What’s White-Hot In Cybersecurity Today?


Ed. Note: This is the latest in a new series of articles, Cybersecurity: Tips from the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity and digital forensics services.

“What do you see in light of the Russian attack on Ukraine?”

This is the question that lawyers and journalists most often ask us these days. There were great concerns when the attack began on February 24, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) immediately made it clear that all U.S. organizations should have their “shields up” given the potential threats. CISA is our favorite “cybersecurity resource” for lawyers, and its Shields Up website is full of useful information that is simple and written to be understood by the general public – which most government cybersecurity resources are not.

And unlike cybersecurity providers, CISA makes its information public – you don’t have to give them your name, email and phone number. Often, “white papers” and other offers from cybersecurity providers are not very helpful, except that the provider now has your contact information so it can harass you by phone and email.

Although we agreed with CISA’s call for readiness, we did not see the expected impact of the war in Ukraine on the United States – attacks here actually decreased. More than 80% of cyberattacks since March 20 were aimed at Russia or Ukraine. That, of course, could change in an instant.

There is an army of hackers attacking Russia, more than 130,000 so far, and many Russian government websites have been taken down or severely crippled. Anonymous, one of the most famous hacker groups, has literally declared war on Russia.

Multifactor authentication is becoming increasingly critical.

At this point, we believe that the use of multifactor authentication is ethically necessary as a reasonable measure to protect client confidential data.

We need to stop complaining that MFA is inconvenient and simply recognize that MFA’s short extra steps make us far safer. The vast majority of the time MFA is free, so it’s not a budget issue. MFA stops more than 99% of account compromise attacks, and it doesn’t get much better than that.

When implementing MFA, there are essentially four methods of providing the additional factor. We discuss them here from least to most secure. The most common is receiving a code via SMS text message. This is the least secure of the MFA methods and is susceptible to SIM swap attacks. Although text messaging is the least secure, it is still much safer than not using MFA at all. Forget about receiving the MFA code by email, which is completely worthless for protecting your email account.

The next method is to use an authenticator app such as Google Authenticator, Authy, Duo, Microsoft Authenticator, etc. The app generates a code that changes every 30 seconds; you simply enter the code when prompted. This method is more secure than text messaging.

The next method is push notification within the authenticator app. Instead of entering a code taken from a text message or generated by an app, a notification is “pushed” to your authenticator app requesting approval. All you do is approve or deny the access. No code required.

The most secure method is a physical token such as a YubiKey, Titan Security Key, etc. Nothing to type; just connect the key to your device.

When configuring MFA, select the most secure method available. For example, if SMS and an authenticator app are both options, select the authenticator app.

Endpoint Detection and Response (EDR) is the next generation of security software.

EDR is different from your typical antivirus/security software and is much more sophisticated. EDR uses artificial intelligence, heuristics, machine learning, etc. to establish a baseline of the device’s normal operation. If any activity is suspicious and outside that baseline, some kind of action is initiated.

That action may include quarantining files, blocking a task or service, or even automatically removing the device from the network. Some EDR solutions are integrated with a SOC (Security Operations Center) to add a human element to the analysis and verification of the actions taken. There is also the option of returning the device to a known good state.

EDR scales from the solo lawyer to large firms, and there are very affordable solutions for solo and small-firm lawyers. We now believe that EDR is ethically necessary as a reasonable measure to protect confidential client data. EDR is a great defense against ransomware: if abnormal activity is detected (such as a file encryption process), the process can be terminated and the system restored to its pre-attack state.

Zero Trust is a term that law firms need to be familiar with.

The term Zero Trust has been around for some time, but it is getting more and more attention as law firms and businesses migrate to a more hybrid work environment and their use of cloud services grows. The perimeter security model no longer works and is being replaced by Zero Trust network architecture. Zero Trust is not a product you can buy off the shelf, and its complexity often confuses lawyers.

Basically, Zero Trust means just that: trust no device, person or access request, and verify everything. In other words, don’t trust anything and keep verifying, even if access was previously granted. Zero Trust gives new meaning to Ronald Reagan’s words: “Trust, but verify.” The federal government requires its agencies to implement Zero Trust by the end of 2024, and businesses will surely follow that lead. Many larger law firms are well on their way to establishing a Zero Trust environment.

All law firms need to learn about Zero Trust, budget for it and start taking steps to implement it. Those boring ethical rules require you to take reasonable steps to be competent with legal technology and to take reasonable steps to ensure the confidentiality of your clients’ information. You can’t avoid Zero Trust – so start your self-education now!

Sharon D. Nelson (snelson@senseient.com) is a lawyer and president of Sensei Enterprises, Inc. She is a former president of the Virginia Bar Association, the Fairfax Bar Association and the Fairfax Law Foundation. She is the co-author of 18 books published by ABA.

John W. Simek (jsimek@senseient.com) is the Vice President of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH) and a nationally renowned expert in the field of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia firm.

Michael C. Maschke (mmaschke@senseient.com) is the CEO/Director of Cyber Security and Digital Forensics at Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
