Learn what cyber security means for your law firm, your employees, and your bottom line. This presentation will provide a snapshot of the IT Security threats facing law firms today, as well as the knowledge and tools you can use to prevent them.
2. In February 2013, the FBI gave a keynote presentation on law firm security threats at LegalTech New York. In an article from Law Technology News, the special agent in charge of the FBI’s cyber operations in New York City is quoted as stating:
“We have hundreds of law firms that we see increasingly being targeted by hackers. …We all understand that the cyber threat is our next great challenge. Cyber intrusions are all over the place, they’re dangerous, and they’re much more sophisticated” than they were just a few years ago.
4. REASONS LAW FIRMS REPRESENT A CYBER TARGET:
• Many firms regularly maintain a tremendous amount of highly confidential information, and information is the currency that cyber criminals trade in.
• You may not be the primary target. Many attacks are of the command and control variety, where the objective is to use your environment as a beachhead for a secondary attack.
• Cyber criminals may be targeting YOUR CLIENT or ANOTHER FIRM and realize that you represent the means to get past their existing infrastructure.
• As an industry, we make for a very easy target.
5. The measures in place for many firms are very far behind those in other industries.
But it’s not just about spending money. The Goldman Sachs data breach resulted in the disclosure of 70+ million user accounts and over 7 million business accounts. Goldman Sachs spends over $250 million A YEAR on cyber defense.
It’s about the focus security gets all the way down to the end users. End users are the single weakest point in any network.
PHISHING / SOCIAL ENGINEERING ATTACKS
7. • For two straight years, more than two thirds of cyber espionage has featured phishing as its primary means of attack.
• According to the Verizon 2015 DBIR, in 2014 users opened approximately 23% of inbound phishing messages and 11% clicked on attachments.
• Historically, phishing has been the means to target individuals and not businesses. This, however, is also changing dramatically.
• Enter “The Dyre Wolf”. This is a new campaign that utilizes the now popular Dyre, or Dyreza, malware, directly targeting corporate banking accounts.
• This phishing and malware campaign leverages spear phishing, malware (initial infection via Upatre), social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS) sprees to complete an attack. Dyre Wolf is a perfect example of how most defenses are still only as safe as the weakest employee.
8. THE DYRE WOLF ATTACK
• Not your typical malware campaign
• Each attack cost companies $500,000 - $1.5 million
• Uses targeted spear phishing emails, malware and social engineering
16. Dyre Wolf is a perfect example of how most defenses are still only as safe as the weakest employee.
Defending against phishing attacks is largely centered on knowledge and training of the weakest link in your system – end users.
17. ACCIDENTS (AGAIN…USERS)
• Accidental disclosure of confidential information is a substantial cause of data breaches, with over 60% being initiated by system administrators.
Read “Biggest Cyber Security Threat to Law Firms is Not What You Think”
• Types of accidents often break down into 3 primary categories:
1) “D’oh!”: ever sent an email to a client and, about .0009 seconds after hitting the send button, realized you’ve sent information to the wrong recipient? The DBIR reports this as being the single largest exposure point for data.
2) “My Bad!”: According to the same DBIR reports, about 17% of the breaches / disclosures are the result of users publishing nonpublic data to public servers. Sensitive client data does not belong on Google!
3) “Oops!”: The last bucket of end user snafus is the insecure disposal of personal and medical data.
18. VULNERABILITIES… (WE DON’T NEED NO STINKIN’ PATCHES)
• CVEs, or Common Vulnerabilities and Exposures, form a worldwide list of known system vulnerabilities that is published to any and all who want to use it.
• Most companies performing vulnerability scans are leveraging this list to test a network for known weaknesses. Software and OS updates are leveraging this list to build fixes to vulnerabilities as fast as they are identified.
• Which brings up an interesting point – the vast majority of breaches in 2014 were initiated through known CVEs that were at least a year old. AT LEAST A YEAR OLD!
• 97% of the known exploits were created with 10 CVEs – ONLY 10!
• But before you ask – the remaining exploits were created with 7 MILLION CVEs. So you cannot simply look for the top 10 and call it a day.
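As an added illustration of the “at least a year old” point (example code written for this page, not from the presentation or from any vendor tool): a small Python check over a constructed vulnerability inventory that flags unpatched findings whose CVE has been public for a year or more, and ranks which single fix would remove the most exposure. Host names and CVE ids are placeholders, not real identifiers.

```python
from collections import Counter
from datetime import date

# Constructed inventory for illustration only; the CVE ids are placeholders, not real identifiers.
INVENTORY = [
    {"host": "dms01", "cve": "CVE-0000-0001", "published": date(2013, 4, 2), "patched": None},
    {"host": "dms01", "cve": "CVE-0000-0002", "published": date(2014, 11, 20), "patched": None},
    {"host": "mail01", "cve": "CVE-0000-0001", "published": date(2013, 4, 2), "patched": date(2013, 5, 1)},
    {"host": "ws-assoc3", "cve": "CVE-0000-0001", "published": date(2013, 4, 2), "patched": None},
    {"host": "ws-partner7", "cve": "CVE-0000-0003", "published": date(2012, 1, 15), "patched": None},
    {"host": "ws-partner7", "cve": "CVE-0000-0004", "published": date(2015, 1, 5), "patched": None},
]

def stale_findings(inventory, as_of="2015-06-01", max_age_days=365):
    """Unpatched findings whose CVE has been public for at least max_age_days as of the given date.

    These are the "at least a year old" exposures the DBIR figure refers to: the fix has existed
    for a long time and simply was not applied.
    """
    today = date.fromisoformat(as_of)
    stale = []
    for f in inventory:
        if f["patched"] is not None:
            continue
        age = (today - f["published"]).days
        if age >= max_age_days:
            stale.append({"host": f["host"], "cve": f["cve"], "age_days": age})
    return sorted(stale, key=lambda s: -s["age_days"])

def exposure_by_cve(inventory):
    """Number of hosts still unpatched per CVE, to rank which fix removes the most exposure."""
    return Counter(f["cve"] for f in inventory if f["patched"] is None)

if __name__ == "__main__":
    for s in stale_findings(INVENTORY):
        print(f"{s['host']:12} {s['cve']}  public {s['age_days']} days, still unpatched")
    for cve, hosts in exposure_by_cve(INVENTORY).most_common():
        print(f"{cve}: {hosts} unpatched host(s)")
```

Feeding the same check from a real scanner export is a matter of mapping its columns onto the host / cve / published / patched fields.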
19. THE LONG-CON
• Ransomware has traditionally acted as a zero day attack; however, those same criminals are finding that a long, slow attack can yield even higher returns.
• The next phase of ransomware will likely sit in an environment for months before initiating action.
• Possible scenarios now include server side attacks that can encrypt data moving to and from the server until the criminal feels they have sufficient amounts of data encrypted.
• They simply hold you and your data hostage in return for payment.
• No payment means they remove the encryption key, and none of your systems will work until you do pay.
20. THE INTERNET OF THINGS & BYOD (IT’S ONLY GOING TO GET MORE DIFFICULT…)
• Dramatic increase in the number of internet connected devices that could lead to accidental exposure of confidential information.
• Target proved this in spades.
• As you look at your environment from a security perspective, have you considered everything?
• Traditional unmonitored vectors include fax machines and printers, but have you checked that new TV in the conference room?
• What about that new iWatch?
GETTING IN FRONT OF THE PROBLEM
22. • First things first - the firm, its partners and directors all must agree that security is a priority.
– It needs to be a priority from the top down if the end users are to adjust their daily behavior to match the security policies of the firm.
– The most senior people in any organization are typically the least likely to be willing to adjust their behavior!
• Any investments needed to properly build and maintain a security plan will require the people at the top to spend out of their own pocket.
• Must be a permanent part of the business plan.
23. STEP 1: PUT SOMEONE IN CHARGE OF CYBERSECURITY
• Many organizations set a course for failure almost from the start by not establishing responsibility for one person or a team of people to manage this process.
• Must also be responsible for moving the firm from compliance to security. These two are not the same thing.
• Even an ISO27001 certified firm may not be secure – they simply have the policies and procedures in place for an effective security program.
24. STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE
• Every firm should employ some form of a written security plan.
• There are 4 core controls within a proper plan – Physical, Policy, Detective and Corrective.
• Key elements for a law firm security plan include:
– Identification - Identify the data your firm maintains, establish its location and identify which information is most sensitive and in need of monitoring.
– Encryption - Whether at rest or in transit, data should always be encrypted.
– Remote Access / Authentication - What information will you allow access to from outside the building?
– Password Policies - Will you be willing and able to implement a complex password policy that changes every 90 days?
– Social Media Policy - Use at work? Can you use the same login for Facebook as you can for your company PC?
25. STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE (CONT.)
• Key elements for a law firm security plan (cont.)
– Physical Security - Are you planning to restrict building access? Can you track when people come and go? Are there cameras to track access to critical information?
– Vendor Security - No one likes to do it, but auditing your 3rd party vendors can be a critical piece of your security plan.
– Breach Response Planning - Each plan should contain critical pieces such as client notification plans, a plan for notifying authorities, documentation plans, and overall decision-making ability.
26. STEP 3: CREATE & MAINTAIN A PROPER DEFENSE / MONITORING ENVIRONMENT
• Firewall with IDS or IPS - A firewall with intrusion detection (IDS) or intrusion prevention (IPS) is recommended for maximum protection against malicious traffic.
• Spam Filter – The majority of viruses that get into networks are from email phishing attempts.
• Patching - The greatest source of vulnerability comes from using software and applications that are not properly patched (i.e. they lack the latest updates).
• Mobile Device Management – Allows you to manage, secure and monitor your firm’s mobile devices in real time.
• Encryption – Any device that can store sensitive information (i.e. phones, laptops, tablets) and is built to leave the building should be encrypted.
• White Listing Systems – For advanced defensive environments. This system keeps anything that you do not designate from being installed anywhere on your network.
• Logging Systems - Understanding where your data resides AND being able to establish patterns of user traffic can go a long way to knowing when something has gone wrong and you’ve been breached.
Read: 5 Basic Cybersecurity Controls Every Firm MUST Have in Place
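An added example of the “establish patterns of user traffic” idea under Logging Systems (written for this page; not code from the presentation or from any product): Python that learns each user’s usual logon hours and source addresses from a constructed set of log lines, then flags later logons that break that pattern or show repeated failures from one source. The log format, user names and addresses are all invented.

```python
import re
from collections import defaultdict

# Constructed logon events for illustration (not from any real system): timestamp, user, source, outcome.
LOG_LINES = """\
2015-05-04T08:12:33 user=jsmith src=10.1.4.22 result=success
2015-05-05T08:47:51 user=jsmith src=10.1.4.22 result=success
2015-05-04T07:55:00 user=akim src=10.1.7.8 result=success
2015-05-05T08:10:44 user=akim src=10.1.7.8 result=success
2015-05-06T02:41:19 user=jsmith src=203.0.113.45 result=success
2015-05-06T03:02:07 user=akim src=203.0.113.45 result=failure
2015-05-06T03:02:15 user=akim src=203.0.113.45 result=failure
2015-05-06T03:02:31 user=akim src=203.0.113.45 result=failure
2015-05-06T08:14:02 user=akim src=10.1.7.8 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(text):
    """Turn raw lines into dicts with an integer logon hour; lines that do not match are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for e in events:
        e["hour"] = int(e["ts"][11:13])
    return events

def build_baseline(events, learn_before):
    """Per user: the source addresses and logon hours seen in successful logons before the cutoff."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["ts"] < learn_before and e["result"] == "success":
            base[e["user"]]["srcs"].add(e["src"])
            base[e["user"]]["hours"].add(e["hour"])
    return dict(base)

def find_anomalies(events, baseline, learn_before, fail_threshold=3):
    """Flag logons on/after the cutoff that break a user's pattern, plus repeated failures per source."""
    alerts, failures = [], defaultdict(int)
    for e in events:
        if e["ts"] < learn_before:
            continue
        b = baseline.get(e["user"], {"srcs": set(), "hours": set()})  # unknown user: everything is new
        reasons = [why for ok, why in ((e["src"] in b["srcs"], "new source address"),
                                       (e["hour"] in b["hours"], "outside usual hours")) if not ok]
        if e["result"] == "failure":
            failures[(e["user"], e["src"])] += 1
            if failures[(e["user"], e["src"])] == fail_threshold:
                reasons.append("repeated failures")
        if reasons:
            alerts.append((e["ts"], e["user"], e["src"], reasons))
    return alerts
```

Running `find_anomalies(parse(LOG_LINES), build_baseline(parse(LOG_LINES), "2015-05-06"), "2015-05-06")` reports the 02:41 logon from an unfamiliar address and the three failures that follow, while the 08:14 logon from a known address is silent.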
27. STEP 4: FORM A MILITIA
• Create a security policy and turn your employees into your cyber militia.
• Employees represent one of your greatest defense opportunities, but they need to understand the importance of protecting your confidential data and the rules for keeping it safe.
• Training - Over 23% of people open phishing messages and 11% click on attachments.
• Enforcement - It’s up to management to ensure that the policies and procedures are being followed.
– Look to test users with false phishing emails to see who opens them.
– Focus training on the types of campaigns that were most successful in your company.
28. STEP 5: CONTINUAL MONITORING AND IMPROVEMENT
• Continual assessment and validation is necessary to verify the effectiveness of your security efforts.
– Many attacks happen from exploiting weaknesses in browsers, web applications, malicious websites, and other applications.
– Vulnerability Scanning is the most cost-effective way to protect your environment from unpatched exploits, new threats and hackers.
• Penetration Testing - A penetration test provides a point-in-time snapshot of security gaps and should be done regularly to determine system vulnerabilities.
• Security Assessment - Have a qualified third party review your network and identify potential business implications of security threats and how they can be remediated to improve compliance and longevity.
29. ADDITIONAL RESOURCES
• 5 Basic Cybersecurity Controls Every Firm MUST Have in Place
• My firm has been hacked, what do I do?
• Which type of hackers represent the biggest threat to law firms?
• Law Firm Cyber Security Threat Matrix [eBook]
• Should Firms Restrict Access to Personal Email?
• Law Firm Cyber Security: Protecting Your Client’s Data
• What your Law Firm Needs to Know About IT Risk and Security
Audits
For further reading, visit our blog Legal Loudspeaker.
30. Discover how Accellis can help you stay in front of cybersecurity threats.
Whether it’s a security assessment, penetration test, or compliance evaluation – our team of certified security experts can ensure you’re on the right track.
SCHEDULE A FREE CONSULTATION