Occam’s Razor — A SolarWinds Perspective for Law Firms

Episode Notes

Transcript

Digital Detectives

Occam’s Razor — A SolarWinds Perspective for Law Firms

02/19/21

[Music]

Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory but practical information that you can use in your law practice right here on the Legal Talk Network.

[Music]

Sharon Nelson: Welcome to the 123rd edition of digital detectives. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, a digital forensics, Cyber security and information technology firm in Fairfax, Virginia

John Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is Occam’s Razor, a SolarWinds perspective for law firms.

Sharon Nelson: Before we get started, we’d like to thank our sponsor pinow.com. If you need a private investigator, you can trust, visit pinow.com to learn more.

John Simek: Today, we are lucky to have as our guest Jeffrey R. Wells, the co-chair of the

Cyber security, data protection and privacy team at Clark Hill. He is a Cyber security professional, responsible for keeping organizations safe and protecting the privacy of employees around the world. With over 25 years of global experience, leading Cyber security engagements, Jeffrey engages clients by leveraging existing infrastructure and talent, establishing effective Cyber resilient strategies and responding to immediate incidents and emerging Cyber threats. It’s great to have you with us today, Jeffrey.

Jeffrey R. Well: Thank you for having me. It’s an honor to join you today, especially as my colleague’s relish in reminding me that I am not an attorney, I’m a technologist.

Sharon Nelson: Well, that’s a good thing for our purposes today, because there’s a lot of technology involved in the discussion. SolarWinds has been in the headlines now for a little while. For those who are unfamiliar with it, can you tell us exactly what it is?

Jeffrey R. Well: Yeah, I’ll try to break it down simply. It was an attack that involved

hackers which have now been said to be the Russians who compromised the infrastructure of a company called SolarWinds, one of their products that was used for monitoring

platforms both inside the government and in many commercial firms. The attack then used the access to produce and distribute Trojanized updates to the software users and it has become much bigger than originally thought as the investigation has even recently identified that other threat actors and nation states have been using the vulnerability to gain access across other systems beyond SolarWinds

John Simek: Jeffrey, I know you mentioned that government folks, I know that became really big in the news but it’s not just a government issue, right?

Jeffrey R. Well: Correct. The backdoor was not used just against those government agencies, but importantly, it was used against grid and critical infrastructure operators and more than 400 of the fortune 500, at least, those that have reported it, and we still don’t know the full scope and impact of the number of smaller organizations that were impacted by this greater issue that surrounded the hack.

Sharon Nelson: So, how would you describe the importance or relevance to the private sector and law firms of this incident?

Jeffrey R. Well: Well, this particular case really highlights the importance of understanding and addressing third- party risks as a key component of securing an organization and protecting that organization’s reputation. These are often overlooked by organizations in general. There’s a lot of trust in believing that third parties are safe and doing what they’re supposed to be doing, and so this is very relevant for attorneys who work with their clients throughout an entire contracting process to really fully understand the relationships or relationship and implications of partnering with third parties.

John Simek: Jeffrey, can you talk a little bit more about the third parties and, you know, I’ve

seen it described as a supply chain, right, the attacks and what that risk is?

Jeffrey R. Well: Yeah. And, it’s third party and supply chain. Now, more than ever, organizations really rely on others which are the third parties to offer and deliver services such as email or ERP or HR resourcing programs, billing.

(00:05:00)

Even hardware and personnel are part of this and the supply chain that supports the businesses of today, no matter the size of the business, even if it’s a sole proprietor, there’s an entire supply chain which is really that’s what it is, a chain of businesses that are supplying the service and supporting that organization and that supply chain begins with that, you know, third party provider which becomes a fourth party provider which becomes the fifth party provider and that just keeps on growing into a spider web of interconnectivity that begins to grow exponentially. And as such, the risk grows exponentially and begins to transfer and everything really begins to multiply downstream to those of us who use third parties and I can’t think of anybody who doesn’t.

John Simek: So, the big movement to the cloud though is certainly driving a lot of that, right?

