Presenters: Ivan Hemmans, Bill Kyrouz, Sharon Nelson and Tim Russell College of Law Practice Management Suffolk Law School


Page 1

Presenters: Ivan Hemmans, Bill Kyrouz, Sharon Nelson and Tim Russell

College of Law Practice Management, Suffolk Law School

Page 3

Worried about a data breach? You should be.

• 2017 ABA Legal Tech Report
• 22% of firms breached at some point
• Over one third of firms with 10-99 attorneys were compromised in 2017 alone
• Only 26% had an Incident Response Plan
• 1/3 of in-house counsel had a breach in 2017 (2018 survey by the Assn. for Corporate Counsel)

Page 4

Threat Actors

• Cybercriminals (most common)
• Hackers
• Hacktivists
• Government surveillance
• State sponsored / condoned espionage
• Publicly available tools to know your weaknesses, and toolkits to develop malware and phishing campaigns
• Insiders (disgruntled / dishonest / bored / untrained)

Page 5

2018 FireEye report

• 1 in every 101 emails is a hacking attempt
• Analyzed half a billion emails Jan-June 2018
• Only 10% ransomware or phishing with infected links/attachments
• 90% involved social engineering and identity impersonation – goal to directly steal data or install malware in the future

Page 6

2018 Verizon Data Breach Report

• Malware involved in 30% of breaches – 51% last year
• Where malware involved, 39% of time it was ransomware
• Expect cryptocurrency mining will make more revenue for cybercriminals than ransomware in 2018
• Pretexting (pretending to be someone else) 5 times more prevalent since last year’s report
• Average of 4% of users will fall for a phishing test

Page 7

2018 Verizon Data Breach Report

• 76% of breaches financially motivated, espionage came in 2nd

• Organized cybercriminals – 50% of breaches; 12% nation-states or their proxies

Page 8

If it could happen to DLA Piper . . . how can the rest of us protect ourselves?

• One of the top ten law firms in the world by revenue and number of lawyers
• June 27th – email and phones down, some of their network – some computers shut down as a precaution
• GoldenEye/NotPetya malware – appeared at first to be ransomware, real intent to destroy data (exploited NSA tools published by the Shadow Brokers)
• July 3rd statement – email back up, bringing up other systems
• Mum as to source of problem
• What really happened?

Page 9

Breached? What will you tell your clients?

Page 10

National Law Journal – May 2, 2016

• Law Firm Breaches Happening at Dizzying Speeds

Page 11

Milestones in Law Firm Cybersecurity I

• 2000 – ILoveYou Virus
• ~2003 – Intelligence officials identify law firms as the best target for foreign hackers
• 2008-present – Conficker, Cryptolocker, et al.
• 2010 – Massachusetts Data Security Regulations (201 CMR 17)
• 2011 – FBI gathers Top 100 Firms together in New York
• 2012 – “Major New York Firm” – entire document collection found on server in China

Page 12

Milestones in Law Firm Cybersecurity II

• 2014 – AmLaw 100 Firm: Attorney charged with insider trading; ISO 27001 Certification gains steam in legal at behest of financial industry
• 2015 – LS-ISAO formed
• 2016 – Panama Papers breach (Mossack Fonseca folds in 2018); large firms targeted for M&A info, NY firms breached [WSJ]; other targeted attack against the law firm community (common software)
• 2017 – WannaCry and NotPetya; Appleby (International Consortium of Investigative Journalists)
• 2018 – More vulnerabilities in software common to law firms…?

Page 13

Russian cybercriminal looking for hacker assistance

• March 29, 2016 Crain’s Chicago Business

• “Oleras” posted in cybercriminal forum

• Offered more than $100,000 plus 50-50 of profits exceeding $1 million

• Insider info sought for stock market gain

• Almost 50 firms listed as targets
• A “Who’s Who” of law firms
• Two known breached – Cravath and Weil

Page 14

Breaches from the Am Law 200

• March 29 – Wall Street Journal
• Cravath Swaine and Weil Gotshal
• Breached in summer of 2015
• Other firms also breached
• Source? Unknown but CS confirmed “limited breach”
• Not aware of any improper use of info

Page 15

December 2016

• Manhattan U.S. Attorney unsealed indictment against 3 Chinese men who used law firm employee credentials to access huge number of internal e-mails at Cravath Swaine and Weil Gotshal in 2015
• 2 firms represent 44 of the Fortune 100 companies in US
• Made more than $4 million in illegal stock trades
• Spear phishing attacks
• Attempted to hack into 7 firms
• Odds of success appear to be 2 in 7

Page 16

The Panama Papers

• April 5, The Guardian: “The Panama Papers”
• Mossack Fonseca, 11.5 million files
• 1977-2016, 2.6 terabytes
• BBC – firm helped clients
  • Launder money
  • Dodge sanctions
  • Evade taxes
• Vladimir Putin – $2 billion
• Security was trivial

Page 17

May 9, 2016 – Second round of Panama Papers released

• Searchable by name/country
• International Consortium of Investigative Journalists
• More than 200,000 entities
• Akin Gump, Arnold & Porter, Baker & McKenzie, Bryan Cave, Dentons, DLA Piper, Greenberg Traurig, Hogan Lovells, Jones Day, K&L Gates, Linklaters, Morgan Lewis, Norton Rose, Orrick, Perkins Coie, Square Patton Boggs, Squire, Sanders & Dempsey, Troutman Sanders, White & Case, Wilmer Cutler – and the list goes on

Page 18

Advanced hackers with advanced tools and sufficient funding

Page 20

Insiders: Reported 4/18/16

• Former IT engineer for Dallas law firm Locke Lord
• 9 Years Prison, $1.7 Million Fine
• Issued commands that caused "significant damage"
• "including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts."

Page 21

January 2017

• Ferguson, Praet & Sherman
• Researcher found accessible law firm files on the Internet
• Volume was astonishing
• Video surveillance appeared to show that two jail employees may have walked past inmate hanging himself, evidence not produced in investigation of the death
• Firm was synchronizing backup across the Internet without a password

Page 22

FBI’s InfraGard

Page 24

Training, Training, Training. Have We Mentioned Training?

Don’t be stupid!

Page 25

Many mistakes made from moving too fast

Page 26

True confessions time (let’s all play!)

• Wrong person emailed?
• Wrong attachment emailed?

Page 27

Training tips for employers

• Options: formal training, online modules, random alerts / electronic postings
• When to formally train? Lunch is the most popular; one hour good timeframe
• Make training mandatory – sign-in sheets and logs
• Forbid the use of smartphones or other devices – and phones silenced
• Outside trainers – not your in-house IT
• Live is preferable but not always possible
• Real-life stories/phishing examples
• Train annually (at least!)

Page 28

Have formal security policies, monitor and enforce them!

Page 29

Page 30

What is a phishing email?

• Everyday phishing emails
• Targeted emails – also known as spear phishing
• What happens when you click on an attachment or a link?

Page 31

• 2016 PhishMe study
• Why do users click?
  • Curiosity (racy New Year’s photos)
  • Fear (bar complaint attached)
  • Urgency (boss needs this today)
  • Recognition (award you’ve gotten)
• SonicWall, Duo Security and OpenDNS
• One phishing simulation (reported to employees) drops risk of phishing success by 20%

91% of hacking attacks begin with a phishing email

Page 32

Training

• Phishing, especially spear phishing – most successful way of breaching law firms – an e-mail from a friend/colleague can be spoofed. Hackers research personal details too – may know nickname
• Drive-by infections
• Sharing credentials
• Baiting (flash drives)
• Piggybacking
• Hitchhiking
• Social engineering

Page 33

Business email compromises

• FBI – BEC/EAC $12+ billion from October 2013 – May 2018
• Instructions to wire money, send check or send employee W-2s (to file phony returns with refunds)
• Thieves spoof emails and have insider knowledge of employer, employees, clients – and cases
• BEC may be preceded by phishing email to get more info

Page 34

2018 Barracuda study: 60% of phishing emails no longer contain a link. They rely on impersonating someone you know, most often the CEO (hence the term “CEO fraud”) or company owner

FBI – BEC $12 billion scam, October 2013 – May 2018

Page 35

47% of phishing attacks want you to wire funds

Page 36

All wire transfers should be verified in-person or by phone at a number known to be genuine

Page 37

If you are having trouble viewing the e-card please click here.

Would you like to send an e-card? Visit our site. Making someone's day, one e-card at a time...

Page 39

Average user has more than 40 sites requiring password, but only 5 passwords – Experian, 2016

Security Fatigue

Bitdefender 2018 Report: 56% of people reuse the same password everywhere

Page 40

10 most common passwords of 2017

1. 123456
2. Password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou

Source: forbes.com

• Power On
• Screen Saver

Page 41

Password Characteristics

• Password world/security fatigue
• June 2017 NIST Digital Identity Guidelines – length beats complexity, special characters and upper and lower case help – use passphrases
• 14-64 characters (emojis and spaces)
• Breaker19You’vegotabearintheair!
• Don’t need to change passwords very often
• Database of compromised passwords

Burt Reynolds 9/6/18
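A policy check that applies the slide's rules (14-64 characters counted as code points so spaces and emoji count, no complexity requirement because length beats complexity, and a comparison against a compromised-password list built from the previous slide's top ten), added here as an example; it is not the presenters' code, and the COMPROMISED set, MIN_LEN/MAX_LEN and function names are constructed for illustration:

```python
import unicodedata

# Constructed blocklist for this example: the ten most common passwords of 2017
# from the previous slide, stored lower-case so the comparison is case-insensitive.
# A real deployment would use a full breach corpus (the slide's "database of
# compromised passwords") rather than ten entries.
COMPROMISED = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}

MIN_LEN = 14  # the slide's lower bound (NIST SP 800-63B's own floor is 8)
MAX_LEN = 64  # the slide's upper bound, matching NIST's "at least 64" ceiling


def normalize(password: str) -> str:
    """Apply NFKC normalization so the same passphrase typed with composed or
    decomposed characters compares equal (NIST SP 800-63B recommends this)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means acceptable.

    Deliberately no composition rules (mixed case, digits, symbols): the slide's
    point is that length beats complexity, so only length and known-bad lists count.
    """
    pw = normalize(password)
    problems: list[str] = []
    # len() counts Unicode code points, so a space or a single-code-point emoji
    # each count as one character, as the slide allows.
    n = len(pw)
    if n < MIN_LEN:
        problems.append(f"too short: {n} characters, need at least {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} characters, limit is {MAX_LEN}")
    if pw.lower() in COMPROMISED:
        problems.append("appears in the compromised-password list")
    if n > 0 and len(set(pw)) == 1:
        problems.append("a single repeated character")
    return problems


def is_acceptable(password: str) -> bool:
    """True when check_password() reports nothing."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs, including the passphrase from the slide.
    for sample in ("Password", "Breaker19You’vegotabearintheair!", "🔒" * 13 + "x"):
        print(repr(sample), check_password(sample) or "OK")
```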

Page 42

Page 44

Defensive basics: Old news but some firms still miss these

• Anyone running as an “administrator” instead of a “user”
• Second factor for all remote access (VPN, Citrix)
• “Naked” Outlook Web Access is probably a bad idea
• Regular, tested backups

Page 45

Law firms spending record amounts on cybersecurity

• 2015 – Chase Cost Management Survey: Large law firms spending average of 1.9% of gross annual revenues

• AM LAW 200 – as much as $7 million per year

Page 46

We can’t keep the barbarians at the gates

• Identify and protect – old mantra
• Now, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER

Page 47

The ascendant principle of cybersecurity for technology and for employee training

Page 48

The Lessons of NotPetya

• Patching should be a regular process, not an emergency
• Vulnerability management is more than patching (Windows 7 & cleartext pw’s*)
• Know your niche applications that auto-update
• Lateral Movement Must Be Contained

*Still have Windows 7 on your network? Implemented registry change after applying hotfix KB2871997 to disable clear text passwords? If you answered “Yes” and “No”, call the office after this session and get this going.

Page 49

Cloud Account Security

• Prime target: Small/boutique firms – great platform to attack co-counsel (“BEC”)
• Follow security checklists from Google, Microsoft, et al.
• MFA on cloud security accounts is a must
• Someone should be set up to monitor for security alerts from your cloud service(s)
• Your cloud security is only as good as your (well secured) endpoint

Page 50

Biometrics/2FA/MFA

• Biometrics is not a good solution – once your biometrics are owned, they will always be owned (voiceprints, fingerprints, retinas) – 5.6 million fingerprints stolen in 2015 OPM breach
• 2FA is here and growing rapidly – enable wherever you can
• Best protection? Something you know, something you have and something you are

Page 51

NIST Cybersecurity Framework: Small Business Information Security: The Fundamentals (up to 500 users)

ISO 27001 – Most commonly used by large firms

Page 52

NIST Cybersecurity Framework Version 1.1 released April 16, 2018

• Details on managing cyber supply chain risks
• Clarifies key terms
• Introduces measurement methods for cybersecurity
• Remains consistent with 2014 document

Page 53

Top 20 CIS Controls

Page 54

CIS Controls – Version 7

Page 55

Enterprise security software

• Anti-Malware
• Anti-Spyware
• Heuristics
• Internet Suites
  • Trend Micro
  • Webroot
• No silver bullet
• Some will come into your network

Page 56