Cybersecurity: It’s a Moving Target
By Sharon D. Nelson and John W. Simek
If you feel like it’s impossible to keep up with cybersecurity, fear not. You belong to a very large club. This field changes, not year by year, not month by month, but day by day. The best advice you can get is to attend at least one information security CLE each year and to keep reading articles like this one! Because this area moves so quickly, we thought we’d highlight recent developments.
THE ABA CYBERSECURITY RESOLUTION
The ABA has weighed in on cybersecurity concerns, always a sign that the states may follow. On Aug. 12, 2014, the ABA House of Delegates passed, without opposition, a new cybersecurity resolution, Resolution 109, which reads as follows:
RESOLVED, That the American Bar Association encourages private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.
You might be forgiven for thinking as you read the resolution, “Wow, that really says a whole bunch of nothing.” And you’d be right — it is really a cautionary resolution intended to raise awareness.
There is a back story to the resolution, which was, in its original form, much longer. The original resolution appeared to command all law firms, large and small, to come up with a cybersecurity program that met national and international standards.
This met with fierce opposition from a number of ABA entities, including the Law Practice Division. The resolution was submitted by the ABA Cybersecurity Legal Task Force and the Science & Technology Law Section.
In answer to the controversy, the language of the resolution (which stands on its own and is not governed by the accompanying report) was watered down to the tepid version above. At the behest of other entities, language in the report was also changed to make it clear that the resolution was not attempting to make a change in lawyers’ ethical duties and to add language recognizing that smaller firms could not be expected to adopt a program that made no sense considering their size and budget constraints.
Clearly, for small firms, the international and national standards cited in the report appeared fearsome. There are standards for smaller firms. The report states: “Small organizations, including small law firms and solo practitioners, can prioritize key cybersecurity activities and tailor them to address the specific needs that have been identified.” For help with this, you might check out “NIST Interagency Report 7621: Small Business Information Security: The Fundamentals.”1 Written in 2009, it’s a bit dated, but many fundamentals remain the same.
Remember that the resolution governs — not the report. So if you hear a vendor quoting from the report to get you to buy something, don’t think the report operates to set standards you must meet.
THE NIST CYBERSECURITY FRAMEWORK
In February 2014, we had begun moving forward toward securing our data and the physical infrastructure protecting it when the National Institute of Standards and Technology released Cybersecurity Framework Version 1.0.
The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs. This came as a result of Executive Order 12636, issued in February 2013, which called for “the development of a voluntary, risk-based Cybersecurity Framework — a set of existing standards, guidelines and practices to help organizations manage cyber risks. The resulting framework, created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.”
The framework allows organizations — regardless of size, degree of cyber risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
The document is called “Version 1.0” because, much like our Constitution, it is supposed to be a “living” document which will be updated to reflect new technology and new threats — and to incorporate “lessons learned.”
Here is where you find the magic words of the document, “identify, protect, detect, respond and recover” that should shape any law firm’s cybersecurity program.
“Identify and protect” was where we started in the early days of cybersecurity — and while those words are still important, “detect and respond” have surged forward as a new focus — along with, of course, recovering from security breaches — no easy task. It is especially tough if you don’t know you’ve been breached — and the average victim has been breached for seven months or more before the breach is discovered!
THE WAY WE WERE: A LOOK BACKWARD
In a more innocent time, we really thought we could keep the barbarians outside the walls that guard our data. Alas, those days are gone.
For years, the emphasis was on keeping villains — cybercriminals, state-sponsored agents, business espionage spies and hackers — out. We went from fairly simple anti-virus software to sophisticated anti-virus software and, finally, to enterprise anti-malware software security suites.
The products got better and better and better. Sadly, what we learned is that all the would-be intruders were not only matching the good guys step for step, they were outpacing them.
It took a surprisingly long time for everyone to “get it” — but in the end, we realized that if the bad guys are smart enough and target a particular entity, they are going to successfully scale the walls we built to keep them out. And with that realization, “detect and respond” became the new watchwords in cybersecurity.
Mind you, we are still trying to keep the bad guys out — that is our first line of defense. But now that we know that our first line of defense is a Maginot Line2 for sophisticated attackers, we have moved forward in our thinking.
DETECT AND RESPOND FOR LAW FIRMS
“Detect and Respond” means rethinking how you approach the security of your data. Now that you know that you can’t keep a determined intruder out, you know you need to detect them once they’ve penetrated your network. So you need technology and software that will help you detect that you’ve had what is called, in polite circles, “a cybersecurity event” — translate that to “a breach.”
As you can imagine, you want to know of these “events” as soon as possible so you can take action. Today, there are technology solutions that identify “anomalies” in your network (things that are outside the norm) or that look for executables that are unknown but are behaving like malware or some other form of cyberattack. While such solutions may be beyond the need or the budget of solos and very small firms, you don’t have to be very large to start considering heading down this road — the risks of not doing so are simply too great.
Some of these solutions include data loss prevention (DLP) software and appliances, electronic content management systems (ECMs) and security event management systems (SEMS). When you meet with someone who can explain the various solutions to you, brew a pot of espresso — you’re going to need to be highly focused to understand how one solution differs from another — this is really cutting edge technology that changes from month to month (if not day to day).
As for your response to your incident, that may vary. After the initial panic, you will want your in-house or outside technology consultants (and you are likely to need digital forensics technologists, who are more familiar with data breach investigations) to take a look at the situation and see what they can determine. They can also, once they understand what has happened, figure out how to “plug the hole” and otherwise mitigate the breach. Remediation of whatever caused the breach is key.
Hopefully, you already have an incident response policy and plan in place, no matter how big or small you are. For all but the smallest firms, there should also be an incident response team in place to implement the plan.
In all probability, you will want to call a lawyer familiar with data breach laws who can advise you on complying with any of the 46 state data breach notification laws.
And if there is data protected by federal law (such as HIPAA data), you’ll need advice on that front too.
Finally, one of the first pieces of advice you are likely to be given is to call the FBI. While that is anathema to most law firms, it is the appropriate course of action. Remember that the FBI makes no public statements about these investigations and doesn’t show up in flak jackets or otherwise make a public display of your “cybersecurity event.”
Remember what we said about “the way we were?” It still makes good sense to do your level best to keep the bad guys out and the best way to do that is by using encryption. Let us first and foremost dispel a myth — encryption is not hard. It is child’s play to put a password on a Word or PDF document that you want to attach to an email.
All of your laptops should have full disk encryption — laptops are stolen at an alarming rate. Your smartphones must have a PIN.
Encrypt the phone! This is easier to do than you think. Enabling a lock code on the iPhone or iPad automatically encrypts the device. To encrypt a BlackBerry device, all you have to do is enable the “Content Protection.” The last several versions of the Android operating system have built-in encryption. Just make the selection to encrypt the device within the security settings. You may need a third-party application if you are running an older version of the Android OS.
To the best of anyone’s knowledge, even the NSA cannot (yet) break strong encryption. As security expert Bruce Schneier says, “Encryption drives the NSA batty.” That makes encryption a lawyer’s friend!
As we wrote this, we learned of another law firm that just suffered a data breach because an (apparently) unencrypted backup disk was stolen from the locked trunk of an employee’s car. If it had been encrypted, there would have been no danger. But now the firm has suffered reputational damage, is paying for credit monitoring and the notification of clients who are impacted — not to mention dealing with digital forensics experts and law enforcement. Good risk management really demands encryption.
You are never safe. Give that idea up — but sleep soundly if you have done all that you could reasonably do in light of the nature of the data you hold, the size of your firm and the available budget. Don’t let perfection be the enemy of good!
1. http://goo.gl/5Q9Io0 (last accessed Oct. 15, 2014)
2. A line of defensive fortifications built before World War II to protect the eastern border of France but easily outflanked by German invaders. Here it refers to a defensive barrier or strategy that inspires a false sense of security. (Source: Merriam Webster Dictionary)
SECURITY CHECKLIST TIME
Everyone loves a checklist, right? We know the OBA’s own Jim Calloway does. We hope this checklist will get you thinking about things you need to do to prepare. Here are some key security steps to take:
• Have a vulnerability assessment performed, at least annually
• Remediate any vulnerabilities discovered
• Use enterprise-class anti-malware suites, not single function products like an antivirus program (we like Kaspersky and Trend Micro).
• Have security policies and plans in place:
  • Remote access policy
  • Incident response plan
  • Disaster recovery plan
  • Acceptable Internet and electronic
  • Social media policy — More than two-thirds of small businesses do not have such a policy, and yet 18 percent of users have been hit by social media malware according to a 2011 report by the Ponemon Institute.
  • Employee termination checklist
  • Password policy
  • Mobile device (includes smartphones) policy (critical if you allow the use of personal devices)
  • Background checks for employees
  • Employee monitoring policy — It is helpful to have a logon screen that specifically says that there is no right of privacy — that makes it hard for any employee to argue that they didn’t know the policy.
  • Guest access policy — Guests are frequently allowed on law firm networks, but they should not be able to reach client data, firm financial information, etc. — and they should be given a password which expires quickly.
  • Vendor access policy
• Make sure critical security patches are promptly applied.
• Map your network (you can use a free tool such as Nmap) to identify devices and applications running on the network. Regular scanning will show you what and who should and shouldn’t be on the network. Anything that looks suspicious can be investigated.
• Depending on the size of your firm, you may want to consider an intrusion detection system (IDS). Larger firms may want to use a network behavior analysis tool, which monitors network traffic and detects anomalies, but this is probably beyond the budget of small firms.
• Consider using content filtering, which keeps employees from visiting sites (notably pornographic sites) where the evildoers are apt to plant drive-by malware.
• Examine the security policies of business partners.
• Verify that your firewall is properly
• Encrypt sensitive data in transit and in storage. This is especially important for mobile devices which are so frequently lost or stolen. Make sure they can be remotely wiped and that they will wipe themselves after a certain number of incorrect passwords are typed in.
• Change all default passwords — these are plastered all over the Internet.
• If you have bent to the pleas of employees to connect their personal devices to your network, make sure you have a mobile device manager, which can help manage security. The new trend is to have two instances (think sandbox) on the phone, one for business and one for personal stuff, with the employer tightly managing the business instance of the phone. Since most small law firms are not using mobile device managers, allowing personal devices on the network is a Faustian bargain with a severe security risk. It is very important that data be encrypted, that passwords be required and that the devices can be remotely wiped.
• Verify that your wireless network is properly secured.
• Log remote access and limit access to
• Make sure you know where all your data is actually located!
• Make sure you know what experts you would call in the event of a breach.
• Make sure your devices are physically secured
• If you are accepting credit cards, make sure you are following the PCI Data Security Standards (DSS) which may be found at www.pcisecuritystandards.org.
• Get IT and partners to work together. Firm culture is a big problem — it is often true that a partner can refuse an IT security recommendation by simply saying “I don’t want to work that way.”
• Have a plan for damage control to the firm’s reputation.
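The network-mapping item above says regular Nmap scans will show you what should and shouldn’t be on the network. The script below is an added example, not from the article or from the Nmap project: it reads Nmap’s grepable output (the `-oG` format), compares it with a baseline inventory of known devices and their expected open ports, and reports unknown hosts, unexpected services and known devices that have disappeared. The baseline and the scan text are constructed sample data.

```python
"""Compare an Nmap grepable-output (-oG) scan against a baseline inventory.

Added example, not part of the original article. In practice the scan
text would come from a run such as `nmap -sS -oG scan.txt 192.168.1.0/24`;
the sample below is constructed for illustration.
"""
import re

# Constructed baseline: address -> (description, expected open TCP ports)
BASELINE = {
    "192.168.1.1": ("firewall", {443}),
    "192.168.1.10": ("file server", {445, 3389}),
    "192.168.1.20": ("printer", {9100, 631}),
}

# Constructed sample of nmap -oG output. Each live host normally produces a
# "Status: Up" line and a "Ports:" line; fields are tab-separated.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 23/open/tcp//telnet///
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 9100/open/tcp//jetdirect///, 631/open/tcp//ipp///
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
# Nmap done at Wed Oct 15 09:00:00 2014 -- 256 IP addresses (4 hosts up)
"""

OPEN_PORT_RE = re.compile(r"(\d+)/open/")  # port number of each open port entry

def parse_grepable(text):
    """Return {address: set of open ports} from nmap -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the comment/summary lines
        address = line.split()[1]
        ports = hosts.setdefault(address, set())
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                ports.update(int(p) for p in OPEN_PORT_RE.findall(field))
    return hosts

def review(scan, baseline):
    """Return (unknown hosts, {known host: unexpected ports}, missing known hosts)."""
    unknown = sorted(addr for addr in scan if addr not in baseline)
    unexpected = {}
    for addr, (_, expected) in baseline.items():
        extra = scan.get(addr, set()) - expected
        if extra:
            unexpected[addr] = sorted(extra)  # new service on a known device
    missing = sorted(addr for addr in baseline if addr not in scan)
    return unknown, unexpected, missing
```

Each item the review returns (an address nobody recognises, telnet appearing on the file server, a printer that has vanished) is something to investigate, which is the point of scanning regularly rather than once.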
ABOUT THE AUTHORS
Sharon D. Nelson is the president of Sensei Enterprises Inc., a digital forensics, information security and information technology firm in Fairfax, Va. She is a frequent author (11 books published by the ABA and hundreds of articles) and speaker on legal technology, information security and electronic evidence topics. She was the president of the Virginia State Bar from June 2013 — June 2014 and currently serves as the president of the Fairfax Law Foundation.
John W. Simek is the vice president of Sensei Enterprises Inc. He has a national reputation as a digital forensics technologist and has testified as an expert witness throughout the United States. He holds the prestigious Certified Information Systems Security Professional (CISSP) and many other certifications. He is a frequent author (10 books published by the ABA and hundreds of articles) and speaker on legal technology, information security and electronic evidence topics.
Originally published in the Oklahoma Bar Journal, OBJ 85 2275 (Nov. 1, 2014)