Recognizing Security Threats in Your Law Firm

training@lawtechpartners.com | 407.409.8828

LAW FIRMS ARE A TARGET FOR HACKERS

LAW FIRMS TARGETED BY HACKERS

Akin Gump Strauss Hauer & Feld

Allen & Overy

Baker & Hostetler

Baker Botts

Cadwalader Wickersham & Taft

Cleary Gottlieb Steen & Hamilton

Covington & Burling

Cravath Swaine & Moore

Davis Polk & Wardwell

Debevoise & Plimpton

Dechert

DLA Piper

Ellenoff Grossman & Schole

Freshfields Bruckhaus Deringer

Fried Frank Harris Shriver & Jacobson

Gibson Dunn & Crutcher

Goodwin Procter

Hogan Lovells

Hughes Hubbard & Reed

Jenner & Block

Jones Day

Kaye Scholer

Kirkland & Ellis

Kramer Levin Naftalis & Frankel

Latham & Watkins

McDermott Will & Emery

Milbank Tweed Hadley & McCloy

Morgan Lewis & Bockius

Morrison & Foerster

Nixon Peabody

Paul Hastings

Paul Weiss Rifkind Wharton & Garrison

Pillsbury Winthrop Shaw Pittman

Proskauer Rose

Ropes & Gray

Schulte Roth & Zabel

Seward & Kissel

Shearman & Sterling

Sidley Austin

Simpson Thacher & Bartlett

Skadden Arps Slate Meagher & Flom

Sullivan & Cromwell

Vinson & Elkins

Wachtell Lipton Rosen & Katz

Weil Gotshal & Manges

White & Case

Willkie Farr & Gallagher

List by Flashpoint (via Crain’s Chicago Business)

Reported Law Firm Security Breaches

ABA LTRC TECH SURVEY

Reported Law Firm Viruses/Spyware/Malware

ABA LTRC TECH SURVEY

Where are the threats?

• Email

• Lost or stolen devices

• Poor passwords

• Disposal of data

• Social Engineering

• Photocopiers

• Shredding machines

• Flash drives

• Hackers

• 3rd party providers / vendors

– Cloud storage (Google Drive, DropBox, eDiscovery Systems, etc.)

– Practice Management Cloud-based services

– E-discovery / litigation

– Court Reporters: Audio/Video Tapes, Transcripts

Risk Management Misconceptions

• IT (or SOMEONE) is on top of it

• We are too small

• Data stored off-site

• Data stored with a third-party

• Mobile devices are secure because they are password protected

#1 Threat: Email

• Email spoofing/fraud attempt targeting a specific organization or person

• Access confidential data or hold documents for ransom, infect computers

• Education

– Understand social media factor

– Ongoing awareness campaign

• Email hygiene / Filtering

#2 Threat: Humans

Your Passwords are Weak

• Use 2-factor authentication everywhere

• Have a STRONG password of at least 12 characters or a pass phrase

• Don’t use the same password everywhere

• Change your passwords regularly

• Change the defaults

• Require screen saver passwords

THE 25 MOST POPULAR PASSWORDS OF 2015 STILL SUCK

1. 123456 (Unchanged)
2. password (Unchanged)
3. 12345678 (Up 1)
4. qwerty (Up 1)
5. 12345 (Down 2)
6. 123456789 (Unchanged)
7. football (Up 3)
8. 1234 (Down 1)
9. 1234567 (Up 2)
10. baseball (Down 2)
11. welcome (New)
12. 1234567890 (New)
13. abc123 (Up 1)
14. 111111 (Up 1)
15. 1qaz2wsx (New)
16. dragon (Down 7)
17. master (Up 2)
18. monkey (Down 6)
19. letmein (Down 6)
20. login (New)
21. princess (New)
22. qwertyuiop (New)
23. solo (New)
24. passw0rd (New)
25. starwars (New)

Encryption

• Whole disk encryption

• Biometric access

• Backup media should be encrypted

• Make sure the data is encrypted in transit and while being stored

• Be sure that employees of the backup or cloud vendor do not have access to the decryption keys

• Thumb drives should be encrypted

Secure Browsing

Be sure you have…

• Antivirus against online threats

• A security product against spyware

• A pop-up blocker

• A back-up product or system to make sure you are covered in case of disaster

• A utility program to clean unwanted files (temporary Internet files or cookies) and orphan Windows registry files

https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing

Aircards / Broadband Cards

• Preferred wireless connection because the data is secured from the very beginning!

• Uses cellular connection

• You don’t have to worry about whether you have an https:// session or not

• $40 – 60 / month

• Add-on to cellular service

Wireless

• Wireless networks should be set up with the proper security

– WEP is weak

– The only wireless encryption standards that have not been cracked (yet) are WPA with AES or WPA2

• Use wireless hot spots with great care

– Do not enter any credit card information or login credentials without seeing https

Consider Client Portals

• Clients now expect

– Access to their documents 24x7

– Access to WIP before the bill arrives

– Notification of all key milestones

– Live feeds of all significant case activity

– Threaded discussions

• Secure client communications

• All matter files and communications in one place

Smartphones and Tablets

• Label devices

• Have strong passcode policies

• Set idle timeouts

• Update, update, update

• Do not "jailbreak" or "root" your devices

• Apps from trusted sources

• MDM if possible

• Find My iPhone or an equivalent

• If supported, encrypt storage / hardware

Laptops

• Strong password, biometrics if possible

• Encrypt hard drive

• Robust firewall

• Bluetooth

• Get privacy screens

• User access controls

• Remove bloatware

Miscellaneous Tips

• Employee termination

• Dispose of anything that holds data, including a digital copier, securely

• Scrub metadata, redact docs