The threat to information is ubiquitous. Cybersecurity and protecting information are issues that evoke equal parts of fear and confusion for business leaders, information technology and security professionals, and the legal professionals they rely on for advice. Anyone who has been involved in a real data breach will easily understand why an effective analogy for describing cybersecurity incidents is to imagine being in a building that is on fire. There is panic, there is fear, there is chaos, there is confusion. It is a crisis situation.
What could be worse? Not only could it have been your law firm’s information that was compromised in the cybersecurity incident, but it could have been your client’s most sensitive information such as business plans, litigation strategy, or confidential attorney-client privileged communications. Or, it could have been your client’s most valuable intellectual property that was stolen. These situations will be discussed in more depth in future sections.
Protecting client data requires taking the same precautions that are taken for protecting any other kind of data. Whether the attackers are after employee social security numbers, customer payment card data, embarrassing emails from the CEO, the company’s crown jewel trade secrets, or highly sensitive client data, the central objective is to prevent the attackers from being able to access it. Attackers that are going to try and access this data are going to do so by trying to attack the law firm itself. If they are unsuccessful at attacking the law firm directly, they will likely try gaining access through a third-party by first attacking a third-party with whom the law firm does business and then using that access point to pivot inside the law firm. This is why third-party risk is now a key focus in cybersecurity.
Accordingly, the most important point to remember is that if you want to protect your law firm’s client data from cyber attackers, you must first ensure that your law firm is adequately protected. Second, you must ensure that those third-parties with whom your law firm does business are adequately protected.
While a discussion of highly sophisticated cybersecurity tools and tactics may be more entertaining, if the goal is to improve law firms’ cybersecurity defenses effectively, it must begin with the basics which will be the focus of this guide.
The laws that govern what must be done in response to a cybersecurity incident or data breach are not optional. The author discussed these laws and the legal duties associated with these events, reporting these events to law enforcement, and disclosing them to government regulators in the Guide to Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies (“Reporting Guide”). When there is a duty, as explained in the Reporting Guide, in most cases the duty is mandatory.
There is a grave misunderstanding among many business leaders who believe that when their company has had a data breach, notifying the affected individuals and appropriate governmental agencies is optional. Unfortunately, the author encounters this on a regular basis. This problem is perpetuated by there being far too many lawyers who do not practice in the cybersecurity and privacy area of law and, out of ignorance, advise such clients that it is really not that serious and is being blown out of proportion. This advice is wrong and should qualify as malpractice.
If you need further convincing, ask yourself whether you believe that companies like Target, Home Depot, Neiman Marcus, Spec’s, Ashley Madison, and Yahoo aired their dirty laundry publicly solely because they believed it was the right thing to do. They had to—cybersecurity is a legal issue—the laws require companies to disclose this information and mandate how they disclose it, when they disclose it, what information they disclose, what they do for those affected, and to whom it must be disclosed. If you find your company or your client’s company in this position and fail to comply with these legal duties, you do so at your peril and their peril.
One reason cybersecurity engenders so much fear is because of how uniquely this area of law, policy, and public perception treat organizations that have experienced data breaches. This is one of the few, if not only, situations where the victim of an illegal act is transformed into the wrongdoer. In the more typical scenario, an organization is attacked by an illegal act or, at a minimum an impermissible act, directed against its computer network. The wrongful act against the organization’s network causes harm to the organization. At that point in time, however, the organization then begins to be viewed as the wrongdoer when the focus of the blame shifts to the organization for allowing itself to succumb to the attack.
Unauthorized access to computers, often referred to as “hacking,” and data breach are two sides of the same coin, and more often than not the organization is blamed for both. What is even more unfortunate is that companies’ primary legal vehicle for protecting against these kinds of misuses of their computer networks is the unauthorized access laws, primarily the federal Computer Fraud and Abuse Act (CFAA) and Texas’ Breach of Computer Security (BCS) law, and there is a growing movement among those in the “no limit” crowd and “security research” crowd that seeks to substantially limit companies’ abilities to use these laws in most cases, especially those in which the misuse is by privileged users (insiders), which accounts for over 70% of all data breaches. This legal schizophrenia puts companies dead center in a conundrum in which there is no upside. Cybersecurity can be scary but it becomes far more dangerous when ignored. Especially for law firms.
Attorneys occupy a position of trust and confidence for their clients and have an ethical duty to protect client information that is more stringent than the duty that most organizations have to protect their customers’ data. According to the American Bar Association Model Rules of Professional Conduct, “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent . . . .” In this regard, the duty of an attorney to protect its client’s data is much more akin to the duty of a health care provider to protect its patient’s data.
The Texas standards also require that attorneys respect this sacred duty: “A lawyer should preserve the confidences and secrets of a client.” Texas Disciplinary Rule 1.05 addresses the lawyer’s duty to preserve confidences and secrets:
(a) Confidential information includes both privileged information and unprivileged client information. Privileged information refers to the information of a client protected by the lawyer-client privilege . . . . Unprivileged client information means all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.
(b) Except as permitted by paragraphs (c) and (d), or as required by paragraphs (e), and (f), a lawyer shall not knowingly:
(1) Reveal confidential information of a client or a former client to:
(i) a person that the client has instructed is not to receive the information; or
(ii) anyone else, other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s law firm.
There is a clear takeaway from these rules, and many others, the analysis of which alone could comprise an entire article: lawyers and law firms have an ethical duty to maintain appropriate cybersecurity defenses to protect their clients’ data.
You cannot effectively fight against something that you do not understand. If you want to be effective in defending your law firm—and your client data—against cyberattacks, you must have a better understanding of what cybersecurity entails. To understand the objectives of cybersecurity we must understand what we are trying to protect against, and that encompasses many things. First, what kinds of activities are we trying to protect against? Second, what kinds of data are we trying to protect? Third, what kinds of attack vectors are we trying to protect against? Fourth, what is the most challenging aspect of all – the evolving nature of cyberattacks?
When they hear the words data breach, people usually think of situations where cybercriminals removed data from a network, such as in the well-publicized Target, Home Depot, and Neiman Marcus cases. While stolen data certainly constitutes a data breach and a cybersecurity incident, both can exist even when data is not stolen (commonly referred to as exfiltrated). One of the fundamental principles of cybersecurity is often referred to as “the CIA of security”:
Almost from its inception, the goals of computer security have been threefold: confidentiality, integrity, and availability—the “CIA” of security. Confidentiality ensures that only those individuals who have the authority to view a piece of information may do so. No unauthorized individual should ever be able to view data to which they are not entitled. Integrity is a related concept but deals with the modification of data. Only authorized individuals should be able to change or delete information. The goal of availability is to ensure that the data, or the system itself, is available for use when the authorized user wants it.
As a result of the increased use of networks for commerce, two additional security goals have been added to the original three in the CIA of security. Authentication deals with ensuring that an individual is who he claims to be. The need for authentication in an online banking transaction, for example, is obvious. Related to this is nonrepudiation, which deals with the ability to verify that a message has been sent and received so that the sender (or receiver) cannot refute sending (or receiving) the information.
What this means is that the objective of cybersecurity must focus on protecting the confidentiality, integrity, and availability of information and making sure that it is authentic and can be verified as such.
While not always an “attacker” in the sense that they have the requisite intent to be a “bad guy,” the reality is, the biggest threat to most organizations’ data comes from their own people. People are the weakest link when it comes to protecting information.
1. Internal Threats.
Statistics show that the vast majority of organizations’ information that is improperly disclosed or taken is done so by people within the organization—insiders. Internal threats can be either accidental or intentional.
a) Accidental Internal Threats.
First, there are those people who are careless, negligent, or poorly trained and do things that accidentally lead to a disclosure of confidential organization information. This often happens by clicking on email links, social media, or websites that are spear phishing attacks. Other times it is through simply talking too much and trusting others when they should not, whether at cocktail parties or in response to direct social engineering attacks. Finally, it can be losing a smart phone, leaving a thumb-drive, or losing a laptop with confidential information.
b) Intentional Internal Threats.
Intentional internal threats come from an insider in your organization who intentionally takes organization information, which leads to its disclosure or use against you. A few of the reasons they may do this are that they:
- contributed to the development of the information and believe they have a right to it
- want to keep a memoir of their work
- want to keep a copy for ideas in the future
- plan to use it to compete against you in the future
- have some ownership in the business and believe they have a right to it
Others may, with the best of intentions, store the information on personal devices or accounts while working for your organization but later, once no longer working there, re-discover the information and decide to use or disclose it at that time.
Regardless of the reason, recent studies show that more than 60% of the insiders who leave an organization take confidential information with them—oftentimes sensitive information—and many plan to use it to compete against the organization. In these situations, these insiders’ activities may violate both the federal and Texas unauthorized access laws which provide for criminal and civil remedies.
c) Warning: Insider Taking Information May Trigger Organization Data Breach.
Worse, when they do this, they trigger a data breach on the part of the organization from which they are taking it. The Texas data breach notification law is titled Notification Required Following Breach of Security of Computerized Data, and provides as follows:
(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”
What this means is that, when sensitive personal information (SPI) is entrusted to an organization and is protected within the confines of the organization, accessible only by its employees who are under an obligation to maintain the confidentiality of such information, it is considered legally “secure.” However, when an employee leaves his or her employment and takes that data with him or her, outside of the legal confines and security of the organization’s network and without that continuing duty of confidentiality of the organization, that is now an “unauthorized acquisition … [that] compromises the security, confidentiality, or integrity of” the SPI and constitutes a data breach. This is certainly not a popular way of viewing the law but the author believes it is accurate.
2. External Threats.
External threats can be either random or targeted.
a) Random External Threats.
Random attacks can occur when your information is taken as part of a bigger criminal scheme, such as a burglary in which files, data and equipment are stolen.
Random attacks are also how we would describe many hacking attacks, where hackers steal data from organizations without having any idea of what the data actually is and not knowing its value. A hacker’s goal is to penetrate your organization’s computer system and then establish a connection between your system and theirs to use for exfiltrating data from your computer system. The data is usually packaged with other random data and sold in bulk on the black market (the Dark Net), much the way banks package bad debt to sell to debt collectors. The data is sold based on volume, not the value of its content, which is why your organization’s data is just as valuable as anyone else’s for most random hacking attacks.
b) Targeted External Threats.
Targeted external threats are those situations where someone who is not a part of your organization specifically sets about to steal your organization’s information. An example of this could be a burglar specifically targeting your organization but, in reality, people have found that it is far more efficient to commit crimes using computers than crowbars. More often than not, when your business has information that someone else wants, they will take it with a smartphone camera, video, or directly through your computer system—not a busted-out window. This is most common in corporate espionage cases where a competitor seeks to steal your organization’s information but does not have someone on the inside to assist.
3. Blended Targeted Threats.
Common threats in today’s highly-competitive business environment are blended targeted threats.
a) Departing Insider Leaving for a Competitor.
The most common scenario is when an employee of your business is planning to go work for one of your competitors. Before resigning and while still in a position to have access to your organization’s valuable information, that employee begins taking information and giving it to your competitor to undermine your organization and give an unfair advantage to his future employer.
b) Disloyal Insider Planted for Corporate Espionage.
A less common, but more egregious situation is where a competitor has a disloyal employee (or contractor, member of cleaning crew, housemaid, etc.) planted as a trusted insider within your business (or home) and that person stays there, continuously providing a point of access to your computer system or directly exfiltrating your valuable information to the competitor over an extended period of time. The bigger problem with this is, when you are dealing with information, you cannot see it disappearing as you can with physical assets being stolen, and it can go on for years undetected. This is a classic example of corporate espionage. Not only are private businesses involved in this type of espionage but there are also many foreign state-sponsored corporate espionage operations directed toward American businesses.
Cybercriminals attack businesses to attempt to gain access to many different kinds of data that the organization has, or has access to, that it may not even realize it has. The obvious starting point is the organization’s own company data, but beyond that, organizations usually have their workforce’s data and customer and client data. From there, they often hold data belonging to third parties, collected through their work, including that of their third-party business associates, which could prove to be very valuable. These are just some examples of the data that businesses must protect from cybercriminals.
Virtually every business has some form of intellectual property, that is, something unique or remarkable about the way it makes a product or provides a service that sets it apart from the competition. This is something that gives it a competitive advantage and is usually something it has spent significant time and resources to develop, many times in the form of trade secrets. Unfortunately, in today’s business environment, honor and integrity are not always the rule and many businesses find their intellectual property is being taken and used to compete against them. When considering the data that needs to be protected, businesses should pay special attention to their intellectual property.
Law firms in particular have very sensitive, and very valuable, data for hackers. Instead of having to steal information from company after company, one at a time, they can attack the law firm, which has a treasure trove of information for many companies, all in one place. Law firms have their clients’ sensitive attorney-client privileged and work product information that could be extremely valuable to any of their litigation opponents, negotiating partners, or business competitors. They have clients’ financial data, corporate plans and projections, business strategies, trade secrets and intellectual property (oftentimes while still private, before filings are complete), and they often have their clients’ customers’ or workers’ sensitive personal information, as well as protected health information.
Cybercriminals will use any means of attacking a business that they can find. The most direct means of attack is against the company’s network through vulnerabilities that can be found by what some like to refer to as “security research,” which many times is legitimate but many times is not. Attackers will attempt to gain access into the company’s network by focusing on its website, email system, and company-owned and BYOD devices that employees use, as well as portable devices such as infected USB drives, to gain an entry point into the network.
In some cases they may use sophisticated GSM / mobile telephone type devices to exfiltrate data from the network outside of the firewall or intrusion detection or intrusion prevention systems. They may also infect websites of third-parties that they know company insiders will visit so that, upon visiting the sites, the company insiders will then download the malware into the company’s network.
Speaking of third-parties, third-party risk or, what is often referred to as supply chain risk management (SCRM), is now one of the hottest trends in cybersecurity. And, for good reason. What we have learned is that the more a company prepares its own defenses and hardens itself against cyberattack, the more the attackers evolve their techniques by doing things such as using vulnerable third-parties with a connection to the intended target to be the vehicle that facilitates their attack.
Have you heard of the national retailer that was hit with a perfectly timed cyberattack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? The company is Target. Target, however, was not attacked directly. Cyber criminals launched an email spear phishing campaign at Fazio Mechanical Services — Target’s third-party HVAC vendor — and someone at Fazio opened the email and clicked on the link, giving the criminals access to Fazio’s system, where they sniffed around until they found the login credentials that Fazio used to log into Target’s vendor portal, which they then used to gain access into Target’s computer system.
Sun Tzu on Cybersecurity.
The lessons of Target, Fazio, and third-party attacks go back to the great Sun Tzu on Cybersecurity:
- “In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.”
- “You can be sure of succeeding in your attacks if you attack places which are not defended.”
- “The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.”
Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.
Around 500 B.C. Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third-parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.
Combatting the unique and unprecedented nature of business cyber risks is the essence of cybersecurity. Cyber risks are continuous and evolving; therefore, cybersecurity must also be a continuous process that is always evolving to anticipate and defend against the threats. This work is never done. Such is the nature of cybersecurity. When defending against cyber risks, there are known-knowns that we can prepare for and there are unknown-knowns that we can learn about and then prepare for. But there are also unknown-unknowns that do not even exist at this moment but that are quickly becoming unknown-knowns. These are the real challenge, and that is where it is most evident that cybersecurity is not a science, it is an art.
Exfiltrating data is not the only way a bad actor can cause harm. Consider the effectiveness of the Stuxnet malware. Delivered by an employee who could not resist the temptation to pick up a free (infected) USB drive left in the parking lot of an otherwise secure facility, once inserted into the network, the malware covertly made its way to the computer program running the Siemens industrial control systems that it was designed to attack. Once there, it subtly increased the speed at which the supersonic uranium-enrichment plant centrifuges operated so that they would tear themselves apart. The sophisticated Stuxnet was designed to then eliminate all traces of its existence from the network, leaving investigators with no clue as to what caused the problem.
Does this state-sponsored cyberattack sound too fantastic to happen to companies in the business world?
In 2014, a German steel mill was the target of a sophisticated cyberattack in which hackers surreptitiously attacked and took control of the production management software for the steel mill, took over most of the plant’s control systems and caused substantial material damage to the physical site. That is, they altered the integrity of the software data. While this may sound like the plot of a James Bond movie, the reality is, the intrusion into the steel mill’s network was not terribly complicated. In fact, it started with a basic spear phishing email:
In other words, hackers send fraudulent emails seemingly coming from sources that were well-known or reliable to the recipient, which usually encourage the recipient to open an attached document or visit a website containing malware. In this case it was an attached file. Once the file was opened the malware was injected into the sales software of the plant. From there, it made its way through the network while damaging numerous systems and industrial automation components.
While attacks like Stuxnet and the German steel mill can now easily be carried out by non-state actors, they do not have to be. Do you think countries like China, Iran, North Korea, and Russia are not directing their cyber-based industrial espionage activities toward companies in the United States?
Sony would certainly beg to differ after November 24, 2014, when the North Koreans attacked with malware that spread from computer to computer erasing everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers, topped off with a deleting algorithm that overwrote the data seven different ways so that nothing could be recovered. To make matters worse, not only did the attackers destroy Sony’s data, but they had also stolen it before they began that phase of the campaign:
Over the next three weeks they dumped nine batches of confidential files onto public file-sharing sites: everything from unfinished movie scripts and mortifying emails to salary lists and more than 47,000 Social Security numbers. Five Sony films, four of them unreleased, were leaked to piracy websites for free viewing. Then the hackers threatened a 9/11-style attack against theaters, prompting Sony to abandon The Interview’s Christmas release.
The attackers destroyed Sony’s data (availability), exfiltrated sensitive data of Sony’s employees (confidentiality), exfiltrated highly valuable intellectual property (confidentiality) and obtained a trove of highly-confidential and embarrassing emails from Sony’s executives that gave rise to one of the first examples of shame hacking, that is, using hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with the demands made of them.
We have been observing an evolution in hackers’ tactics from going after data that could be directly monetized, such as payment card data, to going after data that can be monetized indirectly through extortion, such as the Ashley Madison data. The hack of the Brazzers porn site is similar to the Ashley Madison hack in that the real opportunity for monetization lies not in the intrinsic value of the data itself, but in the opportunity to use the data to embarrass and extort others into paying money to keep it secret.
The Brazzers data dump from the hackers includes email addresses, user names and passwords spelled out in plain text, which can certainly lead to embarrassment for those who would not want their spouses, significant others, co-workers, employers, employees, parents, children, pastors, congregation, or constituents to know they are members of such a site. But, it gets worse. This wasn’t just a porn site, it was a forum that porn fans used for discussing their favorite porn scenes, favorite performers, and their own fantasies.
1. Sophisticated attacks are often by non-state actors.
Do you think that only state actors like those involved in Stuxnet or the Sony attack have the capability to execute such cyberattacks? The code for the Stuxnet malware made its way into the cyber-wild and has been modified and used by private actors many times. Information on how to carry out similar attacks, even if to a somewhat lesser degree, is readily available on YouTube—and certainly the Dark Web, where one can also purchase the actual tools needed to carry out the attack.
2. Cyber attacks are used to destroy physical assets.
The Stuxnet and German steel mill attacks both demonstrate how effective cyber attacks can be at destroying physical assets. For the former, it was uranium enrichment centrifuges, and for the latter it was manufacturing equipment.
3. Cyber attacks are used to destroy data by making it inaccessible to its owners.
The North Korean cyber attack on Sony demonstrates that these attacks are oftentimes carried out to make information inaccessible, not just to steal information. In this example, the attackers installed malware with a deleting algorithm that overwrote the data seven different ways so that nothing could be recovered. Clearly their intention was to cause substantial harm, not just steal data.
4. Cyber attacks are used for “shame hacking”—i.e., using sensitive information for extortion or embarrassment.
The Sony case also demonstrates that cyber attacks are used for obtaining sensitive data that may not be intrinsically valuable but can be used for extortion or embarrassment if it is revealed. In the Sony case, the hackers released Sony executives’ information from their email folders and all of the personally and professionally embarrassing email conversations they had exchanged.
In the Ashley Madison, Brazzers, and Adult Friend Finder breaches we saw a similar form of shame hacking. In those cases the hackers obtained information about who the members of the services were and about their sexual preferences and fantasies; such information is not intrinsically valuable, but it is of a nature that would cause tremendous embarrassment to those individuals should it become public. Because of this, after obtaining the information the hackers tried to monetize it by making extortion demands on the companies.
One more timely example of this could be that of a well-known politician whose campaign chair fell for a simple Gmail phishing attack that led to sensitive, embarrassing emails being revealed to the public during the campaign. While it makes many people feel better to say this was the product of a sophisticated state-sponsored cyber attack orchestrated by the Russians, the reality is, even an amateur lone hacker is capable of carrying out an email phishing campaign.
5. Humans are the weakest link and social engineering is the most common means of attack regardless of sophistication.
The most important point to realize, and one that is rarely emphasized about the Stuxnet and German steel mill attacks, both of which are considered to be truly sophisticated attacks, is that social engineering was the entry point for those attacks and is far and away the most common avenue of attack for all cyberattacks.
Social engineering is, generally speaking, using deception to trick people into doing dumb things. With Stuxnet, it was picking up a USB drive from the parking lot and plugging it into a secure network environment. In the German steel mill case, it was clicking on a file that was included with a phishing email. For Target, it was the clerical employee working at Fazio that clicked on the link in the phishing email. For the politician, it was the campaign chair responding to a phishing email by entering his account login credentials to a fake site designed to collect such information.
The problem with all of this is, while many businesses (and others, like politicians) claim they have been victimized by the super sophisticated “unprecedented” exotic, real, James Bond-like hacking attacks, the legitimate ones are rare. The vast majority of the cybersecurity incidents businesses experience are because of much simpler things like lost USB drives, stolen laptops, or highly-effective phishing scams. Here are a few excerpts from Verizon’s well-respected 2016 Data Breach Investigations Report that confirm that businesses that spend their resources addressing the basics will be focusing on a significant part of the cybersecurity problem:
- “Phishing has continued to trend upward … and is found in the most opportunistic attacks as well as the sophisticated nation-state tomfoolery.” (p. 12)
- “The majority of phishing cases feature phishing as a means to install persistent malware.” (p. 21)
- “63% of confirmed data breaches involved weak, default or stolen passwords.” (p. 24)
The point of this discussion is not to say that businesses do not need advanced cybersecurity defenses—they certainly do—but they must not neglect the basics. Businesses that want to improve their cybersecurity must focus on how to defend against the threat of social engineering and the most effective way to do that is by training their employees to recognize social engineering attempts and resist the temptation to fall for them.
The following is a non-exhaustive list of critical cybersecurity measures that law firms must implement in order to improve their cybersecurity defenses. There are many more that should be considered, however, these points are discussed here because many times they are overlooked and not addressed in many traditional “cybersecurity defenses” discussions.
Law firms must not only obtain “buy in” by firm leadership but must also have leadership so committed to cybersecurity that they are the leaders in establishing and fostering a culture of security.
A compelling meme recently circulated on LinkedIn which depicted two scenes. The first had 3 people pulling a block labeled “business” and on top of the block was an individual sitting at a desk pointing forward. The person sitting on the business, at the desk, was labeled “boss.” In the second, 4 individuals were now pulling the business and no one was sitting on it. In this, the person in front was labeled “leader.”
Within any organization, the culture always starts at the top and works its way down. When it comes to establishing a culture of cybersecurity this principle remains true. Moreover, when it comes to lapses in cybersecurity, in many cases the company executives are the first to fail. Oftentimes this is because they believe they do not need to abide by the same policies and procedures that are imposed on the employees and they have themselves exempted from them, not understanding that they too need the protections of those policies and procedures.
The cybersecurity industry has become a FUD (fear, uncertainty, doubt) inspired, gadget driven space where each day someone is anxious to sell others on why their new product or service is the latest-greatest solution to solve all your company’s cybersecurity worries. And, they are always “DOD approved”! The problem is, while everybody is touting their own preferred solution and businesses are buying one here, one there, and another over there, there is rarely anyone who is standing back looking at the big picture to see if all of the security gaps are being filled, how well the solutions play with each other (or whether they counteract each other), and whether anybody even knows how to work it all. Most organizations are missing a head coach and they desperately need one to establish and understand the overall strategy and make sure it is executed.
Cybersecurity and physical security are inextricably intertwined such that you cannot have adequate cybersecurity without adequate physical security. Many cybersecurity incidents are caused by lost or stolen devices, such as laptops, mobile phones, USB drives, and even servers being stolen from locations such as office buildings. Unless such devices are properly encrypted, each of those thefts is a data breach for the organization from which they were stolen.
Beyond that, however, one of the first steps that cybercriminals take when launching a cyber-attack is to try and gain physical access to the computer network infrastructure of the target organization, which makes it much easier to install malware, key loggers, credential sniffers, or even GSM devices to exfiltrate information outside of the organization’s network firewall and data loss prevention systems. Many times, such access is available because the organization does not have its physical facilities adequately secured and has its critical network components stored in a location that is easily accessible. In other cases, however, they do attempt to protect against physical access but the hackers are creative and will do things such as use social engineering to pretend they are part of IT maintenance or a copier, telephone, or other type of repairman to gain such access. At other times they will “tailgate” kind and helpful employees through secured entrances that require credentials to enter. Or, they may recruit members of the janitorial service that services the facilities and use their access to gain entry.
In the past, the following measures were recommended for companies and their employees because it was generally understood that they were the ones with access to your law firm’s data and networks. As previously discussed, however, third parties have become a primary vector of attack and in many cases, third parties also have access to your law firm’s data and networks for various purposes. Accordingly, where appropriate and possible, the measures that are recommended for within your law firm are also recommended for any third parties that have such access. The objective, after all, is to focus on and protect the data and network—wherever it may be and however it may be accessed.
1. Policies and Procedures.
2. Training of All Employees.
3. Phish All Employees (Especially Executives).
4. Password Policies.
5. Security Questions.
6. Signature Based Antivirus / Malware Detection.
7. Multi Factor Authentication.
8. Backups Segmented from the Network.
Close your eyes and envision this scenario: Your most lucrative client—or your firm CIO—calls and tells you that someone just clicked on a link in a phishing email and now all of the company’s (or firm’s) network has been encrypted with ransomware and the attackers are demanding a $50,000 Bitcoin payment to provide the decryption keys and if it is not paid within 72 hours, the decryption keys and the data will be destroyed forever.
This is a very real scenario and at this time is one of the most common methods of successful cyberattack on a global scale. You could try and pay the ransom but there are several problems with that (in addition to the FBI publicly discouraging it):
- First, you are relying on there being honor among thieves and trusting that the attackers will honor their word if you pay the ransom. Some of these criminals are known for upping the demand after receiving their first payment.
- Second, do you even know how or where to get $50,000 in Bitcoin?
- Third, can you even get $50,000 in Bitcoin within 72 hours (it is very difficult)?
- Fourth, do you have the ability to spend $50,000 on this anyway?
- Fifth, assuming you can comply and actually pay it, if they provide the decryption keys and the data is decrypted, will you be back up and running as though it never happened? The author has had one client describe this situation as purchasing a brand-new Cadillac and while driving it home from the dealership having a collision that totals out the car such that it is in thousands of pieces then taking those pieces to the nearest “shade tree mechanic” and asking that person to put it back together—that is what your network will “run” like after being decrypted assuming all else goes well.
- Finally, assuming you are willing to pay $50,000 to support and encourage more criminal activity, actually do pay the ransom and can get back up and running, the cybercriminals now know that you have money and are willing to pay up. Do you think you are now safe from future attack? In many cases, they will have latent malware in your network that will open the door to a future attack. Even if they don’t, however, these criminals communicate with one another and word spreads quickly.
Shortly after the CIO makes this call, she realizes that the company has a backup of the network from yesterday that can be restored to avoid paying the ransom. She is excited and your client is excited because she just realized that the company’s most valuable intellectual property—the software technology that is highly proprietary, has never been revealed to anyone else, and is the sole reason for the company being in existence—is on the network and that is the only source for it in existence. Without this asset, there is no company.
Within 5 minutes, the CIO calls back: the backups were also encrypted by the ransomware. There goes the company and, with it, your most lucrative client.
It has become well known that the best defense to ransomware (right after training employees not to click on links or open email attachments) is to have a reliable backup of the network that can quickly be restored. Cyber criminals have learned this and, following the teachings of Sun Tzu, have adapted their strategies by writing malware that will not only encrypt the primary network but will also seek out and encrypt all backups that can be reached. The way businesses began adapting to this tactic has been to have the backup segmented from the network so that the ransomware could not reach it. This has proven to be an effective tactic and is something all businesses should be doing at this time.
Unfortunately, as always, the attackers are aware of this strategy and are again adapting their techniques even as this guide is being drafted. Understanding that shortly after an attack, businesses that have a segmented backup will move quickly to restore that backup and bring it online, they have begun installing latent “time bomb” type malware that will lurk in the system and wait until the backup is brought online and then encrypt that as well. Because of this evolving tactic, it is important that any business that has a ransomware attack obtain the assistance of a highly-qualified cybersecurity forensics firm to seek out and destroy all traces of the ransomware.
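The two preceding paragraphs make a practical point that is worth seeing in code: a segmented backup is only useful if you can tell, before bringing it back online, that it has not already been encrypted or tampered with. The following is an added example, not code from the original guide, showing one way to do that: hash every file in the backup set, seal the list of hashes with an HMAC whose key lives only on the offline side of the segmentation, and check both before any restore. All file names and the key below are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed sample key. In practice this key lives with the offline/segmented
# backup media, never on the hosts being backed up, so malware that reaches the
# backup files cannot also forge a matching manifest.
OFFLINE_MAC_KEY = b"example-offline-key-keep-off-the-network"
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(backup_dir: Path):
    """Yield (relative_path, Path) for every regular file except the manifest."""
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            yield str(p.relative_to(backup_dir)).replace(os.sep, "/"), p


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record a SHA-256 for every file and seal the list with an HMAC."""
    files = {rel: sha256_file(p) for rel, p in _relative_files(backup_dir)}
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the set is safe to restore."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Check the seal first: a manifest edited to match encrypted files must fail here.
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return ["manifest MAC mismatch: the manifest itself was altered or forged"]
    problems = []
    for rel, digest in manifest["files"].items():
        path = backup_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    for rel, _ in _relative_files(backup_dir):
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Constructed walk-through: a clean set verifies, an overwritten file is
    caught, and a manifest edited to hide the change is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "clients").mkdir()
        (backup / "clients" / "matter-001.docx").write_bytes(b"constructed client document")
        (backup / "source.tar").write_bytes(b"constructed proprietary source archive")

        manifest = build_manifest(backup, OFFLINE_MAC_KEY)
        clean = verify_manifest(backup, manifest, OFFLINE_MAC_KEY)

        # Stand-in for ransomware rewriting one backup file with ciphertext.
        (backup / "source.tar").write_bytes(os.urandom(64))
        encrypted = verify_manifest(backup, manifest, OFFLINE_MAC_KEY)

        # Stand-in for an attacker who can edit the manifest but lacks the offline key.
        forged_files = dict(manifest["files"])
        forged_files["source.tar"] = sha256_file(backup / "source.tar")
        forged = {"files": forged_files, "mac": manifest["mac"]}
        tampered = verify_manifest(backup, forged, OFFLINE_MAC_KEY)

    return {"clean": clean, "encrypted": encrypted, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

The design choice that matters is where the key is kept: a plain hash list detects ransomware that rewrites files, but only a seal keyed from the offline side detects an attacker who rewrites the hash list as well, which is the "time bomb" scenario the text describes.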
“Encryption is the process of encoding information so that only the sender and the intended recipient can use that information.” According to noted computer security expert, technologist, rocket scientist and encryption evangelist Ronald L. Chichester, “[e]ncryption is viewed widely as the single best security measure that one can take to secure digital information.” According to Chichester, “all forty-seven states that have data breach/notification laws cite encryption as a valid mechanism (“safe harbor”) to protect data and preclude the need to notify victims if the security of an information system is breached.” Appendix B contains Chichester’s excellent article, Be a Hero: Encrypt Documents for Free in 3 Steps, and Learn Enough to Teach Your Clients and Opposing Counsel, in which he explains more about what encryption is, why it is important to encrypt sensitive client data (and other information that needs to be kept secure), and more importantly, how to encrypt and where to obtain free tools to do so effectively!
Encryption, however, like other cybersecurity protections is not guaranteed and as more sophisticated hackers obtain more powerful computers, such as through quantum computing, much of what we consider to be securely encrypted files may no longer be secure. For information that is so sensitive that no chances can be taken, such as the secret formula to Coca-Cola, such information should be encrypted and also air-gapped. “An air-gapped computer is one that is neither connected to the internet nor connected to other systems that are connected to the internet.” “A true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a firewire connecting two computers directly.”
It is now essential that companies use adequate logging to detect intrusions and unauthorized activity in their network. Intrusions will happen and it has become virtually impossible to stop all intrusions. However, as the author explained in the Reporting Guide, not all intrusions into the network are data breaches or even incidents; some may be relatively harmless cybersecurity events. The problem is, how do you know whether an intrusion was an event, an incident, or a full-blown data breach and, if so, the extent of the breach? In other words, how do you know whether you need to notify 100 employees that something like their personal W-2 information was accessed, or 1 million customers around the world that their banking information was stolen?
The most valuable thing your law firm can have at this time is accurate and detailed logging data that shows when the intrusion occurred, where it came from, how long they were in your network, what they accessed while in your network, and what if anything was exfiltrated from the network or infiltrated into your network. When you seek help from law enforcement, the first thing they will want to see is the logging data to aid them in doing their forensic analysis. It is critical to any investigation.
This means the law firm must retain these logs for an adequate period of time. Statistics often show that the average length of time before an intrusion is detected is 205 days and in some cases it can be much longer.
Centuries ago the great Sun Tzu, in his teachings on cybersecurity, explained that when it comes to data security, you must be wary of your business associates and other third parties. A prime example of this is how the hackers that attacked Target did so by first attacking one of its vendors, Fazio Mechanical Services, and then using that access to pivot their way into the Target network environment. This attack was discussed previously.
In early 2014, as the world was learning the details of this indirect means of attack used against Target, people began to gain a better understanding of what it means to focus on third party risk and supply chain risk management (SCRM) in the cybersecurity context.
The Federal Trade Commission (FTC) was paying attention as well. In the enforcement action In re GMR Transcription Services, Inc., it required GMR to take the following 3 steps when working with third party service providers that will have access to or store confidential customer data: (1) investigate the service provider’s cybersecurity practices before hiring them; (2) obligate the service provider to adhere to the appropriate level of data security protections, which is done through contractual obligations; and (3) verify (i.e., audit) that the data service providers are complying with those contractual obligations.
The Securities and Exchange Commission (SEC) was also paying attention and produced a document titled OCIE Cybersecurity Initiative for the National Exam Program of the Office of Compliance Inspections and Examinations. In this, the SEC devoted an entire section to Risks Associated With Vendors and Other Third Parties and strongly indicated that it would be focusing on cybersecurity protections for investor data maintained in third party databases.
The focus on third party risk and SCRM in cybersecurity has grown steadily. In January 2017, the National Institute of Standards and Technology (NIST) issued a proposed draft update for the Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the Cybersecurity Framework. While, technically, the Cybersecurity Framework is not binding on most private organizations, it is viewed by the FTC and other regulatory agencies as being the gold standard and something they look to in evaluating organizations’ cybersecurity practices in enforcement actions. According to NIST, the proposed update focuses on “[p]roviding new details on managing cyber supply chain risks, clarifying key terms, and introducing measurement methods for cybersecurity, the updated framework aims to further develop NIST’s voluntary guidance to organizations on reducing cybersecurity risks.” The proposed framework adds “Supply Chain Risk Management (SCRM)” as a “Framework Core” function and highlights the following 4 key goals for organizations and their business partners: (1) coordinating cybersecurity efforts with suppliers of IT and OT (operational technology); (2) enacting cybersecurity requirements through contracts; (3) communicating how cybersecurity standards will be verified and validated; and (4) verifying that cybersecurity standards are met. Do you notice the familiar theme?
We are nearing a point where the minimum standard of care for any type of organization will require that it have an Incident Response Plan (IRP) for cybersecurity incidents. The SEC recently reinforced this statement in its consent decree in SEC v. R.T. Jones Capital Equities Management, in which it stated, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” The IRP should be long enough and short enough to be effective for use in a time of crisis. To gain a better understanding of what this means, consider the Cybersecurity Incident Response Checklist in Appendix A, which identifies many of the basic things that need to be done when responding to a data breach. Then, develop an IRP that will make it more efficient to do those things.
There is more, however, than simply having an IRP. Recognize that when your organization needs an IRP, it will be in a time of extreme crisis and chaos because it will have just had a data breach. To put this in context, all but the smallest of buildings and offices likely have a plan in place for how to respond to a building fire. But, is that all? Usually, no, because what good is a plan if no one knows about it, knows they have a role in the plan, or understands how to execute the plan? Accordingly, there are things called “fire drills” where the key people who have a role in executing the plan will assume their roles in a simulated building fire situation and practice executing the plan.
That is exactly what organizations need to do with their IRP. This is what is called tabletop testing of an IRP and is something that should be done at least annually but preferably more often. Through this tabletop testing, the people involved will discover weaknesses in the plan, new developments within the organization that require modification of the plan, and other information that indicates the plan should be reassessed and revised to be more effective. This process never ends and, fortunately, results in a more efficient incident response team and a more effective IRP that is perpetually evolving.
The Federal Trade Commission (FTC) published a guide for businesses to evaluate their cybersecurity practices against FTC enforcement action decisions, Start with Security: A Guide for Business. This guide is as useful for law firms as it is for businesses and recommends taking the following steps:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
THE IMPORTANCE OF PREPARING TO RESPOND TO AN INCIDENT: “YOU DO NOT DROWN FROM FALLING INTO THE WATER.”
While there is little that any organization can do to change the cybersecurity law schizophrenia, there are things that organizations can do to minimize the harm that results from cybersecurity incidents. Much of this chaos and confusion can be limited by having a written Cybersecurity Incident Response Plan that key players understand and that has been practiced. Having such a Plan is essential.
You do not wait until your building is on fire to start planning how to get out. Similarly, you should not wait until you are in the middle of a cybersecurity incident to start planning how your company will respond. You cannot plan for everything, but you can plan for a lot, and doing so removes a lot of the confusion and chaos and gives some order to how to approach and handle the situation. Consider this saying and then apply it to cybersecurity: “You don’t drown by falling in the water; you drown by staying there.”
Organizations do not face catastrophic loss simply because they have a cybersecurity incident; they face catastrophic loss when they have not prepared and are unable to respond to or recover from a cybersecurity incident. An Incident Response Plan is critical for helping companies respond to and recover from cybersecurity incidents.
The author has guided many organizations through the data breach incident response process and has assisted many with preparing their Incident Response Plans. Appendix A to this guide is the Cybersecurity Incident Checklist that the author has prepared, which shows some of the most common steps that must be taken during the incident response process. Many of these steps should be completed within the first few hours after learning of the incident, and certainly within the first few days, which further highlights why it is so important to be prepared. It is important to note that this is only an abbreviated checklist. It is neither a comprehensive incident response policy nor an incident response plan and should not be substituted for either.
The Federal Trade Commission (FTC) published a guide for responding to data breaches, Data Breach Response: A Guide for Business, that recommends companies take the following steps:
- Fix vulnerabilities
- Assemble a team of experts
  - Identify a data forensics team
  - Consult with legal counsel
- Secure physical areas
- Stop additional data loss
- Remove improperly posted information from the web
- Interview people who discovered the breach
- Do not destroy evidence
- Think about service providers
- Check your network segmentation
- Work with your forensics experts
- Have a communications plan
- Determine your legal requirements
- Notify law enforcement
- Did the breach involve electronic health information?
  - Health breach resources
- Notify affected businesses
- Notify individuals
APPENDIX B: BE A HERO: ENCRYPT DOCUMENTS FOR FREE IN 3 STEPS, AND LEARN ENOUGH TO TEACH YOUR CLIENTS AND OPPOSING COUNSEL (by Ronald L. Chichester)
Shawn E. Tuma, Guide to Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Business Cybersecurity Law (Dec. 4, 2016), https://shawnetuma.com/cyber-law-resources/guide-reporting-cybersecurity-incidents-law-enforcement-governmental-regulatory-agencies/
Computer Fraud and Abuse Act of 1986, Pub. L. No. 99–474, 100 Stat. 1213 (codified at 18 U.S.C. § 1030 (2008)).
Tex. Penal Code § 33.02. Texas’ Breach of Computer Security is a criminal law that has a civil cause of action if the conduct constituting the violation was committed knowingly or intentionally, which is Chapter 143 of the Texas Civil Practice and Remedies Code, titled the Harmful Access by Computer Act (HACA). See Tex. Civ. Prac. & Rem. Code § 143.001.
ABA Rule 1.6: Confidentiality of Information, http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information.html
Canon No. 4, Code of Professional Responsibility.
Texas Disciplinary Rule 1.05, https://www.legalethicstexas.com/Ethics-Resources/Rules/Texas-Disciplinary-Rules-of-Professional-Conduct/I–CLIENT-LAWYER-RELATIONSHIP/1-05-Confidentiality-of-Information
Greg White, CompTIA Security+, p. 7 (3rd ed. 2011).
For a more in-depth discussion of these laws as they apply to insider misuse, see Shawn E. Tuma, Federal Computer Fraud and Abuse Act and Texas Computer Crime Statutes (June 17, 2016), http://www.slideshare.net/shawnetuma/federal-computer-fraud-and-abuse-act-and-texas-computer-crime-statutes
Tex. Bus. & Comm. Code § 521.053 (emphasis added).
See David Kushner, The Real Story of Stuxnet, IEEE Spectrum (Feb. 26, 2013), http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
See Shawn E. Tuma, “What Does CFAA Mean and Why Should I Care?” A Primer on the Computer Fraud and Abuse Act for Civil Litigators, 63 S.C. L. Rev. 141, 145 (2011).
Cyberattack On A German Steel-Mill, Sentryo (May 31, 2016), https://www.sentryo.net/cyberattack-on-a-german-steel-mill/
Shawn E. Tuma, David Beckham’s Exposed Emails Exemplify Shame Hacking Threat, Business Cybersecurity Law (Feb. 6, 2017), https://shawnetuma.com/2017/02/06/david-beckhams-exposed-emails-exemplifies-shame-hacking-threat/
Ben Gilbert, Hillary Clinton’s campaign got hacked by falling for the oldest trick in the book, Business Insider (Oct. 31, 2016), http://www.businessinsider.com/hillary-clinton-campaign-john-podesta-got-hacked-by-phishing-2016-10
Shawn E. Tuma, 1 Step to Improve Your Company’s Cybersecurity Today, Business Cybersecurity Law (Apr. 25, 2016), https://shawnetuma.com/2016/04/25/1-step-to-improve-your-companys-cybersecurity-today/
Verizon, 2016 Data Breach Investigations Report, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Ronald L. Chichester, Be a Hero: Encrypt Documents for Free in 3 Steps, and Learn Enough to Teach Your Clients and Opposing Counsel, http://184.108.40.206:8080/Plone/publications/be-a-hero_v1.pdf/@@download/file/Be%20a%20Hero_v1.pdf (see Appendix B).
Kim Zetter, Hacker Lexicon: What is an Air Gap?, Wired (Dec. 8, 2014), https://www.wired.com/2014/12/hacker-lexicon-air-gap/
Shawn E. Tuma, Guide to Reporting Cybersecurity Incidents to Law Enforcement and Governmental Agencies, Business Cybersecurity Law (Dec. 4, 2016), https://shawnetuma.com/cyber-law-resources/guide-reporting-cybersecurity-incidents-law-enforcement-governmental-regulatory-agencies/
See Dwight David, Cybersecurity 101: The criticality of event logs (Nov. 21, 2016), http://www.csoonline.com/article/3143618/techology-business/cybersecurity-101-the-criticality-of-event-logs.html
David Martin, The average time to detect a cyberattack is 205 days — here’s how to protect your company, Business Insider (Jul. 13, 2016), http://www.businessinsider.com/heres-how-to-protect-your-company-from-a-cyber-attack-2016-7
Consent Order, In re GMR Transcription Services, Inc. (Aug. 14, 2014), https://www.ftc.gov/system/files/documents/cases/140821gmrdo.pdf
OCIE Cybersecurity Initiative, SEC (Apr. 15, 2014), https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert–Appendix—4.15.14.pdf
Id. at p. 4.
NIST Releases Update to Cybersecurity Framework, NIST (Jan. 10, 2017), https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework
Cybersecurity Framework Draft Version 1.1, NIST (Jan. 10, 2017), https://www.nist.gov/sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1-with-markup.pdf
Consent Decree, SEC v. R.T. Jones Capital Equities Management, https://shawnetuma.com/2015/11/27/sec-v-r-t-jones-shows-the-sec-has-a-role-in-regulating-cybersecurity/
Shawn E. Tuma, Cybersecurity: How Long Should an Incident Response Plan Be?, Business Cybersecurity Law (July 1, 2016), https://shawnetuma.com/2016/07/01/cybersecurity-how-long-should-an-incident-response-plan-be/
Federal Trade Commission, Start with Security: A Guide for Business, https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
Edwin Louis Cole, https://www.brainyquote.com/quotes/quotes/e/edwinlouis170162.html
Federal Trade Commission, Data Breach Response: A Guide for Business, https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf