You might think that all you need to avoid cyber schemes is common sense, but even the biggest law firms require employee training to avoid attacks. In 2017, DLA Piper, the largest law firm in the world, suffered a catastrophic cyber attack. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk about how important cyber security awareness training is and potential training methods firms can use to instruct employees and partners. They share basic training tips and expand on the different kinds of common schemes, like phishing, ransomware, and social media attacks.
Special thanks to our sponsors, PInow and SiteLock.
Cyber Security Awareness Training
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 94th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice-President of Sensei Enterprises. Today on Digital Detectives our topic is, Effective Cyber Security Awareness Training for Employees.
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Today, we are flying solo, discussing a topic that Sharon and I lecture on all the time these days. Employees’ cyber security training has become all the rage over the last two years.
So why don’t you get it started, Sharon.
Sharon D. Nelson: Sure thing. We could maybe start by reviewing some of the statistics that have no doubt contributed to the popularity of our training, which now we are giving three or four times every month, which is an amazing uptick from two years ago when we weren’t doing any training; people all of a sudden want that for their folks.
So, from the 2017 ABA Legal Tech Report and the new report, which we have a draft of but we don’t have the numbers yet for this, but at that time, 22% of firms said they have been breached at some point. And of course, that number would actually be higher because I know a lot of large firms, people don’t find out about breaches. There is just not a need to know if they can contain it at the top. And then over one-third of firms with 10 to 99 lawyers were compromised in 2017 alone.
So that’s a lot of compromises of the smaller firms and I think that’s mattered to a lot of people. And then you have statistics like, suppose you have a social media policy, well that’s supposed to do something, right, but in plain fact, the studies have shown that 77% of people ignore the policies and they will make end runs around them. In the test on phishing, it’s the same 4% of your employees who over and over and over again click on that attachment or click on the link in the phishing e-mail.
And then of course, 50% of your employees are sharing their credentials for various and sundry reasons of their own. But there’s just so many statistics showing that we’re just not very safe that the training has really become increasingly popular.
So John, tell us about DLA Piper. I know we hear all the time is if DLA Piper could be brought to its knees, what chance do the rest of us have?
John W. Simek: Yeah, that’s the big thing there, is DLA Piper is the largest law firm in the world, the number one by revenue. Last year, they got hammered pretty bad. June 27th, they lost their e-mails, their phones were down, some of their network was taken offline. Some of it was precautionary but it manifested itself initially in what was believed to be a ransomware attack happening over, I think it was Spain if my memory is right, wasn’t it Sharon, one of their offices over there?
Sharon D. Nelson: Originally, I had heard that and then in one of my other cyber security panels, one of the experts said that they actually traced it somewhere else. So, maybe not. But you know how these things change.
John W. Simek: Yeah.
Sharon D. Nelson: The initial story and the final story have nothing to do with one another, but I gathered that this turned out to be a form of NotPetya.
John W. Simek: Yeah, it was NotPetya malware initially, so it was actually trying to destroy things and it was exploited by the NSA had the tool, EternalBlue is what it was called that was “stolen” by The Shadow Brokers and then released in the wild.
So that was used to deliver this malware and DLA Piper happened to be one of the unlucky folks that contracted it. But they were down for almost a week, and I mean totally down like hard down, and on July 3rd, they issued an email statement that said that they are bringing their systems back up, so now slowly they are starting to get back online.
But we really don’t know what the source, the initial source of the problem was, but when you think about that, it’s such a large organization that way, something isn’t right, something wasn’t engineered right within their technology in order to go down that hard. These days it doesn’t cost you a lot of money, e-mail as an example.
You should be able to, as a minimum, spool e-mail or use some sort of another cloud service as your backup. And so the outside world wouldn’t really even know that you were impacted at all or if you were impacted, you should be able to recover very quickly. And I know that’s one of the things we do for our clients. They are back online within minutes if not within an hour or so.
