Cyber Security for Lawyers - What Can We Do?

Stephen C. Sieberson, Professor of Law, Creighton Law School
Rich Hoffman, Assistant VP of Forensics, UnitedLex
Creighton/OBA Seminar on Ethics & Professionalism, April 7, 2017

"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- Dennis Hughes, FBI.

“There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don't know it.” -- Frank Wolf, Congressman, lawyer

“If you have something really important, write it out and have it delivered by courier, the old fashioned way because I'll tell you what, no computer is safe.” -- Donald J. Trump, President

Law Firms Are a Target of Cybercrime

By targeting large law firms, hackers can obtain information about hundreds or thousands of companies by breaching a single network with access to:

• Market sensitive information

• Individual financial information

• Intellectual property

• Business strategy

• Litigation strategy

Oleras Threat

“Oleras” decided to target over 50 of the country's largest law firms.

Hired other hackers to obtain non-public, material information about pending corporate transactions.

Offered to pay them for providing network access:

• $100,000 plus 50% of trading profits up to $1M and 50% after that.

Provided specific keywords to search for on firms’ networks, including:

• Definitive Merger Agreement

• Letter of Intent

• Share Purchase Agreement

• Confidentiality Agreement

Oleras planned to use the information to trade ahead of public announcements.

“You brought this upon yourself. You tried to bite at the Anonymous hand and now the Anonymous hand is B***h slapping you in the face.”

—Anonymous

Project HBGary Federal

In 2011, Aaron Barr, the CEO of the security firm HBGary Federal, bragged that his firm had successfully infiltrated the Anonymous group and would reveal the findings at a conference later in San Francisco. In retaliation, Anonymous hacked the website of HBGary Federal and replaced the welcome page with a message stating that Anonymous should not be messed with. Anonymous also went on to take control of the company's e-mail, published 68,000 e-mails online, erased files from servers, and took down their phone system. Anonymous personally attacked Aaron Barr by taking control of his Twitter account and posting his home address and social security number online. Aaron Barr cancelled his appearance on a DefCon panel titled “Whoever Fights Monsters”. Weeks later, Mr. Barr stepped down as CEO.

The 4 most likely reasons you were hacked

1. Picking your pocket

By far, the vast majority of hacking and malware is for quick financial gain.

2. Adware and spam

Malware that pops up advertisements, directs you to websites, or simply sends you or others tons of spam email.

3. Stealing intellectual property

Advanced intellectual property theft and state-sponsored spying. Unlike hackers who want quick, in-and-out financial gain, they often stay for months to years.

4. Turning you into a bot client

Hijack your workstation for a botnet attack. This will send service-denying content or malware to specific targets. Botnets can be harnessed to temporarily take down a website, spread malware or spam, or act as a cog in a more elaborate scheme.

Prevention:

1. Update your devices and software.

2. Don't give out your password.

3. Change your passwords often.

4. Password protect mobile devices.

5. Download programs only from reputable sites.

6. Install antivirus & antimalware software on your computer.

7. Make sure you're on an official website when entering passwords.

8. Log out of accounts when you're done with them.

9. Use secured wireless networks.

10. Charge your phone on reliable USB ports.

Best Practices:

• Personal mail accounts should not be used for business correspondence.

• Personal cloud/internet based systems (e.g., DropBox, iCloud, Google Drive) should not be used.

• Firm documents are not to be stored on home computers or storage devices.

• Employees should have strong passwords and reset them on a set schedule.

• Should limit USB devices.

• TWO FACTOR AUTHENTICATION!!!

Resources:

Evolving Ethical Obligations

Recent Changes to RPCs

• R 1.0 – Definition of “Writing”

• R 1.1 – Competence

• R 1.4 – Communications

• R 1.6 – Confidentiality of Information

• R 4.4 – Respect for Rights of 3rd Persons

• R 5.3 – Nonlawyer Assistance

Recent Ethics Opinions – Nebraska and Iowa

• NE 12-07 (re record keeping): Solo practitioners should give passwords to designated attorney

• IA 08-02: Liability insurer may have requirements on file retention and destruction

• IA 15-01: Lawyer must warn client of risks of third party access to communications and data storage

• IA 14-01 & 15-02: Obligation to ensure tech system security is ongoing

Recent Ethics Opinions – other states

• Train your lawyers and staff

• Ensure security of cloud data storage and duty to warn client of risks

• Ensure security of outsourcing service providers

• Inform client of your technology – get consent?

• Protect mobile devices; avoid public Wi-Fi hotspots

• No requirement to encrypt email

• No strict liability standard if you are hacked
