What does the cyber threat landscape for law firms look like?

Thursday, February 16, 2017

Guest Blog by Rob Dartnall, Cyber Intelligence Director, Security Alliance

Towards the end of last year, Security Alliance published a report entitled: The Cyber Threat Landscape for Law Firms. The overall assessment of the report is that the current cyber resilience of the legal sector does not match the severity of the threat, and further incidents similar to the magnitude of Mossack Fonseca breach will continue to occur if proactive cyber-defence strategies are not implemented.

Looking at the lay of the land, this isn’t surprising, given the tenacity with which cyber criminals are targeting the legal sector. The report highlights the following:

  • The types of threat actor seeking to exploit law firms range from state-sponsored Advanced Persistent Threat (APT) groups to organised criminal gangs and individual cyber-criminals

  • APT groups are seeking to extract market information, such as strategic trading and M&A information, and are choosing to target law firms as the easiest route to access it

  • Cyber criminals are more commonly seeking to extort law firms, with the rising trend of ransomware attacks being of particular concern

  • Law firms frequently find themselves implicated in geopolitical conflicts between two or more countries trying to assert their power over a region

  • There is a lack of sharing of cyber threat intelligence between firms in the UK

I’m delivering the keynote address on this subject at the upcoming Ascertus Seminar, Cyber Threat Landscape for Law Firms on 23 February 2017. My presentation will:

  • Provide insight into the multitude of cyber threats faced by the legal sector, and how threat intelligence can be used to identify, understand and mitigate some of these threats

  • Outline the key tenets of threat intelligence, how it should be defined, and how it should be practically applied in an organisation

  • Clarify some broad categories of threat actors, from the nation states to insiders, and explain why each category may want to target a law firm

  • Highlight case studies where law firms have been targeted by cyber threat actors

  • Explain how future events and trends may impact the severity of the cyber threat to law firms

  • Offer next steps that explain how intelligence sharing, threat assessments and targeted security can help law firms mitigate the cyber threat

The seminar is free to attend, so do come along. You’ll leave with a good understanding of the issues involved and actionable next steps for your law firm.

About Rob Dartnall

Rob is a CREST Certified Threat Intelligence Manager (CCTIM) and Cyber Intelligence Director of Security Alliance - a Bank of England certified Cyber Threat Intelligence provider under the CBEST framework. With specialist interest areas of Insider Threat and Nation State Fusion Warfare, Mr Dartnall has unique experience and insight into the threat landscape.

Thursday, February 9, 2017

The ‘Perfect Storm’ - How Organisational Culture, Coincidence and Con Artists Create the Perfect Conditions to Breach Your Firm

Guest Blog By Jenny Radcliffe, Social Engineering Expert

Recently, I was commissioned by an organisation of significant size and in a high-risk industry to demonstrate to the Board the vulnerability of its employees to criminal hackers using non-technical means. Using Open Source Intelligence to gather information on a selection of the most senior individuals in the organisation, I was able to reveal how easily and legitimately I was able to engage with them, physically access their office building and, had I intended to do so, use the insight to hack into the business. It was an ‘eye-opener’ for the Board!

This is what malicious social engineers do – they leverage the ‘Perfect Storm’ – created by the organisation’s culture, the employees’ frame of mind and lack of security awareness, and the ready availability of detailed personal information – to use social engineering and the “human factor” to gain business-sensitive information for their own financial gain.

As technology becomes more complex, many hackers see the employees of an organisation as “the weakest link”, but the extent to which this is true depends on many factors beyond the mere fact that human beings work there. Several organisational factors make firms more or less vulnerable to hackers, and it is possible to defend, mitigate and ‘patch’ your own human vulnerabilities.

I’m talking about this issue at the upcoming Cyber Threat Landscape for Law Firms seminar on 23 February 2017. My talk will:

  • Show how an organisation can be “profiled” by a malicious criminal, who then uses the information to design a hack that is suited to the culture of the target company

  • Explain why “culture” is an important element in the shape and nature of an attack, communicating the threat to employees and ultimately in the defence against attacks

  • Highlight my own “experiences” as an ethical Social Engineer and share some tricks, tactics and methods that I use to attack organisations via their people

  • Offer tips and guidance on how to “wake up the workforce” to the threat of Social Engineering, and how to maintain engagement of staff to prevent cyber threats

My presentation will be fast paced, humorous and revealing! Hope to see you there!