So something technology-wise wasn’t right at DLA Piper for obvious reasons. But that’s certainly the example that a lot of the — especially the solo small folks use when they hear about that, and then we start talking about cyber security awareness and they are going, wait a minute, DLA Piper, they are number one in the world by revenue and it happened to them. So what can we do?
So there are some things though that the smaller folks can do and the smaller firms can do in order to increase their cyber security awareness for their employees and therefore minimize the risk, because that’s really what this is all about, right Sharon?
Sharon D. Nelson: Absolutely, and down that vein, there are some tips for employers who would like to do cyber security training, and we have done enough of them now that we kind of see what works or what doesn’t work and who does it right.
Generally speaking, it appears that it’s not a good idea to do any of this at the end of the day; people are tired. It’s not a good idea to do this first thing in the morning because people will show up late. So most firms have settled on doing it at lunch, which seems to be the perfect compromise because people are in fact there.
And having food, you might think that’s a bit of a distraction, but as long as you let them get their food and then sit down, it doesn’t seem to be. So we have liked that as a way of doing it.
Also, make it mandatory and make them sign in. Seriously, they will do anything to avoid coming to these things and the partners particularly will plead that there’s this case or that case, and they need it as much as anybody else, so make them sign in and make it mandatory, make them silence their cell phones because otherwise the phones will be out and they can’t concentrate on two things at one time, no matter how much they think they can, no laptops.
And I think the best thing to do is not to have cyber security training done by somebody who is in-house, who provides your IT support, but actually by an outside third-party. And the reason I think that is because to them it’s just — well, that’s just Jack, that’s just Jill, they have a relationship with these people, it may be good, maybe bad, whatever but the big bad is swung I think by outsiders; especially if they do in fact know something, and if they have a gift for doing both entertainment and education because you are going to lose them. If you try to just teach them without any entertainment, it just doesn’t work.
So for instance, as you know John, one of the things I do is true confessions and people have to raise their hand and fess up if they’ve ever done one of a certain series of things, including sending the wrong attachment or including the wrong person in an e-mail, and they get tickled because you and I always participate. So our hands go up because we have done it too. And then they laugh to think even the experts have done it.
So that’s an immersive way to educate and entertain, and so we try to do stuff like that and other speakers do as well now.
Now, what should you expect to pay for this kind of thing? Frankly, doing the kind of thing we do for a business and a little bit, we consider this as a loss leader because if we go in and do an hour for $500 or two hours for a thousand, people tend to come back to us for cyber security or IT work or forensics.
So our pricing is a little bit based on that. And you will find very, very expensive pricing too, that’s the other side. So do look around, get — if you know other law firms, ask them who they have used, so that you can get somebody who can really do quality training, and I don’t think any kind of online training is the same as in-person, I definitely think it needs to be in-person.
John W. Simek: But don’t you also think that it’s an advantage too if they can relate to the industry, like law firms in this case, into what are the hot buttons, right for the paralegals and the office managers and the partners and all those kinds of things?
Sharon D. Nelson: Absolutely and I think that’s of course one reason why my being an actively practicing lawyer is very useful because I understand both the ethical implications for the law firm as well just how the business runs.
John W. Simek: Well, let’s talk a little bit about what the Big Kahuna is these days and that’s phishing. So what phishing is, hopefully our listeners know what it is, but I will run through it quickly here. If not, it’s really e-mail or some communication mechanism that purports to come from somebody that or somewhere that it really isn’t.
So it’s a falsified e-mail message and you’ve probably seen these things show up in your Inbox, your FedEx delivery notice or an e-greeting card, congratulatory thing or something along those lines.
But the whole purpose of these broad-based phishing e-mails is to get the user to do something, to click on something, to open an attachment or do something like that where malware then gets delivered to their machine or something bad is going to happen to them.
