We've Been Hacked! Now What?

Presented by Ryan J. Cooper, JD; Uri Gutfreund; Rob Kleeger

OM25, 4/4/2017, 2:45 PM - 4:15 PM

The handouts and presentations attached are copyright and trademark protected and provided for individual use only.

Source: my.alanet.org/events/annual/handouts/OM25_We've_Been_Hacked_Now_What.pdf



Page 2

We’ve Been Hacked! Now What?

Panelists:

• Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper LLC
• Uri Gutfreund, National Law Firm Practice Leader, Risk Strategies Company
• Rob Kleeger, Founder and Managing Director, Digital4nx Group, Ltd.

Page 3

Key Learning Objectives:

• Examine the breach response: who needs to be called, who needs to be reported to, and the steps needed to best protect the firm.
• Describe good defense strategies and best practices.
• Evaluate good cyber insurance policies.

Keeping sensitive information from falling into the wrong hands.

Data Security (′dad·ə sə′kyu̇r·əd·ē) Defined

• The protection of data against the deliberate or accidental access of unauthorized persons. Also known as file security. (Source: Answers.com - www.answers.com)
• The means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. (Source: Wikipedia - www.wikipedia.com)
• [The] protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure. (Source: The Institute for Telecommunication Sciences (ITS) www.its.bldrdoc.gov)
• The protection of data from accidental or intentional but unauthorized modification, destruction or disclosure through the use of physical security, administrative controls, logical controls, and other safeguards to limit accessibility. (Source: US Social Security Administration www.ssa.gov/gix/definitions.html)
• Generic term designating methods used to protect data from unauthorized access (e.g., encryption). (Source: US DOJ - Office of Justice Programs www.ojp.usdoj.gov/nij/publications/wireless/glossary.html)
• The protection of data against unauthorized access. (Source: PC Magazine - www.pcmag.com)

Page 4

Data Defined

Data is either…

• In Motion -> such as being emailed, or
• At Rest -> such as stored on your hard drive

It can be vulnerable and you need to be careful in both situations.

Data-in-Motion

• Protecting data-in-motion is a complex challenge. The Internet provides cheap global communication, but it has little built-in security.
• Most technology is built with security as an afterthought.
• Developers are pressured to “make it work” and meet tight deadlines.
• Functionality and ease-of-use are deemed top priority, which automatically makes security secondary.
• Most communications are sent in clear-text, meaning anyone who gains access to the traffic can easily read it.

Page 5

Data-at-Rest

Security breaches are typically made far worse when the attackers find troves of data in users’ stored emails and files, such as:

• Passwords sent to or received from others
• Confidential data, reports and financials emailed around
• Files with passwords stored unencrypted

Law Firms Aren’t Immune

Is Cyber-Security Really a Serious Concern for the Small and Medium-Sized Law Firms represented in this room today?

1. The earliest and most publicized cyber-attacks were against the largest, most elite law firms in the world.
   • FBI warnings to law firms as potential targets in 2009 and 2010
   • FBI briefing in 2011 to the 200 largest law firms
   • Newspaper headlines that the largest and most prestigious law firms were at risk
2. Today, cyber security is no longer an issue that concerns only the mega-firms. Cyber attacks now routinely occur at law firms of all types and sizes.

Page 6

Law Firms Aren’t Immune

Why are Law Firms Rich Targets for Hackers? What do we have that somebody else might want?

1. Money.
2. Credit card information of clients and others.
3. A wide range of Personally Identifiable Information (e.g., health information, name and address information, account access information, social security numbers, etc.)
4. Confidential client business information.
5. Client intellectual property, trade secrets and other proprietary information of our clients.
6. Case and/or litigation strategy.
7. Legally privileged communications, including those protected by the attorney-client privilege.

Law Firms Aren’t Immune

• Law firms face professional liability and fiduciary breach risk from their clients.
• FBI: law firms are the targets of cyber-attacks.
• Law firms in international IP litigation have been hacked by foreign interests.
• Personnel have inadvertently permitted hackers to access client funds held in commercial banks.
• Lost laptops, thumb drives, and handhelds (especially with the proliferation of BYOD) become keys to unlock a law firm's network.
• This is a natural consequence of lawyers' and law firms' publicly identifying their clients, entering appearances in court as attorney, and listing clients on their own websites.

Page 7

Who is the Weakest Link?

A “Cyber” Policy

Page 8

Privacy Insurance

Unauthorized Release of Private Information:

• Reputation
• Down Time
• Cost of Repairs
• Breach Costs
• Regulators / Fines
• Theft of Funds

Third Party Coverages (Negligence):

• Security & Privacy Liability
• Media Content Liability

First Party Coverages (Costs):

• Network Interruption
• Cyber Extortion &/or Cyber Terrorism
• Data Restoration
• Event Management Expenses

Retention Each Claim: $5,000 - $1M

Page 9

Event Management

• Data Breach Coach Expenses

• Forensic Investigation (Rob)

• Crisis Management Expenses

• Privacy Breach Notification

• Credit Monitoring

Page 10

The story – Background

• Dewey, Cheetum & Howe, LLP (the “Law Firm”) is a midsized law firm with offices in New York, Colorado, Illinois, and California. It has an excellent track record of client service, has been voted “Best places to work” for several consecutive years, and has been in business over fifty years.
• The Law Firm has had steady growth and hasn’t been a defendant in any significant litigation in the past. The firm’s reputation is built largely around its substantial corporate practice that focuses on real estate and M&A.
• The RE Group is national real estate counsel for a large Real Estate Investment Trust (REIT) actively purchasing portfolios of bank owned properties (REO).
• The firm’s M&A practice enjoys a strong reputation in the SMB market. In any given month, the M&A practice group is closing on multiple transactions, typically involving the sale of closely held family businesses, with a transaction price anywhere between $10 to $100 million.

The story – Background (cont’d)

• The Law Firm’s Employee Policy Handbook (all employees sign an acknowledgment of receipt and compliance) includes the following provisions:

Firm Information Technology

The Firm’s IT Systems are provided and intended for business purposes. Any personal use of the IT Systems, including the email systems, that interferes with the performance of any employee's work, or burdens or compromises the effectiveness of the IT Systems is strictly prohibited.

Only Firm employees may use the IT Systems. Employees must use only their own passwords and must inform the Firm of their passwords and provide access to their computer files upon request.

Page 11

The story – Background (cont’d)

• The Firm maintains software that provides all time keepers and management personnel with access to the Firm’s IT Network and document databases via Remote Access over a Virtual Private Network (VPN).
• The Firm has dedicated in-house IT support at all of its offices, but it also out-sources a significant amount of IT support, including the firm Help Desk. The Help Desk uses an enterprise version of a popular consumer remote connection software.
• The Firm also maintains a Password Policy, which requires that all users change their password every 120 days, that each password is at least 8 characters, and that it includes one capital letter, one lower case letter, and one number.

The story – Timeline

A senior equity partner on the Law Firm’s Management Committee (Mr. Serious) takes his family on vacation; they go skiing in Colorado. Upon arrival at the airport, Mr. Serious’ teenage son (R.U. Serious) can’t find his backpack, which has his smart phone and iPad. This is particularly upsetting to R.U. Serious, since he and his new girlfriend (L. Gaga) had expected to video chat just about 24/7.

Tired of listening to R.U. Serious complain, Mr. Serious lends his son the Firm’s laptop so R.U. Serious can ‘check his email.’

Many months later, as September draws to a close, the Management Committee receives an emergency email at 7:00 pm. The Firm’s IT systems have been compromised and clients are missing money.

Page 12

The story – Timeline

• Over the next 24 hours, the Management Committee discovers that hackers had changed the wire instructions in deal documents and related emails for 4 transactions that had closed over the past few weeks.
• The total amount of money missing was $72 million. In 3 transactions, it was the Firm’s clients who were the sellers, and who never received the money paid at closing. In the 4th transaction, the Firm represented the buyer.
• The Firm’s clients were deeply alarmed but, based on their decades-long relationship with the Firm, are trying to remain calm based on the Firm’s reassurances that the Firm will sort things out. (Although calm, they are already interviewing new lawyers.)
• The seller in the 4th transaction has no patience, however. He and his attorneys have already threatened lawsuits against the Firm and its client, the buyer, and he is threatening to make the loss a very public spectacle.

The Story – Data Concerns

• A forensic analysis reveals that hackers had obtained log-in credentials for firm employees. The first credential used was an old VPN log-in for an employee who had left the firm a year prior. The log-in credentials were not deactivated and, because the employee never logged in, the 120-day password prompt never went into effect. (The hacker received the prompt and changed the password.)
• The analysis further determined that once inside, the hacker installed malware, such as key loggers, and began reviewing the firm’s files and documents.
• Over the next few months, the hacker steadily obtained additional credentials, including Administrator log-in credentials from emails between the Firm’s IT staff and the outside Help Desk.
• At this point, the hacker had identified the most promising targets for upcoming deals, and used the Administrator credentials to begin intercepting email in real time.
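The first finding above, a departed employee's VPN login that was never deactivated and whose 120-day rotation never fired because rotation was only enforced at login, is something an identity team can catch with a routine account audit. The following is an added example, not code from the presentation or from any of the panelists' firms: it runs three checks over a constructed set of account records (departed employee with VPN still enabled, dormant account, password past the policy age) and lists the accounts to put on a deactivation ticket. The 90-day dormancy threshold, the account names and the audit date are assumptions made for the example; the 120-day figure is the firm's policy from the story.

```python
"""Stale-credential audit.

Added example, not code from the presentation. It checks account records
for the three conditions behind the breach in the story: a departed
employee whose VPN login was never deactivated, an account that never
logs in (so a login-time rotation prompt never fires), and a password
older than the firm's 120-day policy. Account records, the 90-day
dormancy threshold and the audit date are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PASSWORD_MAX_AGE_DAYS = 120   # the firm's rotation policy from the story
DORMANT_DAYS = 90             # constructed threshold for "never logs in"


@dataclass
class Account:
    username: str
    employed: bool               # False once HR records a departure
    last_login: Optional[date]   # None if the account never authenticated
    password_changed: date
    vpn_enabled: bool


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an account may produce several."""
    findings = []
    for a in accounts:
        if not a.employed and a.vpn_enabled:
            findings.append((a.username, "departed employee still has VPN access"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.username, f"dormant: no login in {DORMANT_DAYS} days"))
        if (today - a.password_changed).days > PASSWORD_MAX_AGE_DAYS:
            # Rotation is only enforced at login, so a dormant account keeps
            # its old password indefinitely; this check closes that gap.
            findings.append((a.username, f"password older than {PASSWORD_MAX_AGE_DAYS} days"))
    return findings


def accounts_to_disable(findings: List[Tuple[str, str]]) -> List[str]:
    """Usernames with at least one finding, sorted, for the deactivation ticket."""
    return sorted({user for user, _ in findings})


# Constructed sample records; the audit date matches the story's late September.
AUDIT_DATE = date(2017, 9, 29)
SAMPLE_ACCOUNTS = [
    Account("former.associate", False, date(2016, 8, 1), date(2016, 5, 1), True),
    Account("active.partner", True, date(2017, 9, 28), date(2017, 7, 15), True),
    Account("helpdesk.svc", True, None, date(2017, 1, 10), False),
]


def run_audit() -> List[Tuple[str, str]]:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
    print("disable:", ", ".join(accounts_to_disable(run_audit())))
```

The useful design point is that the audit reads the HR status and the last-login timestamp directly rather than waiting for the login-time rotation prompt: an account nobody uses never triggers a prompt, so the only way to catch it is an out-of-band sweep tied to the joiner/mover/leaver process.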

Page 13

The Story – Data Concerns

In August, the hacker honed his skills and familiarity with the Firm’s system, monitored a number of on-going deals, and set his traps.

Finally, the four deals closed in the last week of September. In each one, the hacker had revised deal documents, Funds Flow memos, and emails to add wire instructions that sent the funds to the hacker’s bank. The first stop was a legitimate bank in the United States, but the hacker then immediately wired the funds on to additional banks in Africa and Asia.

The analysis also determined that the hacker spent a significant amount of time reviewing documents related to a transaction involving a publicly traded company (that was buying a firm client).

The hacker also accessed the Firm’s Human Resources files, although the logs related to these files indicate that the files were accessed for less than a minute each and that none were copied, moved or altered.

Best Practices For Better Data Security

STOP. THINK. CONNECT.

Page 14

Where Is Your Data?

Your company’s technology infrastructure holds a lot of private data, such as:

• Social Security numbers (including yours!)

• Credit card numbers

• Client lists

• Financial data

• Passwords

• Business plans

• Proprietary information

What would someone find?

Page 15

What’s worth protecting?

• Identification and protection of “crown jewels”
• Develop a security plan: Short term, Long term, and most importantly Ongoing.
• Define: How Much?, How Good?, and/or When is “Good Enough”?
• Accept the general rule of thumb:
  – Good Security = Compliance
  – Compliance ≠ Good Security

Top Data Security Issues?

Data Protection and Privacy:

• Protecting data from internal and external attacks.
• Preserving confidentiality by controlling access, use, and dissemination to the extent required by law, contract, or business needs.
• Securing data and systems.

• Know what data you possess.
• Know where that data is kept.
• Know who has access to that data.
• Assess, test, and evaluate your policies – often.

Page 16

Passwords – Best Practices

• Do not use names, dates, or dictionary words.
• Use long passphrases which are easy to remember.
• Length matters. Passwords should be at least 8 characters and contain numbers, capital letters and symbols.
• Change passwords on at least a quarterly basis.
• Always use two-factor authentication if offered by the provider.
• Never use the same password in different accounts.
• Use http://www.passwordmeter.com/ and https://www.grc.com/haystack.htm to assess the strength of your passwords.
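The rules on this slide are easy to state but are usually enforced inconsistently; the story's own policy (8 characters, one capital, one lower-case letter, one number) is satisfied by passwords that any dictionary attack tries first. The following is an added example, not code from the presentation, that turns the slide's rules into a check a firm could wire into its password-change flow: minimum length, digit, capital and symbol, no dictionary word (after undoing common substitutions such as "0" for "o"), and no year or date. The six-word dictionary, the substitution map and the sample passwords are constructed for the example; a real deployment would use a large dictionary or breached-password list.

```python
"""Password-policy check.

Added example, not code from the presentation. It applies the rules on
the slide above (minimum length, digits, capitals and symbols, no
dictionary words, no dates) to a candidate password and reports every
rule it fails. The small word list and the sample passwords are
constructed for the example; a real deployment would use a large
dictionary or breached-password list.
"""
import re
import string
from typing import List

MIN_LENGTH = 8
# Constructed mini word list; substitute a real dictionary in practice.
DICTIONARY = {"password", "welcome", "lawfirm", "summer", "dewey", "serious"}
# Year-like runs (1999, 2017), separated dates (4/4/2017) and long digit runs.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}|\d{6,8}")
# Common substitutions undone before the dictionary check, so P@ssw0rd
# is compared as "password".
LEET = str.maketrans("0134@$!", "oieaasi")


def normalize(password: str) -> str:
    return password.lower().translate(LEET)


def check_password(password: str) -> List[str]:
    """Return the policy rules the password violates; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if any(word in normalize(password) for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if DATE_RE.search(password):
        problems.append("contains a date or year")
    return problems


if __name__ == "__main__":
    # Constructed samples: a classic "compliant-looking" password, a
    # season+year password, and a long passphrase that passes every rule.
    for candidate in ["P@ssw0rd", "Summer2017", "Ski-Trip*Colorado-42"]:
        result = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(result)}")
```

The point the samples make is that "P@ssw0rd" satisfies every character-class rule on the story's policy and still fails, because the dictionary check runs on the normalized form; the passphrase passes despite being far from random, because length is doing the work.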

Page 17

How to store – Rules

• Don’t write your password down on a sticky-note attached to your screen
• Don’t keep your passwords written in a text file on your computer
• Don’t write them down in plaintext anywhere!

Instead:

• Use secure pass-phrases that you can remember, or
• Use an encrypted password storage program, like KeePass or LastPass

Conduct an Independent Ethical Hacking Assessment:

• An attack on your network and computer systems using real-world tools and techniques in order to find security weaknesses.

Assessment Objectives:

• Uncover vulnerabilities
• Provide a road-map for making your networks secure
• Identify the sensitive information
• Greatly increase your level of security

Develop a comprehensive security and data breach plan for your law firm.

• It should include your Crisis Response Team (internal and external)
• Conduct breach response drills annually
• Media/PR Strategy

Training:

• Users should be considered the first line of defense in any security infrastructure.
• Train attorneys and support staff on security and data issues frequently.
• A robust training program will heighten users’ sensitivity to phishing attempts and other exploits.

Page 18

Monitor changes in technology that affect security considerations.

• Understand security issues that may arise in any cloud computing services, and mobile devices, used by your firm.
• Minimize production of personal information where possible. When production is unavoidable, make an agreement regarding treatment of the personal information.
• Encrypt information as much as possible, whether produced to others or stored on your computers.
• Physically secure computer equipment and file rooms.
• Have a proper file and data destruction policy.
• Ask clients if any of their data warrants special protection and discuss how that data should be protected.
• Make sure vendor and expert contracts include provisions for security and confidentiality.

Page 19

Contact Information:

Robert Kleeger, Founder & Managing Director
Digital4nx Group, Ltd.
T 973.699.0167 | [email protected]

Ryan J. Cooper, Esq., CIPP/US
Law Office of Ryan J. Cooper LLC
T 908.514.8830 | [email protected]

Uri Gutfreund, Law Firm Insurance Guru
Risk Strategies Company
T 212.826.9744 | [email protected]

Page 20

Your opinion matters! Please take a moment now to evaluate this session.