Cyber crime – how to prevent an attack and its impact on professional liability


Why are we here?

14/11/2016 Law Mutual (WA) 2

1 Professional Liability Risk Profile Analysis

Risks: disclosure of confidential information; loss of trust funds; system failure
Cause: Cyber crime – hacking; phishing; scamming; ransomware; etc.
Consequences: financial (client sues; replenish trust account; recovery costs); reputation
Severity: $$$$$; loss of reputation; loss of business
Likelihood: Almost certain without adequate controls

Professor Craig Valli

Currently the Director of ECU’s Security Research Institute and Fellow of the Australian Computer Society, Craig has more than 25 years’ experience in the IT industry. He regularly consults with industry and government, focussing on securing networks and critical infrastructures, detection of network-borne threats, forensic analysis of cyber security incidents, network security and digital forensics. Craig has an active research profile with in excess of 90 publications to his name.


Michael Paterson

Michael Paterson is the Principal of Michael Paterson & Associates, a commercial law firm whose clients are mainly businesses and business owners. He has degrees in Law, with honours, and in Computer Science from A.N.U. in Canberra. As well as being a solicitor, Michael has developed software and is actively involved in both the legal and computer industries. With his knowledge and practical experience in the computer industry, Michael Paterson has developed a niche practice area in computer, technology and intellectual property law.


Ronwyn North

Ronwyn North is a lawyer turned practice management consultant who specialises in risk management, ethics and everything law school never taught you about being a good lawyer. She has been involved in the Law Mutual Risk Management program since it started in 1995 and likes to help lawyers find ways to make legal practice more profitable, more satisfying and less risky.


STRUCTURE OF SEMINAR


• Introduction
• Craig – IT Risks and Prevention Measures
• Michael – Relevant Examples and some Quick Wins
• Ronwyn – Professional Liability Risk and Prevention
• Panel question time

IT Risks and Prevention Measures

Professor Craig Valli

How big?

The Internet has shrunk the world, e.g. the Perth antipode is ~32 hours away via jet, ~3.2 s via the Internet

Australians are targeted because, no matter what our politicians tell us, we are relatively affluent

Once you connect to the Internet it is just you against all “others” – about 3.4×10³⁸ possibilities of them now

Attack 1 in 4 and reach ~20% of the market

Crime with shotguns is a high risk, low reward enterprise


Who, us?

• You could be just cyber road kill

– you are possibly unimportant, but the people or organisation you work for, or the organisation your organisation works for, are not

– your “trust” relationships can be used to attack others

– your data holdings are gateways to other targets or ventures

– you have a responsibility under the Privacy Act to report breaches


How easy?

• Anyone can buy the means…
• Social Engineering – Free Wireless, Free Software, Funny images/links
• Alternate channels – any device that’s net connected and can get to an Internet gateway, USB attack
• Old is new again…attack recycling


Cyber crime markets

• There are markets where people sell their “warez”

• It is a “service” industry all of its own

• GLOBAL

• For a price you can target and attack ANYONE



Cybercrime is a (well paid) business

• Attack, Compromise, Capitalise
– Information is the biggest commodity
– Multiple use of the same “data”

• Cyber Crime is a global business
– Increasingly organised
– Financial is just one threat vector and fading
– Many devices, many opportunities for attack
– Global reach…



Don’t panic!

• Top 4 of the ASD top 35 will get you an instant 80% return, easy to do!
• Most countermeasures you need are FREE in your systems – firewalls, encryption
• Backup the backup and VERIFY the backup
• Full system logging at all times
• Communicated, practiced and enforced policy
• If it is not in use, TURN it off
• Managed service options are increasing…


Don’t panic

• You need a PLAN for when it DOES go wrong…
– Who is going to clean it up
– How are you going to communicate it

• ACORN – Australian Cybercrime Online Reporting Network https://www.acorn.gov.au

• If you are attacked, report it: non-reporting and subsequent non-prosecution is one of the biggest problems that enables cybercrime to prosper


Relevant Examples and some Quick Wins

Michael Paterson


Law Mutual – Cyber Crime: How to Prevent Attacks and its Impact on Professional Liability - Examples


Some Statistics

• 2015 ACC Report – cyber crime affected 5 million Australians in 2013, at a cost of over $1 billion!

• ABA Survey 2015:
– 25% of firms with more than 100 lawyers reported actual breaches
– > 50% of firms had no data breach response plan in place


• Mossack Fonseca – the Panama Papers

• Outdated software with known vulnerabilities
• Website/webserver on the same computer as its client data
• Lessons:
– keep all software up to date
– keep client data on a different computer from your website


Mergers and Acquisitions – Insider Trading

• Ukrainian stock broker – “Olera”
• Engaged hackers to “acquire” merger and acquisition information from high profile law firms
• 47 were reportedly breached, including Allen & Overy, DLA Piper and Jones Day
• Wiley Rein LLP – Chinese hacking group infiltrated the firm that was dealing with a tariff case in relation to Chinese solar lights

• Issue: If the large firms are vulnerable, what hope have the small firms?


Ransomware and Other Phishing Expeditions

• My IT service provider has a medical practice client …
• E-mail purportedly from my accountant …
• E-mail purportedly from me to my office manager …
• Malicious attack via Perth website …


Recent Anton Piller Cases – Unauthorised Document Reproduction

• USB thumb drive left in taxi on leaving employment …

• Ex-director copied 55,000 documents and reproduced many for his new competing business


Trust Account Scams

• Perth real estate agency – $500k from trust account

• 2013 – Ontario Law Firm lost 6 figure amount from its trust account …

• Forged Bank Cheque …


Malicious and Not So Malicious Smart Phone Apps

• Chinese software development kit for iPhone and Android Apps

• Twitter, Facebook, LinkedIn, Zynga


Some Quick Wins

• Controls to reduce exposure to causes
• Technology
– Up to date firewalls, anti-spam, anti-virus, anti-malware on all equipment and devices
– Better backup
– Secure cloud
• People
– Phishing awareness
– Funds transfer protocols (esp. trust account)
– Password protocols
– Safe browsing and limits to personal use
– Train your staff

Cybercrime Professional Indemnity Risk and Prevention

Ronwyn North


Do you feel the risk is real?

• Are you convinced, still sceptical or in denial?
– Cyber-crime is a big threat
– You could be hurt badly
– You can protect yourself better


How badly could you be hurt?
Potential professional liability or not?

1. Cryptolock or other outage results in missed deadline
2. Phishing email results in trust account deficiency
3. Malware or hacking results in trust account theft
4. Client data breach due to
– Theft of laptop or mobile
– Loss of unencrypted USB
– Hack of third party cloud storage
– Use of insecure public or home wifi
5. Personal data breach exposes clients to identity theft, security threat or loss of privacy
6. Client IT system catches virus from your IT system


How badly could you be hurt?
Covered by PII

• ‘Civil liability incurred in connection with the Practice’
– Arising out of provision of legal services in ordinary course of legal practice


How badly could you be hurt?
Not covered by PII (1)

• Civil liability to third parties not connected to practice of law
• Criminal liability
– Dishonesty, complicity
• Disciplinary liability
– Defence costs, fines, costs orders in favour of prosecutor
• Statutory liability
– Penalty for Privacy Law breach


How badly could you be hurt?
Not covered by PII (2)

• Own business (1st party) losses or costs
– Ransom payments
– Intellectual property
– Forensic investigation
– ‘Clean up’, restore, repair, replacement of data, devices, hardware, software, websites
– Notifying affected parties
– Crisis management/PR
– Lost revenue, fee refunds


Professional or any liability
Will you be the test case?

• Legal practice or business?
• Duty if any?
– Prevent cybercrime per se?
– Protect client from adverse consequences of lawyer falling victim to cybercrime?
• Standard of ‘take reasonable steps’?
• Breach by what failures?
• Causation by lawyer or criminal?
• Loss or damage quantifiable?

TEST CASE


Other PII considerations

• Excess
• One claim or several?
• Above $2m?
• Notify promptly
• No admission of liability
• Claims loadings
• Capacity of scheme


How badly could you be hurt?
Out of pocket or out of business?

• Can you afford to lose ‘assets’ to cybercrime?
– Data
– Privacy
– Money
– Means of production
– Practising certificate
– Insurance policies
– Reputation
– Goodwill
– Wellbeing


What action can you take?
It’s about more than technology

• Exposure due to vulnerability of
– Technology 20%
– People 80%

• People vulnerability
– Unaware of threat
– Underinvest in security
– Not well trained
– Not motivated
– Rogue
– Slips and lapses


What action can you take?
Are you looking in the right direction?


What action can you take?
Most return on investment?

[Diagram: risk management cycle]

1. Prevention (Before)
2. Incident Response (During)
3. Recovery (After)
4. Assess, Plan, Monitor, Review

Diagram labels: Reduce exposure to causes; Reduce exposure to consequences; Detect & contain cybercrime event; Risks; Controls; Control monitoring; Lessons; Weaknesses; New risks


What action can you take?
1. Prevention Practices

• Security policies and protocols that balance security, privacy, efficiency and freedom
– Examples in handout
• Integration of security into work processes
– Security designed in (automated)
– Security weaknesses designed out
• Manage client expectations of security
• Security related employment practices
– Hiring, Training, Appraisal, Reward
• Security culture
– Beyond ‘spiritless compliance’


What action can you take?
2. Incident Response

• Incident response
– Response plans in place and tested, not unproven
– Timely reporting of suspicious activity
– Responsive system monitoring (logs, alerts, alarms)
• Know-how and capacity to
– Stop transfer of data or funds
– Wipe data remotely
– Prevent spread of virus or cryptolock
– Pay ransom?


What action can you take?
3. Recovery & Insurance

• Adequate PII top up, cyber or other insurances
• Restore from backup
– Have you tested it will work?
• Forensic investigation and review
– Lessons
– Improvement actions
• Notifications
– Affected persons
– Police
– ACORN
– Regulators
– Insurers
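The deck makes the same point twice: back up, VERIFY the backup, and test that a restore will actually work before you need it. The script below is an added example and is not part of the seminar material or any tool it names. It backs up a directory as a tar.gz, records a SHA-256 manifest of every file at backup time, then proves restorability by extracting the archive into a scratch directory and comparing each restored file against the manifest. The ‘client files’ it backs up are constructed in a temporary directory; the archive format, manifest layout and function names are this example’s own choices.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Write a tar.gz of src_dir and return the manifest taken at backup time.
    Store the manifest apart from the archive (e.g. with the offsite copy) so
    one damaged medium cannot take both the data and the record of it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Test-restore into a scratch directory and compare every file with the
    manifest. Returns a list of problems; an empty list means the archive is
    readable and every file came back byte-for-byte identical."""
    problems = []
    # Use the 'data' extraction filter where this Python provides it (3.12+,
    # backported to 3.8.17/3.9.17/3.10.12/3.11.4): it refuses absolute paths,
    # '..' traversal and special files in a damaged or untrusted archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(str(restore_dir), **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: back up a tiny 'client files' tree, verify it, then
    flip one byte in the archive to simulate media damage and verify again.
    Returns (file count, problems before damage, problems after damage)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "client_files"
        (src / "matters").mkdir(parents=True)
        # Constructed sample data, not real client records.
        (src / "trust_ledger.csv").write_text(
            "date,matter,amount\n2016-11-14,M001,500000\n")
        (src / "matters" / "M001_advice.txt").write_text(
            "Constructed sample advice letter.\n")
        archive = work / "client_files.tar.gz"
        manifest = create_backup(src, archive)
        before = verify_backup(archive, manifest)
        damaged = bytearray(archive.read_bytes())
        damaged[len(damaged) // 2] ^= 0xFF  # one corrupted byte mid-archive
        archive.write_bytes(damaged)
        after = verify_backup(archive, manifest)
    return len(manifest), before, after


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} files backed up; problems before damage: {before}")
    print(f"problems after damage: {after}")
```

Run the verification on a schedule and after every media or provider change, keep the manifest with the offsite copy rather than only beside the archive, and treat any non-empty result as an incident: a backup that cannot be restored is not a backup. The demo’s single flipped byte stands in for the silent media errors and partial copies that a routine ‘backup completed’ message never reveals.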


What action can you take?
4. Assessment & Review

• Risk & Control Map
– Understand cyber crime risk
– Assess exposure/risk appetite
– Set priorities
– Produce action plan for controls and monitoring
– Evaluate the plan, its execution and results