David G. Ries practices in the areas of environmental, technology, and data protection law and litigation. For over 20...
Sharon D. Nelson is president of the digital forensics, information technology, and cybersecurity firm Sensei Enterprises. In addition to...
John W. Simek is vice president of the digital forensics, information technology and cybersecurity firm Sensei Enterprises. He is...
Russian cybersecurity firm Kaspersky Lab is considered a leader in the cybersecurity field, but recently they experienced some controversy when they were accused of working with Russian military and intelligence. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to David Ries about whether Kaspersky Lab is safe for lawyers to use, diving into where the controversy started and what the results have been so far. David also provides suggestions for lawyers who are interested in changing from one security software to another, whether they mistrust Kaspersky Lab or are simply unhappy with their current software.
David Ries is of counsel in the Pittsburgh, Pennsylvania, office of Clark Hill PLC, where his practice includes environmental, technology, and data protection law and litigation.
Kaspersky Lab: Friend or Foe?
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 85th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Kaspersky Lab, is it safe to use this Russian company’s security software?
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Our guest today is longtime friend and colleague David G. Ries, who practices in the areas of environmental, technology and data protection law and litigation. For over 20 years he has increasingly focused on cybersecurity, privacy and information governance. He has used computers in his practice since the early 1980s and since then has strongly encouraged attorneys to embrace technology, appropriately and securely.
David is a coauthor of two ABA books, “Locked Down: Practical Information Security for Lawyers, 2nd Edition” and “Encryption Made Simple for Lawyers”.
Thanks for being with us today Dave.
David G. Ries: Thanks. It’s always great to work with you and Sharon.
Sharon D. Nelson: Well, thanks. We return the compliment. And as we get started here, I know the three of us know a lot about Kaspersky Lab, but I am sure there are some listeners who do not. So, can you talk a little bit about the company itself?
David G. Ries: Yeah. Kaspersky Lab is a leading global cybersecurity company that’s been in business for about 20 years. Its headquarters is in Moscow and it’s owned by a UK-based holding company called Kaspersky Lab, Ltd. It has an affiliate in the US, Kaspersky Lab, MA, which is based in Massachusetts. It reports having about 270,000 corporate clients worldwide, about 400 million users and 4,000 employees.
John W. Simek: Well Dave, what about the man at the top of the pile, Eugene Kaspersky, give us some insight into who he is and some of his activities?
David G. Ries: He is a Cofounder of Kaspersky Lab. He is a Russian citizen, but I understand that he lives mostly in the UK. He is widely recognized as a leading cybersecurity expert.
He graduated from what was then the technical faculty of the KGB higher school and that’s KGB as in the Russian intelligence group. He is currently the CEO of Kaspersky Lab. And there is some concern because of his prior work for the Russian military and his education at a KGB sponsored technical college. But he is widely viewed as both a leader in cybersecurity and in the business of cybersecurity.
Sharon D. Nelson: And I am guessing that there are a lot of people who are listening who do know about the products and services that Kaspersky provides, but a lot probably don’t. So, talk about that if you would Dave.
David G. Ries: Well, Kaspersky Lab has leading threat intelligence and research offering and through that it offers a variety of software products for large companies, midsized, and small businesses, as well as for consumers.
It has products for desktops, laptops, mobile devices, servers and enterprise management tools. It’s been widely used in the US, including a number of companies and until the present US government agencies. But it’s a wide offering, management tools, security software; it’s right in there with many of the others in terms of the breadth of its offerings.
John W. Simek: Well Dave, I know I have had some personal experience with their products and they have always done fairly well, at least for me and for our company here, but give us an insight as to how their products have performed and how they have been reviewed by a lot of these testing agencies as compared to maybe even some of their competitors.
David G. Ries: Sure. Many of Kaspersky’s products have been viewed as the leaders or among the leaders, and that’s because they have performed very well in independent tests and reviews. They have often been first or in the top three in the various independent reviews, and that’s over at least the last several years. I haven’t watched them much before that, but over the last several years they have been right up there.
For example, in 2016 they received 55 first place awards and 70 top three ratings, so that’s pretty high in this area.
They go through independent reviews by services like Virus Bulletin and AV-Comparatives. And these look on a one-time basis, but also over time how much malware do they detect. They use samples of malware, including some of the latest and test the various products to see how they perform and over periods of time Kaspersky’s products have often been at a 100% or very close to it.
So, they have been highly rated for effectiveness and also for ease of use, so very leading products.
John W. Simek: Well, all good stuff. So, before we move on to our next segment, let’s take a quick commercial break.
John W. Simek: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including Distributed Denial of Service mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Kaspersky Lab, is it safe to use this Russian company’s security software? Our guest is longtime friend and colleague Dave Ries, who practices in the areas of environmental, technology and data protection law and litigation.
