If the movies formed your understanding of cybersecurity threats against the legal profession, you would believe that criminal syndicates are hacking into law firms constantly. These organizations would apparently have endless technology and gadgets, penetrating networks using the most sophisticated “James Bond” techniques that even the best defenses in the world could not possibly thwart. Recent news reports do not paint a much better picture of the many “bad guys” getting access to confidential information and data entrusted to both big and small law firms. The reality is different and much less glamorous and sophisticated than we see in the media.
The truth is, however, that law firms are responsible for safekeeping some of the most valuable, sensitive and highly confidential information of companies and individuals. The breadth and value of that information makes them a lucrative target for so many different types of bad guys that span almost every human threat vector one can model. The other reality is that, while most of these attackers are motivated, very few of them have evil lairs filled with supercomputers and spy gadgets in their arsenal. Unlike the movies, however, they unfortunately do not need those tools to be successful bad guys against law firms.
“Social engineering” is the human side of hacking: it does not rely on cracking passcodes or breaking into networks. Instead, the attacker gathers information from, for instance, a public search engine about a partner, associate, employee or client, or about a case or a corporate or real estate transaction, and uses those accurate, easily found details to convince an individual to open a malicious (though seemingly bona fide) file directed at them. Once the file is opened, the external “super” defenses the law firm has put in place, such as firewalls, spam filters and two-factor authentication, have already been bypassed: the user has run the attacker’s code from inside the network. Social engineering targets all levels of a firm, from the receptionist, paralegals and accounting staff to lawyers and even the firm’s information technology professionals. It is the single most effective and most actively used method for attacking law firms. It is also the cheapest and easiest to carry out, which allows even low-level crooks to succeed.
Social engineering is based on manipulating a person, usually by supplying enough accurate, relevant context that the requested action appears trustworthy. This can be as simple as a seemingly legitimate request to confirm a password or as complex as asking an individual to run software that creates false “back-up” files for the law firm’s disaster recovery testing. Social engineering is such a critical tool in hacking a law firm that over 90 percent of successful penetration tests against law firms have social engineering as a foundational element of the attack. Removing or minimizing social engineering from the bad guys’ toolbox makes a successful attack on a law firm far more expensive and complex, and therefore less likely to succeed.
The great news is that law firms have readily available steps to dramatically reduce the effectiveness of social engineering ploys, and they do not require Mission Impossible technology. Social engineering is all about exploiting gaps in people’s knowledge and awareness. Law firms that invest in social engineering awareness training, repeated regularly for the firm’s employees, contractors and even clients, create a powerful first line of defense against this method of attack and take away the bad guys’ most effective weapon.
The four top methods of social engineering are phishing (email), vishing (phone), smishing (text message) and impersonation (face-to-face). Each method uses its own tactics to create trust and authenticity in the communication ultimately used to defraud the recipient. The more personalized, detailed and focused the communications are, and the more often they are repeated, the higher the rate of success in convincing the recipient to let down her defenses and click on, open or run malicious content. Attackers also combine these methods, for example following up an email with a phone call, and may even acknowledge the recipient’s security training in the message to disarm it; such combinations can produce great results for the hacker.
Training and Testing
Training needs to give employees tools to validate the bona fides of the sender of a communication, whatever channel is used. Providing varied examples of how social engineering attacks occur will also get employees thinking outside the standard security box. Attackers often play on an individual’s weakness, susceptibility and curiosity. An email impersonating someone from human resources or finance with the single sentence “Bill, do you really think these expenses should be approved?” and a malicious file attached will get hits almost every time. After monitoring news accounts and press releases and performing other “due diligence” on an unsuspecting employee, such as a company bookkeeper, an attacker sends him feigned wire instructions just as a transaction is about to close, indicating that payment must be made by a certain time for the deal to close; this often works like a charm to get the payment sent to the bad guy. The practical countermeasure is a firm rule that new or changed wire instructions are always confirmed by telephone at a number already on file, never at a number supplied in the email itself. Role playing or gaming in employee training will make individuals more aware of their susceptibility to such ruses.
In addition to social engineering training, which is your first line of defense, do not forget regular real-world testing. Bring in security professionals who understand current social engineering artifices to challenge your investment in “behavior modification” training, validate it and improve your security program. Empowering your law firm’s employees with such cyber-fighting skills can also be a huge morale boost, transforming them from victims to warriors in the battle to protect confidential client and law firm information. A training and awareness program that keeps this knowledge fresh, relevant, frequent and varied in its means of delivery will be effective.
Security information, resources and tools are provided by many legal associations; set forth below are some very practical guidelines offered by the New York State Bar Association at www.nysba.org/nysbacyber/.
Protect firm computers and networks
Install security and antivirus software that protects against malware (malicious software) on the mobile devices and computers used within the firm or used to reach the firm from outside the office. Secure electronic communications as appropriate, through passwords or encryption, and ensure that data sent to and stored in the “cloud” is encrypted both in transit and at rest. Scrub “metadata” from electronic documents before sending them. Also, use a firewall to prevent unauthorized access.
Require Strong Authentication
Ensure that users accessing your firm’s network create strong user IDs and passwords/passcodes for computers, mobile devices and online accounts: a mix of upper and lower case letters, numbers and symbols, or long, uncommon phrases. Make sure users confirm they are on the official website before entering a password/passcode. Use different passwords/passcodes for different devices and accounts, change them regularly and, above all, immediately if one may have been exposed, and never provide your passwords/passcodes to others.
Provide Firm Education
Establish security practices and policies for all firm employees. Monitor employees and enforce best practices for Internet usage, mobile devices, email and social media. Employees should not install software and app updates on their own initiative; updates should be applied after checking with the responsible individual or department so they are applied consistently across the firm. Identify that individual/department as responsible for the above monitoring and advise all firm employees of the need to update their devices upon consultation with them.
Access Information on Secure Internet Connections
Connect to the Internet only over trusted network connections, and use a VPN to keep the connection private whenever a trusted network is not available. Public Internet provided at airports, hotels and/or Internet cafés may not be secure.
Suspicious Emails, Attachments and Unverified Apps/Programs
Be suspicious of opening, forwarding or responding to unsolicited emails, attachments and links from unknown sources, and charge phones only from your own charger or a trusted power source, not from public USB ports, which can carry data as well as power. Do not download apps/programs from unverified sources to your computer or mobile devices, especially apps/programs that request access to contacts or other information on your mobile devices. Log out of apps/programs instead of simply closing the Internet browser. And avoid consumer file sharing services that the firm has not approved.
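As an added example that is not part of the original article or of the NYSBA guidelines, the following Python script applies the sender-validation checks discussed under Training and Testing, and in the guideline on suspicious emails above, to a raw message: it flags a From domain that imitates the firm’s own domain, a Reply-To that points somewhere else, SPF/DKIM/DMARC verdicts other than “pass” in the receiving server’s Authentication-Results header, and the urgency wording typical of wire-fraud lures. The firm domain example-law.com, its mail server mx.example-law.com and both sample messages are assumptions constructed for this example.

```python
"""Screen an email for common social-engineering tells.

Added example, not code from the original article. Assumptions: the firm's
domain is example-law.com, its receiving mail server stamps
Authentication-Results as mx.example-law.com, and the sample messages
below are constructed.
"""
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"      # assumption: the firm's real domain
AUTHSERV_ID = "mx.example-law.com"   # assumption: the firm's inbound mail server

# Digit/symbol substitutions attackers use when registering look-alike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})

# Pressure words that wire-fraud and fake-expense lures lean on.
URGENCY_WORDS = ("urgent", "immediately", "today", "wire", "by close")

# Constructed lure: look-alike From domain, attacker-controlled Reply-To.
SAMPLE_PHISH = """\
From: "Jane Partner" <jane.partner@example-1aw.com>
Reply-To: settlements@mail-deal-close.net
To: bill@example-law.com
Subject: URGENT wire instructions for closing today
Authentication-Results: mx.example-law.com; spf=fail smtp.mailfrom=example-1aw.com; dkim=none; dmarc=fail
Content-Type: text/plain

Bill, do you really think these expenses should be approved? Wire by 3pm or the deal dies.
"""

# Constructed legitimate internal message for comparison.
SAMPLE_LEGIT = """\
From: "Jane Partner" <jane.partner@example-law.com>
To: bill@example-law.com
Subject: Draft engagement letter
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.com; dkim=pass header.d=example-law.com; dmarc=pass
Content-Type: text/plain

Bill, the draft is attached for your review when you have a moment.
"""


def domain_of(addr_header) -> str:
    """Lower-cased domain of a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def normalize(domain: str) -> str:
    """Fold Unicode and common character substitutions so look-alikes compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = FIRM_DOMAIN) -> bool:
    """True if domain imitates target without being target or one of its subdomains."""
    if not domain or domain == target or domain.endswith("." + target):
        return False
    return edit_distance(normalize(domain), normalize(target)) <= 1


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results stamped by our own server."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # Senders can add this header too; only trust the copy our server wrote.
        if not str(header).strip().lower().startswith(AUTHSERV_ID):
            continue
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def analyze(raw: str) -> list:
    """Return finding codes for a raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if is_lookalike(from_domain):
        findings.append("from-domain-lookalike")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "none") != "pass":
            findings.append(f"{mech}-not-pass")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

A check like this belongs in the mail gateway or a mail-client add-in rather than on the recipient’s shoulders, and it is deliberately conservative: a message that passes every check can still be a well-crafted lure, which is why the out-of-band confirmation of wire instructions remains the control that actually stops the loss.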
Software vendors regularly provide patches and/or updates to their products to correct security flaws and improve functionality. Ensure that patches and antivirus software updates are installed promptly on all devices.
Mark A. Berman, a partner at Ganfer & Shore, chairs the New York State Bar Association’s Committee on Technology and the Legal Profession. Ronald J. Hedges, senior counsel at Dentons and a former U.S. Magistrate Judge, is also a member of the Committee. Kennet Westby, Chief Security Strategist at Coalfire, is a member of the Cybersecurity Subcommittee of the Committee.