The Ascertus Security Thought Leadership Series
Phishing and Ransomware are Linked – Here’s What Law Firms Should be Thinking About
Cyber criminals are using social engineering to trick people into divulging sensitive and confidential information, and the attacks are growing not only in volume but also in sophistication. As noted in The Law Society article ‘Cybersecurity: What are the biggest threats for the legal sector?’ published on 30th January 2019, 60% of law firms reported an information security incident during the preceding year, an increase of 20% over the previous 12 months.
Today, phishing remains the primary concern of law firms. It is prevalent in the following forms:
1. Vishing – Criminals use phone calls to draw out confidential information. Think of a caller pretending to be from your bank who asks you to ‘confirm’ account details, address or password, or a caller professing to be from Microsoft who reports a problem with your PC and offers to fix it if you grant remote access to the device. Both are vishing: a genuine bank will never ask for your full password or PIN over the phone, and a genuine vendor does not cold-call to request remote access.
2. Smishing – This is phishing via text message. Legitimate-looking messages, apparently from a bank or service provider, ask the recipient to follow a link to register, confirm details or similar. The link leads either to a fake login page that captures whatever the victim types, or to an app the victim is prompted to install, which then has access to the information on the phone. Worryingly, criminals can purchase mobile numbers for as little as £2 and spoof them so that the message appears to come from the authentic source. These are hard to detect because the spoofed number appears in the message or call history as the genuine sender, the bank or other organisation, and the fake text can even land in the same thread as the bank’s real ones.
3. Whale phishing – Strictly, whaling is phishing aimed at the most senior people in a firm, whose mailboxes and authority are the most valuable; in practice the term is also applied to spoofed emails that appear to come from a senior executive such as the CEO, CFO, a partner or a colleague (also known as CEO fraud). Employees often feel compelled to respond or click on links because of the seniority of the ‘spoofed sender’ or familiarity with the individual. The usual tell is a demand for urgency and secrecy, such as an immediate payment, or a reply address that does not match the display name.
4. Spear phishing – Unlike bulk phishing, these are aimed at a specific organisation or individual and dressed up with details the criminal has researched, with a demand to undertake a specific action via the link provided. Spear phishing has been observed to increase when a breach becomes public: criminals expect the firm to be sending out security-related communications to customers and stakeholders, so their own ‘security notice’ blends in and recipients are unsuspecting at exactly that time.
Firms must take a variety of measures to pre-empt such attacks:
1. Staff training and awareness – Aside from routine cyber security training, surprise internal phishing campaigns have proven very effective in building employees’ ability to spot malicious emails. Such campaigns mimic the email templates that criminals use, giving staff a ‘real world’ situation in which to practise identifying attacks. Criminals constantly change their templates, so internal phishing campaigns should not be one-off exercises but should be run regularly so that employees stay alert. Track not just who clicked but who reported the email, since a prompt report is what lets IT contain the real thing.
2. Technical solutions – There is a range of solutions that IT and security teams in firms should take advantage of. For example, DMARC (Domain-based Message Authentication, Reporting and Conformance) is a domain authentication protocol, built on SPF and DKIM, that lets email receivers verify whether a given message genuinely comes from the domain it claims to and tells them what to do with messages that fail: monitor, quarantine or reject. It makes spam and phishing messages that impersonate the firm’s domain easier to identify and keep out of people’s inboxes. It is free to implement, being a DNS TXT record, and is backed by the National Cyber Security Centre; a major UK government organisation reported reducing the volume of phishing emails by nearly 80%. Note that DMARC protects the firm’s own domain from being spoofed exactly; it does nothing against a look-alike domain the criminal has registered, and it only helps where the receiving mail system checks it, so it complements rather than replaces filtering and training.
Similarly, individuals and firms can check whether their passwords have already leaked and are circulating on the dark web through breach-search services such as the Ghost Project, which show the leaked passwords in clear text. Treat such services with care: never type a live password into a third-party website to ‘check’ it, because the site then holds it. Search by email address or username instead, or use a service that works from a partial hash of the password so that the password itself never leaves your machine, and change any password that turns up in a breach.
The private sector is also bringing out products, BitDam among others, to help curb the phishing onslaught through common communication channels such as email, cloud storage and instant messaging. Rather than relying on signatures of known malware, this kind of software opens attachments and links in a controlled environment and compares what the content makes the application (Office 365, for example) do against that application’s legitimate behaviour; any deviation is held in a sandbox to enable further investigation. Because it looks for the deviation rather than for a known sample, it can stop attacks for which no signature yet exists, including zero-days.
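The DMARC and SPF discussion above is where most firms get the details wrong, so here is an added example (not code from the article, the NCSC or any vendor) in Python that audits a DMARC record and an SPF record for the settings that leave a domain spoofable: a monitor-only p=none, a partial pct, a missing reporting address, a permissive +all or ?all terminator, and too many DNS lookups. The records are constructed for the reserved domain example.com so the script runs offline; a real check would fetch the TXT record at _dmarc.<domain> with dig and pass the string in.

```python
"""Audit DMARC and SPF records for the settings that let spoofed mail through.

Added example, not the article's or any vendor's code. The records below
are constructed, so the script runs offline; in practice you would fetch
the TXT record at _dmarc.<domain> (DMARC) and at <domain> (SPF) with
`dig TXT` or a DNS library and pass the strings in.
"""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per SPF check.
_SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it is strict."""
    first = record.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        return ["record does not begin with v=DMARC1; receivers will ignore it"]
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    # Subdomains inherit p= unless sp= overrides it; sp=none quietly reopens them.
    if tags.get("sp") == "none":
        findings.append("sp=none leaves every subdomain unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address; you get no aggregate reports of who is spoofing you")
    return findings


def audit_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it is strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1; receivers will ignore it"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(f"'{last}' authorises every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral; unlisted senders are neither passed nor failed")
    elif last == "~all":
        findings.append("'~all' is softfail; move to -all once all legitimate senders are listed")
    # Strip the qualifier and any :target or /prefix to get the bare mechanism name.
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in _SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms; over 10 the check returns permerror")
    return findings


# Constructed records for example.com (a reserved name), a weak and a strict form of each.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRICT_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in [("weak DMARC", WEAK_DMARC, audit_dmarc),
                           ("strict DMARC", STRICT_DMARC, audit_dmarc),
                           ("weak SPF", WEAK_SPF, audit_spf),
                           ("strict SPF", STRICT_SPF, audit_spf)]:
        print(f"{label}: {fn(rec) or ['ok']}")
```

The usual rollout is p=none with a rua= address first, so the aggregate reports reveal every legitimate sender (marketing platforms, the document management system’s notification mailer, the practice management system) before the policy is tightened to quarantine and then reject; the audit flags p=none so that the rollout does not stall there indefinitely.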
Given the single-minded focus of criminals, it’s imperative that firms take a thorough approach to prevention and pre-emption – and one that is supported by technical solutions alongside staff education, training and awareness. There are no short cuts!
Ransomware
Protecting law firms against phishing is critical because it is so often the entry point for ransomware. An inadvertent click on a link or attachment can let malicious software onto a workstation, from where it encrypts the local drive and every network share the user can reach, or locks down the network entirely.
The advice is always not to pay the ransom: there is no guarantee the firm will get its data back, it may get only part of it along with a demand for more money, and paying does nothing to stop data that was copied out before the encryption from being sold on the dark web regardless. A better approach is:
1. Backup policy – A robust policy that includes regular backups alongside frequent reviews to ensure it remains fit for purpose. The grandfather-father-son rotation scheme (daily, weekly and monthly copies retained for progressively longer) is a good one to follow, because it preserves a clean copy from before an infection even after the most recent daily backups have picked up the encrypted files. Backups must also be tested regularly, by actually restoring from them. In the hour of need it is not unusual for firms to find that their backups are corrupted, or that the backup job had been silently failing for months, defeating the very purpose.
2. Offline, offsite and onsite backup – At least one copy must be offline and not reachable from the network. Ransomware encrypts whatever it can reach, so a backup sitting on a mapped drive or a permanently connected NAS will be encrypted along with everything else, and a backup that is only a cloud sync will faithfully replicate the encrypted files. Backups must also be stored offsite (in the event of a physical disaster) and onsite (for fast restores).
Such an approach keeps disruption to a minimum in the event of an attack: the firm can wipe the affected systems, close the route the ransomware came in by, and restore from a backup taken before the infection to resume operation. Restoring before the entry point is closed, or from a backup that already contains the encrypted files, simply repeats the incident.
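To make the rotation and testing points concrete, here is an added example in Python (not code from the article) that applies grandfather-father-son retention to a list of backup dates, reporting which copies fall into which tier and which are eligible for deletion, and then checks the retained archives against a SHA-256 manifest written at backup time. The backup dates and archive contents are constructed so it runs offline; a real job would list the archive files in the backup store and hash the files themselves.

```python
"""Grandfather-father-son retention plus an integrity check on the retained copies.

Added example, not the article's own code. The backup dates and archive bytes
are constructed so it runs offline; a real job would list the archive files
in the backup store and hash the files themselves.
"""
import hashlib
from datetime import date, timedelta


def _newest_per_period(backups, period_key, keep):
    """Newest backup in each of the most recent `keep` distinct periods."""
    kept, seen = [], set()
    for d in sorted(backups, reverse=True):
        key = period_key(d)
        if key in seen:
            continue
        seen.add(key)
        kept.append(d)
        if len(kept) == keep:
            break
    return kept


def gfs_retain(backups, daily=7, weekly=4, monthly=12):
    """Classify backups under grandfather-father-son rotation.

    Sons are the last `daily` daily copies, fathers the newest copy in each
    of the last `weekly` ISO weeks, grandfathers the newest copy in each of
    the last `monthly` months. One copy may fall into more than one tier.
    """
    return {
        "son": _newest_per_period(backups, lambda d: d, daily),
        "father": _newest_per_period(backups, lambda d: d.isocalendar()[:2], weekly),
        "grandfather": _newest_per_period(backups, lambda d: (d.year, d.month), monthly),
    }


def backups_to_delete(backups, **tiers):
    """Everything not retained by any tier is eligible for deletion."""
    keep = set().union(*gfs_retain(backups, **tiers).values())
    return sorted(set(backups) - keep)


def verify_manifest(archives, manifest):
    """Names of archives whose SHA-256 no longer matches the manifest written
    at backup time. Keep the manifest with the offline copy: a manifest that
    lives on the network gets encrypted with everything else."""
    return sorted(name for name, data in archives.items()
                  if hashlib.sha256(data).hexdigest() != manifest.get(name))


# Constructed data: one daily backup from 1 Jan to 31 Mar 2019 (90 copies).
SAMPLE_BACKUPS = [date(2019, 1, 1) + timedelta(days=i) for i in range(90)]

# Constructed archives: two intact copies, and the same set after one copy rots.
SAMPLE_ARCHIVES = {
    "dms-2019-03-30.tar": b"constructed archive contents 30 March",
    "dms-2019-03-31.tar": b"constructed archive contents 31 March",
}
SAMPLE_MANIFEST = {n: hashlib.sha256(b).hexdigest() for n, b in SAMPLE_ARCHIVES.items()}
CORRUPTED_ARCHIVES = dict(SAMPLE_ARCHIVES,
                          **{"dms-2019-03-30.tar": b"constructed archive contents 30 Marcg"})

if __name__ == "__main__":
    tiers = gfs_retain(SAMPLE_BACKUPS)
    for name, dates in tiers.items():
        print(name, [d.isoformat() for d in dates])
    print("delete", len(backups_to_delete(SAMPLE_BACKUPS)), "of", len(SAMPLE_BACKUPS))
    print("corrupt:", verify_manifest(CORRUPTED_ARCHIVES, SAMPLE_MANIFEST))
```

With 90 daily copies the scheme keeps twelve: the last seven days, the Sunday copies of the three preceding weeks, and the month-end copies for February and January, so a clean restore point survives for months even if the newest dailies are already full of encrypted files. A matching hash proves only that the archive is what was written, not that it restores; the manifest check is the cheap daily gate, and a periodic full restore onto spare hardware is the test the article is asking for.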
About Shelton Newsham
Shelton Newsham is a manager and lead at the Yorkshire and Humber Regional Cyber Crime Team, advising the public and private sectors and individuals (including at Board level) on threat mitigation. He is a Certified ISO 27001 ISMS Lead Implementer and ISO 27001 ISMS Auditor, holds the Certificate in Information Security Management Principles (CISMP), is an ISO 22301 BCMS Lead Implementer and holds the Certificate of the Business Continuity Institute (CBCI). With over 17 years’ experience in law enforcement, Shelton has extensive experience in incident response, critical incident management, intelligence assessments, threats to life, incident investigation, safeguarding the vulnerable, public order and large-scale operations, working at a strategic level.