7/26/2019 Cyber Security for Business
1/44
Cyber Security for Law
Dr Adrian McCullagh
Ph.D. (IT Security), LL.B. (Hons), B. App. Sc. (Computin
ODMOB Lawyers
Email: [email protected]
Mob: 0401 646 486
Disclaimer
PLEASE NOTE: the information disclosed in the presentatio
provision of Legal advice or Professional Services advicereader/attendee has an issue then they should seek applegal/technical advice. The author/presenter makes no correctness of anything contained in this presentation. Thpresentation is ever changing at a rapid rate and as sucpresentation is the sole opinion of the author/presenter arelied upon as either legal or technical advice. Every situand as such proper analysis must be undertaken when seprofessional advice.
Consequently, the author/presenter takes no responsibilithat may exist in this paper and certainly takes no responreader/attendee takes any actions based on what is (eximplication) contained in this paper/presentation.
All readers/attendees take full responsibility for anything they may do in reliance on anything contained in this paper/presentation.
Dr. Adrian McCullagh: [email protected]
2
Agenda
Introduction or why are lawyers under threat
What is a Cyber Attack
Hackers
Ransomware
Planning for an attack
Security risk analysis
Treating cyber risk
Mitigation of cyber risk
Data Breach notification laws
Ethics rules: Aust Sol Conduct Rules, Rule 9.1
What to do on ransomware infection
Before an attack
Post attack
Conclusion
Preface: Law firms are just anothsmall business:
The content of this presentation was directed towfirms.
It was a presentation to QLD law firms at the requeQueensland Law Society
The content can also be equally applicable to all whether large, medium or small.
Of course the ethical rules noted in this presentatioapply to Law firms but other aspects in this presenbe advantageous to non law firms.
The central issue is how to protect an organisationcyber-security attack and in particular a ransomw
Introduction or why are lawyers und
Lawyers are prime targets: why?
Lawyers are prime targets because they hold
information. Large firms are being targeted because they
prime clients especially M&A transactions
BUT Do not think you have to be a large firm to
Small firms are being targeted through ransom
Lawyers are prime targets: why?
All small businesses are targets for ransomware
Small law firms are relatively easy prey for cyber cgangs
Computer security is not easy: if it was then criminanot succeed as they do
There are many reasons for hackers to target Law a value perspective, Law firms hold some of the hquality data concerning their clients. Mossack FattackPanama Papers. 2.4 terabytes of data lea
Whether intellectual property, strategic business dlitigation-related information, firms hold some of thsought-after information on target companies.
Do not under-estimate the industrial hacker.
Lawyers are prime targets: why?
The risks to law firms are no longer limited to rainfection by malware. Law firms like other busprofessionals have become targets by:
(1) attackers who are capable of exploiting knvulnerabilities, Zero day attacks
(2) attackers who are better funded and more sophisticated at discovering new vulnerabilitiesand exploiting them, and
(3) certain state-sponsored attackers capable creating vulnerabilities in systems, including systare otherwise strongly protected.
Terrorists are becoming hackers so as to fund thoperations: Al Qaeda, ISIS etc.
What is a Cyber Attack
Cyber attacks
A cyber attack is any intentional unauthorisedby a third party to an organisations IT environ
Attacks to information security vary greatly in who is conducting an attack, the purpose of tand the means of conducting it.
Cyber attacks can take many forms such as:
Mobile device attacks (SS7 attack);
Hacker attacks usually zero day attacks;
Phishing attacks/social engineering attacks;
Malware attacks:
Ransomware;
Viruses;
Planning for an attack
Planning for an attack
According to a well known US based Hacker t
two types of organisations:
Those that know they have suffered an atta
Those that have suffered an attack but do yet.
According to the Chief Security Officer for Fire
testimony to Congress the average time betwattack and knowing that there has been an a209 days (nearly 7 months).
It is usually the Law Enforcement who notifies t
Planning for an attack
Interestingly, there are currently no laws which
victim to report a crime that has been perpetagainst them.
This may change in the near future as the FedParliament is currently considering breach notlaws. That is if there is a data breach involvingunauthorised disclosure of third party persona
identifiable information held by an APP entity data concerns sensitive personal information affected persons will need to be promptly notwell as the Privacy Commissioner.
Planning for an attack
This legislation will be an amendment to the P1989 (Cth), which impacts all organisations thaor = to $3 million annual gross revenue threshowhen it comes to health records which will obaffect personal injury claims.
Consequently, if a law firm has an annual reve
Planning for an attack
The issue is whether the law itself should be alteregeneral when it comes to reporting criminal incivictims.
I believe that if the impact of the criminal activitaffects the primary victim but also impacts secovictims then there should be an obligation to infoenforcement.
The Primary victim will be the firm/organisation thsubject of the hack.
The secondary victims will be all of the persons to wunauthorised disclosed personal information relates.
Planning for an attack
Lawyers have a duty to safeguard their own bus
records, including intellectual property, lawyer w
product, and financial and employment recorda few.
Electronic records are an integral part of every labusiness.
Client information is held on a fiduciary basis and confidentiality must be maintained. Even though there is this fiduciary position in Aus confidential information is not property.
BUT what does the requirement concerning confidentiality be maintained mean?
Planning for an attack
Information security involves the AIC Model:
Availability of the information must be upheld. If tinformation is not available then the other 2 elemno importance;
Integrity of the information will be the basis of futumaking. If you cannot trust the information then itsubstantially diminished;
Confidentiality requires a need to know structure. information held will necessarily involve confidentLawyers in relation to confidentiality must know whthey have, where it resides, its level of sensitivity, asecured.
Planning for an attack
Implementing a security framework is actually
Some of the things that lawyers MUST do are:
Staff awareness training. According to IBM mo
90% of all hacker incidents can be attributed to human failure which could involve:
Failure to properly configure some acquired sectechnology like:
Firewall;
Data Loss prevention technology.
Intrusion detection technology
Failure of some staff member who downloads some
Failure to patch systems regularly and promptly.
Planning for an attack
The Law firm may want to consider separate insuis specifically designed to cover cyber incidents
In general professional indemnity insurance policNOT designed cover a cyber attack.
Clause 2 which covers the indemnity for Civil Liaas follows:
Lexon shall indemnify the Insured against any civil lia(including Claimant's costs and Defence Costs):
2.1.1. arising from any Claim first made against the Iduring the Period of Insurance; and
2.1.2. arising from the provision of Legal Services by
The definition of Legal Services warrants careful re
Planning for an attack
Though the security of client data is integral to the prlegal services it is arguable that the security of client
not fit within the definition of providing legal service
Other types of insurance available include general cliability insurance but this also may in general terms ncyber attack. Some GCLI specifically excludes cybe
There does exist special cyber risk insurance but this t
insurance is immature. Before taking out such insurance not only ask what it
also ask what it does not cover. For example make sthe impact of ransomware.
In this regard seek specialist advice beforehand.
Data Breach notification laws
Notification Laws
On 3 December 2015, the Fed Govt released exposu
Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.
The bill has not yet been passed into legislation.
If passed the Act will require:
Any APP entity that has reasonable grounds to believe serious data breach has occurred must notify the Priva Commissioner and take reasonable steps to notify the aff individuals of the breach.
A breach is serious if it gives rise to a real risk of serious affected individual, such as identity theft.
Notification Laws
The notification must include:
the identity and contact details of the entitybeen breached;
a description of the breach and the reasongrounds upon which the entity believes theoccurred;
the kinds of information involved in the brea
recommended steps for the individual to tak response to the breach.
Ethics rules: Aus. Sol. Conduct Rule 9.1
ASCR: Rule 9.1
Confidentiality 9.1
A solicitor must not disclose any information whconfidential to a client and acquired by the solduring the client's engagement to any person w
9.1.1 a solicitor who is a partner, principal, direcemployee of the solicitor's law practice; or
9.1.2 a barrister or an employee of, or person otengaged by, the solicitor's law practice or by aassociated entity for the purposes of delivering administering legal services in relation to the clie
EXCEPT as permitted in Rule 9.2.
ASCR: Rule 9.1
9.2 A solicitor may disclose confidential client informa
9.2.1 the client expressly or impliedly authorises disclosu
9.2.2 the solicitor is permitted or is compelled by law to
9.2.3 the solicitor discloses the information in a confidefor the sole purpose of obtaining advice in connectionsolicitor's legal or ethical obligations;
9.2.4 the solicitor discloses the information for the sole
avoiding the probable commission of a serious crimina
9.2.5 the solicitor discloses the information for the purp
preventing imminent serious physical harm to the clienanother person; or
9.2.6 the information is disclosed to the insurer of thesolicitor, law practice or associated entity.
ASCR: Rule 9.1
NOTE: the Exclusions to clause 9.1 as set out in paragthrough to 9.2.6 only apply to the case where the So
intentionally discloses the client confidential informat
When a successful hack attack occurs there is no intthe part of the Solicitor. There is an unauthorised discclient information which will not fall within the noted detailed in clause 9.2.
Further, if the law firm has annual revenue of not less then the Australian Privacy Principles may apply.
APP 8 requires all APP entities to deploy reasonable smeasures in the protection of Personal Information aespecially sensitive personal information.
ASCR: UK equivalent
In 2011, a UK lawyer (Mr Andrew Crossley) who was t
principal of the firm ACS: Law was fined 1000 pounds Information Commissioner for a major data leak from system.
The UK Information Commissioner admitted that if ACnot ceased to trade the Commissioner would have fLaw firm 200,000 pounds. Such a fine would have th
largest single fine for a data breach.
The unauthorised disclosure of ACS: Law involved the details of thousands of alleged file sharers along with emails from Mr Crossley and other litigants.
ASCR: UK equivalent
His Honour Judge Birss noted that the security system
implemented by ACS: Law was barely fit for purposecommercial environment otherwise known as a domenvironment.
As His Honour stated: Sensitive personal details relati thousands of people were made available for down worldwide audience and will have caused them embarrassment and considerable distress.
What to do on ransomware infec
Ransomware (its prevalence is growing)
Ransomware is software that prevents a legitimateusing the IT system for its proper purposes.
Such impediments include:
Preventing an authorised user from accessing the IT sys
Unauthorised Encryption of data files;
Disruption of the proper use of the relevant IT system
Aligned with these impediments will be some notificthe perpetrator for some form of ransom to be pato remove the impediment.
Some ransomware involves scareware which scarauthorised user to enter into some correctiveservice.
Ransomware (its prevalence is growing)
All types of ransomware are illegal but that do help anyone who is subject to this type of atta
Perpetrators are now requiring payment by biwhich is a pseudo-anonymous virtual currency
If you are a victim you should, though you do to, inform the police. They will have a numbe their disposal which may help but more imporneed to know so as to understand how the crbeing deployed.
QLD Police have one of the most sophisticatecyber crime forensics team in Australia
Ransomware: JIGSAW Applicat
Ransomware (courtesy of Microsoft Security)
Crowti is also known as cryp
Ransomware
Other well known ransomware applications are:
Cryptolocker: this ransomware will encrypt all files and the d will not be provided unless payment is made. FireEye has dethat will decrypt the encrypted files without the need to pay. Microsoft also has a tool that can be used to rectify a crypto
SAMSAM: this ransomware attacks the JBoss webserver. Thattack vector that attacks a webserver. It not only encrypts the server but also waits for the backup and encrypts all of thdata. A solution to this is to only do incremental backups. Con an offline machine for recovery purposes and store all cle data offline daily.
JigSaw: as you will see in the next slide this ransomware not your data but on after 24 hours on an hourly basis it will deletepayment is made or everything is deleted within 72 hours. Agby bitcoin the pseudo-anonymous virtual currency.
Ransomware: how not to be a v
Things to do in order to reduce the risk:
Have a patch management procedure that is regularly reviewedthink it is being done automatically once it is set up. The re at least every 3 months. It is not a hard task once. Audit logs arecheck.
Train staff and retrain staff (refresher courses) about not downloaattachments that they are not expecting;
Implement appropriate security measures like: firewalls, anti-viruregular backup procedures, disaster recovery procedures that amonths, every back up no matter how small should be tested forpurposes once a month or sooner and stored offline, implement prevention technology, implement intrusion detection technolog
Never forget any of the above and engage an expert in the local IT consultant will not in my opinion have the necessary e
Conclusion - Checklist
Conclusion
Lawyers are an increasing target
In general Professional Indemnity Insurance m cover a cyber attack and as such practitionewant to review the professional indemnity insupolicy to satisfy themselves that their professioindemnity coverage includes cyber incidents.
Ransomware is a major problem as this attackinclude small and large law firms.
Cyber security is not easy so engage an expelocal IT person).
Conclusion/checklist
Training is an important risk management aspect.
It is advisable to have refresher courses on an annannual basis.
ODMOB Lawyers provides a training practice so aminimise the risk of human error.
Deploy appropriate security technology like anti-vsoftware, firewall, intrusion detection and data lostechnology.
Back up data and test the data and store the dat
Note that Data breach laws are changing
Test your security framework on a regular basis, atper year. An appropriate pen test is the best appr
Conclusion/checklist
The FBI on 29 April 2016 issued the following ch concerning proactive protective measures in with Ransomware attacks:
Prevention Efforts
Make sure employees are aware of ransomaware of their critical roles in protecting theorganization's data. Training; Training; Train
Patch operating system, software, and firm digital devices (which may be made easiecentralized patch management system).
Ensure antivirus and anti-malware solutions automatically update and conduct regula
Conclusion/checklist
Manage the use of privileged accou
users should be assigned administrati access unless absolutely needed, anuse administrator accounts when nec
Configure access controls, including directory, and network share permissappropriately. If users only need read information, they don't need write-acthose files or directories.
Conclusion/checklist
Disable macro scripts from office files transmitted over e-mail.
Implement software restriction policieother controls to prevent programs frexecuting from common ransomwarlocations (e.g., temporary folders suppopular Internet browsers, compression/decompression program
Conclusion/checklist
Business Continuity Efforts
Back up data regularly and verify the of those backups regularly.
Secure your backups. Make sure the connected to the computers and ne they are backing up
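As an added example that is not part of the presentation or of the FBI text, the following read-only PowerShell audit checks one Windows machine against the prevention items listed above (patching, antivirus, privileged accounts, share permissions, Internet macros, application control). It assumes Windows 10/Server 2016 or later with PowerShell 5.1, Windows Defender as the antivirus, Office's 16.0 registry hive, and a placeholder share path C:\Shares\ClientFiles.

```powershell
# Added example, not from the presentation: read-only audit of the FBI prevention
# items on one Windows machine. Assumptions: Windows 10/Server 2016 or later with
# PowerShell 5.1, Windows Defender as antivirus, Office registry hive 16.0, and a
# placeholder share path. Run elevated; nothing here changes any setting.

$SharePath = 'C:\Shares\ClientFiles'   # placeholder: substitute a real document share
$Findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding($Item, $Pass, $Detail) {
    $Findings.Add([pscustomobject]@{ Item = $Item; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. Patching: days since the most recent installed update (30 days is a policy choice).
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays   = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { 9999 }
Add-Finding 'Patch recency' ($ageDays -le 30) "Last hotfix installed $ageDays day(s) ago"

# 2. Antivirus: enabled, real-time protection on, signatures no older than 3 days.
$mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
$avOk = $mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
Add-Finding 'Antivirus current' $avOk "Signature age: $($mp.AntivirusSignatureAge) day(s)"

# 3. Privileged accounts: membership of the local Administrators group should be minimal.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
Add-Finding 'Few local administrators' ($admins.Count -le 2) ('Members: ' + ($admins.Name -join ', '))

# 4. Access controls: broad groups should hold read, not write, rights on the share.
$writeMask  = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'
$broadWrite = @()
if (Test-Path $SharePath) {
    $broadWrite = @((Get-Acl $SharePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users' -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    })
}
Add-Finding 'No broad write access on share' ($broadWrite.Count -eq 0) "Broad-group write ACEs: $($broadWrite.Count)"

# 5. Macros in e-mailed/downloaded files: "Block macros from running in Office files
#    from the Internet" policy; a value of 1 means the block is enforced.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    Add-Finding "Internet macros blocked: $app" ($val -eq 1) "blockcontentexecutionfrominternet = $val"
}

# 6. Execution from user-writable locations: is a Software Restriction Policy or an
#    AppLocker policy in force at all? (Rule content still needs a manual review.)
$srp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
$appLockerRules = 0
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy) {
        $appLockerRules = [int](($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum)
    }
}
Add-Finding 'Application control in force' (($null -ne $srp) -or ($appLockerRules -gt 0)) "SRP key present: $($null -ne $srp); AppLocker rules: $appLockerRules"

$Findings | Format-Table -AutoSize
```

Whether the backups themselves are kept disconnected from the network cannot be verified from the protected machine, so that item remains a physical and procedural check.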
Any questions?