Law firms are considered by many hackers to be soft targets with a wealth of valuable information. Data from social security numbers, credit cards, and client confidences is enough to make the criminal mind salivate with malicious intent. Between 31-45% and 10-20% of firms have been infected by spyware or experienced security breaches respectively. But what can a private practitioner or law firm do to prevent these trespasses on their networks?
In this episode of The Florida Bar Podcast, host Adriana Linares welcomes cyber security expert Sherri Davidoff to discuss the dangers to data that exist for law firms today. To begin their dialog, they define what ransomware is and tell us why so many firms give in to its extortion.
Tune in to learn what practitioners can do to counteract or mitigate some of the risks. Spam filters, employee training, role-based access controls, and anti-virus software are among many countermeasures available for even small firms. In addition, lawyers may want to consider network monitoring, cloud-based software platforms, and comprehensive backup and retrieval systems. The key to successfully implementing the latter is to test your IT firm’s ability to restore lost files.
Sherri Davidoff is a nationally-recognized cyber security expert who is a founder and Senior Security Consultant at LMG Security. She has over a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing, and web application assessments. Davidoff is an instructor at Black Hat and co-author of “Network Forensics: Tracking Hackers Through Cyberspace”. She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in computer science and electrical engineering from MIT.
Mentioned in This Episode
- Role based access controls
- Email traps
- Anti-virus software
The Florida Bar Podcast: Cyber Security: How to Protect Your Firm and its Clients – 2/26/2016
Advertiser: Welcome to the official Florida Bar Podcast. Where we cover practice management, leadership, and what’s happening in Florida law. Brought to you by the Florida Bar Practice Resource Institute. You’re listening to Legal Talk Network.
Adriana Linares: Hello and welcome to another episode of the official Florida Bar podcast. It’s brought to you by the Practice Resource Institute on the Legal Talk Network. Of course, we all know by now that the Practice Resource Institute is the Florida Bar’s online center for practice management information dedicated to Florida attorneys. I’m Adriana Linares, I’m your host. I’m a legal technology trainer and consultant. I’ve been working in and around Florida for many years. I have the good fortune of occasionally being called upon to help the Florida Bar Board of Governors and their various committees with their technology issues and hot topics and help them try to figure out how to create good programs or ideas for Florida Bar members. I’m pretty thrilled today because the topic at hand is going to be about cybersecurity, which has been an incredibly hot topic over the past couple of years. Certainly more than ever, law firms have always felt protected against a lot of security issues and risks and there’s a million reasons why. We can talk about them and we’re going to do that together with my special guest today, Sherri Davidoff. Sherri is a security expert and a pretty damn good one based out of Montana with her company called LMG Security. Hey Sherri!
Sherri Davidoff: Hi Adriana!
Adriana Linares: Woah! I’m so excited to have you here! Tell us a little bit about yourself, how you got into the world of security and specifically cybersecurity and we’re going to talk about what’s happening in law firms today that we’re both seeing a lot of.
Sherri Davidoff: Absolutely! I am the founder and CEO of LMG Security. We are a cybersecurity consulting, research and education firm based on Missoula, Montana, and we actually work all over the world including with attorneys, as well as financial institutions, healthcare clients, all over the map. So I got started in security 15 years ago back when I was a wee little student at MIT and I responded to an advertisement for people who wanted to stay up late and eat pizza and watch out for computer viruses. I didn’t know it at the time but it was very fortuitous. It was really the beginning of an industry and I had this fantastic opportunity to grow up with the industry and to see cybersecurity evolve and to see a lot of the regulations like HIPAA and the industry standards like PCI evolve with it. So it’s really been a fascinating experience and I also have a book coming out next year called Data Breaches, which is being published by Pearson Education.
Adriana Linares: That is pretty cool! This will be interesting and then I’m going to tell you that I’m super jealous. I also started my career 15 years ago at about the time that legal technology was becoming a thing. And it was specifically at a time when law firms were upgrading their systems from Windows NT, I think, and really moving from WordPerfect to Word and I also have grown up with the industry and watched evolutions and revolutions and changes, so that’s pretty cool. But I have to say that I’m jealous because I wish I had started in security, it’s become something that I really enjoy learning about lately. I think maybe I’m a little bit stale with what I do so I’m super jealous of you and I’m really excited to get to drill you on a few things as far as what you’re seeing happening in law firms. I’ve been telling my clients and the lawyers that I talked to lately that law firms have now been labelled as soft targets. Hackers are starting to really turn an eye towards law firms. Why is that?
