Fish tempted by fishing hookAs technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about? Continue Reading If you teach a man to phish …

Last Piece of PuzzleWhew – we’ve survived yet another round of states enacting or amending their PII breach notification laws.  If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do: Continue Reading With PII breach notification statutes, the rules keep changing

Empty SafeLast week’s post explored why law firms need data security policies.  Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.

What does a records retention schedule have to do with data security?  Simply this – keeping data without a legal or business reason exacerbates data security exposures.

Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose.  This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.

It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.

But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right?  Actually, far too few firms do. Continue Reading Law firm data retention – they can’t hack what you no longer have

Bare feet of muddy childrenYou’d think, among all types of businesses, that law firms would be at the front of the pack in having a data security policy.  After all, law firms regularly tell their clients how important it is to have effective policies in place for legal compliance and risk management.  And law firms certainly possess large volumes of valuable data, such as confidential client information and individual’s personal data, and are subject to a daunting array of security threats.  But as the saying goes, all too often the cobbler’s kids have no shoes.

How shoeless?  Results from the  2017 ABA Legal Technology Survey are grim.  Less than half of the responding law firms have the following policies and plans, which are crucial to a firm’s security posture:

  • computer acceptable use policy (48%);
  • remote access policy (45%);
  • disaster recovery/business continuity plan (42%)
  • incident response plan (26%); and
  • personal technology use/BYOD policy (24%).

This is astounding, especially given the compelling reasons for law firms to put data security policies in place.

Continue Reading Law firms, data security policies, and cobblers’ kids

Ignorant DoctorIf you had a choice between doctors to perform surgery on you, which would you pick:  a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?

The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.”  It’s a check-the-box response to regulatory compliance or client demands.   Sign everyone up for an on-line phishing exercise and you’re done.  Yet the consequences of ineffective training can be dire.  You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.

This is not to say that awareness is unimportant.  But raising awareness is just the first step in effective cybersecurity defense.  Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them.  In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets. Continue Reading How to gain assurance against human security vulnerabilities

Hacker at work with Russian flag on backgroundThe indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race.  With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently our President), the 29-page indictment is a textbook on sources and methods.  No, not intelligence-gathering sources and methods, which are of course highly classified.  Instead, the indictment catalogs the sources of data that were stolen, and the methods used by the GRU intelligence units to methodically hack into the targeted systems, exfiltrate the data, evade detection, and weaponize the data through publications timed to inflict maximum impact.

The lessons to be learned from the indictment’s allegations, summarized below, are useful to any organization serious about data security and prevention, detection, and response to hacking, whether state-sponsored or otherwise.

Continue Reading The latest Mueller indictment – what we all can learn about sources and methods

Person hiding head in the sandI keep getting asked about Cambridge Analytica and Facebook.  And no one seems to like my response – I’m frankly amazed that this all took so long to blow up.  How long?  How about since 1973.  That’s when the U.S. Department of Health, Education, and Welfare first articulated the Fair Information Practice Principles (FIPPs or FIPs) in its report Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data SystemsThe FIPPs went on to become bedrock global privacy principles, and central to them are the principles of notice and consent.

As the FTC later explained in Privacy Online: A Report to Congress:

1. NOTICE/AWARENESS
The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them….

2. CHOICE/CONSENT
The second widely-accepted core principle of fair information practice is consumer choice
or consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used….

These mechanisms – notice and consent – are what make a self-governing privacy system work.  If someone (such as Facebook) is going to obtain and use our personal data, they should first give us notice of how they will use it (such as provide or sell it to others), and then we make a choice – we either consent and provide our data, or we don’t.  The government may enforce these representations and choices under fair trade practices laws, such as FTC Act Section 5, but the rules themselves are made in the marketplace.

There has to be some source of governance.  The alternative to self-governance through notice and consent is governance by government, with legislators and regulators making the rules for how our data is handled.  There’s quite a bit of that in the EU and elsewhere, but in the United States, outside of specific sectors such as healthcare (HIPAA), education (FERPA), and financial services (GLBA & FCRA), there’s little such regulation here.  In the U.S. we’ve made a policy decision to largely self-govern the privacy of personal data.

Fast forward from 1973 and, especially in our Internet-driven, U.S. self-regulatory environment, we’ve got a large, smoking crater – precious little government regulation, and even less personal responsibility.  Let’s face it.  We don’t actually pay attention to privacy policies and terms of use, and we don’t actually make informed choices on our consent to data practices for our personal information.  Under our self-governing privacy system, look in the mirror.  The enemy is ourselves.

Continue Reading (But wait, I didn’t) notice and consent

White hatTesting for technical vulnerabilities is a key part of security risk assessment.  To get the straight scoop on technical vulnerabilities, and how they’re exploited, why not ask a hacker?

Dave Chronister is an ethical hacker, a Certified Information Systems Security Professional, and the co-founder and managing partner of Parameter Security.  To borrow from the Farmer’s Insurance commercials, Dave knows a thing or two because he’s seen a thing or two.  He started early – Dave wrote his first computer program before age 8, and as a teenager he ran a large networked bulletin board system, through which he first experienced war dialing and the underground world of hacking.

Dave and his Parameter Security team perform technical security assessments (ethical hacking penetration services, code & device reviews, and social engineering exercises), post-incident forensic investigation, and training.  Dave regularly appears as a cybersecurity expert on CNBC, CNN, Fox Business, and MSNBC, and he writes and speaks internationally on hacking and system security.

I recently asked Dave for his thoughts on the current hacking landscape, and especially on why technical vulnerability testing is crucial to an overall security risk assessment. Here’s what he shared: Continue Reading So, I asked a hacker about technical vulnerabilities …

ChecklistWould you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case?  Or conduct transaction due diligence by simply marching though a generic punch list, without assessing the unique aspects of the company, the deal, and the industry?  Of course not.  Your law firm’s data security posture is no different – you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.

But assessing security risks is more than merely a good idea.  Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard.  Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards.  Other such laws directly govern the firm’s clients, which in turn increasingly require them of their law firms as service providers.  And taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.

Continue Reading Security risk assessment is not just a good idea – it’s a compliance requirement

Driver looking under the car hoodI had a nagging worry that something was wrong with my car, so I finally decided to take it to the dealer.  I couldn’t exactly describe my concern, except there was an intermittent, “funny noise” coming from somewhere in the front end.  An unscrupulous dealer would have taken me down a long path of parts replacement, beginning with tires, then wheels, then tie rods, and on and on, perhaps never fixing the real problem.  Fortunately, my dealer was honest and performed diagnostics, ultimately discovering that the rack and pinion was failing.  The part was under warranty, so the repair cost me nothing and my funny noise is gone.

Was my worry constructive?  Yes.  It also went hand-in-hand with my own risk assessment.  What were the chances that the noise foretold a failure that would cause an accident?   Would I or others be hurt in the accident?  As it turned out, a failure could have been catastrophic.   In this scenario, I could prudently act on my worry because I had a basic understanding and control of the situation.  But it’s not always easy to act on worries—particularly if you don’t understand the issues or potential risks.

It’s reasonable these days for everyone, particularly lawyers, to have a nagging worry about information security.  That’s where independent risk assessment comes in.  Most lawyers know just enough about accounting and finance to help them profitably manage their firms, calling in experts when needed.  The same should be true for information security.  An independent security risk assessment not only identifies risk, it also helps to educate regarding likely threats and vulnerabilities. Continue Reading Security Risk Assessment: You can’t fix what you can’t see.