Cybersecurity at the centre – competing globally with different rules

 

Originally published on Legal Insights Europe.

By Joseph Raczynski

The topic of global cybersecurity will challenge each one of us. It is an unstable concoction of cultural norms and legal property rights patiently awaiting attention before it bursts. The overarching question is: ‘how can legal organizations and society as a whole manage rising threats to the integrity of intellectual property (IP) whilst retaining and using information?’ Add in the complexity that the global landscape is composed of open societies, with freedoms and individuality, and closed societies, of collectivism and oppression. The fundamentals of open society and IP rights, contrasted with closed societies and their misuse of IP through cyber threats, will soon force change.

The Situation

The Council on Foreign Relations has been focusing recent seminars on emerging technology and cybersecurity as it relates to China and Russia. The thematic quintessence from the highest former administrators in the U.S. Intelligence Community is that the UK, Europe, and U.S. are under constant IP attack. They cited countless examples of nation states sending students and other professionals to the UK and U.S. with the sole intention of pilfering IP. Purportedly, in one example, students at some of the best scientific universities are forced into this criminal role by their government. Their families at home are threatened if information from the student is not collected and given to the state. The majority of students have honest intentions in their travels, advancing their own education and enjoying the cultural exchange, but increasingly the U.S. Intelligence Community is alarmed at what it is finding: commercial cyber espionage.

The cultural philosophies are starkly different from one state to the next. The society of one state is open and the other closed. For example, one pushes for individuals’ governance of their own personal information, manifested through the General Data Protection Regulation in the European Union, while the other created a ‘social credit’ score, ranking citizens on their behaviour using data gathered by millions of facial recognition eyes in the sky. Both governments strive for rapid development in artificial intelligence, quantum computing, blockchain, and biotechnology. Governments develop these specialty areas in different ways. Eric Schmidt, former Google CEO, once said, “there will be two internets, one for China and one for the rest of the world”. The washing of information about the 1989 Tiananmen Square protests from every Chinese online forum and publication is cited as an example of the ‘other internet’. As a result, most teenagers in China have never heard of the protests which turned into a massacre.

Law firms as a collective serve as the largest holder of IP. As such, they are a top target for cyber espionage. The overarching laws are clear in the UK, and most often people abide by them. When there is conflict, legal process takes place and ultimately decisions are made, resulting in a final adjudication. What if no one paid attention to the decision? What if people did whatever they wanted? What if, even though the IP for the Flake candy bar is registered, China could copy it and sell it wherever they wished? This is the situation with the closed societies, and typically cybersecurity breaches are the means to an end for nation states looking to bolster their own companies.

The Dilemma

According to the U.S. Intelligence Community, the challenge is that closed societies are breaking into law firms and corporations, stealing IP and using it to build their own companies. The speed at which these new companies are built on the backs of stolen IP is phenomenal, and they will be much more difficult for UK organizations to compete against.

Certainly, corporate espionage has been around since before cobblers competed in shoe-making. The difference is that open societies, by their nature, are now threatened by IP exploitation in the UK and US. Going forward and beyond sanctions, as the superpowers of the world grow in strength and play by a different set of rules, law firms and corporations will likely need to map out new ways to protect their information and IP. The UK, U.S., and Europe will need to figure out how a society that plays by a clear set of rules competes against a society that can hack any law firm and use that information to illegally profit.

The vice grip of cybersecurity concerns on law firms

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski

Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.

Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.

Why law firms now?

Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is because of IP. Criminals of all sorts see law firms rife with IP that can be pilfered.

One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather their law firms. Once obtained, they pass the IP to their nation’s internal network of state owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get it to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.

The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, then can use that information to purchase stock—all before it is publicly announced.

Methods of attack

There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.

I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from the hundreds publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have them automatically sent to a test email account, simply by placing the ‘bad USB’ or ‘Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering, as an attack of this nature can be executed with relative ease.

There are countless other ways to hack a computer or IoT (Internet of Things) device, but no risk is greater than email. Alan Paller, of the US-based SANS Institute, cites that 95 percent of all malware and breaches start with email. A new government report published by the National Cyber Security Centre, ‘The cyber threat to UK legal sector’, discusses phishing attacks and states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:

  • Have processes in place when dealing with accounting so emails are not approval for funds transfer—use an internal application for requests and verification
  • Use software to distinguish ‘external’ emails from ‘internal’
  • Link protection—use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
  • Ensure that all applications are running their most up-to-date versions
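An added example, not part of the original article, of how the ‘external’ tagging and link checks in the list above can work on a single message. The firm domain `examplefirm.test`, the finding names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"examplefirm.test"}  # assumption: the firm's own mail domains
URLISH = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
IPV4 = re.compile(r"\d+(\.\d+){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()


def is_internal(domain):
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def check_links(html):
    """Flag links whose real destination differs from what the reader sees."""
    parser = LinkCollector()
    parser.feed(html)
    brands = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if IPV4.fullmatch(target):                      # raw address, no name
            findings.append(f"ip-literal-link:{target}")
        if URLISH.match(text) and host_of(text) != target:
            findings.append(f"link-text-mismatch:{host_of(text)}->{target}")
        if not is_internal(target) and any(b in target for b in brands):
            findings.append(f"lookalike-link:{target}")  # firm name, wrong domain
    return findings


def analyse(raw):
    """Return the (possibly tagged) subject and a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    external = not is_internal(sender_domain)
    findings = []
    if external:
        findings.append("external-sender")
        # A display name that shows an internal address hides the real sender.
        claimed = re.search(r"@([\w.-]+)", display)
        if claimed and is_internal(claimed.group(1).lower()):
            findings.append("display-name-claims-internal")
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append("reply-to-differs")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    tag = "[EXTERNAL] " if external else ""
    return {"subject": tag + str(msg["Subject"] or ""), "findings": findings}


# Constructed sample message (not a real email).
PHISH = """\
From: "accounts@examplefirm.test" <billing@examplefirm-pay.test>
Reply-To: collector@mailbox.test
Subject: Updated wiring details
Content-Type: text/html; charset="utf-8"

<a href="http://203.0.113.7/portal">https://portal.examplefirm.test/login</a>
<a href="https://examplefirm.test.docs-share.test/x">View document</a>
"""
```

Calling `analyse(PHISH)` returns the subject prefixed with `[EXTERNAL]` and six findings; a message from an internal sender with internal links returns an unchanged subject and no findings.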

One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though only after weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.

The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial-intelligence-infused algorithms to identify abnormal activity on the network. Blockchain will help secure information and identities with a distributed network—compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already forced, and will continue to force, all parties to take security more seriously or risk significant fines.

Kill Chain: The 7 Stages of a Cyberattack

Originally published in the Thomson Reuters Tax & Accounting Blog

By Joseph Raczynski

In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.

The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives

Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.

Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.

As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.

Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.

Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software by companies such as Microsoft or Cisco—applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.

Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.

Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.

“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”

Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.

Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.

Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.

Be Vigilant
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identifying vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us looks at these seven stages of the kill chain, the better we can prevent the next hack.
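Stage 6 above describes installed code that phones home and later sends data out through the firewall, and that recurring outbound traffic is one place a defender can break the chain. The following added example (not from the original article) flags near-periodic connections in egress logs; the log format, host names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed egress log lines: 'ISO-time src dst bytes_out' (not real data)."""
    start = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # One workstation contacting the same host every ~300 s with slight jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2, -3, 0, 1, -1]):
        t = start + timedelta(seconds=300 * i + jitter)
        lines.append(f"{t.isoformat()} 10.0.4.17 sync.remote-host.test 420")
    # The same workstation browsing: bursts and long gaps.
    for off in [5, 40, 47, 600, 615, 2400, 2410, 2500, 3300]:
        t = start + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.4.17 news.example.org 1800")
    # Another workstation with too few events to judge.
    for off in [100, 400, 700]:
        t = start + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.4.22 mail.example.net 900")
    return sorted(lines)


def parse(line):
    ts, src, dst, sent = line.split()
    return datetime.fromisoformat(ts), src, dst, int(sent)


def find_beacons(lines, min_events=8, max_cv=0.10, allow=frozenset()):
    """Flag (src, dst) pairs whose connections recur at near-constant intervals.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps
    between connections: people browse in bursts, code on a timer does not.
    `allow` holds destinations already known to poll on a schedule, such as
    software update hosts, so they do not drown out the rest.
    """
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, sent = parse(line)
        if dst not in allow:
            seen[(src, dst)].append((ts, sent))
    hits = []
    for (src, dst), events in seen.items():
        if len(events) < min_events:
            continue  # not enough data to call anything periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(events),
                         "period_s": round(avg), "cv": round(cv, 3),
                         "bytes_out": sum(e[1] for e in events)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(hit)
```

On the constructed log only the 300-second pattern from 10.0.4.17 is reported; the browsing traffic has enough events but irregular gaps, and the third host has too few events to evaluate.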

Cyberattacks are here to stay – protect your organization with these 10 best practices

Originally published on the Thomson Reuters Tax & Accounting Community Connect

by Joseph Raczynski

Our online connections can be downright frightening! The diabolical among us seize every opportunity to plunder our personal information. In fact, FireEye, a leading cybersecurity corporation, has some startling statistics to support this. When conducting an audit of 1,200 companies, they found that 97 percent of the organizations’ networks had been compromised—meaning that the vast majority of these businesses had malware sitting on their servers collecting internal information and sending it back out through the firewall to a remote locale. For most of these companies, it was at least 225 days before they realized a bad actor was sitting inside their network syphoning critical business data.

That’s the bad news. Here’s the good news: There are best practices and tools that will help protect your organization from hacks. Here are 10 that I recommend.

Create an email address for junk.
Use it for newsletters, online merchants, cable companies and mobile carriers. These companies will be or have already been hacked. More than likely, phishing emails asking you to click on links will come from this group. By creating a separate inbox for junk, you’ll know that most of the email in this account can be ignored or taken with a grain of salt, while communications from trusted accounts will be sent to a different email address (although still be cautious about clicking on links in your “trusted” account, as well).

Encrypt your hard drive.
This will protect your information if ever you lose your computer or phone. Essentially, an encrypted hard drive requires that you enter a password on the device as soon as it boots up. It is not the Windows or iOS sign-on. If the Windows or iOS sign-on is the first thing you see when you start your computer or phone from scratch, your computer is not encrypted and is at risk.

Use a URL defense application.
If your company doesn’t already have one, encourage them to look into getting one. The software determines whether a link is safe by going to a special secure server when you click on it. If the link isn’t safe, the application blocks the content from ever hitting your computer or phone.

Use a browser to identify fake websites.
If you don’t have a URL defense application, don’t click directly on an email link. Instead, open a browser and type in the company’s URL. This may be inconvenient, but many of the links embedded in emails connect to fake websites designed to download malicious software to your computer or phone.

Encrypt, encrypt, encrypt.
At some point, someone will break into your computer, phone, or network. Secure your documents, photos, and other important data beforehand by encrypting them in special encrypted folders. If hackers gain access, they will have to decrypt your important files—which isn’t easy.

Keep antivirus software updated.
While antivirus software has become a bit less effective, make sure yours is up to date and turned on. Many malware applications turn antivirus software off. If you see that your firewall or antivirus protection has been deactivated—usually there is a pop-up that will alert you—have your computer looked at by someone in IT.

Immediately update all software when prompted.
Some of the most recent attacks that have hit machines running Windows operating systems had patches that people put off for six weeks. Those debilitating viruses could have been prevented with a quick update requiring just a few minutes. Even better, turn on automatic updates for all of your applications.

Use a password management utility.
Look into an application like LastPass, which houses all of your passwords and randomly updates them for you so you don’t have to.

Make passwords more complex.
If you don’t use a password management application, create passwords that are actual sentences and vary them among your accounts. There are simple apps that can easily guess passwords, especially if they are short and don’t include a mix of letters, numbers, and symbols. A sentence password can look something like: MyMomW3ntT0HarvardIn1958! Just be sure to avoid including personal information in your passwords.

Authenticate, authenticate, authenticate.
If you have the option of dual-factor authentication, opt for the ones that use something like Google Authenticator. These apps create randomized numbers every 60 seconds which you input after your normal login and password. Sometimes people use a confirmation text with a number that you need to enter, but this is actually less secure than the authenticators. Not all services use this yet but will increasingly do so over the next few years with bank accounts and email.

Finally, in meeting with one of my customers recently, the chief technology officer of a 3,000-person institution mentioned that there had been 12 million attacks on his organization over the last six months—many from foreign actors. His institution is not alone. Malicious cyberattacks will only continue to increase, so implement the tips above, and be mindful of what you are doing with your data to protect yourself.

How prepared are law firms to face cyber security threats?

By Joseph Raczynski

The hacking of Panamanian law firm Mossack Fonseca last April resulted in 11.5 million leaked attorney-client privileged documents, exposing the widespread use of off-shore businesses by wealthy individuals and corporations around the world and highlighting the imperative need for proactive measures against corruption and other illicit financial activity.

But what it also revealed was just how vulnerable law firms can be to hackers and other cyber criminals.

Daniel Garrie is an arbitrator, forensic neutral and technical special master at JAMS, available in Los Angeles, New York and Seattle. He is executive managing partner of Law & Forensics LLC and head of the computer forensics and cybersecurity practice groups, with locations in the United States, India and Brazil. He is also a Partner at Zeichner Ellman & Krause LLP, where he heads their global cyber security practice, and an adjunct professor at Cardozo School of Law.

I recently spoke to Daniel Garrie, Global Head of eDiscovery, Forensics, and Cybersecurity Practices for Law & Forensics LLC, to get his insight into some of the cyber security issues facing law firms today:

Q. Daniel, why do hackers and other cyber criminals target law firms?

First, for information. All kinds of potentially valuable information: M&A information, IP information, real estate information, divorce information; information that can make people money or give them leverage. If you think about the law firms that just do mortgages, for example; getting a fully detailed mortgage package with social security numbers, bank account numbers, wiring information — that’s a pretty interesting piece of information.

Second, because in many cases, the law firm is the weakest link. Take the case of an M&A deal, for example. Why invest money and resources to hack the companies — which are more likely to have robust cyber security frameworks — when you can just hack the law firm, where cyber security resources are fewer and far more fragile?

Q. So law firms are not prepared to deal with these threats?

No, but not because they don’t want to be, but because of how law firms work as a partner profit-sharing entity. There has to be a reason to invest in measures to prevent them.

Q. And what are those reasons?

The consequences of unprotected and disclosed client data are two-fold. Not only do a law firm’s clients face potential reputational, financial, and legal risks when their private information is accessed and potentially distributed, the firm itself faces those same risks.

All law firms are competing for business and firms that don’t protect against cyber security threats run the risk of losing a substantial amount of business. Law firms are becoming acutely more aware of the fact that if they’re hacked, chances are, they’re no longer going to be a law firm.

Q. So what steps can law firms take to get prepared to deal with these threats?

First, focus on cyber hygiene. Do whatever it takes to put the right preventative measures in place: encryption, “least access necessary” policies, training and education for staff, etc. Second, find trusted partners. Do business only with those whom you can trust because if they are labeled as “hacked,” it could devastate your business, too.

Original post in AnswersOn

LegalSEC: Shedding Light on the Dark Net 

By Joseph Raczynski

The importance of law firms understanding the dark web

Your very sensitive private client data could be available for all to see on the Internet right now. Technically this data would be on the Dark Net or Dark Web. It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers. As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now. At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster, CEO of Winvale; Todd Nielson, President at Secuvant Cyber Security; and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.

The Dark Web, born from a United States government program, had positive intent from the onset. It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely. North Koreans and Iranians use this to congregate and postulate new ways to live. They can visit this space in the ether and share ideas freely without the fear that they will be persecuted for espousing ideas incongruous with their government’s point of view.

How to get there:

The following is not advised, but is here as an awareness of how people access the Dark Web.

Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization which turns your normal browser into a Tor Onion enabled browser.  What that means is that the plugin creates a tunneled Internet to a minimum of 100 other locations around the world.  You are essentially establishing a proxy connection to other computers who are running the same Tor software.  This establishes a very strong sense of anonymity and security that no one knows who you are or where you live (IP address).   If I live in Washington, DC after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.


Once the application is launched, you would need to find an index page, like the Hidden Wiki, which gives users a general launching-off point for perusing Dark Web websites. It is not a pure search-and-find environment like Google, though some sites are indexed. Sites are not set up with a URL structure like we have on the Open Web, such as http://www.thomsonreuters.com. In fact, they appear to be hashed with letters and numbers in a random pattern. They also end in .onion rather than the normal .com that we tend to see. So an example address might be: ijfije856ya5lo.onion.

Once there:

Unfortunately, once a user passes into this realm, there is a minefield awaiting. The Wiki page starts with the benign and dives headlong into the frightening and disturbing. You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice. The cryptocurrency Bitcoin is also generally considered anonymous. Other possibilities include hiring a hacker, buying prescription drugs, buying illegal drugs, acquiring arms or, if you so desired, getting involved in unregulated medical trials. On the darker side, you can even hire a hit man.

Law Firm Perspective on Dark Web:

The key point of this post is that law firms are now being brought into the dark side. Criminals are stealing IP information and M&A information and dropping it onto the Dark Web. Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm or hold it at ransom. Hackers for hire have been used to target corporations and law firms.

One of the questions put to the panel was how firms should handle the Dark Web. In my time consulting around this subject, I was curious about the response. The group was split. Some thought that companies should not use their own networks to access the environment; others stated that, in a controlled-access situation, they could monitor what is going on on the Dark Web to protect their brand. In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening. Law firms and corporations should be looking for client names, logins and passwords, and email addresses of their respective company.

With the increase in cyber-attacks, all entities have to be aware of how hackers operate. Understanding the Dark Web in this context is part of the due diligence for any corporation or law firm today. Fortunately, a new wave of companies is surfacing that can monitor the Dark Net on behalf of your organization.