Law Firm and Corporate Cybersecruity Presentation – UMB

By Joseph Raczynski

Recorded at the University of Maryland, Baltimore during the “Cybersecruity and You” morning session. Discussed is the current landscape of cybersecurity at law firms and corporations, the primary issues these organizations are finding and general awareness of what is happening.

LegalSEC: Email Security is Priority One for Law Firms

By Joseph Raczynski

BALTIMORE, Md. — “Three strikes and you are out of the firm.” This is the mantra of one law firm when dealing with employees who click on spear-phishing emails, according to Mounil Patel, Strategic Technology Consultant at Mimecast, an email and cloud security firm.

Patel’s comments came at the recent gathering of legal tech and cybersecurity officials, the LegalSEC Summit, presented last week by the International Legal Technology Association (ILTA) in Baltimore.

Simply stated, email is currently the largest hole in law firm and corporate security. Most other aspects of the firm have been shored up over the last several years, including firewall and antivirus protection, malware defenses, and monitoring of networks. However, as Patel pointed out, a law firm can have every monitoring and protection application in place, but email’s reliance on the human decision factor creates major headaches for the firm’s IT staff.

emailTo illustrate, Patel described one incident where he received an email from someone with whom he had worked years ago at a previous company. The email was directed to him and clearly appeared to be from his old colleague’s email address. The cordial note brought up some of their old connections at the previous company and then asked if he would kindly review the attached resume to see if there might be a fit for him at his new company. Patel naturally opened the PDF and the virus payload was released. The point is, with today’s more sophisticated email attacks, there is almost no way for people to know what are genuine correspondences from friends or colleagues and what is a “virus bomb”.

Patel’s advice:

  • Be suspicious of everything that comes into your inbox especially from the outside;
  • .EXEs and .ZIPs files should always be blocked or deleted;
  • PDFs can be difficult — be sure to run the latest patches from Adobe (creator of PDFs);
  • Be aware of where links and URLs are taking you;
  • Law firm or company IT departments should send weekly notes to remind people to be cautious; and
  • For finance, use internal non-email based systems for wire transfers and notifications.

 

It is interesting to note that many law firms and corporations are internally testing their own employees with such targeted spear-phishing attacks similar to the one Patel received. A client of Patel’s ran one such email security campaign and when an attorney was caught opening the attached files or following the links, that person immediately received a pre-recorded message via voicemail from the entire executive partnership that such behavior was unacceptable.

The message went on to state if they were caught twice more they would be terminated — three strikes and they were out.

One best practice noted by one chief information officer at the Summit was that before you start your phishing campaign, let the firm know you are conducting this. She found that attorneys began sending IT suspicious emails proactively. In addition, reaffirm those who do not click the phishing emails, by not noting that they are doing good work.

Email will continue to dog corporations and law firms for the foreseeable future. Ultimately it comes down to humans making decision on what to open and click on. At this point in time, a well-crafted targeted email attack appeals to most people, unfortunately. (In fact, the likelihood of an executive clicking on one of these attacks is at a stunning 96%, according to McAfee.)

So, heeding some of Patel’s advice could save your organization the pains of another attack launched via email.

LegalSEC: Shedding Light on the Dark Net 

By Joseph Raczynski

The importance of law firms understanding the dark web

Your very sensitive private client data could be available for all to see on the Internet right now.  Technically this data would be on the Dark Net or Dark Web.  It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers.  As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now.  At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster CEO of Winvale, Todd Nielson, President at ‎Secuvant Cyber Security, and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.

The Dark Web, born from a United States government program had positive intent from the onset.  It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely.  North Koreans and Iranians use this to congregate and postulate new ways to live.  They could then visit this space in the ether and share ideas freely without the fear that they would be persecuted for espousing ideas incongruous with their government point of view.

How to get there:

The following is not advised, but is here as an awareness of how people access the Dark Web.

Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization which turns your normal browser into a Tor Onion enabled browser.  What that means is that the plugin creates a tunneled Internet to a minimum of 100 other locations around the world.  You are essentially establishing a proxy connection to other computers who are running the same Tor software.  This establishes a very strong sense of anonymity and security that no one knows who you are or where you live (IP address).   If I live in Washington, DC after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.

darkweb

Once the application is launched you would need to find an index page, like the Hidden Wiki, which gives users a general launching off point for perusing the Dark Web websites.  It is not a pure search and find environment like Google, though some sites are indexed.  Sites are not set up with URL structure like we have on the Open Web, http://www.thomsonreuters.com.  In fact they appear to be hashed with letters and numbers in a random pattern.  They also end in an .onion compared to the normal .com that we tend to see.  So an example address might be: ijfije856ya5lo.onion.

Once there:

Unfortunately, once a user passes into this realm, there is a minefield awaiting.  The Wiki page starts with the benign and dives headlong into the frightening and disturbing.  You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice.  The cryptocurrency Bitcoin is also generally considered anonymous.   Other possibilities include, hiring a hacker, buying prescription drugs, and buying illegal drugs, and acquiring arms or if you so desired, get involved in unregulated medical trials.  On the darker side, you can even hire a hit man.

Law Firm Perspective on Dark Web:

The key important piece to this post is that law firms are now being brought into the dark side.  Criminals are stealing IP information, M&A information and dropping off onto the Dark Web.  Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm, or to hold at ransom.  Hackers for hire have been used to target corporations and law firms.

One of the subjects that was asked of the panel, how should firms handle the Dark Web?   In my time consulting around this subject, I was curious about the response.  The group was split.  Some thought that companies should not use their own networks to access the environment, others stated that in a controlled access situation, they could monitor what is going on the Dark Web to protect their brand.  In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening.  Law firms and corporations should be looking for client names, login and passwords, email address of their respective company.

With the increase in cyber-attacks, all entities have to be aware of how the hackers operate.  Understanding the Dark Web in the context of this is part of the due diligence for any corporation or law firm today.  Fortunately a new wave of companies are surfacing which can monitor the Dark Net on behalf of your organization.

LegalSEC: Cybersecurity, Rooted in 500 Years of History

By Joseph Raczynski

Learning from colonial piracy about the war on cybersecurity 

“It is a small world.  It’s a fragile world.  No one is safe until everyone is safe.”  These are the cautionary words of Rod Beckstrom of The Rod Beckstrom Group, the keynote speaker at the cybersecurity LegalSEC Summit last week in Baltimore.  With over 350 legal technology professionals leaning into his every word, he set the stage for where cybersecurity is headed with an advisory tale from history now repeating itself on the Internet.  His intent, to arm the guardians overseeing 80-90% of the country’s IP information all sitting in the same room at that moment in time.

History of Pirates

In 1491, the “Erdapfel” of Martin Beheim was created.  It is the oldest surviving terrestrial globe – excluding the Americas.  This sphere was cutting edge technology of the day.  Like any technology its uses can be for the betterment of humanity or its decline.  Not surprisingly, around the release of the globe, piracy began to flourish.  Seafaring scoundrels viewed the world anew with this technology and seized upon its bounty.

These salty scofflaws took four unique forms in their day.  One group of pirates were sponsored by the Dutch, Spanish, and British empires respectively.  Another group realized they could band together using their private ships to attack on the high seas for gems and precious metals.  The third formed a coalition around pirating for a cause.  The last group were one-off ships that would attack others for jewels or money.  These four pirating entities have a present day adaptation.  They translate to State Actors (e.g. China, Iran, North Korea), Organized Crime (e.g. in Russia or Estonia), Hacktivist (e.g. Anonymous) and Lone Hackers (e.g. anyone and everyone).  One new addition, in the Cyber Age there is also the internal threat to organizations known as “Insider Joe” attacks which are very prevalent.

keynote

Present and Future

As Beckstrom described in this presentation, the wars over the years require time for forces to align.  During the Nuclear era, once the major powers acquired these arms, everyone realized it was in the best interest of each country not to use them, i.e. mutually assured destruction.  This is ongoing right now with Cyberwar.  He said that China or Russia could hobble the infrastructure of the United States tomorrow, but they realize that if they did that, the US would do the same to them, therefore no one conducts this sort of cyber-attack.

