We have spoken on the Ethics of Data Security at Bar Associations across the USA, and we continue to get more and more questions on the topic of data security. I decided to turn to our go-to expert and bring you answers from the source with this Q&A session I had with Tim Rettig of Intrust IT.
Mark: Recently, in the legal industry, a ransomware email was running around targeting lawyers directly. It was an email that claimed the lawyer had an ethics violation charge against them and contained a file attachment. These criminals knew that a lawyer was very likely to be highly concerned with the words ethics violation and would quickly click on the attachment to learn more. Once they clicked on it to open the file, the virus went to work and locked the machine and held the data ransom. Are cyber-criminals getting so organized that they know who has the most confidential information and are able to so narrowly target one area like law firms?
Tim: Yes, absolutely. What you’re talking about is called “spear phishing” in the data security industry. It happens when cyber criminals are going after a very specific vertical market and they use very well-crafted emails. Remember, these are organized crime operations, not a random hacker. They are taking lessons from businesses. Many businesses focus on one vertical niche and are able to know more about their customers due to this focus. These organized crime operations are learning from that.
In addition to the legal example you discussed, there was also one about a year ago that was targeted towards chiropractors. The spear phishing email looked like it was from somebody who had just moved into the area, used to go to a chiropractor every other week, and was looking for a new chiropractor in town. They add a link to Dropbox saying it contains all the charts and information from the previous chiropractor. They ask the targeted chiropractor to take a look so they can let them know if they can help them out or not. It was perfectly written and it looked like a very good email, and what chiropractor wouldn’t be interested in a patient who could become a recurring patient?
Mark: We understand now that this is a focused and organized threat to law firms no matter their size. If I’m a lawyer, what are the minimum things that I should be doing to meet my obligations of confidentiality and to make sure my client’s information isn’t ending up out there in the hands of these criminals?
Tim: Like a lot of things in life, it starts with the basics. People missing the basics often cause a majority of the issues. Just implementing the basic security measures will really reduce their risk.
That means keeping your systems up to date. Out of date systems are often the cause of most security issues. The same Symantec study that I referenced earlier found that the majority of the malicious software being spread targets vulnerabilities for which patches have existed for months. They wouldn’t be spread if people would keep their systems up to date.
We recently had the big WannaCry ransomware virus that took down the NHS bureau in the United Kingdom and also caused hundreds of thousands of computers around the world to be infected. This targeted a vulnerability that had been patched three months prior, and if people just would have patched their systems they would have been safe.
Mark: You are saying that, at a minimum, when my machine pops up a message that says it’s time to update, I should not wait or postpone that even a few days?
Tim: Exactly, and if it comes up and it’s unable to update because of an error or something like that, that is an issue that should be addressed immediately and not ignored, because these are again basics that need to be addressed. Also, when your IT person in your office or your IT services company says you’re running an old version of an operating system and there are vulnerabilities, those should be patched or upgraded. That’s what got the NHS in trouble in Europe. They were running operating systems that were 20 years old, that were known to be out of compliance or not even supported anymore, and no patches were available. Necessary updates were brought up on multiple occasions with the organization, but they ignored it and they paid a huge price for that.
In addition, you should definitely be running a security product with endpoint protection on all your systems and making sure all of the people in your organization are covered as well.
Mark: What does endpoint protection software do for me?
Tim: Endpoint protection is often thought of as anti-virus or anti-malware software. The traditional software should be used at a minimum, but there are newer versions coming out that we like better. If you’re running older endpoint protection software, like Norton Antivirus or Symantec, those are what we call signature-based. Signature-based means that when you go to download a file or a piece of software, the endpoint software looks at it and checks it against a list of known malicious signatures. The problem is that, because of the scale of these criminal enterprises, they are creating new malicious software so quickly that it cannot be added to the known lists fast enough.
The newer endpoint protection software not only looks to see if the signature is on the blacklist to see if it’s known to be bad, but it actually continues to watch when that software executes and monitors what it’s doing. If the software does anything that looks suspicious, it will prevent it from running and then will notify somebody so they can act appropriately.
Mark: What endpoint protection software would you recommend?
Tim: What we recommend a lot is Webroot. It has a good consumer-grade version that’s cost effective, and they have enterprise versions available as well. Kaspersky is another one that’s known to do very well; however, it is a Russian-owned organization and there have been some recent conversations around whether or not there may be access to systems and software by the Russian government. That’s another dynamic in this whole cloud organization that’s out there: this is a global crisis. In fact there are nation states behind some of these actions, like what happened with Sony. You definitely have to be careful about where some of your technology and your support are coming from as well, and what country it’s in.
