get all of it. Generally, the way overwriting works is it'll overwrite the undamaged portions of a drive. So if there is anything wrong, like an error or something like that in one portion, it might not erase it. You might have some data left over. Finally, we have physical destruction. This is more than just damage. The Space Shuttle Columbia actually led to some data recovery, even though we all saw what happened to that. You wanna have it really blown away. And there are firms that actually will do that. They'll actually document the chain of custody, take your drives or whatever else, drop it into a metal shredder, film it, and show it to you just so you know it's been destroyed. And of course, on a related note, don't forget to securely dispose of paper records as well, as they can certainly be checked.
If you're looking to do that with a shredder, I recommend a crosscut shredder 'cause they're a bit more difficult to actually reconstruct after the fact. Of course, it's important to email with clients, experts, and third party vendors securely. The information security industry has a cliche that email is as secure as a postcard written in pencil. How does email actually work? In effect, what happens is you write up an email, you hit send, it goes from your computer to your email server for your firm, up to the internet, and then skips across different routers in the internet to the receiving email server and goes to the recipient. Now, along the way, if that email is not secured via encryption, et cetera, it can be read or altered easily by anyone handling your email. This would be analogous to someone in a post office or an unscrupulous mail carrier having full access to it and being able to do whatever they want. And of course, receiving and disclosing ESI can pose significant risks. There could be data breach, inadvertent disclosure of privileged materials. That could be a simple mistake like misdelivery, where you're sending it to the wrong party. On a related note, you have what I refer to as the autocomplete menace, which is when you're starting to type in an address and the system automatically tries to finish it. And a funny note with that: a few years ago on Facebook, the musical pioneer Grandmaster Flash had on a note thanking grandparents who had repeatedly accidentally tagged him when trying to write notes to their kids. Now, that's fun. But of course if it happens in a real world setting, that can be really threatening. So that's something you have to keep an eye out for. And in terms of dealing with your clients and emailing data, how secure should it be? It's good to have an express understanding with them and third party vendors, et cetera. In effect, what communications will or won't be sent electronically?
When is encryption or other security measures going to be required? It should be spelled out in the engagement letters, a service level agreement, or other written instrument as early in the relationship as possible. Social engineering involves attackers using human nature to gain access to system assets or data or get information. It can be done via email through phishing. That's P-H-I-S-H-I-N-G, which are mass email campaigns that typically try to trick users into opening an infected attachment or clicking on an infected website and/or giving up personal or organizational information. Spear phishing is a personalized version of that. Instead of being a general thing, sort of sent out shotgun style to snare the masses who fall for it, it's directed to you. It will generally address you by name and might reference something you're actually working on, like a specific case or agreement you're working on. It'll say, oh, here's the latest redline version. Check this out. And it'll appear to come from, say, a department you're working with. You go to open it and surprise, surprise, it attacks your system. And mind you, that generally won't be obvious. It'll just look like something's wrong with the document. And then poof, it's going on in the background. I referenced BEC scams earlier. What are those? Those are wire transfer fraud scams involving usually fake vendors or people masquerading as senior firm or company personnel. The whole idea is to get you to wire out information to an account controlled by them, which they can then empty before the trick is found. One thing that's come up with that that's associated, oddly enough, is a technology called deepfakes, which is often used to create fake videos using real people put into fake situations. There's an audio version of that that's starting to show up in some attacks.
So in effect, you'll get a phone call from someone who's masquerading as this vendor or senior personnel in the company claiming, oh, you need to send out this wire right away by the end of the day. This has gotta be done. And of course, if you are getting a call from the CEO or something like that, a lot of people will react to it. And that's the scam. Also, one thing that can be done is sometimes this will target home buyers. So if you do deal with actual real estate transactions, keep an eye out if there's, like, a very late in the game email suddenly changing wire transfer instructions, because if that's happening, something weird is going on there, and you should always check with an independent source to make sure that's not what's really happening. Now, it's not just email. Any of these attacks can come via text message, which is called smishing. That's because the proper name for text messaging is short message service or SMS. And it can also be instant messaging or on any social network. Scams can also come from the web. Often, these are romance scams. They'll target young and old alike, and you can literally run into something like sextortion, which can lead to blackmail. It can be a fake angry parent claiming that you did whatever with the underage child. It can be someone pretending to have a relationship with you who then claims they'll expose it to your spouse if you don't do X. I'm not looking to judge people here, but obviously, have a care for what you're doing and make sure you actually know who you're talking to. There are also phone calls. If you haven't yourself, your parents will probably run across fake tech support calls, where someone's claiming there's something wrong with your system that needs to be fixed. There are also fake overdue bills. Usually, it'd be right around the end of the month. Late in the day, you gotta pay it or we're gonna shut off your electricity. And people panic. That's kind of the whole idea here.
They panic, they pay, and then the scammers get away with what they want. Sometimes around tax season, you'll get fake calls from the "IRS", which of course never contacts you this way. But of course the scammers are counting on you to not know that. The help desk is also a major target because firm help desks, as with any organization, are generally organized so that they have to try and help as many people as possible. And for them, doing well in their job means resolving as many tickets as they can. Attackers know this and will try to be a quick problem which they can resolve by giving them the information or whatever else they need to continue their scam. I mentioned the idea of baiting before. This is handing out something like, let's say, a stick drive at a conference, which happens to be infected. Or maybe you're looking in a common area in your firm, and there's something labeled senior partner compensation in the current year. Most people are gonna be curious, plug that into the system, and look before they show it to any security personnel. And if it's infected, boom, it's introduced to the system. There's also in-person social engineering. That's the pretexting I mentioned earlier. Again, think Luke and Han Solo dressed up as stormtroopers on the Death Star so that they can move around. Or pretty much any Eddie Murphy movie from the '80s where he is masquerading as someone else to get in somewhere he's not supposed to be. Tailgating, as I mentioned earlier, is the idea of letting in someone who looks like they're potentially supposed to be there who isn't. And this is a heightened risk nowadays because in the aftermath of COVID, there's returns to the office with a lot of new colleagues. So you've gotta make sure that the people you might say, "Oh, sure, come on in," to are really people who belong there. And always keep in mind, social engineering attacks are always dynamic. By that, I mean, they're always changing.
When you've gotten used to one, there's five different variants that pop up. The biggest risk of all comes from the assumption that we will be able to spot them when they happen. And just remember, beyond anything else, there are no rules here. By nature, social engineering attacks are a direct threat to the confidentiality of client and firm information. So what can you do to avoid falling for one of the scams? Always assume that the call, email, message, whatever it is, is fake until you're given a convincing reason to think otherwise. If an email comes from a company or person you know, call the sender directly. Don't use the number in the email. This is an out of band communication. You're not using the same method they used to contact you. And often, you'll find that you'll call, and they're like, wait, what are you talking about? And so when that happens, you've literally prevented a scam from taking advantage of you or your firm. One other thing you can do is, if you're using a regular computer, if you hover over a link with your cursor, in the lower left of the screen it'll indicate where it's potentially going to. So you can look to see if a link actually matches up to what it says. Now, it's critical to have secure procedures for any financial transactions. These are direct, once again, out of band confirmations with any vendors, senior personnel, et cetera, requesting wire transfers or changes to any financial routing information. And of course, any request for speed and secrecy, regardless of reason, is a red flag and a half. If you believe your organization may have been targeted, contact your financial institution and law enforcement immediately. It's good to start with the FBI and Secret Service. This is within both of their purviews. And also, security awareness training is critically important.
Employees, including attorneys, should know how to recognize suspicious communications, how to identify people who should not be in the office space, as well as what steps to take in response and what information should or shouldn't be given to a caller. Also, they should know how the help desk might contact them and what information they might ask for, as well as what they won't ask. Help desk employees in particular should know how to verify employee identities before giving out passwords or other business information, and also how to respond when somebody tries to circumvent proper procedures. You should also train employees and executives regarding what to expect so they don't get frustrated. At the end of the day, secure, repeatable procedures are critical to protecting your organization. Attackers frequently target web browsers and email because users interact with them directly. There's an old saying in the IT world that the weakest part of any network is the space between the chair and the keyboard. Social engineering techniques are often used to trick users into giving up network access or information, which is then later used to gain access. This can include turning over login credentials or passwords, disclosing sensitive data, or inadvertently downloading malware. Web browsers are often targeted by corrupted add-ons and plugins. Add-ons come from the browser. Plugins are third party. And they're little programs, which you've no doubt seen before. It'll be something to help you organize your tabs, set up a dark palette, a bunch of different things. Attackers will also target and sometimes create their own plugins. So it's good to check out reviews and see what's actually legit and what maybe isn't so much. And browsers can be configured to severely limit add-ons and plugins. And your security department may well do that. Also, it's important to block popups. They're not just annoying. They can also be booby trapped. Another concern is infected websites.
These can include drive-by downloads where basically, the second you go on the site, your computer is attacked. And if your software is not up to date, often, those attacks can get through. If it is up to date, they're less likely to succeed, of course. Something related is called a watering hole attack, which is where you're basically specifically goaded to a site, one you frequently visit, that's been infected to go after you. For example, let's say your firm is well-defended. Your security department's doing its job well. And an attacker wants to get in. Maybe they find out that associates at the firm like ordering takeout from a specific restaurant nearby. So rather than attacking the firm website directly, they go to the restaurant and booby trap the menu page. So you go to look and the attack comes from there. There's also something called SEO poisoning. SEO is search engine optimization. And the idea there is you're basically infecting images which will come up on a search. Often, these are pictures. They might be related to celebrities or an item in the news, something like that, but you gotta look at it and boom. You could also set up filters for what's called the URL, which is the uniform resource locator. That's the line across the top of a webpage which indicates where you are on the net, something like microsoft.com. Or DNS, which is the domain name system, which is matching names to the actual numbers on the internet, the IP addresses. Filtering with those can help spot malicious sites. You yourself probably won't do that, but your security department may well do it. Now, on your system, you may have certain restrictions in terms of what operating systems and browsers you can use, which is good. If you're using one on your own, make sure that you're using a fully supported web browser and be sure to keep it up-to-date. A few good ones that you can lock down effectively include Firefox, Brave, and Vivaldi.
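Two of the defenses the presenter mentions, hovering over a link to see whether it really goes where its text claims, and filtering by URL or domain, can be automated at a mail gateway or in a helpdesk triage script. The following is an added example (not code from the course or from The Security Advocate) that parses the anchor tags in an HTML message, flags links whose visible text names one domain while the href points at another, and applies a simple domain blocklist. The HTML snippet, the `.invalid` host and the `example.com` names are constructed placeholders; the two-label "registrable domain" helper is a deliberate simplification of what a real filter does with the Public Suffix List.

```python
"""Link text/href mismatch detection plus a domain blocklist, the automated
form of "hover over the link" and URL filtering. Added example; the sample
message and domains below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style message: the first link displays a trusted-looking
# URL but its href goes somewhere else; the second link is honest.
SAMPLE_HTML = """
<p>Please review the latest redline:
<a href="http://example-login.invalid/signin">https://www.example.com/docs/redline.docx</a></p>
<p>Case portal: <a href="https://portal.example.com/cases">portal.example.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible_text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL or bare domain, or None if there is none."""
    candidate = text if "://" in text else "//" + text
    host = urlsplit(candidate).hostname
    return host.lower() if host else None


def registrable_domain(host):
    """Naive organizational domain: the last two labels (demo simplification)."""
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    """Visible text that a user would read as a web address."""
    return "." in text and " " not in text


def check_links(html, blocklist):
    """Return [(href, text, verdict)] where verdict is BLOCKED (href domain on
    the blocklist), MISMATCH (visible text names a different domain than the
    href), UNPARSABLE (no host in href) or OK."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_of(text) if looks_like_url(text) else None
        if href_host is None:
            verdict = "UNPARSABLE"
        elif registrable_domain(href_host) in blocklist:
            verdict = "BLOCKED"
        elif text_host and registrable_domain(text_host) != registrable_domain(href_host):
            verdict = "MISMATCH"
        else:
            verdict = "OK"
        findings.append((href, text, verdict))
    return findings


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_HTML, {"example-login.invalid"}):
        print(f"{verdict:10} {text!r} -> {href}")
```

Run as a script it reports the first link as BLOCKED (or MISMATCH with an empty blocklist) and the second as OK. The mismatch check is the machine equivalent of the hover test: it only fires when the visible text itself looks like an address, since ordinary words ("click here") make no claim about the destination.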
Just remember, email is the most common threat vector against enterprises. This is phishing, spear phishing, business email compromise, et cetera. Controls include spam filtering and malware scanning at email gateways, basically as stuff is coming in. Spam, by the way, is actually an acronym for something posing as mail. Your system should also implement what's called DMARC, which is domain-based message authentication, reporting, and conformance, which ensures that something coming in is actually coming from where it's representing itself to be. And of course, it's also a good idea to have your security team block unnecessary file types. Basically, there are types of files you might actually interact with. Other ones should not be allowed on the system because at the end of the day, why are they there if not to attack you? So I mentioned malware a bit earlier. Malware is short for malicious software. A few different types are commonly encountered. One is a virus, which requires human help to spread, meaning you need to click on the link or open the attachment. A worm will replicate on its own. So once it gets in a system, it starts bouncing around. A Trojan will be disguised as something innocuous. Like it might be something like a song or video or other file that actually has a useful aspect to it. But in the background, there's something malicious hiding. A logic bomb is malware with a trigger. It might set off at a specific time, which is sometimes referred to as a time bomb, or when a specific condition is met. So let's say someone, an embittered employee, doesn't wanna be fired, and if they are fired, they're gonna set off a logic bomb in the company. Maybe they set it so if their name does not appear on the payroll for two consecutive pay periods, it'll detonate and do damage to the system. Now, delivery methods for malware can be in a few different ways. One is based on the web. These are like the drive-by download sites, that type of thing.
Email attachments and links, very common. You click on something in the email, you open the attachment, boom. And also, direct access via infected media, like a stick drive or something like that, or from another network connection. The payloads can include spyware, which is basically allowing an outside party to watch what's happening on your network. Keyloggers, which are actually recording each individual keystroke and, again, sending that along. Ransomware, which will encrypt your data from you and then charge a ransom to give you the decryption key to get it back. Rootkits, which give very base level access to an attacker, where they can have a lot of control over your system and do some real damage. APTs or advanced persistent threats, which are basically when an attacker gets into your system and just quietly sits there hoovering up information over time. Those are dangerous because obviously, they can get a lot of stuff over a long period of time if they're sitting there lurking in your network for months or even years. There's also something called a remote access Trojan or RAT, which is basically, again, looks innocuous, but it allows the outside entity to have remote access control over your system and could do things from afar, which again, very bad. Wiper malware will actually erase data on your system. And something called a botnet is something which a victim gets pulled into, in which the controller of the botnet, effectively a bot master they're called, will control all the computers sucked into this botnet. Could be tens or even hundreds of thousands of computers, and use it for nefarious purposes like attacking other parties, things like that. Could even be something goofy like crypto mining. Now, it's not like these things are distinct. They're often bundled together. So you don't get an attack with just one. You get an attack with several of them at once.
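The DMARC control mentioned a little earlier deserves a concrete illustration of what "coming from where it's representing itself to be" means in practice: the domain owner publishes a policy record in DNS, and the receiving gateway checks whether the visible From domain is aligned with a domain that SPF or DKIM actually authenticated, then applies the published policy (none, quarantine or reject) when it is not. The block below is an added example, not from the course; the record text, the `example.com` domains and the message results are constructed placeholders, and the two-label organizational-domain helper stands in for a Public Suffix List lookup. It follows the tag semantics of RFC 7489 (p, sp, adkim, aspf) but leaves out percentage sampling and reporting.

```python
"""Evaluate a DMARC policy record against a message's SPF/DKIM results.
Added example; record, domains and results are constructed."""

# Constructed TXT record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults.
    Raises ValueError for anything that is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")      # DKIM alignment: relaxed by default
    tags.setdefault("aspf", "r")       # SPF alignment: relaxed by default
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p
    return tags


def org_domain(domain):
    """Naive organizational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed only the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_pass_domain=None,
                      dkim_pass_domain=None, is_subdomain=False):
    """Return ('pass', 'none') if SPF or DKIM passed for an aligned domain,
    otherwise ('fail', policy) where policy is p, or sp for subdomains.
    spf_pass_domain / dkim_pass_domain are the domains that actually
    authenticated (MAIL FROM domain and DKIM d= tag); None means no pass."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["sp"] if is_subdomain else tags["p"]
    return ("fail", policy)


if __name__ == "__main__":
    # Legitimate bounce subdomain, relaxed SPF alignment: passes.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", spf_pass_domain="bounce.example.com"))
    # Spoofed From with SPF passing only for the attacker's own domain: rejected.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", spf_pass_domain="attacker.invalid"))
```

The spoofing case is the one the presenter cares about: an attacker can make SPF "pass" for a domain they control, but that domain does not align with the forged From header, so the receiver applies the owner's `p=reject`. A record with `p=none` would only report, which is why a policy review should check the published `p` value, not just that a record exists.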
And unlike television or movie depictions, there's generally no alarm or warning of any kind when a network is actually breached or compromised. So what are the controls you use to address these problems? Anti-malware software must be deployed at all possible entry points and enterprise assets to detect, prevent the spread of, and/or control the execution of malicious software or code. This includes traditional endpoint malware prevention and detection suites. We mentioned the idea earlier of signature versus behavioral approaches. Sometimes, a combination of the two is good simply because you have the signature, which has things which have already been recognized, and behavioral, which is key, because you're looking for things that are outside the norm. Even if an attacker switches over to non-malicious software, once they're in the system, you still stand a chance of catching them. Now, of course, it's important to make sure that you're getting the automatic signature updates from the vendor regarding any vulnerability or threat data. So if it is signature-based, it has to be kept up-to-date. That's critically important. And of course, this isn't something you're looking to handle on a person by person basis in a large network. It needs to be centrally managed for consistency across the infrastructure. And once again, we mentioned removable media earlier. There's that risk of baiting with things like USB drives. It's important to realize there are ways to defend against that. You wanna disable auto run and auto play for removable media. So if let's say someone is fooled and actually plugs a USB in, it won't automatically play. Also, removable media should be automatically scanned for malware anytime it connects to the system. Ransomware is delivered like most malware. 
Social engineering is common, and some variants will use attachments that look like gibberish and suggest that if the recipient just enables macros, which are small programs in Microsoft Office that will allow you to do extra features, this could be something like MS Word or Excel, they enable macros if the message isn't rendering clearly. And as soon as they're enabled, of course, that lets the attack happen. It's also become quite popular with RDP, which is remote desktop protocol, as a result of people working from home during the pandemic and after. Now, for prevention, the key once again is to keep software up-to-date. It's much less likely for an attack to succeed if the software is actually fully patched. Data backups are also very important, and they should not be directly connected to your network. We'll talk more about that in just a moment. Also, use current commercial security products with email, web browsing controls, and whitelisting, allowlisting. Basically, the features are there. Make sure they're enabled. Keep RDP access behind a virtual private network, and use multifactor authentication as an extra layer of security. And of course, the security awareness training we touched upon earlier is key. Now, one thing to realize with ransomware is it was once primarily a threat to individual computers. Now, it's more and more being used against organizational networks. Current attacks often include stolen sensitive data to encourage the victim to pay. Basically, pay us up or we're gonna, you know, you'll be ashamed if this information happened to get released to the greater public, that sort of thing. And there have been high profile attacks against municipalities, hospitals, critical infrastructure, et cetera. Keep in mind that these are a lot more common than you might think. Most companies don't report them when they happen. And attacks against private enterprise networks with seven figure ransoms paid are actually frequent.
One helpful resource from the Cybersecurity and Infrastructure Security Agency is their Stop Ransomware page, which is included in these supplemental materials. I mentioned earlier that backups prevent potentially catastrophic data loss and system damage in the event of an accident or malicious destruction. But keep in mind, this is not just data. Your software and system settings also need to be backed up if you want your system to be back up and running. Your security team's approach to data recovery will include establishing and maintaining data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. This will include automated backups, and backup data should have the same protection as the original data. Encrypted, separated. Whatever was done with the original data should be done with the backups. You should also have at least one isolated backup. This would be offsite, offline, cloud-based, and presumably air-gapped, which means no connection to the rest of the network, 'cause ransomware gangs typically try to encrypt backups as well as network data. And it's very important to test backups 'cause otherwise, they'll fail at the worst possible moment. This should be done at least quarterly. Your security team will also have a vulnerability management program. Vulnerability assessments are performed with a scanning tool. They check for vulnerabilities like open ports or out-of-date software. And they evaluate the security settings and configurations throughout your system. The scan should be performed both from inside and outside the network to identify vulnerabilities to both internal and external threats. Scans should be performed regularly, perhaps monthly. And you should also establish a process to remediate the actual detected vulnerabilities. Otherwise, they literally just sit there. It's important to patch the operating system, enterprise assets, and applications being used. And this can typically be automated.
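"Test your backups" is easy to say and rarely done, so here is what the quarterly restore test described above looks like when scripted. This is an added example, not code from the course: when a backup is taken, a manifest of SHA-256 digests is recorded alongside it; at test time the restored tree is compared against that manifest, which catches both files the backup job silently skipped and files whose content no longer matches, including copies that a ransomware strain has encrypted in place. The file names and contents in `demo()` are constructed; the manifest should of course be stored with the isolated copy and protected like the backup itself.

```python
"""Backup integrity manifest and restore verification. Added example; the
files created in demo() are constructed placeholders."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time.
    Returns {} when every file is present with the recorded digest; otherwise
    a dict with 'missing' (never restored) and/or 'modified' (digest differs,
    e.g. corrupted or encrypted in place) lists."""
    problems = {"missing": [], "modified": []}
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            problems["missing"].append(rel)
        elif sha256_file(path) != expected:
            problems["modified"].append(rel)
    return {k: sorted(v) for k, v in problems.items() if v}


def demo():
    """Constructed scenario: back up two files, restore them cleanly, then
    simulate ransomware overwriting one and a file going missing."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(live)
        with open(os.path.join(live, "matter-1234.docx"), "wb") as f:
            f.write(b"constructed client document")
        with open(os.path.join(live, "engagement-letter.pdf"), "wb") as f:
            f.write(b"constructed engagement letter")
        manifest = build_manifest(live)  # recorded at backup time

        restored = os.path.join(tmp, "restored")
        shutil.copytree(live, restored)   # stands in for the restore job
        clean = verify_restore(restored, manifest)

        # Damage the restored copy: one file "encrypted", one file gone.
        with open(os.path.join(restored, "matter-1234.docx"), "wb") as f:
            f.write(b"\x00simulated-encrypted-content\x00")
        os.remove(os.path.join(restored, "engagement-letter.pdf"))
        damaged = verify_restore(restored, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore :", clean or "OK")
    print("damaged restore:", damaged)
```

A clean restore returns an empty dict; the damaged one names both the modified and the missing file, which is exactly the report a restore test should produce before, not after, an incident.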
Another related concept is something called pen testing, which is short for penetration testing. This is basically used once a system is secured to check just how locked down it is. This is usually one attacker or a team of attackers, called the red team, trying to break into a secured network to see if they can find a way in. And if that way is found, it's then locked behind them. Third party risk management often relates to using third party vendors. Data hosting, e-discovery, and other service vendors can have your sensitive client data on their servers. Hackers know this and can use them as a back door to target client and other non-public information. If a vendor will have access to your firm's data and/or network, do your due diligence with respect to their security practices before you engage them. It's important to establish and maintain a vendor inventory. This will include risk classification and vendor contact information. Also, establish and maintain a vendor risk management policy. This should address vendor inventory, risk classification, assessment, monitoring, and decommissioning. Risk classifications may include different characteristics. Examples would be data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Inherent risk is something that's just underlying by nature. Let's say you're dealing with race cars. There's a risk of crashing. Well, what are you doing to mitigate that risk? Do you have better suspension systems? Do you have harnesses? Do you have roll cages? Things like that. Vendor contracts should include security provisions as well. This would mean data breach and security incident notification, data processing standards, i.e., encryption, disposal commitments, et cetera. And also, a right to audit. They're working with your data. You should be able to check what's happening.
Relevant standards for the use of cloud-based technology in the legal profession were published by the Legal Cloud Computing Association in March of 2016. And those standards are included as part of the supplemental material with a link. Also, you wanna reassess vendors annually at a minimum and update the contracts as needed. This means updated compliance requirements for emerging risks and others. Finally, you wanna have secure decommissioning: deactivating accounts and logins, and terminating data flows to ensure proper data disposal once the vendor relationship is terminated. A related concern is virtual assistants. They typically work with smaller firms and solos, but not always. These are outsourced services, including call centers, designers, and paralegals. They can be across town or across the globe. And of course, what are the security implications? Well, what can they access? How are they connecting to your network? And how secure are their systems? Are they up-to-date? Are they compromised? How would you know? Do they know? And of course, you run the risk of commingling other customers' data with your own. This could be misdelivery or other problems. There's a question of cost saving versus risk. Are you going to buy a computer, have your security team lock it down, and send it to the virtual assistant? If not, there's a risk there. And how would they do on the security questionnaires and audits that your clients and insurers routinely send to your firm? In effect, there's a significant liability risk there. If there's a breach, the virtual assistant isn't going to be the deep pocketed defendant. Users themselves can also create substantial risk for an enterprise. Account compromise due to poor password hygiene and/or social engineering, misdelivery, losing portable devices with sensitive data, among others, are problems. Security awareness should be more than just annual trainings.
Shorter topical trainings, like IRS scams during tax season or package delivery scams around the holidays, are helpful because it gets people in the right mindset to be thinking security. Training should include recognizing social engineering attacks and authentication best practices. This is password creation and management, multifactor authentication. And also, there's data handling and causes of data exposure. Make sure, for example, that the folks in your team erase virtual and physical whiteboards at the end of online meetings, use secure data storage, and others. Recognizing and reporting social engineering attempts and security incidents is also important. Even if you catch it, your colleagues might not. It's also important to recognize and report missing security updates on devices. If your security team knows about it, they can fix it. And also general things like the dangers of using insecure networks, like something you might find on a coffee shop or airport wifi, et cetera. Now, the training should be role-based, so that the different roles, which typically encounter different threats, get training that actually addresses what they'll actually run into. For example, BEC emails are gonna target the financial team. Now, NIST once again actually has a good standard for this: NIST SP 800-50, which is called InfoSec Awareness Training. And again, a link is in the supplemental materials. Let's talk about incident response. Bad things can and will happen. This could be anything from a gas leak to a data breach, ransomware, biblical plagues, you name it. This can entail data destruction. It could be physical damage from a fire, flood, locusts, whatever it is, alien invasions. Some malware will also electronically destroy data. And this underscores the importance of backups. A successful attack might entail a data breach with hackers stealing data from your system. A malware infection can damage the data in your system.
You can have spyware, advanced persistent threats, keyloggers, and others, all of which can create a myriad of problems. Computer forensics and security experts will be needed to assess the damage, patch vulnerabilities to prevent similar attacks on the system, and most likely, rebuild your network before going forward. It's very important to be set before something goes wrong so that you're ready when it happens. And this involves a business continuity plan or BCP, a disaster recovery plan or DRP, and an incident response procedure or IRP. So what are these? Business continuity plans and disaster recovery plans are often grouped together, but they're not the same thing. A DRP is keeping things running in the short term. It's often IT-centric. A BCP is recovering assets and processes within a reasonable amount of time, back to the state they were before the attack. And either one is typically needed with little or no warning. These plans need to be prepared well in advance, and being unprepared can literally destroy a business. You start the ball rolling with what's called the business impact analysis or BIA. A BIA determines what needs to be recovered and how quickly. As part of the process, you identify the processes or functions performed by each business unit. And with respect to each function, you look at the financial risk of not performing that function, the regulatory risk of not performing that function, and the customer or reputational risk of not performing that function. In effect, what needs to be back up and running in what timeframe to minimize impact on the business? What will the impact be if a given process or function isn't restored right away? i.e., what does the business need day to day and what can wait? How soon will it be until that impact is felt, and how significant will that impact be? For example, if you're a bank, marketing is critical. But in the short term, it's not as critical as payment processing.
This is a slow and involved process, but well worth doing correctly. Numerous resources and step-by-step guides are available. A business continuity plan or BCP covers the steps needed to recover and replace business functions within a reasonable amount of time after a disruptive event. Of course, reasonable may depend on how critical the system in question is. It's meant to ensure critical business functions continue during a crisis. The plan will outline the immediate steps to take in response, and specific steps will obviously depend upon the circumstances. The plan should cover business processes, your people, assets, business partners, et cetera. Basically, how will employees communicate? Where will they go and how will they continue working? Details vary greatly, depending on the size and type of business affected. Numerous free templates are available. And you can also use a BCP published by an organization similar to yours and modify it as necessary.

A disaster recovery plan is a plan to maintain or rapidly restore IT infrastructure, systems, et cetera, in the event of a major disruption. It should contemplate various levels of disasters, from single systems or devices to data centers to entire sites and systems. It often includes an incident response procedure or IRP. An IRP defines what constitutes a security incident and lays out an organization's step-by-step response to that incident. Each incident is different, so the most important aspects of an IRP are who has the authority to act and what needs to be done, though not necessarily how. Once an incident has been identified, the IRP should specify escalation procedures, including the activation of an incident response team. Incident response team members should be drawn from the following departments: security, system administration, legal, human resources, and public relations. The IRP should specify one or more incident handling objectives.
These can include protecting organizational systems or data, restoring operations, limiting bad PR and brand damage, or prosecuting the offenders. That last one can be tricky, since proper attribution is difficult, if not impossible, in most cases. Skilled hackers, like the types who go after big law firms, often use a number of tricks to cover their tracks or plant false clues inside their malware to throw investigators off their trail. You may think you're striking back and wind up attacking an elderly couple out in the Midwest. Response to the incident will flow directly from the handling objectives. And it's important to specify who has the authority to take action. This can include taking systems offline, contacting authorities, among others. The IRP should be created and regularly updated well in advance. Basically, you don't wanna start picking your team after the game has already started. If you're playing basketball and you're on the sidelines deciding who's gonna be the point guard while the other team's already running towards the basket, you have a problem. The IRP should also indicate which outside firms (security, forensics, crisis management, legal, et cetera) and individuals at them to contact. Of course, it's important to establish and maintain that contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, information sharing and analysis center or ISAC (I-S-A-C) partners, or other stakeholders. And also, it's important to verify contacts at least annually to ensure that the information is up-to-date. Also, determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident.
It's important to review annually or when significant enterprise changes occur that could impact this safeguard. Also, establish and maintain an enterprise process for the workforce to report security incidents. This should include the reporting timeframe, personnel to report to, a mechanism for reporting, and the minimum information to be reported. Ensure that that process is publicly available to all of the workforce. Review annually or when significant enterprise changes occur that could impact this safeguard. Also, if an incident could possibly lead to a governmental investigation or lawsuit, engage an outside law firm with cybersecurity and/or data privacy expertise early on. Post-incident information control is critical. Engaging outside counsel brings with it potential attorney-client privilege and work product protections regarding post-incident discovery materials like reports and emails. At least one specific firm and attorneys with proper expertise should be included in the IRP. Also remember that an infected system probably should be rebuilt, not just patched up, because even if it looks fine, more surprises could be lurking somewhere in the system.

It's also very, very important to test your organization's BCP, DRP, and IRP. Exercises need to test communication channels, decision making, and workflows. Test to failure, not just for failure. So see what actually happens. Don't just theorize. Otherwise, if anything isn't set up correctly, you'll find out at the worst possible moment. There are helpful resources in this area from the Council of Registered Security Testers or CREST. That's a cyber security incident response guide. And also the ABA has a helpful webpage with materials for law firms related to incident response. Both are included as links in the supplemental material. And of course, don't hesitate to bring in a security consultant to help set these up.
Let's take a moment out to talk about cyber liability insurance. Commercial general liability policies have had a cyber exclusion since May of 2014. And yet in the interim, no standard cyber policy has appeared in the industry as yet. The key consideration there is whether you're looking at first-party liability versus third-party liability. This is effectively what's happening due to problems with your own network versus a lawsuit you're pulled into as a result of a problem with a vendor's or other third party's network. It's also important to know what your policy actually says, because if you agree to perform specific things, like a pen test every six months, and you don't, what'll happen is there'll be an issue. The adjuster will come by and say, "Gosh, that's terrible. We're sorry. Can we see your pen test reports?" If you can't show them, they'll deny coverage. And remember also to include security incidents beyond data breaches. And also, backdate any cyber liability insurance for at least two years, as sometimes attackers can lurk in a system for quite some time before they're discovered. A number of insurers also have effective data breach response teams that can help you mitigate damage and get you back up and running without undue delay. And it's great to make use of that asset.

So there's a lot happening here, and it can be easy to miss something if there isn't a method to the madness. Where do you start? Well, there are standards and frameworks which lay out sort of an organization to all of this. It basically starts with risk management. It moves into repeatable procedures and other controls, which can give a consistent security posture for your organization, and then becomes adaptive, changing to situations as they occur on the ground, if you will. One of the most prevalent ones recently is the NIST Cybersecurity Framework; version 1.1 came out in 2018.
That's also good because you don't have to really have a background in this stuff to be able to understand it. A more detailed thing would be the ISO 27000-series, which is much more involved and tends to be used by technical organizations, though some larger law firms do do it, as there are a lot of security controls in place, and it's an indicator to clients of how seriously they take security. Compliance measures are also pertinent, as there can be statutory and regulatory compliance requirements. Think HIPAA, Gramm-Leach-Bliley, et cetera. There's also the PCI DSS, which is the payment card industry's data security standard. Also, there are best practices, which are more like recommendations. In particular, the Center for Internet Security Controls, version eight from 2021, is quite good to give you sort of a baseline to start from. And all of these are attached with links in the supplemental material. It's important, however, to move beyond the checklist. The best practices are a very helpful baseline. Same with the compliance requirements. But they're ones the vast majority of hackers are already aware of. So it's important that your system is ready to go beyond them to address specific risks identified in your risk assessment. And likewise, compliance as well can lure you into a false sense of security. Security's about locking your system down, not just adhering to a set of rules. I hope this has been helpful. Thank you very much and stay safe.


Course materials

Handout, Supplemental Materials

Course details

On demand
1h 31m 47s