Law firms are not a sovereign territory so all aforementioned groups are threats and in turn are seeking them out.  These groups have tools which are sold on the Dark Web as out of the box solutions and can wreak havoc for firms in very little time.  In the graphic below Beckstrom outlines an ecosystem where various parties work together but in isolation to earn money or take down a company.  The scripts are created by people and sold to criminals.  While another sets of criminals have harvested millions of credentials.  In conjunction the Criminal Operator uses both to target a law firm or corporation.  Those proceeds or goods are then routed through Mules.  These are everyday people who simply accept packages and send them along to someone else which keeps the money flowing. In most of the law firm attacks, mules are not used, instead data is either released or held at random by the Criminal Operator.

rod1

The only way to combat this said Beckstrom will be a new world of robots fighting robots (computer bots), which is now occurring.  This next era defense is sifting through huge amounts of data and applying cognitive computing and artificial intelligence with a layer of deep learning on top.  In this light he underscored the importance of preparedness.  One of the world’s largest banks, JPMorgan, has decided to pledge a half billion dollars toward the fight on cybersecurity.

Beckstrom closed with the warning to each firm CIO that the time is now to invest heavily in cybersecurity.  Every one of the attacker profiles mentioned are attempting to break in and get access to law firm and corporate information.  Prepare now because time is short – we are not safe until everyone is safe – by taking the responsibility to invest.

State of the Cloud at Law Firms: The Interstitial Phase of Law Firm Cloud Philosophy

By Joseph Raczynski

The word “Cloud” can be a divisive word at law firms. Recently uttering the term during technology meetings with East Coast-based law firms with between 50 and 3,000 attorneys elicited starkly differing responses based on firm size and practice dominance.

Most of the midsized firms with whom I have met over the last year were favorable toward its use in most cases. One CIO declared it was firm negligence not to use the Cloud for data. He cited the inability for most firms to retain the expertise necessary to safeguard data inside the firm. Typically, larger law firms with clients in the financial industry explicitly forbid embracing such services outside of their network. Indeed, these clients underline this conservative firm posture by pushing for responses to 300-part questionnaires about how the law firm handles their data and outlining privacy and security practices related to the Cloud.

Despite this push from the financial industry, I would argue that we are in an interstitial period of Cloud adoption at law firms. In the not too distant future, I believe that many of the firms today which avoid or disallow its use will accept it. Law firms are risk-adverse institutions. While Cloud technology may appear laden with hazard, it might actually be the opposite. Initially when the Cloud — a rebranded name for a decades old concept — returned, early adopters encountered data breaches.

Years of security issues were thrust into the headlines, and those goaded reputable Cloud providers toward major investment around protecting their services. Now with far tighter rein of control, Cloud providers are much better positioned to court law firms of all sizes. Unless a firm has a solid technology budget and the ability to retain top-notch security experts, an argument could be made that housing data in a secure cloud would be more prudent than inside an internal firm network.

A recent New York Law Journal article by Ted Sabley on Does Adoption of Cloud Computing Shift Cyber Liability Risk? will give some readers pause for thought on greater adoption. Sabley mentions each of the largest Cloud providers have baked in new and surprising contract terms. They’ve shifted the liability in the End User License Agreements (EULA) to the customer. That is, if there is a breach of customer data hosted on the Cloud, the user bears the responsibility. This seems to be the case with Amazon Web Services (AWS), Google, Microsoft and Apple Cloud platforms.

Whether or not a customer shoulders the responsibility of a breach, the common practice for everyone dealing with Cloud providers should be the following:

  • Understand the Cloud contract. Who is responsible when a breach happens? What happens to the data if the Cloud provider company goes under or is acquired?
  • Realize which type of firm data is being placed into the Cloud. Is it loaded with Personally Identifiable Information (PII)? Is your client aware of where the data is being stored?
  • Purchase Cybersecurity Insurance. Years ago this was a fairly nebulous insurance process, however, now it seems to be much more defined. Seek out expertise with all of the various components and nuances in this arena.

Currently firms of all sizes find themselves in two camps when it comes to the Cloud. Midsized firms have generally flown into the Cloud, while big firms hover between land and air, in a bit of a fog-like state. With increasing pressures of expense and the challenges of retaining network and cybersecurity expertise, the future for law firms is undoubtedly in the clouds.

