TRANSCRIPT
We've Been Hacked! Now What?
Presented by
Ryan J. Cooper, JD
Uri Gutfreund
Rob Kleeger
OM25
4/4/2017
2:45 PM - 4:15 PM
The handouts and presentations attached are copyright and trademark
protected and provided for individual use only.
We’ve Been Hacked! Now What?
Panelists:
Law Office of Ryan J. Cooper LLC
Ryan J. Cooper, Esq., CIPP/US
Risk Strategies Company
Uri Gutfreund, National Law Firm Practice Leader
Digital4nx Group, Ltd.
Rob Kleeger – Founder and Managing Director
Key Learning Objectives:
• Examine the breach response — who
needs to be called, reported to and the
steps needed to best protect the firm.
• Describe good defense strategies…Best
Practices
• Evaluate good cyber insurance policies.
Data Security (′dad·ə sə′kyu̇r·əd·ē) Defined
Keeping sensitive information from falling into the wrong hands.
The protection of data against the deliberate or accidental access of unauthorized persons. Also known as file security. (Source: Answers.com - www.answers.com)
The means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. (Source: Wikipedia - www.wikipedia.com)
[The] protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. (Source: The Institute for Telecommunication Sciences (ITS) www.its.bldrdoc.gov)
The protection of data from accidental or intentional but unauthorized modification, destruction or disclosure through the use of physical security, administrative controls, logical controls, and other safeguards to limit accessibility. (Source: US Social Security Administration www.ssa.gov/gix/definitions.html)
Generic term designating methods used to protect data from unauthorized access (e.g., encryption). (Source: US DOJ - Office of Justice Programs www.ojp.usdoj.gov/nij/publications/wireless/glossary.html)
The protection of data against unauthorized access. (Source: PC Magazine - www.pcmag.com)
Data Defined
Data is either…
In Motion -> such as being emailed
or
At Rest -> such as stored on your hard drive
It can be vulnerable and you need to be careful in both situations.
Data-in-Motion
• Protecting data-in-motion is a complex challenge. The Internet provides cheap global communication, but it has little built-in security.
• Most technology is built with security as an afterthought.
• Developers are pressured to “make it work” and meet tight deadlines.
• Functionality and ease-of-use are deemed top priority, which automatically makes security secondary.
• Many communications, email in particular, are still sent in clear text, meaning anyone who can intercept them can read them.
Data-at-Rest
Security breaches are typically made far worse when the attackers find troves of data in users’ stored emails and files, such as:
• Passwords sent to or received from others
• Confidential data, reports and financials emailed around
• Files with passwords stored unencrypted
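The troves the slide describes can be found before an attacker finds them. The scanner below is an added example for this handout, not the presenters’ code: it runs a few regexes over exported mail and notes and reports each hit with the secret redacted, so the report itself is not a new leak. The sample messages are constructed, and the patterns are a starting point rather than a complete secret-detection ruleset.

```python
"""Find credentials sitting in plaintext in mail and files.

Added example for this handout (not the presenters' code). The sample corpus
is constructed; on a real system the input would be exported mailboxes and
shared drives.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Each rule: (name, regex). Where a rule captures groups, the LAST group is the
# secret and is redacted in the report so the report itself does not leak it.
CREDENTIAL_PATTERNS = [
    # "password: hunter2", "pw=hunter2", "the password is hunter2"
    ("password-assignment",
     re.compile(r"\b(?:password|passwd|pwd|pw)\s*(?:is|:|=)\s*(\S+)", re.I)),
    # "login for the file server: fsadmin / Summer2016!"
    ("login-user-pass-pair",
     re.compile(r"\b(?:login|credentials?)[^\n:]*:\s*([\w.@-]+)\s*/\s*(\S+)", re.I)),
    # No secret captured: a lower-confidence hint that privileged accounts
    # are being discussed over mail (the story's IT-to-help-desk traffic).
    ("admin-or-vpn-account-mention",
     re.compile(r"\b(?:admin(?:istrator)?|vpn)\s+(?:account|login|user(?:name)?|password)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    source: str     # file or message the line came from
    line_no: int
    rule: str
    preview: str    # the offending line with the secret replaced by asterisks


def _redact(line, match):
    """Replace the last captured group (the secret) with asterisks."""
    if not match.lastindex:
        return line.strip()
    start, end = match.span(match.lastindex)
    return (line[:start] + "*" * (end - start) + line[end:]).strip()


def scan_text(source: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(source, line_no, rule, _redact(line, match)))
                break   # first matching rule wins; one finding per line
    return findings


def scan_corpus(corpus: Dict[str, str]) -> List[Finding]:
    findings = []
    for source, text in corpus.items():
        findings.extend(scan_text(source, text))
    return findings


# Constructed sample: an IT-to-help-desk mail, a personal notes file, a deal memo.
SAMPLE_CORPUS = {
    "it-to-helpdesk.eml": (
        "From: it@example-firm.test\n"
        "To: helpdesk@example-vendor.test\n"
        "Subject: remote session for the new DC\n"
        "Admin login for the file server: fsadmin / Summer2016!\n"
        "Let me know when you're done.\n"
        "Also please reset the VPN account for the new associate.\n"
    ),
    "notes.txt": "VPN password is Winter17\ndentist tuesday 3pm\n",
    "deal-memo.txt": "Funds flow: seller proceeds to be wired per Schedule A.\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.source}:{f.line_no} [{f.rule}] {f.preview}")
```

Run against the sample it reports three lines: the admin credential pair in the help-desk mail, the VPN password in the notes file, and the lower-confidence mention of a VPN account. Every hit is something to move into a password manager or an encrypted channel, and the mail thread between IT and the Help Desk is exactly where the case study's attacker found Administrator credentials.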
Law Firms Aren’t Immune
Is Cyber-Security Really a Serious Concern for the Small and Medium-Sized Law Firms represented in this room today?
1. The earliest and most publicized cyber-attacks were against the largest, most elite law firms in the world.
• FBI warnings to law firms as potential targets in 2009 and 2010
• FBI briefing in 2011 to the 200 largest law firms
• Newspaper headlines that the largest and most prestigious law firms were at risk
2. Today, cyber security is no longer an issue that concerns only the mega-firms. Cyber attacks now routinely occur at law firms of all types and sizes.
Law Firms Aren’t Immune
Why are Law Firms Rich Targets for Hackers? What do we have that somebody else might want?
1. Money.
2. Credit card information of clients and others.
3. A wide range of Personally Identifiable Information (e.g., health information, name and address information, account access information, social security numbers, etc.)
4. Confidential client business information.
5. Client intellectual property, trade secrets and other proprietary information of our clients.
6. Case and/or litigation strategy.
7. Legally privileged communications, including those protected by the attorney-client privilege.
Law Firms Aren’t Immune
• Law firms face professional liability and fiduciary breach risk from their clients.
• FBI: law firms are the targets of cyber-attacks.
• Law firms in international IP litigation have been hacked by foreign interests.
• Personnel have inadvertently permitted hackers to access client funds held in commercial banks.
• Lost laptops, thumb drives, and handhelds (especially with the proliferation of BYOD) become keys to unlock a law firm's network.
• This is a natural consequence of lawyers' and law firms' publicly identifying their clients, entering appearances in court as attorney, and listing clients on their own websites.
Who is the Weakest Link?
A “Cyber” Policy
Unauthorized Release of Private Information: what it costs
• Reputation
• Down Time
• Cost of Repairs
• Breach Costs
• Regulators / Fines
• Theft of Funds
Privacy Insurance: coverage components (diagram)
Third Party Coverages (Negligence):
• Security & Privacy Liability
• Media Content Liability
First Party Coverages (Costs):
• Network Interruption
• Cyber Extortion &/or Cyber Terrorism
• Data Restoration
• Event Management Expenses
Retention Each Claim: $5,000 - $1M
Event Management
• Data Breach Coach Expenses
• Forensic Investigation (Rob)
• Crisis Management Expenses
• Privacy Breach Notification
• Credit Monitoring
The story - Background
• Dewey, Cheetum & Howe, LLP (the “Law Firm”) is a midsized law firm with
offices in New York, Colorado, Illinois, and California. It has an excellent track
record of client service, voted “Best places to work” for several consecutive
years, and has been in business over fifty years.
• The Law Firm has had steady growth and hasn’t been a defendant in any
significant litigation in the past. The firm’s reputation is built largely around its
substantial corporate practice that focuses on real estate and M&A.
• The RE Group is national real estate counsel for a large Real Estate Investment
Trust (REIT) actively purchasing portfolios of bank owned properties (REO).
• The firm’s M&A practice enjoys a strong reputation in the SMB market. In any
given month, the M&A practice group is closing on multiple transactions,
typically involving the sale of closely held family businesses, with a transaction
price anywhere between $10 to $100 million.
The story – Background (cont’d)
• The Law Firm’s Employee Policy Handbook (all employees sign an
acknowledgment of receipt and compliance), includes the following
provisions:
Firm Information Technology
The Firm’s IT Systems are provided and intended for business purposes. Any
personal use of the IT Systems, including the email systems, that interferes with
the performance of any employee's work, or burdens or compromises the
effectiveness of the IT Systems is strictly prohibited.
…
Only Firm employees may use the IT Systems. Employees must use only their
own passwords and must inform the Firm of their passwords and provide
access to their computer files upon request.
The story – Background (cont’d)
• The Firm maintains software that allows all timekeepers and management personnel to access the Firm’s IT network and document databases remotely via a Virtual Private Network (VPN).
• The Firm has dedicated in-house IT support at all of its offices, but it also outsources a significant amount of IT support, including the firm Help Desk. The Help Desk uses an enterprise version of a popular consumer remote connection software.
• The Firm also maintains a Password Policy, which requires that all users change their password every 120 days, that each password is at least 8 characters, and includes one capital letter, one lower case letter, and one number.
The story – Timeline
A senior equity partner on the Law Firm’s Management Committee (Mr. Serious) takes his family on vacation; they go skiing in Colorado. Upon arrival at the airport, Mr. Serious’ teenage son (R.U. Serious) can’t find his backpack, which has his smartphone and iPad. This is particularly upsetting to R.U. Serious, since he and his new girlfriend (L. Gaga) had expected to video chat just about 24/7.
Tired of listening to R.U. Serious complain, Mr. Serious lends his son the Firm’s laptop so R.U. Serious can ‘check his email.’
Many months later, as September draws to a close, the Management Committee receives an emergency email at 7:00 pm: the Firm’s IT systems have been compromised and clients are missing money.
The story – Timeline (cont’d)
• Over the next 24 hours, the Management Committee discovers that hackers had changed the wire instructions in deal documents and related emails for 4 transactions that had closed over the past few weeks.
• The total amount of money missing was $72 million. In 3 transactions, it was the Firm’s clients who were the sellers, and who never received the money paid at closing. In the 4th transaction, the Firm represented the buyer.
• The Firm’s clients were deeply alarmed but, based on their decades-long relationship with the Firm, are trying to remain calm based on the Firm’s reassurances that the Firm will sort things out. (Although calm, they are already interviewing new lawyers.)
• The seller in the 4th transaction has no patience, however. He and his attorneys have already threatened lawsuits against the Firm and its client the buyer, and are threatening to make the loss a very public spectacle.
The Story – Data Concerns
• A forensic analysis reveals that the hackers had obtained log-in credentials for firm employees. The first credential used was an old VPN log-in for an employee who had left the firm a year prior. The log-in credentials were never deactivated and, because the employee never logged in again, the 120-day password prompt never went into effect: the age check only ran at login, so an unused account kept its password indefinitely. (The hacker received the prompt and changed the password.)
• The analysis further determined that once inside, the hacker installed malware, such as key loggers, and began reviewing the firm’s files and documents.
• Over the next few months, the hacker steadily obtained additional credentials, including Administrator log-in credentials from emails between the Firm’s IT staff and the outside Help Desk.
• At this point, the hacker had identified the most promising targets for upcoming deals, and used the Administrator credentials to begin intercepting email in real time.
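The first finding above is an offboarding failure that a routine account audit would have caught: a departed employee whose VPN login stayed enabled, whose password age was never checked because the check only fires at login, and whose account then logged in after the termination date. The audit below is an added example for this handout, not the presenters’ code. It applies the firm’s 120-day rule from the case study to constructed account records; the 60-day dormancy threshold and the record layout are assumptions, and in practice the data would come from the directory, the VPN logs and HR.

```python
"""Audit accounts for the gap the case study describes.

Added example for this handout (not the presenters' code). Account records are
constructed; real ones would be joined from the directory, VPN logs and HR.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PASSWORD_AGE = timedelta(days=120)   # the firm's rotation policy in the story
DORMANT_AFTER = timedelta(days=60)       # assumption: no login for 60 days counts as dormant


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    password_set: date                  # when the current password was set
    last_login: Optional[date]          # None if the account has never logged in
    termination_date: Optional[date]    # from HR records; None if still employed


def audit(accounts, today: date) -> Dict[str, List[str]]:
    """Return {user: [finding, ...]} for enabled accounts that violate the controls."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue    # a disabled account is the desired end state; nothing to report
        findings: List[str] = []
        if a.termination_date is not None and a.termination_date <= today:
            findings.append("terminated-still-enabled")
            if a.last_login is not None and a.last_login > a.termination_date:
                # nobody legitimate logs in after leaving: this is the attacker's footprint
                findings.append("login-after-termination")
        if today - a.password_set > MAX_PASSWORD_AGE:
            # a rotation prompt shown at login never fires for an account nobody uses,
            # so password age has to be checked from the directory, not at login
            findings.append("password-over-policy-age")
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append("dormant")
        if findings:
            report[a.user] = findings
    return report


TODAY = date(2017, 9, 28)   # the story's late-September discovery

# Constructed sample records.
SAMPLE_ACCOUNTS = [
    # Left a year ago, never disabled. The attacker took the rotation prompt and set a
    # new password in June, so password age alone looks fine; the login date gives it away.
    Account("former.associate", True, date(2017, 6, 15), date(2017, 6, 15), date(2016, 9, 30)),
    # Active partner, logs in daily, rotated on schedule: nothing to report.
    Account("m.serious", True, date(2017, 8, 1), date(2017, 9, 27), None),
    # Contractor account created in February and never used: the 120-day prompt never fired.
    Account("temp.contractor", True, date(2017, 2, 1), None, None),
    # Correctly offboarded: disabled on the termination date, so skipped.
    Account("old.paralegal", False, date(2016, 1, 5), date(2016, 2, 1), date(2016, 2, 1)),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(findings)}")
```

Run on the sample, the former associate is flagged three ways (still enabled after termination, a login after the termination date, dormant since that login) and the unused contractor account is flagged for password age and dormancy, while the active partner and the properly disabled account produce nothing. The point of the `password-over-policy-age` check is that it reads the directory directly instead of relying on a prompt at login, which is the control the firm in the story was missing.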
The Story – Data Concerns (cont’d)
In August, the hacker honed his skills and familiarity with the Firm’s system, monitored a number of on-going deals, and set his traps.
Finally, the four deals closed in the last week of September. In each one, the hacker had revised deal documents, Funds Flow memos, and emails to add wire instructions that sent the funds to the hacker’s bank. The first stop was a legitimate bank in the United States, but the hacker then immediately wired the funds on to additional banks in Africa and Asia.
The analysis also determined that the hacker spent a significant amount of time reviewing documents related to a transaction involving a publicly traded company (that was buying a firm client).
The hacker also accessed the Firm’s Human Resources files, although the logs related to these files indicate that the files were accessed for less than a minute each and that none were copied, moved or altered.
Best Practices For Better Data Security
STOP. THINK. CONNECT.
Where Is Your Data?
Your company’s technology infrastructure holds a lot of private data,
such as:
• Social Security numbers (including yours!)
• Credit card numbers
• Client lists
• Financial data
• Passwords
• Business plans
• Proprietary information
What would someone find?
What’s worth protecting?
• Identification and protection of “crown jewels”
• Develop a security plan: Short term, Long term, and most importantly Ongoing.
• Define – How Much?, How Good?, and/or When is “Good Enough”?
• Accept the general rule of thumb:
– Good Security = Compliance
– Compliance ≠ Good Security
Top Data Security Issues?
Data Protection and Privacy:
• Protecting data from internal and external attacks.
• Preserving confidentiality by controlling access, use, and dissemination to the extent required by law, contract, or business needs.
• Securing data and systems.
To do that you must:
• Know what data you possess.
• Know where that data is kept.
• Know who has access to that data.
• Assess, test, and evaluate your policies – often.
Passwords – Best Practices
• Do not use names, dates, or dictionary words.
• Use long passphrases which are easy to remember.
• Length matters. Passwords should be at least 8 characters and contain numbers, capital letters and symbols; longer is better, and added length does more for strength than added character classes.
• Change passwords on at least a quarterly basis, and immediately whenever compromise is suspected. (Current NIST guidance, SP 800-63B, drops mandatory periodic changes and composition rules in favor of length, screening against breached-password lists, and multi-factor authentication.)
• Always use two-factor authentication if offered by the provider.
• Never use the same password in different accounts.
• Use http://www.passwordmeter.com/ and https://www.grc.com/haystack.htm to assess the strength of your passwords. Test a password of the same shape rather than the real one: never type a live password into a third-party web page.
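The case study’s policy (8+ characters, one capital, one lower-case letter, one digit) and the online meters above both reward character classes, but an attacker guesses shapes, not alphabets. The estimator below is an added example for this handout, not the presenters’ code or either meter’s algorithm: it checks the firm’s rule, then estimates how many bits an attacker really has to search once the predictable “Word + digits + symbol” shape is accounted for, and compares that with a multi-word passphrase. The 20,000-word dictionary, the symbol set and the weak/moderate/strong thresholds are assumptions, and the figures are estimates, not measurements.

```python
"""Compare what a composition rule accepts with what an attacker has to guess.

Added example for this handout (not the presenters' code). Dictionary size,
symbol set and rating thresholds are assumptions.
"""
import math
import re

COMMON_WORDS = 20_000          # assumption: size of the word list an attacker tries first
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
WORD_DIGITS_SYMBOL = re.compile(r"^([A-Za-z]+)(\d*)([^A-Za-z0-9]?)$")


def meets_firm_policy(pw: str) -> bool:
    """The case study's rule: 8+ chars, one upper, one lower, one digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def charset_bits(pw: str) -> float:
    """Naive estimate, length x log2(alphabet): what online meters typically report."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    if " " in pw:
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def guess_bits(pw: str) -> float:
    """Lower-bound estimate that accounts for the predictable shapes people actually use."""
    m = WORD_DIGITS_SYMBOL.match(pw)
    if m:   # Word + digits + optional symbol: the shape composition rules push people toward.
        word, digits, symbol = m.groups()
        bits = math.log2(COMMON_WORDS) + 1.0          # pick a word, capitalise it or not
        bits += len(digits) * math.log2(10)          # appended digits (a year, a counter)
        bits += math.log2(len(SYMBOLS)) if symbol else 0.0
        return min(bits, charset_bits(pw))
    words = [w for w in re.split(r"[ _-]+", pw) if w]
    if len(words) >= 2 and all(w.isalpha() for w in words):
        # Multi-word passphrase: each word is one choice from the list.
        return min(len(words) * math.log2(COMMON_WORDS), charset_bits(pw))
    return charset_bits(pw)   # no recognised structure; can overestimate (e.g. leetspeak)


def rating(bits: float) -> str:
    # assumption: thresholds for an offline attack against a stolen password hash
    return "weak" if bits < 35 else "moderate" if bits < 55 else "strong"


def assess(pw: str) -> dict:
    bits = guess_bits(pw)
    return {"policy_compliant": meets_firm_policy(pw),
            "bits": round(bits, 1),
            "rating": rating(bits)}


if __name__ == "__main__":
    for candidate in ("Summer17", "Winter2016!", "correct horse battery staple"):
        print(f"{candidate!r:32} {assess(candidate)}")
```

"Summer17" and "Winter2016!" both satisfy the firm’s policy and both come out at roughly 22 and 33 bits once their shape is recognised, while the four-word passphrase fails the policy (no capital, no digit) yet is worth about 57 bits even assuming the attacker knows it is four dictionary words. That inversion is why the guidance above favours length and passphrases over composition rules.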
How to store
Rules:
• Don’t write your password down on a sticky-note attached to your screen
• Don’t keep your passwords written in a text file on your computer
• Don’t write them down in plaintext anywhere!
• Instead, use secure pass-phrases that you can remember, or
• Use an encrypted password storage program, like KeePass or LastPass
Conduct Independent Ethical Hacking Assessment:
• An attack on your network and computer systems using real-world tools and techniques in order to find security weaknesses.
Assessment Objectives:
• Uncover vulnerabilities
• Provide a road-map for making your networks secure
• Identify the sensitive information
• Greatly increase your level of security
Develop a comprehensive security and data breach plan for your law firm.
• It should include your Crisis Response Team (internal and external)
• Conduct breach response drills annually
• Media/PR Strategy
Training:
• Users should be considered the first line of defense in any security infrastructure.
• Train attorneys and support staff on security and data issues frequently.
• A robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.
• Monitor changes in technology that affect security considerations.
• Understand security issues that may arise in any cloud computing services, and mobile devices, used by your firm.
• Minimize production of personal information where possible. When production is unavoidable, make an agreement regarding treatment of the personal information.
• Encrypt information as much as possible, whether produced to others or stored on your computers.
• Physically secure computer equipment and file rooms.
• Have a proper file and data destruction policy.
• Ask clients if any of their data warrants special protection and discuss how that data should be protected.
• Make sure vendor and expert contracts include provisions for security and confidentiality.
Contact Information:
Robert Kleeger, Founder & Managing Director
Digital4nx Group, Ltd.
T 973.699.0167 | [email protected]
Ryan J. Cooper, Esq., CIPP/US
Law Office of Ryan J. Cooper LLC
T 908.514.8830 | [email protected]
Uri Gutfreund, Law Firm Insurance Guru
Risk Strategies Company
T 212.826.9744 | [email protected]
Your opinion matters! Please take a moment now to evaluate this session.