Sherri Davidoff: Well law firms are really in this unique position. They have an incredible wealth of information and Sharon Nelson and I who are also speaking at the ABA TECHSHOW coming up, we were talking about that specifically. Law firms have all kinds of sensitive personal information, social security numbers, credit card numbers, as well as confidential and proprietary information; things that business is competitors would want to know. And one of the things that I hope we have time to cover when you and I are speaking at the ABA TECHSHOW – and by the way, world, Adriana and I are speaking at the ABA TECHSHOW. She’s unfortunately stuck with me as a partner.
Adriana Linares: It’s going to be great.
Sherri Davidoff: We’re speaking on phishing and security awareness. But one of the things I hope we’ll have the chance to touch on is that your information is worth money to people. So attackers are just spelunking for information. If they break into your computer, your passwords can be resold on this underground black market and then sold to the highest bidder. And the people who are actually breaking into your computer, these criminals, they’re from organized crime groups. They might now want your computer specifically, they’re just trying to gather up as much data as they can so that they can then resell it. So it’s all about money.
Adriana Linares: That is incredible. And it’s true, there’s a whole marketplace there that the average person doesn’t realize and certainly lawyers aren’t realizing. So one of the big threats I’ve seen lately that I know is one of your favorite topics and I want to lead off with it because it’s just so fascinating is that of ransomware. A lot of our listeners have probably not even heard of ransomware, but I bet you a lot of them – their law firm, whether they’re solos or large law firms – have been infected by and had to deal with ransomware. So why don’t you tell our listeners what that is and what you can do about it, if anything?
Sherri Davidoff: Ransomware has actually been around since 1989 but the idea is that someone takes over your computer and either they lock up your data or maybe they just lock the screen of your computer so you can’t get into it. And until you pay the fine, you can’t get back into it.
Adriana Linares: Pay the fine? That sounds crazy!
Sherri Davidoff: Yeah, I mean you have to pay for what’s rightfully yours. And a lot of attorneys are in this position where either they hae to pay a $500 fee to the people extorting them, or they might have to pay thousands and thousands of dollars to some IT company that would try to recover it and may not even be successful. And a lot of this is about prevention, which we can get to in a little bit. But you can absolutely prevent these problems from happening. Making sure that you have appropriate backup so that even if your data does get locked up, you can restore it from a backup, for example.
Adriana Linares: Let’s back up a little bit and break down some of these points. I’ve had a lot of law firms unfortunately that have had to deal with ransomware. So let’s go through the anatomy of how this happens. The way I’ve seen it happen about four or five times now is as an attachment to an email that someone gets which is a PDF and it’s called something along the lines of a resume, so it looks perfectly innocent. Let’s do some roleplaying, Sherri. You be the hacker, I’m going to be the attorney who receives the email that says “Associate Resume Attached,” and I think, “Oh. I’m not looking for an associate, but you never know, I’m always interested.” So I look at my inbox, I look at my mail, and there’s an attachment. The email looks fine. The attachment actually looks like a PDF. So you know how sometimes when your computer doesn’t recognize a program? You get the Windows symbol or you get something weird, but no. This looks like an actual PDF. So I double click on it. What happens?
Sherri Davidoff: So let’s say your computer is vulnerable. And computers can be vulnerable for different reasons, a lot of times it’s because you aren’t keeping maybe Adobe software up to date. So you double click on that, the PDF opens, and maybe it’s not really a PDF. Maybe it’s really an executable file in disguise or maybe it has some code in it that takes advantage of the vulnerability of the program that’s running. So because of that, it’s able to take over your computer and then what happens next will depend on the type of ransomware that it is. One example is that it could start encrypting your files one by one. So going through all of your files and folders, encrypting each one, and then deleting the original one.
Adriana Linares: I’d die. So basically what happened that you’re saying – if I’m understanding you correctly – is it launches a program, even though it looks like an innocent PDF, it’s not. That program starts going on the hunt. So it starts looking in maybe my documents if I don’t have a network or it looks for shared drives. So a lot of attorneys have a drive that’s called “Clients” that everyone accesses and then inside that client folder there’s an A to Z, and then inside of there there’s the client names. So the virus then starts tunneling its way through all of those networks or even just locally finds what generally Word documents, Excel documents, PDF documents, right?
Sherri Davidoff: Yep, absolutely. It might find all the documents and some of the variants we’ve seen actually encrypt the file name and not just the file itself. So you can’t even see the list of the files that have been encrypted. I want to read to you a breach notification from California.
Adriana Linares: Sure, I love those. I collect those, I have a collection of them.
