10 ways law firms can make life difficult for hackers


In the world of cybercrime, everyone from individuals to nation states is a target, some more attractive than others, of course. Healthcare organizations have been getting the most headlines recently, and the Internet of Things (IoT) offers an almost unlimited attack surface.

But law firms are attractive too. They hold sensitive, confidential data, from the personal (divorce, personal injury) to the professional (contract negotiations, trade secrets, mergers and acquisitions, financial data and more) that, if leaked, could cause catastrophic damage both to the firm and to its clients.

The Wall Street Journal reported recently that hackers broke into the networks of two of the nation’s most prestigious firms, Cravath Swaine & Moore and Weil Gotshal & Manges, in 2015. The two “represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations,” the Journal said.

The FBI and Manhattan U.S. Attorney’s office were investigating to see if the hack was aimed at getting information to use for insider trading.

Tom Brown, managing director and global leader of the cybersecurity/investigations practice at Berkeley Research Group, said law firms are being targeted more, “probably because hackers are looking to maximize their return. If successful, they can get information on multiple clients through a single attack.”

Tom Brown, managing director and global leader, cybersecurity/investigations practice, Berkeley Research Group

But while high-profile cases like those in New York make national news, many others don’t. Or, if they do, the firms are not always identified. The Cybersecurity Law Review (CSLR) reported recently that four firms in northern Virginia were hit by ransomware attacks late last year. But none of the firms was named.

And few firms are willing to talk publicly about it either. More than a half-dozen attorneys did not respond to a request from CSO to discuss law firm breaches. This, according to the public relations representative of one firm, is due to “sensitivities around the topic.”

Sensitive or not, it is an obvious and growing problem. As the Journal put it, with the growth of hacking tools and hackers for hire, “it has become easier for criminals to breach computer networks to advance a range of crimes, from insider trading to identity theft.”

Rebecca Hughes Parker, editor of the Law Report Group, said the 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, and noted a recent report that a Russian hacker targeted 48 top law firms for access to information on mergers and acquisitions.

Rebecca Hughes Parker, editor-in-chief, Law Report Group

Peter Zeughauser, chairman of the Zeughauser Group, a consultancy to large law firms, said whether it is alerts from the FBI, concerns expressed by clients or news of hacks, “there is a higher level of concern” about cyber attacks.

In ransomware cases, even when the goal is simply to collect money rather than to use the confidential data, it is still generally a major headache for clients, according to Parker.

“It can cost the firm a lot of money to deal with, and it can be costly to its reputation,” she said.

The most obvious response to all this is to improve cyber defenses. While no technology is completely bulletproof, experts have said for years that better “security hygiene” can take an organization out of the “low-hanging fruit” category.

Peter Zeughauser, chairman, the Zeughauser Group

While, as Brown put it, “there is no ‘answer in a box,’ because every law firm has its own risks,” there are still some general principles that will lower any firm’s risk profile. The following recommendations come from Brown, Parker, Zeughauser and a Q&A by CSLR with John Simek, vice president and co-founder of Sensei Enterprises.

1. More and better employee training

As has been said numerous times, people are the weakest link in the security chain. And that weakness is being exploited more effectively by criminals who have become much more sophisticated with phishing emails.

“People are the problem,” Simek told CSLR. “All the technology in the world is not going to stop the attacks.”

Law firms can be especially vulnerable because court filings are public record. An attacker can easily get the name of the attorney of record and use his or her name to send a phishing email with a malicious attachment purporting to be an updated complaint from the attorney.

Yes, training eats up what would otherwise be billable hours, but dealing with a ransomware incident or a major breach is far more expensive.

2. Keep backups disconnected from the network and the Internet

With the explosive rise of ransomware, backups should be mandatory. But they will do no good if backup drives are connected to the network, since that will allow malware to infect them as well.

3. Install all patches and updates

Patches do exactly what the name implies: they patch a “hole” in software that is vulnerable to attack. Almost all of them are free, so the only thing they cost is attention and time, and that time is very well spent. Failing to patch a known vulnerability is a bit like locking up the files at night but leaving the front door wide open.

Chart: breaches by firm size (source: American Bar Association)

4. Update software, especially when it is no longer supported

This costs money, which is a major reason many firms don’t do it. The thinking is the equivalent of keeping an old car: it runs fine, so there is no good reason to spend money on a new one.

But that makes sense only as long as the software is supported. After that, it is a bit like continuing to drive the old car when you can no longer get service or parts for it. If the water pump goes, you’re stuck with a much more expensive problem than if you’d upgraded earlier.

When a system is no longer supported, that means it is no longer patched. It is another version of the leaving-the-door-open syndrome.

5. Block executable files, zip archives and unidentified users

While human failure can always undermine technology, that doesn’t mean technology can’t provide protection. If files named “.exe” or ZIP files are blocked before they reach users’ inboxes, employees can’t click on what they never see.

The network should also be configured to block any unidentified user from modifying files.
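The attachment filter described above, as an added example that is not part of the original article: a Python mail-gateway check that quarantines .exe and ZIP attachments by name and by content, so a renamed archive (a ZIP sent as “complaint.pdf”) is still caught. The sample message, the addresses and the magic-byte table are constructed for the demonstration.

```python
# Added example (not from the article): quarantine .exe and ZIP attachments
# before delivery. Sample message and magic-byte table are constructed here.
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = (".exe", ".zip")  # never to reach a user's inbox
# Leading bytes identifying the same types regardless of the declared name.
MAGIC_SIGNATURES = ((b"MZ", "pe-executable"), (b"PK\x03\x04", "zip-archive"))

def classify_attachment(filename, data):
    """Return a reason to block the attachment, or None if it may be delivered."""
    name = (filename or "").lower()
    for ext in BLOCKED_EXTENSIONS:  # endswith() also catches 'complaint.pdf.exe'
        if name.endswith(ext):
            return f"blocked extension {ext}"
    for sig, kind in MAGIC_SIGNATURES:  # sniff content: renamed files still caught
        if data.startswith(sig):
            return f"content is a {kind} despite name {name!r}"
    return None

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message; return [(filename, reason)] for parts to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings

def build_sample_message():
    """Constructed lure: an 'updated complaint' carrying three fake attachments."""
    msg = EmailMessage()
    msg["From"] = "attorney@law-firm.example"
    msg["To"] = "paralegal@law-firm.example"
    msg["Subject"] = "Updated complaint"
    msg.set_content("Please review the attached update to the complaint.")
    msg.add_attachment(b"MZ\x90\x00 fake", maintype="application",
                       subtype="octet-stream", filename="complaint.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 fake", maintype="application",
                       subtype="pdf", filename="complaint.pdf")  # ZIP posing as a PDF
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="brief.pdf")  # legitimate, delivered
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags the first two attachments and lets `brief.pdf` through; the same `classify_attachment` check can be dropped into a milter or a gateway hook.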

6. If you use cloud storage, make sure your firm controls the encryption key

Simek said some cloud providers don’t allow users to define the encryption key, “because they fear that if the user forgets (it), their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control,” he said.

7. Make your cybersecurity program meet the needs of potential clients

An increasing number of clients are using security consultants, “to give them a template that they can tailor to their own needs depending on the type of data they have and the size of the firm they are looking at hiring,” Parker said.

Zeughauser said one thing law firm executives say “keeps them up at night” is the growing list of security demands from clients. “Their clients are telling them, if you don’t do all those things, you’re not going to pass our audit and we’re not going to hire you,” he said, adding that technology is on track to become the second-largest annual expense of law firms, exceeded only by the cost of staff.

“For 60 to 70 years, the second biggest expense has been rent,” he said.

There are standards that will certify a firm’s cybersecurity, including ISO 27001, but Parker said only a few firms have adopted it. That may be largely because it is both expensive and time-consuming.

The National Institute of Standards and Technology (NIST) has a small-business standard that can be met through self-certification, Simek said. It allows firms to “assess their infrastructure, whether they have any weaknesses, and whether they need third-party help.”

8. Clearly and effectively limit remote access and mobile devices

This can be complicated, Parker said, because, “different practice areas at the same firm sometimes can operate as discrete businesses and it can be hard to mitigate cyber risk. Partners also may opt out of certain cybersecurity protocols.”

This is an area where it is critical to have a CIO or other executive who is responsible for, and enforces, data security, privacy and information management, including remote access and BYOD.

9. Set up systems to capture log data for forensic purposes in case a breach occurs

Simek said the biggest problem in responding to a breach is the lack of log data. “Nobody has the foresight to configure their devices or their systems to capture the information on an ongoing basis. That’s a killer for an investigation.”

10. Share threat information

According to the Wall Street Journal, law firms formed an information-sharing group last year to exchange information about cyber threats and other vulnerabilities. It is modeled on a similar organization for financial institutions.

Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, which oversees the legal group, said 75 firms have joined the group so far.

This story, “10 ways law firms can make life difficult for hackers,” was originally published by CSO.
