The International Legal Technology Association’s 2022 survey is a broad treasure trove of data reported from 541 law firms.
There are 11 major topics including Infrastructure, Document Management, Practice Management, and Business Continuity.
My focus is on four of the twenty-seven questions surveyed in the Security section.
Password managers are one of the most highly recommended solutions for security. They help with: using complex passwords, deterring repeat usage of passwords, and providing secure storage for passwords. There is a learning curve to using a password manager, but once I got up to speed, I wondered how I would live without it. We have so many passwords to juggle these days. I am surprised that 50% of respondents are not providing a password manager.
2. Multi-factor Authentication
Perhaps the single most recommended security mitigation is multi-factor authentication (MFA). Here we see Duo Security (a Cisco company) is the leader at 45%. There are three Microsoft solutions listed which total 27%.
In legal tech, it’s notable when a third-party solution is more widely adopted than a Microsoft solution as most law firms operate on the Microsoft stack.
3. What do You Secure with MFA?
The largest response is VPN/Remote Access (not exactly the same thing to me). Then Office 365. It’s very good to see high adoption of MFA for these widely used applications.
4. Which Phishing, Vishing, Social Engineering, or Security Awareness Program?
KnowBe4 is the stand-out at 62%. Others used are Mimecast, Traveling Coaches, Proofpoint, managed service providers, and solutions developed in-house. Only 7% reported “None.” As phishing and social engineering are the cause of about 90% of exploits, law firms are wise to have these programs in place.
It was wonderful to meet with you all! Last week was the first fully in-person annual educational conference of the International Legal Technology Association (ILTA) since 2019. ILTACON is truly an event of peer-to-peer sharing. Many of the members have relationships dating back decades. Having an in-person event again was fantastic.
Security was one of the most in-demand topics. There were sessions on phishing, ransomware, breaches, and solutions. Here are three takeaways from sessions which I attended on what to do when a breach occurs. Note: I am not a cybersecurity expert. These are commonsense points which anyone can learn from.
At 10 PM on Saturday night, Asher in Support gets a call from an attorney who says, “I’m looking at a screen which says, ‘Your network has been locked!'” Asher was educated to escalate any such messages immediately. Let’s assume that this message gets to the CIO within minutes.
Who does the CIO call first?
Is it a contracted or pre-vetted cybersecurity services provider?
Is it the cybersecurity insurance carrier?
In a session which included both a panelist from a top cybersecurity services provider and a panelist from a major cybersecurity insurance carrier, each argued that they should be the first call. Each may have distinct objectives.
The cybersecurity insurance carrier will immediately send in their SWAT team. This expertise may be quite welcome at the law firm. A good carrier will bring great expertise to bear. At the same time, law firms report that when the insurance carrier team arrives, they lose control of the process. The firm IT team may be sidelined, by contract. The insurance company may have as its top priority forensics. One of their objectives is to discover if the law firm were out of compliance with the policy.
The cybersecurity services company will also send in their SWAT team and bring great expertise and experience to bear. If the firm has vetted the services company their objectives should be aligned with the law firm’s.
Objectives include stopping exfiltration of firm data and business continuity. Law firms will want to safely get back to business-as-usual as quickly as possible.
2. Breach Counsel
One of the first things that the cybersecurity insurance carrier will do is to get their breach counsel engaged in the process so that communications are privileged. Law firms are uniquely positioned to get their own attorneys involved. Whether it is the insurance carrier’s attorney or a firm attorney, involve an attorney on all communications immediately. There will be public communications following the breach and perhaps legal action. Need I say more?
3. CIO Fiat to Shut Down Systems
When there is a breach, time is of the essence. Data may still be exfiltrating. While no law firm wants to do so, the best action may be to shut down all systems immediately. The moment when the firm’s data is flowing out to the hackers is not a good time to educate and negotiate with the firm’s executive team regarding shutting down systems. The CIO should have clear authority in advance to shut down systems.
Bonus: Have a Plan
Your firm is a target. Services, like Dark Utilities, make it easy for hackers to to set up a command center (C2) for malicious operations. Prices for C2-as-a-Service start at EUR 9.99. Easy, inexpensive tools mean that firms of any size are a target for “drive-by” attacks.
Even while your full incident recovery program is in development, it’s time well-spent to have a plan for the three points above in order to respond quickly.
One of the benefits of ILTACON is that we learn what has worked for other law firms in real world settings. Each firm should assess their own response plan.
The 8th annual Okta Businesses at Work report is a treasure trove of data. It’s fantastic that Okta shares this data. Moreover, the report is very visual, full of graphs and charts. Here are four which illustrate enterprise web application usage in 2022.
While the gap between Microsoft 365 and the rest of the pack widens, Google Workspace moves into third place.
Of Okta’s customers who use Microsoft 365, what are the most popular “best-of-breed” apps which those customers also use? One of the stories here is growing use of Google Workspace. Zoom is still growing. Reminder: this is only a picture of Okta’s customers.
Phenomenal growth by these up-and-comers, although you may not be familiar with a few of these applications. Netskope provides cloud-native security products and services. Notion is for collaboration. TripActions covers travel, credit card, and expense. Postman is a platform for building and using APIs.
