CYBER SECURITY FOR LAW FIRMS


Scott B. Suhy, CEO, NetWatcher.com, scott.suhy@netwatcher.com

CYBER SECURITY FOR LAW FIRMS: What steps your firm should take to protect against a cyber attack

Steve Britt, Partner, Berenzweig Leonard, sbritt@berenzweiglaw.com

Steve Rutkovitz, CEO, Choice Cyber Security, steve@choicecybersecurity.com


Agenda

• Why law firms are vulnerable to cyber attack
• What are lawyers’ ethical duties
• The value of privilege & how to obtain it
• The value of the security assessment
• The value of continuous security monitoring
• Q&A


Why law firms are vulnerable to exploitation

• Wiley Rein hacking in 2012

• Cravath, Swain & Moore + Weil Gotshal & Manges hacked in 2015

• Fenwick & West has been hacked twice

• The 2015 ABA Law Firm Survey of 90,000 respondents reported:
  • 25% of firms with at least 100 attorneys have had a breach
  • 15% of all firms have had a breach
  • 34% of 100 law firms have had clients request a security audit
  • Large clients routinely send security due diligence questionnaires

• Most common types of breaches: loss or theft of laptops, thumb drives, smart phones or tablets; spear phishing; and employees/third parties using unauthorized hardware and software (Evernote/Google Drive)

Current Data Breach Landscape

• Their organization’s protection level is usually weaker than their corporate counterparts (customers)

• Law firms rarely report a breach…

According to the 2015 ABA Legal Technology Survey Report, 15 percent of overall firms and 25 percent of law firms with at least 100 attorneys have experienced a breach, yet almost half of attorneys say their firms have no data breach response plan in place.

Bottom-line: Law firms are great targets for cybercriminals

Case Study: Mossack Fonseca (The Panama Papers)

Confidential details of offshore accounts for 12 world leaders & 128 public officials.

11.5 million confidential documents and 2.6 terabytes of data were stolen.

The firm’s customer-facing WordPress website was running an outdated, vulnerable version of a plugin called ‘Revolution Slider’ that enabled a hacker to exploit a well-known bug and gain access to its mail servers hosted on the same IP network.

The exploit was well known to the hacker community and had been published back in October 2014; however, the plugin was never updated.

“We have hundreds of law firms that we see increasingly being targeted by hackers.” – Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office.

Hacktivist: Puckett & Faraj, a Washington-area firm, was hacked by activists associated with the group Anonymous, who were angered by the firm’s representation of a U.S. soldier who pleaded guilty in connection with his role in the death of 24 Iraqi civilians.

Cyberespionage: Gipson Hoffman & Pancione, based in Los Angeles, was hacked because of a software piracy lawsuit it filed against the Chinese government.

Financial Gain: A broker named “Oleras” living in Ukraine was detected by Flashpoint, a New York threat intelligence firm, attempting to hire hackers to break into firms’ computer systems so he could trade on insider information.

Insider Trading: Hackers broke into the computer networks at some of the country’s most prestigious law firms (including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP). Federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter.

Why?

• The American Bar Association Model Rules of Professional Conduct require law firms to protect client information (Model Rules 1.1, 1.4 & 1.6)

• 47 states also have Data Breach Notification Laws.

• There are also sector specific requirements – HIPAA, PCI-DSS…

It is your responsibility to protect your client’s data!

• The ABA Commission on Ethics 20/20 added new amendments and comments

• “Lawyers must keep abreast of benefits and risks of technology”

• “Lawyers must take reasonable steps to prevent inadvertent or unauthorized disclosure or unauthorized access to client information.”

• 19 states now have laws dealing with electronic and paper record disposal

Your firm’s reputation is all it has. You never want to have to put out a release like this:

“Last summer, the Firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants. Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”

– Cravath, Swaine & Moore LLP

The Value of Attorney Client Privilege

• Attorney-client privilege (ACP) protects communications between clients and their lawyers in a confidential setting that relate to legal advice and do not further a crime or fraud, as long as the privilege has not been waived

• This privilege is subject to several constraints

• It doesn’t apply based on the parties’ mutual agreement

• In most cases it will not apply to agents of the client unless the agent is necessary to transmit the privileged communication (e.g., translators)

• Lawyer-agents CAN be subject to the attorney-client privilege if the agent is assisting the lawyer in providing legal advice (United States v. Kovel, 296 F.2d 918 (2d Cir. 1961))

A Lawyer-Agent’s Role

• Here are the best practices to demonstrate the necessity of an agent’s role in legal advice:

• Lawyer should document the need for the agent’s assistance and how it will be used

• Agent should work under the lawyer’s direction – not the client’s

• Lawyer should incorporate the agent’s work into the lawyer’s legal advice, rather than simply forwarding the agent’s work, and

• Lawyer should document how he or she used the agent’s work in his or her advice

The value of the security assessment

Lack of Structure

• Most of the industry is “winging it”

• No comprehensive approach

• Lack of a controlled framework

• No structured solution

End to End Solution

The Choice Cybersecurity Approach:

• Assess with a gap analysis

• Address vulnerabilities with a multi-layered approach

• Maintain an acceptable level of risk through continuous monitoring and scanning

Risk Assessment

• In order to move from Protection to Detection you must identify your assets

• Questions to ask:
  • What is important to your firm?
  • What are you trying to protect?
  • What are your threats?
  • How would a breach affect your firm?
  • How would you respond to a breach of confidentiality?

Data Assets 

• Data can be anywhere

• Cloud

• Mobile

• Servers

• Workstations

• Phones

• Tablets

• Laptops

What is Sensitive Data? 

1. Social Security Numbers

2. Credit Cards

3. Date of Birth

4. Driver’s License

5. Passport

6. IP Address

7. Digital Identity

Failed Assessment Example

• 666,732 Files Scanned

• 2,162 Suspected Incidents Found

• 327 Files with Suspect Data

• $888,600 Liability

2 Parts of the Risk Assessment

• Identify Vulnerabilities
  • Software
  • Hardware
  • Firewall
  • Sensitive Data
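The sensitive-data part of the assessment is essentially a file-content scan that rolls up into the three figures shown in the failed-assessment example (files scanned, suspected incidents, files with suspect data). The following is an added illustration, not code from the deck or from Choice Cyber Security; it scans constructed sample documents for two of the listed categories (Social Security Numbers and credit card numbers) and filters out look-alikes with an SSN issuance check and the Luhn checksum.

```python
import re
from collections import Counter

# Patterns for two of the sensitive-data categories listed above.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def valid_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; cuts random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return a Counter of suspected-incident types found in one document."""
    hits = Counter()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["credit_card"] += 1
    return hits

def assess(files):
    """Roll per-file hits up into the assessment figures shown in the deck."""
    per_file = {name: scan_text(text) for name, text in files.items()}
    return {
        "files_scanned": len(files),
        "suspected_incidents": sum(sum(h.values()) for h in per_file.values()),
        "files_with_suspect_data": sum(1 for h in per_file.values() if h),
        "per_file": per_file,
    }

# Constructed sample documents (no real client data); memo.txt holds two look-alikes.
SAMPLE_FILES = {
    "intake_form.txt": "Client SSN 123-45-6789, spouse SSN 234-56-7890.",
    "invoice.txt": "Paid with card 4111 1111 1111 1111 on 03/02.",
    "memo.txt": "Docket 000-12-3456 is not an SSN; order 1234 5678 9012 3456 fails Luhn.",
}
```

Running `assess(SAMPLE_FILES)` on the constructed input reports 3 files scanned, 3 suspected incidents and 2 files with suspect data; a real engagement would walk the file shares, mailboxes and cloud stores listed under Data Assets the same way.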

Executive Summary

The value of continuous monitoring

Antivirus doesn’t work all that well anymore…

“Crypting Service”

Example: http://execrypt.com “This is an automatic online service ExeCrypt which can help you to obfuscate binary data. Our service is indispensable tool to get secure your program content from curious researchers and prevent detection by antivirus programs.”

Follow Gartner for Endpoint Protection Platforms

Protect the Endpoint…

Firewall - Protect the Front Door!

• Firewall
• Unified Threat Management
• Next Generation Firewall
• Managed Firewall
• Intrusion Protection System (IPS)

Great, but not enough…

Continuous Monitoring – Know when someone lets the bad guy through the front door….

• Malware exploit!!!
• Clicking on phishing messages and bad links
• Running outdated software with security vulnerabilities (Flash, Java, Windows…)
• Downloading risky software (TOR, BitTorrent, Telnet, Android apps…)
• Going to explicit websites
• Sending info over the internet in clear text

Continuous Monitoring – Know when a bad actor is inside your network…

• Tools used for pen testing are widely available for anyone to leverage (metasploit, nmap, openvas etc.); all great, but they can be used against you too.

• https://showdan.io

What’s the Issue?

• Security hygiene
• Lack of rigorous policy & plans
• Lack of effective monitoring

Continuous Monitoring – Know when you are being exploited!

• Command & Control malware
• Ransomware
• Spyware

Continuous Monitoring – Know your score!

• Managed Security Service
• Easy to install
• Easy to use
• Accurate
• Affordable

• For as low as $299 a month

Q&A

Thank You

Scott B. Suhy, CEO, NetWatcher.com, scott.suhy@netwatcher.com

Steve Britt, Partner, Berenzweig Leonard, sbritt@berenzweiglaw.com

Steve Rutkovitz, CEO, Choice Cyber Security, steve@choicecybersecurity.com