12-19-14 cle for south (p garrett)
TRANSCRIPT
WHY CLIENT DATA IS AT RISK; HOW IT IS AT RISK; AND HOW TO MITIGATE THE RISK USING SOME SIMPLE SECURITY POLICIES AND PROCEDURES
South University CLE, December 19, 2014
Presented by:
Patrick J. Garrett, J.D.,
Why your client data is at risk:
Attorneys have lots of PII (personally identifiable information): Social Security numbers, medical records, driver's license numbers.
You have client work-product and proprietary information: trademark information, business formulas and code.
An attacker is using you to get to your client.
Why your client data is at risk:
It will cost you more money to fix the infection than the ransom itself: the IT professional's fees, new hardware, software, and loss of data.
Many attorneys simply do not understand information security, so they do not take steps to protect the data. They are easy targets!
What are Security Controls?
Policies and procedures that demand and direct users to implement specific security features, or mitigate potential vulnerabilities, that are associated with hardware, software, or the transportation of data; and, to conform behavior and actions to support the three (3) general goals of information security:
1. Confidentiality
2. Integrity
3. Availability
Why you must implement security controls:
Civil liability for negligence and malpractice (common-law negligence or wantonness).
HIPAA: requires “reasonable and appropriate” security.
PCI laws for financial and credit card companies and processors.
Even if you are not obligated to provide certain levels of security, your clients may be obligated.
They may not be able to share their information with you unless you implement and understand the security controls.
Your clients will start expecting and demanding that you have controls in place.
Why you must implement security controls:
Ethical obligations to keep data secure: Confidentiality
Rule 1.6(a), Alabama Rules of Professional Conduct: “A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation . . .”
Digital or electronic information is treated the same as a paper file (not just PDFs). This applies to ALL information related to the representation.
Office of General Counsel, Alabama State Bar, Formal Opinion 2010-02, Retention, Storage, Ownership, Production and Destruction of Client Files
“Like documents that are converted, documents that are originally created and maintained electronically must be secured and reasonable measures must be in place to protect the confidentiality, security and integrity of the document.”
“This requires the lawyer to ensure that only authorized individuals have access to the electronic files. The lawyer should also take reasonable steps to ensure that the files are secure from outside intrusion.”
“Although not required for traditional paper files, a lawyer must “back up” all electronically stored files onto another computer or media that can be accessed to restore data in case the lawyer’s computer crashes, the file is corrupted, or his office is damaged or destroyed.”
“Lawyers do have an ethical obligation to prevent the premature or inappropriate destruction of client files.”
Additional takeaways from 2010-02:
Using a Cloud provider for backup is ok – as long as the lawyer exercises reasonable care in doing so.
Must keep client files for a mandatory minimum of 6 years from the final disposition or date of closing the file, but . . . “special circumstances may exist that require a longer, even indefinite, period of retention. Files relating to minors, probate matters, estate planning, tax, criminal law, business entities and transactional matters should be retained indefinitely and until their contents are substantively and practically obsolete and their retention would serve no useful purpose to the client, the lawyer, or the administration of justice.” (Formal Opinion 2010-02, p. 7)
Must have ability to make the file available for the client during this time as well.
Why you must implement security controls:
Competence – Rule 1.1, ABA Model Rules of Professional Conduct, Comment [8]: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Alabama has not adopted this yet; its version states: “To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education.”
Potential current or future obligation to understand the technology that you use.
Ethical obligations in a nutshell:
Secure the data: take “reasonable” measures (risk assessment, cost-benefit analysis, risk mitigation).
Protect the confidentiality, security, and integrity of the data (authentication, encryption, hashing).
Availability: must store files for at least 6 years (accessibility, durability, backups).
What are your goals?
Comply with your ethical obligations by implementing practical security policies, procedures, and actions that are reasonable for your circumstances to help you ensure three things:
1) Confidentiality (authentication)
2) Integrity
3) Availability
Factors to assist you in choosing what controls are right for you:
Where and how is my data stored?
How am I transporting my data?
Where are the vulnerabilities when my data is transported and stored?
What threats can exploit these vulnerabilities?
What controls exist to mitigate the threat, and what resources do I have available to me?
Based on all these factors, what controls must I implement?
In addition to the required controls, what other controls can I implement?
How your client data is at risk:
Why do I need to know how data is stored, transported, shared, and accessed? Every link in the chain of communication is a vulnerability.
Every other person or machine that you send your information to is a vulnerability.
How you send or share your data or information can cause vulnerabilities.
Every place you store your data is another vulnerability that must be protected.
Vulnerabilities in the transport and storage process:
Interception of your data while communicating with someone else.
Unknowingly sending data to the wrong person or an illegitimate website.
Someone accessing your data by breaking into your computer or network.
Someone accessing your data using trickery or a compromised password.
How your client data is at risk:
THREATS TO THOSE VULNERABILITIES
Attackers – outside parties trying to trick you, or breaking into your computer, network, or system without your consent and knowledge.
Malicious Software – viruses, spyware, malware, etc.
Malicious insiders – disgruntled employees or sometimes clients.
Negligent actions – by you or your employees. Failure to take reasonable precautions.
Understand where and how your data is stored:
Data at rest: hard drives, USB drives, servers, PCs, laptops, smartphones, tablets, etc. This isn't just PDFs.
Data in transit: email, internet, web traffic, network traffic, etc.
Backup data: locally or remotely.
Data in the cloud.
How your data is transported:
[Diagram: a typical small business or home network (internal network) connected to the Internet, and free public Wi-Fi connected to the Internet]
How your systems interact and communicate.
[Diagram: John Smith's computer exchanging data with the web server for ParickGarrett.net; typical for uploading / downloading files.]
[Diagram: John Smith's browser asks the web server “Please send me the web page for Google.com” and the web server replies “Here you go!”]
Typical request for an unsecured Http:// website:
1. The computer's browser sends the request (data packet) in clear-text.
2. The web server also sends the response in clear-text.
Neither party knows if the other party is who they say they are. Anyone who intercepts the packets can eavesdrop on the communication because the data is in clear-text.
Where your data can be intercepted:
[Diagram: interception points on the internal network and on the Internet]
How your data is intercepted:
An attacker uses software to scan for available wireless networks and return the results along with the kind of security (encryption) being used (i.e., WEP, WPA, etc.). If the network is unprotected or has weak encryption, it can easily be cracked.
Once on the network, the attacker uses “packet sniffing” software to capture data packets to analyze, review, and crack later.
How your data is intercepted: Impersonation
“Man in the Middle” attack – During your session with a website online, an attacker reads your unprotected communication in real time.
They then change that information before it is sent to the other party or they spoof their IP address and pretend to be the website.
Browser hijacking, or setting up a fake website that looks like the legitimate website.
Anatomy of a network attack
Similar to interception, the attacker first scans your network to determine what kind of security you use.
Tries to guess the manufacturer of your router, then looks up the documentation online that gives the default password for that particular router, or tries them all.
If the user never changed the password, the attacker gets access to the whole network, can intercept all data that passes through the router, and can copy, steal, or destroy data from any unsecured computer or server on the network.
Anatomy of a network attack
If guessing the router password doesn't work, the attacker uses “port scanner” software to see what ports are open and/or in use on the router firewall.
The attacker analyzes any captured packets, together with knowledge of commonly used ports, to infer what applications and operating system are being used.
Forms a profile of your system, looks up any known vulnerabilities in your OS or applications, and launches a specific attack based on the hardware/software profile.
Anatomy of a network attack
May try to infiltrate a single vulnerable system on the network and spread out to other systems.
Privilege escalation: after infiltrating a single system, the attacker tries to get admin access on that system.
Admin access allows the attacker to access other systems on the network.
A virus works this way on single computers.
A worm spreads to other systems.
[Diagram: privilege escalation spreading across the internal network to the Accounting / Billing Department]
Password Guessing/Cracking
Attacker researches you or your staff to gain info about you.
Social media pages, pictures, etc.
Follow you and learn your habits, kids names, pet names, favorite sports teams, etc.
They then use that information and software to try to guess your password, using brute-force attacks: dictionary attacks and rainbow table attacks.
They can also just try default passwords or typical passwords.
How to mitigate your risks using security policies and procedures:
INTERCEPTION AND IMPERSONATION
Only use secure networks.
Free Wi-Fi (Starbucks) is not secure, and you have zero privacy.
If you must use unsecured Wi-Fi, use a VPN provider.
On work/home wireless networks, make sure you use the right encryption protocol.
WEP can usually be cracked in under an hour. WPA2 is best, but if it is not available then at least use WPA.
How to mitigate your risks using security policies and procedures:
INTERCEPTION AND IMPERSONATION
Only use secure websites, and restrict your employees to accessing only trusted, secure websites.
Secure websites start with HTTPS:// and use the SSL (older) or TLS (newer) security protocols.
Download and use “HTTPS Everywhere” for Firefox or Chrome browsers. It will force websites to use HTTPS by default if it is available.
Research a website's security if you will be providing it with your personal / banking information.
HTTPS uses certificates to authenticate and encrypt, using both asymmetric and symmetric encryption.
[Diagram: typical request for a secured Https:// website. John Smith's browser receives the server's public key, then sends back an encrypted symmetric key.]
Certificates: authentication
Used for confidentiality because it authenticates the person sending or receiving information.
Issued internally or by a third-party company known as a Certificate Authority (CA).
The CA verifies the identity of the website owner and digitally signs the certificate (akin to notarizing). The CA has built up credibility, trust, and name recognition, so when the CA vouches for the website, people will then trust the website.
Certificates: encryption
Used for confidentiality because they are used to encrypt communications.
Use asymmetric encryption: the website has a public key listed on its certificate. Users use the public key to encrypt information to send to the website.
Only the website has the private key to decrypt, so if someone steals the data they can't read it.
Most often, asymmetric encryption is used only to encrypt a symmetric key, because symmetric encryption is faster.
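The “encrypt a symmetric key with the public key” pattern described above, as an added Go example that is not from the presentation: RSA-OAEP seals only a fresh AES-256 key, AES-GCM seals the message, and only the holder of the matching private key can open the result. The 2048-bit server key and the message are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what crosses the wire: the AES key sealed with the public key, the message sealed with the AES key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// newServerKey stands in for the key pair behind a real website's certificate (constructed for the demo).
func newServerKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// sealEnvelope is the browser's side: a fresh AES-256 key for this session encrypts
// the message; only that small key is encrypted with the certificate's public key.
func sealEnvelope(pub *rsa.PublicKey, msg []byte) (Envelope, error) {
	key := make([]byte, 32)        // 256-bit key, the size the slides recommend
	rand.Read(key)                 // crypto/rand, never math/rand, for key material
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // AES always has the 16-byte block GCM needs
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // must never repeat under the same key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// openEnvelope is the web server's side: without the private key a captured
// envelope fails at the first step; a ciphertext altered in transit fails at the last.
func openEnvelope(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects anything that is not a valid AES key size
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```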
How to mitigate your risks using security policies and procedures:
NETWORK ATTACKS
Change the default password on your router and make it something complex.
Make sure the firewall on the router is adjusted to restrict what type of traffic can come into and leave the network.
Use encryption on your hard drives, individual computers, and mobile devices in case your network is compromised.
How to mitigate your risks using security policies and procedures:
NETWORK ATTACKS
Harden each individual computer on the network: firewall and anti-virus on and updated.
Good patch management: always make sure the most recent OS and application updates are installed.
Remember “Patch Tuesday” for Windows: Microsoft releases its updates (if any) on the 2nd Tuesday of the month, and sometimes the 4th Tuesday as well.
This is important because these often fix the “known vulnerabilities” that attackers look for.
How to mitigate your risks using security policies and procedures:
NETWORK ATTACKS
Use restricted-access accounts to counter malware and privilege escalation attacks. Never actively use the administrator account.
When creating an account, only give it the minimum access needed.
Rename the admin account something other than “administrator” or “admin”.
How to mitigate your risks using security policies and procedures:
PASSWORD CRACKING
Use long, complex passwords that include symbols, numbers, and capital letters.
Never send your password / username through email.
Change your password at least a couple of times a year. By the time an attacker figures out the password, he will have to start all over with the new password.
Set password settings to prevent reuse of passwords that have been used previously.
How to mitigate your risks using security policies and procedures:
DATA THEFT OR DESTRUCTION
Always back up your data to a remote location. You are required to keep the file for at least 6 years.
Use encryption on all devices, computers, and hard drives in case the data is stolen. Encryption will make it very difficult to read without the key.
When using cloud providers for storage, make sure they are using encryption on their servers as well as for the upload/download process.
How to mitigate your risks using security policies and procedures:
DATA THEFT OR DESTRUCTION
Tips for using encryption:
Premium editions of Windows 7 have the ability to encrypt at the file level using “BitLocker”.
File-level encryption can be used to store all your sensitive data. Good if you don't want to encrypt the entire hard drive.
If you use commercial encryption software, go with AES (Advanced Encryption Standard) or Twofish.
AES is used by governments, banks, etc. Twofish is strong as well and is generally faster. AES-256 (AES with a 256-bit secret key) is the best available.
Malware prevention: Anti-virus protection
Only use reputable vendors: Avast, McAfee, etc.
Firewalls – Windows and Apple OS X have built-in firewalls. Also enable the ones on your modem/router.
Make sure your operating system (OS) is up to date. Oftentimes, malware exploits vulnerabilities in the OS in order to gain access.
Ransomware comes in many types.
Develop an overall security policy:
Put it in writing. Educate your staff on it and then review it at least twice a year. It should address the following issues at a minimum:
Acceptable use of the computer: which websites or types of websites are acceptable to visit and which should not be used, etc.
Password policy: require at least 12 characters (with symbols and numbers); no password shall be reused.
Develop an overall security policy:
How often backups should be done.
Where the backup will be stored (cloud provider, removable hard drive, offsite computer or server).
Patch management: all systems set to automatically update, or calendar Patch Tuesdays for updates.
Email policy: no opening emails from unknown persons unless you are expecting them. No clicking links within emails.
Network access: no free Wi-Fi in your office. Password changing for routers.
Physical security: No one left with computers, etc.
Other non-technical things you can do:
Draft a file retention policy. If you voluntarily hold on to a file longer than you are required to, you are increasing your cost of securing the file and the risk of a breach (applies to Category 2 & 3 files; see Formal Opinion 2010-02).
Take the same actions in your home office.
Train, educate, and enforce.