The Anatomy of Successful Cyber Attacks

By Joseph Raczynski

Preparation for cyberattacks on your network requires a fundamental understanding of the complete picture of who has launched the assault.  Steve Surdu of Surdu Consulting, LLP gave the keynote address at ILTA LegalSEC Summit 2015 in Baltimore, MD describing “The Anatomy of Successful Cyber Attacks.”

Steve outlined four attacker or threat profile group types; Hacktivists, Criminals, Terrorists, and Nation States.  In the matrix below I break out each section he reviewed into a column view to better understand the who, why, where, motivations, advantages, limitations, and impacts for each group.  I removed the Terrorist group as they tend not to pose a threat to law firms.

In summary the table offers an insight into the full anatomy of the threat for law firms.  To mitigate the aforementioned threats, he outlined five key strategies:

  • Awareness: An absolute must is providing education of all parties surrounding the law firm. This includes teaching employees, management, suppliers, and even your clients on the threats that exist, the tactics of the hackers, and the various outcomes from unsafe computing.
  • Visibility: Never assume that you will know everything that is happening on your network. Keep an inventory of assets, logs and all alerts which when gathered together creates actionable intelligence.
  • Focus: Law firms must think how the hackers attack, so avoid misplaced faith in compliance alone.
  • Operational Expediency: Firms should make reasonable operational and security trade-offs. That is, do not spend all of your time on areas with little benefit, like patches for little used systems.  Prioritize on the biggest impact items first.
  • Priorities: The most valuable time spent on cybersecurity is spent on people and process over technology.

Wrapping up his discussion, he touched on cybersecurity in three areas pertinent to law firms; mobile, Cloud, and eDiscovery.

Mobile Technology:

At this juncture, mobile devices do not pose a significant attack vector for large law firms.  The real risk is one-offs including physical loss of the device, or exposure to data stored on the unit.  Firms should remain vigilant by using encryption, password protection, and provide remote wiping on demand.  Lastly he mentioned that Android remains a target.

Cloud:

The Cloud is intriguing from a security perspective.  It provides familiar components to on-prem issues, but is outsourced.  What that means is that the same predicaments arise but since a different operator is in the equation, it can be more complex.  Surdu recommends to counter this threat by vetting your Cloud vendor carefully to manage your risk.

eDiscovery:

Similar to the Cloud, eDiscovery invokes the same issues that it does externally as it would internally.  When you use hosted services those services have to be vetted for controlled access, general integrity, encryption were necessary and to assure that privacy laws are being followed.  He recommends that firms use familiar and consistent platforms when possible.

In his parting thoughts, he focused on several salient points.  While difficult, attempt to retain key players for your firm security.  A revolving door in the Information Security department is ripe for attacks.  Create a process to track key information and assets.  By having these procedures in place the firm will know the who, what, where and when of deflecting cyber-attacks.  Work to cultivate and maintain senior management to establish a sense of normalcy.  Often hackers go after newer management because they are less likely to know systems and process.  He also stressed that your best adversaries understand that details matter.  “You should focus on the little things, because if you cannot get that right you will not get the bigger things.”  Lastly he ended with a push for firms to concentrate on finishing security projects because that is much more important than simply starting them.

Law Firm Security Architecture 101

By Joseph Raczynski

In a granular overview of the appropriate security procedures a law firm should have in place, Douglas Brush, Director ISG, Kraft Kennedy; Brad Bragg, CIO Womble Carlyle; Scott Rolf, CIO, Tucker Ellis, LLP; and Tim Golden, Manager, Enterprise Architecture & IT Governance, McGuireWoods; discussed “Security Architecture 101” at the ILTA LegalSEC Summit 2015 in Baltimore, MD.

Looking at the foundation level of security, the triumvirate used a security bench marking technical guide to offer an overview of the top 20 critical security controls.  The SANS Top 20, renamed the CIS Top 20 establishes specifics that companies should follow to maintain the highest level of security around their systems.

The emphasis surrounding these controls focus on the classic trifecta in a firm; people, process and technology.  The details of the twenty security controls are very specific and so I have bulleted the primary points for each below.