In contrast to that, so that’s the wide brush approach of phishing e-mails. But there is also very targeted phishing and that’s called Spear Phishing. So now, you’ve got a small subset, so maybe you’re targeting a particular law firm or a particular case, a particular case might be under attack where somebody has been watching it and they are trying to get you to wire money as a result of settlement proceedings or whatever. So there are those kinds of things.
And then it takes a little — what this industry keeps making up terms, right Sharon, then there is smishing, which is the phishing by a text message. We even did a podcast on Digital Detectives about smishing, do you remember that one?
Sharon D. Nelson: Absolutely. Absolutely.
John W. Simek: So that’s really what we’re — and that’s the single biggest mechanism, at least today, in trying to deliver malware, trying to infect something, trying to compromise and get access to people’s data is through phishing. I mean it’s a huge thing and it’s the human being. They are counting on the human being a.k.a. your employees, your personnel that’s in your law firm to take some action to click on something or to open something.
And so that’s why we do these training sessions, we’re trying to educate about phishing and how to potentially recognize this, because to be honest, they’re getting better and better. Aren’t they?
Sharon D. Nelson: Oh they are. And of course, somebody doesn’t necessarily even know they have been phished because you click on a link, you click on the attachment and it might make no sense to you, but sometimes you actually go to a website that looks perfectly normal. You have no idea that malware is being downloaded behind-the-scenes. So they just don’t get that.
And you might wonder why so many people click and there has been a fair amount of research done on that. The number one reason is actually curiosity. So apparently if you have as an attachment, racy New Year’s photos, we are compelled, compelled to open the racy New Year’s photos. So this is from a PhishMe study that was done before PhishMe was acquired by Cofense.
The number two reason is fear and we had that here in Virginia. Some of our listeners will know that I am a former Virginia State Bar President, so I follow all this stuff that happens with the Virginia State Bar and we had an epidemic of people receiving phishing e-mails that said a bar complaint against them had been filed and was attached.
And another dead giveaway is that it said, you had to respond in 24 hours. Now needless to say, the Bar does not attach or send by e-mail bar complaints and you certainly would not have to respond in 24 hours. But the fear made a lot of people open it up.
So we actually had to send out an alert and we were, I think one of 4, 5, 6 states that ended up sending out those alerts because we are plagued by them. So anytime you see urgency, which is factor number three, you need to stop and think, and urgency is usually a part of some of the phishing e-mails where they say, the boss needs this done right away.
So whenever a partner needs something done, people tend to move a little too quickly and they’re not really thinking. So now they will click on something because somebody powerful needs something.
The fourth reason is recognition. We may have noticed amongst all of us that lawyers have just a trace of vanity from time to time, and so if they have received some sort of an award or recognition and there is a link to that or an attachment showing what they got, they are inclined to click on that. So that’s problematic.
And then really these phishing e-mails are getting better and better and better because now they’re hiring native English speakers to help them compose and they even will delineate between English speakers and English speakers who speak British or Canadian English, which are entirely separate languages as we all know.
So they know how to write that kind of English too. So it’s a lot harder to recognize, just for the poor grammar and the messed up words etc. etc. But the subject lines have gotten a lot better and there is really kind of a science now to what kind of subject line to put. So there have been all kinds of them, building evacuation plans, that’s been very successful because of all the active shooter incidents we’ve had.
You need to reset your password, well that’s, people get those actual subject lines from their own internal folks. So that’s been very successful. I think a couple of ones that made us laugh was employee bonuses to be announced on Monday, everybody of course needs to know that, that’s curiosity; and of course, you might be one of the lucky ones. And then the other one that got about 100% was list of employees to be fired on Monday and you can see how that would be a luring, you need to know that.
And I will tell you that we send out phishing e-mails here at Sensei too and the last couple of ones that have gone out, we are a small firm, 16 employees, but we have had three to four people each time click on the phishing e-mail.
