Guest Article by Andy Pearch, Head of IA Services at CORVID
Andy Pearch outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.
Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.
Law firms, as with all modern-day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research reinforces the scale of the problem: in 2017, 60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware and so are reporting more cases, or cyber crime is on the rise. It's most likely a combination of both.
Facing Vulnerabilities
The legal sector is particularly vulnerable to cyber attacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.
Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.
Not only do law firms and their clients have to consider the financial impact of a cyber attack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack.
Acknowledging Threats
Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.
Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyber attack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise.
The use of multiple detection engines and threat intelligence sources transforms email security and threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.
Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber security mindset – notably, the threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.
It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.
Monday, 23 September 2019
Monday, 2 September 2019
Cyber Security Roundup for August 2019
Twitter boss Jack Dorsey had his Twitter account hacked at the end of August, with hackers using his account to send a stream of offensive messages to his 4.2 million followers. It appears Jack was using his mobile phone to provide multi-factor authentication access to his Twitter account, a good solid security practice to adopt. However, it appears his Twitter account password and his mobile phone SMS service were both compromised, the latter probably due to either SIM card swap fraud social engineering by the hacker, or by an insider at his mobile network service provider.
A database holding over a million fingerprints and personal data was exposed on the net by Suprema, a biometric security company. Researchers at VPNMentor didn't disclose how they were able to find and access the 'Biostar 2' database, nor how long the data was accessible online. Biostar 2 is used by 5,700 organisations, including governments, banks and the UK Metropolitan Police. In a similar fashion, an independent researcher found a 40Gb Honda Motor Company database exposed online.
TfL took their Oyster system offline to 'protect customers' after a credential stuffing attack led to the compromise of 1,200 Oyster customer accounts. A TfL spokesman said 'We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.' I was also directly made aware that restaurant chain TGI Friday was hit by a credential stuffing attack(s), after it urgently warned its UK customers of the importance of using strong unique passwords for its reward scheme.
It was another bumper 'Patch Tuesday', with Microsoft releasing security updates for 93 security vulnerabilities, including 31 which are 'critical' rated in Windows, Server 2019, IE, Office, SharePoint and Chakra Core.
Amongst the Microsoft patch release were patches for two serious 'BlueKeep' or 'WannaCry' wormable vulnerabilities in Windows Remote Desktop Services, CVE-2019-1181 and CVE-2019-1182. A Microsoft Security Response Center (MSRC) blog post said Microsoft had found the vulnerabilities as part of a project to make Remote Desktop Services more secure, and stated 'future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.' The fixes for these are available for download in the Microsoft Security Update Guide.
A United Nations report concluded North Korea funded its weapons programme to the tune of $2 billion from profits from cyber attacks. 'Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programmes, with total proceeds to date estimated at up to two billion US dollars,' the UN report said. The report referred to at least 35 instances of North Korean-sponsored cryptomining activity or attacks on financial companies and cryptocurrency exchanges. The attacks spanned a total of 17 countries and were designed to generate funds that would be hard to trace and elude regulatory oversight.
NEWS
- Cybersecurity Firm Imperva Discloses Breach
- Eurofins Scientific Cyber-attack leads to a backlog of 20,000 UK Forensic Samples
- Serious Cyber Attack could trigger full NATO response, says Jens Stoltenberg
- TfL takes the Oyster system offline after Customer Accounts accessed
- TGI Fridays frantically warn customers to urgently change app passwords
- French ‘Cybercops’ dismantle Pirate Computer Network
- Twitter boss Jack Dorsey’s account hacked sending out a stream of offensive messages
- BioStar 2 Database Leaked One Million Fingerprints and Facial Recognition Data
- Capital One accused ‘breached 30 other organisations’
- A Researcher uses GDPR’s Right of Access to steal others’ personal information
- 700,000 Choice Hotels Customer Records Compromised
- Honda Motors Company databases leaked 40GB of employee data
- North Korea took $2 billion in Cyberattacks to fund weapons program according to a U.N. report
- Pearson Data Breach Impacts thousands of University Accounts
- Google finds 'indiscriminate iPhone attack lasting years'
- Microsoft Patches 93 Vulnerabilities, including 31 Critical for Windows, Server2019, IE, Office, SharePoint & ChakraCore
- BlueKeep-like RCE flaws in RDP among 93 Vulnerabilities Patched by Microsoft
- Adobe Releases Fixes for at least 76 ‘important’ Vulnerabilities in Acrobat and Acrobat Reader
- Intel Rolls Out Security Updates for Seven Products lines, three rated as High
- Critical Patches released for Adobe Photoshop
- Cisco issues multiple product updates, fixes critical flaws in small business switches
- U.S. renews temporary license allowing companies to sell to Huawei, adds 45 to blacklist
- Huawei confident UK will resist 'politically motivated' pressure from US over 5G
- MegaCortex variant redesigned as self-executing, incorporates features of the previous version
- Recorded Future Research: Hacktivism activity and chatter has markedly dropped since 2016
- Exabeam Survey: Red/Blue team exercises show defensive Shortfalls
- Risk-Based Security 2019 MidYear QuickView Data Breach Report: 4 Billion Records Exposed
- Cloud Atlas Threat Group Updates Weaponry with Polymorphic Malware
- New Saefko Trojan focuses on Stealing Credit Card details and Crypto wallets
- LokiBot Malware now hides its source code in Image Files