CIS Top 20: Critical Security Controls and Firm Preparation:

#1 Inventory of Authorized and Unauthorized Devices

  • Know where all of your hardware is located
  • Assign responsibility to each group: Servers, computers, mobile devices
  • Control your release management: If you have a new piece of hardware inventory it and place controls on it when it is brought into service

#2 Inventory of Authorized and Unauthorized Software

  • This is much more difficult to control than #1
  • Each group within the firm is unique and creates challenges – think expectations of the partner vs. admin assistant
  • Forbid users from loading their own software
  • Use the technology Microsoft has in place to prevent unauthorized installations – think of those annoying but helpful popup warnings
  • Develop a life-cycle for your software up front and retire older software

#3 Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers

  • Test your “gold images” to make sure that all flaws are identified and the image is stable and secure
  • Use virtualization now!
  • Implement auto patching
  • Keep all logs for each image you have created

#4 Continuous Vulnerability Assessment & Remediation

  • Not every patch update is critical – stack rank which actually needs to be implemented
  • Sometimes outside organizations need to patch their third party software
  • Track time on what is being done for the firm management updates

#5 Malware Defense

  • Utilize common industry standard tools like FireEye
  • Web Sensors: break-the-link services are an excellent way to keep users from hitting corrupt sites, because these services visit the site before the page loads

#6 Application Software Security

  • Train your coders to use secure code
  • If you use outside developers vet them with background checks
  • Use common requirements
  • Mobile apps need to be encrypted – each piece can touch several parts of the mobile device, be mindful of that impact

#7 Wireless Device Control

  • Firms still do not lock down the WiFi (Major doors are open when access is available from the parking lot across the street.)

#8 Data Recovery Capability

  • Backup, backup, backup – include logs
  • If you are still using tapes – use encryption

#9 Security Skills Assessment & Appropriate Training to Fill Gaps

  • Make sure you have the right trainers – look inside your organization at firm training.  They know how to teach best.
  • Goal is to improve performance
  • Look at getting CLEs to incentivize the user base
  • Use metrics – where are they now verses before

#10 Secure Configuration for Network Devices such as Firewalls, Routers, and Switches

  • Document so that you can see what has been opened (a port) and then go back and close it when a task or client use is complete
  • Use Outlook calendar as a reminder for what was opened for a client
  • Look into two factor authentication
  • Use password vaults

#11 Limitation and Control of Network Ports, Protocols, & Services

  • Keep logs on who is doing what over which port and services

#12 Controlled Use of Administrative Privileges

  • Get people out of the pattern of logging in as an Admin all the time
  • Users should only be an Admin when doing a specific task needed with those privileges

#13 Boundary Defense

  • Identity is the new perimeter – create access via user access rights
  • Be mindful of the cloud in the space. The more you rely on the cloud, the more access users can gain

#14 Maintenance, Monitoring & Analysis of Audit Logs

  • Take snap shots of normal traffic
  • Look for the anomalies
  • Keep vigilant

#15 Controlled Access Based on Need to Know

  • Try to “close” access to the DMS – verses open DMS – creates more security on that platform
  • Suggestion: Move email into the DMS – this is controversial at law firms
  • Delete stuff that does not need to be there
  • Two factor authentication – should be used where possible
  • Ethical walls – need to be established
  • Activity trackers – help admins to see who is doing what and why

#16 Account Monitoring and Control

  • Create documentation, auditing and a ticketing process
  • Create good password policies
  • Look at not only unsuccessful logins but successful logins as someone from China could be logging in successfully every time – but you do not have someone working from there

#17 Data Protection

  • Use complex passwords – but teach users how to do – use new tools available
  • Help your firm use encryption – many options such as WinZip, BitLocker, etc.
  • Push for secure Cloud drives if they are done correctly they are better than a thumb drive

#18 Incident Response and Management

  • This is a living document that walks people through what needs to be done and when
  • Define what an incident is at the firm
  • Classify an event as an incident and what level of threat is poses

#19 Secure Network Engineering

  • Isolate user locations so that you can separate people, hardware and software. If you have everything in one bucket, when one goes awry the whole thing goes awry
  • Create a firewall rule that is ready so critical services can stay up if everything else goes down
  • In your server room, color code your network cables for ease of fixing

#20 Penetration Testing and Red Team Exercises

  • You should have firm technology people that can do penetration testing
  • Make sure they test using Social Engineering
  • Have rotating outside vendors perform this testing so that you always have different looks at your systems

 

Keeping It Secure – Internet in a Bubble

By Joseph Raczynski

Absolutely! Feel free to use YouTube, Twitter, Facebook and Gmail for business purposes at Kelley Drye.  As many firms struggle with internal access to these services for their employees, Kelley Drye has figured out how to satisfy employees and firm management by establishing a secure secondary path to the Internet in a bubble which they call Wild West Internet.