Now, mind you they are very good e-mails, they are well done, but still it’s really nothing out of the realm of what might be real and one of them actually had a picture of three cute chicks dancing, how could they be dangerous. And it claimed to have an e-mail from an admirer at work who wanted to compliment you or something. And so people clicked on that including — I think it was two of our IT guys and our CEO, who has forever been hanging his head in disgrace since clicking on that.
So and he just said, it just seems so innocent and he said, I was curious. Yeah, that’s what does it all right, and that’s what we lecture about.
John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients’ peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “Effective Cyber Security Awareness Training for Employees”. So let’s talk a little bit about attacks via social media.
Now, these can come in all kinds of forms, there is just tons and tons and tons. So for instance, you could be in Facebook, this actually happened to me, and you could click on a link that appeared to be totally innocent and it could be that the image was infected which you would have no way of knowing, and all of a sudden you get a pop up, and it already knows what model phone you have because of course you’ve allowed Facebook to know that.
So it references your model of phone and then it tells you, you have some kind of malware or something and you have to click below to fix the problem, don’t click below that’s a hint. So just leave that alone and find out on the Internet how to take care of it, which usually means closing out all programs, clearing the cache and powering down the phones, which is worthwhile.
We’ve also seen attacks, phishing attacks via social media using both Facebook and Twitter. So you have to be very, very careful about those. There are all kinds of social media attacks, coupons have been big and what was the most recent one I told you about, John, it was $175 for — who was it, you remember?
John W. Simek: No, it wasn’t Bed Bath & Beyond.
Sharon D. Nelson: No, that’s a real one that we clipped out.
John W. Simek: No I know it was just pass — just this last week.
Sharon D. Nelson: Yeah, it was just last week and it was a new one, I can’t remember now which store it was, but 175, I mean that ought to raise your eyebrows anyway, that that’s probably too much. But we have seen them for instance, Bed Bath & Beyond, we’ve seen Home Depot, we’ve seen Ross.
I mean there is all kinds of things. So you have to be very, very careful on social media and people will play on your emotions. So if there has been a disaster somewhere, they will say that they have a real story, something that pulls at your heartstrings so you want to click on it, resist that if you don’t know the source.
John W. Simek: So, some of the other things to be wary of are, and the FBI has kind of slapped all this stuff together, and it’s called Business Email Compromises, BEC. So it’s like any agency in the government, we have acronyms for everything, right. But it’s really big business and what BEC is, or the Business Email Compromises are, primarily it manifests itself in two main ways that we see a lot of and one is where it’s instructions to wire money or send a check or some of those kinds of things. So it’s for financial gain or it has to do with payroll information, W-2 type information.
And that’s kind of seasonal, and I know the IRS every year sends out notices to people, warning them around the end of the year, these things tend to get much, much larger, these phishing attacks where the BEC comes out and it says, well, it purports to come from maybe the Chief Financial Officer or the CEO or the President of the company and it tends to be going to somebody in the payroll group or an HR or whatever it is.
And it will say, we have a new vendor that we’re going to be doing work with, and we need to have all the employees’ information or maybe it’s a new benefits package or something like that. And can you send all of last year’s W-2 information and Social Security numbers, all that stuff, to this new person, this new vendor and these people will go and send it out.
And then what happens is they receive this information and they go and file fraudulent tax returns, and that’s one way to do it. Another way is to — and we have seen this as you know Sharon in legal cases, where the case itself has been under target where the settlement proceedings and somebody has been watching it, they do a little bit of advance reconnaissance and they send an e-mail, purporting to come from maybe opposing counsel or from the opposing party or maybe it’s your own client with a change in the wiring instructions and how to send money over to some place.
And those usually, as you had said earlier, right, it’s expediency, there is a big rush for things, so these things tend to come like on the last day of Friday of the week, and I need to have this done by the end of business, those kinds of things, and so it gets people to jump in.
But as the FBI pointed out, it’s big money. I mean between October of 2013 and May of 2018, they estimate over $12 billion has been tagged towards BEC attacks.
Sharon D. Nelson: It’s just amazing, isn’t it?