Sherri Davidoff: I collect those too! See, I knew that we were like soul sisters. I actually have my wall of data breaches which are framed, letter breach notification letters on the wall of my office and they’re fascinating. Target, for example, Fazio Mechanical, and then all these other organizations. And it’s interesting to see how they evolve over time. But here is one that I think is a fairly landmarked data breach notification letter, it’s from Ziprick & Cramer, LLP and it came out in February of 2015. They sent a letter saying, “Dear client, it’s almost a daily occurrence that we read about cyberattacks in the news.” And then skipping ahead, they said, “Our firm was the victim of a cyberattack. A relatively new variant of a cryptolocker type ransomware. It infected one of our workstations with the virus encrypting data on the workstation and then it traveled to the in-house server where data was also encrypted on shared folders. Accordingly, we’re sending this letter to all clients.” So you can see what happened. It got on one person’s computer. One person in your firm clicks on a link or clicks on an attachment and then that piece of malware – and by malware I mean malicious software – then it just goes systematically and tries to encrypt every single file or folder that that person’s account can access. And that means it could encrypt whole storage arrays. All of the shared files in the system, if different people’s accounts can access it.
Adriana Linares: And even if you happen to have a USB stick plugged in and have a bunch of files in there, it’ll find it and encrypt those files too. So tell us what you mean by encryption just in case there’s a couple of listeners out there who don’t really know or understand what happens when a file gets encrypted.
Sherri Davidoff: Sure. So encryption is just a mathematical algorithm, a one way mathematical function on a file and there’s different kinds of encryption. So I’m going to level up for a second and tell you about asymmetric key encryption.
Adriana Linares: Woah.
Sherri Davidoff: I know, it’s a big word there. You’re attorneys! They’re smart, and I’m going to make this easy, I promise.
Adriana Linares: Okay.
Sherri Davidoff: So let’s imagine you have a box and there’s two keys to the box. There’s not one key, there’s two keys. One key can lock up the box but that key can’t unlock the box. Only the other key can unlock the box. So that’s cool. Let’s say you put it outside your house and you want people to be able to drop off packages. You can leave what we call a public key right next to the box. Anybody can use that to lock the box. And the only person who can unlock it is you, with the other key, which we call your sacred key or your private key. That is basically how asymmetric key encryption works. And it’s super important to know for things like encrypted email. The reason we care about it in this case is because most of the time, attackers are locking up your files with one key and they have the other key. You can’t just unlock it with the key that may be in the malware.
Adriana Linares: Right. That’s amazing. So it gets locked up and then this is where the ransom part of ransomware comes in, right? You have X number of days to pay them back. And it’s not as if you can go down to the local Target and pick up an American Express gift card and send it off in the mail. It’s done oftentimes through Bitcoin. And that alone can take lawyers or their IT people a couple of days to get set up, right?
Sherri Davidoff: Yeah, let’s say you’re a solo practitioner or small law firm and this hits you. Maybe you pay a ransom of $300 and they send you a key. What do you do with it? And this is interesting because now there’s this whole new economy. You find now new IT companies that specialize in these negotiations with the people who are holding your data hostage and they specialize in getting the key and then helping you to decrypt your data. It’s kind of like hostage negotiations-
Adriana Linares: That’s unbelievable.
Sherri Davidoff: Yeah, absolutely. And you can get insurance to help cover the cost, by the way, which you might want to look at.
Adriana Linares: Yep. I think that’s a great suggestion to see if we can encourage some lawyers to think about some cyber insurance. I had a good friend, actually an attorney here in town – I’m in Orlando today – and she’s a solo practitioner with a paralegal and an associate assistant. They got the cryptolocker virus and it started at $300 on day one, 24 hours to send us the $300. But then it increased $300 every day. By the time her IT guy got around to setting up the Bitcoin account, getting everything figured out, it was 4 days later. She paid the $1,200. Is there a way – how can I prepare and get my law firm in a position so that if this does happen to me I don’t have to pay? What are the types of solutions that law firms can put in place which would prevent this from being suc ha hassle? We could just say, “Ah ha! I have outsmarted you, hacker!”
Sherri Davidoff: Right. Well first of all, you can prevent it from happening in the first place. Number one, really good spam filtering, good education, training people what to look out for in these emails-
Adriana Linares: Yes, my favorite word, training.
