Peter S. Vogel 2014-04-28 07:18:30
What are you doing to protect yourself and your clients from cybercriminals?

ALL LAWYERS ARE AT RISK OF CYBERATTACKS, AS ARE THEIR CLIENTS, because every lawyer and client uses a computer, cellphone, or tablet to send and receive emails and text messages, search the Internet, and participate in social media. It is imperative that lawyers understand the technology they rely on. While this does not require everyone to have a degree in computer science, lawyers have a duty to protect themselves and to advise their clients. According to the cybersecurity company McAfee Labs, “Cybercriminal gangs of the 21st century will target cloud-based applications and data repositories because that’s where the data is.”[1] Clearly, Internet cyberattacks pose a real risk to lawyers and to client files, whether those files are stored on computers, in the cloud, or in their offices.

HOW SAFE DO YOU FEEL ABOUT PUBLIC WI-FI?

Do you use public Wi-Fi? I assume that almost everyone reading this article does. According to a recent white paper from Symantec,[2] however, most people do not use private encryption tools, despite the finding that most Wi-Fi networks are not what they seem. According to the report:

Unless the local and server applications have implemented some sort of private encryption protocol, which is atypical, … all traffic [on public Wi-Fi networks (and many private ones as well)] is in plain text on the local network and anyone on that same network can read it.

Symantec recommends encryption security measures, including the Secure Sockets Layer,[3] but most lawyers do not know that they are vulnerable, let alone what the Secure Sockets Layer is. Without question, it is time that lawyers got to know more about the technology that they and their clients rely on, since there are risks associated with the many different types of devices, Internet connections, and technology conveniences.
ABA CYBERSECURITY HANDBOOK

In 2013, the American Bar Association published a Cybersecurity Handbook written by a number of lawyers.[4] In the foreword, former ABA President Laurel Bellows explained why the handbook was published:

The American Bar Association recognizes that cybersecurity is one of the most important challenges facing our economy and nation. To examine cybersecurity from both the legal business and national security perspectives, the ABA created the Cybersecurity Legal Task Force. The association asked the Task Force to address the tough questions about the appropriate role and responsibility of lawyers in cyber-related incidents and to examine ways that lawyers and businesses can protect their practices and their clients’ confidential information and intellectual property.

The handbook was organized by Jill D. Rhodes and Vincent I. Polley,[5] who wrote the first chapter and collected materials from a number of widely recognized experts within the ABA. Polley practiced law in Texas for many years as “deputy general counsel to Schlumberger Limited, where (inter alia) he coordinated cybersecurity defense planning, protecting the company’s trove of international oilfield data repositories from then nascent state-actor intrusion.” The handbook provides excellent information about and insight into cyberissues. It could easily become a bestseller for the ABA, given the increasing number of connected devices used to practice law and the importance of lawyers’ obligations to protect themselves and their clients.

HOW BIG IS THE CYBERRISK?

Another important source of information is the 2013 Data Breach Investigations Report (DBIR) from Verizon.[6] The DBIR explains that the motives behind cyberthreats include “money-minded miscreants [who] continued to cash in on low-hanging fruit from any tree within reach.” Verizon published the DBIR with 19 cross-platform partners.
The DBIR includes 20 Critical Security Controls that all lawyers (and their clients) can use to focus on protecting their law practices and client data:

1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software, including monitoring and notifications regarding unapproved software, application whitelisting, and software identification tagging.
3. Secure configurations for hardware and software on laptops, workstations, and servers.
4. Continuous vulnerability assessment and remediation, including automated vulnerability scanning, port checking, and patch management solutions.
5. Malware defenses, including anti-virus tools, disabling auto-run, traffic analysis, secure email usage, and sandboxing.
6. Application software security through testing and code review.
7. Wireless device identifiers and network access control.
8. Data recovery capability.
9. Security skills assessment and appropriate training to fill gaps.
10. Secure configurations and strong authentication for network devices such as firewalls, routers, and switches.
11. Limitation and control of network ports, protocols, and services, including conservative device configuration and a default-deny stance.
12. Controlled use of administrative privileges, including identification and monitoring of administrative accounts, restriction of access to administrative accounts, and securing administrative accounts with strong authentication.
13. Boundary defense, including ingress and egress filtering based on blacklists and the default-deny principle, DMZ traffic monitoring, IDS technologies, and application proxies.
14. Maintenance, monitoring, and analysis of security audit logs.
15. Controlled access based on the need to know, through network segmentation and logical access control.
16. Account monitoring and control, including account auditing, password parameters, account lockout settings, monitoring of attempts to access disabled accounts, and detection of atypical account usage.
17. Data loss prevention by employing mobile hard drive encryption and DLP software.
18. Incident response and management.
19. Secure network engineering through network segmentation and the establishment of security zones.
20. Penetration tests and red team exercises, including social attacks in sanctioned penetration testing.

If lawyers do not understand these 20 Critical Security Controls, it is time they started working with technology professionals who can help them and their clients. My hope is that this article will serve as a good starting point.

NOTES

1. http://mcaf.ee/utjz4
2. http://www.verisign.com/ssl/ssl-information-center/ssl-resources/whitepaper-protectsidejacking.pdf
3. http://www.verizonenterprise.com/products/security/identity/ssl/
4. http://apps.americanbar.org/abastore/index.cfm?pid=3550023&section=main&fm=Product.AddToCart
5. www.knowconnect.com
6. http://www.verizonenterprise.com/DBIR/2013/

PETER S. VOGEL is a trial partner, special master, and arbitrator at Gardere Wynne Sewell. Before practicing law, he worked as a computer programmer, received a master’s degree in computer science, and taught graduate courses in information systems. Vogel has tried cases around the U.S. involving software implementations, misappropriation of trade secrets, copyright infringement, software patent infringement, and Internet disputes. For more information, go to vogelitlawblog.com.
Published by State Bar of Texas.
This page can be found at http://mydigimag.rrd.com/article/Attack+Plan/1696296/206863/article.html.