John W. Simek: Yup.
Sharon D. Nelson: There are so many things to train on and here we only have such a short amount of time, but another one that we focus on is social engineering, because a really good social engineer can turn your employees into puppets. So we all have to do better about training our employees.
One in three employees will fall for social engineering and there’s all kinds of social engineering, but let me give you a couple of the prime examples we see. Number one is somebody calling usually from Microsoft and of course, they’re not from Microsoft, surprise. But they claim to be and they tell you there’s something wrong with your computer and they may just want money and so they are going to fix it.
But they want access to your computer, which of course you should never give. They may take you to a website, in fact, which looks like a Microsoft website, and so you might be inclined to do some of this. But falling for these calls, and no, Apple support does not make any of these calls either.
If somebody from these companies purports to be calling you, it’s not from those companies. They just don’t do it. And how did they know that something is wrong with your machine. What they are going to do is they are going to access your machine and they are going to take you to something which is perfectly innocuous but it looks like maybe it’s not innocuous.
And so you are going to be fooled a little bit and go along, and we have had partners in law firms, much too smart for falling for this, but they have been with these people for an hour and a half, and so they’re compromising their machine. If you’re lucky, they’re not about compromising your machine. They just want your money and they want a quick $300 or $400 to “fix your machine”. And then they go away and they’re not compromising your data.
But they could be compromising your data so don’t do that. And the other thing we see is calls from what purports to be someone from your IT company, because of course, if you think it’s someone from your IT company, and it’s not hard to find out who your IT company is, then you’re very likely if they say this is Adam at your IT company, then you’re very likely to give Adam your credentials if Adam can make up a credible story about why he doesn’t have the list or whatever, and he needs to fix something by the end of the day, and he knows the partner’s name and he’s been in touch with the partner and yada yada.
So be careful of that one as well.
John W. Simek: But also we’ve seen recently too Sharon is that the message box that pops up with a toll-free number for you to call.
Sharon D. Nelson: Oh yes, yes, yes good one, yes.
John W. Simek: So that’s one of the latest iterations of that. But the oldie but goodie is still ransomware. So ransomware for those folks who don’t know is malware whose intent is to encrypt or make your information inaccessible and then hoping that you pay a ransom to get the decryption key, to decrypt that information. So certainly that has been going on for the last several years.
It’s still at a high growth rate but don’t pay that ransom, that’s the going-in advice; although, when it’s a business decision, you may end up paying it. But understand that you’re probably only going to get that decryption key, a valid working decryption key, in about 50% of the cases at least recently, but the FBI even acknowledges that.
They say don’t pay it but if it means that you are going to be out of business for a long period of time, it’s going to impact your business, you might want to consider that. And I think it was a medical institution right in California, Sharon, that decided that it was cheaper to pay the ransom and they could recover faster than it would be for them to restore all of their data.
By the time they took all of their data and put it all back in, they would have been out of business much longer than if they actually paid the ransom. So they made that business decision to do that.
Sharon D. Nelson: Hospitals frequently have made that decision.
John W. Simek: Yeah, well because they want to get back online, very, very quickly, and I mean they should.
Sharon D. Nelson: And there could be deaths associated with them and that’s just not an acceptable risk compared to the amount of cryptocurrency that’s being asked for as ransom.
John W. Simek: Right. So the new kid on the block coming round is called Cryptojacking and Cryptojacking is again it’s malware but what it does is it actually uses those computer resources of your machine to mine for cryptocurrencies. The big one today is Monero, that cryptocurrency, because it is an anonymous cryptocurrency, they are not doing Bitcoins or any of those things, and it’s more efficient, you don’t need as much power to generate these, the Monero cryptocurrency.
But it gets installed two different ways and typically, they will go and attack the machine or attack you both ways. One is through a phishing email, where again, you try to click on something, you try to do whatever, it might do a pop-up or it might not do anything, it might send you to a website like you said Sharon.
