Dr Adrian McCullagh
Ph.D. (IT Security), LL.B. (Hons), B. App. Sc. (Computing)
ODMOB Lawyers
Email: ajmccullagh57@gmail.com
Mob: 0401 646 486
Disclaimer
PLEASE NOTE: the information disclosed in the presentation is NOT the
provision of Legal advice or Professional Services advice. If a
reader/attendee has an issue then they should seek appropriate
legal/technical advice. The author/presenter makes no warranty as to
correctness of anything contained in this presentation. The topic of this
presentation is ever changing at a rapid rate and as such this
presentation is the sole opinion of the author/presenter and must not be
relied upon as either legal or technical advice. Every situation is different
and as such proper analysis must be undertaken when seeking
professional advice.
Consequently, the author/presenter takes no responsibility for any errors
that may exist in this paper and certainly takes no responsibility if any
reader/attendee takes any actions based on what is (expressly or by
implication) contained in this paper/presentation.
All readers/attendees take full responsibility for anything they
may do in reliance on anything contained in this
paper/presentation.
Dr. Adrian McCullagh: ajmccullagh57@gmail.com
1/6/2016
Agenda
Introduction or why are lawyers under threat
What is a Cyber Attack
Hackers
Ransomware
Planning for an attack
Security risk analysis
Treating cyber risk
Mitigation of cyber risk
Data Breach notification laws
Ethics rules: Australian Solicitors' Conduct Rules (ASCR), Rule 9.1
What to do in the event of a ransomware infection
Before an attack
Post attack
Conclusion
Cyber attacks
A cyber attack is any intentional, unauthorised disruption of an
organisation's IT environment by a third party.
Attacks on information security vary greatly in terms of who is
conducting the attack, the purpose of the attack, and the means
used to conduct it.
Cyber attacks can take many forms, such as:
Mobile device attacks (for example, SS7 attacks);
Hacker attacks, often exploiting zero-day vulnerabilities;
Phishing and other social engineering attacks;
Malware attacks:
Ransomware;
Viruses;
There does exist special cyber risk insurance, but this type of
insurance is immature.
Before taking out such insurance, ask not only what it covers but
also what it does not cover. For example, make sure it covers
the impact of ransomware.
In this regard, seek specialist advice beforehand.
Notification Laws
On 3 December 2015, the Federal Government released an exposure draft of
Notification Laws
The notification must include:
the identity and contact details of the entity who has
been breached;
a description of the breach and the reasonable
grounds upon which the entity believes the breach
occurred;
the kinds of information involved in the breach; and
recommended steps for the individual to take in
response to the breach.
9.2.4 the solicitor discloses the information for the sole purpose of
avoiding the probable commission of a serious criminal offence;
9.2.5 the solicitor discloses the information for the purpose of
preventing imminent serious physical harm to the client or to
another person; or
9.2.6 the information is disclosed to the insurer of the
solicitor, law practice or associated entity.
ASCR: UK equivalent
In 2011, a UK lawyer (Mr Andrew Crossley), who was the sole
principal of the firm ACS:Law, was fined 1,000 pounds by the UK
Information Commissioner for a major data leak from the firm's IT
system.
The UK Information Commissioner stated that if ACS:Law had
not ceased to trade, the Commissioner would have fined the
law firm 200,000 pounds. Such a fine would then have been the
largest single fine for a data breach.
The unauthorised disclosure at ACS:Law involved the personal
details of thousands of alleged file sharers, along with various
emails from Mr Crossley and other litigants.
ASCR: UK equivalent
His Honour Judge Birss noted that the security system
implemented by ACS:Law was barely fit for purpose for a
non-commercial environment, otherwise known as a domestic
environment.
As His Honour stated: "Sensitive personal details relating to
thousands of people were made available for download to a
worldwide audience and will have caused them
embarrassment and considerable distress."
Ransomware
Other well-known ransomware families are:
CryptoLocker: this ransomware encrypts all files, and the decryption key
will not be provided unless payment is made. FireEye has developed a tool
that will decrypt the encrypted files without the need to pay the ransom.
Microsoft also has a tool that can be used to rectify a CryptoLocker attack.
SamSam: this ransomware attacks vulnerable JBoss application servers. It was the first
ransomware known to enter through a server-side application rather than a user's
workstation. It not only encrypts data stored on the server but also waits for the
backup to run and then encrypts all of the backup data. Incremental backups alone do
not solve this if the backup target is reachable from the infected server: check backups
on an offline machine for recovery purposes and store a clean copy of the backup
data offline daily.
Jigsaw: as you will see in the next slide, this ransomware not only encrypts
your data but, after 24 hours, deletes files on an hourly basis until
payment is made or everything is deleted at 72 hours. Again, payment is
by Bitcoin, the pseudonymous virtual currency.
Never forget any of the above, and engage an expert in the area. The
local IT consultant will not, in my opinion, have the necessary expertise.
Conclusion
Lawyers are an increasing target.
In general, Professional Indemnity Insurance may not
cover a cyber attack, and as such practitioners may
want to review their professional indemnity insurance
policy to satisfy themselves that their professional
indemnity coverage includes cyber incidents.
Ransomware is a major problem, as this type of attack
targets small and large law firms alike.
Cyber security is not easy, so engage an expert (not the
local IT person).
Conclusion/ checklist
Back up data, test that the backups can be restored, and store a copy of the data offline.
Note that data breach laws are changing.
Test your security framework on a regular basis, at least once
per year. An appropriately scoped penetration test is the best approach.
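The SamSam note above warns that ransomware may wait for the backup job and encrypt the backup set as well, and this checklist item says to test backups and keep a copy offline. The following is an added example, not material from the presentation: a PowerShell script that records a SHA-256 manifest when a backup is written and later re-checks the set on an isolated machine, flagging files that went missing, changed, or changed into high-entropy (random-looking, i.e. probably encrypted) content, plus files that appeared in the set without being in the manifest (a dropped ransom note, for instance). The paths and thresholds are placeholders. The manifest must be kept separately from the backup media it describes, otherwise an attacker who reaches the backup can simply regenerate it.

```powershell
# Added example (not from the presentation). Tested idea: a backup that was
# silently encrypted after it was written will fail a hash check, and the
# replacement bytes will look random. Works on Windows PowerShell 5.1 or later.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -Path $BackupRoot).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

# Shannon entropy (bits per byte) over the first 64 KB. Office documents, PDFs and
# text score well below 7.9; ransomware output is close to 8.0. Already-compressed
# or already-encrypted files (zip, PST with compression) also score high, so treat
# the flag as "look at this", not as proof.
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path, [int]$SampleBytes = 65536)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $SampleBytes
        $read = $stream.Read($buffer, 0, $SampleBytes)
    } finally { $stream.Dispose() }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $read; $entropy -= $p * [Math]::Log($p, 2) }
    }
    return $entropy
}

function Test-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ManifestPath,
          [double]$EntropyThreshold = 7.9)
    $root = (Resolve-Path -Path $BackupRoot).ProviderPath.TrimEnd('\')
    $expected = Import-Csv -Path $ManifestPath
    $known = @{}
    foreach ($entry in $expected) {
        $known[$entry.RelativePath] = $true
        $full = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full)) {
            [pscustomobject]@{ File = $entry.RelativePath; Status = 'MISSING' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) {
            $status = if ((Get-FileEntropy -Path $full) -ge $EntropyThreshold) { 'CHANGED-HIGH-ENTROPY' } else { 'CHANGED' }
            [pscustomobject]@{ File = $entry.RelativePath; Status = $status }
        }
    }
    # Anything in the backup that the manifest never listed (e.g. a ransom note).
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if (-not $known.ContainsKey($rel)) { [pscustomobject]@{ File = $rel; Status = 'UNEXPECTED' } }
    }
}

# On the backup host, immediately after the backup job (placeholder paths):
#   New-BackupManifest -BackupRoot 'E:\Backups\2016-06-01' -ManifestPath 'D:\Manifests\2016-06-01.csv'
# Later, on an isolated verification machine with the backup media attached:
#   Test-BackupManifest -BackupRoot 'F:\2016-06-01' -ManifestPath 'D:\Manifests\2016-06-01.csv'
# No output means every file matches the manifest.
```

Run the verification on a machine that has no network path back to the production file servers: the point of the "offline" advice is that a compromised server cannot reach either the copy being checked or the manifest.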
Conclusion/ checklist
Manage the use of privileged accounts: no
users should be assigned administrative
access unless absolutely needed, and
administrator accounts should only be used when necessary.
Configure access controls, including file,
directory, and network share permissions,
appropriately. If users only need to read specific
information, they don't need write access to
those files or directories.
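The two checklist items above (limit administrator rights; grant read access where only read is needed) can be checked and enforced from PowerShell on a Windows file server. The script below is an added example, not material from the presentation. It assumes Windows Server 2016 or Windows 10 (PowerShell 5.1, which ships the Microsoft.PowerShell.LocalAccounts module); the group names, share paths and the list of "expected" administrators are placeholders to adapt to the firm's environment.

```powershell
# Added example (not from the presentation). Run in an elevated session on the
# file server. Group and path names below are placeholders.

# 1. Who holds local administrator rights on this machine? Anything beyond the
#    built-in Administrator, Domain Admins and a named server-admin group is suspect.
function Get-UnexpectedAdmins {
    param([string[]]$Expected = @('Administrator', 'Domain Admins', 'SRV-Admins'))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Report every folder under a share root where a non-admin principal holds any
#    write-type right. Ransomware running as such a user can overwrite those files.
function Find-WritableByNonAdmins {
    param([Parameter(Mandatory)][string]$Root,
          [string[]]$AdminIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'))
    # Only the write/delete/ownership bits: Modify and FullControl both contain WriteData,
    # so they are caught without also matching pure ReadAndExecute grants.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            (Get-Acl -LiteralPath $dir).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ($_.FileSystemRights -band $writeBits) -ne 0 -and
                               $_.IdentityReference.Value -notin $AdminIdentities } |
                ForEach-Object {
                    [pscustomobject]@{ Folder = $dir; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
                }
        }
}

# 3. Reduce a group's access on a folder to read-and-execute, inherited by all
#    subfolders and files, removing any explicit Modify/FullControl grant it had.
function Set-ReadOnlyFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'CONTOSO\Paralegals' (placeholder)
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder names):
#   Get-UnexpectedAdmins
#   Find-WritableByNonAdmins -Root 'D:\Shares\Precedents' | Format-Table -AutoSize
#   Set-ReadOnlyFolderAccess -Path 'D:\Shares\Precedents' -Identity 'CONTOSO\Paralegals'
```

Rights inherited from a parent folder are not removed by step 3 (only explicit entries are); if a Modify grant is inherited, fix it at the folder where it is defined rather than breaking inheritance on every subfolder.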
Conclusion/ checklist
Disable macro scripts in Office files
received by e-mail.
Implement software restriction policies or
other controls to prevent programs from
executing from common ransomware
locations (e.g., the temporary folders used by
popular Internet browsers and by
compression/decompression programs).
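Both items above are settable from PowerShell. The following is an added example, not material from the presentation: it writes the Office 2016 macro policy values (disable unsigned macros, and block macros outright in files that arrived from the Internet or as e-mail attachments), then adds AppLocker deny rules for the user temp and Downloads folders in audit mode. It assumes Office 2016 (registry version key "16.0"), a Windows edition that includes AppLocker (Enterprise or Server) and the AppLocker PowerShell module; the file locations are placeholders. Office's "Mark of the Web" check is what makes the e-mail/Internet distinction work, so mail clients that strip that zone marker will not get the benefit.

```powershell
# Added example (not from the presentation). Run elevated on a pilot machine
# first; in production these values are normally pushed through Group Policy.

# 1. Office macro policy (the per-user Policies hive that Group Policy writes to).
#    VBAWarnings = 3 : disable all macros except digitally signed ones.
#    blockcontentexecutionfrominternet = 1 : block macros in files carrying the
#    Internet zone marker (downloaded, or saved from an e-mail attachment).
$officeVersion = '16.0'   # Office 2016; adjust for other releases
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 3
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
}

# 2. AppLocker deny rules for the locations droppers typically execute from.
#    %OSDRIVE% is an AppLocker path variable; S-1-1-0 is the "Everyone" SID.
#    Temp covers browser and mail-client extraction folders as well as the
#    Rar*/7z*/Temp1_*.zip folders that archive tools create under it.
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
    '%OSDRIVE%\Users\*\Downloads\*'
)
$rules = foreach ($p in $denyPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny execution from $p" Description="Added deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}
# AuditOnly: violations are logged (Event Viewer, AppLocker\EXE and DLL log) but not
# blocked. Switch to "Enabled" only after reviewing the audit events and after the
# default allow rules for Windows and Program Files exist, or everything else is blocked too.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:ProgramData 'deny-temp-exec.xml'   # placeholder location
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge   # -Merge keeps existing rules

# AppLocker enforces nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Confirm what is now in force.
Get-AppLockerPolicy -Effective -Xml
```

The same deny-by-path idea applies to the Script and Dll rule collections (a macro that drops a .js or .vbs file into Temp is a common ransomware stage), but adding those collections in "Enabled" mode without their default allow rules will break logon scripts, so stage them through AuditOnly as well.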
Conclusion/ checklist
Business Continuity Efforts
Any questions?