Some other products would be Bitdefender or Trend Micro. As the software improves, it is getting to the point where they can start offering insured protection which is very new for the industry. We are testing out some new endpoint protection software that has a million dollar guarantee behind it for ransomware. They are doing behavioral-based monitoring.
Mark: Lawyers interact with clients, opposing counsel and the courts, all on email. The belief by many is that email is a secure system. But it isn’t, right?
Tim: That is another basic thing that we need to make sure that our users at the office understand—the fact that they need to be suspicious of the email that is coming in. This is because so many of these attacks that we’re seeing, these data breaches, are from human error. It’s social engineering where hackers are tricking people into clicking on and doing things they shouldn’t.
Just recently there’s been an uptick in mortgage fraud, and it doesn’t require any hacking at all. What’s happening is people are using the same password on multiple websites: the same password for email, Dropbox, the same password everywhere. When just one of those sites gets compromised, your password is now out there, and hackers use that to test whether you’re using the same password for Gmail. They get into your account and then they see that you are currently communicating with a bank or mortgage broker for your house. They just sit back and watch, use some tools to monitor for certain phrases, and when the request from the homeowner goes through saying “hey, where should I wire this money?”, the hacker will stop the email that comes back from your bank saying where you should wire it, and they will put a different email in your inbox that has different wiring instructions, and people will wire to the wrong bank. This has actually been happening on a regular basis now.
I’m also familiar with a large property management company that wasn’t hacked but still ran into security issues. The hackers figured out all the different properties that company managed, then they reached out to quite a few of the properties’ renters and posed as the property management company. They used a fake email that looked similar enough to the property manager’s email and said: “we’ve changed our banking arrangement, can you please wire your monthly payment to this new address.” The property tenants started wiring their money to the wrong bank. Months went by, managers started sending demand letters to those tenants, and several ignored them because they knew they had paid their rent. More time went by and they figured out it was a ruse and someone had tricked these tenants. They discovered the issue about half a million dollars in rent later.
That company didn’t do anything wrong, all the systems were secure, but it was the tenants that got tricked, and now they are the ones that will be liable for that loss, not the company. But, from the management standpoint, if they go after these tenants that makes the company look bad.
In terms of law firms, many criminals start by going right after the money. If there’s any case that would involve money, like maybe they have to put money into escrow or any type of financial transaction where there’s money that has to be wired, cybercriminals are going to insert themselves into that conversation. The law firm’s communication is fine, their systems may all seem secure, but if the client’s email has been compromised then the hacker is able to insert new information into the thread on the client side. Since this is necessary communication between attorneys and their clients, whenever there is a wiring instruction, we also need to follow it up with a call or some other means of communication.
Mark: You mentioned passwords, a lot of passwords are hacked. I understand that I shouldn’t be using simple passwords, but should we really be using a different password for each different online service?
Tim: Interestingly enough, using the same very complex password everywhere is a bigger risk than using a different, simpler password for each service. This is because every time you use the same password in another location, your risk goes up exponentially. We aren’t as worried about the security systems in place for large cloud vendors, but it’s likely that the small website where you’re buying a team shirt for your kids gets compromised, and if you’re using the same password as your Gmail account, criminals can use the information to try to login to Gmail or other sites to get into your accounts. Use a different password everywhere. And for accounts that are extremely important, take the time to set up 2-factor authentication. It may seem strange to set up 2-step authentication on LinkedIn, Gmail, and Facebook, but it’s going to protect you in the long run from looking foolish.
I have a friend who would use the same password everywhere online. Someone got a hold of his password in a data breach and then they logged into his LinkedIn, his Facebook, his email and took over all his accounts. It is very difficult to get all of those accounts back if someone changes the password on you. That person communicated with all of his friends and said that he was overseas, that his credit cards had all been lost, that he lost his wallet and needed someone to send him money. Some people fell for it, others didn’t. It disrupted his life and he looked like a fool to everyone. It took him quite a while to get that cleaned up.
Social media accounts may not seem like they’re important to you, but many times, especially as a lawyer in your community, that’s your personal reputation online. If someone takes over, it can make you look very bad and could result in a prospect not calling you.
Mark: Microsoft, Google, Apple—they all have kind of their own multi-factor identification. Are there any that you would recommend? Should you be looking at other systems or vendors for this?
Tim: One of the difficult things about two-factor authentication is that everybody has their own unique take on it. The website Two Factor Auth shows you all the different sites that are on the internet: the ones that support two-factor authentication, those that don’t, and what type they support, whether it’s a text, a phone call, or a piece of software. There are also links to the websites to show you how to set it up. This includes banks, financial institutions, all the different sites.