Jeffrey R. Well: It certainly has, you know, and it’s sort of the, you know, the lower cost to enter into the market space and the move to the cloud has created tremendous business opportunities, but with those business opportunities, you know, the risks and those terms and conditions that associate those, it pays now more than ever to really be aware of those documents.

John Simek: The ones they don’t read, you mean.

Jeffrey R. Well: Yeah, exactly.

Sharon Nelson: Yeah, those.

Jeffrey R. Well: Now it’s time to read and pay a little bit closer attention which, yeah.

Sharon Nelson: It’s always been time to read, but they never do.

Jeffrey R. Well: They just keep getting smaller and longer.

Sharon Nelson: Exactly. That’s exactly right. So, when we were chatting via email, you came up with the title which references Occam’s Razor which I’m pretty sure a lot of our listeners have no clue what that means. So, can you tell me the reference and why you chose to use it?

Jeffrey R. Well: Yeah, it was funny. A good friend of mine is a part-time magician, retired technologist, but decided that, you know, doing Houdini tricks would be a good way to spend his retirement, but his wife has asked him to stop doing that. It’s a little too dangerous. But we were talking, you know, about Occam’s Razor which is an old principle that, you know, often the most obvious solution is the real solution and that the most complicated solution or answer is not necessarily the correct one. As I contemplated and began to do some research and have been following the SolarWinds case from the very beginning and listening to everyone begin to dissect, you know, the very interesting and technical aspects of the attack which are unique and they’re interesting for a technologist, it became evident to me that it really was a simple failure to perform the human aspects of securing an organization and what I mean by that is, you know, is the very simple aspect of knowing how, you know, in the old days when storefronts were open, you would go in to the store and you knew who you were doing business with. And I kind of liken this to knowing who you’re doing business with and who they’re doing business with and then understanding the associated risks of doing business with both of them and that’s really, you know, it gets back to as I said before is, there’s a lot of technical and very interesting espionage and lots of, you know, there’ll be some wonderful books that probably are inspired by this but it comes down to the basic tenets of security which are the human is responsible for securing the organization and that goes with understanding who you’re doing business with.

Sharon Nelson: Yeah, I looked it up online a little bit, just to to get the historical background to Occam’s Razor. It was interesting that Occam did not even come up with the principle. That was kind of weird to me, but, I mean, a lot of people defined it in essence as keep it simple, and that is what has come out of that and I think that’s what you were also driving at.

Jeffrey R. Well: Exactly.

John Simek: But I love it that a technologist goes into magician, you know, into magic because that’s what the vast majority of people think technology is, it’s just magic.

Sharon Nelson: It’s magic. Well —

Jeffrey R. Well: It is. Can’t you magically just push a couple of buttons and fix it?

Sharon Nelson: That’s right. That’s right. Computers are magic. I mean they don’t really care how they work, they care that they work.

Jeffrey R. Well: Exactly. And they’re in — and computers just like magic are really irrelevant until the human comes into play.

John Simek: There you go. Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Midtro: Does your law firm need an investigator for a background check, civil investigation or other type of investigation?

(00:10:01)

Pinow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology and have extensive experience in many types of investigation including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.pinow.com.

[Music]

Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Occam’s Razor, a SolarWinds perspective for law firms. Our guest is Jeffrey R. Wells, the co-chair of the Cyber security data protection and privacy team at Clark Hill.

John Simek: Jeffrey, before we went off to break, we were talking about keeping things simple, but are you really saying that rigorous security systems are not that important though, as a result?

