Digital Security for the Modern, Mobile Law Firm

Transcription

Presented by Ken Jones
Senior Technology Architect, Pileum Corporation
Session OM02
Friday, 10/11/2013, 1:30 PM - 2:30 PM
Why Do We Need to be Concerned About Electronic Security?
• Changes in the way we work
– Increasingly Mobile World
– Blur between Business and Personal Devices
• Ease of obtaining hacking tools
• Regulatory/Legal Requirements
– At least 44 states have Data Breach Notification laws
– HIPAA; Sarbanes-Oxley Act (SOX); Payment Card Industry Data Security Standard (PCI DSS); Gramm-Leach-Bliley (GLB) Act; Electronic Fund Transfer Act, Regulation E (EFTA); Customs-Trade Partnership Against Terrorism (CTPAT); Free and Secure Trade Program (FAST); Children's Online Privacy Protection Act (COPPA); Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule; Federal Rules of Civil Procedure (FRCP)
Why Do We Need to be Concerned About Electronic Security?
• Fines
– BlueCross BlueShield of Tennessee (BCBST) is being fined $1.5 million for a 2009 data breach in which unencrypted information on some one million BlueCross members was stolen.
• Remediation Costs
– BCBS already spent $17 million on investigation, notification and protection
• Professional Liability insurance may not be enough – Cyber Risk Insurance may be needed
It Can’t Happen to Me – Can It?
• Hackers are real and persistent
– "Nearly everyone will be hacked eventually," says Jon Callas, CTO for Entrust. "The measure of a company is how they respond."
• Internal employees make up a large percentage of data loss scenarios
• Most attorneys are more concerned about convenient access to data than security
• Law firms are “High Value” targets
Missing or Poor Communication Encryption
Real World Example:
TJX Companies Inc, December 2006
Data transmitted between two Marshall’s stores was not encrypted properly on a wireless network in Miami, FL. 94 million credit cards were exposed.
Missing or Poor Communication Encryption
• Danger: Data transmitted can easily be intercepted and seen by 3rd parties
Danger Areas / Possible Solutions
• Remote access without VPN (Remote Desktop or Terminal Server sessions)
– Require VPN for all remote access
• Hosted E-mail (POP/IMAP)
– Review E-mail Provider Encryption Options
• E-mail transmissions without encryption
– Configure TLS for e-mail transmission
Malware and Viruses
Real World Examples:
Stuxnet, 2010
Attacked Iran's nuclear power program, but also showed how malware could be used for real-world service disruption.
ESTsoft, July-August 2011
Attackers uploaded malware to a server used to update ESTsoft's ALZip compression application. The personal information of 35 million South Koreans was exposed.
Malware and Viruses
• Danger: Programs can transmit information from your PC to outside sources, or use your PC to attack or gather information.
Danger Areas / Possible Solutions
• Compromised web pages that infect visiting computers
– Next generation firewall with deep packet inspection
• Infected e-mail attachments
– Antivirus and Malware scanners on incoming e-mail
• Trojan programs (be aware of “free” programs)
– User education and block installation of non-business programs
New Malware Threat – Direct Ransom
Lack of Visibility/Monitoring
Real World Example:
VeriSign, Throughout 2010
VeriSign was attacked but never informed anyone about the attacks. The incidents did not become public until 2011, through an SEC-mandated filing.
“How many times were they breached? What attack vectors were used?”
VeriSign’s answer: “We don't know.”
Lack of Visibility/Monitoring
• Danger: Your systems may be under attack and you don’t know it.
Survey Time!
Question: How many of you have experienced an attempted data breach in the last 12 months?
Answer: You all have, but may not know it!
Lack of Visibility/Monitoring
• Danger: Your systems may be under attack and you don’t know it.
Danger Areas / Possible Solutions
• Any servers accessible via the Internet (e-mail, terminal server, FTP, etc)
– Intrusion Prevention Systems plus monitoring/alerting systems
• Any PC with Internet access
– Monitor and filter Internet connections (with notification)
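The slide asks for monitoring and alerting on Internet-facing servers such as a terminal server. As an added example that is not part of the presentation, the Python below reads a one-line-per-event login audit log and raises an alert when a single source address accumulates failed logins against several accounts inside a short sliding window, which is the pattern a password-guessing attempt leaves behind. The log format, the field names, the threshold and window, and the sample lines are all constructed for this example.

```python
"""Alert on bursts of failed remote logins from one source address.

Added example (not from the presentation): a minimal monitoring/alerting
check of the kind the "Possible Solutions" column calls for on
Internet-facing servers. The log lines below are constructed for the
example; the format is a hypothetical one-event-per-line audit log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, user, source address.
# 203.0.113.7 guesses six accounts in thirteen seconds; 198.51.100.20 is a
# user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
2013-10-11T01:00:01 LOGIN_FAILED user=jsmith src=203.0.113.7
2013-10-11T01:00:04 LOGIN_FAILED user=admin src=203.0.113.7
2013-10-11T01:00:06 LOGIN_FAILED user=administrator src=203.0.113.7
2013-10-11T01:00:09 LOGIN_FAILED user=kjones src=203.0.113.7
2013-10-11T01:00:11 LOGIN_FAILED user=root src=203.0.113.7
2013-10-11T01:00:14 LOGIN_FAILED user=test src=203.0.113.7
2013-10-11T08:15:22 LOGIN_FAILED user=kjones src=198.51.100.20
2013-10-11T08:15:40 LOGIN_OK user=kjones src=198.51.100.20
2013-10-11T09:30:00 LOGIN_OK user=jsmith src=198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_FAILED|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failure_count, distinct_users)} for every source whose
    failed logins inside any `window`-long span reach `threshold`.

    A sliding window over the sorted failures per source keeps the check
    O(n) per source and reports the largest burst seen."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "LOGIN_FAILED":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Drop failures that fell out of the window ending at `end`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in fails[start:end + 1]}
                prev = alerts.get(src)
                if prev is None or count > prev[0]:
                    alerts[src] = (count, len(users))
    return alerts


def alert_messages(alerts):
    """Render alerts as notification text (the 'with notification' part)."""
    return [f"ALERT: {n} failed logins from {src} against {u} distinct accounts"
            for src, (n, u) in sorted(alerts.items())]


if __name__ == "__main__":
    for msg in alert_messages(find_bruteforce(parse_log(SAMPLE_LOG))):
        print(msg)
```

The single failure from 198.51.100.20 never reaches the threshold, so an ordinary typo does not page anyone; the burst from 203.0.113.7 does, and the message carries both the count and how many different accounts were tried, which is what distinguishes guessing from one user who forgot a password.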
Lack of Security Testing
Real World Examples:
Heartland Payment Systems, March 2008
A SQL injection security hole was used to install spyware on Heartland's data systems. 134 million credit cards were exposed.
CardSystems Solutions, June 2005
Hackers broke into CardSystems' database using an SQL Trojan attack and sent the data back out through FTP. The hackers gained access to names, account numbers, and verification codes of more than 40 million card holders.
Lack of Security Testing
• Danger: Almost two-thirds of data breaches in 2012 could be attributed to negligence/human error (35%) and system glitches (29%), according to the annual Ponemon Global Cost of a Data Breach study.
Danger Areas / Possible Solutions
• Firewalls
– Review and test configuration
• Any server that provides services via the Internet (Web pages, FTP servers, e-mail servers, etc)
– Perform regular security assessments to locate and remediate security problems
Data Partnerships with 3rd Parties Providing Services
Real World Examples:
Personal Experience - Company Not Disclosed
A medical billing company worked with multiple hospitals and maintained connections to the hospitals that were “secure”. We did a security assessment for one of the hospitals and discovered that we could go from one hospital to the medical billing company and then into other hospitals’ networks behind their firewalls!
Data Partnerships with 3rd Parties Providing Services
• Danger: Data connections to 3rd parties or locations might be used as a bridge
Danger Areas / Possible Solutions
• Any configuration that allows 3rd parties to connect to your network
– Always connect to a firewall and use DMZ zones to limit access
• 3rd Parties working within your office (copy center, litigation support, billing, etc)
– Question and get answers from any vendor about their security policies and practices
No Control or Management of Mobile Devices
Real World Examples:
Personal Experience - Company Not Disclosed
A senior attorney took an iPhone on vacation to China and lost the phone while there, with an active connection to the firm’s e-mail system. The firm had no way to wipe or block the phone (and was not even notified about it for 3 weeks, until the attorney returned to work).
Personal Experience - Company Not Disclosed
An attorney was experiencing a highly contested divorce. His wife took his iPad and donated it for spite. Too bad it still had client data on it. The firm had no way to wipe the data.
No Control or Management of Mobile Devices
• Danger: Sensitive data is stored on devices that regularly leave your firm, possibly with no passwords, encryption, or management.
Danger Areas / Possible Solutions
• No or poor password requirement
– Mobile device management tool
• Use of public internet exposes devices to hackers
– Personal firewall should be enabled
• Lost/Stolen devices
– Mobile device management tool
• Mixing of personal and firm data
– Keep them separate – require different accounts
Bringing Unnecessary Data Out of the Office
Real World Example:
Department of Veterans Affairs, May 2006
A laptop with an unencrypted national database was stolen from an employee’s home. Personal information including names, dates of birth, Social Security numbers, and other information for 26.5 million veterans, active-duty military personnel and spouses was lost. The VA estimated it would cost $100 million to $500 million to prevent and cover possible losses from the theft.
Good news: The thief returned the laptop
Bringing Unnecessary Data Out of the Office
• Danger: It is easy to take large amounts of data out of the office on devices that can easily be lost or stolen.
Danger Areas / Possible Solutions
• Laptops/Flash Drives/Hard Drives with client information taken outside the office
– Encrypt all hard drives in case they are lost/stolen
– User Education (don’t leave them in cars overnight)
• Data copied to home computers
– Use virtual desktops or terminal servers for remote access from non-firm computers
• Business Center PC’s used for client business
– User training
Deliberate or Accidental Employee Actions
Real World Examples:
Fidelity National Information Services, July 2007
A database administrator of an FIS subsidiary was fired. Before he left he stole 3.2 million customer records including credit card, banking and personal information. He allegedly sold the data to a data broker, who in turn sold it to various marketing firms.
AOL, August 6, 2006
AOL Research mistakenly posted info on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period. The data on more than 20 million web inquiries, from more than 650,000 users, included shopping and banking data and was posted publicly on a web site.
Survey Time!
Question: Would your employees fall for a scheme to enter their login password on an external web page?
Answer: Experience says “Yes”
Pileum was hired to test security at a large, technology related entity. Pileum put together a phishing attack and had better than 40% success in obtaining user passwords from “fake” e-mails.
Deliberate or Accidental Employee Actions
• Danger: Sensitive data can be disclosed publicly. Most of the time this is accidental, but could be deliberate.
Danger Areas / Possible Solutions
• E-mailing sensitive data
– E-mail Data Loss Prevention systems
• Deliberate data theft
– Monitoring/Logging systems
• Business systems used by family members
– User Education
• Phishing and scams
– User Education
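As an added example that is not part of the presentation, here is what an e-mail Data Loss Prevention check does with a message before it leaves the firm: the Python below scans message text for Social Security numbers and for payment card numbers, and only flags a digit string as a card number when it passes the Luhn checksum, so an ordinary 16-digit reference number is not blocked. The sample messages, the block-on-any-finding rule and the regular expressions are assumptions made for this example.

```python
"""Flag outbound e-mail text that contains sensitive identifiers.

Added example (not from the presentation): a simplified e-mail Data Loss
Prevention check. It looks for U.S. Social Security numbers and for
payment card numbers that pass the Luhn check. All sample messages and
identifiers below are constructed test values.
"""
import re

# SSN: three groups, excluding the area/group/serial values that are never
# issued (000, 666, 9xx / 00 / 0000), which cuts obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers: from the right, double
    every second digit, subtract 9 if that exceeds 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the digit-only form of every Luhn-valid card number in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(body):
    """Return a dict of findings keyed by type; an empty dict means nothing found."""
    findings = {}
    ssns = SSN_RE.findall(body)
    if ssns:
        findings["ssn"] = ssns
    cards = find_card_numbers(body)
    if cards:
        findings["card"] = cards
    return findings


def policy_decision(body):
    """Assumed policy for the example: 'block' on any finding, else 'allow'."""
    return "block" if scan_message(body) else "allow"


# Constructed sample messages (all identifiers are test values).
SAMPLE_MESSAGES = {
    "clean": "Please find the agenda for Friday's meeting attached.",
    "ssn": "Client DOB 1970-01-01, SSN 123-45-6789, see intake form.",
    "card": "Retainer paid with card 4111 1111 1111 1111, exp 10/15.",
    "order": "Reference order number 1234 5678 9012 3456 on the invoice.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:>6}: {policy_decision(body):5}  {scan_message(body)}")
```

The "order" message shows why the checksum matters: a pattern match alone would block it, and a DLP system that blocks legitimate mail is quickly switched off. A product deployment also has to inspect attachments and keep a record of what was blocked, which this example does not attempt.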
Weak, Missing, Repetitive, or Shared Passwords
Real World Examples:
Gawker Media, December 2010
A group called Gnosis attempted to hack their network. Users had the same passwords for e-mail, Twitter, and other systems. Once one password was compromised they had access to multiple systems. E-mail addresses and passwords of about 1.3 million users were disclosed, plus the theft of their custom-built content management system.
Weak, Missing, Repetitive, or Shared Passwords
• Danger: Passwords are the basic keys to all security and must be treated accordingly.
Danger Areas / Possible Solutions
• Users share passwords with others
– User education
• Users allowed to use basic passwords
– Passwords should be complex and changed frequently
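One way to turn "complex and changed frequently" into an enforceable check, as an added Python example that is not part of the presentation: it rejects a new password that is too short, lacks character variety, or repeats one of the user's recent passwords (which the system keeps only as salted PBKDF2 hashes), and it reports when the current password is older than the rotation limit. The limits (12 characters, three of four character classes, 90 days, five-deep history), the hashing choice and the sample history are assumptions made for this example.

```python
"""Evaluate a proposed password change against a firm password policy.

Added example (not from the presentation). The policy numbers, the
salted-hash history format and the sample data are assumptions.
"""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 12            # assumed minimum length
MIN_CLASSES = 3            # of lower, upper, digit, symbol
MAX_AGE_DAYS = 90          # "changed frequently": rotate at least every 90 days
HISTORY_DEPTH = 5          # a new password may not repeat the last five
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Storing history this
    way lets reuse be detected without keeping old passwords in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_problems(password):
    """List the complexity rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of: lower, upper, digit, symbol")
    return problems


def reused(password, history):
    """True if the password matches any (salt, digest) pair in the recent history."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def password_expired(last_changed, today):
    """True when the current password is older than the rotation limit."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(new_password, history):
    """Return the list of reasons to reject the change (empty list = accept)."""
    reasons = complexity_problems(new_password)
    if reused(new_password, history):
        reasons.append("matches a recently used password")
    return reasons


# Constructed sample: a user whose last three passwords are kept as salted hashes.
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter2013!", "Spring2013!", "Summer2013!")]
SAMPLE_LAST_CHANGED = date(2013, 6, 1)

if __name__ == "__main__":
    today = date(2013, 10, 11)
    print("change required:", password_expired(SAMPLE_LAST_CHANGED, today))
    for candidate in ("Summer2013!", "Autumn-Leaves-2013"):
        print(candidate, "->", evaluate_change(candidate, SAMPLE_HISTORY) or "accepted")
```

Checking reuse against the user's own history does not catch the Gawker problem of one password shared across unrelated sites, since the firm never sees those other passwords; that part still depends on user education, as the slide says.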
Old Software or Missing Patches
Real World Example:
Google/other Silicon Valley companies, Mid-2009
The Chinese government launched a massive attack on Google, Yahoo, and dozens of other Silicon Valley companies. The Chinese hackers exploited a weakness in an old version of Internet Explorer to gain access to Google's internal network.
[Figure: Vulnerability Disclosures 2002 – 2013. Source: Microsoft Security Intelligence Report – 10 year review Special Edition (National Vulnerability Database)]
[Figure: Vulnerability Disclosures 2002 – 2011, Hardware versus Software. Source: Microsoft Security Intelligence Report – 10 year review Special Edition (National Vulnerability Database)]
Old Software or Missing Patches
• Danger: Patches are published to address known, published exploits. If they are not installed, it is like leaving a door unlocked.
Danger Areas / Possible Solutions
• Windows Operating Systems
– Windows Update, WSUS
• End of Life software (Windows XP!)
– Upgrade
• All software
– Patch Management Solutions - KACE, Shavlik, etc.
So – Are You Scared Yet?
Practical Steps
• Make a decision – creating a secure network
does not happen by chance
• Passwords, Passwords, Passwords
• Patch or replace old software
• Get a security checkup
• Perform employee security training
• Invest in security hardware/software/services
My Contact Information
Ken Jones
PILEUM CORPORATION
Senior Technology Architect
[email protected]
Office: 601.352.2120
Mobile: 601.214.5788
190 East Capitol Street, Suite 175
Jackson, MS 39201