If you have Gmail and you use Office365, you might have to use each of their independent two-factor authentication systems to keep it simple, but what that means many times is that you’re going to have Google Authenticator for Gmail, Microsoft’s for 365, and a different third-party one for another website. For your whole law firm, there are software and tools that simplify this by consolidating and reducing the amount of 2-factor authentication you have to use. If you are looking at this as an individual consumer though, you’re going to likely end up with many different two-factor authentication methods and tools. You may find that one bank texts you, a credit card company sends verification through email, and Amazon works with a third-party software tool.
For example, when I was choosing a bank, my deciding factor was which banks support two-factor authentication. I went to the website I mentioned above, which has a category for banks, and chose the ones I wanted to decide between, because this was such a big problem.
Mark: In our CLE presentations, one thing we have talked to lawyers about is using a tool to track all of their passwords. It seems that LastPass has a very large presence. I know they stumbled a bit early on but have apparently gotten their security game back up. There are other tools too, like 1Password. What are your thoughts?
Tim: LastPass is one that I definitely recommend because once you start using different passwords on different websites, trying to capture all of those and keep track of them is very difficult. The last thing you want to do is put them in an Excel spreadsheet that could easily be compromised. To be honest, even writing them down by your keyboard may be better than using the same password on all the websites, but it’s going to get to the point where it’s difficult to write them all down. It’s slow and cumbersome. Getting a password manager is something we definitely recommend that users do.
LastPass is one that I recommend, it has all the bells and whistles, and it also has a really nice enterprise solution, so everyone in your organization can have access to just their passwords or some shared company passwords.
Mark: So, if I’m a law firm, I need a bunch of people to access various accounts. Instead of having to write that down, using a tool like LastPass I can share it with all the people that need it and they would have access to the passwords, without having them in some unencrypted document?
Tim: That’s right. Another benefit is that these password management tools have plugins for your internet browser, so that when you go to that site, it automatically fills the username and password in for you. Or, the first time you go to that site and put the username and password in, it’ll ask, do you want to save this in LastPass? It sure makes having better security-minded passwords a lot easier.
I personally use LastPass as well. I have it on my laptop and on my home computer and I sync it to all my devices so I can get to my passwords automatically. It also allows you to share passwords outside your organization. In fact, I use that feature with my wife, as our passwords and our information for our financial accounts are in a shared folder. If I happen to need to change my password to a financial institution, it syncs automatically and she also has the password automatically.
Another one I am familiar with, that I set my parents up with, is Dashlane. It is a nice simple one that a lot of people use and are happy with. Two others are Keeper and RoboForm. The reason I keep the list to those four is that they all support two-factor authentication, which I believe you should absolutely have when you’re putting all your passwords into one location.
The point about LastPass stumbling that you made was that they have had a few incidents where they have had some small data breaches, however, they’ve done a great job communicating that to their users, putting a very quick fix in place that prevented any passwords from getting out and resolving the issue very quickly. There’s always going to be some type of security incident that’s going to happen with all this software that’s out there because humans are behind it and they’re going to make a mistake. It’s how you react to it next and fix the problem and show that the architecture is such that if there’s a vulnerability to one piece of the software, it doesn’t expose everything.
In the LastPass case, they had a security vulnerability that exposed some of the user data on the site, but it did not expose any keys that allowed anybody’s passwords to get out. It showed that the way their system is set up, it’s segmented enough that you’re not going to get into the entire thing.
Mark: Something else I like is that if someone is utilizing LastPass for their entire company if their team is not being as good at using a different password, it’ll let you know over time and review your passwords for you. For example, when Yahoo was breached, they could tell you if the password that was breached is the same as other passwords in your LastPass repository.
Tim: That’s a great point. It will tell you how good your passwords are and notify you if you have those deficiencies in your passwords or in the organization. There is a website out there called Have I Been Pwned. It’s run by a very well known white hat hacker, who is very reputable and speaks at a lot of conferences and has done a lot for the IT security industry. After a site gets breached, the hacker organization may take that information and utilize it for a couple of years and not let people know. But at some point, they want to brag that they compromised the site or they’re done with the data, so they will release it out to the space and they will say, here’s all the data to prove that we compromised this, or here’s the data, do with it what you want.
Have I Been Pwned takes that data and puts it into a big database of all the data that’s been breached over the years. If you sign up for the free notification service they will send you an email if your address or username is ever part of any of those data breaches. I got one last year that said my email address was part of the LinkedIn breach that happened two years prior. It was good for me to know that I needed to change my password. That’s a great service.
This interview has been edited and condensed.