The Seyfarth law firm has reported it was the victim of a ransomware attack. If it can happen to them, this is a concern for all law firms.
Good primer-type IT security article in ABA Law Practice Today:
Locked Down: Practical Information Security for Lawyers by Sharon Nelson and John Simek is a few years old, but remains a worthy treatise, supplemented by Sharon‘s Ride the Lightning blog. If epic fails amuse you, check out her post about the school board member who revealed more than intended during a virtual meeting.
Irwin Kramer notes that law firms who suffer a ransomware attack may have an ethical requirement to report the incident to clients:
Because law firms maintain huge repositories of sensitive data, they are particularly vulnerable to such attacks. You may not be able to prevent all attacks, but you should consult with a cybersecurity expert to improve your resistance to them. When all else fails, don’t compound the problem by concealing it from affected clients. If you do, your data breach will morph into a breach of ethics.
Another major incentive to take measures to reduce vulnerability to such attacks. The threat is real and the consequences for your legal practice can be severe.
Is it a good idea to spend a lot of time disinfecting your law office? Possibly not, but make sure your clients are aware of this, and other security measures you take. Security theater is real. Make sure it works for you.
Dennis Kennedy and Tom Mighell had a nice discussion of security theater in the June 19 edition of the Kennedy-Mighell podcast, prompted by my question. (Yeah, I’m a little behind in my podcast listening). It has become a timely topic in light of Covid-19.
Another example of security theater at Talking Points Memo provides context:
I’ll have some additional comments on their analysis later, but those interested will want to give it a listen. Check out the show notes (i.e., transcript) at the same link if you’d rather read than listen.
[Disinfecting schools] is mostly mitigation theater, taking action that is high profile and relatively easy because things that would actually make a difference are either too hard or have been ruled out in advance because of difficulty or politics. It’s the germ theory version of looking for the missing keys under the street lamp because that’s where the light is.
The bulk of evidence from the Spring and Summer is that COVID transmission is mainly through the air, either exhalation and inhalation of people in immediate proximity to each other or airborne contagion through recirculated air or contagion that persists in the air for some period of time.
Of course, same thing applies to your law office. That doesn’t mean security theater is necessarily a bad idea. If it makes those in your organization or potential clients feel more secure, it could be a great idea.
The monthly ABA magazine Law Practice Today always has good articles, but the July issue is something special. It is a compilation of some of the magazine’s best articles. In this case, recycling is good.
It’s hard to pick my favorite article, but a top candidate is the summary of the intersection of cybersecurity and legal ethics by David Reis. He’s written several books on related topics was the featured guest in a recent edition of one of my favorite podcasts, Digital Detectives. The interviewers were no slouches, either, being Sharon Nelson and John Simek of the Ride the Lightning blog.
When I used to do more computer security-related work, my go-to resource was the SANS Institute. It’s discouraging but educational that even top pros like them can fall for a phishing attack.
Phishing attacks are probably the most serious computer security threat out there now.
Dennis and Tom in a recent Kennedy-Mighell podcast noted a recent example that tended to show training employees had only limited benefits. Testers sent simulated phishing emails to a firm’s employees after they had been warned that such a test might be performed. Nevertheless, nearly all the employees fell for the phony emails.
Nevertheless, it’s foolish not to at least attempt to attempt to educate your employees. If it prevents even one incident that otherwise might result in ransomware or worse, it would be worth it.
Threatpost has some other suggested defensive tips.
Digital Detectives, a Legal Talk Network podcast, is one of my favorites. This month hosts Nelson and Simek ( interview David K. Reis, who provides some good advice about working at home security issues. After emphasizing the phishing threat, he pointed out a couple of other risks:
One is security for home printers. If you are going to print confidential client information or other confidential firm information, there can be security issues with the printers storing it, if it’s a wireless printer that isn’t configured securely, someone may be able to intercept that. So printers are a second thing other than the phishing and protection against the usual security threats.
A third one is paper documents. If you are printing confidential law firm or client documents at home what do you do with drafts, what do you do with old ones? We all over our shredding bins and security in the office, don’t just throw it in regular trash at home and we actually did an alert on that earlier before the current one on the importance of paper in cybersecurity during the work-at-home.
“Ransomware,” or hacker blackmail attempts to extort money by threatening to release confidential/embarrassing information, is on the rise. “Phishing” or its variant, “spear phishing” seem to be the most common vector.
- “Phishing” is basically spam that contains a poison pill in the form of a trojan horse attachment or link to a drive by download website.
- “Spear phishing” is the same, except it’s targeted to make it more attractive to a particular organization or even a particular person.
Thanks to Ben Schorr for an interesting example: The University of California San Francisco paid hackers $1.14 million (after negotiating them down from $3 million). BBC News has a transcript of some of the negotiations.
But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.
“Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise.”
Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organisations in this situation are without a good option.
“Even if they pay the demand, they’ll simply receive a pinky-promise that the stolen data will be deleted.
“But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”
Phishing and is worse than a nuisance: It can destroy your business. Specialized software can help, but the first line of defense is high quality training of your employees. Supplement this by testing their responses to test break-in attempts–and embarrassing the employees who show themselves to be too gullible.
The conventional wisdom is that the resilient nature of Internet protocols makes it difficult or impossible for an attacker to take down or cripple the Internet. A couple of respected Washington Post columnists have some doubts about the conventional wisdom. I think they have a point.
David Ignatius advises:
America’s botched response to the coronavirus pandemic is a warning that, unless our broken political and administrative systems are fixed, the country could experience a similar breakdown in future national crises, such as a massive cyberattack.
This stark message was contained in a little-noticed white paper recently released by the bipartisan Cyberspace Solarium Commission, titled “Cybersecurity Lessons From the Pandemic.” As the paper highlighted, the covid-19 outbreak has been a stress test for our national crisis-management system — and that system has, to a frightening extent, failed. The challenges of a cyberattack would be even greater. …
Part of the problem with our covid-19 response is specific to Trump, who seems to view unpredictability and lack of planning as positive management tools. But another president, with better management skills, would still face bureaucratic blockages that are endemic to our system. White House coordinators similar to the proposed cyber director — the U.S Trade Representative, say, or the Office of Science and Technology Policy — struggle in any administration to frame coherent government-wide policy, as noted in a recent Lawfare essay by Mieke Eoyang and Anisha Hindocha.
Economics columnist Robert J. Samuelson thinks Big Tech’s privacy/monopoly/abuse of power issues are small potatoes next to the threat of a crippling cyberattack:
The consequences of a massive cyberattack could make the disruptions caused by the pandemic seem like child’s play. There might be simultaneous assaults on the nation’s power, communication, financial and transportation networks. People would stumble about in a cyber fog with public and private communications channels, from email to cable TV, disabled or overwhelmed.
A major Washington DC property management company is putting out guidance on reducing Covid-19 risks.
Some of their recommendations make sense. Taking employee temperatures when they report to work every morning seems reasonable.
Some are dubious. Requiring retesting temperature when employees return from lunch is almost certainly overkill.
Security theater is not new. Bruce Schneier, a leading IT security expert defined security theater and provided an example in his essay Beyond Security Theater:
“Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security. An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security, but it looks like security to have a uniformed guard-for-hire looking at ID cards.” [Emphasis added]
Is security theater always bad? To the extent it reduces anxiety, it can be beneficial.
Other benefits are possible. One D.C. law firm decided that even though they could cover everything needed in their Covid-19 safety briefings in 20 minutes, they should last at least an hour.
Wasted time or wise precaution? Not sure, but if the law firm’s seriousness ever came into question, in litigation or otherwise, hour-long sessions might have at least some symbolic value.