So, Kaspersky has found itself in the middle of a firestorm, Dave. You want to tell us what the current controversy is about?
David G. Ries: Yes, I want to start with a quick disclaimer and that is that everything I know about it is from what I have read in the popular press and in the information security press. I have looked at a lot, but I don’t have any personal knowledge about it, so I am explaining it as I understand it.
John W. Simek: You don’t want the KGB coming after you, huh Dave?
David G. Ries: Right, right, or Kaspersky. So, during 2015 there was some press coverage about ties of Kaspersky with the Russian Government, along with denials by Kaspersky, and that was in some of the popular press. There were several articles, but it kind of seemed to go away after that flurry of activity.
The allegations resurfaced again this past summer with a lot of discussion in the popular press and information security circles, and when the initial discussion started, I think it was about May or perhaps June, Kaspersky Lab offered to let the US Government review its source code, so that the government could see what the products did and what they didn’t do and look under the hood.
The real firestorm hit on September 13, when the Department of Homeland Security issued an operational directive that instructed all US Federal Agencies within 30 days to develop detailed plans to remove and discontinue the use of any Kaspersky products, they were to discontinue that use within 60 days, and within 90 days they were supposed to have it out of the system. So, the plans were supposed to be fully implemented.
Interestingly, the Operational Directive did give Kaspersky Lab an opportunity to respond. The Directive was qualified by unless based on new information, DHS changed the Directive. So that was the big hit because there were a number of Federal Agencies using Kaspersky and of course Homeland Security directing agencies not to use it would affect commercial use too.
Then on October 10 The New York Times published a story, the headline was, ‘How Israel Caught Russian Hackers Scouring the World for U.S. Secrets’. So, I am just going to read a quick introduction, because they put it so well.
“It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.
“What gave the Russian hacking, detected more than two years ago, such global reach was its improvised search tool – antivirus software made by a Russian company, Kaspersky Lab, that is used by 400 million people around the world, including by officials at some two dozen American government agencies.”
So, The Times was reporting that Russian intelligence was actually using Kaspersky’s products to search for American intelligence programs. It reportedly included a set of hacking tools that were on the home computer of an employee of an NSA contractor.
So, the Russian intelligence reportedly got these NSA hacking tools to run this individual’s computer and it got them through the use of Kaspersky’s antivirus or security programs.
John W. Simek: Well, I know Dave that a lot of the resources that I look at too, the security professionals, were kind of standing back on, well, there really isn’t any proof and we really don’t know all the details and I am sure that’s going to come forward as time goes on, but how has Kaspersky responded to those allegations?
David G. Ries: Well, I mentioned back in 2015, during the first set of allegations, Kaspersky offered to let the US Government review its source code, so they were able to see what the various software products could do and couldn’t do, and Kaspersky Lab denied any knowledge or involvement in the hacking, and they made a statement that Kaspersky Lab has never helped, nor will help any government in the world with its cyber espionage efforts. And it asked Homeland Security for verifiable information to support the claims.
And as you mentioned, a number of folks in the information security community asked for the same thing. They said, where is the proof of what’s happened? Because there are other innocent explanations, which I will talk about in a few minutes.
John W. Simek: Did the government actually take them up on the offer to review the code?
David G. Ries: I am not aware that they did, and that might be behind the scenes.
Sharon D. Nelson: Indeed, I think it might. But one thing I think that’s poorly understood and I will ask it in the form of a question, why does security software “phone home”, as they say, in quotes?
David G. Ries: Well, I mean phoning home of course is a piece of software or an operating system reporting back to the servers of the company that published the software.
And before I turn to security software, Microsoft Windows 10 is notorious for phoning home, and there was some controversy when it first came out from privacy advocates about how much it phoned home.
So, the reason that security software phones home is for at least two reasons that I know of. Number one, just to report performance of the software, any breakdowns in it and things of that nature, so the publisher can fix them to see how it’s performing.
But more importantly for security software, it is used to send samples of the malware that it detects back to the security company so that they can make sure that they fully understand that it is part of their threat detection and if necessary tweak the security software to catch variants.
So, it’s part of threat intelligence gathering and virtually all of the security software companies do that. There is usually a way to opt out, but that’s part of the way they get information to help all their users.
So, a possible innocent explanation of what happened here is that the Kaspersky Lab’s security software on a contractor’s computer detected the malware, sent samples of the malware back to Kaspersky as part of the usual analysis of samples. Now, how Russian intelligence got involved, if they did, and how they got it is a different question, but the fact of security software finding malware on a computer and sending a sample back is typical.
John W. Simek: And I am glad you pointed out Dave about the opt-out, because I know Kaspersky does have that, the default is to send the information back, but you can in fact opt out of sending that data.
Let’s talk about lawyers and their usage of Kaspersky. In your opinion, is it safe for the lawyers and the companies in the US to use Kaspersky products?
