Key Takeaways for Law Firms from the Ascertus Cyber Security Seminar

Wednesday, March 1, 2017

- Roy Russell, CEO, Ascertus Limited

Six industry experts presented at our Cyber Threat Landscape for Law Firms seminar last week, with all broadly agreeing on the key cyber security issues facing law firms and the measures they must take to mitigate the impact on their organisations. The highlights are as follows:

  • Law firms are marked

Several threat actor categories are targeting law firms including Nation State, Organised Crime Gangs (OCGs), Hacktivists and Insiders – each motivated slightly differently. For example, Nation States want to gather intelligence on mergers and takeovers, pinch intellectual property or gain intelligence that offers them a favourable position in trade negotiations. OCGs see great scope in monetising data from law firms – be it by selling insider intelligence to rogue traders or stealing money. Furthermore, different threat actors operate differently in different sectors. As firms develop their cyber defences, it’s wise to incorporate future requirements, looking at the business and threat scenario three to five years ahead.

  • Hackers love email

Ransomware holds the number two spot for malware popularity among criminals. It is easily delivered via email, the most ubiquitous application in business today, and isn’t too complex to put together. For the same reason, phishing attacks are increasing too. A friendly, legitimate-looking email from the boss explaining via an attached spreadsheet why the individual wasn’t given the desired salary raise is all it takes to infect the employee’s PC. Similarly, criminals are able to easily breach people’s PCs and the wider organisational infrastructure, such as network shares, via attachments such as PDFs, which end-users perceive as ‘safe’ to send and receive.

Organisation-wide ‘herd alertness’ is critical to security. It’s imperative that firms develop cyber-resilience via a combined approach to prevention, continuity and recovery.

  • People and culture are weak links

A vast number of hackers are social engineers, exploiting the vulnerabilities of people and the culture of organisations to breach them for financial gain. Social engineering isn’t rocket science: it requires little technical knowledge, but a great deal of patience, people skills and good research. A disgruntled employee could easily be exploited (unbeknownst to the individual) by a hacker to gain information that helps breach the organisation, physically or online.

A major blind spot that hackers often manipulate is people’s view that they aren’t important in the firm and hence not a hacker target. A hacker could potentially take advantage of a preoccupied receptionist to gain important information on the organisation’s physical security procedures. Firms must ‘know’ their employees, but also ‘grow’ their own social engineers, educating them in the ways and the mindset of hackers so that they can spot potential breaches.

  • Behavioural analytics is a must

Behavioural analytics can help firms ‘know’ their employees. Data is a law firm’s crown jewels, and how and when it is accessed can serve as a strong indicator of security. With behavioural analytics, every employee has a ‘fingerprint’, and deviation from it can be a tell-tale sign of a potential breach. For instance, a hacker using a litigation lawyer’s ID to access sensitive M&A files on a matter would be instantly flagged to the IT department as an anomaly, for appropriate action to be taken.
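To make the ‘fingerprint’ idea concrete, here is an added example (not code from the seminar or any presenter) of a minimal baseline-and-deviation check over a document-management access log. The users, matter types and log entries are constructed; it assumes each log record carries a user ID, the matter type accessed and the hour of day.

```python
from collections import defaultdict

# Constructed sample of a document-management access log: (user, matter type, hour of day).
# The user names and matters are made up for illustration; they form each user's baseline.
BASELINE_LOG = [
    ("alice.litigation", "litigation", 9), ("alice.litigation", "litigation", 11),
    ("alice.litigation", "litigation", 15), ("alice.litigation", "employment", 14),
    ("bob.corporate", "m&a", 10), ("bob.corporate", "m&a", 16),
    ("bob.corporate", "corporate", 12),
]

def build_profiles(events):
    """Per-user 'fingerprint': matter types normally accessed and working hours seen."""
    profiles = defaultdict(lambda: {"matters": set(), "hours": set()})
    for user, matter, hour in events:
        profiles[user]["matters"].add(matter)
        profiles[user]["hours"].add(hour)
    return dict(profiles)

def score_event(profiles, event):
    """Return the reasons an access deviates from the user's baseline (empty list = normal)."""
    user, matter, hour = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user (no baseline)"]
    reasons = []
    if matter not in profile["matters"]:
        reasons.append(f"matter type '{matter}' outside {user}'s baseline")
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not lo - 1 <= hour <= hi + 1:  # allow an hour of slack either side of the usual window
        reasons.append(f"hour {hour:02d}:00 outside usual window {lo:02d}-{hi:02d}")
    return reasons

def flag_anomalies(profiles, events):
    """Return [(event, reasons)] for the events that deviate from the user's baseline."""
    return [(e, r) for e in events if (r := score_event(profiles, e))]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOG)
    new_events = [
        ("alice.litigation", "litigation", 10),  # normal for this user
        ("alice.litigation", "m&a", 2),          # litigation ID reading M&A files at 02:00
        ("bob.corporate", "m&a", 17),            # within the slack window, not flagged
    ]
    for event, reasons in flag_anomalies(profiles, new_events):
        print(event, "->", "; ".join(reasons))
```

Real deployments build the baseline from weeks of history and weight the signals rather than using hard set membership, but the same structure applies: learn what is normal per identity, then alert on access that falls outside it.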

  • Security, legal, privacy and compliance must work together

There are three core principles of information security: confidentiality, integrity and availability. Based on these tenets, security, legal, privacy and compliance professionals in law firms must all work together to influence how data is accessed and managed, today and in the future. This approach will grow in importance with trends such as Big Data and regulations such as the upcoming EU General Data Protection Regulation (GDPR).

  • Intelligence-driven security operations are needed

Cyber criminals are continuously adopting new tactics to breach security. Law firms need to adopt a Security Operations-led approach that goes beyond traditional IT security. This approach delivers Adaptive Threat Processing that facilitates a big picture of the threat landscape encompassing everything from assessing new threats, adaptive controls, detecting manifesting threats, mitigating the impact as well as monitoring threats and their evolution.

Over 50 people attended the seminar and the feedback has been excellent with comments including “very interesting”, “very informative”, “excellent seminar” and “good range of presenters and materials”. Watch out for future Ascertus seminars being planned for locations across the UK and Europe.

This blog is based on the presentations by The Security Alliance, iManage, Mimecast, DocuSign, Jenny Radcliffe and QuoScient at the Ascertus Cyber Threat Landscape for Law Firms seminar on 23rd February 2017 at the Bird and Bird LLP auditorium.

Monday, February 27, 2017

Security Operations – Operating Beyond IT Security

- Lars Wittmaack, QuoScient Security Operations Principal Consultant

Recently, three Chinese citizens were charged in the U.S. courts after it was found that they hacked U.S. law firms and then used the stolen information for insider trading that netted them $4 million. This is a prime example of "clever" hackers earning money on the financial market, but not by hacking a bank. It also illustrates the value of law firms to hackers.

Within the financial sector, given the security requirements demanded by financial regulations in the various regional jurisdictions, one of the biggest challenges for organisations is how much to spend on security. Regulators such as the European Central Bank expect security to be an integral part of financial businesses, sometimes with a simple reference to confidentiality, integrity and availability, sometimes with detailed expectations. In any case, the trend is towards a cyber security framework that regulators audit against. An essential part of today’s cyber security is threat intelligence and sharing. Besides wanting organisations to understand where and when an attack would really hurt, and whether the threat is increasing, regulators want to be notified about security incidents and see sharing initiatives as the cornerstone of reducing the exposure of financial markets. Compliance can be understood as ticking a box, but it is ultimately about establishing the right people, processes and technologies to minimise financial market manipulation.

These regulatory-driven security requirements feed into the policies and procedures of financial institutions and are a part of contracts and audits with third parties, including law firms. Banks expect partners, such as law firms, to adhere to their institution’s security policies and/or have adequate organisational policies and security of their own to reduce the threat exposure of their business. Typically, banks’ contracts with law firms contain clauses that allow the financial institution to audit their legal services providers.

Policies must, first of all, meet internal and regulatory requirements. If there is no specific vendor policy or other policy defined by contract, law firms obviously inherit the security expected by financial regulators. So, for the law firm, it can be tricky: what is the right level of security to have in order to meet the contractual and audit requirements of their bank? In any case, as for any audit, it is essential that law firms are able to factually demonstrate the execution of the policies and controls that were accepted as part of the contract.

From a contract perspective for law firms, it’s about where the liability lies; from a compliance perspective, it’s about whether the agreed controls are in place; from a security perspective, it’s about identifying, preventing, detecting and responding to changing threats to ultimately reduce financial market manipulation. This is important as cyber criminals are continuously adopting different tactics to breach security and today they are shifting to indirect attacks, such as in the Chinese example mentioned above.

Therefore, a Security Operations-led approach is needed, going beyond traditional IT security. In the words of analyst house Gartner: “Security operations centers must be architected for intelligence, embracing an adaptive security architecture to become context-aware and intelligence-driven. Security leaders should understand how intelligence-driven SOCs use tools, processes and strategies to protect against modern threats.”

Intelligence-driven Security Operations cover the full life-cycle of threats so that reactive and proactive threat management become par for the course. It delivers Adaptive Threat Processing encompassing everything from assessing new relevant threats, adaptive controls, detecting manifesting threats, mitigating the impact and monitoring threats and their evolution. The ‘big picture’ that Security Operations provides is essential to mitigating threats.

Note: This is a summary of Lars Wittmaack’s presentation at the recent Ascertus Cyberthreat seminar in London.

About Lars Wittmaack

Lars Wittmaack heads up QuoScient's Security Operations Consultancy Services. He has 15 years of experience in the IT Security industry. Lars started his career as a security consultant for a company with expertise in cryptography. For six years, he headed a large international financial institution's Security Operations Centre, including Security Incident Management.

Wednesday, March 8, 2017

Information Security – The Past, Present and Future

Guest Blog by Niamh Muldoon, EU Information Security Director, DocuSign

“It will always be about protecting data”

The Past:

In the past, Information Security frameworks were inwardly focused organisationally, predominantly consisting of policy, standards and procedures that the organisation adhered to. The majority of data and information was stored in-house within the business technology perimeter. Data and information assets existed in both electronic and physical formats. The ability to technically share data and information was very limited and, when permitted, subject to stringent Information Security Framework controls. Technology departments’ management tooling supported security teams in administering that tooling and protecting the perimeter and the business’s data.

Businesses that understood data and classified their electronic data were considered to be mature; they had appropriate controls in place, and their data was accessible internally and externally. Perimeter-to-perimeter connectivity was mainly a one-to-one relationship, with the underpinning network topology using leased private telecom lines and later progressing to the virtual private network concept.

The cyber-security threat landscape of the past was very different to the present day. In 1988, we saw the first piece of malware being introduced: Robert Morris created the ‘worm’ type of malware. The ‘Morris Worm’ impacted over 6000 computers and it’s said that it would have cost $96 million if it hadn’t been stopped. Not too many years later, we had the first well-publicised Distributed Denial of Service (DDoS) attack.

The Present:

Fast forward 15 years to where we are today, and really the only way to say this is that the Internet has exploded. We all, in our personal and business lives, have embraced digitalisation and digitisation using Internet-based technologies.

To support this digital transformation, businesses have transformed to a ‘perimeter-less’ ecosystem and Information Security Framework. The Framework starts at the level of law: the laws that businesses must adhere to for the data they manage and use, both global and country-specific, need to be considered. The next level up is the data protection regulations for the jurisdictions of operation, followed by industry compliance standards that have a data component, and then industry best-practice standards. These four levels all support businesses in operating digitally on a global scale. Businesses need to internalise these requirements into policies, standards and procedures for data management that the internal organisation must then adhere to.

Operating at a global level using Internet/cloud based technologies means that businesses need an Information Security Framework that not only protects the Information Asset categories from cyber security attacks, but also supports safeguarding the authorised use of those assets including their transfer across geographical borders.

The requirement for understanding data, classifying it into Information Asset types and protecting them has become even more granular. Today’s cyber security threat landscape is very different to the past. The means, opportunity and motive to attack have not only grown, but have advanced.

There were a total of 2,260 reported data breaches in 2016. Motives for attacks vary, but because hackers have the means and opportunity, it’s become far too easy to be a target for attack with the highly likely result of a data breach ensuing.

The Future:

We won’t know what the future will look like from a technology advancement perspective; however, we do know that data transformation to digitalisation will continue or be complete. Proactively managing and protecting Information Asset types is proven to be the foundation of success, enabling businesses to reduce the risk of security breaches and associated cyber security attacks, and this will remain fundamental in the future.

At DocuSign, we have on average 130,000 new users joining the DocuSign Global Trust Network every day and our user-group is spread across 188 countries including regulated industries.

DocuSign has chosen ISO 27001 to be the core of its Security Standard model, and it allows customers to take ISO 27001 results and map them into their vendor management programmes. DocuSign has also invested heavily in a cyber-security programme, investing 3 million into the Centre of Excellence. The Binding Corporate Rules programme is underway and the company continues to provide assurance with Compliance certifications.

About Niamh Vianney Muldoon

Niamh has over 15 years’ experience as an information security professional. Prior to DocuSign, she was the EMEA Technical Compliance programme manager at Workday, where she established and grew the organisation’s EMEA Privacy and Compliance team. Through her Information Security programme manager role at the Irish online eGaming company Paddy Power Betfair, she transformed the team from being an IT Security function to a mature Information Security function. Niamh spent over 12 years at the Irish financial institution AIB, where she commenced her Information Security career and had many successes in relation to technology risk assessment frameworks and establishing Enterprise Information Security & eDiscovery functions. In her spare time, Niamh likes to give back to the Information Security industry, working with (ISC)2 and sitting on its global scholarship review panels. She is also a part-time evening lecturer in cybersecurity at the National College of Ireland.