The Paralegal’s Role in the New World of Cybersecurity

Published: The Legal Intelligencer

Written: Victor Panieczko

Contributor: Joseph Raczynski

Cyberattacks have affected virtually every industry. These include, but are not limited to, health care, education, finance, energy, retail, hospitality and government. Most of us have seen or heard about the security breaches of Home Depot Inc., eBay Inc., Target Corp., Sony Pictures Entertainment, JPMorgan Chase, and the U.S. Office of Personnel Management. What is cybersecurity? The National Initiative for Cybersecurity Career and Studies (NICCS) defines cybersecurity as “the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.” Oxforddictionaries.com states that cybersecurity is “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” Finally, Webopedia.com characterizes cybersecurity as “the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks.”

Cybersecurity is by all accounts a growing challenge. Today, hackers are more advanced and better equipped. Their success mostly depends on finding a hole, or vulnerability, that goes unpatched or unnoticed by defenders. The more difficult a system is to infiltrate, the more time, energy and skill hackers must invest into cracking that system. More attacks are coming from highly skilled and sophisticated hacker groups, with their motivations varying from monetary gain to disruption and injury to their targets for any number of non-monetary reasons.

Virtually every cybersecurity expert and commentator agrees that the threats to cybersecurity are evolving and growing more worrisome. Risks associated with cybersecurity have escalated for many law firms, managing partners and corporate boards of directors. They are working and prioritizing cybersecurity to establish security awareness throughout the organizations and demonstrating cybersecurity as an enterprise priority. Lawyers and law firms handle highly sensitive and confidential client data and play a critical role in assisting general counsel on how to handle a cyberbreach when information is compromised. Edward J. McAndrew, assistant U.S. attorney and cybercrime coordinator, explains what have been the most significant developments in the area of law firm cybersecurity:

“Because of the information entrusted to them, the sensitive matters they handle, and the prominent positions in society they often occupy, lawyers are primary targets for all types of cyberattacks. … Cybersecurity has become both an ethical obligation and business imperative for law firms of all sizes. The Model Rules of Professional Conduct and the ethical rules of a growing number of state bars expressly encompass obligations to secure, and to maintain the confidentiality of, client data. Clients are under increasing pressure to secure their own and their customers’ data. They are applying that pressure on law firms.”

Many law firms have offices around the globe, and their clients’ operations are constantly expanding. Clients conducting business in industries such as health care, banking and financial services, retail and telecommunications are at a high risk for cybersecurity breaches. Clients are raising their cybersecurity concerns with their lawyers and looking for advice from law firms on how to protect against a breach and design a security plan in case a breach does occur. When asked if paralegals will be involved in their law firms’ processes of creating and developing cyberrisk management protocols, Joseph Raczynski, technology manager from Thomson Reuters, explained that “it makes natural sense that paralegals who have an interest in process and cybersecurity take a significant role in managing these protocols. Paralegals touch so many aspects of the firm. They use various applications, websites, manage large volumes of data and email. All of these facets can be an entryway for viruses, malware and hackers. Paralegals who have a natural inclination toward process and an interest in cybersecurity would be a great fit in this realm to help fill the void at the firm.”

On a large scale, law firms handle and store a large volume of their clients’ confidential information in their networks. Law firms are vulnerable targets for hackers because they represent clients in high-risk industries. The more high-volume and sophisticated clients they have, the better information they possess, and the more value it holds for hackers. Lawyers are holders of clients’ personal and legal information and have an ethical duty to protect client data. The American Bar Association Model Rules of Professional Conduct, in Rule 1.6(c), state, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Corporate and individual clients entrust their lawyer and the law firms with their sensitive and confidential data. A client’s data might relate to intellectual property, employment or labor disputes, real estate, political matters, victim statements, and witness and expert identities and testimonies. Benjamin M. Lawsky, New York State Department of Financial Services superintendent, stated in a letter to CEOs, GCs and CIOs:

“Recent cybersecurity breaches should serve as a stern wake-up call for insurers and other financial institutions to strengthen their cyberdefenses. Those companies are entrusted with a virtual treasure trove of sensitive customer information that is an inviting target for hackers. Regulators and private-sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.”