David G. Ries: Well, I mean generally I think it is, absent more information coming out, but I have heard kind of two different schools of thought. One is, why take a chance. Attorneys have a duty of confidentiality and if there’s any question about any of the security products or other technology products that you are using, and there are other ones about which you don’t have that concern, why take a chance. So that’s the most protective.
Kind of the other that I have heard a lot of people express is that unless you are doing something that you have a concern that the Russian intelligence is interested in, that absent that, that you are probably okay using, and particularly for home users, again, unless they are covert foreign agents or something like that, there shouldn’t be that much concern, but keep monitoring it in case something more comes out, but that’s kind of it.
So, there’s a cautious, don’t use it even if it’s safe; there’s the more moderate, if you are not in a position to be concerned about Russian intelligence, go ahead and use it.
Sharon D. Nelson: Do you think Dave — I mean in essence, do you think that they have gotten a bad rap?
David G. Ries: I think I can just say that they might have, because I don’t know, if they were cooperating with Russian intelligence and let them use Kaspersky’s systems to gather this kind of data, then of course it’s not a bad rap. But if it was just collected in the routine operation of the software, nothing malicious about it, they did get a bad rap. I mean they could also be somewhat of a victim if Russian intelligence infiltrated Kaspersky and without Kaspersky’s knowledge or consent, they took data from Kaspersky’s servers, then maybe they are a victim.
Although with the sophistication that Kaspersky has in security, it’s questionable whether somebody could get into their system at least long-term without them knowing it.
John W. Simek: Those Israeli guys though, they are pretty good Dave, you have got to admit.
David G. Ries: Yeah. Well, they were in for a while and I think they eventually — I think Kaspersky eventually found them, but they were in for a while. And the Israelis are some of the most talented.
John W. Simek: Yeah. Before we move on to our last segment, let’s take a quick commercial break.
Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Kaspersky Lab, is it safe to use this Russian company’s security software. And our guest is litigator Dave Ries.
So, Dave, do you have any suggestions for lawyers or companies that have made up their minds, maybe using Kaspersky now, but now they want to change security software?
David G. Ries: Or if they want to change from one product to another just because they stopped liking it or whatever. There’s a lot of good security products on the market and kind of the preliminary point is that if you use any supported version, that’s currently under support, with all current updates, you are substantially better off than not having security software.
There are a lot of products out there, I am just going to give a few examples, not necessarily the particular ones I would recommend for a particular use, but Bitdefender, ESET, McAfee, Norton Symantec, Sophos, Trend Micro, Webroot, there’s a lot of them out there. They also typically offer basic, advanced and premium security suites so I tend toward the premium that has a lot of additional features.
The first thing is to ask somebody who is knowledgeable, like John or Sharon, who is familiar with it on their experience, look at reviews in respected security and tech publications like SC Magazine, PC World, Computerworld, Tom’s Guide, even Consumer Reports does analyses of security software.
For enterprise versions, for law firms or businesses, Gartner and Forrester and other tech consulting firms publish ratings. Tech groups like ILTA, the ABA’s Legal Technology Resource Center publish information. And look at how they do in these independent reviews, not just whether an editor liked them or didn’t like them, look at their ratings from Virus Bulletin, AV-Comparatives and you want one that catches it all or most of it. You don’t want one that’s easy to use if it only gets 80% of the malware.
So that’s basically an overview. Just do some due diligence. But if you get a named product, you probably can’t go wrong if it’s current and keep everything up-to-date, typically with automatic patches.
John W. Simek: Well Dave, for a last question here I am going to throw you a softball, because I know you live and breathe and eat this whole security world here, but how does security software fit in the comprehensive information security program?
David G. Ries: Well, up-to-date security software is part, and I stress part of a comprehensive security program. It’s not the whole thing. And unfortunately, there’s no silver bullet in security. There’s not one thing that will protect you. And even if you put everything together, you may not be protected with the kind of threats we face today.
But I mean, I will end with a quote from one of our favorite information security experts and that’s Bruce Schneier; he is a great security expert, recognized internationally and comes out with some just really great sound bites that are good for teaching, and the one here is, “Security is a process, not a product”. So, the security software is a critical step in security, but one step.
Sharon D. Nelson: It is a process that’s for sure and there is no such thing as set it and forget in cybersecurity, right Dave?
David G. Ries: That’s right.
Sharon D. Nelson: Well, thanks a lot for joining us today Dave. It’s always a pleasure, we always enjoy working and writing with you, speaking with you, and I know that you follow this stuff as closely as we do. So, your expertise as always — I know our listeners always appreciate it. So, thanks again.
David G. Ries: Okay, I am always glad to do it.
John W. Simek: Well, that does it for this edition of Digital Detectives. Remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.