Law360 | New York | June 2, 2016
Whether they know it or not, lawyers are high-value targets for cybercriminals. Time-strapped attorneys have habits that make it easy for hackers to breach their systems. Experts say lawyers need to cultivate data security awareness or risk exposing confidential client information.
The perpetrators of corporate espionage, hacktivism and sophisticated fraud schemes want the information lawyers have. But rather than relying on generic email blasts and shady online offers, attackers may target attorneys after months of research on them and their work, making a general sense of awareness crucial, according to cybersecurity professionals.
Joseph M. Lawlor, an associate managing director in the U.S. cyber investigations and incident response practice at K2 Intelligence, said attorneys commonly underestimate how valuable they are as targets for cyberattackers.
Lawlor said that, as an initial matter, attorneys need to understand the likelihood that cybercriminals will go after them, whether to steal confidential data for its own sake or to use in hitting another target, such as a client.
“First and foremost, they should cultivate awareness that they are definitely a target. We are talking about large-scale operations targeting a wide range of people in many fields,” Lawlor said.
Here are five things attorneys do that leave their firms and clients vulnerable.
Putting It All Out There
Lawyers are no exception to the growing tendency to live life online, posting about travel, interests and family via social media and other sites. But experts say those posts offer clues for would-be attackers.
“Because of how connected we are in our lives, we leave so much information out there,” Lawlor said. “These are all things an attacker can use to strategize.”
Attacks on high-value targets increasingly employ social engineering — gathering and using knowledge of targets’ affiliations and interests to fool them into compromising their security.
“Social engineering attacks are successful because they prey on human inclinations such as the willingness to help others or to promote ourselves,” said Richard D. Lutkus, a partner at Seyfarth Shaw LLP who advises clients on data breach prevention and response.
Taking Emails at Face Value
One kind of social engineering attack that experts say attorneys, through a lack of awareness, walk right into is the so-called “spear phishing” attack.
Like more prevalent “phishing” emails, spear phishing campaigns request information via email, but are tailored to specific organizations or even specific individuals.
Attorneys may already be wary of generic-looking emails from businesses. But what about an email from a hacked address at a professional organization? Or an email that appears to come from an attorney or staff member within the firm?
Jim Ambrosini, a managing director with CohnReznick Advisory Group, advises attorneys to be wary of unsolicited emails asking for information or containing attachments, even if they appear to come from a familiar source. Protocols such as calling the individual to confirm the request before sending over data can make the process more secure, he said.
“We are in an age now where you can’t trust email alone,” Ambrosini said. “If you receive an unexpected email asking you for client or firm information, there should be additional controls in place to verify the sender.”
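As an added illustration of the kind of “additional controls” Ambrosini describes (example code written for this page, not from Law360 or any of the quoted firms), the script below triages a raw email for the tells the section lists: a sender domain that merely resembles the firm's, a Reply-To that diverges from the From address, an internal sender whose mail failed SPF and DKIM, a request for data, and an unsolicited attachment. The firm domain `examplefirm.test` and all three sample messages are constructed; the lookalike check is a deliberately small heuristic (inserted punctuation and letter swaps only). The second sample matters most: a hijacked mailbox at a professional association authenticates perfectly, so no header check catches it and the callback to confirm the request is the only control left.

```python
"""Triage an inbound email for spear-phishing indicators.

Added example, not code from Law360 or the quoted experts. The firm domain
and the sample messages are constructed for this illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

FIRM_DOMAINS = {"examplefirm.test"}  # the firm's own mail domain (constructed)

# Phrases that usually accompany a request for data, credentials or money.
REQUEST_TERMS = re.compile(
    r"\b(wire|password|credentials|client (list|file)|send (me|over)|urgent)\b", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def lookalike(domain, trusted):
    """Heuristic: same letters as a trusted domain once punctuation is stripped
    (catches 'example-firm.test' and transposed letters), but not the domain itself."""
    squash = lambda d: sorted(re.sub(r"[^a-z0-9]", "", d.lower()))
    return any(domain.lower() != t.lower() and squash(domain) == squash(t) for t in trusted)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the indicators found, in a fixed order. An empty list does not
    mean safe: it is precisely the case the out-of-band callback exists for."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    if from_domain in FIRM_DOMAINS and "pass" not in (auth.get("spf"), auth.get("dkim")):
        flags.append("internal-sender-unauthenticated")  # claims to be us, cannot prove it
    if lookalike(from_domain, FIRM_DOMAINS):
        flags.append("lookalike-domain")
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to-mismatch")  # answers go somewhere other than the sender
    if REQUEST_TERMS.search(text):
        flags.append("data-request")
    if any(True for _ in msg.iter_attachments()):
        flags.append("unsolicited-attachment")
    return flags


# Constructed sample 1: lookalike domain, divergent Reply-To, urgent data request.
SAMPLE_LOOKALIKE = """\
From: "Jane Partner" <jane.partner@example-firm.test>
To: associate@examplefirm.test
Reply-To: jane.partner@mail-relay.test
Authentication-Results: mx.examplefirm.test; spf=pass smtp.mailfrom=example-firm.test; dkim=pass
Subject: Acme matter
Content-Type: text/plain; charset="utf-8"

Hi, please send me the client list for the Acme matter today. Urgent.
"""

# Constructed sample 2: a fully authenticated association mailbox, which is what a
# hijacked account looks like. Only the attachment stands out; the headers are clean.
SAMPLE_HIJACKED = """\
From: "Bar Association Events" <events@barassoc.test>
To: associate@examplefirm.test
Authentication-Results: mx.examplefirm.test; spf=pass smtp.mailfrom=barassoc.test; dkim=pass header.d=barassoc.test
Subject: Agenda for next week
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached agenda before Friday.
--b1
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample 3: spoofed internal sender with no authentication results at all.
SAMPLE_SPOOFED_INTERNAL = "From: it@examplefirm.test\nSubject: Action required\n\nPlease reset your password here.\n"

if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("hijacked", SAMPLE_HIJACKED),
                      ("spoofed", SAMPLE_SPOOFED_INTERNAL)):
        print(name, triage(raw))
```

The output for the hijacked sample is a single flag, and the message would be clean if the agenda had been pasted inline; that is why a gateway rule cannot replace the phone call Ambrosini recommends before any client or firm data leaves the building.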
Logging Onto Random Wi-Fi Networks
Attorneys’ frequent travel mixed with stringent deadlines leads to another bad habit: using public Wi-Fi networks without added protection. You could be logging into a hacker’s network where the data you send is all cataloged, Lutkus said.
“It’s trivial to set up a fake Wi-Fi access point that looks like a legitimate connection offered by a business, organization or government,” Lutkus said. “An untrained user can’t spot the difference.”
Lutkus, who holds ethical hacker certification denoting his knowledge of incursion methods, says attorneys who need to rely on public connections from time to time should “religiously” use a virtual private network, or VPN, which shields the user’s data from prying eyes.
Lawlor noted that even having a mobile device set to automatically search for and connect to known networks hands out free information on where the device has connected before. To prevent that, Lawlor recommends disabling Wi-Fi when it isn’t in use.
Using Thumb Drives
Despite the convenience they offer, experts say lawyers can expose their firms to data breaches by using USB drives, as their design often makes it easy to hide malicious software.
Ambrosini noted that attorneys may turn to the devices in a pinch, such as at a conference where they could be asked to load presentation materials onto one. But the risk is never worth it, since such devices are often secretly full of pernicious programs, Ambrosini said.
In a more nefarious kind of attack, a hacker might leave USB devices branded with the firm’s logo or the logo of a client in seemingly innocuous locations within the firm itself and rely on natural curiosity to let one of them find its way into a computer, he said.
“Hackers have moved to the weakest link in the cybersecurity chain, which is always the human element,” Ambrosini said.
Lutkus added that an attacker could also use information gleaned from online sources to deliver a thumb drive meant to seem as if it came from a professional association or charity the lawyer supports.
Choosing the Wrong Passwords
So you changed your LinkedIn password after the professional social media site announced its passwords had been dumped online. But was that password also your login for other sites?
Using the same or similar passwords across myriad services might make them easier to remember, but it’s like making a hundred copies of your house key and leaving them scattered around, experts say.
All a would-be cybercriminal needs is to find one to start prying into various services that could hold valuable firm data or personal information that allows them to mount a more sophisticated attack, according to Lawlor.
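The “hundred copies of your house key” problem is easy to measure for yourself. The script below is an added example, not code from Law360 or the quoted experts: it takes a site-to-password map (assumed to be an export from a password manager), flags any password whose SHA-1 hash appears in a breach corpus, and groups sites that share the same password once the trailing year or punctuation people bump each quarter is stripped, so “Summer2016!” and “Summer2017!” count as one key. The corpus here is a constructed stand-in of three hashes; the lookup deliberately uses the hash-prefix (k-anonymity) pattern, sending only the first five hex characters and comparing suffixes locally, which is how you would query a real breach service without disclosing the password or its full hash.

```python
"""Audit site passwords for reuse and for presence in a breach corpus.

Added example, not from Law360 or the quoted experts. BREACH_CORPUS and
ACCOUNTS are constructed; a real check would query a breach service by
hash prefix in exactly the way range_lookup() simulates.
"""
import hashlib
import re
from collections import defaultdict


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: SHA-1 of a few passwords that "leaked" elsewhere.
BREACH_CORPUS = {sha1_hex(p) for p in ("password1", "letmein", "Summer2016!")}


def range_lookup(prefix):
    """Server side of the k-anonymity pattern: return the suffix of every corpus
    hash that shares the 5-character prefix. The caller never sends the full hash."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])  # compare suffixes locally


def stem(password):
    """Drop trailing digits and punctuation and lowercase, so the yearly
    'Summer2016!' -> 'Summer2017!' rotation is recognised as the same password."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def audit(accounts):
    """accounts maps site -> password. Returns the sites whose password is in the
    corpus (in input order) and, sorted, the groups of sites sharing a stem."""
    by_stem = defaultdict(list)
    breached = []
    for site, pw in accounts.items():
        by_stem[stem(pw)].append(site)
        if is_breached(pw):
            breached.append(site)
    reused = sorted(sorted(sites) for sites in by_stem.values() if len(sites) > 1)
    return {"breached": breached, "reused": reused}


ACCOUNTS = {  # constructed sample export
    "linkedin": "Summer2016!",
    "firm-vpn": "Summer2017!",
    "document-portal": "Summer2016!",
    "bank": "correct horse battery staple",
}

if __name__ == "__main__":
    print(audit(ACCOUNTS))
```

On the sample data the LinkedIn password is in the corpus, the document portal reuses it outright, and the firm VPN uses the same stem with the year bumped; all three are one key to an attacker who found the first one.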
Lawlor also pointed out that social media can provide clues that enable attackers to guess passwords. And even with a secure password, many sites rely on security questions — about your favorite things, your family or your vacations — that aren’t difficult to answer with a bit of digital diligence into the target’s social media profiles, he said.
He counsels clients not to answer their password questions directly, but instead to use the question to remind them of a second, unrelated question, and provide answers to that.
–Editing by Katherine Rautenberg and Kelly Duncan.