As the Panama Papers made brutally obvious, law firms contain vast amounts of confidential information about clients. Some of that information might not reflect positively on those clients (such as huge offshore accounts), but some of that information could help make hackers or their customers rich.
At least, that was the apparent intention when law enforcement came upon a “criminal-seeks-hacker” posting on the “dark web.” According to an alert sent to American Bar Association members by the FBI’s Cyber Division, the criminal was looking for a hacker to break into the networks of international law firms as part of an insider trading scheme.
The FBI’s alert didn’t specify as much, but presumably the alert involves the recently reported hack into a number of elite U.S. and U.K. law firms.
Unfortunately, law firms are seen as softer cyber targets than some other sectors because they haven’t uniformly adopted rigorous cybersecurity protocols. It’s a safe bet that’s now about to change. We’ve always been protective of our clients’ confidential information in the analog sense, i.e., in what we say publicly, the storing of physical records, and in all other “real world” situations. And that’s as it should be. Some of the issues we deal with involve incredibly valuable information, particularly if it’s in the wrong hands.
Now, apparently, it’s time for lawyers and law firms to step up our game on the digital front. Hackers literally have nothing better to do with their time than find ways to steal confidential information, so it’s incumbent on law firms to do everything they can to thwart them.
The FBI passes along these tips to deter hackers:
- Educate personnel on appropriate preventative and reactive actions to known criminal schemes and social engineering threats, including how employees should respond in their respective position and environment.
- Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
- Disable macros. Be careful of pop-ups from attachments that require users to enable them.
- Only download software – especially free software – from known and trusted sites.
- Create a centralized Information Technology e-mail account for employees to report suspicious e-mails.
- Change network default passwords, configurations, and encryption keys. Use strong passwords.
- Recommend your company’s IT professional(s) review, test, and certify the need/compatibility of a patch or update prior to installing it onto the operating system or software.
- Monitor employee logins that occur outside of normal business hours.
- Restrict access to the Internet on systems handling sensitive information.
- Install and regularly update anti-malware solutions, software, operating systems, remote management applications, and hardware.
- Do not use the same login and password for multiple platforms, servers, or networks.
- Monitor unusual traffic, especially over non-standard ports. Close unused ports.
- Monitor outgoing data, and be willing to block unknown IP addresses.
- Isolate sensitive information within the network.
- Only allow required processes to run on systems handling sensitive information.
- Implement two-factor authentication for access to sensitive systems.
- Ensure proper firewall rules are in place.
- Be aware of the corporate footprint and persona facing the Internet. Conduct searches using multiple search engines on multiple Internet domains of company names, Web addresses, key personnel, and projects to determine if there is an accidental weak point in the network security. Conduct infrastructure look-ups in the public domains to ensure additional information is not inadvertently advertised.