Cyber warfare is real. Every law, justice and court organization is vulnerable to a cyber attack. The harsh reality is that lawyers are especially at risk because their biographical information is so easily accessible. These attacks come in many forms: stolen data held for ransom, sensitive information put at risk, and the resulting impeded workflow, liability, and loss of clients.
Legal organizations handle large amounts of highly sensitive personally identifiable information (PII), data, and money, making them very appealing to malicious actors. Keeping sensitive client information safe should be one of the highest priorities of a law firm.
The American Bar Association and the U.S. Department of Justice report that 25% of all law firms have experienced some form of data breach. Consider that the New York entertainment and media law firm Grubman Shire Meiselas & Sacks was hacked and the ransom demand was $42 million. Many of the demands are smaller, but still costly and difficult to recover from.
The Threat Actors at Work
Criminal enterprises, nation-states, inside attackers, hacktivists and other malcontents lurk in the cyber sea waiting to feed on unsuspecting victims. Legal organization leaders must worry not only about criminal enterprises and nation-states but, to a greater extent, must prepare for potential insider attacks and other lone-wolf malcontents.
Attack tools include keyloggers (software or a hardware device designed to secretly monitor and log every keystroke). They pose a serious threat to users because they intercept passwords and other confidential information entered via the keyboard. As a result, cyber criminals can capture PIN codes and account numbers for e-payment systems, passwords to online gaming accounts, email addresses, user names, email passwords, and almost any other information imaginable.
Rootkits are a type of malware designed to remain hidden on a computer. Although they may go unnoticed, they are active, and they give cybercriminals the ability to remotely control the computer.
Cyber criminals also use back door attacks: accessing a system through unsecured points of entry.
When such footholds are used for long-term, covert access, the campaign is known as an advanced persistent threat (APT). With nation-states, the objective of an APT is to remain undetected on the network, gather data and intelligence, learn what controls are on the servers, map the network architecture, and then search for vulnerabilities they can use to disrupt the organization, steal intellectual property, or make money by selling client data.
These are not "might happen" scenarios. The most common distribution methods, known as attack vectors, are email attachments such as apps, Excel spreadsheets, Word documents, or other files that deliver a payload once the attachment is opened on the computer. Ransomware can also be delivered by a drive-by download from a compromised website. That is why websites must be secure.
Even legitimate advertising networks, and the news and information sites that carry their ads, can be tricked into spreading malware. Malicious USB drives are another effective delivery mechanism for gaining access to or compromising a network.
Users must practice good password hygiene and never reuse the same credentials on multiple websites. If a criminal gains access to an email account, the next step is to use those credentials to get into bank accounts and other websites and to steal identities. Even with good security hygiene, hackers can use simple penetration testing tools to identify open ports on a network. When the tool finds an open port, the hacker looks for vulnerabilities, unpatched software, and other ways to exploit the service. Just like that, the hacker has access to data.
Take the Prevention Stance
To prevent this, an organization must secure its information. Imagine an onion: at its core are the assets to protect, such as servers. Assume that any administrative, technical, or physical control can fail, so the best defense is not a single supposedly unhackable layer. Multiple layers are the only way to cover the attack vectors. Dozens of layers can be added to a security posture to protect core assets and devices, data, and customer information. The key is to make certain that any holes in the layers are not aligned to allow penetration. The security strategy must take into account the hazard, technology, process and people to prevent loss.
Even so, vulnerabilities remain, mostly human error, which makes constant security awareness training crucial.
Hacking Has Come a Long Way: The Email Attack Vector
Hackers are professionals. Long gone are the days of broken English and misspelled words. Especially in the case of spear phishing attacks, the techniques are very refined. The criminals learn about an organization and then use tactics such as sending an email that looks legitimate, for example an email that appears to come from an executive authorizing a $50,000 wire transfer. Layered security is the defense.
Choose tools that authenticate the mail server and prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send email on the organization's behalf.
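The standard way a domain proves to receiving mail servers which senders are authorized is through SPF, DKIM and DMARC records published in DNS. The following is an added example, not code from the article, that evaluates a domain's posture from constructed SPF and DMARC TXT records (the domain names and records are hypothetical); it flags a weak setting beside a hardened one.

```python
# Added example (not from the article): evaluating a domain's email
# authentication posture from its DNS TXT records. The records below are
# constructed for illustration; hostnames are hypothetical.
import re

# Constructed records: a weak posture beside a hardened one.
CONSTRUCTED_TXT = {
    "weak-firm.example": [
        "v=spf1 include:_spf.mailhost.example ~all",   # softfail: spoofed mail is still delivered
        # no _dmarc.weak-firm.example record at all
    ],
    "_dmarc.hardened-firm.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened-firm.example; pct=100",
    ],
    "hardened-firm.example": [
        "v=spf1 include:_spf.mailhost.example -all",   # hardfail: unauthorized senders rejected
    ],
}

def parse_spf(records):
    """Return the qualifier on the SPF 'all' mechanism, or None if there is no SPF record."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
            return (m.group(1) or "+") if m else "+"   # a missing 'all' defaults to pass
    return None

def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is no DMARC record."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
            return {k.strip().lower(): v.strip() for k, v in tags.items()}
    return None

def assess_domain(domain, txt_lookup=CONSTRUCTED_TXT):
    """Return a list of findings; an empty list means SPF hardfail plus DMARC p=reject."""
    findings = []
    spf_all = parse_spf(txt_lookup.get(domain, []))
    if spf_all is None:
        findings.append("no SPF record: any server can send as this domain")
    elif spf_all != "-":
        findings.append(f"SPF ends in '{spf_all}all': unauthorized senders are not rejected")
    dmarc = parse_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for failed checks")
    elif dmarc.get("p", "none").lower() != "reject":
        findings.append(f"DMARC policy is '{dmarc.get('p', 'none')}', not 'reject'")
    return findings
```

Against live DNS the same logic applies to the TXT records returned for the domain and its `_dmarc` subdomain; DKIM selectors are checked separately because their names are not discoverable from the domain alone.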
Again, it cannot be stressed enough that organization leaders must create and foster a security-first environment. Everyone who has access to any kind of computer or device on a network must have security awareness training. Continuously. No one is exempt.
Understanding the Tools and Building a Security Toolbox that Works
A best practice is to employ a cybersecurity expert who has email and domain access within the organization. Understand that a security expert and an IT professional are not the same; they complement each other.
The job of a spam filter is to trap emails with potentially malicious attachments. It is a first line of defense in a ransomware attack. Once criminals have access to a network, the ransomware obtains an encryption key, file encryption on the target begins, and tests run to make sure the files can be decrypted once the victim pays the ransom. Ironically, distributors of malware have good customer service. Some actually have 800 numbers and use screen-sharing support to help make sure the victim's files get decrypted, and offer assistance with ransom payment using Bitcoin, View Cash, or other methods.
In addition to a spam filter, a reputable DNS filter will block the malware's request for its key, so the files never get encrypted because no key was shared. Tools such as Windows Defender will defend against Trojans, but against modern malware attacks that is not enough. Endpoint detection and response (EDR) is necessary. If all other controls fail, EDR is the last line of defense: it uses behavioral analytics and artificial intelligence to determine whether the commands being run are normal and behaving as expected. This is a different way to look at security. In the past, users were assumed to understand threats such as phishing attacks and to be diligent about handling email attachments, and macros were assumed not to be malicious. That is not true today.
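The behavioral check an EDR performs can be illustrated with the macro case the article mentions: instead of trusting a Word or Excel file, it watches what the document's process goes on to do, and an Office application spawning a shell or script host (directly, or through an intermediate process) is the classic sign of a malicious macro. The following is an added example, not code from the article or from any EDR product; the process-creation events are constructed sample telemetry.

```python
# Added example (not from the article): a minimal behavioral rule of the kind
# an EDR applies to process-creation telemetry. Events are constructed samples.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# Constructed process-creation events: (pid, parent pid, image name).
SAMPLE_EVENTS = [
    (4000, 1200, "explorer.exe"),
    (4101, 4000, "WINWORD.EXE"),      # user opens an email attachment
    (4102, 4101, "cmd.exe"),          # macro launches a shell ...
    (4103, 4102, "powershell.exe"),   # ... which launches PowerShell (still flagged)
    (4200, 4000, "EXCEL.EXE"),        # benign spreadsheet session
    (4201, 4000, "powershell.exe"),   # admin opens PowerShell from the desktop: benign
    (4300, 4200, "splwow64.exe"),     # printing from Excel: not a script host
]

def office_ancestor(pid, parents, images, max_depth=3):
    """Walk up the parent chain; return the first Office ancestor within max_depth hops, else None."""
    for _ in range(max_depth):
        pid = parents.get(pid)
        if pid is None:
            return None
        if images.get(pid, "").lower() in OFFICE_APPS:
            return images[pid]
    return None

def detect_macro_spawns(events):
    """Return (pid, image, Office ancestor) for every script host descended from an Office app."""
    parents = {pid: ppid for pid, ppid, _ in events}
    images = {pid: image for pid, _, image in events}
    alerts = []
    for pid, _, image in events:
        if image.lower() not in SCRIPT_HOSTS:
            continue
        ancestor = office_ancestor(pid, parents, images)
        if ancestor:
            alerts.append((pid, image, ancestor))
    return alerts

if __name__ == "__main__":
    for pid, image, ancestor in detect_macro_spawns(SAMPLE_EVENTS):
        print(f"ALERT: {image} (pid {pid}) descends from {ancestor}")
```

The rule fires on the attachment's chain but not on the administrator's PowerShell session or on Excel printing, which is the distinction signature-based tools cannot make because the document itself may contain nothing recognizable.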
Orchestrating Prevention and Solutions
The complexity of these attacks builds the case for security designed to allow time to orchestrate mitigation.
All of the tools available are useless without orchestration: properly assessing the risk, having the technical tools ready, and understanding administrative, technical, and physical controls. The best-case scenario is a security provider with multiple vendors and best-of-breed products, practices, and policies.
In the final analysis, whether a law, justice or court organization decides to handle security in-house or to outsource it, the key to success is having a management- and policy-driven remote access strategy, together with the ability to monitor the hardware devices on the network and analyze their logs for any abnormal behavior.