CYBER SECURITY FOR LAW FIRMS

Page 1: CYBER SECURITY FOR LAW FIRMS

CYBER SECURITY FOR LAW FIRMS
What steps your firm should take to protect against a cyber attack

Scott B. Suhy, CEO, NetWatcher.com, [email protected]

Steve Britt, Partner, Berenzweig Leonard, [email protected]

Steve Rutkovitz, CEO, Choice Cyber Security, [email protected]

Page 2: CYBER SECURITY FOR LAW FIRMS


Agenda

• Why law firms are vulnerable to cyber attack
• What are lawyers' ethical duties
• The value of privilege & how to obtain it
• The value of the security assessment
• The value of continuous security monitoring
• Q&A

Page 3: CYBER SECURITY FOR LAW FIRMS


Why law firms are vulnerable to exploitation

Page 4: CYBER SECURITY FOR LAW FIRMS

• Wiley Rein hacking in 2012

• Cravath, Swain & Moore + Weil Gotshal & Manges hacked in 2015

• Fenwick & West has been hacked twice

• The 2015 ABA Law Firm Survey of 90,000 respondents reported:
• 25% of firms with at least 100 attorneys have had a breach
• 15% of all firms have had a breach
• 34% of 100 law firms have had clients request a security audit
• Large clients routinely send security due diligence questionnaires

• Most common types of breaches: loss or theft of laptops, thumb drives, smartphones or tablets; spear phishing; and employees or third parties using unauthorized hardware and software (Evernote, Google Drive)

Current Data Breach Landscape

Page 5: CYBER SECURITY FOR LAW FIRMS

• Their organization’s protection level is usually weaker than that of their corporate counterparts (their clients)

• Law firms rarely report a breach…

According to the 2015 ABA Legal Technology Survey Report, 15 percent of overall firms and 25 percent of law firms with at least 100 attorneys have experienced a breach, yet almost half of attorneys say their firms have no data breach response plan in place. (more here)

Bottom-line: Law firms are great targets for cybercriminals

Page 6: CYBER SECURITY FOR LAW FIRMS

Confidential details of offshore accounts for 12 world leaders & 128 public officials.

11.5 million confidential documents and 2.6 terabytes of data were stolen.

The firm’s customer-facing WordPress website was running an outdated, vulnerable version of a plugin called ‘Revolution Slider’, which let an attacker exploit a well-known bug and gain access to the firm’s mail servers hosted on the same IP network.

The exploit was well known to the hacker community and had been published back in October 2014; the plugin was never updated.

Case Study: Mossack Fonseca – The Panama Papers

“We have hundreds of law firms that we see increasingly being targeted by hackers.” – Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office.

Page 7: CYBER SECURITY FOR LAW FIRMS

Hacktivist: Puckett & Faraj, a Washington-area firm, was hacked by activists associated with the group Anonymous, who were angered by the firm’s representation of a U.S. soldier who pleaded guilty in connection with his role in the death of 24 Iraqi civilians. (more)

Cyberespionage: Gipson Hoffman & Pancione, based in Los Angeles, was hacked because of a software piracy lawsuit it filed against the Chinese government. (more)

Financial Gain: A broker named “Oleras” living in Ukraine was detected by Flashpoint, a New York threat intelligence firm, attempting to hire hackers to break into firms’ computer systems so he could trade on insider information. (more)

Insider Trading: Hackers broke into the computer networks at some of the country’s most prestigious law firms (including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP). Federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. (more)

Why?

Page 8: CYBER SECURITY FOR LAW FIRMS

• The American Bar Association Model Rules of Professional Conduct require law firms to protect client information (Model Rules 1.1, 1.4 & 1.6)

• 47 states also have data breach notification laws. Listed here.

• There are also sector-specific requirements – HIPAA, PCI-DSS…

It is your responsibility to protect your client’s data!

Page 9: CYBER SECURITY FOR LAW FIRMS

• The ABA Commission on Ethics 20/20 added new amendments and comments

• “Lawyers must keep abreast of benefits and risks of technology”

• “Lawyers must take reasonable steps to prevent inadvertent or unauthorized disclosure or unauthorized access to client information.”

• 19 states now have laws dealing with electronic and paper record disposal

Your firm’s reputation is all it has. You never want to have to put out a release like this:

“Last summer, the Firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants. Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”

– Cravath, Swaine & Moore LLP

Page 10: CYBER SECURITY FOR LAW FIRMS

• ACP protects communications between clients and their lawyers in a confidential setting that relate to legal advice and do not further a crime or fraud, as long as the privilege has not been waived

• This privilege is subject to several constraints

• It doesn’t apply based on the parties’ mutual agreement

• In most cases it will not apply to agents of the client unless the agent is necessary to transmit the privileged communication (e.g., translators)

• Lawyer-agents CAN be covered by the attorney-client privilege if the agent is assisting the lawyer in providing legal advice (United States v. Kovel, 296 F.2d 918 (2d Cir. 1961))

The Value of Attorney Client Privilege

Page 11: CYBER SECURITY FOR LAW FIRMS

• Here are the best practices to demonstrate the necessity of an agent’s role in legal advice:

• The lawyer should document the need for the agent’s assistance and how it will be used

• The agent should work under the lawyer’s direction – not the client’s

• The lawyer should incorporate the agent’s work into the lawyer’s legal advice, rather than simply forwarding the agent’s work, and

• The lawyer should document how he or she used the agent’s work in the advice

A Lawyer-Agent’s Role

Page 12: CYBER SECURITY FOR LAW FIRMS


The value of the security assessment

Page 13: CYBER SECURITY FOR LAW FIRMS

• Most of the industry is “Winging it”

• No Comprehensive Approach

• Lack of a Controlled Framework

• No Structured Solution

Lack of Structure 

Page 14: CYBER SECURITY FOR LAW FIRMS

End to End Solution 

The Choice Cybersecurity Approach:

• Assess with a Gap Analysis

• Address vulnerabilities with a multi-layered approach

• Maintain an acceptable level of risk through continuous monitoring and scanning

Page 15: CYBER SECURITY FOR LAW FIRMS

Risk Assessment 

• In order to move from Protection to Detection you must identify your assets

• Questions to ask:
• What is important to your firm?
• What are you trying to protect?
• What are your threats?
• How would a breach affect your firm?
• How would you respond to a breach of confidentiality?

Page 16: CYBER SECURITY FOR LAW FIRMS

Data Assets 

• Data can be anywhere

• Cloud

• Mobile

• Servers

• Workstations

• Phones

• Tablets

• Laptops

Page 17: CYBER SECURITY FOR LAW FIRMS

What is Sensitive Data? 

1. Social Security Numbers

2. Credit Cards

3. Date of Birth

4. Driver’s License

5. Passport

6. IP Address

7. Digital Identity

Page 18: CYBER SECURITY FOR LAW FIRMS

Failed Assessment Example

• 666,732 Files Scanned

• 2,162 Suspected Incidents Found

• 327 Files with Suspect Data

• $888,600 Liability
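The figures on the “Failed Assessment Example” slide come from scanning a file store for the sensitive-data types listed on the previous slide. The script below is an added example, not code from the presenters or from Choice Cyber Security, showing how such a scan separates raw pattern hits (“suspected incidents”) from hits that survive validation (files with suspect data): SSNs are checked against ranges the SSA never issues, card numbers against the Luhn check digit, dates of birth for being real calendar dates, and IPv4 addresses for valid octets. The sample files are constructed, and the per-record cost used to turn confirmed records into a liability figure is an assumed input, not the model behind the $888,600 on the slide.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Loose patterns produce "suspected incidents"; the validators below decide
# which of those are real enough to count as suspect data in a file.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOB_RE = re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)


def valid_ssn(value: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 16 and luhn_ok(digits)


def valid_ipv4(value: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def valid_dob(value: str) -> bool:
    try:
        born = datetime.strptime(value, "%m/%d/%Y")
    except ValueError:
        return False
    return 1900 <= born.year <= datetime.now().year


# kind -> (pattern, validator)
DETECTORS = {
    "ssn": (SSN_RE, valid_ssn),
    "credit_card": (CARD_RE, valid_card),
    "date_of_birth": (DOB_RE, valid_dob),
    "ip_address": (IPV4_RE, valid_ipv4),
}


def scan_text(text: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (suspected hits, confirmed (kind, value) pairs) for one file's contents."""
    suspected = 0
    confirmed: List[Tuple[str, str]] = []
    for kind, (pattern, validate) in DETECTORS.items():
        for match in pattern.finditer(text):
            suspected += 1
            value = match.group(1) if match.groups() else match.group(0)
            if validate(value):
                confirmed.append((kind, value))
    return suspected, confirmed


def run_assessment(files: Dict[str, str], cost_per_record: float) -> Dict[str, object]:
    """Roll a scan of many files up into the figures a risk assessment reports.

    cost_per_record is an assumed per-record exposure figure supplied by the caller;
    it stands in for whatever breach-cost model the assessor actually uses."""
    suspected_total = 0
    confirmed_total = 0
    files_with_suspect_data: List[str] = []
    for name, content in files.items():
        suspected, confirmed = scan_text(content)
        suspected_total += suspected
        confirmed_total += len(confirmed)
        if confirmed:
            files_with_suspect_data.append(name)
    return {
        "files_scanned": len(files),
        "suspected_incidents": suspected_total,
        "confirmed_records": confirmed_total,
        "files_with_suspect_data": files_with_suspect_data,
        "estimated_liability": confirmed_total * cost_per_record,
    }


# Constructed sample "file store": path -> contents (no real personal data).
SAMPLE_FILES = {
    "intake/client_form.txt": "Client: J. Doe\nSSN: 123-45-6789\nDOB: 07/04/1975\nCard on file: 4111 1111 1111 1111\n",
    "matters/closing_notes.txt": "Wire confirmation ref 1234 5678 9012 3456 (not a card)\nServer 10.0.0.12 reachable\n",
    "hr/placeholder.txt": "SSN: 000-12-3456 is a template value\nDOB: 13/45/1980 invalid\n",
    "memos/brief.txt": "No personal data here; ip 999.1.1.1 is a typo.\n",
}

if __name__ == "__main__":
    print(run_assessment(SAMPLE_FILES, cost_per_record=200.0))
```

On the constructed files the scan reports 8 suspected incidents but only 4 confirmed records in 2 files: the template SSN, the malformed date, the non-Luhn reference number and the impossible IP address are exactly the kind of hits a validator step removes before a liability figure is put in front of a partner.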

Page 19: CYBER SECURITY FOR LAW FIRMS

2 Parts of the Risk Assessment

• Identify Vulnerabilities
• Software
• Hardware
• Firewall
• Sensitive Data

Page 20: CYBER SECURITY FOR LAW FIRMS

Executive Summary


Page 21: CYBER SECURITY FOR LAW FIRMS


The value of continuous monitoring

Page 22: CYBER SECURITY FOR LAW FIRMS

Antivirus doesn’t work all that well anymore…

“Crypting Service”

Example: http://execrypt.com “This is an automatic online service ExeCrypt which can help you to obfuscate binary data. Our service is indispensable tool to get secure your program content from curious researchers and prevent detection by antivirus programs.”

Follow Gartner for Endpoint Protection Platforms

Protect the Endpoint…

Page 23: CYBER SECURITY FOR LAW FIRMS

• Firewall
• Unified Threat Management
• Next Generation Firewall
• Managed Firewall
• Intrusion Protection System (IPS)

Great, but not enough…

Firewall - Protect the Front Door!

Page 24: CYBER SECURITY FOR LAW FIRMS

• Malware Exploit!!!
• Clicking on phishing messages and bad links
• Running outdated software with security vulnerabilities (Flash, Java, Windows…)
• Downloading risky software (TOR, BitTorrent, Telnet, Android apps…)
• Going to explicit websites
• Sending info over the internet in clear text

Continuous Monitoring – Know when someone lets the bad guy through the front door….

Page 25: CYBER SECURITY FOR LAW FIRMS

• Tools used for pen testing are widely available for anyone to leverage (metasploit, nmap, openvas etc.) – all great, but they can be used against you too…

• https://shodan.io

Continuous Monitoring – Know when a bad actor is inside your network…

Page 26: CYBER SECURITY FOR LAW FIRMS

• Security hygiene
• Lack of rigorous policy & plans
• Lack of effective monitoring

What’s the Issue?

Page 27: CYBER SECURITY FOR LAW FIRMS

• Command & Control Malware
• Ransomware
• Spyware

Continuous Monitoring – Know when you are being exploited!
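The last three slides make the same point from different angles: a firewall can let a user’s click through, so the firm also needs to notice, from the traffic it can see, when data leaves in clear text (the front-door slide) and when a workstation has started checking in with a command-and-control server (this slide). The script below is an added example, not part of the presentation or of any NetWatcher product, that runs two such checks over a constructed connection log. It assumes a log of `epoch_seconds src_ip dst_ip dst_port proto` lines, a firm LAN of 10.0.0.0/8, a small list of clear-text service ports, and beacon thresholds (at least 5 connections, interval jitter under 10%) that are illustrative rather than tuned.

```python
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List

# Assumed firm LAN; anything outside it counts as "the internet" for these checks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Services that carry credentials and content in clear text (assumed policy list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed sample connection log (not real traffic):
# epoch_seconds src_ip dst_ip dst_port proto
SAMPLE_LOG = """
# 10.1.1.20 checks in with an external host about once a minute (beacon-like)
1700000000 10.1.1.20 203.0.113.5 443 tcp
1700000060 10.1.1.20 203.0.113.5 443 tcp
1700000121 10.1.1.20 203.0.113.5 443 tcp
1700000180 10.1.1.20 203.0.113.5 443 tcp
1700000241 10.1.1.20 203.0.113.5 443 tcp
1700000300 10.1.1.20 203.0.113.5 443 tcp
# the same workstation also talks to the internal file server every minute (normal)
1700000000 10.1.1.20 10.1.1.5 445 tcp
1700000060 10.1.1.20 10.1.1.5 445 tcp
1700000120 10.1.1.20 10.1.1.5 445 tcp
1700000180 10.1.1.20 10.1.1.5 445 tcp
1700000240 10.1.1.20 10.1.1.5 445 tcp
1700000300 10.1.1.20 10.1.1.5 445 tcp
# 10.1.1.21 browses an external site at irregular, human-looking times
1700000005 10.1.1.21 198.51.100.7 443 tcp
1700000009 10.1.1.21 198.51.100.7 443 tcp
1700000130 10.1.1.21 198.51.100.7 443 tcp
1700000131 10.1.1.21 198.51.100.7 443 tcp
1700000400 10.1.1.21 198.51.100.7 443 tcp
1700000900 10.1.1.21 198.51.100.7 443 tcp
# 10.1.1.22 opens a telnet session to an internet host
1700000050 10.1.1.22 203.0.113.9 23 tcp
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port), "proto": proto})
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_cleartext(records) -> List[Dict[str, object]]:
    """Flag internal hosts talking to the internet over clear-text services."""
    alerts = []
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]) and r["port"] in CLEARTEXT_PORTS:
            alerts.append({"kind": "cleartext_protocol", "src": r["src"], "dst": r["dst"],
                           "service": CLEARTEXT_PORTS[r["port"]], "ts": r["ts"]})
    return alerts


def find_beacons(records, min_connections: int = 5, max_jitter: float = 0.1) -> List[Dict[str, object]]:
    """Flag outbound flows that recur at near-constant intervals, the shape of a C2 check-in.

    Internal-to-internal traffic is skipped on purpose: scheduled SMB, backup and
    update jobs "beacon" too, and would drown the alert in noise."""
    flows = defaultdict(list)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            flows[(r["src"], r["dst"], r["port"])].append(r["ts"])
    alerts = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(intervals) / mean  # relative spread of the intervals
        if jitter < max_jitter:
            alerts.append({"kind": "beacon", "src": src, "dst": dst, "port": port,
                           "interval_s": round(mean), "connections": len(times)})
    return alerts


def analyze(log_text: str) -> List[Dict[str, object]]:
    records = parse_log(log_text)
    return find_cleartext(records) + find_beacons(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the analysis raises exactly two alerts: the telnet session from 10.1.1.22 and the once-a-minute check-in from 10.1.1.20 to 203.0.113.5. The irregular browsing from 10.1.1.21 and the equally regular but internal SMB traffic are left alone, which is the trade-off a monitoring service is tuning when it promises to be both accurate and usable.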

Page 28: CYBER SECURITY FOR LAW FIRMS

• Managed Security Service
• Easy to install
• Easy to use
• Accurate
• Affordable

• For as low as $299 a month

Continuous Monitoring – Know your score!

Page 29: CYBER SECURITY FOR LAW FIRMS


Q&A

Page 30: CYBER SECURITY FOR LAW FIRMS

Thank You

Scott B. Suhy, CEO, NetWatcher.com, [email protected]

Steve Britt, Partner, Berenzweig Leonard, [email protected]

Steve Rutkovitz, CEO, Choice Cyber Security, [email protected]