
Cyber Security for Law Firms

Dr Adrian McCullagh
Ph.D. (IT Security), LL.B. (Hons), B. App. Sc. (Computing)
ODMOB Lawyers
Email: ajmccullagh57@gmail.com
Mob: 0401 646 486

Disclaimer
PLEASE NOTE: the information disclosed in the presentation is NOT the
provision of Legal advice or Professional Services advice. If a
reader/attendee has an issue then they should seek appropriate
legal/technical advice. The author/presenter makes no warranty as to
correctness of anything contained in this presentation. The topic of this
presentation is ever changing at a rapid rate and as such this
presentation is the sole opinion of the author/presenter and must not be
relied upon as either legal or technical advice. Every situation is different
and as such proper analysis must be undertaken when seeking
professional advice.
Consequently, the author/presenter takes no responsibility for any errors
that may exist in this paper and certainly takes no responsibility if any
reader/attendee takes any actions based on what is (expressly or by
implication) contained in this paper/presentation.
All readers/attendees take full responsibility for anything they
may do in reliance on anything contained in this
paper/presentation.
Dr. Adrian McCullagh: ajmccullagh57@gmail.com

1/6/2016

Agenda
Introduction or why are lawyers under threat
What is a Cyber Attack
Hackers
Ransomware
Planning for an attack
Security risk analysis
Treating cyber risk
Mitigation of cyber risk
Data Breach notification laws
Ethics rules: Australian Solicitors' Conduct Rules, Rule 9.1
What to do on ransomware infection
Before an attack
Post attack

Conclusion

Preface: Law firms are just another small business
The content of this presentation was directed towards law
firms.
It was a presentation to QLD law firms at the request of the
Queensland Law Society
The content can also be equally applicable to all businesses
whether large, medium or small.
Of course the ethical rules noted in this presentation only
apply to Law firms but other aspects in this presentation can
be advantageous to non law firms.
The central issue is how to protect an organisation against a
cyber-security attack and in particular a ransomware attack.

Introduction or why are lawyers under threat



Lawyers are a prime target: why

Lawyers are prime targets because they hold client information.
Large firms are being targeted because they act for prime clients, especially in M&A transactions.
BUT do not think you have to be a large firm to be a target.
Small firms are being targeted through ransomware.


Lawyers are a prime target: why

All small businesses are targets for ransomware.
Small law firms are relatively easy prey for cyber-criminal gangs.
Computer security is not easy: if it were, criminals would not succeed as they do.
There are many reasons for hackers to target law firms. From a value perspective, law firms hold some of the highest quality data concerning their clients. The Mossack Fonseca breach (the Panama Papers) leaked about 2.6 terabytes of data.
Whether intellectual property, strategic business data or litigation-related information, firms hold some of the most sought-after information on target companies.
Do not under-estimate the industrial hacker.

Lawyers are a prime target: why

The risks to law firms are no longer limited to random infection by malware. Law firms, like other business professionals, have become targets of:
(1) attackers who are capable of exploiting known vulnerabilities, and of mounting zero-day attacks against vulnerabilities for which no patch yet exists;
(2) attackers who are better funded and more expert and sophisticated at discovering new vulnerabilities in systems and exploiting them; and
(3) certain state-sponsored attackers capable of actually creating vulnerabilities in systems, including systems that are otherwise strongly protected.
Terrorist groups (al-Qaeda, ISIS, etc.) are also turning to hacking to fund their operations.

What is a Cyber Attack



Cyber attacks

A cyber attack is any intentional, unauthorised disruption by a third party of an organisation's IT environment.
Attacks on information security vary greatly in terms of who is conducting the attack, the purpose of the attack, and the means of conducting it.
Cyber attacks can take many forms, such as:
  Mobile device attacks (e.g. SS7 attacks);
  Hacker attacks, including zero-day attacks;
  Phishing attacks / social engineering attacks;
  Malware attacks:
    Ransomware;
    Viruses.

Planning for an attack



Planning for an attack

According to a well known US-based hacker there are two types of organisations:
  those that know they have suffered an attack; and
  those that have suffered an attack but do not know it yet.
According to the Chief Security Officer of FireEye, in his testimony to Congress, the average time between an attack and knowing that there has been an attack is 209 days (nearly 7 months).
It is usually law enforcement that notifies the victim.

Planning for an attack

Interestingly, there are currently no laws which require a victim to report a crime that has been perpetrated against them.
This may change in the near future, as the Federal Parliament is currently considering breach notification laws. That is, if there is a data breach involving the unauthorised disclosure of third-party personally identifiable information held by an APP entity, or the data concerns sensitive personal information, then all affected persons will need to be promptly notified, as will the Privacy Commissioner.

Planning for an attack

This legislation will be an amendment to the Privacy Act 1988 (Cth), which applies to all organisations with an annual turnover of more than $3 million, except when it comes to health records, which will obviously affect personal injury claims.
Consequently, if a law firm has an annual turnover of less than $3 million but holds personal health data, as in a personal injuries matter, then the breach notification laws will still apply.


Planning for an attack

The issue is whether the law itself should be altered in general when it comes to the reporting of criminal incidents by victims.
I believe that if the impact of the criminal activity not only affects the primary victim but also impacts secondary victims, then there should be an obligation to inform law enforcement.
The primary victim will be the firm/organisation that is the subject of the hack.
The secondary victims will be all of the persons to whom the unauthorised disclosed personal information relates.

Planning for an attack

Lawyers have a duty to safeguard their own business records, including intellectual property, lawyer work product, and financial and employment records, to name a few.
Electronic records are an integral part of every lawyer's business.
Client information is held on a fiduciary basis and as such confidentiality must be maintained.
Even though there is this fiduciary position, in Australia confidential information is not property.
BUT what does the requirement that confidentiality be maintained actually mean?

Planning for an attack

Information security involves the AIC model (better known as the CIA triad):
  Availability of the information must be upheld. If the relevant information is not available then the other two elements have no importance;
  Integrity of the information will be the basis of future decision making. If you cannot trust the information then its value is substantially diminished;
  Confidentiality requires a need-to-know structure. Not all information held will necessarily be confidential.
In relation to confidentiality, lawyers must know what data they have, where it resides, its level of sensitivity, and how it is secured.

Planning for an attack

Implementing a security framework is actually not easy.
Some of the things that lawyers MUST do are:
  Staff awareness training. According to IBM, more than 90% of all hacker incidents can be attributed to some human failure, which could involve:
    Failure to properly configure some acquired security technology, such as:
      Firewall;
      Data loss prevention technology;
      Intrusion detection technology.
    Failure of some staff member who downloads some malware;
    Failure to patch systems regularly and promptly.

Planning for an attack

The law firm may want to consider separate insurance that is specifically designed to cover cyber incidents.
In general, professional indemnity insurance policies are NOT designed to cover a cyber attack.
Clause 2 of the Lexon policy, which covers the indemnity for civil liability, states as follows:
  Lexon shall indemnify the Insured against any civil liability (including Claimant's costs and Defence Costs):
  2.1.1. arising from any Claim first made against the Insured during the Period of Insurance; and
  2.1.2. arising from the provision of Legal Services by the Insured.
The definition of Legal Services warrants careful reading.

Planning for an attack

Though the security of client data is integral to the provision of legal services, it is arguable that the security of client data does not fit within the definition of providing legal services.
Other types of insurance available include general commercial liability insurance (GCLI), but this also may, in general terms, not cover a cyber attack. Some GCLI policies specifically exclude cyber attacks.
Special cyber risk insurance does exist, but this type of insurance is immature.
Before taking out such insurance, not only ask what it covers but also ask what it does not cover. For example, make sure it covers the impact of ransomware.
In this regard, seek specialist advice beforehand.

Data Breach notification laws



Notification Laws

On 3 December 2015 the Federal Government released an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015.
The bill has not yet been passed into legislation.
If passed, the Act will require:
  Any APP entity that has reasonable grounds to believe that a serious data breach has occurred must notify the Privacy Commissioner and take reasonable steps to notify the affected individuals of the breach.
  A breach is serious if it gives rise to a real risk of serious harm to the affected individual, such as identity theft.


Notification Laws

The notification must include:
  the identity and contact details of the entity that has been breached;
  a description of the breach and the reasonable grounds upon which the entity believes the breach occurred;
  the kinds of information involved in the breach; and
  recommended steps for the individual to take in response to the breach.


Ethics rules: Australian Solicitors' Conduct Rules, Rule 9.1

ASCR: Rule 9.1

Confidentiality 9.1
A solicitor must not disclose any information which is confidential to a client and acquired by the solicitor during the client's engagement to any person who is not:
  9.1.1 a solicitor who is a partner, principal, director, or employee of the solicitor's law practice; or
  9.1.2 a barrister or an employee of, or person otherwise engaged by, the solicitor's law practice or by an associated entity for the purposes of delivering or administering legal services in relation to the client,
EXCEPT as permitted in Rule 9.2.

ASCR: Rule 9.1

9.2 A solicitor may disclose confidential client information if:
  9.2.1 the client expressly or impliedly authorises disclosure;
  9.2.2 the solicitor is permitted or is compelled by law to disclose;
  9.2.3 the solicitor discloses the information in a confidential setting, for the sole purpose of obtaining advice in connection with the solicitor's legal or ethical obligations;
  9.2.4 the solicitor discloses the information for the sole purpose of avoiding the probable commission of a serious criminal offence;
  9.2.5 the solicitor discloses the information for the purpose of preventing imminent serious physical harm to the client or to another person; or
  9.2.6 the information is disclosed to the insurer of the solicitor, law practice or associated entity.

ASCR: Rule 9.1

NOTE: the exceptions to Rule 9.1 set out in paragraphs 9.2.3 through to 9.2.6 only apply to the case where the solicitor intentionally discloses the client's confidential information.
When a successful hack attack occurs there is no intention on the part of the solicitor. There is an unauthorised disclosure of client information which will not fall within the exceptions detailed in Rule 9.2.
Further, if the law firm has an annual turnover of more than $3 million then the Australian Privacy Principles (APPs) may apply.
APP 11 requires all APP entities to take reasonable steps to protect the personal information they hold, and especially sensitive personal information, from misuse, loss and unauthorised access or disclosure.

ASCR: UK equivalent

In 2011, a UK lawyer (Mr Andrew Crossley), who was the sole principal of the firm ACS:Law, was fined 1,000 pounds by the UK Information Commissioner for a major data leak from the firm's IT system.
The UK Information Commissioner stated that if ACS:Law had not ceased to trade the Commissioner would have fined the law firm 200,000 pounds. Such a fine would then have been the largest single fine for a data breach.
The unauthorised disclosure at ACS:Law involved the personal details of thousands of alleged file sharers, along with various emails from Mr Crossley and other parties.

ASCR: UK equivalent

The Information Commissioner, Christopher Graham, said that the security measures ACS:Law had in place were barely fit for purpose in a domestic environment, let alone a business handling such sensitive details.
As he stated: "Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress."


What to do on ransomware infection



Ransomware (its prevalence is growing)

Ransomware is software that prevents a legitimate user from using the IT system for its proper purposes.
Such impediments include:
  Preventing an authorised user from accessing the IT system;
  Unauthorised encryption of data files;
  Disruption of the proper use of the relevant IT system.
Accompanying the impediment will be a notification from the perpetrator demanding that some form of ransom be paid in order to remove the impediment.
Some ransomware involves scareware, which frightens the authorised user into paying for some bogus "corrective" service.

Ransomware (its prevalence is growing)

All types of ransomware are illegal, but that does not help anyone who is subject to this type of attack.
Perpetrators are now requiring payment by bitcoin, which is a pseudonymous virtual currency.
If you are a victim you should, though you do not have to, inform the police. They will have a number of tools at their disposal which may help, but more importantly they need to know so as to understand how the crime is being deployed.
QLD Police have one of the most sophisticated cyber crime forensics teams in Australia.

Ransomware: JIGSAW application
[Slide: screenshot of the Jigsaw ransomware application]

Ransomware
[Slide: ransomware family chart, courtesy of Microsoft Security. Crowti is also known as CryptoWall.]

Ransomware

Other well known ransomware applications are:
  CryptoLocker: this ransomware will encrypt all files and the decryption key will not be provided unless payment is made. FireEye (with Fox-IT) developed a tool that will decrypt the encrypted files without the need to pay the ransom, using private keys recovered when the CryptoLocker botnet was disrupted. Microsoft's Malicious Software Removal Tool removes the CryptoLocker infection, but removal does not recover files that have already been encrypted.
  SamSam: this ransomware attacks JBoss application servers. It was one of the first ransomware families delivered by exploiting a server directly rather than by tricking a user into opening something. It not only encrypts data stored on the server but also seeks out the backups and encrypts the backup data. Incremental backups are no defence against this; what is needed is to check backups on an offline machine for recovery purposes and to store all clean backup data offline daily.
  Jigsaw: this ransomware not only encrypts your data but, after 24 hours, deletes files on an hourly basis until payment is made or everything is deleted within 72 hours. Again, payment is by bitcoin, the pseudonymous virtual currency.
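The encrypt-and-rename behaviour of CryptoLocker-style families and Jigsaw's timed deletion both leave a recognisable trace in a file server's audit log, which is the earliest point at which a firm can catch an infection before it reaches the backups. The Python below is an added example and is not code from the presentation or from any product: the log format, the account names, the file paths and the file contents are all constructed for the illustration, and the 60-second window and threshold of five are assumed starting points to be tuned against a firm's own activity.

```python
"""Flag ransomware-like file activity in a file-server audit log.

Added example, not from the presentation.  Log format, users, paths and
file contents are constructed.  Each log line is
"<ISO timestamp> <user> <op> <path> [<new path>]", op in WRITE/RENAME/DELETE.
Heuristic: one account renaming many files to a new extension (or deleting
many files) within a short window is behaving like the ransomware above.
"""
import hashlib
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    user: str
    op: str
    path: str
    new_path: Optional[str] = None


@dataclass
class Alert:
    user: str
    first_seen: datetime
    renames: int
    deletes: int
    files: List[str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed audit-log format into Event records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        new_path = parts[4] if parts[2] == "RENAME" and len(parts) > 4 else None
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], new_path))
    return events


def extension_changed(old: str, new: str) -> bool:
    """True when a rename changes the extension, e.g. brief.docx -> brief.docx.fun."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect_bursts(events: List[Event], window: timedelta = timedelta(seconds=60),
                  threshold: int = 5) -> List[Alert]:
    """Slide a time window over each account's suspicious events (extension-changing
    renames and deletes) and raise one alert per account once either count reaches
    the threshold.  Jigsaw's hourly deletion needs a longer window (e.g. hours=4)."""
    by_user = defaultdict(list)
    for e in events:
        if e.op == "DELETE" or (e.op == "RENAME" and e.new_path
                                and extension_changed(e.path, e.new_path)):
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            in_window = evs[start:end + 1]
            renames = sum(1 for e in in_window if e.op == "RENAME")
            deletes = sum(1 for e in in_window if e.op == "DELETE")
            if renames >= threshold or deletes >= threshold:
                alerts.append(Alert(user, in_window[0].ts, renames, deletes,
                                    [e.path for e in in_window]))
                break  # one alert per account is enough to trigger a response
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Secondary check on a flagged file's content; 7.0 is an assumed cut-off."""
    return shannon_entropy(data) >= threshold


# Constructed sample: alice works normally; "bob" (a compromised account)
# renames five client files to a ransom extension within five seconds.
SAMPLE_LOG = """\
2016-06-01T09:00:01 alice WRITE /clients/smith/contract.docx
2016-06-01T09:03:12 alice WRITE /clients/smith/letter.docx
2016-06-01T09:05:40 alice RENAME /clients/smith/letter.docx /clients/smith/letter_final.docx
2016-06-01T09:10:05 bob RENAME /clients/jones/brief.docx /clients/jones/brief.docx.fun
2016-06-01T09:10:06 bob RENAME /clients/jones/affidavit.pdf /clients/jones/affidavit.pdf.fun
2016-06-01T09:10:07 bob RENAME /clients/jones/costs.xlsx /clients/jones/costs.xlsx.fun
2016-06-01T09:10:08 bob RENAME /clients/lee/will.docx /clients/lee/will.docx.fun
2016-06-01T09:10:09 bob RENAME /clients/lee/trust.docx /clients/lee/trust.docx.fun
"""
# Constructed contents: a plain letter and a deterministic pseudo-random blob
# standing in for an encrypted file.
PLAIN_TEXT = b"Dear Ms Smith, please find enclosed the draft deed of settlement. " * 40
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for a in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a.user}: {a.renames} renames, {a.deletes} deletes from {a.first_seen}: {a.files}")
    print("letter looks encrypted:", looks_encrypted(PLAIN_TEXT))
    print("blob looks encrypted:", looks_encrypted(CIPHER_LIKE))
```

Run as a script it prints one alert for the compromised account and the two entropy verdicts. The rename burst is the primary signal because it is visible in the log before any file content is inspected; the entropy check is a cheap second opinion on a flagged file, since a rename to a new extension without a change in content (a user tidying files) should not disconnect a share.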

Ransomware: how not to be a victim

Things to do in order to reduce the risk:
  Have a patch management procedure that is regularly reviewed. Do not just assume it is being done automatically once it is set up. The review should be at least every 3 months. It is not a hard task: audit logs are the best way to check.
  Train staff and retrain staff (refresher courses) about not opening any attachments that they are not expecting;
  Implement appropriate security measures such as: firewalls; anti-virus software; regular backup procedures; disaster recovery procedures that are tested every 6 months; every backup, no matter how small, tested for recovery purposes once a month or sooner and stored offline; data loss prevention technology; intrusion detection technology;
  Never forget any of the above and engage an expert in the area. The local IT consultant will not in my opinion have the necessary expertise.


Conclusion - Checklist


Conclusion

Lawyers are an increasing target.
In general, professional indemnity insurance may not cover a cyber attack, and as such practitioners may want to review their professional indemnity insurance policy to satisfy themselves that their coverage includes cyber incidents.
Ransomware is a major problem, as this attack affects small and large law firms alike.
Cyber security is not easy, so engage an expert (not the local IT person).


Conclusion/checklist

Training is an important risk management aspect. In doing so it is advisable to have refresher courses on an annual or semi-annual basis.
ODMOB Lawyers provides a training practice so as to minimise the risk of human error.
Deploy appropriate security technology such as anti-virus software, firewall, intrusion detection and data loss prevention technology.
Back up data, test that the backups can be restored, and store the backups offline.
Note that data breach laws are changing.
Test your security framework on a regular basis, at least once per year. An appropriate pen test is the best approach.


Conclusion/checklist

The FBI on 29 April 2016 issued the following checklist concerning proactive protective measures in dealing with ransomware attacks:
Prevention Efforts
  Make sure employees are aware of ransomware and aware of their critical roles in protecting the organization's data. Training; Training; Training.
  Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.

Conclusion/checklist

  Manage the use of privileged accounts: no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don't need write-access to those files or directories.


Conclusion/checklist

  Disable macro scripts from office files transmitted over e-mail.
  Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).


Conclusion/checklist

Business Continuity Efforts
  Back up data regularly and verify the integrity of those backups regularly.
  Secure your backups. Make sure they aren't connected to the computers and networks they are backing up.
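The backup advice that runs through this presentation (test every backup for recovery, keep it offline, verify its integrity; and the SamSam lesson that ransomware goes looking for the backups) can be made mechanical rather than left to a monthly good intention. The Python below is an added example and is not code from the presentation or from the FBI guidance; the folder layout, the file contents and the HMAC key are constructed for the illustration. It records a SHA-256 manifest when the backup is taken, signs the manifest with a key held on the offline machine, and re-checks the copy before it is used for recovery, reporting files that were encrypted in place, renamed or deleted, and rejecting a manifest that an intruder on the backup share has rewritten to match.

```python
"""Signed hash-manifest integrity check for a backup set.

Added example, not from the presentation.  Paths, contents and the
"offline" key are constructed.  build_manifest runs when the backup is
taken, sign_manifest with a key that never lives on the backup share,
and verify_backup before any restore is trusted.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form.  Because the key stays offline, an
    attacker who can write to the backup share cannot re-sign an edited manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup on disk against the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "ok": sorted(f for f, h in manifest.items() if current.get(f) == h),
        "modified": sorted(f for f, h in manifest.items() if f in current and current[f] != h),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Back up a constructed client folder, simulate ransomware reaching the
    backup share, and return what verification reports."""
    key = b"constructed offline manifest key"  # in practice: kept off the network
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "clients"
        (src / "smith").mkdir(parents=True)
        (src / "smith" / "contract.docx").write_bytes(b"Deed of settlement (constructed)")
        (src / "smith" / "letter.docx").write_bytes(b"Dear Ms Smith (constructed)")
        (src / "notes.txt").write_bytes(b"file note (constructed)")

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        manifest = build_manifest(backup)
        signature = sign_manifest(manifest, key)

        # Ransomware on the backup share: one file encrypted in place, one
        # renamed with a ransom extension, the third left alone.
        (backup / "smith" / "contract.docx").write_bytes(bytes(range(256)))
        (backup / "smith" / "letter.docx").rename(backup / "smith" / "letter.docx.fun")

        # An attacker who also edits the manifest to match still cannot re-sign it.
        tampered = dict(manifest)
        tampered["smith/contract.docx"] = sha256_file(backup / "smith" / "contract.docx")

        return {
            "manifest_authentic": manifest_is_authentic(manifest, signature, key),
            "tampered_manifest_rejected": not manifest_is_authentic(tampered, signature, key),
            "verification": verify_backup(backup, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the report as JSON: `notes.txt` is the only file still fit for recovery, `smith/contract.docx` has been modified, `smith/letter.docx` is missing and `smith/letter.docx.fun` is an unexpected arrival. A monthly restore test is then a matter of running verify_backup from the offline machine and refusing to restore anything outside the "ok" list.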


Any questions?

