Law Firm Cybersecurity: Practical Tips for Protecting Your Data

Post on 11-Aug-2015
  2. In February 2013, the FBI gave a keynote presentation on law firm security threats at LegalTech New York. In an article from Law Technology News, the special agent in charge of the FBI's cyber operations in New York City is quoted as stating: "We have hundreds of law firms that we see increasingly being targeted by hackers. We all understand that the cyber threat is our next great challenge. Cyber intrusions are all over the place, they're dangerous, and they're much more sophisticated than they were just a few years ago."
  4. REASONS LAW FIRMS REPRESENT A CYBER TARGET: Many firms regularly maintain a tremendous amount of highly confidential information, and information is the currency that cyber criminals trade in. You may not be the primary target. Many attacks are of the command-and-control variety, where the objective is to use your environment as a beachhead for a secondary attack. Cyber criminals may be targeting YOUR CLIENT or ANOTHER FIRM and realize that you represent the means to get past their existing infrastructure. As an industry, we make for a very easy target.
  5. The measures in place at many firms are very far behind those in other industries. But it's not just about spending money. The Goldman Sachs data breach resulted in the disclosure of 70+ million user accounts and over 7 million business accounts, and Goldman Sachs spends over $250 million A YEAR on cyber defense. It's about the focus security gets all the way down to the end users. End users are the single weakest point in any network.
  7. PHISHING / SOCIAL ENGINEERING ATTACKS: For two straight years, more than two thirds of cyber espionage has featured phishing as its primary means of attack. According to the Verizon 2015 DBIR, in 2014 users opened approximately 23% of inbound phishing messages and 11% clicked on attachments. Historically, phishing has been the means to target individuals and not businesses. This, however, is also changing dramatically. Enter The Dyre Wolf. This is a new campaign that utilizes the now popular Dyre, or Dyreza, malware to directly target corporate banking accounts. This phishing and malware campaign leverages spear phishing, malware (initial infection via Upatre), social engineering, complex process injections, the Deep Web and even Distributed Denial of Service (DDoS) sprees to complete an attack. Dyre Wolf is a perfect example of how most defenses are still only as safe as the weakest employee.
  8. THE DYRE WOLF ATTACK: Not your typical malware campaign. Each attack cost companies $500,000 - $1.5 million. Uses targeted spear phishing emails, malware and social engineering.
  9.-14. THE DYRE WOLF ATTACK (image slides; photo credit: IBM, 2015)
  16. Dyre Wolf is a perfect example of how most defenses are still only as safe as the weakest employee. Defending against phishing attacks is largely centered on knowledge and training of the weakest link in your system: end users.
  17. ACCIDENTS (AGAIN, USERS): Accidental disclosure of confidential information is a substantial cause of data breaches, with over 60% being initiated by system administrators. Read "Biggest Cyber Security Threat to Law Firms is Not What You Think". Types of accidents often break down into 3 primary categories:
    1) Doh!: ever sent an email to a client and, about .0009 seconds after hitting the send button, realized you've sent information to the wrong recipient? The DBIR reports this as being the single largest exposure point for data.
    2) My Bad!: According to the same DBIR reports, about 17% of breaches / disclosures are the result of users publishing nonpublic data to public servers. Sensitive client data does not belong on the Google!
    3) Oops!: The last bucket of end user snafus is the insecure disposal of personal and medical data.
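
The "Doh!" category above is the one a technical control can catch before the send button does its damage. The script below is an added example, not code from the deck or its author: a pre-send recipient check that compares every recipient's domain against the domains approved for a client matter plus the firm's own domain, and reports near-misses (one or two characters off an approved domain) as likely typos. The firm domain, matter list and addresses are constructed placeholders.

```python
"""Pre-send recipient check for client email: every recipient domain must be on the
matter's approved list or the firm's own domain; near-misses are reported as likely
typos. Constructed example, not code from the deck."""

FIRM_DOMAIN = "lawfirm.example"  # assumed firm domain (placeholder)

# Constructed: external domains approved for each matter (client, co-counsel, experts).
MATTER_DOMAINS = {
    "M-1001": {"acme-client.example", "outsidecounsel.example"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Part after the last '@', normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_recipients(matter_id, recipients, typo_distance=2):
    """Map each address to 'ok', 'typo:<approved domain>' or 'unapproved'."""
    approved = MATTER_DOMAINS.get(matter_id, set()) | {FIRM_DOMAIN}
    verdicts = {}
    for addr in recipients:
        dom = domain_of(addr)
        if dom in approved:
            verdicts[addr] = "ok"
            continue
        # nearest approved domain by edit distance; a small distance smells like a typo
        dist, nearest = min((edit_distance(dom, d), d) for d in approved)
        verdicts[addr] = f"typo:{nearest}" if dist <= typo_distance else "unapproved"
    return verdicts


def hold_for_review(verdicts) -> bool:
    """True when anything other than an approved domain is on the recipient list."""
    return any(v != "ok" for v in verdicts.values())


if __name__ == "__main__":
    draft = ["jane@acme-client.example", "jane@acme-cilent.example",
             "partner@lawfirm.example", "bob@gmail.example"]
    result = classify_recipients("M-1001", draft)
    for addr, verdict in result.items():
        print(f"{addr:28} {verdict}")
    print("hold for review:", hold_for_review(result))
```

The typo threshold is deliberately small: a distance of two catches transposed letters and a dropped character without matching unrelated domains, and anything that fails the check is held for a human to confirm rather than silently blocked.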
  18. VULNERABILITIES (WE DON'T NEED NO STINKIN' PATCHES): CVEs, or Common Vulnerabilities and Exposures, is a worldwide list of known system vulnerabilities that is published to any and all who want to use it. Most companies performing vulnerability scans leverage this list to test a network for known weaknesses. Software and OS updates leverage this list to build fixes to vulnerabilities as fast as they are identified. Which brings up an interesting point: the vast majority of breaches in 2014 were initiated through known CVEs that were at least a year old. AT LEAST A YEAR OLD! 97% of the known exploits were created with 10 CVEs. ONLY 10! But before you ask, the remaining exploits were created with 7 MILLION CVEs. So you cannot simply look for the top 10 and call it a day.
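
The "at least a year old" point is measurable. The script below is an added example, not code from the deck or its author: it joins a software inventory against an advisory feed, lists every advisory a host has not patched, and marks the ones whose fix has been available for more than a year as the patch-first set. The advisory ids, products, versions and host names are constructed placeholders (the CVE-EXAMPLE ids are not real CVE numbers).

```python
"""Patch-age report: which hosts still run software affected by advisories whose fix
has been available for more than a year? Constructed example, not code from the deck."""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'3.2.1' -> (3, 2, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str           # placeholder ids below, not real CVE numbers
    product: str
    fixed_version: tuple  # first version that contains the fix
    published: date


# Constructed advisory feed (stand-in for a CVE/NVD export).
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "docviewer", parse_version("3.2.1"), date(2013, 5, 14)),
    Advisory("CVE-EXAMPLE-0002", "docviewer", parse_version("3.4.0"), date(2014, 9, 2)),
    Advisory("CVE-EXAMPLE-0003", "mailclient", parse_version("7.0.5"), date(2014, 11, 20)),
]

# Constructed software inventory: host -> {product: installed version}.
INVENTORY = {
    "dm-laptop-01": {"docviewer": "3.1.0", "mailclient": "7.0.5"},
    "partner-desk-03": {"docviewer": "3.3.2", "mailclient": "6.9.0"},
    "file-server": {"docviewer": "3.4.0"},
}


def exposures(inventory, advisories, today_iso, stale_after_days=365):
    """Return (host, cve_id, age_in_days, is_stale) for every advisory a host has
    not patched. 'Stale' means the fix has been out longer than the threshold,
    the bucket the deck says most 2014 breaches fell into."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv.product)
            if installed is None:
                continue  # product not present on this host
            if parse_version(installed) < adv.fixed_version:
                age = (today - adv.published).days
                rows.append((host, adv.cve_id, age, age >= stale_after_days))
    return rows


def stale_hosts(rows):
    """Hosts carrying at least one stale exposure: the patch-first list."""
    return sorted({host for host, _, _, stale in rows if stale})


if __name__ == "__main__":
    report = exposures(INVENTORY, ADVISORIES, "2015-08-11")
    for host, cve, age, stale in report:
        print(f"{host:16} {cve:18} {age:4d} days {'STALE' if stale else ''}")
    print("patch first:", stale_hosts(report))
```

Run against a real inventory, the same join answers the deck's question directly: the stale rows are the ones that would have been found by a scanner a year ago, and every row, not only those from a "top 10", is in scope.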
  19. THE LONG CON: Ransomware has traditionally acted as a zero-day attack; however, those same criminals are finding that a long, slow attack can yield even higher returns. The next phase of ransomware will likely sit in an environment for months before initiating action. Possible scenarios now include server-side attacks that can encrypt data moving to and from the server until the criminal feels they have a sufficient amount of data encrypted. They simply hold you and your data hostage in return for payment. No payment means they remove the encryption key and none of your systems will work until you do.
  20. THE INTERNET OF THINGS & BYOD (IT'S ONLY GOING TO GET MORE DIFFICULT): A dramatic increase in the number of internet-connected devices could lead to accidental exposure of confidential information. Target proved this in spades. As you look at your environment from a security perspective, have you considered everything? Traditional unmonitored vectors include fax machines and printers, but have you checked that new TV in the conference room? What about that new iWatch?
  22. GETTING IN FRONT OF THE PROBLEM: First things first: the firm, its partners and directors all must agree that security is a priority. It needs to be a priority from the top down if the end users are to adjust their daily behavior to match the security policies of the firm. The senior-most people in any organization are typically the least likely to be willing to adjust their behavior! Any investments needed to properly build and maintain a security plan will require the people at the top to spend out of their own pocket. Security must be a permanent part of the business plan.
  23. STEP 1: PUT SOMEONE IN CHARGE OF CYBERSECURITY: Many organizations set a course for failure almost from the start by not establishing responsibility for one person or a team of people to manage this process. That person or team must also be responsible for moving the firm from compliance to security. These two are not the same thing. Even an ISO 27001 certified firm may not be secure; they simply have the policies and procedures in place for an effective security program.
  24. STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE: Every firm should employ some form of written security plan. There are 4 core controls within a proper plan: Physical, Policy, Detective and Corrective. Key elements for a law firm security plan include:
    Identification - Identify the data your firm maintains, establish its location and identify which information is most sensitive and in need of monitoring.
    Encryption - Whether at rest or in transit, data should always be encrypted.
    Remote Access / Authentication - What information will you allow access to from outside the building?
    Password Policies - Will you be willing and able to implement a complex password policy that changes every 90 days?
    Social Media Policy - Use at work? Can you use the same login for Facebook as you do for your company PC?
  25. STEP 2: HAVE SOMETHING FOR THEM TO ENFORCE (CONT.): Key elements for a law firm security plan (cont.):
    Physical Security - Are you planning to restrict building access? Can you track when people come and go? Are there cameras to track access to critical information?
    Vendor Security - No one likes to do it, but auditing your 3rd-party vendors can be a critical piece of your security plan.
    Breach Response Planning - Each plan should contain critical pieces such as client notification plans, a plan for notifying authorities, documentation plans, and overall decision-making ability.
  26. STEP 3: CREATE & MAINTAIN A PROPER DEFENSE / MONITORING ENVIRONMENT:
    Firewall with IDS or IPS - A firewall with intrusion detection (IDS) or intrusion prevention (IPS) is recommended for maximum protection against malicious traffic.
    Spam Filter - The majority of viruses that get into networks come from email phishing attempts.
    Patching - The greatest source of vulnerability comes from using software and applications that are not properly patched (i.e. they lack the latest updates).
    Mobile Device Management - Allows you to manage, secure and monitor your firm's mobile devices in real time.
    Encryption - Any device that can store sensitive information (i.e. phones, laptops, tablets) and is built to leave the building should be encrypted.
    White Listing Systems - For advanced defensive environments. This system keeps anything that you do not designate from being installed anywhere on your network.
    Logging Systems - Understanding where your data resides AND being able to establish patterns of user traffic can go a long way to knowing when something has gone wrong and you've been breac
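
The "Logging Systems" point, establishing patterns of user traffic so that a deviation stands out, is concrete enough to show in code. The script below is an added example, not code from the deck or its author: it learns each user's normal login hours and source /24 subnets from a constructed batch of past successful logins, then checks a later batch for logins from an unseen subnet, logins well outside the user's usual hours, and bursts of failed logins. The log format, user names and addresses are constructed placeholders; a real deployment would parse its own authentication log.

```python
"""Login-log baseline and anomaly check: learn each user's normal hours and source
subnets from past successful logins, then flag later events that break the pattern
or show a burst of failures. Constructed example, not code from the deck."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format, one event per line (placeholder, not a real product's format).
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>[\d.]+) result=(?P<result>\w+)$")

BASELINE_LOG = """\
2015-08-03T09:12:41 user=dmiller src=10.20.1.15 result=success
2015-08-03T17:45:02 user=dmiller src=10.20.1.15 result=success
2015-08-04T08:58:10 user=dmiller src=10.20.1.22 result=success
2015-08-04T10:03:33 user=jchen src=10.20.2.40 result=success
2015-08-05T14:21:07 user=jchen src=10.20.2.41 result=success
"""

NEW_LOG = """\
2015-08-10T09:05:00 user=dmiller src=10.20.1.15 result=success
2015-08-11T02:47:19 user=dmiller src=203.0.113.77 result=success
2015-08-11T11:02:05 user=jchen src=10.20.2.40 result=failure
2015-08-11T11:02:09 user=jchen src=10.20.2.40 result=failure
2015-08-11T11:02:14 user=jchen src=10.20.2.40 result=failure
2015-08-11T11:02:20 user=jchen src=10.20.2.40 result=success
"""


def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def subnet(ip):
    """First three octets, i.e. the /24 the login came from."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Per user: the hours of day and /24 subnets seen on successful logins."""
    base = defaultdict(lambda: {"hours": set(), "subnets": set()})
    for e in events:
        if e["result"] == "success":
            base[e["user"]]["hours"].add(e["ts"].hour)
            base[e["user"]]["subnets"].add(subnet(e["src"]))
    return base


def find_anomalies(baseline, events, fail_threshold=3, window_seconds=60):
    """Return (user, reason) pairs in event order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] != "success":
            # keep only failures inside the sliding window, then count them
            failures[user] = [t for t in failures[user]
                              if (ts - t).total_seconds() <= window_seconds]
            failures[user].append(ts)
            if len(failures[user]) >= fail_threshold:
                alerts.append((user, "failure burst"))
                failures[user].clear()
            continue
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no baseline"))
            continue
        net = subnet(e["src"])
        if net not in b["subnets"]:
            alerts.append((user, f"new subnet {net}"))
        # allow one hour either side of the observed range (simplification: no wrap past midnight)
        lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1
        if not lo <= ts.hour <= hi:
            alerts.append((user, f"unusual hour {ts.hour}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for user, reason in find_anomalies(baseline, parse(NEW_LOG)):
        print(f"{user:10} {reason}")
```

The baseline here is a few days of events for clarity; in practice it would be weeks, and the alerts would be routed to whoever was put in charge in Step 1 rather than left in a log nobody reads.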

