TRANSCRIPT
Presenters: Ivan Hemmans, Bill Kyrouz, Sharon Nelson and Tim Russell
College of Law Practice Management / Suffolk Law School
How many of you personally know of a law firm or legal entity breach?
Worried about a data breach? You should be.
• 2017 ABA Legal Tech Report
• 22% of firms breached at some point
• Over one third of firms with 10-99 attorneys were compromised in 2017 alone
• Only 26% had an Incident Response Plan
• 1/3 of in-house counsel had a breach in 2017 (2018 survey by the Assn. for Corporate Counsel)
Threat Actors
• Cybercriminals (most common)
• Hackers
• Hacktivists
• Government surveillance
• State sponsored / condoned espionage
• Publicly available tools to know your weaknesses, and toolkits to develop malware and phishing campaigns
• Insiders (disgruntled / dishonest / bored / untrained)
2018 FireEye report
• 1 in every 101 emails is a hacking attempt
• Analyzed half a billion emails Jan-June 2018
• Only 10% ransomware or phishing with infected links/attachments
• 90% involved social engineering and identity impersonation – goal to directly steal data or install malware in the future
2018 Verizon Data Breach Report
• Malware involved in 30% of breaches – 51% last year
• Where malware involved, 39% of time it was ransomware
• Expect cryptocurrency mining will make more revenue for cybercriminals than ransomware in 2018
• Pretexting (pretending to be someone else) 5 times more prevalent since last year’s report
• Average of 4% of users will fall for a phishing test
2018 Verizon Data Breach Report
• 76% of breaches financially motivated, espionage came in 2nd
• Organized cybercriminals – 50% of breaches; 12% nation-states or their proxies
If it could happen to DLA Piper . . . how can the rest of us protect ourselves?
• One of the top ten law firms in the world by revenue and number of lawyers
• June 27th – email and phones down, some of their network – some computers shut down as a precaution
• GoldenEye/NotPetya malware – appeared at first to be ransomware, real intent to destroy data (exploited NSA tools published by the Shadow Brokers)
• July 3rd statement – email back up, bringing up other systems
• Mum as to source of problem
• What really happened?
Breached? What will you tell your clients?
National Law Journal – May 2, 2016
• Law Firm Breaches Happening at Dizzying Speeds
Milestones in Law Firm Cybersecurity I
2000 ILoveYou Virus
~2003 Intelligence Officials identify law firms as the best target for foreign hackers
2008-present Conficker, Cryptolocker, et al
2010 Massachusetts Data Security Regulations (201 CMR 17)
2011 FBI gathers Top 100 Firms together in New York
2012 “Major New York Firm’” - entire document collection found on server in China
2014 AmLaw 100 Firm: Attorney charged with insider trading
2014 ISO 27001 Certification gains steam in legal at behest of financial industry
2015 LS-ISAO Formed
2016 Panama Papers Breach (Mossack Fonseca folds in 2018)
2016 Large firms targeted for M&A Info, NY Firms Breached [WSJ]
2016 Other targeted attack against the law firm community (common software)
2017 WannaCry and NotPetya
2017 Appleby (International Consortium of Investigative Journalists)
2018 More vulnerabilities in software common to law firms…?
Milestones in Law Firm Cybersecurity II
Russian cybercriminal looking for hacker assistance
• March 29, 2016 Crain’s Chicago Business
• “Oleras” posted in cybercriminal forum
• Offered more than $100,000 plus 50-50 of profits exceeding $1 million
• Insider info sought for stock market gain
• Almost 50 firms listed as targets
• A “Who’s Who” of law firms
• Two known breached – Cravath and Weil
Breaches from the Am Law 200
• March 29 – Wall Street Journal
• Cravath Swaine and Weil Gotshal
• Breached in summer of 2015
• Other firms also breached
• Source? Unknown but CS confirmed “limited breach”
• Not aware of any improper use of info
December 2016
• Manhattan U.S. Attorney unsealed indictment against 3 Chinese men who used law firm employee credentials to access huge number of internal e-mails at Cravath Swaine and Weil Gotshal in 2015
• 2 firms represent 44 of the Fortune 100 companies in US
• Made more than $4 million in illegal stock trades
• Spear phishing attacks
• Attempted to hack into 7 firms
• Odds of success appear to be 2 in 7
The Panama Papers
• April 5, The Guardian: “The Panama Papers”
• Mossack Fonseca, 11.5 million files
• 1977-2016, 2.6 terabytes
• BBC – firm helped clients
• Launder money
• Dodge sanctions
• Evade taxes
• Vladimir Putin – $2 billion
• Security was trivial
May 9, 2016 – Second round of Panama Papers released
• Searchable by name/country
• International Consortium of Investigative Journalists
• More than 200,000 entities
• Akin Gump, Arnold & Porter, Baker & McKenzie, Bryan Cave, Dentons, DLA Piper, Greenberg Traurig, Hogan Lovells, Jones Day, K&L Gates, Linklaters, Morgan Lewis, Norton Rose, Orrick, Perkins Coie, Square Patton Boggs, Squire, Sanders & Dempsey, Troutman Sanders, White & Case, Wilmer Cutler – and the list goes on
Advanced hackers with advanced tools and sufficient funding
How many of you are personally aware of a data breach caused by an insider?
Insiders: Reported 4/18/16
• Former IT engineer for Dallas law firm Locke Lord
• 9 Years Prison, $1.7 Million Fine
• Issued commands that caused "significant damage"
• "including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts."
January 2017
• Ferguson, Praet & Sherman
• Researcher found accessible law firm files on the Internet
• Volume was astonishing
• Video surveillance appeared to show that two jail employees may have walked past inmate hanging himself, evidence not produced in investigation of the death
• Firm was synchronizing backup across the Internet without a password
FBI’s InfraGard
Do you train your employees? How often? Live training? Insiders train? Or outsiders?
Training Training Training
Have We Mentioned Training?
Don’t be stupid!
Many mistakes made from moving too fast
True confessions time (let’s all play!)
• Wrong person emailed?
• Wrong attachment emailed?
Training tips for employers
• Options: formal training, online modules, random alerts / electronic postings
• When to formally train? Lunch is the most popular; one hour good timeframe
• Make training mandatory – sign-in sheets and logs
• Forbid the use of smartphones or other devices – and phones silenced
• Outside trainers – not your in-house IT
• Live is preferable but not always possible
• Real-life stories/phishing examples
• Train annually (at least!)
Have formal security policies, monitor and enforce them!
What is a phishing email?
• Everyday phishing emails
• Targeted emails – also known as spear phishing
• What happens when you click on an attachment or a link?
• 2016 PhishMe study
• Why do users click?
• Curiosity (racy New Year’s photos)
• Fear (bar complaint attached)
• Urgency (boss needs this today)
• Recognition (award you’ve gotten)
• SonicWall, Duo Security and OpenDNS
• One phishing simulation (reported to employees) drops risk of phishing success by 20%
91% of hacking attacks begin with a phishing email
Training
• Phishing, especially spear phishing – most successful way of breaching law firms – an e-mail from a friend/colleague can be spoofed. Hackers research personal details too – may know nickname
• Drive-by infections
• Sharing credentials
• Baiting (flash drives)
• Piggybacking
• Hitchhiking
• Social engineering
Business email compromises
• FBI – BEC/EAC $12+ billion from October 2013 – May 2018
• Instructions to wire money, send check or send employee W-2s (to file phony returns with refunds)
• Thieves spoof emails and have insider knowledge of employer, employees, clients – and cases
• BEC may be preceded by phishing email to get more info
2018 Barracuda study: 60% of phishing emails no longer contain a link. They rely on impersonating someone you know, most often the CEO (hence the term “CEO fraud”) or company owner
FBI - BEC $12 billion scam October 2013 - May 2018
47% of phishing attacks want you to wire funds
All wire transfers should be verified in-person or by phone at a number known to be genuine
If you are having trouble viewing the e-card please click here.
Would you like to send an e-card? Visit our site. Making someone's day, one e-card at a time...
Your password rules? Length? Special characters? How often to change?
Average user has more than 40 sites requiring password, but only 5 passwords – Experian, 2016
Security Fatigue
Bitdefender 2018 Report: 56% of people reuse the same password everywhere
10 most common passwords of 2017
1. 123456
2. Password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
Source: forbes.com
• Power On
• Screen Saver
Password Characteristics
• Password world/security fatigue
• June 2017 NIST Digital Identity Guidelines - length beats complexity, special characters and upper and lower case help – use passphrases
• 14-64 characters (emojis and spaces)
• Breaker19You’vegotabearintheair!
• Don’t need to change passwords very often
• Database of compromised passwords
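An added example, not from the presenters' slides: a password acceptance check in the style of the NIST guidance cited above, using the slide's numbers (14-64 characters, spaces and emoji allowed, no complexity or rotation rules) plus a lookup against a compromised-password list. The blocklist here is constructed for the demo; a real one would be loaded from a breach-hash feed.

```powershell
function Get-Sha1Hex([string]$Text) {
    # Compromised-password lists are usually distributed as SHA-1 hashes, so
    # hash the candidate the same way before comparing.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally { $sha1.Dispose() }
}

# Constructed blocklist for the demo (hashes computed here; a real list ships
# hashes only). The last entry is long but widely leaked, which is the point:
# a breach-list hit rejects a passphrase that would pass on length alone.
$BreachedSha1 = @('123456', 'password', 'letmein', 'correcthorsebatterystaple') |
    ForEach-Object { Get-Sha1Hex $_ }

function Test-Passphrase {
    param([Parameter(Mandatory)][string]$Candidate)
    # Count text elements rather than UTF-16 code units so an emoji (a
    # surrogate pair in .NET strings) counts as one character, as NIST intends.
    $length = [System.Globalization.StringInfo]::new($Candidate).LengthInTextElements
    if ($length -lt 14) { return "Rejected: $length characters, minimum is 14" }
    if ($length -gt 64) { return "Rejected: $length characters, maximum is 64" }
    if ($BreachedSha1 -contains (Get-Sha1Hex $Candidate)) {
        return 'Rejected: found in the compromised-password database'
    }
    # No character-class rules and no forced rotation: length and a clean
    # breach check are the whole policy.
    return "Accepted: $length characters"
}

# Inputs: the passphrase from the slide, a top-10 password, and a long but
# leaked passphrase from the constructed blocklist.
Test-Passphrase "Breaker19You'vegotabearintheair!"
Test-Passphrase 'letmein'
Test-Passphrase 'correcthorsebatterystaple'
```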
Burt Reynolds 9/6/18
New steps your firm/entity has taken?
Defensive basics: Old news but some firms still miss these
• Anyone running as an “administrator” instead of a “user”
• Second factor for all remote access (VPN, Citrix)
• “Naked” Outlook Web Access is probably a bad idea
• Regular, tested, backups
Law firms spending record amounts on cybersecurity
• 2015 - Chase Cost Management Survey: Large law firms spending an average of 1.9% of gross annual revenues
• AM LAW 200 – as much as $7 million per year
We can’t keep the barbarians at the gates
• Identify and protect – old mantra
• Now, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER
The ascendant principle of cybersecurity for technology and for employee training
Patching should be a regular process, not an emergency
Vulnerability management is more than patching (Windows 7 & cleartext pw’s*)
Know your niche applications that auto-update
Lateral Movement Must Be Contained
*Still have Windows 7 on your network?
Implemented registry change after applying hotfix KB2871997 to disable clear text passwords?
If you answered “Yes” and “No”, call the office after this session and get this going.
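An added example, not from the presenters' slides, of the check behind the "Yes and No" question above: KB2871997 installed but the WDigest registry value never set. The value name UseLogonCredential is the switch that hotfix introduced; the script assumes it runs elevated on the host being audited with PowerShell 3 or later.

```powershell
# Path of the WDigest provider settings that KB2871997 made configurable.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-ClearTextPasswordExposure {
    $os     = Get-CimInstance Win32_OperatingSystem
    $hotfix = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
    $value  = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
                -ErrorAction SilentlyContinue).UseLogonCredential

    # On 6.1 (Windows 7 / Server 2008 R2) the hotfix adds the switch but leaves
    # cleartext storage on when the value is absent; only an explicit 0 turns it
    # off. Later versions default to off, so there only an explicit 1 exposes.
    $legacy  = $os.Version -like '6.1*'
    $display = if ($null -eq $value) { 'not set' } else { $value }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OSVersion          = $os.Version
        KB2871997Installed = [bool]$hotfix
        UseLogonCredential = $display
        ClearTextExposed   = ($legacy -and ($null -eq $value)) -or ($value -eq 1)
    }
}

function Disable-WDigestClearText {
    # The "registry change" from the slide. It applies to logons made after the
    # change, so credentials already cached stay in memory until a reboot.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-ClearTextPasswordExposure
$state | Format-List
if ($state.ClearTextExposed -and $state.KB2871997Installed) {
    Disable-WDigestClearText
    Write-Host 'UseLogonCredential set to 0; reboot to flush credentials already cached.'
} elseif ($state.ClearTextExposed) {
    Write-Host 'Install KB2871997 first; on Windows 7 the registry value has no effect without it.'
}
```

Run the audit function alone across the fleet first; the Disable call is the remediation step for hosts that report exposed.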
The Lessons of NotPetya
Cloud Account Security
Prime target: Small/boutique firms: Great platform to attack co-counsel (“BEC”)
Follow security checklists from Google, Microsoft, et al
MFA On Cloud Security Accounts is a Must
Someone should be set up to monitor for security alerts from your cloud service(s)
Your cloud security is only as good as your (well secured) endpoint
Biometrics/2FA/MFA
• Biometrics is not a good solution – once your biometrics are owned, they will always be owned (voiceprints, fingerprints, retinas) – 5.6 million fingerprints stolen in 2015 OPM breach
• 2FA is here and growing rapidly – enable wherever you can
• Best protection? Something you know, something you have and something you are
NIST Cybersecurity Framework: Small Business Information Security: The Fundamentals (up to 500 users)
ISO 27001 – Most commonly used by large firms
Version 1.1 released April 16, 2018
• Details on managing cyber supply chain risks
• Clarifies key terms
• Introduces measurement methods for cybersecurity
• Remains consistent with 2014 document
Top 20 CIS Controls
CIS Controls – Version 7
Enterprise security software
• Anti-Malware
• Anti-Spyware
• Heuristics
• Internet Suites
• Trend Micro
• Webroot
• No silver bullet
• Some will come into your network