Further, DFS “encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.”

Because law firms these days have highly mobile workforces, they should be aware of the emergence of cyberrisks in their respective firms. If the firms do not have proper protection in place to stop hackers from obtaining critical and confidential information related to client matters, the breaches will result in substantial loss of time, resources, productivity, revenue, and perhaps most importantly, credibility. To help law firms and businesses deal with cyberattacks and breaches, U.S. Congress has passed legislation regarding cybersecurity enforcement, the Cybersecurity Enhancement Act of 2014 (S 1353). Additional pending federal legislation includes the Protecting Cyber Networks Act (HR 1560); the National Cybersecurity Protection Advancement Act of 2015 (HR 1731) and the Cybersecurity Information Sharing Act of 2015 (S 754).

Legal technology is constantly undergoing development and change. We went from microfilm and microfiche to CD-ROM, to Lexis and Westlaw, to email and the Internet, to technology-assisted review (TAR) and electronically stored information (ESI), to social medial and now to cybersecurity. These technological advances transformed the law firm workplace. Many litigation paralegals obtained skills in TAR and ESI. Should paralegals learn new skills related to cybersecurity? Raczynski explains what effect he foresees cybersecurity and other technological developments will have on paralegals:

“Paralegals are squarely in the mix with regard to cybersecurity activity for both the protection of client data, but also as targets for hackers. They carry a significant responsibility in assuring that the firm is not compromised. Through their everyday projects paralegals are on the frontlines of major security threats. They must be vigilant in awareness about the software they download and use, sites visited, and links clicked. As law firms become larger targets for hackers because of IP and proprietary information for mergers and acquisitions, there are a host of ways that they are being targeted.”

Further, McAndrew answers if he thinks paralegals will spend more time assisting and/or working on cybersecurity projects:

“Yes—in at least two respects. First, the need for cybersecurity-related legal services has exploded seemingly overnight. Many firms are building practices focused on the legal issues created by cybersecurity needs across industry sectors. Working on these issues requires a very high level of legal and technological expertise. More paralegals are likely to begin specializing in cyberlaw, just as more lawyers and firms are beginning to do so. Second, cybersecurity is becoming an important business issue for the law firms themselves. Inadequate cybersecurity is becoming a business disqualifier; good cybersecurity is a business differentiator. Those firms and professionals who can distinguish themselves as knowledgeable and appropriately focused on these issues add additional value to the service they can offer clients. As integral parts of the legal services team, paralegals are likely to spend additional time learning about and working on cybersecurity-related, business development projects.”

 

Security Breaches Trending Ever Higher at Law Firms: Cybersecurity and the Actual Threats Firm See Today

By Joseph Raczynski

Security is the number one anxiety for law firm management. After visiting with numerous law firms spanning the East coast over the past month, the anecdotal evidence is rich. These independent accounts from large- and medium-sized law firms alike reaffirm the data presented in the recently released American Bar Association’s 2015 Legal Technology Survey. Cybersecurity occupies a significant portion of firms’ time and creates many sleepless nights.

While law firms clamp down on every possible aspect of the business that can be affected, increasingly this is becoming a monumental task. The points of network compromise are many and the attack forms are varied. Alas, a single successful breach of a firm’s walled garden can be devastating. As the Legal Tech Survey outlines, the nefarious do not discriminate based on the size of the firm. As identified by the chart below, most types of firms experienced an increase in breaches from last year to this year.

Cited: ABA Legal Tech Survey.

