October 20, 2017

Five Cybersecurity Tech Tips: Worries to Give You the Willies

Editor’s Note: This post originally appeared on Attorney at Work on January 29, 2016. Reprinted with permission. See below for information about ordering Colorado CLE’s homestudy for our program, “Data Privacy & Information Security: Meeting the Challenges of this Complex and Evolving Area of the Law.”

By Sharon Nelson and John Simek

There are lots of cybersecurity worries to give you the willies in the wee hours of the morning, but we were asked to pick five. So here are some of the most common threats for lawyers to keep in mind.

1. Ransomware. We continue to see law firms struck by ransomware, which is a type of malware that encrypts your data (restricting your access to it) and then demands a ransom payment — usually in bitcoins — to get your data back. Training your employees not to click on suspicious attachments or links in email will help. They should stay away from suspicious sites as well since ransomware can be installed by just “driving by” an infected website.

Overwhelmingly, from a technological standpoint, you can defeat ransomware by having a backup that is immune to it. This can mean, particularly for solo lawyers, that you back up and then disconnect the backup from the network. For others, it means running an agent-based backup system rather than one that uses drive letters. Make sure your IT consultant has your backup engineered so that backups are protected — that way, even if you are attacked with ransomware, you can thumb your nose at the thief’s demands for money because you can restore your system from your backup. Of course, this means backups need to be made frequently to avoid any significant data loss.
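The point of a ransomware-immune backup is that you can trust what you restore. The following is an added example, not the authors' code or any product they mention: it records a manifest of SHA-256 hashes when the backup is taken and later verifies the backup copy against that manifest, flagging files that are missing, changed, or changed into high-entropy data of the kind encryption leaves behind. All file names, contents and paths are constructed for the demonstration.

```python
"""Backup integrity check: hash every file at backup time, then verify the copy
against that manifest before relying on it for a restore.
Added example (not the authors' code); all paths and sample files are constructed."""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(root: Path) -> dict:
    """Snapshot the backup and store the manifest beside it (keep a copy off-line too)."""
    manifest = build_manifest(root)
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> list:
    """Return (relative_path, problem) tuples; an empty list means the backup matches."""
    problems = []
    current = build_manifest(root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append((rel, "missing"))
        elif actual != expected:
            reason = "modified"
            if shannon_entropy((root / rel).read_bytes()) >= entropy_threshold:
                reason = "modified, high entropy (looks encrypted)"
            problems.append((rel, reason))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "unexpected file"))
    return problems


def demo() -> tuple:
    """Build a tiny constructed backup, snapshot it, damage one file, verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "matters").mkdir()
        (root / "matters" / "smith-v-jones.txt").write_text("Motion to dismiss, draft 3.\n" * 40)
        (root / "matters" / "billing.csv").write_text("date,hours,matter\n2016-01-29,1.5,Smith\n" * 20)
        manifest = write_manifest(root)
        clean = verify_backup(root, manifest)
        # Stand-in for what ransomware leaves behind: the document replaced by random bytes.
        (root / "matters" / "smith-v-jones.txt").write_bytes(os.urandom(4096))
        damaged = verify_backup(root, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup problems:", before)
    print("after tampering:", after)
```

Run the verification on a schedule from a machine that has read-only access to the backup store, and keep the manifest somewhere the backup host cannot overwrite; a manifest that lives only beside the data can be rewritten along with it.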

2. Employees. Employees are by nature rogues. Every study made shows employees will ignore policies (assuming they exist) to do what they want to do. This often means people bring their own devices (BYOD) which may be infected when they connect to your network. They may also bring their own network (BYON) or bring their own cloud (BYOC). Certainly, your policies should disallow these practices (in our judgment) or, at least, manage the risks by controlling what is done through a combination of policies and technology.

Oh, and employees steal your data or leave it on flash drives or their home devices, too. This means you have “dark data” — data you don’t know about and over which you have no control. This means you may miss data required in discovery because you don’t know it exists. Your data may not be protected in compliance with federal or state laws and regulations. And you have no way to manage the data because you don’t know it is there. Once again, a combination of policies and technology should be in place to prevent these issues.

3. Targeted phishing. This is perhaps the greatest and most successful threat to law firm data. Someone has you in their sights — often they have done research on your law firm. They may know the cases you are involved in — and who your opponents are. They may know the managing partner’s nickname. Everything they know about you, they may use to get you to click on something (say, an email from an opponent referencing a specific case and saying “The next hearing in ___ case has been rescheduled as per the attachment”). Many a lawyer has clicked on such attachments — or a link within an email.

The best solution to protect yourself from targeted phishing is training and more training — endlessly. One California firm was targeted by multiple phishing attacks but survived them because the lawyers and staff who received such emails questioned their authenticity.

Forget the loss of billable time. The loss of money, time and even clients due to a data breach can be far worse.

4. Interception of confidential information. Start with the proposition that everyone wants your data, including cybercriminals, hackers and nation states (including our own). Frankly, if they want your data and they have sophisticated tools, they will get it. So shame on you if you are not employing encryption (which is now cheap and easy) to protect confidential data transmitted and received via voice, text, and email. Encryption today is a law firm’s best friend. You may choose to use it always or in cases where it is warranted — but you surely should have the capability of encrypting.

5. Failure to use technology to enforce password policies. First, let us say that you should use multi-factor authentication where available and use it to protect sensitive data. But failing that, we recognize that passwords are still king in solo practices and small to midsize firms. Therefore, have your IT consultant assist you in setting up policies that can be enforced by technology, requiring that network passwords be changed every 30 days, not reused for an extended period of time — and mandating strong passwords (14 or more characters in length, utilizing upper- and lowercase letters, numbers and symbols). Passphrases are best. Iloveattorneyatwork2016! would do nicely.
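The rules in this item are exactly the kind a system can enforce. Below is an added example, not the authors' code or any vendor's product, that implements them: a strength check for the 14-character and four-character-class rule, a reuse check against a history of salted PBKDF2 hashes (so old passwords are never stored in the clear), and a 30-day expiry check. The history depth of 12 is an assumption standing in for the post's "extended period of time"; the dates and sample passwords are constructed.

```python
"""Technically enforceable password policy from the post: 14+ characters, all four
character classes, no reuse of recent passwords, rotation every 30 days.
Added example (not the authors' code); history depth, dates and samples are constructed."""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 14
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 12          # assumption: "extended period" read as the last 12 passwords
PBKDF2_ROUNDS = 100_000


def check_strength(password: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history can be checked without keeping plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of previous passwords as (salt, digest, date_set), oldest first."""

    def __init__(self):
        self.entries = []

    def record(self, password: str, when: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt), when))

    def was_used_recently(self, password: str) -> bool:
        for salt, digest, _ in self.entries[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(password, salt), digest):
                return True
        return False

    def is_expired(self, today: date) -> bool:
        """True when no password is set or the current one is MAX_AGE_DAYS old or older."""
        if not self.entries:
            return True
        return (today - self.entries[-1][2]).days >= MAX_AGE_DAYS


def evaluate_change(history: PasswordHistory, new_password: str) -> list:
    """Everything that blocks a proposed new password; empty list means accept it."""
    problems = check_strength(new_password)
    if history.was_used_recently(new_password):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def demo() -> dict:
    """Walk one constructed user through the policy; returns the outcomes for inspection."""
    history = PasswordHistory()
    first = "Iloveattorneyatwork2016!"             # the post's own passphrase example
    results = {"first_accepted": evaluate_change(history, first) == []}
    history.record(first, date(2016, 1, 29))
    results["too_short"] = evaluate_change(history, "Passw0rd!")
    results["reuse"] = evaluate_change(history, first)
    results["expired_day_12"] = history.is_expired(date(2016, 2, 10))
    results["expired_day_30"] = history.is_expired(date(2016, 2, 28))
    results["second_accepted"] = evaluate_change(history, "Correcthorse2016!Stapler") == []
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The strength check runs before the history check on purpose: a proposed password that fails the composition rules is rejected without spending a PBKDF2 computation per history entry on it.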

There are many other “willies” out there, but address them one digestible chunk at a time!

Sharon D. Nelson (@SharonNelsonEsq) and John W. Simek (@SenseiEnt) are the President and Vice President of Sensei Enterprises, Inc., a digital forensics, legal technology and information security firm based in Fairfax, VA. Popular speakers and authors, they have written several books, including “The 2008-2015 Solo and Small Firm Legal Technology Guides” and “Encryption Made Simple for Lawyers.” Sharon blogs at Ride the Lightning and together they co-host the Digital Detectives podcast.


CLE Homestudy: Data Privacy & Information Security — Meeting the Challenges of this Complex and Evolving Area of the Law

This CLE presentation took place Friday, January 22, 2016. Order the homestudy here: CD, MP3 audio, or Video OnDemand.

Five Things to Know About Heartbleed

The news media has been abuzz with talk of the Heartbleed bug, a recently discovered vulnerability in commonly used security software. Here are answers to some common questions about Heartbleed.

1. What is Heartbleed?

Heartbleed is a vulnerability in OpenSSL, a widely used encryption library. The vulnerability was inadvertently created while trying to fix a different bug. Although the Heartbleed vulnerability has been present in OpenSSL for two years, it was only recently discovered. The vulnerability created by Heartbleed could allow hackers to steal passwords, credit card data, or Social Security numbers from websites, home routers, smartphones running older Android operating systems, and other web-connected devices.

2. Which websites were affected?

Many commonly used websites use OpenSSL, including Facebook, Google, Gmail, YouTube, Yahoo, and Wikipedia. A website called LastPass has a handy Heartbleed checker, where you can enter a URL and see if it is vulnerable or safe. Another website, Mashable, created a “Heartbleed Hit-List” compiling vulnerability info for many sites.

3. Which websites were not affected?

Fortunately, most banking websites use more stringent security measures, so they were not affected by Heartbleed. Websites that were not affected include Amazon, AOL, Bank of America, Chase, LinkedIn, Hotmail, Outlook, PayPal, U.S. Bank, and Wells Fargo, among others. The CBA and CLE websites also were not compromised; neither uses OpenSSL.

4. What can I do to protect my information?

Most of the affected websites have issued patches by now. If the website was not vulnerable, you do not need to do anything (except keep up with regular password changes). If the website was vulnerable but has now been patched, change your password immediately. Secure passwords contain combinations of letters, numbers, and special characters, and should not be names, birthdates, or any other easily discoverable information. It is advisable to use different passwords for each website you frequent; websites like LastPass can help you keep track of these as well.

5. What about confidential client information?

Hopefully, most confidential client information would not have been vulnerable to Heartbleed. Aaron Street of The Lawyerist wrote a great article called “Heartbleed: What Lawyers and Law Firms Need to Know” that explains why client information is probably not susceptible. He also addresses the important question of safety in the cloud, particularly after Heartbleed and the Target data breach last fall.

As technology advances and its use becomes more widespread, safety breaches like Heartbleed will become more common. Heartbleed is a reminder that internet safety is important for everyone.