This inventive access was discussed at the “Keeping It Secure – Internet in a Bubble” session at the ILTA LegalSEC Summit 2015.  Judi Flournoy, CIO at Kelley Drye described the evolution of how they reached the Wild West Internet.   In part, the genesis was an outgrowth of a 300 part questionnaire request from a financial institution client.  With the significant restrictions the financial institutions placed on access they were forced to change their Web access policy.  The first iterations proved extremely draconian.  No access to personal email or social media was permitted. This met with incredible backlash from the staff.  In fact, there were attorneys in tears of frustration and anger, expressing feelings of disconnect from the outside world.  Peeling back the policy, the revised policy instituted individual access to those cleared by Human Resources on a one off approval basis.  Soon thereafter, throngs were making this request which became problematic.

Ultimately the solution and final policy decision involved creating a separate browser experience for users when they accessed YouTube, Twitter, Facebook and Gmail for business purposes.  With the assistance of Lisa Stone and Thomas Moreo from Cornerstone Information Technologies, they built a perimeter network which sat within their larger network but behind an additional firewall.  Thus they were able to safeguard all of their primary systems and establish a walled garden where people could access those services.  There were multiple safeguards put into place including that fact users could not print, download or cut and paste back into the primary network.  Users agree to these in principle and understand the limitations, but both those users and the firm found this to be a perfect halfway point.

For more granularity on instituting this please see the following:

  • They used an ASA Next Gen internal firewall creating an outer perimeter – DMZ
  • Citrix ZenApp
  • Read only domain controller with shares for profiles
  • MacAfee with all of the blocks associated for pornography and gaming sites
  • Blocked: printing, downloads and the ability to cut and paste back to the firm environment
  • Loaded MS Office in the environment so people could still read Word/Excel

The World of Advanced Endpoint Security

By Joseph Raczynski

Surprisingly the vendors in cybersecurity differ on their approaches to protecting your law firm. At the ILTA LegalSEC Summit 2015 in Baltimore, MD they had a panel discussion on how each vendor tackles the ever bounding threats.  For background when this post refers to endpoint security I am describing securing the user at the device level; i.e. the mobile phone or individual’s computer.

Gal Badishi of Palo Alto Networks started off his analysis with ominous statistics.  On average a firm does not recognize that they have been breached for 225 days after the initial strike.  In addition, of those attacks, 84% are found by third parties.  His primary theme throughout the conversation to counter these attacks was the proper implementation of a “Next Generation Firewall.”  This is defined on Wikipedia as “an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).” (Wiki, 6/14/2015)

Keith Palumbo of Cylance fascinated the audience with a unique and futuristic tact to cybersecurity for law firms.  They use a form of Artificial Intelligence to uncover and deflect penetration from malicious intruders.  In fact Keith described the use of mathematical endpoint solutions including algorithms to help predict what types of “ones and zeros” will be malicious based on like or similar files.  Their equations employ similar processes financial institutions have devised for rapid electronic trading.  The cutting edge autonomous driving cars also operate under similar algorithms.  What fosters this is the utilization of extremely efficient computers and their prowess in mathematical processing.  In essence, Cylance collects samples of viruses, extracts common features in the code then transforms that code into feasible branch code.  At this stage the software vectorizes the viruses to then train the system on what might arrive at the firm’s door.  Finally it classifies the virus and clusters it into a defined grouping for future learning.

The third speaker, Harry Sverdlove of Bit9 begin his discussion with the statement that, “antivirus protection is almost pointless.”  He noted that what firms have been employing for the last 20 years with virus detection through updates is dead.  With the number of virus on the Internet, there is no feasible way to scan, collect, submit and maintain a log of the rapidly changing viruses.

Harry suggested that each firm start from the assumption they are or will be breached.  He painted an example of a house that a thief gains access to daily.  If you think about it in this sense, prevention of that thief from entering is no longer enough.  Firms must invest in detection and response.  Most firms do not have systems that seek out real-time detection mechanisms.  This lends itself to much longer periods of time that the thief remains inside the firm’s firewall.  If the initial firewall breach was not detected by the firm, that intruder could remain inside for significant periods of time.

Ultimately the three panelist concluded that a three pronged approach to endpoint security was necessary; prevention techniques, detection once the breech has occurred, and lastly creating a documented response using various tools and processes.  Whatever solution, they all suggested turning your firm data (logs, user profiles, patterns of access) into intelligence.  If you set precedents for how people access your network, you can identify the variance and seize the thief.

Citation:

Wikipedia, Next-Generation Firewall, 6/14/2015, https://en.wikipedia.org/wiki/Next-Generation_Firewall