Cybersecurity keeps changing at an ever-quickening pace, and, really, it’s probably going to stay that way. Sharon Nelson and John Simek welcome friend and cybersecurity expert David G. Ries to discuss some of the major happenings of the past year and what we should expect for 2022. David gives an overview of current cyber-threats and notable data breaches, discusses government efforts to fight cybercrime, and lays out the latest best practices to help you protect your business.
David G. Ries practices in the areas of environmental, technology, and data protection law and litigation.
Special thanks to our sponsors CaseFleet and PInow.
Intro: Before we get started, I’d like to thank our sponsors PInow.com and CaseFleet.
Intro: Welcome to Digital Detectives Reports from the Battlefront. We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice. Right here, on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 133rd Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President, Sensei Enterprises. Today on Digital Detectives, our topic is, “2022 What’s White Hot in Cybersecurity”. Today our guest is David G. Ries who is of counsel in the Pittsburgh PA office of Clark Hill PLC where he practices in the firm’s cybersecurity, data protection and privacy group. He has devoted his legal career to helping organizations traverse complex environmental, technology and data protection challenges. It’s always great to have you with us, Dave.
David G. Ries: I’m always glad to participate.
Sharon D. Nelson: Well Dave, a lot happened in cybersecurity in 2021. What is the impact in your mind of last year’s developments as we move into 2022?
David G. Ries: Well, I think 2021 was really a game changer in both good and bad ways. On the bad side, there were high profile vulnerabilities and data breaches, a huge list: Accellion, Microsoft Exchange, SolarWinds, Kaseya, Colonial Pipeline, JBS Meat Processing, and the year ending with the Log4j vulnerability. Plus, a lot of low-profile ones. But on the good side, we had President Biden’s May 2021 Executive Order on improving cybersecurity. The June White House memo on protecting against ransomware. There was adoption of additional recommendations from the Cyberspace Solarium Commission, additional funding and resources for the Cybersecurity and Infrastructure Security Agency, enhanced cooperation among federal agencies and with the private sector, just really a lot. So, there are big continuing challenges, but they’ve been countered by substantial progress in government and private protection and response.
Sharon D. Nelson: I’m with you on that. We certainly thought that a lot has been done recently that had gone undone before. So we’re happy for the forward movement too.
John W. Simek: Dave, can you tell us a little bit more about what some of last year’s high-profile data breaches and vulnerabilities were?
David G. Ries: We could spend the whole session talking about them. There were so many of them, and you’ve listed them, but just a few observations. First, there were supply chain vulnerabilities and breaches where it didn’t happen to the company or organization that was targeted, but it happened outside it. And there are ones like SolarWinds; it is network management software and attackers compromised it and actually sent fake updates to it to compromise the companies that were using it. There were Accellion and Microsoft Exchange, one for secure file transfer, the other for email, contacts and calendar. In both of them there were vulnerabilities in the versions that were installed on customers’ premises, not in the cloud services. In both of them the vulnerabilities were exploited and an awful lot of companies and law firms were compromised. Colonial Pipeline and JBS Meat Processing were the big ransomware attacks that have threatened critical infrastructure, and the year ended with the Log4j vulnerability in Apache software. Jen Easterly, who’s the Director of CISA, said that it’s one of the most serious if not the most serious that she’s seen in her whole career. Most observers think that there was a really good response by the government and private sector to Log4j, probably in large part because of the things that happened earlier in the year to improve the national response to cybersecurity.
John W. Simek: Log4j I guess was particularly bad because of the reach that it had across multiple businesses and multiple environments? I mean, that’s why it just blew up.
David G. Ries: It was estimated that there were hundreds of millions of installations of it worldwide.
Sharon D. Nelson: Well, tell us what’s in President Biden’s May 2021 executive order on improving cybersecurity, because there was a lot packed into that.