Breach Themes

Two main types of breaches seem to be on the rise. The first is a variant on what most of us have experienced. Phishing attacks are a sloppy or poorly written email asking you to click on a link to a random bank perhaps called “United States Bank” in order to change your password. Clearly this was an unsophisticated attempt to gather your credentials. This has evolved many-fold recently. Now law firms are witnessing real pinpointed threats via spear-phishing attacks. In this scenario, a partner at your firm is targeted. The thief completes research from simple online searches; the firm the partner works for (Mayberry Law), their practice area (Automotive), perhaps cases they work on (Gomer Pyle v Barny Barney Fife), location (Mt Airy, NC) personal interests (baking pies) and perhaps outside activities (playing the guitar at the community center). With all of this data gathered someone can craft a directed email for your partner. For example:

“Hi Mr. Taylor,

My wife and I saw you playing your guitar the other night at the community center. Your folksy rifts were the bees’ knees! So we also ran into your Aunt Bee down at Gomer’s gas station and we wanted to ask if you could help out with a bake sale that we are having soon for Opie’s school. Please be so kind as to check out the fundraiser we are having located here” Thanks! Otis Campbell”

The sense almost any logical individual would surmise from this email — even if they may not recognize the name of the person or clearly remember the events around it — is that they must know the person. As a result, the likelihood of a partner or anyone else clicking on the malicious link is exceedingly high. This came up with each firm with whom I spoke as a tactic they are encountering which turns out to be a very effective way to compromise a network.

The other threat law firms are encountering is ransomware. In this scenario someone at the firm clicks on a malicious link and it executes code on their machine. That code first encrypts their hard drive and then begins to do the same across the network. This means you lose all access to your machine to do anything. The hacker then delivers popup messages freeing up those locked down hard drives for a fee. The two avenues to recover; erase the drive and restore from a backup or pay that fee to the hacker via Bitcoin. In my conversations I have heard this happen to a few organizations which unfortunately had not sufficiently backed up their drives. Thus they unfortunately had to pony up $10,000 or so to restore their data.

As the ABA’s Legal Tech Survey data cites, there is little question that breaches are rising. As a result, cyber insurance policies are garnering more attention to assist on the back-end of these attacks. Nonetheless, the continued focus remains on keeping the bad guys out. Most CIOs I have spoken with continue to focus on each aspect of the famed trifecta: the people, process and technology of cybersecurity. The heavy emphasis is on their people, assuring they do the right things; e.g. not clicking on malicious links. The other main thrust of three is the technology facet, assuring that each firm ramps up the deep-level monitoring of their own networks. There seems to be little doubt the industry is still combating a force that continues to gain strength while law firms spend increasingly more resources to keep their own and their clients’ data safe.

The Anatomy of Successful Cyber Attacks

By Joseph Raczynski

Preparation for cyberattacks on your network requires a fundamental understanding of the complete picture of who has launched the assault.  Steve Surdu of Surdu Consulting, LLP gave the keynote address at ILTA LegalSEC Summit 2015 in Baltimore, MD describing “The Anatomy of Successful Cyber Attacks.”

Steve outlined four attacker or threat profile group types; Hacktivists, Criminals, Terrorists, and Nation States.  In the matrix below I break out each section he reviewed into a column view to better understand the who, why, where, motivations, advantages, limitations, and impacts for each group.  I removed the Terrorist group as they tend not to pose a threat to law firms.

In summary the table offers an insight into the full anatomy of the threat for law firms.  To mitigate the aforementioned threats, he outlined five key strategies:

  • Awareness: An absolute must is providing education of all parties surrounding the law firm. This includes teaching employees, management, suppliers, and even your clients on the threats that exist, the tactics of the hackers, and the various outcomes from unsafe computing.
  • Visibility: Never assume that you will know everything that is happening on your network. Keep an inventory of assets, logs and all alerts which when gathered together creates actionable intelligence.
  • Focus: Law firms must think how the hackers attack, so avoid misplaced faith in compliance alone.
  • Operational Expediency: Firms should make reasonable operational and security trade-offs. That is, do not spend all of your time on areas with little benefit, like patches for little used systems.  Prioritize on the biggest impact items first.
  • Priorities: The most valuable time spent on cybersecurity is spent on people and process over technology.

Wrapping up his discussion, he touched on cybersecurity in three areas pertinent to law firms; mobile, Cloud, and eDiscovery.

Mobile Technology:

At this juncture, mobile devices do not pose a significant attack vector for large law firms.  The real risk is one-offs including physical loss of the device, or exposure to data stored on the unit.  Firms should remain vigilant by using encryption, password protection, and provide remote wiping on demand.  Lastly he mentioned that Android remains a target.