About Jenny Radcliffe

Jenny Radcliffe is an ethical expert in Social Engineering, negotiation, persuasion and influence, non-verbal communication and deception. She uses her skills to help clients – from global corporations and law enforcement to poker players, politicians and the security industry – to protect themselves from cyber criminals.

Monday, February 27, 2017

Security Operations – Operating Beyond IT Security

- Lars Wittmaack, QuoScient Security Operations Principal Consultant

Recently, three Chinese citizens were charged in the U.S. courts after it was found that they had hacked U.S. law firms and then used the stolen information for insider trading that netted them $4 million. This is a prime example of "clever" hackers earning money on the financial markets without hacking a bank. It also illustrates the value of law firms to hackers.

Within the financial sector, given the security requirements demanded by financial regulations in the various regional jurisdictions, one of the biggest challenges for organisations is how much to spend on security. Regulators such as the European Central Bank expect security to be an integral part of financial businesses – sometimes with a simple reference to confidentiality, integrity and availability, sometimes with detailed expectations. In any case, the trend is towards a cyber security framework against which regulators perform audits. An essential part of today’s cyber security is threat intelligence and intelligence sharing. Besides wanting firms to understand where and when a threat would really hurt, and whether it is increasing, regulators want to be notified about security incidents and see sharing initiatives as the cornerstone of reducing the exposure of financial markets. Compliance can be understood as ticking a box, but it is ultimately about establishing the right people, processes and technologies to minimise financial market manipulation.

These regulatory-driven security requirements feed into the policies and procedures of financial institutions and form part of contracts and audits with third parties, including law firms. Banks expect partners such as law firms to adhere to the institution’s security policies and/or to have adequate organisational policies and security of their own, so as to reduce the threat exposure of the bank’s business. Typically, banks’ contracts with law firms contain clauses that allow the financial institution to audit its legal services providers.

Policies must, in the first place, meet internal and regulatory requirements. If there is no specific vendor policy or other policy defined by contract, law firms effectively inherit the level of security expected by financial regulators. So, for the law firm, it can be tricky – what is the right level of security to have in order to meet the contractual and audit requirements of its bank clients? In any case, as with any audit, it is essential that law firms are able to factually demonstrate the execution of the policies and controls that were accepted as part of the contract.

From a contract perspective for law firms, it’s about where the liability lies; from a compliance perspective, it’s about whether the agreed controls are in place; from a security perspective, it’s about identifying, preventing, detecting and responding to changing threats, ultimately to reduce financial market manipulation. This matters because cyber criminals are continuously adopting different tactics to breach security and today are shifting to indirect attacks, such as the insider-trading case mentioned above.

Therefore, a Security Operations-led approach is needed, going beyond traditional IT security. In the words of analyst house Gartner: “Security operations centers must be architected for intelligence, embracing an adaptive security architecture to become context-aware and intelligence-driven. Security leaders should understand how intelligence-driven SOCs use tools, processes and strategies to protect against modern threats.”

Intelligence-driven Security Operations cover the full life-cycle of threats, so that reactive and proactive threat management become par for the course. They deliver Adaptive Threat Processing, encompassing everything from assessing new relevant threats and adapting controls to detecting threats as they manifest, mitigating their impact, and monitoring threats and their evolution. The ‘big picture’ that Security Operations provides is essential to mitigating threats.

Note: This is a summary of Lars Wittmaack’s presentation at the recent Ascertus Cyberthreat seminar in London.

About Lars Wittmaack

Lars Wittmaack heads up QuoScient's Security Operations Consultancy Services. He has 15 years of experience in the IT security industry. Lars started his career as a security consultant for a company with expertise in cryptography. For six years, he headed a large international financial institution's Security Operations Centre, including Security Incident Management.