David G. Ries: There was, and I’m sure that it was in the works for a long time. The order didn’t just come out right after a couple of the high-profile breaches with the White House scrambling to put it together. And it’s obvious that it was in process. So, it’s intended to modernize cybersecurity defenses by protecting federal networks, by improving information sharing between the government and the private sector, and by strengthening the country’s ability to respond to cyber incidents. So, it is directed to the civilian government agencies and not the ones involved in national defense or national security. And by the way, President Biden issued a national security memorandum just a couple of days ago to require some of the same things for the national security sector, but it has some specific requirements for CISA and for other federal agencies and then recommends them for the private sector.
John W. Simek: Can you talk a little bit, Dave, about some of the best practices that are included in that order?
David G. Ries: It was kind of two steps, and best practices is my term for them. The order talks about basic security measures and identifies five of them. The first is to back up data, system images and configurations and to test the backups. Second, to update and patch systems promptly. Third, to test the incident response plan or to prepare one if you don’t have it. Four, to check security through some type of third-party review, like penetration testing. And five, to segment networks. So, it identifies those five as the basics. Then it goes on to discuss additional safeguards like logging, multi-factor authentication, extended detection and response, which are advanced security tools that we’ve talked about in the past, use of secure cloud services, and adopting a zero-trust architecture. So as I mentioned, these are required for federal civilian agencies and are likely to be required for government contractors. They will most likely be considered in determining best practices for everyone else.
Sharon D. Nelson: I have no doubt of that, and I’m especially fond of zero trust because when we go out and talk to lawyers, which we do a lot, it seems like the average lawyer does not know anything about zero trust or has only heard the term. So it’s only big law that seems to have really kind of moved to get to zero trust. They’re going to get there first anyway, but it’s coming to everybody, they just need to figure that out. So, can you explain in simple language what zero trust is and why it’s so important to law firms?
David G. Ries: It’s an architecture or an approach. It’s not a specific product or a specific technology like multi-factor authentication. It’s a more secure approach to authentication and access control. So, the old approach has been called trust but verify; zero trust is never trust and always verify. And just kind of an example, they always use the example of the castle with the wall and the moat, and that’s the network that you’re protecting. In the old system, that would be that you have to identify yourself to get over the moat and then the gate, but for zero trust, if you want to go into the treasury or to another secure place within the castle, you have to identify yourself again and again as you go through different places. Now, we all know that that old model doesn’t work because systems and information are distributed, they are no longer in the castle, but that’s the concept: every time an individual, a user, is going to access additional resources, they have to authenticate, and hopefully that’s going to be through technology so people don’t have to manually put in the username and password and MFA for every resource that they access. So, it’ll be the current kind of authentication that we’re using today, but then hopefully something that is automated that tags along when the user goes to additional resources.
John W. Simek: One thing that makes people’s heads explode though is that it’s not just about the users, right? It’s access to any data. So even if you have applications that are accessing databases et cetera like that, they need to authenticate as well. And you don’t trust that connection for the entirety of the connection, right? You have to come back and re-verify on a periodic basis and people when they start to hear that they go, “Oh my gosh.” Like a disease. Like I said, their heads explode.
Sharon D. Nelson: They do explode, and I think one of the things that we often say that is helpful to them is that they need a little bit of a primer, and if you want to do that, there is an article on the Sensei Enterprises site. If you just go to the Articles section, it’s free and we don’t want your email and we don’t ask you for any of your information in order to get the article. It’s just out there. It’s really a very simple guide to zero trust and why it’s so important to law firms. So that’s a resource you might start to learn from if you’re not familiar with it.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: What could be more important than knowing the facts of your case inside and out? CaseFleet’s powerful software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/DigitalDetectives and get 10% off your first subscription.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up to date on the latest technology and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.PInow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “2022 What’s White Hot in Cybersecurity”. Our guest is David G. Ries who is of counsel in the Pittsburgh PA office of Clark Hill PLC where he practices in the firm’s cybersecurity, data protection and privacy group. He has devoted his legal career to helping organizations traverse complex environmental, technology and data protection challenges.
