This paper was originally written over the course of a weekend prior to a CLE given for the KCMBA Family Law Section. It grew over time and has now been delivered at the Missouri Bar Association Annual Conference, the UMKC 15 Hour Review of the Law and the KCMBA Bench Bar and Boardroom conference.
I've retired the talk for now, but I suspect that it will return some time in 2014 or when the right opportunity comes along.
Client-Lawyer Relationship Rule 1.6 Confidentiality Of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
It's not very often that so many words can say so much. To our clients, confidentiality is almost as important as the quality of our work. They trust us with their most personal feelings, thoughts, documents and secrets so that we may serve them better. The obligation of confidentiality didn't use to be so difficult to comply with. Now, with computer intrusions on the rise and ever-present temptations to share things with the world through social networking, it can be more difficult to meet this obligation.
This text will explore the reasons why lawyers and law firms are attractive to criminals, the motivations and methods employed by a wide range of attackers, and how to harden systems and respond after a computer has been compromised.
While our obligation to maintain the confidentiality and security of our client data and communications may seem daunting, by understanding the methods employed by attackers and putting up layers of defenses against them, security can once again fade into the background of our attention.
2 WHY ARE LAWYERS TARGETS
Attackers are becoming smarter by the week, and in developing their strategy to achieve whatever result they are looking for, they will act just as many of us do every day: by matching the highest potential reward with the most effective and efficient approach.
2.1 HIGH VOLUMES OF SENSITIVE DATA
No matter what kind of law an attorney practices, they are entrusted with an impressive amount of sensitive information. Employment lawyers will often be entrusted with spreadsheets full of personally identifiable information such as Social Security Numbers (SSNs), full names and dates of birth. Patent attorneys hold highly confidential source code and design documents. Family lawyers hold personally identifiable information, in addition to the communications between their clients, perhaps before a divorce proceeding officially begins. Transactional attorneys are clued in to major transactions which could have major impacts on stock value if publicly disclosed. Litigators end up holding all of these types of information during corporate litigation, and dissemination of internal client communications regarding strategy can have devastating effects on businesses for the long term.
Of course, all individuals and companies have this sort of information on hand as well. The difference, with respect to target data, is the density of such information and its presence for many clients at once.
Skilled attackers looking to execute an attack to steal significant amounts of information from a major corporation are always looking for the weakest point of entry with the highest potential payoff. Why attack the large company, with its ultra-secure network and staff of people trained to respond to security breaches, when they can go after its law firm instead? A successful intrusion and exfiltration yields not only the data (organized and indexed) from the target, but that of the firm's other clients as well.
2.2 TOOLS, KNOWLEDGE AND BUDGET
In comparison to other fields, attorneys are often less savvy in the realm of technology. None of us went to law school to become security engineers, and there isn’t enough time in the week to keep up on the latest developments in software vulnerabilities. Our busy schedules and tight budgets often lead to insecure habits and the use of outdated software. The tight economic climate has forced firms large and small to cut overhead, and security staff and technology are easy targets.
Rich information environments, combined with highly restricted time and attention to devote to technology maintenance and security, create a very attractive target for attackers of just about any motivation.
3 UNDERSTANDING ATTACKER MOTIVATION
Computer attackers have a wide variety of motivations and goals. The tools and techniques used to successfully execute an attack will depend on their desired outcome.
3.1 BOTNET BUILDING
Botnets are large networks of compromised computers which are controlled remotely to execute different tasks for their operator. This can be as mundane as sending more email about male enhancement or as exotic as executing distributed denial of service attacks as part of extortion schemes.
3.2 IDENTITY THEFT
Identity thieves will target either individuals using social engineering techniques or companies to mine for personal information. Those targeting individuals, or phishers, will try to extract bank account or other personal information from a target. The classic example is the request from a relative of a foreign official looking to transfer some money to the United States. More modern schemes will employ pleas for money from someone “traveling abroad” who needs some cash wired to them. As people have begun to communicate and identify people that they trust through social networks like Facebook, attackers have begun compromising accounts and sending messages instead of relying solely on email. These breaches can be especially effective if the attacker compromises someone actually abroad, which people readily reveal on Facebook.
Other identity thieves are looking for large amounts of personally identifiable information to sell on the black market. These attackers will try to compromise the enterprise through any number of means and pivot to stores of information. In some instances, they may target individual businesses who accept credit cards and handle them insecurely. A restaurant with a point of sale unit connected to an insecure wireless network can yield batches of credit card information which can be exfiltrated and erased prior to transmission to the processing center at the end of the day. The attacker has the information he was looking for, while masking the specific location where those numbers were acquired.
Computer attacks are increasingly being used to facilitate activism. There are three possible results that are sought by the activist attacker: defacement, denial of service and information dissemination.
Website defacement has been a goal of attackers since the dawn of the web. Attackers take over a web server, replacing the owner's content with their own message. Victims of defacement may be targeted due to their high volume of traffic or because of what the website does. Website defacement groups will target web applications and web servers to gain permissions on the target web servers.
Denial of service attacks can also be politically motivated. The group calling themselves Anonymous has often executed such politically motivated attacks against organizations such as Sony, The Church of Scientology or PayPal. One specific attacker, known as th3j35t3r, targets sites run by radical Muslim organizations, Wikileaks or the Westboro Baptist Church. The Jester is a unique and interesting character in the world of activist attackers, describing himself as a “Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, and other general bad guys...” Denial of service can occur through brute force using a distributed denial of service attack or through direct penetration of a web server.
Information dissemination by groups of attackers has become much more prevalent over the past year. Most notorious of these examples is the distribution of US State Department communications by Bradley Manning through the website Wikileaks. The attacks on Wikileaks by federal authorities, The Jester as well as the revocation of funding and hosting resources for the site puts its future in question. We should expect dissemination of information to move to decentralized distribution channels such as BitTorrent or sites like pastebin.
Attackers with the end goal of information dissemination will use a number of methods to gain access to information including client side, social engineering and physical attacks.
Once the attackers have acquired the information they look to distribute, they can turn to peer to peer networks or central repositories like Wikileaks to get the information to the public.
3.4 ESPIONAGE AND THE SO CALLED ADVANCED PERSISTENT THREAT
While many of us as individuals may scoff at the idea of becoming targets of espionage, this is a real concern for large private and public institutions. These attacks are perpetrated by highly skilled individuals and can utilize a wide range of attacks. These kinds of attackers have recently come to be referred to by many as the “advanced persistent threat.” These attackers can spend weeks gathering intelligence about the target before beginning the attack. Once inside an organization, the attacker gains access to individual systems, compiling the information they seek slowly and methodically, culminating with the exfiltration of information. To gain access to an organization, the attacker will utilize social engineering, client side attacks, non-disclosed vulnerabilities and tools that they have built themselves. Once inside the organization, they will establish ways to maintain access and pivot from one system to another while taking steps to avoid detection and erase traces of their presence. These are exactly the types of attackers that attorneys should anticipate being targeted by, especially if they handle high value information on behalf of their client.
Many attackers will perform attacks simply because they are looking for something to do. Penetration can be an enjoyable challenge, and while many members of the hacker community restrict their activities to networks and computers where they have total permission to manipulate them, sometimes they stray from the reservation. They often don’t have malicious intent, even if they succeed in fully penetrating a system. These attacks are most prevalent in places where you find bored people, such as airports, hotels, college campuses or coffee shops. The real danger is that once a machine has been compromised, even by someone who has no malicious intent, doors to the system may be left open to others.
The tools used by the bored attacker are often very advanced, however, and are the same tools that would be utilized by highly motivated attackers looking to acquire large amounts of information for dissemination or corporate espionage.
These attacks can include password and traffic sniffing, session hijacking, and direct penetration of individual machines on public wireless networks.
4 COMMON ATTACKS
In order to defend against common and effective attacks, individuals should have a rudimentary understanding of how each attack works. The attacks examined here are those most likely to be used by advanced attackers and to lead to the dissemination of confidential client information.
4.1 MALWARE AND BOTNETS
In the age of information warfare, attackers will often seek to create networks of centrally controlled computers called botnets. Instead of making an actual investment in computers, though, botnet commanders compromise hundreds or thousands of individual computers around the world to do their bidding. These networks of computers are then used to execute denial of service attacks against websites and companies. These decentralized attacks can be difficult to combat and often lead to downtime for businesses. Often botnets are made available for lease through the black market. Organized crime groups will often use the threat of denial of service attacks to extort money from e-commerce or online gambling operations. These typically coincide with high traffic events, such as the holiday shopping season or major sporting events like the Kentucky Derby, NCAA tournament or the Super Bowl. Computers that are part of botnets don't always just sit waiting for their next command. They can also be used to distribute spam, or to capture additional login information. Combating botnet builders requires that users patch their computers, run appropriate anti-virus and anti-malware countermeasures and remain behind hardware firewalls (don't freak out... that's your router) to avoid infection.
Anyone who used a computer between 2000 and 2005 should be painfully familiar with adware and scareware and the way these attacks occur. One moment you're surfing away on the internet, and the next you're staring at a pop-up ad for herbal male enhancement, offers to win free stuff, or warnings that your computer is infected, asking you to purchase some tool to remove the infection. The attack vectors used here are very similar to those used by botnet builders, but the infections themselves are very visible. Unfortunately these attacks have become more effective and insidious. The most disturbing trend is that of highly malicious scareware.
A user sees a message that they are infected and that they should buy a tool to remove the infection. Not only does the victim have their financial data compromised when they type in their credit card number, the software that is provided is actually additional malware which can be used in any number of ways. Nastier variations will hold data hostage by hiding files or in some instances even encrypting them.
4.2 PROXIMITY ATTACKS
Proximity-based attacks are distinguishable from malware-based attacks in that the attacker is much more likely to be skilled, and either has little motivation beyond passing the time or uses such attacks as part of a larger infiltration. Some of these techniques can also be used to compromise individual accounts for purposes of identity theft; however, there is a low rate of return for this, and it is more likely than other techniques to attract the attention of local law enforcement after a significant number of identity theft victims emerge showing a similar pattern of movement or behavior. Any time that you connect to a wireless access point that you don't control, you should consider all of your activities to be monitored by others. If you're using so-called "clear text" protocols to connect to any system, the other people on the wireless network can see and interact with the traffic.
4.3 CLIENT SIDE ATTACKS
So-called “client side attacks” don’t target a company or individual’s big server systems, but the workstations and software used by end users. Even though the attacker may not find the information he’s looking for on that computer, he can use the victim’s computer to pivot to more interesting places on the network. Vigilant software patching and smart user behavior can keep the odds of client side attacks to a minimum, but such attacks will always remain one of the easiest ways for attackers to infiltrate an organization.
5 SECURING DATA GENERALLY
It’s unfortunate that in this day and age we actually need to pay so much attention to information security. One of the loneliest jobs available is that of the corporate information security officer. The best day for a CSO (Chief Security Officer) is one where their users don’t even know they exist. The worst day is one where they have to explain to someone that there has been a data breach or a piece of malware has taken the company network down for an extended period of time. Nobody in the legal profession ever wanted to have to become an expert at technology at all, let alone the tedious process of securing data. Luckily, by creating good computing habits and making smart decisions when buying technology, security can get out of your way and let you do what you love.
5.1 CHOOSING HARDWARE AND SOFTWARE
Whether you’re a sole practitioner or an attorney at an AmLaw 100 law firm, you should be choosing tools that allow you to keep overhead costs to a minimum while enabling users to maximize productivity. That means choosing technologies which are well supported and easy to secure. Ten years ago, users were essentially forced to use Microsoft Windows, which has proved to be difficult and costly to secure. While running Windows ensures compatibility with certain legacy systems, in the long term it may make more sense to choose an alternative operating system which doesn’t come with so many additional security costs. Windows 7 has made great strides in security, but still requires additional security layers to run on top of the operating system, which can hinder performance and increase annual costs. Depending on your practice type, Windows may still be your only option. Windows XP has served us for many years and runs very quickly on modern hardware, but carries additional costs of security software and will eventually see the end of support from Microsoft. New features such as full disk encryption aren’t built into the operating system as they are in OS X or Windows 7, either.
Mac OS X wasn’t really a viable alternative for the business user a few years ago, but is seeing some impressive growth in businesses. There are many tools that fit directly into the attorney’s workflow for OS X, and the rise of the universal PDF file as the document exchange format of choice means that it doesn’t matter to the recipient which operating system was used to make the document they are trying to read. OS X isn’t vulnerable to many of the threats affecting Windows and therefore doesn’t require anti-malware programs.
The Linux operating system is an interesting option for law firms running on a shoestring IT budget.
Much like OS X, Linux doesn’t fall victim to many of the drive by attacks lobbed towards Windows users, but maintaining a Linux desktop can take additional time and probably shouldn’t be considered as a viable alternative for the practicing attorney desktop.
5.2 THE IMPORTANCE OF PATCHING
Keeping up with your computer’s system updates is a critical part of keeping your client’s data safe and secure from attackers. Software vulnerabilities sometimes emerge before a patch from the vendor is available, but these circumstances are rarer than you may think. Patching is tedious and breaks up your workflow, but unless you keep those patches applied it can only be a matter of time before someone drives right through the holes in your system. Windows updates are issued monthly, but when a flaw is discovered that is particularly nasty, Microsoft will issue a critical patch to users. Apple issues patches on a less regular schedule, but both Windows and OS X notify the user as soon as updates are available. Updating your operating system isn’t the only thing that needs regular maintenance. All of your applications should be kept up to date, including Adobe Flash, Acrobat, Microsoft Office and Java, which can be found on almost any computer. In many instances, you’ll only see that an application has an update available when you open it. Since you rarely open Acrobat for the specific purpose of checking whether there is an update, if you don’t apply the update immediately, try to come back to it soon.
5.3 PASSWORD SECURITY
Whether you’re talking about access to your bank, Netflix, the New York Times, your computer or your master encryption key, the password you choose is often one of the weakest links in the security chain. Passwords can be attacked through a number of methods, including dictionary attacks and simple brute force. In order to mitigate these types of attacks it’s important to use long, complex and random passwords. Every time that you sign up for any account online and give them a password, you’re hoping that they don’t fall victim to an attack where the password is compromised. Attackers who gain access to account passwords, especially when they are coupled with email addresses, will seek other sites where victims have accounts. This is especially true in phishing attacks where the attacker gains access to the victim’s email account. Quickly searching for the word “password” in an email account can yield a disturbing number of actual passwords and password reset links to other accounts. To mitigate this threat, it’s important not to use the same password twice. In practice this sounds impossibly difficult with the number of login credentials that we’re responsible for. To make this easier, consider using a password keeper. Good password keepers should be available everywhere you could possibly need them, generate passwords for you and provide desktop and mobile interfaces. With a password keeper, you only need to remember the master password, which will allow the password keeper to pass your credentials along to the login form.
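As an added illustration (not part of the original paper), the following Python puts numbers behind "long, complex and random": it computes the entropy and worst-case brute-force time of several password shapes and generates a keeper-style random password with the operating system's cryptographic random number generator. The guess rates and the 7776-word dictionary size are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed assumptions, not measured figures: a throttled online login form
# versus offline cracking of a leaked password hash on dedicated hardware.
ONLINE_GUESSES_PER_SEC = 100
OFFLINE_GUESSES_PER_SEC = 10 ** 10

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password drawn uniformly at random: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time for a brute-force attacker to try every password of this shape."""
    return alphabet_size ** length / guesses_per_sec


def compare_schemes() -> dict:
    """Entropy and offline brute-force time (in years) for several password shapes.

    The 7776-word dictionary is an assumed size modelled on common word-list passphrases.
    """
    schemes = {
        "8 lowercase letters": (26, 8),
        "8 letters and digits": (62, 8),
        "12 random printable": (94, 12),
        "20 random printable (keeper-generated)": (94, 20),
        "4 random dictionary words": (7776, 4),
    }
    year = 365 * 24 * 3600
    return {
        name: {
            "bits": round(entropy_bits(size, length), 1),
            "offline_years": seconds_to_exhaust(size, length, OFFLINE_GUESSES_PER_SEC) / year,
        }
        for name, (size, length) in schemes.items()
    }


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from the OS cryptographic RNG, as a password keeper would generate it.

    secrets.choice is used instead of random.choice: the random module is a Mersenne
    Twister, which is not suitable for anything an attacker might try to predict.
    """
    if length < 12:
        raise ValueError("a keeper-generated password should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, stats in compare_schemes().items():
        print(f"{name:40s} {stats['bits']:6.1f} bits  {stats['offline_years']:.3g} years offline")
    print("example keeper-generated password:", generate_password())
```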
Although this writing focuses primarily on protecting client data from intruders, it’s important to make sure that data is safe from hardware failure and file corruption through the use of a solid backup system. Generally you should have no fewer than three copies of all of your data. The first is your working copy, the second is a local backup which can protect you from accidental file edits and deletions and the third is an offsite backup to protect against theft, fire, tornado or other disasters. Offsite backup can be tricky. Although bandwidth available to users has dramatically increased over recent years, upload speeds remain stuck in the late 20th century. This can make the use of online backup services such as Carbonite or BackBlaze a challenge to set up depending on your data volume. On the other hand, cycling hard drives can be cost effective, but it requires that you remember to actually perform the backups and take them away from the office. No matter what option you choose, the most important thing is that the system has been tested and works for you.
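The paragraph ends with the advice that matters most: a backup only counts once it has been tested. The following Python is an added example (not the author's) of the kind of check that turns "I think it backs up" into a verified answer: it hashes every file in the working copy and in a backup copy and reports files the backup is missing, files whose contents differ, and files that exist only in the backup. The sample directory tree is constructed inside a temporary folder so it runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large documents don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(working: Path, backup: Path) -> dict:
    """Compare a working copy against a backup copy, file by file.

    Returns relative paths (POSIX style) that are missing from the backup, whose
    contents differ, and that exist only in the backup (files deleted since the
    backup was taken, which the backup still retains).
    """
    def index(root: Path) -> dict:
        return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}

    w, b = index(working), index(backup)
    return {
        "missing": sorted(w.keys() - b.keys()),
        "changed": sorted(name for name in w.keys() & b.keys() if w[name] != b[name]),
        "only_in_backup": sorted(b.keys() - w.keys()),
    }


def demo() -> dict:
    """Build a constructed working copy and a stale backup of it, then compare them."""
    root = Path(tempfile.mkdtemp())
    try:
        working, backup = root / "working", root / "backup"
        (working / "clients").mkdir(parents=True)
        (working / "clients" / "smith.txt").write_text("petition v2")
        (working / "clients" / "jones.txt").write_text("draft")
        shutil.copytree(working, backup)                               # the nightly backup
        (working / "clients" / "smith.txt").write_text("petition v3")  # edited after the backup
        (working / "clients" / "new.txt").write_text("new matter")     # created after the backup
        (working / "clients" / "jones.txt").unlink()                   # deleted after the backup
        return compare_trees(working, backup)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Run against a real working folder and a restored backup, a clean result (three empty lists, or only the deletions you expect under `only_in_backup`) is the evidence that the backup actually works.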
6 THREAT MITIGATION
In order to help prevent intrusions of any kind, individuals should take a number of steps to avoid being taken by electronic attackers.
Malware continues to be primarily a problem for users of Microsoft Windows. Malware can arrive at a user’s doorstep merely by visiting pages on a website or opening an email attachment. Users should run up-to-date anti-virus software which includes heuristic scanning and anti-malware software like Malwarebytes, and should use an alternative web browser such as Google Chrome or Mozilla Firefox over built-in browsers like Internet Explorer or Safari.
6.2 SOCIAL ENGINEERING
Social engineering exploits the weakest part of any security system: the user. As individuals we tend to be trusting and can be manipulated by others to unwittingly assist them in their attacks. Social engineering can often occur in person or on the telephone. Often attackers will call the help desk while impersonating a user and request that a password be reset. Sometimes the opposite is true, and individual employees will receive calls from someone purporting to be in IT asking for the user’s password. Social engineering can also be used to gather intelligence on what kind of internal systems and controls are in place. Attorneys and staff should understand what protocols are in place for password management and support, as well as what information should be kept private when talking to vendors or third parties.
Social engineering can also be utilized through email. One crude example is the basic phishing attack where a user receives an email from someone they do not know, asking for bank account information. At this point, many users understand this threat and don’t fall for it. More advanced social engineering attacks will exploit existing networks of trust through the impersonation of a person that the target trusts, making what’s seemingly a normal request. These attacks are known as spear phishing. The attacker researches an individual or organization, determines a strategy for communicating with the target, and then sends an email while spoofing the sender. For example, an associate may receive an email message from the managing partner containing an attached PDF copy of a resume from a potential new hire. Seeing that the email came from someone that the associate trusts and contains an attachment of a type they would typically consider safe, they open it up and take a look.
What’s actually happening, however, is the delivery of a carefully crafted PDF file which exploits a vulnerability in Adobe Acrobat and opens a connection from the associate’s computer back to the attacker. The attacker can then directly transfer data back, or use the associate’s machine as a beachhead from which to execute attacks against other systems. They may move to another system which also connects back to them, to avoid detection once the associate realizes that he may have been compromised after talking to the managing partner afterwards. Social engineering is so effective that when penetration testers are hired to do vulnerability assessments, they are forbidden from using social engineering. The only way to protect against social engineering is for each and every user to understand how requests for information or support should arrive. For email-based social engineering, they should understand that attachments should always be considered to be malicious unless the attachment is both expected and coming from a trusted source.
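The "resume from the managing partner" scenario above can be caught at the mail gateway or in a mailbox rule before anyone opens the attachment. The following Python is an added example (not the paper's own, and not any product's code) of three defender-side checks: a colleague's display name arriving on an address outside the firm, a Reply-To that steers replies elsewhere, and a document-type attachment from outside the firm. The firm domain, staff directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed firm directory: display names staff would recognise, mapped to the only
# address each person legitimately sends from. The domain is hypothetical.
FIRM_DOMAIN = "example-law-firm.test"
DIRECTORY = {"managing partner": "mpartner@example-law-firm.test"}
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".zip")


def spoof_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like a spoofed-sender spear-phishing attempt.

    An empty list means none of the three checks fired; it does not prove the message is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    sender_domain = addr.rpartition("@")[2]
    # 1. Trusted colleague's display name on an address the directory does not know.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr != known:
        findings.append(f"display name '{name}' belongs to {known} but was sent from {addr}")
    # 2. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. Document attachments from outside the firm are the classic exploit carrier.
    if sender_domain != FIRM_DOMAIN:
        for part in msg.iter_attachments():
            filename = (part.get_filename() or "").lower()
            if filename.endswith(DOCUMENT_EXTENSIONS):
                findings.append(f"external sender attached '{filename}'")
    return findings


# Constructed sample. The attachment body is base64 of a short text string, not a document.
SPOOFED = """\
From: "Managing Partner" <m.partner@mail-example.test>
Reply-To: <resumes@mail-example.test>
To: associate@example-law-firm.test
Subject: Resume for a candidate, please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Can you take a look at this candidate before Friday?
--b1
Content-Type: application/pdf; name="resume.pdf"
Content-Disposition: attachment; filename="resume.pdf"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBkb2N1bWVudAo=
--b1--
"""

# The same message as the real managing partner would have sent it from inside the firm.
LEGITIMATE = SPOOFED.replace(
    'From: "Managing Partner" <m.partner@mail-example.test>\nReply-To: <resumes@mail-example.test>\n',
    'From: "Managing Partner" <mpartner@example-law-firm.test>\n',
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```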
Whenever a user attaches to a wireless network, there is a chance that others on the network can monitor and otherwise manipulate that user’s data. This can come in the form of something innocuous, like the sniffing of all image files transferred over the network, or malicious, like sniffing for passwords or other credentials. In order to avoid such attacks, users should avoid using public wireless access points without the use of something to encrypt all of their traffic, such as an SSL proxy.
7 INCIDENT RESPONSE
Although there are many tools which claim to clean computer systems of malware such as viruses, spyware, adware and the others, any computer that has been compromised should be considered a total loss. As you'll soon see, antivirus circumvention has become trivial. It's likely that additional services which help the attacker maintain access have been installed, and there are few ways to detect and destroy advanced tools. This is where data backup becomes critical. If a user has access to a recent backup, it's relatively easy to restore to a prior state or simply wipe the computer, reinstall and transfer all the working files from backup. If you don't, then you find yourself in the trap of trying to remove the malware without reinstalling. This becomes an endless cycle of anguish until a full reinstallation is performed. As soon as you suspect that your computer has been compromised, it should be removed from the network immediately. Keyloggers have likely been downloaded, so logging into any website could provide the attacker with access to other systems. Back your data up to an external drive, scan the files with a known clean machine, and then restore them once you've finished reinstalling.
Unfortunately for those of us who would like to use computers instead of spending time fixing and administering them, information security will continue to be a concern for the foreseeable future. Through a greater understanding of the methods, techniques and tools used by the wide range of attackers, attorneys can control the risks that their client data is exposed to.