-By Chris Ries, David Ries, and John Simek (adapted from the written materials for their upcoming”Fighting Back: Tools for Tracking Hacks to Secure Your Practice” session during ABA TECHSHOW 2014)
Chris Ries currently works for Oracle’s Java Vulnerability Team, where he focuses on software security. Before joining Oracle, he was a Senior Information Security Engineer with Carnegie Mellon University’s Information Security Office, and also performed independent software vulnerability research.
David Ries is a member in the Pittsburgh office of Clark Hill Thorp Reed, where he practices in the areas of environmental, commercial and technology law and litigation.
John Simek is the Vice President of Sensei Enterprises, Inc., a digital forensics, information security and information technology firm located in Fairfax, VA.
Chris Ries and Simek will discuss specific tools, strategies, and resources to combat these security breaches in their “Fighting Back: Tools for Tracking Hacks to Secure Your Practice” session Friday, March 28, 9:15 AM – 10:15 AM during ABA TECHSHOW 2014.
It is critical for law firms to implement, maintain, and update comprehensive information security programs, including procedures and tools for responding to, containing and recovering from attacks. A comprehensive approach is necessary because confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. They take a variety of forms, ranging from phishing scams and social engineering attacks to sophisticated technical exploits resulting in long term intrusions into law firm networks. These threats are a particular concern to attorneys because of their duty of confidentiality.
Effective information security requires an ongoing process that addresses people, policies and procedures, and technology. This paper explores current threats and provides an overview of information security principles to address them. It then explores selected tools for discovering, tracking, and responding to security incidents.
For years, we’ve been warning lawyers that it’s not a question of whether law firms will become victims of successful hacking attacks – it’s a matter of when. We pointed to numerous law firm incidents of dishonest insiders and lost or stolen laptops and portable media, but there were not disclosed incidents of successful hacking attacks. We’ve now reached the “when” – successful attacks have occurred and are occurring – and attorneys and law firms need to comprehensively address security.
Law firm data in computers and information systems faces substantial and real threats. The American Bar Association’s 2013 Technology Survey reports that15.2% of all firms reported that they had suffered a security breach, broken down by size of firm as follows:
- Solo 13.7%
- 2-9 10.8%
- 10-49 23.9%
- 50-99 21.2%
- 100-499 12.6%
- 500 or More 15.%
- All Firms 15.3%
25.2 percent reported that they didn’t know whether their firm had suffered a security breach in the past.
A December 2009 FBI alert warned that law firms and public relations firms were being targeted with spear phishing e-mails containing malicious payloads. In January 2010, the FBI issued another alert, this time warning law firms about counterfeit check schemes that used e-mails to lure them into relationships with fraudulent overseas “clients.”
In a March 20, 2010, article, “Law Firms Are Lucrative Targets of Cyberscams,” the San Francisco Chronicle discussed recent attacks, ranging from phishing scams to intrusions into a law firm network to steal lawsuit-related information. It noted that:
Security experts said criminals gain access into law firms’ networks using highly tailored schemes to trick attorneys into downloading customized malware into their computers. It is not uncommon for them to remain undetected for long periods of time and come and go as they please, they said.
These kinds of attacks can be very sophisticated. A February 3, 2010, Wired Magazine article reported on advanced persistent threats (APTs), a particularly nasty form of coordinated and extended hacking attack. It discussed an example of a 2008 APT attack on a law firm that was representing a client in Chinese litigation:
The attackers were in the firm’s network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.
This attack was investigated by Mandiant, a leading information security firm that specializes in investigations of data breaches. Mandiant discovered that the network had been breached for more than a year before the law firm was tipped off to the breach by law enforcement. They could not determine the initial attack vector because the law firm did not have system logs available. The intruders at the law firm were able to obtain more than 30 sets of user credentials, compromise approximately three dozen workstations, and harvest thousands of e-mails and attachments from mail servers. They also had full access to all servers and computers on the network for an extended time. This breach is reported as a case study in Mandiant’s M-Trends [the advanced persistent threat] (2010).
A March 8, 2010, National Law Journal article reported that Mandiant assisted over 50 law firms after security breaches. A Mandiant forensics specialist stated in an interview that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.
Successful attacks on law firms have continued. Bloomberg News published “China-Based Hackers Target Law Firms to Get Secret Deal Data” on January 31, 2012. It described a group of major hacking incidents in which attackers successfully targeted 7 Canadian law firms and 2 Canadian government agencies. The article reports that Mandiant estimated that 80 major law firms were hacked during 2011.
In November, 2011, the FBI held a meeting for the 200 largest law firms in New York to advise them about the increasing number of attacks. Bloomberg News reported the following about the meeting:
Over snacks in a large meeting room, the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.
“We told them they need a diagram of their network; they need to know how computer logs are kept,” Galligan [the head of the FBI cyber division in New York City] said of the meeting. “Some were really well prepared; others didn’t know what we were talking about.” (www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html)
The SANS Institute, a highly regarded information security research, education, and certification organization, has published an interview with the managing partner and IT partner of a New York law firm that had been hacked. They stated that all of their client files had been found by the FBI on a server overseas. (www.sans.org/security-resources/cybersecurity-conversations.)
On June 25, 2012, the Wall Street Journal published “Client Secrets at Risk as Hackers Target Law Firms.” It started with:
Think knowing how to draft a contract, file a motion on time and keep your mouth shut fulfills your lawyerly obligations of competence and confidentiality?Not these days. Cyberattacks against law firms are on the rise, and that means attorneys who want to protect their clients’ secrets are having to reboot their skills for the digital age.
In February, 2013, the FBI gave a keynote presentation on law firm security threats at LegalTech New York. In an article reporting on it, Law Technology News, “LegalTech Day Three: FBI Security Expert Urges Law Firm Caution” (February 1, 2013), the special agent in charge of the FBI’s cyber operations in New York City is quoted as stating:
“We have hundreds of law firms that we see increasingly being targeted by hackers. …We all understand that the cyberthreat is our next great challenge. Cyber intrusions are all over the place, they’re dangerous, and they’re much more sophisticated” than they were just a few years ago.
Security threats to lawyers and law firms are substantial and real – attacks have occurred and are occurring. It is critical for attorneys and law firms to address them through comprehensive information security programs.
Implementing, maintaining, and updating a comprehensive information security program is essential for attorneys and law firms. Critical components of an effective program include procedures and tools for responding to, containing, and recovering from attacks. A law firm security program should be periodically reviewed, at least annually, to address the constant change in threats, technology, and available security.