Jeffrey R. Well: No. And this is not just the technologist in me speaking, but no not at all. While technology really is an essential part of security, it’s just one piece and, you know, there’s sort of the — there are three pieces that are essential is the, you know, the humans that use it, the technology and then when those two pieces interact is when the security becomes real and, in the aftermath, and i think we’re still in the aftermath, but just over, you know, the last nine weeks, I’ve seen a lot of organizations, product and services company reacting to SolarWinds from a very technical perspective saying, “We have a software or hardware solution that can, you know, help prevent the next SolarWinds,’ and while I think that those technologies are, you know, as I said, essential, I don’t know that we need more red blinking lights telling us that there are problems. It’s hard enough to monitor all the problems that are there, the complexity that exists already has become almost unburdensome which I think was part of the problem in this particular case. And so, you know, we kind of need it to find and rebalance, take this time to really look at the simple things that we need to address in order to reduce risk and increase resiliency to organizations or even our individual, you know, situations uh at home.

John Simek: Yeah, I was reading that there are a lot of businesses that had SolarWinds installed, but they weren’t even using it.

Jeffrey R. Well: Yeah.

John Simek: That seems simple. Uninstall it.

Jeffrey R. Well: Exactly. You know, and not even knowing that it’s there, and so, you know, I was talking with the organization just the other day and said, “Can you just provide me an inventory of the software and services and hardware that you are using?” And they said, “That’ll take us probably a couple of weeks to put together.” And look at the number of pieces of software they’re running on probably your laptop at the moment, you couldn’t tell me all of them. I couldn’t probably tell you all that are running on mine.

Sharon Nelson: So, what is your whole answer to John’s question? What does that mean? What’s the practical impact for law firms and attorneys, Jeffrey?

Jeffrey R. Well: As the non-attorney, I believe that this is really where the five main principles of sort of legal ethics come into play, especially at that intersection where law firms and attorneys meet the challenges that come with dealing with third parties and technology, because law firms and technologies are the last line of trusted counsel to help their clients really understand and identify, and then come up with ways to address the risks presented by working in this interconnected world that we all have no choice but to really operate in.

John Simek: Jeffrey, I’m not an attorney either and I’m a technologist, but can we talk a little bit about some of the practical considerations, I guess, going forward because, you know, as we talked earlier, there’s this big push and movement to the cloud services and and third parties and, you know, you’re exactly right we’re trusting all these third parties to not have mess ups, right? And a lot of lawyers I know, they’re using cloud-based practice management. I mean, they’re entrusting their client confidential data to these folks, but yet, at the end of the day, it’s the attorney that’s responsible and “liable” if you will.

Jeffrey R. Well: And I’d say is, you know, there very much so is don’t leave your reputation in someone else’s hands. And certainly, outsourcing has its clear benefits, you know, from lowering the cost to, you know, to increase efficiencies and productivity but, you know, the value that third parties really bring are eroded by those associated risks and I always like to say, “Trust but verify.”

(00:15:00)

And so, in working with these third parties, if you do look at the fine print of those agreements that you often engage in, you know, it does say that they will conduct annual vulnerability tests or complete a SOX compliance. And I say, “Show me your annual vulnerability assessment. Show me your SOX compliance. Don’t just tell me that you have them. And the vulnerabilities that were identified, what are you doing with those? And who else are you doing business with? And what is the state of their vulnerabilities and their security?” You know, as I was talking with somebody the other day, a major international organization that said, “Oh, the provider that does that for us outsources that particular aspect to the web host designer, and here’s their contact information. Maybe you can find out for us.” And I contacted that the designer and they said, “Well, here’s the link to the cookie policy verification system that we use.” And i clicked on that particular link and it actually was just the evaluation page for that particular plugin and it had one star. And I said, “You know, I’m not so sure, you know, that that’s the way you want to do it.” But sort of doing some due diligence much as, you know, especially with the web is just look to see as someone that you’re doing business with had a challenge, an incident of some sort, whether that’s technical or in the public space, you know, just do a quick search and if they’ve had some challenges, you know, ask them about that or at least begin to figure out ways to address the risks that those provide. But at least you’re aware of what you’re getting into earlier rather than later, because whether they have the problem or not, you know, it’s their reputation, and their problems really just truly become your problems once the news — you know, now that we’re calling this the SolarWinds hack, even though the designers weren’t from that particular company.

