
Page 1: 12-19-14 CLE for South (P Garrett)

WHY CLIENT DATA IS AT RISK; HOW IT IS AT RISK; AND HOW TO MITIGATE THE RISK USING SOME SIMPLE SECURITY POLICIES AND PROCEDURES

South University, CLE
December 19, 2014

Presented by: Patrick J. Garrett, J.D.

Page 2

Why your client data is at risk:

- Attorneys have lots of PII (personal identifying information):
  - Social Security numbers
  - Medical records
  - Driver's license numbers
- You have client work product and proprietary information:
  - Trademark information
  - Business formulas and code
- An attacker is using you to get to your client.

Page 3

Why your client data is at risk:

- It will cost you more money to fix the infection than the cost of the ransom:
  - IT professional
  - New hardware
  - Software
  - Loss of data
- Many attorneys simply do not understand information security, so they do not take steps to protect the data. They are easy targets!

Page 4

What are Security Controls?

Policies and procedures that demand and direct users to implement specific security features, or to mitigate potential vulnerabilities, associated with hardware, software, or the transportation of data, and that conform behavior and actions to support the three (3) general goals of information security:

1. Confidentiality
2. Integrity
3. Availability

Page 5

Why you must implement security controls:

- Civil liability for negligence and malpractice: common law negligence or wantonness.
- HIPAA requires “reasonable and appropriate” security.
- PCI laws for financial and credit card companies and processors.
- Even if you are not obligated to provide certain levels of security, your clients may be obligated.
  - They may not be able to share their information with you unless you implement and understand the security controls.
- Your clients will start expecting and demanding that you have controls in place.

Page 6

Why you must implement security controls:

Ethical obligations to keep data secure: Confidentiality

Rule 1.6(a), Alabama Rules of Professional Conduct: “A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation . . .”

- Digital or electronic information is treated the same as a paper file (not just PDFs).
- Applies to ALL information related to the representation.

Page 7: 12-19-14 CLE for South (P Garrett)

Office of General Counsel, Alabama State Bar, Formal Opinion 2010-02, Retention, Storage, Ownership, Production and Destruction of Client Files

“Like documents that are converted, documents that are originally created and maintained electronically must be secured and reasonable measures must be in place to protect the confidentiality, security and integrity of the document.”

“This requires the lawyer to ensure that only authorized

individuals have access to the electronic files. The lawyer should also take reasonable steps to ensure that the files are secure from outside intrusion.”

“Although not required for traditional paper files, a lawyer must “back up” all electronically stored files onto another computer or media that can be accessed to restore data in case the lawyer’s computer crashes, the file is corrupted, or his office is damaged or destroyed.”

“Lawyers do have an ethical obligation to prevent the premature or inappropriate destruction of client files.”

Page 8

Additional takeaways from 2010-02:

- Using a cloud provider for backup is OK, as long as the lawyer exercises reasonable care in doing so.
- Must keep client files for a mandatory minimum of 6 years from the final disposition or date of closing the file, but . . . “special circumstances may exist that require a longer, even indefinite, period of retention. Files relating to minors, probate matters, estate planning, tax, criminal law, business entities and transactional matters should be retained indefinitely and until their contents are substantively and practically obsolete and their retention would serve no useful purpose to the client, the lawyer, or the administration of justice.” (Formal Opinion 2010-02, p. 7)
- Must have the ability to make the file available to the client during this time as well.

Page 9

Why you must implement security controls:

Competence – Rule 1.1, ABA Model Rules of Professional Conduct, Comment [8]: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

Alabama has not adopted this yet; its version states: “To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education.”

Potential current or future obligation to understand the technology that you use.

Page 10

Ethical obligations in a nutshell:

- Secure the data. Take “reasonable” measures:
  - Risk assessment
  - Cost-benefit analysis
  - Risk mitigation
- Protect the confidentiality, security, and integrity of the data:
  - Authentication
  - Encryption
  - Hashing
- Availability: must store files for at least 6 years.
  - Accessibility
  - Durability
  - Backups

Page 11

Page 12

What are your goals?

Comply with your ethical obligations by implementing practical security policies, procedures, and actions that are reasonable for your circumstances to help you ensure three things:

1) Confidentiality
   - Authentication
2) Integrity
3) Availability

Page 13

Factors to assist you in choosing what controls are right for you:

- Where and how is my data stored?
- How am I transporting my data?
- Where are the vulnerabilities when my data is transported and stored?
- What threats can exploit these vulnerabilities?
- What controls exist to mitigate the threat, and what resources do I have available to me?
- Based on all these factors, what controls must I implement?
- In addition to the required controls, what other controls can I implement?

Page 14

How your client data is at risk:

Why do I need to know how data is stored, transported, shared, and accessed?

- Every link in the chain of communication is a vulnerability.
- Every other person or machine that you send your information to is a vulnerability.
- How you send or share your data or information can cause vulnerabilities.
- Every place you store your data is another vulnerability that must be protected.

Page 15

Vulnerabilities in the transport and storage process:

- Interception of your data while communicating with someone else.
- Unknowingly sending data to the wrong person or an illegitimate website.
- Accessing your data by breaking into your computer or network.
- Accessing your data using trickery or a compromised password.

Page 16

How your client data is at risk:

THREATS TO THOSE VULNERABILITIES

- Attackers: outside parties trying to trick you, or breaking into your computer network or system without your consent and knowledge.
- Malicious software: viruses, spyware, malware, etc.
- Malicious insiders: disgruntled employees or sometimes clients.
- Negligent actions by you or your employees: failure to take reasonable precautions.

Page 17

Understand where and how your data is stored:

- Data at rest: hard drives, USB drives, servers, PCs, laptops, smart phones, tablets, etc. This isn't just PDFs.
- Data in transit: email, internet, web traffic, network traffic, etc.
- Backup data: locally or remotely.
- Data in the cloud.

Page 18

How your data is transported:

[Diagram: internal network and the Internet]

Page 19

[Diagram: typical small business or home network, free public Wi-Fi, and the Internet. How your systems interact and communicate.]

Page 20

[Diagram: John Smith exchanging files with the web server for ParickGarrett.net. Typical for uploading / downloading files.]

Page 21

[Diagram: John Smith asks the web server “Please send me the web page for Google.com”; the web server replies “Here you go!”]

Typical request for an unsecured http:// website:

1. The computer's browser sends the request (data packet) in clear text.
2. The web server also sends the response in clear text.

Neither party knows if the other party is who they say they are. Anyone who intercepts the packets can eavesdrop on the communication because the data is in clear text.

Page 22

Where your data can be intercepted:

[Diagram: internal network and the Internet]

Page 23

How your data is intercepted:

- The attacker uses software to scan for available wireless networks and return the results along with the kind of security (encryption) being used (i.e., WEP, WPA, etc.). If a network is unprotected or has weak encryption, it can easily be cracked.
- Once on the network, the attacker uses “packet sniffing” software to capture the data packets to analyze, review, and crack later.

Page 24

How your data is intercepted: Impersonation

- “Man in the middle” attack: during your session with a website online, an attacker reads your unprotected communication in real time. They then change that information before it is sent to the other party, or they spoof their IP address and pretend to be the website.
- Browser hijacking, or setting up a fake website that looks like the legitimate website.

Page 25

Anatomy of a network attack

- Similar to interception: the attacker scans your network first to determine what kind of security you use.
- Tries to guess what manufacturer your router comes from, then looks up the documentation online that gives the default password for that particular router, or tries them all.
- If the user never changed the password, the attacker gets access to the whole network, can intercept all data that comes through the router, and can copy/steal/destroy data from any unsecured computer/server on the network.

Page 26

Anatomy of a network attack

- If guessing the router password doesn't work, the attacker uses “port scanner” software to see what ports are open and/or being used on the router firewall.
- The attacker analyzes any captured packets, together with knowledge of commonly used ports, to infer what kind of applications and operating system are being used.
- Forms a profile of your system. Looks up any known vulnerabilities in your OS or applications. Launches a specific attack based on the hardware/software profile.

Page 27

Anatomy of a network attack

- May try to infiltrate a single vulnerable system on the network and spread out to other systems.
- Privilege escalation: after infiltrating a single system, the attacker tries to get admin access on that system. Admin access allows the attacker to access other systems on the network.
- A virus works this way on single computers; a worm spreads to other systems.

Page 28

[Diagram: privilege escalation across the internal network, reaching the Accounting / Billing Department]

PRIVILEGE ESCALATION

Page 29

Password Guessing/Cracking

- The attacker researches you or your staff to gain information about you: social media pages, pictures, etc.
- Follows you and learns your habits, kids' names, pet names, favorite sports teams, etc.
- They then use that information and software to try to guess your password.
- Brute force attacks: dictionary attacks, rainbow table attacks.
- Can also just try default passwords or typical passwords.

Page 30

How to mitigate your risks using security policies and procedures:

INTERCEPTION AND IMPERSONATION

- Only use secure networks.
- Free Wi-Fi (Starbucks) is not secure and you have zero privacy.
- If on unsecured Wi-Fi, use a VPN provider.
- On work/home wireless networks, make sure you use the right encryption protocol.
  - WEP can usually be cracked in under an hour.
  - WPA2 is best, but if it is not available then at least use WPA.

Page 31

How to mitigate your risks using security policies and procedures:

INTERCEPTION AND IMPERSONATION

- Only use secure websites, and restrict your employees to accessing only trusted, secure websites.
- Secure websites start with https:// and use the SSL (older) or TLS (newer) security protocols.
- Download and use “HTTPS Everywhere” for the Firefox or Chrome browsers. It will force websites to use HTTPS by default if it is available.
- Research a website's security if you will be providing it with your personal / banking information.

Page 32

Typical request for a secured https:// website:

- Uses certificates to authenticate and encrypt.
- Uses asymmetric and symmetric encryption.

[Diagram: John Smith and the web server exchange the server's public key and an encrypted symmetric key.]

Page 33

Certificates: authentication

- Used for confidentiality because a certificate authenticates the person sending or receiving information.
- Issued internally or by a third-party company known as a Certificate Authority (CA).
- The CA verifies the identity of the website owner and digitally signs the certificate (akin to notarizing).
- The CA has built up credibility, trust, and name recognition, so when the CA vouches for the website, people will then trust the website.

Page 34

Certificates: encryption

- Used for confidentiality because they are used to encrypt communications.
- They use asymmetric encryption: the website has a public key listed on its certificate. Users use the public key to encrypt information to send to the website.
- Only the website has the private key to decrypt, so if someone steals the data they can't read it.
- Most often the asymmetric encryption is used just to encrypt a symmetric key, because symmetric encryption is faster.

Page 35

How to mitigate your risks using security policies and procedures:

NETWORK ATTACKS

- Change the default password on your router and make it something complex.
- Make sure the firewall on the router is adjusted to restrict what type of traffic can come into and leave the network.
- Use encryption on your hard drives, individual computers, and mobile devices in case your network is compromised.

Page 36

How to mitigate your risks using security policies and procedures:

NETWORK ATTACKS

- Harden each individual computer on the network: firewall and anti-virus on and updated.
- Good patch management: always make sure the most recent OS and application updates are installed.
- Remember “Patch Tuesday” for Windows: Microsoft releases its updates (if any) every 2nd Tuesday of the month and sometimes the 4th Tuesday as well.
- This is important because these updates often fix the “known vulnerabilities” that attackers look for.
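Added example, not from the presentation: Go code (standard library only) that computes the second-Tuesday release dates this slide describes, plus the occasional fourth Tuesday, so the "calendar Patch Tuesdays" item in the policy on page 44 can be generated for a whole year rather than looked up month by month. The year 2014 in main is the year of this CLE, chosen only as sample input.

```go
package main

import (
	"fmt"
	"time"
)

// nthWeekday returns the n-th (1-based) occurrence of weekday wd in a month.
// time.Date normalizes month 13 to January of the following year.
func nthWeekday(year int, month time.Month, wd time.Weekday, n int) time.Time {
	first := time.Date(year, month, 1, 0, 0, 0, 0, time.UTC)
	offset := (int(wd) - int(first.Weekday()) + 7) % 7
	return first.AddDate(0, 0, offset+7*(n-1))
}

// PatchTuesday is the second Tuesday of the month, when Windows updates are
// released (page 36).
func PatchTuesday(year int, month time.Month) time.Time {
	return nthWeekday(year, month, time.Tuesday, 2)
}

// FourthTuesday is the occasional extra release day the slide mentions.
func FourthTuesday(year int, month time.Month) time.Time {
	return nthWeekday(year, month, time.Tuesday, 4)
}

// NextPatchTuesday returns the first Patch Tuesday on or after the calendar
// day of t, rolling over to the next month once this month's has passed.
func NextPatchTuesday(t time.Time) time.Time {
	day := time.Date(t.Year(), t.Month(), t.Day(), 0, 0, 0, 0, time.UTC)
	pt := PatchTuesday(day.Year(), day.Month())
	if pt.Before(day) {
		pt = PatchTuesday(day.Year(), day.Month()+1)
	}
	return pt
}

// Schedule lists the twelve Patch Tuesdays of a year: the dates a small office
// puts on its calendar to confirm that updates were actually installed.
func Schedule(year int) []time.Time {
	dates := make([]time.Time, 0, 12)
	for m := time.January; m <= time.December; m++ {
		dates = append(dates, PatchTuesday(year, m))
	}
	return dates
}

func main() {
	for _, d := range Schedule(2014) { // 2014: the year of this CLE, used as sample input
		fmt.Println(d.Format("Mon 2006-01-02"))
	}
	cle := time.Date(2014, time.December, 19, 0, 0, 0, 0, time.UTC)
	fmt.Println("next Patch Tuesday after the CLE:", NextPatchTuesday(cle).Format("2006-01-02"))
}
```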

Page 37

How to mitigate your risks using security policies and procedures:

NETWORK ATTACKS

- Use restricted-access accounts to counter malware and privilege escalation attacks.
- Never actively use the administrator account.
- When creating an account, only give it the minimum access needed.
- Rename the admin account to something other than “administrator” or “admin”.

Page 38

How to mitigate your risks using security policies and procedures:

PASSWORD CRACKING

- Use long, complex passwords that include symbols, numbers, and capital letters.
- Never send your password / username through email.
- Change your password at least a couple of times a year. By the time an attacker figures out the password, he will have to start all over with a new password.
- Set password settings to prevent reuse of passwords that have previously been used.

Page 39

How to mitigate your risks using security policies and procedures:

DATA THEFT OR DESTRUCTION

- Always back up your data to a remote location. You are required to keep the file for at least 6 years.
- Use encryption on all devices, computers, and hard drives in case the data is stolen. Encryption will make it very difficult to read without the key.
- When using cloud providers for storage, make sure they are using encryption on their servers as well as during the upload/download process.

Page 40

How to mitigate your risks using security policies and procedures:

DATA THEFT OR DESTRUCTION – Tips for using encryption:

- Premium editions of Windows 7 have the ability to encrypt at the file level using “BitLocker”.
- File-level encryption can store all your sensitive data. Good if you don't want to encrypt the entire hard drive.
- If you use commercial encryption software, go with AES (Advanced Encryption Standard) or Twofish.
- AES is used by government, banks, etc. Twofish is strong as well and is generally faster. AES-256 (AES with a 256-bit private key) is the best available.

Page 41

Malware Prevention: Anti-virus protection

- Only use reputable vendors: Avast, McAfee, etc.
- Firewalls: Windows and Apple OS X have built-in firewalls. Also implement the ones on your modem/router.
- Make sure your operating system (OS) is up to date. Oftentimes, malware exploits vulnerabilities in these in order to gain access.

Page 42

Ransomware comes in many types

Page 43

Develop an overall security policy:

- Put it in writing. Educate your staff on it and then review it at least twice a year.
- It should address the following issues at minimum:
  - Acceptable use of the computer: which websites or types of websites are acceptable to visit and which should not be used, etc.
  - Password policy: require at least 12 characters (with symbols and numbers); no password shall be reused.

Page 44

Develop an overall security policy:

- How often backup should be done.
- Where the backup will be stored (cloud provider, removable hard drive, offsite computer or server).
- Patch management: all systems set to automatically update, or calendar Patch Tuesdays for updates.
- Email policy: no opening emails from unknown persons unless you are expecting it. No clicking links within emails.
- Network access: no free Wi-Fi in your office. Password changing for routers.
- Physical security: no one left with computers, etc.

Page 45

Other non-technical things you can do

- Draft a file retention policy. If you voluntarily hold on to the file longer than you are required to, you are increasing your cost of securing the file and the risk of a breach (applies to Category 2 & 3; see Formal Opinion 2010-02).
- Take the same actions in your home office.
- Train, educate, and enforce.