Sherri Davidoff: Training, training, training, and it really works. It really does. Also making sure that you have proper role based access control. This is a huge deal. And to back up a second, law firms have been getting hacked for years. I think that they’ve been getting hacked way more than most people realize partly because we’re not actively monitoring our networks. Especially for smaller firms, it’s really hard to do that, to have visibility to our networks. Also, think about the kinds of data that you hold. If you have a merchant like Target, that loses 100,000 credit card numbers, well, the credit card companies are going to trace that back to Target. But let’s say you lose all of your client emails. Somebody steals them or somebody is stealing trade secrets, proprietary information that actually belongs to your client. How is anybody going to know that that came from the law firm? And so because of that, we haven’t really been getting good feedback in the past and law firms haven’t had a vested interest in taking the next step in security, it’s hard to justify the cost. And finally that is changing. So role based access control to get back to the question of prevention, role based access control just means that people have access based upon the role that they have. And a lot of companies, it’s much easier just to say, “Okay, everybody has access to every file.”
Adriana Linares: That’s how most law firms operate. So most law firms, especially in the mid size and the small firms which is where most lawyers live, it’s an open community. Everybody does have access to every file, every matter, every client related matter. If you think about some of the document management systems that are popular in the largest law firms in the world to the smaller ones, that’s how they work. Everybody has access to everything.
Sherri Davidoff: Right. And it’s an efficient system, we’re a very trusting community. We trust each other and when worst comes to worst, you might have to put a disclaimer on something or get someone to sign something. But unfortunately, your hackers in Romania don’t really care if there’s a disclaimer saying this email is confidential. But you know, I think good things are going to come out of ransomware the same way that good things came out of all those big viruses in the early 2000’s. Blaster, Slammer, those were a huge pain in the neck. But you know what? They made us strong. We came through stronger and we had more secure networks because of it. And attorneys can really learn from what we’re seeing now with ransomware. So with role based access control, you have to think about how your organization works. What cases do people need to have access to or what types of cases and how can you limit the types of access that people have? And that’ll help not just in ransomware prevention, but that will make it so that if Joe Shmo’s in the corner’s computer gets infected, the ransomware won’t encrypt every file on your network.
Adriana Linares: And that’s because his computer, through this role based access, doesn’t have the rights to see another set of documents because his role doesn’t require him to have access to those files or documents.
Sherri Davidoff: Precisely, precisely. So it really limits the damage that could be done with that one person’s account. But when you think about it, we have problems every day with staff that are leaving who maybe trying to take file with them or things like that. So it just makes sense from general organizational health to be restricting access anyway. I think clients like to know that you have controls in place to protect their confidentiality and to limit the spread of their information.
Adriana Linares: Well certainly in the larger law firms that’s managed and controlled by pretty sophisticated IT departments. But when you’re a solo or mid sized or a small firm, some of the suggestions that we might have for them are to think about – and this is weird and they’re going to freak out. I know that this is not what they’re expecting to hear. But when you are using a Cloud-based program, it becomes a lot harder for viruses like this to tunnel through because your documents aren’t stored locally. So there’s a point for Cloud. This becomes a lot harder and I can guarantee you that my clients who have been affected by ransomware, it was not their documents that were being stored in Net Documents or Clio or Rocket Lawyer or Box. It was the documents they hold onto locally that were easy for the malware to funnel to. The other thing I want to suggest – and I’m going to let you talk about this because it was something that you mentioned earlier – is really having good backups. That’s another thing that law firms are really bad about or they just think someone else is taking really good care of that situation. Can you talk a little bit about that?
Sherri Davidoff: Yes, absolutely, and I’m so glad you brought this up, it’s critical. You mentioned earlier that the ransomware can encrypt all the files on a USB that’s attached to the computer. I know quite a few smaller organizations that backup computers with a USB drive attached to it. And again, the problem is that if the computer gets infected, the USB drive can also be encrypted as well. So you want to do one way backups where the backup can pull data off of your workstation, but the workstation can actually access the backup server and delete things. That’s one way to handle it. Also if you want to do it on the cheap, backup your data and physically take that drive away. Put it in a safe deposit box if you’re a tiny little firm, maybe one or two people. That is the poor attorney’s way of actually getting offsite backups done. It’s not what I would recommend for a midsize to large firm, but it’s a simple and relatively inexpensive way to do it. It’s hard for small firms to handle IT with the same level of sophistication as the big firms, but we really do need to perform at the same level. So you could really leverage the Cloud and take advantage of scalability. If you do store your data in the Cloud, make sure you’re doing your due diligence. You don’t want to just throw it up in DropBox because it’s easy. We’re attorneys. Read the terms of service. Make sure they’re not mining the information that you put up there. You might think, why would they do that? And the answer is so they could make a buck.