John W. Simek: So Dave, what can you tell us about CISA’s new playbooks?
David G. Ries: Well, as you know, when we speak and write, we always say that everyone should have a playbook, and it’s not a response plan. The president’s executive order in May required CISA to publish standard federal playbooks for cybersecurity incidents and for vulnerability responses. So, the cybersecurity incident parts of it are for incidents of all kinds including data breaches. It is a response to the attacks. The vulnerability part is to have a uniform response methodology for dealing with things like the Log4j vulnerability. So, they were published by CISA in November. Interestingly, right after they were published, Log4j hit, and everyone has generally thought that the response to Log4j by CISA and within the federal government was really good. So those playbooks may have had a part. So again, they’re required for covered civilian agencies and some government contractors, but they’re helpful for the private sector including law firms. Most law firms, particularly mid-sized and small ones, aren’t going to need plans as sophisticated as those, but there’s a lot of good information there, and ones that need less complex plans can kind of use them either to start or to go through and check their existing plan to make sure that they’ve covered everything.
Sharon D. Nelson: Yeah, they are very useful. And I know that the president’s executive order calls for better coordination between government and the private sector and that has been a thorn forever. It hasn’t really happened. Is it happening now?
David G. Ries: I think it’s better. It still has a long way to go. There appears to be progress. In August, the White House had a Cybersecurity Summit with top executives of major technology and finance companies, including Google, Apple, JPMorgan Chase, and there seems to be a lot of high-level agreement that there should be better cooperation. But of course, one meeting doesn’t do that. The proof will be in the pudding as things move forward. There seems to be a movement toward better sharing of information. One of the things that the government wants the private sector to do is to work better with government agencies whenever they have a security incident or data breach.
So, there are two aspects to it. The FBI and the Secret Service and the Department of Justice generally deal with the law enforcement perspective: finding out who did it and whether or not criminal charges can go against them. CISA has the responsibility for the response and recovery. And those of course overlap, and there are pushes to get businesses and others in the private sector, whenever they have an incident, to promptly report it and get these government agencies involved. There has been some movement toward making that mandatory. It looks like that may happen in Congress. It was in the defense authorization bill and taken up, but there is pretty much strong sentiment in Congress that there should be required disclosure by providers of critical infrastructure if they have a significant data breach and also required reporting of payment of ransomware. So, we’ll see where that goes. It’s improving, but the jury is still out on how far it’s going to go.
John W. Simek: Dave, let’s shift gears a little bit and talk about cybersecurity enemy number one, which is ransomware. Talk a little bit about what’s happening in the current government approach in response to all these ransomware attacks.
David G. Ries: As with the government-private cooperation, I think we’re seeing a lot better coordination among federal agencies. Now, of course, with the private sector, absent laws requiring it, the cooperation is voluntary. Within the agencies, the coordination is mandatory if the executive branch requires it, and there’s been more of a move toward that. And again, both with the enforcement, the FBI, Secret Service and DOJ, and with the assistance with response and recovery, the agencies seem to be increasing the way they’re working together. One of the things that’s happened is it’s been recognized that cyber threats are national security threats, particularly to critical infrastructure. There’s also better international cooperation, with the federal agencies working more with foreign countries, and we’ve seen that with ransomware. So as part of this process, CISA has opened a stop ransomware website. It’s stopransomware.gov, and that’s intended to be a one-stop shop for federal information about ransomware from various agencies. We’ve seen a new approach with the FBI, CISA and crypto ransom, at least a couple of times. I don’t know how far that’s going to go. We’ve also seen, kind of interesting, that the federal cyber defense community has been working on protection of critical infrastructure. We’ve just had some general statements that Cyber Command has been involved. We don’t know exactly where that’s going. Just recently, this year, we saw the Russian arrest of the REvil ransomware gang members. We’ll see how that goes. It’s most likely related to the disputes going on now that are wider. I don’t think we’re going to expect that kind of activity in the future. I mean, if that would happen in every country where members of ransomware gangs reside, it would do a lot to stop ransomware, but I’m not holding my breath.