Cloud:

The Cloud is intriguing from a security perspective.  It provides familiar components to on-prem issues, but is outsourced.  What that means is that the same predicaments arise but since a different operator is in the equation, it can be more complex.  Surdu recommends to counter this threat by vetting your Cloud vendor carefully to manage your risk.

eDiscovery:

Similar to the Cloud, eDiscovery invokes the same issues that it does externally as it would internally.  When you use hosted services those services have to be vetted for controlled access, general integrity, encryption were necessary and to assure that privacy laws are being followed.  He recommends that firms use familiar and consistent platforms when possible.

In his parting thoughts, he focused on several salient points.  While difficult, attempt to retain key players for your firm security.  A revolving door in the Information Security department is ripe for attacks.  Create a process to track key information and assets.  By having these procedures in place the firm will know the who, what, where and when of deflecting cyber-attacks.  Work to cultivate and maintain senior management to establish a sense of normalcy.  Often hackers go after newer management because they are less likely to know systems and process.  He also stressed that your best adversaries understand that details matter.  “You should focus on the little things, because if you cannot get that right you will not get the bigger things.”  Lastly he ended with a push for firms to concentrate on finishing security projects because that is much more important than simply starting them.

The World of Advanced Endpoint Security

By Joseph Raczynski

Surprisingly the vendors in cybersecurity differ on their approaches to protecting your law firm. At the ILTA LegalSEC Summit 2015 in Baltimore, MD they had a panel discussion on how each vendor tackles the ever bounding threats.  For background when this post refers to endpoint security I am describing securing the user at the device level; i.e. the mobile phone or individual’s computer.

Gal Badishi of Palo Alto Networks started off his analysis with ominous statistics.  On average a firm does not recognize that they have been breached for 225 days after the initial strike.  In addition, of those attacks, 84% are found by third parties.  His primary theme throughout the conversation to counter these attacks was the proper implementation of a “Next Generation Firewall.”  This is defined on Wikipedia as “an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).” (Wiki, 6/14/2015)

Keith Palumbo of Cylance fascinated the audience with a unique and futuristic tact to cybersecurity for law firms.  They use a form of Artificial Intelligence to uncover and deflect penetration from malicious intruders.  In fact Keith described the use of mathematical endpoint solutions including algorithms to help predict what types of “ones and zeros” will be malicious based on like or similar files.  Their equations employ similar processes financial institutions have devised for rapid electronic trading.  The cutting edge autonomous driving cars also operate under similar algorithms.  What fosters this is the utilization of extremely efficient computers and their prowess in mathematical processing.  In essence, Cylance collects samples of viruses, extracts common features in the code then transforms that code into feasible branch code.  At this stage the software vectorizes the viruses to then train the system on what might arrive at the firm’s door.  Finally it classifies the virus and clusters it into a defined grouping for future learning.

The third speaker, Harry Sverdlove of Bit9 begin his discussion with the statement that, “antivirus protection is almost pointless.”  He noted that what firms have been employing for the last 20 years with virus detection through updates is dead.  With the number of virus on the Internet, there is no feasible way to scan, collect, submit and maintain a log of the rapidly changing viruses.

Harry suggested that each firm start from the assumption they are or will be breached.  He painted an example of a house that a thief gains access to daily.  If you think about it in this sense, prevention of that thief from entering is no longer enough.  Firms must invest in detection and response.  Most firms do not have systems that seek out real-time detection mechanisms.  This lends itself to much longer periods of time that the thief remains inside the firm’s firewall.  If the initial firewall breach was not detected by the firm, that intruder could remain inside for significant periods of time.

Ultimately the three panelist concluded that a three pronged approach to endpoint security was necessary; prevention techniques, detection once the breech has occurred, and lastly creating a documented response using various tools and processes.  Whatever solution, they all suggested turning your firm data (logs, user profiles, patterns of access) into intelligence.  If you set precedents for how people access your network, you can identify the variance and seize the thief.

Citation:

Wikipedia, Next-Generation Firewall, 6/14/2015, https://en.wikipedia.org/wiki/Next-Generation_Firewall