But in the background, it has installed software in your computer, so it’s actually using your electricity and your processing power in the background to mine these cryptocurrencies.
And if you have this whole botnet of all these people that are doing this, you get — you think about thousands of machines and they are just generating a little bit of cryptocurrency, you can make some big bucks. I mean people are making $300,000 a month doing this.
But I think — and maybe I will let you expound on one of the latest things now is the sextortion campaigns, right Sharon, where they send us –
Sharon D. Nelson: You know what he says that, come on, come on, the reason why –
John W. Simek: Because I never got one. I never got one.
Sharon D. Nelson: I know. You are not one of the cool kids, you are not one of the cool kids, I am telling you. So many people got that sextortion email, where basically the subject line is a password. In my case, it was a password that back in the innocent days when we all reused passwords, I had reused a lot, and we were talking the beginning of the digital era here.
But I recognize –
John W. Simek: Were you that old?
Sharon D. Nelson: Don’t ask if you want to go home with me dear. So I looked at that and of course, was struck by the fact that it was one of my known old passwords and when I look at the e-mail, of course, it wanted a payment in Bitcoin of $3,200 and what the author claimed was that the author had been filming me watching pornography.
So both had captured what was on the screen and me as I was watching it. And you can imagine some people would have a great deal of fear if that had in fact happened for obvious reasons. I, on the other hand was fearless. So knowing that I had not been doing this, I simply ignored the thing but we had people call us and mention no names here John, not even professions, but we had people who had sleepless nights which told us something about them.
John W. Simek: We had relatives too.
Sharon D. Nelson: Yes and calling us first thing in the morning because they were so afraid. So anyway that’s sextortion.
So let’s move on to our last topic and we will do this a little bit quickly because we are toward the end of our time here, and that is passwords.
As I mentioned before, 50% of people share them, people reuse them all the time. The average user has about 40 sites that require a password but only five passwords. So what does that tell you? And using very weak passwords, so the list of passwords, the most common passwords of 2017, it’s the usual culprits: 123456, password, QWERTY, “let me in” (I love “let me in”), football was on the list, “I love you” was on the list.
So there is — but these are obviously all ones that have been compromised in the past, not smart to use.
So we train employees about that and not reusing these passwords and using the same password over and over again. And also there are new rules about passwords. The National Institute of Standards and Technology has now declared after a study by Carnegie Mellon that they agree that length beats complexity.
Now if you add a little complexity, you can make it stronger still, but a password that is between 14 and 64 characters and now I don’t have a 64 character password and never will, but you can use a passphrase and maybe just intersperse with a special character at the end or in the middle.
So we talk about the fact that the old Batman sitcom Robin was always saying holy something Batman. So if you had — and this is a real line from the series, if you had Holy Switcheroo! Batman, with an exclamation point as a passphrase, that is a strong passphrase.
So that is something you can do, and we teach them about password managers because of course that makes remembering passwords a non-issue, you only have to remember the password for the password manager and that’s it.
And though there is much more we could say, we are at the end of our time, so I will say that this podcast today covered only the tip of the iceberg and that’s an understatement, because this is easily a two-hour presentation, and we’ve done two hours on it before, but we do try to hit some of the high points quickly in the relatively short time we had.
Believe it or not, if you do get good speakers, your employees will be fascinated by the training and they will learn enough to make a difference to your security. In fact, each time you train, they say your risk of being successfully phished goes down by 20%.
So do you have any final words, John?
John W. Simek: No, I think just — don’t count on the technology. Too many people think that well, I’ve got antivirus software, I have got a Firewall or whatever, and they are trying to count on the technology to stop these attacks and to make them safe. And it’s really your people, it’s your carbon based units, they are the ones that need to practice smart computing, and that’s what this training is all about.
Sharon D. Nelson: Well said.
John W. Simek: Now that does it for this edition of Digital Detectives. And remember, you can subscribe to all of the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.