App Authentication Gets Easier with Intune

Remember the early days of MDM (Mobile Device Management)? You know, that company-mandated thing which black-listed your apps, tracked your movements, and monitored which websites you browsed?

We’ve come a long way from those days. Recent developments from Microsoft make authentication and data management easier for both users and for IT admins. Let’s take a look at these newer offerings from Microsoft and how you can benefit from them with our LINK App.

Integration with the Intune SDK and Microsoft Authentication Library

We have integrated the Microsoft Intune SDK and the Microsoft Authentication Library (MSAL) into our LINK App. If you are either an Azure Entra ID user, an Intune user, or both, our integration offers a simpler experience for users and IT alike.

Fewer sign-ins for both frequent and occasional LINK users

Integrating MSAL into our LINK App allows LINK to leverage Microsoft Authenticator as an authentication “broker.” This means that LINK uses the same familiar federated sign-in process as the Microsoft Office apps. If you are signed in to Office, you are signed in to LINK without any additional password prompts. From the security and policy perspective, LINK supports all of your conditional access policies, including:

  • MFA requirements (either with MS Authenticator or a 3rd party such as Duo)
  • Device requirements (e.g., requiring Intune deployment)

Focused security of your data with MAM policies

LINK’s integration with the Intune SDK adds another layer of security and simplicity to managing and securing LINK. In addition to the standard MDM policies and management tools, Intune supports a different type of policy known as Mobile Application Management (MAM). These MAM policies apply to all apps that support the Intune SDK, including the Microsoft suite of apps and 3rd party apps like LINK. Many MAM policies are particularly focused on the careful treatment of corporate data.

Apps with MAM policies can be used together to enable secure workflows. For example, MAM policies allow our LINK App to share a document from a Document Management System to the Word app for secure, yet uncomplicated, editing.

MAM is a great way to ensure the security of your corporate data without asking users to give up any control of their personal devices.

Image Source: Microsoft

LINK for Intune

To add MAM support to LINK, we have released a new app – LINK for Intune. Deploying LINK for Intune offers the same functionality as the “regular” LINK app, and it adds a deeper integration with Intune so that policies can be applied to LINK even when the device is not MDM-managed.

With these recent developments from Microsoft, we think that the optimal path going forward is:

  • Use the Microsoft Intune SDK and the Microsoft Authentication Library (MSAL) to simplify authentication
  • Advance from “managed devices” to “managed apps” using Intune MAM policies

Are you considering moving to these newer approaches? What questions or observations do you have? You may download our Intune brief here.

-Seth

Seth Hallem is the Mobile Helix CEO, Co-founder, and Chief Architect


Mobile Helix makes the LINK App which is used by attorneys and knowledge professionals to review, edit, annotate, compare, and email documents from a single, secure app.

Cybersecurity: The Workforce Gap & the Career Opportunity

Recently, I came across a LinkedIn post from a friend who was #Hiring for a cybersecurity role. It got me thinking – just how challenging is it to find and crucially, to retain, experienced cybersecurity staff? According to my friend, it is very challenging. Intrigued, I decided to take a dive into the numbers.

World Economic Forum

71% of organizations are currently unable to fill cybersecurity positions, leading to a concerning skills gap in the workforce. This issue has been highlighted by The World Economic Forum, which warns of the potential impact on infrastructure and society as a whole.

2023 Global Cybersecurity Workforce Gap – ISC2

Globally, there is an estimated 4 million person cybersecurity workforce gap. According to ISC2, the shortfall in the United States alone amounts to half a million roles.

Per Fortinet’s 2023 Cybersecurity Skills Gap Report, 68% of leaders agree that cybersecurity skills shortages create cyber risks for their organization.

An overwhelming 90% of leaders show a strong preference for hiring individuals with technology-focused certifications per the Fortinet report. Their study also brings encouraging news that 90% of leaders are willing to invest in their employees by covering the costs of certification. In alignment with this, the World Economic Forum advocates for the crucial processes of “reskilling and upskilling,” emphasizing the importance of narrowing the cybersecurity skills gap.

So, the next question is, what does it take to obtain an affordable cybersecurity certificate? This option seems promising: Google offers a Cybersecurity Certificate through Coursera suitable for these roles:

  • Cybersecurity analyst
  • Security analyst
  • SOC analyst
  • Information security analyst
  • IT security analyst
  • Cyber defense analyst

According to Google, this course can be finished in six months with less than 10 hours of part-time study per week. After a free 7-day trial, Coursera charges a monthly fee of $49, resulting in a total cost of just under $300 for the certificate.

If you’re considering a career change, be encouraged by the fact that the demand for cybersecurity professionals is high. There are even relatively low cost ways to achieve a Cybersecurity Certificate.

Good luck!

-Maureen

P.S. – Google says that the median salary in cybersecurity (with 0-5 years of experience) is $115,000 per year. 🙌

Okta Businesses at Work 2024 – Legal Applications are the Growth Leader

Okta has application usage data which you simply will not find anywhere else. This year’s report draws on anonymized data from their base of 18,800 global customers. Okta is a leader in identity and access management products. You may download the full “Okta Businesses at Work 2024” report here.

Growth in app categories: Legal software is the leader in customer growth

Source: Okta (My Annotations) – Growth in App Categories

Okta kicks off this year’s report with a spotlight on Legal applications, which was the leading app category in growth of number of customers.

“There’s no time for deals or contracts to get hung up in legal. So, as we look across the most popular app categories, it’s no surprise that legal tools have locked up a win, claiming by far the highest growth by number of customers (35% YoY) and substantial 34% YoY growth by number of unique users. Apps including Ironclad, LexisNexis, and LegalZoom drive this remarkable growth story. (Fun fact: Ironclad contract management software was our eighth-fastest-growing app in 2022.)”

-Okta (my bold type)

Let’s look at those three applications:

Ironclad – Offers Contract Management software, which includes moving sales contracts through the processes of review and sign-off to speed the business process.

LexisNexis – Provides legal, regulatory, and business information and analytics, now including Generative AI. LexisNexis is a premier product in legal research.

LegalZoom – Its online platform for business formation helps entrepreneurs by providing legal, tax and compliance products and expertise.

With that promising look at the growth in Legal applications, let’s take a look at four more charts in the Okta report.

Growth of the 50 most popular apps

Source: Okta

There are two leaders here. 1Password is the fastest-growing application by number of customers at 39% YoY. Amazon Business is the fastest-growing by number of unique users at 89% YoY. Law firms are ramping up usage of password managers like 1Password as one of the essential tools to prevent phishing and social engineering exploits.

Not to be missed by law firms is the growth of KnowBe4 at over 20%. KnowBe4 is a Security Awareness Training product, with a focus on phishing awareness. In 2022 I cited that KnowBe4 was the leading Security Awareness solution used by 62% of law firms surveyed in the International Legal Technology Association’s 2022 Technology Survey.

Most popular apps

Source: Okta

It’s easy to see the trend of law firms in the “Overall” ranking. Microsoft 365 is rapidly being adopted, as firms migrate from other Microsoft on-prem products. Number five, Zoom, and number eight, DocuSign, are nearly ubiquitous at law firms. Number ten is KnowBe4, the Security Awareness training SaaS application.

Fastest-growing apps by number of customers

Source: Okta

Data compliance applications make a first time appearance in the fastest growing app ranking by number of customers. Vanta holds the number one position with 338% YoY growth. Drata ranks number six, with 91% YoY growth. Data compliance software is growing at law firms as firms are subject to regulatory and client requirements.

Most popular security tool categories

Source: Okta

Okta entitles this section: “The perimeter shifts.”

They observe that VPN/firewall continues to lead the security tool category, as it has since 2020. However, deployment of VPN/firewall grew 12% last year versus 31% in the prior year. 57% of customers have deployed VPN/firewall tools.

The second fastest growing category in security tools is Endpoint Management and Security, deployed by 43% of customers. This category has grown consistently since the emergence of work-from-home.

For those interested in legal or enterprise technology there is much more in the Okta report worth looking at in detail. You may find the report here.

-Maureen

My Four Favorite Charts from the ILTA 2022 Technology Survey

The International Legal Technology Association’s 2022 survey is a broad treasure trove of data reported from 541 law firms.

There are 11 major topics including Infrastructure, Document Management, Practice Management, and Business Continuity.

My focus is on four of the twenty-seven questions surveyed in the Security section.

1. Password Management

ILTA 2022 Technology Survey

Password managers are one of the most highly recommended solutions for security. They help with: using complex passwords, deterring repeat usage of passwords, and providing secure storage for passwords. There is a learning curve to using a password manager, but once I got up to speed, I wondered how I would live without it. We have so many passwords to juggle these days. I am surprised that 50% of respondents are not providing a password manager.

2. Multi-factor Authentication

ILTA 2022 Technology Survey

Perhaps the single most recommended security mitigation is multi-factor authentication (MFA). Here we see Duo Security (a Cisco company) is the leader at 45%. There are three Microsoft solutions listed which total 27%.

In legal tech, it’s notable when a third-party solution is more widely adopted than a Microsoft solution as most law firms operate on the Microsoft stack.

3. What do You Secure with MFA?

ILTA 2022 Technology Survey

The largest response is VPN/Remote Access. Then Office 365. It’s very good to see high adoption of MFA for these widely used applications.

4. Which Phishing, Vishing, Social Engineering, or Security Awareness Program?

ILTA 2022 Technology Survey

KnowBe4 is the stand-out at 62%. Others used are Mimecast, Traveling Coaches, Proofpoint, managed service providers, and solutions developed in-house. Only 7% reported “None.” As phishing and social engineering are the cause of about 90% of exploits, law firms are wise to have these programs in place.

You may access the full data-rich report or the executive report from ILTA. Here is the download page.

-Maureen

Your Network Has Been Locked: What I Learned at ILTACON 2022

It was wonderful to meet with you all! Last week was the first fully in-person annual educational conference of the International Legal Technology Association (ILTA) since 2019. ILTACON is truly an event of peer-to-peer sharing. Many of the members have relationships dating back decades. Having an in-person event again was fantastic.

Security was one of the most in-demand topics. There were sessions on phishing, ransomware, breaches, and solutions. Here are three takeaways from sessions which I attended on what to do when a breach occurs. Note: I am not a cybersecurity expert. These are commonsense points which anyone can learn from.

Darkside Ransomware Email – Source: Acronis

1. First Call

At 10 PM on Saturday night, Asher in Support gets a call from an attorney who says, “I’m looking at a screen which says, ‘Your network has been locked!’” Asher was educated to escalate any such messages immediately. Let’s assume that this message gets to the CIO within minutes.

Who does the CIO call first?

  • Is it a contracted or pre-vetted cybersecurity services provider?
  • Is it the cybersecurity insurance carrier?

In a session which included both a panelist from a top cybersecurity services provider and a panelist from a major cybersecurity insurance carrier, each argued that they should be the first call. Each may have distinct objectives.

The cybersecurity insurance carrier will immediately send in their SWAT team. This expertise may be quite welcome at the law firm. A good carrier will bring great expertise to bear. At the same time, law firms report that when the insurance carrier team arrives, they lose control of the process. The firm IT team may be sidelined, by contract. The insurance company may have forensics as its top priority. One of their objectives is to discover whether the law firm was out of compliance with the policy.

The cybersecurity services company will also send in their SWAT team and bring great expertise and experience to bear. If the firm has vetted the services company their objectives should be aligned with the law firm’s.

Objectives include stopping exfiltration of firm data and business continuity. Law firms will want to safely get back to business-as-usual as quickly as possible.

2. Breach Counsel

One of the first things that the cybersecurity insurance carrier will do is to get their breach counsel engaged in the process so that communications are privileged. Law firms are uniquely positioned to get their own attorneys involved. Whether it is the insurance carrier’s attorney or a firm attorney, involve an attorney on all communications immediately. There will be public communications following the breach and perhaps legal action. Need I say more?

3. CIO Fiat to Shut Down Systems

When there is a breach, time is of the essence. Data may still be exfiltrating. While no law firm wants to do so, the best action may be to shut down all systems immediately. The moment when the firm’s data is flowing out to the hackers is not a good time to educate and negotiate with the firm’s executive team regarding shutting down systems. The CIO should have clear authority in advance to shut down systems.

Bonus: Have a Plan

Your firm is a target. Services like Dark Utilities make it easy for hackers to set up command and control (C2) infrastructure for malicious operations. Prices for C2-as-a-Service start at EUR 9.99. Easy, inexpensive tools mean that firms of any size are a target for “drive-by” attacks.

Even while your full incident recovery program is in development, it’s time well-spent to have a plan for the three points above in order to respond quickly.

One of the benefits of ILTACON is that we learn what has worked for other law firms in real world settings. Each firm should assess their own response plan.

See you in Orlando at #ILTACON23!

-Maureen

Okta 2022 Businesses at Work Report

The 8th annual Okta Businesses at Work report is a treasure trove of data. It’s fantastic that Okta shares this data. Moreover, the report is very visual, full of graphs and charts. Here are four which illustrate enterprise web application usage in 2022.

While the gap between Microsoft 365 and the rest of the pack widens, Google Workspace moves into third place.

Of Okta’s customers who use Microsoft 365, what are the most popular “best-of-breed” apps which those customers also use? One of the stories here is growing use of Google Workspace. Zoom is still growing. Reminder: this is only a picture of Okta’s customers.

Phenomenal growth by these up-and-comers, although you may not be familiar with a few of these applications. Netskope provides cloud-native security products and services. Notion is for collaboration. TripActions covers travel, credit card, and expense. Postman is a platform for building and using APIs.

You can see the steep growth in remote work here. Amongst Okta users, Palo Alto Networks Global Protect and Cisco AnyConnect are the leaders in remote access.

There is much more:

  • Popular applications by region and sector
  • HR and Workplace management applications
  • Security apps, including Okta Verify
  • Developer apps

I hope that you discovered something new.

You can download the report here.

-Maureen

2021. It’s not farewell. Ransomware, Unicorns, Profits, and Work from Home

While we may be happy to wave au revoir to 2021, one midnight does not change world circumstances. I think that the following four trends are not likely to go away in 2022.

  1. Our most popular blog post in 2021, by a factor of 10, was this post by our CEO, Seth Hallem, on the REvil vulnerability and the ensuing ransomware. Many IT and security people were kept busy over the July 4th weekend with the Kaseya VSA exploit. More law firms and more businesses overall were hit with ransomware than the public is aware of. At the risk of stating the obvious, this will only grow going forward.
  2. Unicorns, IPOs, M & A, and healthy funding rounds were undefeated by the pandemic. We covered the capital infusion in #legaltech here.
  3. Early in 2021, we learned from Thomson Reuters that Big and Mid-sized Law had been very profitable in pandemic-burdened 2020. Work from home meant more billable hours. Legal IT departments got attorneys up and running from home in quite literally a weekend. In early 2021 the question was, would work from home end as quickly as it had begun? The profits led one to conclude that it would not. The Delta and Omicron variants in 2021 ensured no quick ending.
  4. Finally, in the fall of 2021 companies such as Apple and Big Law firms were gearing up for early January or February 2022 “return to the office” dates. Then Omicron swept through the globe. Now all bets are off for when, and if, companies will return to the office.

Some good, some not so good. Overall, we can be grateful for the healthy demand for legal services and that so much of legal work can be done remotely.

I wish you the best for 2022!

-Maureen

REvil has struck again. What can we do? Design for explicit access.

At a glance…

  • Kaseya VSA is used by IT organizations and many Managed Service Providers (MSPs) to track IT assets and to deliver software installations and patches to a network of endpoint nodes.
  • Over the 4th of July weekend, a ransomware attack perpetrated by the REvil gang and its affiliates was delivered through the Kaseya VSA remote management software.
  • Each Windows node on the network runs a Kaseya agent, which is responsible for downloading and installing patches and software packages from the VSA server. It is common practice for an MSP to use a single VSA server to manage all of the MSP’s client networks, meaning that one compromised VSA server can create a downstream impact on hundreds of individual businesses.
  • 1,500 businesses may be affected.

The fascinating anatomy of the hack 

REvil’s successful hack began with an SQL injection attack against the VSA server. The attacked VSA servers were exposed to the Internet, presumably to allow for remote access to the VSA server by an MSP’s employees. An SQL injection attack was crafted by the hackers to (a) bypass authentication, (b) upload a file, and (c) inject a command to distribute a malicious software patch. This software patch was then dutifully downloaded by Kaseya agents installed on Windows endpoints attached to the compromised VSA server. The technical details of how this was accomplished are explained quite clearly in this article by Sophos.

The hack itself is fascinating from a technical perspective in multiple ways. First, an authentication bypass renders an entire stack of security technology (authentication providers and MFA) entirely irrelevant. There is no password guessing or credential stealing involved in this attack. Second, the MSP model where client networks are intermingled in a single VSA instance is inherently dangerous in that a single compromised server (whether via a 0-day exploit or a more traditional stolen credential) can spread malicious software across many disparate organizations, geographies, and networks. Third, it is perturbing that a piece of software like the VSA server was directly exposed to the Internet. The lack of any intervening, independent authentication (e.g., a VPN or IIS authentication using certificates or Kerberos) places an inordinate amount of trust in the security architecture of a single piece of software (the VSA server).
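The authentication bypass described above is what a string-built login query makes possible; the added example below (not Kaseya’s code, with a constructed SQLite user table and the textbook tautology input from every SQL-injection primer) shows the vulnerable query beside the parameterized one so the difference is concrete:

```python
import hashlib
import hmac
import sqlite3

# Constructed sample user table for the illustration; it is not Kaseya's schema.
# The password digest is unsalted SHA-256 purely to keep the example short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("msp_admin", hashlib.sha256(b"correct-horse").hexdigest()))
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Query text is assembled from the user-supplied name, so whatever the
    caller types is parsed as SQL. A tautology in the name makes the WHERE
    clause true regardless of the stored hash: authentication is bypassed."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(query).fetchone() is not None

def login_hardened(conn, username, password):
    """Bound parameter: the driver passes the name as data, never as SQL, and
    the digest comparison happens in Python in constant time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], pw_hash)

# The textbook tautology input; "--" comments out the rest of the WHERE clause.
TAUTOLOGY_NAME = "' OR 1=1 --"

def compare():
    """Returns ((vulnerable, hardened) for the tautology name with a wrong
    password, (vulnerable, hardened) for the legitimate login)."""
    conn = make_db()
    bypass = (login_vulnerable(conn, TAUTOLOGY_NAME, "wrong"),
              login_hardened(conn, TAUTOLOGY_NAME, "wrong"))
    legit = (login_vulnerable(conn, "msp_admin", "correct-horse"),
             login_hardened(conn, "msp_admin", "correct-horse"))
    return bypass, legit

if __name__ == "__main__":
    print(compare())
```

The vulnerable function accepts the tautology with no valid password at all, which is exactly why the MFA and identity providers sitting in front of the server never get a say.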

In general, the best way to mitigate hacks of all varieties is to apply a few principles:

  1. Keep independent networks as separate as possible, and always require authentication to move between them.
  2. Authenticate users and devices in layers that rely on disparate software stacks. Software is built by humans, and humans make mistakes that cause security vulnerabilities. Using independent software stacks to layer together multiple forms of authentication ensures that a hacker has to find multiple, independent mistakes that are exploitable in conjunction.
  3. Because there is still no perfect way to prevent endpoint attacks from happening, effective endpoint protection is essential. The Kaseya exploit relied on anti-virus exceptions on the endpoint to allow a malicious file to be downloaded, decoded into an executable, and run via a shell command. This malicious executable then executed a side-loading attack to actually launch the encryption process. Effective anomaly detection could have shut down the encrypting process before it got too far, and an alternative approach to using an anti-virus exception would have stopped the attack when it tried to execute the downloaded executable.

A collective reconsideration of how we protect networks and endpoints is overdue 

This latest attack from REvil confirms the obvious – the business of ransomware is here to stay. Whether it is REvil, a spinoff from REvil, or an entirely new organization that is inspired by REvil’s success, a collective reconsideration of how we protect networks and endpoints is overdue. It has become standard practice to disable security software in order to enable functionality, rather than demanding the opposite – that software declare its intended behaviors in order to enable security software to detect anomalous behavior. 

A system of specific access vs. access to the entire network 

Our LINK system is architected with this last principle in mind. Rather than assume that all mobile devices need access to the company network (e.g., via VPN), LINK assumes that only a small number of applications and data repositories should be mobilized. To configure LINK, IT specifies exactly what intranet applications, email servers, and file repositories (Document Management Systems, OneDrive, SMB shares, etc.) should be accessible from a mobile device, and this specification is role-based so that IT can take a pessimistic approach to mobile access (i.e., you can’t access anything unless permission is explicitly granted to you). LINK also uses multiple, independent layers of authentication – SSL certificates to authenticate the device, then traditional password-based authentication if the SSL authentication succeeds. Finally, each LINK installation acts as its own certificate authority for the purposes of SSL authentication. Hence, stealing a certificate for one installation does not grant access to any other installations.
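The explicit-access design just described, and principles 1 and 2 from the list earlier in the post, as an added illustration that is not LINK’s own code: installation names, device certificates, users and resource identifiers are all constructed, and the issuer/fingerprint lookup stands in for real X.509 chain verification against the installation’s CA.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceCert:
    issuer: str       # name of the installation CA that issued it
    device_id: str
    fingerprint: str  # stand-in for the certificate's public-key fingerprint

def pw_record(password, salt):
    """Salted SHA-256 record; a real deployment would use a slow KDF."""
    return (salt, hashlib.sha256(salt.encode() + password.encode()).hexdigest())

class Installation:
    """One LINK-style installation: its own CA, its own users, its own grants."""

    def __init__(self, ca_name, enrolled, users, roles, grants):
        self.ca_name = ca_name      # only certs from this CA are trusted here
        self.enrolled = enrolled    # device_id -> fingerprint issued by this CA
        self.users = users          # username -> (salt, pw_hash)
        self.roles = roles          # username -> set of roles
        self.grants = grants        # role -> set of resource ids; nothing else

    def verify_device(self, cert):
        # Layer 1: the cert must be from THIS installation's CA and match an
        # enrolled device. A cert lifted from another installation fails here.
        # (The dictionary lookup stands in for real X.509 chain verification.)
        return (cert.issuer == self.ca_name
                and self.enrolled.get(cert.device_id) == cert.fingerprint)

    def verify_password(self, username, password):
        # Layer 2: an independent credential, consulted only after layer 1.
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(expected, pw_record(password, salt)[1])

    def authorize(self, username, resource):
        # Layer 3: pessimistic default. A resource is reachable only if one of
        # the user's roles lists it explicitly; everything unlisted is denied.
        return any(resource in self.grants.get(role, set())
                   for role in self.roles.get(username, set()))

    def access(self, cert, username, password, resource):
        """Returns (allowed, reason); the first failing layer stops the request."""
        if not self.verify_device(cert):
            return False, "device certificate not issued by this installation"
        if not self.verify_password(username, password):
            return False, "password rejected"
        if not self.authorize(username, resource):
            return False, "no explicit grant for resource"
        return True, "granted"

# Constructed sample data: two separate installations, each its own CA.
FIRM_A = Installation(
    ca_name="firm-a-link-ca",
    enrolled={"ipad-17": "fp-a-17"},
    users={"jdoe": pw_record("correct-horse", "salt-a")},
    roles={"jdoe": {"litigation"}},
    grants={"litigation": {"dms:imanage-work", "mail:exchange"},
            "finance": {"smb://fileserver/finance"}},
)
CERT_A = DeviceCert("firm-a-link-ca", "ipad-17", "fp-a-17")
CERT_B = DeviceCert("firm-b-link-ca", "ipad-17", "fp-b-17")  # other firm's cert

def scenarios():
    """Each request is tried against FIRM_A; only the last one should pass."""
    return [
        FIRM_A.access(CERT_B, "jdoe", "correct-horse", "dms:imanage-work"),
        FIRM_A.access(CERT_A, "jdoe", "wrong", "dms:imanage-work"),
        FIRM_A.access(CERT_A, "jdoe", "correct-horse", "smb://fileserver/finance"),
        FIRM_A.access(CERT_A, "jdoe", "correct-horse", "dms:imanage-work"),
    ]

if __name__ == "__main__":
    for allowed, reason in scenarios():
        print(allowed, reason)
```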

As we expand LINK beyond mobile, our goal is to promote a different approach to endpoint computing. This approach starts with the idea that users, applications and data need to be integrated explicitly, rather than implicitly. This creates a work environment that is easily encapsulated, encrypted, and protected with limited entry points and exit points to move data in and out of this environment. While no approach is perfect, the more explicit we are about how users, applications, and data interact, the better chance we have to stop the ransomware business before it expands any further. 

-Seth Hallem, CEO & Co-founder, Mobile Helix

Word App Editing Just Got Easier for Lawyers with LINK

We have developed several editing workflows using the Word app over the years. Our newest one is the easiest one which we have seen anywhere. This is in part because our LINK app securely integrates your Document Management System and Email with the Word app. Therefore, you can choose to edit a file from DMS or an email attachment and it will open directly in Word.

Take a look at our 2 minute, 44 second video to see this workflow.

Here’s what you don’t have to do in our workflow:

  1. No need to copy the file in the Word app. LINK encrypts the file and moves it to Word.
  2. No need to save the file as .docx in the Word app. LINK converts .doc to .docx for you.
  3. No need to delete the file from the Word app after editing. LINK deletes it.

This video shows how straightforward it is to edit from LINK with the Word app.

LINK is integrated with iManage Work® 10, on-prem and in the Cloud; NetDocuments DMS; OneDrive; and Network File Shares, and integration with OpenText eDocs is in development. LINK is also integrated with Microsoft Exchange; therefore, you have your Outlook Email, Contacts, Calendar, Tasks, and Notes within the LINK App.

If your attorneys are looking for a simple way to edit files in DMS or in Outlook email with the Word app, email me. We are happy to show you a demo of this workflow.

-Maureen

contact @ mobilehelix dot com

F5 Labs on Phishing in 2020

Last week in my post on Okta’s 2021 Businesses at Work report, I mentioned the F5 Labs 2020 Phishing and Fraud Report. It is cited in the Businesses at Work report for its warning on Office 365. In brief, that warning is that Office 365 is a rich target because if an attacker breaches Office 365, they have access to email and much more, including potentially to SharePoint and OneDrive. F5 Labs warns to use Multi-Factor Authentication (MFA) with Office 365.

The F5 Labs Phishing and Fraud report is full of useful information. It’s a tutorial on phishing, a source of exploit data, and a guide as to how to protect from phishing.

In this post, I share 3 of the many images in the report to tempt you into looking at the full report.

Phishing Incidents Dealt with by F5’s Security Operations Center – F5 Labs

We’ve known for years that phishing is the number one cause of data breaches. F5 Labs estimated, as shown above, that the number of phishing incidents in 2020 was projected to increase by 15% compared with 2019.

Sample Phishing Subject Lines – F5 Labs

As anyone who has an email inbox knows, phishing perpetrators are nothing if not topical. In addition, they prey on fear. These cyber-criminals were quick to capitalize on COVID-19. Starting in March of 2020, fear and false information about COVID-19 became a hot subject for phishing, as this list conveys.

Steps in a Phishing Attack – F5 Labs

The report explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing. It concludes with pragmatic sections on “Protecting the Business” and “Protecting Users.”

Phishing is a challenging problem. It is social engineering. The attackers’ schemes mutate. We humans are the weak link. F5 Labs has useful research here, free for the reading.

-Maureen