cyber security for business

Upload: admac57

Post on 13-Apr-2018


  • 7/26/2019 Cyber Security for Business

    1/44

    Cyber Security for Law

    Dr Adrian McCullagh

    Ph.D. (IT Security), LL.B. (Hons), B. App. Sc. (Computin

    ODMOB Lawyers

    Email: [email protected]

    Mob: 0401 646 486


    2/44

    Disclaimer

    PLEASE NOTE: the information disclosed in the presentatio

    provision of Legal advice or Professional Services advicereader/attendee has an issue then they should seek applegal/technical advice. The author/presenter makes no correctness of anything contained in this presentation. Thpresentation is ever changing at a rapid rate and as sucpresentation is the sole opinion of the author/presenter arelied upon as either legal or technical advice. Every situand as such proper analysis must be undertaken when seprofessional advice.

    Consequently, the author/presenter takes no responsibilithat may exist in this paper and certainly takes no responreader/attendee takes any actions based on what is (eximplication) contained in this paper/presentation.

    All readers/attendees take full responsibility for anything may do in reliance of anything contained in thispaper/presentation.

    Dr. Adrian McCullagh: [email protected]



    3/44

    Agenda

    Introduction or why are lawyers under threat

    What is a Cyber Attack

    Hackers

    Ransomware

    Planning for an attack

    Security risk analysis

    Treating cyber risk

    Mitigation of cyber risk

    Data Breach notification laws

    Ethics rules: Aust Sol Conduct Rules Rule 9.1

    What to do if ransomware infection

    Before an attack

    Post attack

    Conclusion



    4/44

    Preface: Law firms are just anothsmall business:

    The content of this presentation was directed towfirms.

    It was a presentation to QLD law firms at the requeQueensland Law Society

    The content can also be equally applicable to all whether large, medium or small.

    Of course the ethical rules noted in this presentatioapply to Law firms but other aspects in this presenbe advantageous to non law firms.

    The central issue is how to protect an organisationcyber-security attack and in particular a ransomw



    5/44

    Introduction or why are lawyers und



    6/44

    Lawyers are prime targets: Why

    Lawyers are prime targets because they hold

    information. Large firms are being targeted because they

    prime clients especially M&A transactions

    BUT Do not think you have to be a large firm to

    Small firms are being targeted through ransom



    7/44

    Lawyers are prime targets: Why

    All small businesses are targets of ransomware

    Small law firms are relatively easy prey for cyber cgangs

    Computer security is not easy: if it was then criminanot succeed as they do

    There are many reasons for hackers to target Law a value perspective, Law firms hold some of the hquality data concerning their clients. Mossack FattackPanama Papers. 2.4 terabytes of data lea

    Whether intellectual property, strategic business dlitigation-related information, firms hold some of thsought-after information on target companies.

    Do not under-estimate the industrial hacker.



    8/44

    Lawyers are prime targets: Why

    The risks to law firms are no longer limited to rainfection by malware. Law firms like other busprofessionals have become targets by:

    (1) attackers who are capable of exploiting knvulnerabilities, Zero day attacks

    (2) attackers who are better funded and more sophisticated at discovering new vulnerabilitiesand exploiting them, and

    (3) certain state-sponsored attackers capable creating vulnerabilities in systems, including systare otherwise strongly protected.

    Terrorists are becoming hackers so as to fund thoperations.- Al Qa-eda; ISIS etc.



    9/44

    What is a Cyber Attack



    10/44

    Cyber attacks

    A cyber attack is any intentional unauthorisedby a third party to an organisations IT environ

    Attacks to information security vary greatly in who is conducting an attack, the purpose of tand the means of conducting it.

    Cyber attacks can take many forms such as:

    Mobile device attacks (SS7 attack);

    Hacker attacks usually zero day attacks;

    Phishing attacks/ social engineering attacks;

    Malware attacks:

    Ransomware;

    Viruses;



    11/44

    Planning for an attack



    12/44

    Planning for an attack

    According to a well known US based Hacker t

    two types of organisations:

    Those that know they have suffered an atta

    Those that have suffered an attack but do yet.

    According to the Chief Security Officer for Fire

    testimony to Congress the average time betwattack and knowing that there has been an a209 days (nearly 7 months).

    It is usually the Law Enforcement who notifies t



    13/44

    Planning for an attack

    Interestingly, there are currently no laws which

    victim to report a crime that has been perpetagainst them.

    This may change in the near future as the FedParliament is currently considering breach notlaws. That is if there is a data breach involvingunauthorised disclosure of third party persona

    identifiable information held by an APP entity data concerns sensitive personal information affected persons will need to be promptly notwell as the Privacy Commissioner.



    14/44

    Planning for an attack

    This legislation will be an amendment to the P1989 (Cth), which impacts all organisations thaor = to $3 million annual gross revenue threshowhen it comes to health records which will obaffect personal injury claims.

    Consequently, if a law firm has an annual reve


    15/44

    Planning for an attack

    The issue is whether the law itself should be alteregeneral when it comes to reporting criminal incivictims.

    I believe that if the impact of the criminal activitaffects the primary victim but also impacts secovictims then there should be an obligation to infoenforcement.

    The Primary victim will be the firm/organisation thsubject of the hack.

    The secondary victims will all or the persons to wunauthorised disclosed personal informationrelates.



    16/44

    Planning for an attack

    Lawyers have a duty to safeguard their own bus

    records, including intellectual property, lawyer w

    product, and financial and employment recorda few.

    Electronic records are an integral part of every labusiness.

    Client information is held on a fiduciary basis and

    confidentiality must be maintained. Even though there is this fiduciary position in Aus

    confidential information is not property.

    BUT what does the requirement concerningconfidentiality be maintained mean?



    17/44

    Planning for an attack

    Information security involves the AIC Model:

    Availability of the information must be upheld. If tinformation is not available then the other 2 elemno importance;

    Integrity of the information will be the basis of futumaking. If you cannot trust the information then itsubstantially diminished;

    Confidentiality requires a need to know structure. information held will necessarily involve confidentLawyers in relation to confidentiality must know whthey have, where it resides, its level of sensitivity, asecured.



    18/44

    Planning for an attack

    Implementing a security framework is actually

    Some of the things that lawyers MUST do are:

    Staff awareness training. According to IBM mo

    90% of all hacker incidents can be attributed tohuman failure which could involve:

    Failure to properly configure some acquired sectechnology like:

    Firewall;

    Data Loss prevention technology.

    Intrusion detection technology

    Failure of some staff member who downloads some

    Failure to patch systems regularly and promptly.



    19/44

    Planning for an attack

    The Law firm may want to consider separate insuis specifically designed to cover cyber incidents

    In general professional indemnity insurance policNOT designed cover a cyber attack.

    Clause 2 which covers the indemnity for Civil Liaas follows:

    Lexon shall indemnify the Insured against any civil lia(including Claimants costs and Defence Costs):

    2.1.1. arising from any Claim first made against the Iduring the Period of Insurance; and

    2.1.2. arising from the provision of Legal Services by

    The definition of Legal Services warrants careful re



    20/44

    Planning for an attack

    Though the security of client data is integral to the prlegal services it is arguable that the security of client

    not fit within the definition of providing legal service

    Other types of insurance available include general cliability insurance but this also may in general terms ncyber attack. Some GCLI specifically excludes cybe

    There does exist special cyber risk insurance but this t

    insurance is immature. Before taking out such insurance not only ask what it

    also ask what it does not cover. For example make sthe impact of ransomware.

    In this regard seek specialist advice beforehand.



    21/44

    Data Breach notification laws



    22/44

    Notification Laws

    On 3 December 2015, the Fed Govt released exposu

    Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.

    The bill has not yet been passed into legislation.

    If passed the Act will require:

    Any APP entity that has reasonable grounds to believeserious data breach has occurred must notify the Priva

    Commissioner and take reasonable steps to notify the affindividuals of the breach.

    A breach is serious if it gives rise to a real risk of serious affected individual, such as identity theft.



    23/44

    Notification Laws

    The notification must include:

    the identity and contact details of the entitybeen breached;

    a description of the breach and the reasongrounds upon which the entity believes theoccurred;

    the kinds of information involved in the brearecommended steps for the individual to tak

    response to the breach.



    24/44

    Ethics rules: Aus. Sol. Conduct Rule 9.1



    25/44

    ASCR: Rule 9.1

    Confidentiality 9.1

    A solicitor must not disclose any information whconfidential to a client and acquired by the solduring the client's engagement to any person w

    9.1.1 a solicitor who is a partner, principal, direcemployee of the solicitor's law practice; or

    9.1.2 a barrister or an employee of, or person otengaged by, the solicitor's law practice or by aassociated entity for the purposes of delivering administering legal services in relation to the clie

    EXCEPT as permitted in Rule 9.2.



    26/44

    ASCR: Rule 9.1

    9.2 A solicitor may disclose confidential client informa

    9.2.1 the client expressly or impliedly authorises disclosu

    9.2.2 the solicitor is permitted or is compelled by law to

    9.2.3 the solicitor discloses the information in a confidefor the sole purpose of obtaining advice in connectionsolicitor's legal or ethical obligations;

    9.2.4 the solicitor discloses the information for the sole

    avoiding the probable commission of a serious crimina

    9.2.5 the solicitor discloses the information for the purp

    preventing imminent serious physical harm to the clienanother person; or

    9.2.6 the information is disclosed to the insurer of thesolicitor, law practice or associated entity.



    27/44

    ASCR: Rule 9.1

    NOTE: the Exclusions to clause 9.1 as set out in paragthrough to 9.2.6 only apply to the case where the So

    intentionally discloses the client confidential informat

    When a successful hack attack occurs there is no intthe part of the Solicitor. There is an unauthorised discclient information which will not fall within the noted detailed in clause 9.2.

    Further, if the law firm has annual revenue of not less than the Australian Privacy Principles may apply.

    APP 8 requires all APP entities to deploy reasonable smeasures in the protection of Personal Information aespecially sensitive personal information.



    28/44

    ASCR: UK equivalent

    In 2011, a UK lawyer (Mr Andrew Crossley) who was t

    principal of the firm ACS: Law was fined 1000 poundsInformation Commissioner for a major data leak fromsystem.

    The UK Information Commissioner admitted that if ACnot ceased to trade the Commissioner would have fLaw firm 200,000 pounds. Such a fine would have th

    largest single fine for a data breach. The unauthorised disclosure of ACS: Law involved the

    details of thousands of alleged file sharers along withemails from Mr Crossley and other litigants.



    29/44

    ASCR: UK equivalent

    His Honour Judge Birss noted that the security system

    implemented by ACS: Law was barely fit for purposecommercial environment otherwise known as a domenvironment.

    As his honour stated Sensitive personal details relatithousands of people were made available for downworldwide audience and will have caused them

    embarrassment and considerable distress.



    30/44

    What to do on ransomware infec



    31/44

    Ransomware (its prevalence is growing)

    Ransomware is software that prevents a legitimateusing the IT system for its proper purposes.

    Such impediments include:

    Preventing an authorised user from accessing the IT sys

    Unauthorised Encryption of data files;

    Disruption of the proper use of the relevant IT system

    Aligned with these impediment will be some notificthe perpetrator for some form of ransom to be pato remove the impediment.

    Some ransomware involves scareware which scarauthorised user to enter into some correctiveservice.



    32/44

    Ransomware (its prevalence is growing)

    All types of ransomware are illegal but that do

    help anyone who is subject to this type of atta

    Perpetrators are now requiring payment by biwhich is a pseudo-anonymous virtual currency

    If you are a victim you should, though you do to, inform the police. They will have a numbe

    their disposal which may help but more imporneed to know so as to understand how the crbeing deployed.

    QLD Police have one of the most sophisticatecyber crime forensics team in Australia



    33/44

    Ransomware

    JIGSAW Applicat



    34/44

    Ransomware

    Courtesy of Microsoft Security

    Crowti is also known as cryp



    35/44

    Ransomware

    Other well known ransomware applications are:

    Cryptolocker: this ransomware will encrypt all files and the d

    will not be provided unless payment is made. FireEye has dethat will decrypt the encrypted files without the need to pay Microsoft also has a tool that can be used to rectify a crypto

    SAMSAM: this ransomware attacks the JBoss webserver. Thattack vector that attacks a webserver. It not only encrypts the server but also waits for the backup and encrypts all of thdata. A solution to this is to only do incremental backups. Con an offline machine for recovery purposes and store all cle data offline daily.

    JigSaw: as you will see in the next slide this ransomware not you data but on after 24 hours on an hourly basis it will deletepayment is made or everything is deleted within 72 hours. Agby bitcoin the pseudo-anonymous virtual currency.



    36/44

    Ransomware: how not to be a v

    Things to do in order to reduce the risk:

    Have a patch management procedure that is regularly reviewedthink it is being automatically being done once it is set up. The re

    at least every 3 months. It is not a hard task once. Audit logs arecheck.

    Train staff and retrain staff (refresher courses) about not downloaattachments that they are not expecting;

    Implement appropriate security measures like: firewalls, anti-viruregular backup procedures, disaster recovery procedures that amonths, every back up no matter how small should be tested forpurposes once a month or sooner and stored offline, implements

    prevention technology, implement intrusion detection technolog

    Never forget any of the above and engage an expert in the local IT consultant will not in my opinion have the necessary e



    37/44

    Conclusion - Checklist



    38/44

    Conclusion

    Lawyers are an increasing target

    In general Professional Indemnity Insurance m

    cover a cyber attack and as such practitionewant to review the professional indemnity insupolicy to satisfy themselves that their professioindemnity coverage includes cyber incidents.

    Ransomware is a major problem as this attackinclude small and large law firms.

    Cyber security is not easy so engage an expelocal IT person).



    39/44

    Conclusion/ checklist

    Training is an important risk management aspect.

    It is advisable to have refresher courses on an annual basis.

    ODMOB Lawyers provides a training practice so aminimise the risk of human error.

    Deploy appropriate security technology like anti-vsoftware, firewall, intrusion detection and data lostechnology.

    Back up data and test the data and store the dat

    Note that Data breach laws are changing

    Test your security framework on a regular basis, atper year. An appropriate pen test is the best appr



    40/44

    Conclusion/ checklist

    The FBI on 29 April 2016 issued the following ch

    concerning proactive protective measures in with Ransomware attacks:

    Prevention Efforts

    Make sure employees are aware of ransomaware of their critical roles in protecting theorganizations data. Training; Training; Train

    Patch operating system, software, and firm

    digital devices (which may be made easiecentralized patch management system).

    Ensure antivirus and anti-malware solutions automatically update and conduct regula



    41/44

    Conclusion/ checklist

    Manage the use of privileged accou

    users should be assigned administrati

    access unless absolutely needed, anuse administrator accounts when nec

    Configure access controls, including directory, and network share permissappropriately. If users only need read

    information, they don't need write-acthose files or directories.



    42/44

    Conclusion/ checklist

    Disable macro scripts from office files transmitted over e-mail.

    Implement software restriction policieother controls to prevent programs frexecuting from common ransomwarlocations (e.g., temporary folders suppopular Internet browsers, compression/decompression program



    43/44

    Conclusion/ checklist

    Business Continuity Efforts

    Back up data regularly and verify the

    of those backups regularly.

    Secure your backups. Make sure the

    connected to the computers and nethey are backing up

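Slide 35 (SAMSAM waiting for the backup and encrypting it too), slide 36 (test every backup for restoration once a month and keep it offline) and this slide all come down to one control: keep an integrity record of the backup apart from the backup media and check it before trusting a restore. The Python below is an added example, not code from the presentation or from ODMOB Lawyers; the file names, the ransomware suffix list and the entropy threshold are constructed assumptions.

```python
# Added example, not from the presentation: offline SHA-256 manifest of a backup
# set plus a restore-time check that spots a backup the ransomware reached too.
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of extensions ransomware appends (assumption, not from the slides).
RANSOMWARE_SUFFIXES = {".encrypted", ".locked", ".crypt"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(backup_root: Path) -> dict:
    """Taken with the backup and stored offline, apart from the backup media."""
    return {p.relative_to(backup_root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_of(p)}
            for p in sorted(backup_root.rglob("*")) if p.is_file()}

def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Restore-time check of the backup set against the offline manifest.
    A changed file whose bytes now look encrypted, or a new file carrying a
    ransomware suffix, is reported as suspicious, not merely as modified."""
    report = {"missing": [], "modified": [], "unexpected": [], "suspicious": []}
    seen = set()
    for p in backup_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
            if p.suffix.lower() in RANSOMWARE_SUFFIXES:
                report["suspicious"].append(rel)
        elif sha256_of(p) != manifest[rel]["sha256"]:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:4096]) > 7.5:
                report["suspicious"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["clean"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report

def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same set after an attack
    that encrypted the backup as well. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "matters").mkdir()
        (root / "matters" / "smith-v-jones.txt").write_text("Affidavit draft, confidential.\n" * 50)
        (root / "ledger.csv").write_text("date,client,amount\n2016-05-01,Smith,1500\n")
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        # Simulated attack: one file overwritten with ciphertext, one renamed, a note dropped.
        (root / "ledger.csv").write_bytes(os.urandom(8192))
        (root / "matters" / "smith-v-jones.txt").rename(root / "matters" / "smith-v-jones.txt.encrypted")
        (root / "HOW_TO_RECOVER.txt").write_text("pay in bitcoin")
        after = verify_backup(root, manifest)
    return before, after
```

Calling `demo()` returns the clean report followed by the report that flags the encrypted ledger, the renamed matter file and the dropped note; in practice `build_manifest` runs on the backup host and `verify_backup` on the isolated recovery machine the slides recommend.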


    44/44

    Any questions?