Sharon D. Nelson: Neither are we. There was an article today talking about how ransomware gangs are a little nervous because if the countries really did take this seriously and arrest people and take their cryptocurrency back and all the other things that the Russians did in the case of REvil, including of course arresting and charging these people, that would be quite something. They felt fairly secure and they no longer feel as secure as they once did. But let’s turn to cyber insurance, which has been in the news lately. When we lecture, John and I say it’s pay more, get less, and that’s really the truth of it. So, what are the current developments and why is our motto so true?
David G. Ries: Insurance premiums are going up. That happens often with insurance. Like after we see a hurricane or something of that nature, the property and casualty insurance premiums can go up. One of the limitations of cyber insurance is that it is a newer form of insurance. It hasn’t been around for decades like a lot of the other insurance. And in the traditional insurance, the insurance companies have become very good at underwriting and understanding what the losses are, what the risks are and how much they have to charge to be able to pay for covered losses and also make money, since it’s their business.
Over the last few years and particularly in the last year, the loss history has become clear, and that is in part because of ransomware, because carriers, if there’s coverage, are both paying the ransom when that’s authorized and the recovery expenses, and those have been very high. So that’s led to the higher premiums. With that, we are seeing more limits, so the total limit under the policy may be lower than it was in the past. There also are sub-limits and exclusions. So, there might be a lower limit for ransomware than there is for the policy in general. It’s also been reported that some insurers are looking more closely at the insured’s security, telling them that if they do not have things like multi-factor authentication for remote and administrator access, they won’t even write the policy. So, I mean, your summary of paying more for less is accurate, but it’s important to understand why that is and that there’s a reason for it.
John W. Simek: Well, our carrier didn’t really care whether or not we’ve got MFA in place or have EDR solutions. So, they raised the rates significantly anyway.
David G. Ries: Yeah, and that varies. I’ve had underwriters from carriers tell me that except for very large customers, they don’t worry about the details of the insured’s security, but I think we’re seeing more looking into that, and it is going to smaller-size insureds.
John W. Simek: Well, that’s really been our experience, but we’re fairly new into 2022. Do you have any suggestions for cybersecurity new year’s resolutions for folks?
David G. Ries: I do. I just wrote an alert for our firm on cybersecurity moving into the new year. So basically, what I recommend, for law firms and other types of businesses and organizations that have an established cybersecurity program, is that it’s a good time to review and update them in light of the threats that we saw in the last year and the advances in security safeguards that we saw in the last year. For those that don’t, it’s really an important time to make the commitment to implement a cybersecurity program, and not just make the commitment but to carry forward with that on a set time schedule. So it’s evaluating the plans in light of last year’s threats and advances and making sure that those are addressed, as well as the traditional review. And my final recommendation is to avoid getting on CISA’s naughty list. CISA has published a list of bad practices. It’s pretty bare-bones at this time. There are only three things in it, and I’m sure we’re going to see increases, but the three bad practices on what I’ve called the naughty list are not using multi-factor authentication for remote or administrator access, using end-of-life software like Windows XP, Windows 7 and at this point even some of the early versions of Windows 10, and using default and known passwords. That’s particularly on network devices like routers, wireless access points and things, and on internet devices. So again, it’s a new list and it’s likely to grow.
Sharon D. Nelson: Yeah, I suspect it’s going to be a very long naughty list by the time they’re done with it, because we certainly see a lot of naughty practices all the time. But we sure thank you for being our guest today, Dave. Our listeners may not know that Dave corresponds with us virtually every day and vice versa, and we’re always exchanging the latest information. So, it really is nice having somebody that we’re so entrenched with in writing and speaking on the program. That part of our lives is a joy, and it was really nice to have you on the podcast. Thanks Dave.
David G. Ries: Okay. I’m always glad to do it.
John W. Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at LegalTalkNetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.