Earlier this year, Bob Ambrogi talked about security and how lawyers should be scared - and take the subject more seriously. He mentioned a few notable instances in which lawyers were hacked and had to pay penalties to recover data, or in which they were sued in a class action.
We looked into the issue and found one notable case where three men hacked into multiple US law firms, accessing the email accounts of lawyers helping companies with major business deals (including one involving Intel Corporation). They used the information they found to trade, and ended up making more than $4 million. Officials are now warning law firms to be careful and watch for similar incidents, since their servers hold valuable information for hackers.
To help lawyers improve their security measures and prevent a breach of their systems, we interviewed cyber security expert Mara Glasser, who graciously provided a breakdown of what "cyber security" means and how lawyers can take their protocols to the next level:
I. Can you tell us about your background and your experience with cyber security?
I currently work as a Senior Cyber Intelligence Analyst for a cyber security company called Q6 Cyber based out of Miami and Tel Aviv. My experience and specialization in cyber fraud/cyber crime allows me to help my clients gain visibility into their adversaries and secure data that may otherwise end up in the wrong hands.
Armed with this information, I am able to provide proactive recommendations and solutions so that organizations can better protect their assets. Prior to joining Q6 Cyber, I lived in Israel where I worked in the cyber security sector as a Cyber Intelligence Analyst alongside members of various intelligence communities as well as with the private sector. I have an MA in Security and Counter-Terrorism.
Q6 Cyber is a cybersecurity company based in Miami and Tel Aviv. The company provides a wide range of cutting-edge cybersecurity solutions and services, enabling organizations to effectively manage and dramatically reduce the risk and impact of cyber attacks.
The company is led by former U.S. intelligence officials (NSA, U.S. Secret Service). Q6 Cyber serves customers in the United States and internationally across multiple industries such as financial services, real estate, legal, retail, hospitality, logistics, and investment management.
II. What is “cyber security” in plain English?
Cyber Security is comprised of practices, processes, and technologies that are designed to defend networks, computers, data, and, in general, all assets from unauthorized access which can lead to attacks and damage.
III. How hard is it for someone to hack my computer or device?
It depends on a lot of different variables such as the level of sophistication of the threat actor involved, the user, the system, and the policies of the organization. All of these variables set a precedent of how secure or insecure you might be.
However, whether we want to believe it or not, we make it a lot easier for the “bad guys” to get into our computers/devices when we lack knowledge in how to protect our assets.
Conduct Penetration Tests
Starting at an organizational level, we at Q6 Cyber recommend that organizations conduct penetration tests. This is the testing of computer systems, networks, and web applications to find vulnerabilities that an attacker can exploit or take advantage of. Penetration tests are conducted remotely and do not require physical access to your premises. Every organization is unique and so the penetration test service is tailored to meet your needs.
When Q6 conducts these tests, we generally gain access through applications and devices that are not properly configured, often with default passwords still in place. Systems that are not kept up to date with security patches are generally easier to compromise than fully updated ones. When a user reuses the same password for all of their personal and work accounts, there is a higher chance that the user will be compromised.
With all of the recent data breaches, an attacker can get information to learn a user’s password to attempt to take over their account(s). The next most commonly successful attacks are those based on social engineering - such as phishing. In such cases, an attacker acts as a legitimate company or person and attempts to get users to click on malicious links and trigger malicious software, which enables the attacker to gain entry. Basically, from these few examples, users can be their own worst enemy.
IV. What are some precautions I can take to protect my computer / device?
I think the preliminary step is to understand the controls that you have put into place; however, there are also some general practices that can help to reduce the chance of compromising your system and account credentials.
Keep Your System Software Up to Date
First, and one of the most overlooked items, is to keep your system software up to date - and do NOT run any pirated software. Secondly, I cannot emphasize enough the importance of having a strong, unique password, which makes it more difficult for an attacker to compromise your system.
With data breaches such as those that targeted LinkedIn, Yahoo, and other websites occurring more frequently, an attacker looking to compromise a user or organization can build a list of common passwords from these breaches that can substantially increase their chances of success.
Create Strong, Unique Passwords
According to the 2016 Verizon Data Breach Investigations Report: “Legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords.” I suggest using a long pass phrase (ex: a few words combined from your favorite song), and using a password manager that has the ability to generate and store passwords for you.
Use 2-Factor Authentication
Additionally, I suggest using a 2-factor authentication process wherever possible to help reduce the chances of a compromise. It is important to understand and to clarify that 2-factor authentication using SMS is no longer recommended by NIST (National Institute of Standards and Technology).
Instead, find a 2-factor authentication method that uses a secure token such as RSA ID, or an application such as Google Authenticator (I use this for many of my online accounts). Other recommendations include locking screensavers for your portable devices, to help prevent unauthorized people from using the device when left idle.
Remotely Wipe Lost or Compromised Portable Devices
We also recommend that organizations implement systems that allow them to remotely wipe a lost or compromised portable device to ensure that it is no longer able to connect to the organization’s systems. The key to all of this is to have a comprehensive series of overlapping security controls combined with strong monitoring, so that if something is to happen, it is noticed and resolved quickly.
Lawyers hold a lot of personal information about their clients on their personal devices. What precautions would you recommend for them to protect their client data?
Implement Strong Access Controls
Similar to the recommendations above, lawyers need to look at all of the different ways that client information can be compromised, and ensure there are overlapping controls in place. The bulk of client data should be stored in a well-secured, centralized location with strong access controls that limit a user’s visibility to only the required clients.
Limit Storing Client Data to Current Projects Only
The amount of client data stored on an attorney’s personal device should be limited to current projects, in order to minimize the risk of compromise or loss. Ideally, they should always use encrypted emails to communicate to clients and share client data. When this is not possible, Q6 Cyber recommends that users share files through systems that perform strong authentication (such as 2-factor authentication) and have role-based access controls, such as Microsoft’s SharePoint, OneDrive, or Google Drive, rather than through an unencrypted email.
Train Your Employees
Lastly, it is always recommended that organizations hold a company policy training session. This is used to inform and educate employees on company policies about security protocols and other security matters, such as what to look for when opening a suspicious email.
V. In your professional opinion, is it safer to store information in the cloud or on your personal device?
Move to the Cloud
I would say that data stored on the cloud is not infallible, but overall, is more secure than storing data on your personal device. Each presents different challenges and both need comprehensive security controls in order to fully protect sensitive information.
For example, a user storing data in a cloud-based system which is only protected with a simple password that is the same as the other passwords the user used on LinkedIn or other websites is not safer just because it is in the cloud.
Another risk with storing data only on your personal device is ransomware: Q6 has received calls from the offices of medical professionals and lawyers due to one of their office machines being infected with ransomware. This malicious software is designed by an attacker to block access to a computer system (files included) until you pay the requested sum of money.
Have Regular Backups of All Your Data
The issue at hand is this: even if you pay the ransom and receive your data, the attacker has your valuable data in hand. If you do happen to have sensitive data on your device, always password protect the data. Also, having regular backups of all of your data is highly recommended.
However, data stored on a personal laptop that does not have the latest security updates installed, and which is used to conduct a wide variety of personal business, is at high risk for being compromised by malware - which would consequently put all of the sensitive client data stored on the computer at risk.
The data on the cloud servers is encrypted, which makes hacking a formidable task for criminals. Another benefit of storing your data on the cloud is the ease of access. Today, we don’t have to be in the office in order to be efficient and get work done. We can be on opposite ends of the world and access the data needed if it is stored in a secure cloud location. Not to mention that this is probably the most cost-effective method of sharing data.
VI. What are some tips for lawyers to protect the data they store in the cloud?
The risk of physical compromise for data stored in a cloud service is relatively low, but the risk of compromise due to poor authentication controls is relatively high. Users are overwhelmed with password requirements and in order to be productive they have a small number of password variations that are regularly used (and reused across multiple accounts).
Support Single Sign-On if Possible
Attackers know this and, to no surprise, exploit it. We recommend turning on 2-factor authentication whenever possible. Also, if your organization is able to support single sign-on (SSO), this should be used whenever possible in order to minimize password burden on the user.
SSO works when a user logs in to one client and is then signed in to other clients automatically, regardless of the platform or domain used by the user. For example, when logging into your Gmail account you are simultaneously also logged into your YouTube account. SSO performs one strong authentication of the user and passes that authentication to the various systems that the user needs to access.
"In addition to authentication, users should be vigilant about with whom they share files and folders. Only those with a legitimate reason to have files and folders containing sensitive information should be able to access them at any given time."
Finally, when shopping around for an appropriate cloud service, make sure that the service supports the latest TLS encryption and uses HSTS (HTTP Strict Transport Security) to minimize the chances of the data being compromised while in transit. The likelihood of an attacker breaking into an Amazon Web Services or a Google Data Center and stealing a hard drive is incredibly small.
As mentioned above, data compromise through cloud services is almost exclusively done via weak user passwords, misconfigured access controls, or bugs in the software that provides access to the data.
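The TLS and HSTS check suggested above can be done before signing up with a provider. The script below is an added example, not part of the interview or any Q6 Cyber tool: it parses a Strict-Transport-Security header (RFC 6797 directives), flags a negotiated protocol older than TLS 1.2, a max-age shorter than one year, or a policy that leaves subdomains uncovered, and includes a live `probe` that runs the same checks against a host; the two sample header sets are constructed, not captured from any real provider.

```python
import http.client
import ssl

ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")
ONE_YEAR = 31536000  # max-age floor required by the HSTS preload list

# Constructed response headers for a strong and a weak configuration.
SAMPLE_GOOD = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as missing
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_transport(tls_version: str, headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if tls_version not in ACCEPTED_TLS:
        findings.append(f"negotiated {tls_version}; expected TLS 1.2 or 1.3")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header: a first visit over plain HTTP can be downgraded")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS max-age missing or malformed")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {policy['max_age']}s is shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    return findings


def probe(host: str) -> list:
    """Live check of one host (needs network): negotiate TLS, then inspect the headers."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", "/")
    tls_version = conn.sock.version()  # read before getresponse(), which may close the socket
    headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    return assess_transport(tls_version, headers)
```

`assess_transport("TLSv1.3", SAMPLE_GOOD)` returns no findings, while the weak sample over TLS 1.0 produces three; a missing header is reported as its own finding because HSTS only protects visits after the first successful HTTPS response.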
VII. Why should lawyers take this seriously? Have there been important or notable hacks recently that can illustrate the seriousness of the situation?
We hear this a lot: “It won’t happen to me”... well hopefully it won’t, but most likely it will at one point or another. Recently, it was publicized that over 1 billion Yahoo user accounts had been compromised. The security industry cannot stress enough the issue of password reuse.
Imagine that a criminal who has access to those over 1 billion user accounts now likely has your compromised email address and password. Think of how many of your accounts (bank, Dropbox, etc.) you may use the same password for. The criminal can potentially have access to all of these as well.
It is no secret that law firms are a prime target, as they hold a lot of sensitive data. Earlier in 2016, 11.5 million leaked documents known as the Panama Papers were made public. These leaked documents detailed financial and attorney-client information belonging to wealthy individuals and public officials. The victim of the breach was Panamanian law firm Mossack Fonseca. This breach not only may have financial repercussions, but also can affect an organization’s brand reputation.
VIII. Thank you Mara! As a closing thought, is security better today than it was, say, a year or five years ago? What are providers doing to ensure security for their customers?
As technology advances, so does the sophistication of cyber attacks and the threat actors involved. Hacktivists, cyber criminals, and state-sponsored groups have remained one step ahead. I would say currently, a big challenge that can be traced back to the user is one which I would call “human vulnerability.”
Attackers have stepped up their social engineering attacks, crafting highly targeted phishing attacks that entice users to click on malicious links. Organizations not only have to worry about the threat of cyber attacks but also about disgruntled employees who are involved in releasing sensitive data and engaging in malicious activities with the data.
I believe that security starts at an organizational level with that organization putting proper security controls in place and making sure that their employees understand proper protocols. A penetration test is a good starting indicator on how secure an organization really is.
I am a big believer in company training sessions that help employees visualize and learn about what to do and what not to do. Clarifying exactly which 2-factor authentication to use, what internal password policies to follow, and what different types of social engineering attacks exist, can help to prevent and deter a compromise that can have consequences far beyond financial.
Lastly, an individual should always use proper security protocols - such as using strong passwords, not reusing passwords across accounts, and using 2-factor authentication whenever possible.