Adriana Linares: I just realized that I gave one bit of misleading and bad information so let’s clarify this. I mentioned Cloud based products like Netdocuments, Clio and Rocket Matter. So those are practice management programs and document management systems that store things behind some very sophisticated security measures that are managed by the companies and that’s one of the things you pay for. But let’s talk about one of the most popular products used by law firms. You just mentioned it, the D word. If I’m using DropBox on my home computer, Sherri, and I get ransomware and I think, “I don’t care, I’ve got these DropBox files on my home computer. I’m just going to go home and get these files that are not on my computer.” What happens?
Sherri Davidoff: I guess you are phishing for something because have you seen a case like this?
Adriana Linares: Just the misunderstanding of what DropBox and Box do, which is not backup but they synchronize.
Sherri Davidoff: Also, the latest versions of Cryptowall, they’re not just ransomware. They also install spyware on your computer and they steal your passwords. And that means that if you log into a Cloud account with your username and password, an attacker could theoretically log in there too, right? And these big servers that many people use are more likely to be targeted.
Adriana Linares: So I want to recap the suggestions that we have for them, which is you want to get good training for your staff and yourselves about what types of things to look for. I had a firm in Palm Beach call me a couple of months ago and say, “Please come do some training on our people even though we tell them over and over again. They keep clicking on things they shouldn’t click on and downloading things.” And even though the IT department can put in enough measures to stop a lot of the issues that get through, there’s still work that needs to come through the pipe. So anyway, getting training is one, having a good backup, and then confirming that the backup works and that you can pull documents off of there. How often do you see that problem? “We have a backup! We’re fine, we’re fine!”
Sherri Davidoff: One of the reasons I wanted to talk about ransomware is I had a colleague of mine, unfortunately, whose firm got hit by ransomware and said, “No problem, we have backups,” and they went to restore the backups and it turned out that the IT company that they had contacted wasn’t doing proper backups.
Adriana Linares: I see this all the time. You have GOT to talk to your IT people especially if they’re outsourced and confirm. You want to stand behind them and tell them to restore a file from backup before your very eyes and make sure that it’s working because every IT person you can talk to right now will tell you that we see this problem all the time. So we talked about good training, having the right systems in place.
Sherri Davidoff: Have a third party and that’s where firms like mine come in. Have a third party check. If you’re not a technical person, have a third party once a year just come in and double check and make sure that everything is as it should be.
Adriana Linares: Sherri, what are some reasonably priced and good off the shelf – for a lack of a better word – antivirus and malware programs that lawyers who aren’t with the bigger firms and have to be cost conscious at some level could think about looking at and installing? What are your favorites?
Sherri Davidoff: So I really like Kaspersky and it works of course on a variety of different operating systems. In our forensics lab, we do digital forensics. We will scan hard drives for viruses and I tend to find that Kaspersky catches more than the other antivirus solutions that I’ve seen. And obviously, we’re not Consumer Report, but I do like the way that it performs. You can also use McAfee, Sophos, but of course any antivirus software suffers from this limitation where you have to know about a virus where you have to protect against it. So it’s not a silver bullet. It’ll help make sure you’re not the low hanging fruit, and that’s important.
Adriana Linares: Well, this has been incredibly helpful. I can’t tell you how much I appreciate your time. Before I let you go though, would you tell our listeners how they can read more about you? Tell us your website, your Twitter handle. Any other information that’s helpful for people to keep an eye on you.
Sherri Davidoff: Sure, absolutely. My website is www.LMGSecurity.com. And my Twitter Handle is @SherriDavidoff, also my company’s Twitter handle @LMGSecurity, and I will be speaking with you at the American Bar Association’s TECHSHOW.
Adriana Linares: I know, that’s really exciting. Come see us in March in Chicago. Well, Sherri, thank you very much. I really, really appreciate it. Of course, for all of you listeners who would like to learn more about what you’ve heard today, make sure you visit the official Florida Bar Podcast on the PRI section of the Florida Bar website. That brings us to the end of this show. I’m Adriana Linares and thank you for listening. Join us next time for another great episode of the Florida Bar Podcast.
Advertiser: The views expressed by the participants of the program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer. Thanks for listening to the official Florida Bar Podcast, brought to you by the Florida Bar Practice Resource Institute and produced by the broadcast professionals at Legal Talk Network. Join host, Adriana Linares, for her next podcast on practice management, leadership, and what’s happening in Florida Law. Subscribe to the RSS feed on LegalTalkNetwork.com, or in iTunes.