Sharon Nelson: Well, your answer makes me laugh a little bit, because we are always using Ronald Reagan’s trust but verify phrase when we lecture in webinars because people do trust and they do not verify. And that doesn’t make any darn sense in this world.

Jeffrey R. Well: It doesn’t and, you know, the interesting thing is that there is a trust but

verify kind of at the beginning, but, you know, at the year two of the renewal or, you know, if there’s a piece in where it’s six months down the line, you know, nobody tends to follow that up and there’s a lot of reasons why there may not be a third-party management program or even the ability to effectively kind of keep control of that, depending on the size of the organization. But it is, you know, maybe putting those calendar reminders just to send out a quick email to your third-party provider and say, “Hey, it’s time for your vulnerability assessment. Can i see what the results were? Or those types of — I just want to keep verifying, so i can trust you.”

Sharon Nelson: absolutely and you should, but having addressed the risks, you also mentioned an opportunity. What is that, Jeffrey?

Jeffrey R. Well: I think the opportunities, especially for law firms and attorneys on top of organizations is to help to establish, you know, robust regulatory understandings and the offer and service offerings around those, especially regulations that deal with data and, you know, with the rise domestically with CCPA and CPRA and then in Europe to GDPR and I believe there are 23 data privacy laws on the books around the country at the moment is kind of understanding that piece as an opportunity I think for attorneys and firms and then to, you know, to help clients know where their data is because not knowing where that data is doesn’t just pose security problems, you know, it does have real potential regulatory impact and regulatory pressure around data protection and privacy is increasing and the ramifications of non-compliance broaden significantly when you think about all of the third parties in that spider web that are essential to an organization’s daily operations. I’d say another area is helping clients to get contracting right and this, again, I’m going to say trust but verify but it’s, you know, assisting clients and understanding and navigating the risks that exist in the supply chain and develop addendums and agreements that help to mitigate or at least address those risks, and then as I mentioned before you know is asking for proof of those audits and compliance reports and assessments and where possible, you know, even, you know, if you’re a small organization, it could still establish, you know, vendor management procedures that uh require timely reviews so that there’s at least, you know, a modicum of understanding of the risks that this true chain in the supply chain offers to their clients.

(00:20:20)

John Simek: Jeffrey, I know there’s a lot of lawyers and law firms that are out there now they’re probably scratching their heads going, “Oh, geez, all right,

I get it. I guess I got to read the terms of service now. I got to do some due diligence. I have to trust and verify, but are there other issues that that attorneys and law firm should be considering?

Jeffrey R. Well: Yes. As much as, you know, a doctor needs to go see his own doctor is that these don’t just apply to clients or sole practitioners but it, you know, this applies to attorneys and for firms that, you know, I recommend that they should be developing and maintaining effective third-party risk management programs and looking at their agreements helping to ensure that their vendors have strong controls in place to protect their organizations, you know, from all of the fiscal operational regulatory and reputational risk. You know, you can probably recover from fiscal and operational and regulatory risks but reputational risk is one of the hardest to recover from.

Sharon Nelson: Absolutely true. And I hope those who are listening to us get that message, but I think they do. And we sure want to thank you for being our guest today, Jeffrey. I love talking to technologists which is probably part of why I married john.

Jeffrey R. Well: Makes a perfect pair.

Sharon Nelson: Yes. Thank you. Thank you. So, lawyers were not all that excited about the SolarWinds thing until they found out that the federal court system had been breached. That caught their attention.

John Simek: Yeah.

Sharon Nelson: But I think listening today, because most of our listeners are in the legal profession, they’re certainly going to be very interested in everything that you had to say. So, thank you for sharing your technical expertise with us. It was great.

Jeffrey R. Well: Well, thank you so very much for inviting me to share today and I hope that the listeners did find some value in this and I wish you both and everyone happiness and good health.

John Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.

Sharon Nelson: And you can find out more about Sensei’s Digital Forensics technology and Cyber security services at senseient.com. We’ll see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]

[00:22:58]