Notes and summary from the 2014 ILTA LegalSEC Conference keynote presentation by Christopher Pierson.
In 2009, the FBI published a cyber-security threat matrix that declared the legal industry to be the ‘soft underbelly’ of information security worldwide. Not just litigation firms, not just corporate law, not just firms in the U.S. – virtually all of them. A 2013 report by Mandiant disclosed that hackers, including the Chinese, had successfully compromised the information security of 141 organizations, 80 of which were law firms.
Happens all the time, right? Turns out, it’s happening a lot more than people think and many governments, IT professionals and the hackers are all taking notice. Why?
Law Firms are a Gold Mine of Information
The reasons law firms are increasingly a target for security breaches include:
- One-stop-shops – Law firms contain a wide array of ‘good’ data. Personal information, corporate information, intellectual property – all in one place!
- Quantity and quality of the data – The attorney-client privilege ensures that there is a host of great information in one place.
- Demanding audience – Lawyers expect all their information to be maintained at arm’s reach. This makes it much easier for nefarious resources to harvest that information as well.
- Latest technology – Many lawyers love to use the latest toys but they often fail to protect them. Policies to secure phones and tablets are difficult to craft and even more difficult to enforce (sometimes). Unlocked ‘toys’ represent a ‘back door’ to all the corporate data.
- No end point – Law firms have no end point for access. Mobile workforce, personal devices, mixed devices, other people’s devices (traveling or on a shared device) mean that there is no endpoint to close the loop on security. There is almost always an access point.
Hackers come in all shapes and sizes
Armed with an understanding of why law firms make good targets, Pierson pointed out that we should look at the possible data ‘hacks’ in four separate categories:
- Data breach – Agents looking to acquire the ‘good stuff’. The good stuff includes things like Social Security numbers, account information, etc. The best targets for this information include employment firms.
- Intellectual property hack – Targeting trade secrets, trademarks, patents, research and development, etc.
- Destruction of data hack – The goal here is to destroy information and this has been the least common in the legal industry. That said, the more firms rely on hosted solutions to manage information, the higher the risks become for this type of event.
- Hack the medium – Breaches where the hacker targets the very systems designed to keep things safe.
The modes of attack on the legal community fall into two primary categories – phishing and (what I call) shadowing. Phishing tactics often employ emails where the malicious code is introduced by an internal resource clicking on an email link. This is especially easy in law firms because so much work is done through email. Shadowing is another approach where hackers target individuals with access to the firm’s network and data. They find ways to watch you access your company’s network from home, through remote access or, most importantly, through social media. Both options offer a direct means to private client data.
So if we understand the reasons firms are targeted and what information is being targeted – what is a firm to do?
Preventing Infiltration (The Castle Approach)
The vast majority of the products and services in place today are what many refer to as the ‘Castle Approach’. Build the castle walls, moats, more walls, towers and defensive lines, all for one purpose – keep the bad guys out. Firewalls, antivirus, DMZs and authentication are all products and tools of the Castle Approach.
Much of the new discussion, however, is about blending this approach with a second one, which focuses on data exfiltration.
Preventing Exfiltration (You can go, but the data stays here)
The primary focus of any data exfiltration detection technique is to distinguish legitimate from malicious information movement within your network. Exfiltration exercises, sometimes called ‘red-teaming’, can be driven by people, by computers or even by accident. The two methods of infiltration listed above have proven very effective in gaining access to legal networks. Thus, working to keep information from leaving is an equally important element in avoiding client data loss for the firm.
Small to midsized (SMB) firms with limited means to invest in the latest exfiltration technologies should first look to identify security or risk vulnerabilities, asking questions such as:
- What information is most sensitive and where is it stored?
- Is this information widely available once users have access to the network?
- Do we restrict the movement of this information within the company?
- Is our network configured to recognize the movement of information outside the network and can it ‘close the door’ if it identifies substantial outbound data movement?
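As an added example, not from the presentation or this post, here is a minimal form of the last check: a per-host baseline comparison over constructed flow records (hypothetical hosts and addresses) that flags an internal host whose outbound volume to external addresses jumps far above its own recent average.

```python
"""Flag internal hosts whose outbound byte volume to external addresses
spikes far above their own recent baseline, a simple exfiltration signal."""
import ipaddress
from collections import defaultdict
from statistics import mean

# Constructed sample flow records (not real data): (day, src_ip, dst_ip, bytes_out)
FLOWS = [
    ("day1", "10.0.1.20", "203.0.113.10", 40_000),
    ("day1", "10.0.1.21", "198.51.100.7", 55_000),
    ("day2", "10.0.1.20", "203.0.113.10", 45_000),
    ("day2", "10.0.1.21", "198.51.100.7", 60_000),
    ("day3", "10.0.1.20", "203.0.113.10", 50_000),
    ("day3", "10.0.1.21", "198.51.100.7", 58_000),
    ("day4", "10.0.1.20", "203.0.113.10", 48_000),
    ("day4", "10.0.1.20", "10.0.2.5", 900_000_000),      # internal file share: not exfiltration
    ("day4", "10.0.1.21", "192.0.2.99", 2_500_000_000),  # 2.5 GB to a new external host
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed firm address range

def outbound_bytes_by_day(flows):
    """Sum bytes per (host, day) for flows that leave the internal range only."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in INTERNAL and dst_ip not in INTERNAL:
            totals[src][day] += nbytes
    return totals

def flag_exfil(flows, today, ratio=10.0, floor=100_000_000):
    """Return {host: bytes} for hosts whose outbound volume on `today` is both
    above `floor` bytes and more than `ratio` times their mean on other days."""
    totals = outbound_bytes_by_day(flows)
    flagged = {}
    for host, per_day in totals.items():
        baseline_days = [v for d, v in per_day.items() if d != today]
        baseline = mean(baseline_days) if baseline_days else 0
        today_bytes = per_day.get(today, 0)
        if today_bytes >= floor and today_bytes > ratio * baseline:
            flagged[host] = today_bytes
    return flagged

if __name__ == "__main__":
    for host, nbytes in flag_exfil(FLOWS, "day4").items():
        print(f"ALERT {host}: {nbytes:,} bytes outbound today, far above baseline")
```

The flagged hosts are the input to the ‘close the door’ step (a firewall block or quarantine rule), and the internal-to-internal transfer is deliberately ignored so that ordinary file-server traffic does not trip the alert.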
It is critical for law firm administrators, IT professionals and firm executives to reflect on these questions and include the detection of data exfiltration as a key component of their overall approach to security. There are many considerations and technology options to accomplish this; however, the first step should simply be the training and education of the employees. Your team needs to understand the risk of managing your client data and the rules for keeping it safe (and confidential). Many of the issues faced by the SMB legal industry can be avoided with proper training, advance planning for security and a plan for handling intrusions when they do happen. The second step is to discuss technical options with your IT / Security team to see what tools may fit your business, risk tolerance and budget.
Overall, the shift is underway to blend the old with the new and create a much stronger playbook for law firms to leverage in their fight against cybercrime. It’s only a first step, but it is definitely a more comprehensive approach to battling the ever-expanding threats facing today’s law firm.