You can see the steep growth in remote work here. Amongst Okta users, Palo Alto Networks Global Protect and Cisco AnyConnect are the leaders in remote access.
While we may be happy to wave au revoir to 2021, one midnight does not change world circumstances. I think that the following four trends that are not likely to go away in 2022.
Our most popular blog post in 2021, by a factor of 10, was this post by our CEO, Seth Hallem, on the REvil vulnerability and the ensuing ransomware. Many IT and security people were kept busy over the July 4th weekend with the Kaseya VSA exploit. More law firms and more businesses overall were hit with ransomware than the public is aware of. At the risk of stating the obvious, this will only grow going forward.
Unicorns, IPOs, M & A, and healthy funding rounds were undefeated by the pandemic. We covered the capital infusion in #legaltech here.
Early in 2021, we learned from Thomson Reuters that Big and Mid sized Law had been very profitable in pandemic burdened 2020. Work from home meant more billable hours. Legal IT departments got attorney up and running from home in quite literally a weekend. In early 2021 the question was, would work from home end as quickly as it had begun? The profits lead one to conclude that it would not. The Delta and Omicron variants in 2021 ensured no quick ending.
Finally, in the fall of 2021 companies such as Apple and Big Law firms were gearing up for early January or February 2022 “return to the office” dates. Then Omicron swept through the globe. Now all bets are off for when, and if, companies will return to the office.
Some good, some not so good. Overall, we can be grateful for the healthy demand for legal services and that so much of legal work can be done remotely.
Kaseya VSA is used by IT organizations and many Managed Service Providers (MSPs) to track IT assets and to deliver software installations and patches to a network of endpoint nodes.
Over the 4th of July weekend, a ransomware attack perpetrated by the REvil gang and its affiliates was delivered through the Kaseya VSA remote management software.
Each Windows node on the network runs a Kaseya agent, which is responsible for downloading and installing patches and software packages from the VSA server. It is common practice for an MSP to use a single VSA server to manage all of the MSP’s client networks, meaning that one compromised VSA server can create a downstream impact on hundreds of individual businesses.
1,500 businesses may be effected.
The fascinating anatomy of the hack
REvil’s successful hack began with an SQL injection attack against the VSA server. The attacked VSA servers were exposed to the Internet, presumably to allow for remote access to the VSA server by an MSP’s employees. An SQL injection attack was crafted by the hackers to (a) bypass authentication, (b) upload a file, and (c) inject a command to distribute a malicious software patch. This software patch was then dutifully downloaded by Kaseya agents installed on Windows endpoints attached to the compromised VSA server. The technical details of how this was accomplished are explained quite clearly in this article by Sophos.
The hack itself is fascinating from a technical perspective in multiple ways. First, an authentication bypass renders an entire stack of security technology (authentication providers and MFA) entirely irrelevant. There is no password guessing or credential stealing involved in this attack. Second, the MSP model where client networks are intermingled in a single VSA instance is inherently dangerous in that a single compromised server (whether it be a via a 0-day exploit or a more traditional stolen credential) can spread malicious software across many disparate organizations, geographies, and networks. Third, it is perturbing that a piece of software like the VSA server was directly exposed to the Internet. The lack of any intervening, independent authentication (e.g., a VPN or IIS authentication using certificates or Kerberos) places an inordinate amount of trust in the security architecture of a single piece of software (the VSA server).
In general, the best way to mitigate hacks of all varieties is to apply a few principles:
Keep independent networks as separate as possible, and always require authentication to move between them.
Authenticate users and devices in layers that rely on disparate software stacks. Software is built by humans, and humans make mistakes that cause security vulnerabilities. Using independent software stacks to layer together multiple forms of authentication ensures that a hacker has to find multiple, independent mistakes that are exploitable in conjunction.
Because there is still no perfect way to prevent endpoint attacks from happening, effective endpoint protection is essential. The Kaseya exploit relied on anti-virus exceptions on the endpoint to allow a malicious file to be downloaded, decoded into an executable, and run via a shell command. This malicious executable then executed a side loading attack to actually launch the encryption process. Effective anomaly detection could have shut down the encrypting process before it got too far, and an alternative approach to using an anti-virus exception would have stopped the attack when it tried to execute the downloaded executable.
A collective reconsideration of how we protect networks and endpoints is overdue
This latest attack from REvil confirms the obvious – the business of ransomware is here to stay. Whether it is REvil, a spinoff from REvil, or an entirely new organization that is inspired by REvil’s success, a collective reconsideration of how we protect networks and endpoints is overdue. It has become standard practice to disable security software in order to enable functionality, rather than demanding the opposite – that software declare its intended behaviors in order to enable security software to detect anomalous behavior.
A system of specific access vs. access to the entire network
Our LINK system is architected with this last principle in mind. Rather than assume that all mobile devices need access to the company network (e.g., via VPN), LINK assumes that only a small number of applications and data repositories should be mobilized. To configure LINK, IT specifies exactly what intranet applications, email servers, and file repositories (Document Management Systems, One Drive, SMB shares, etc.) should be accessible from a mobile device, and this specification is role-based so that IT can take a pessimistic approach to mobile access (i.e., you can’t access anything unless permission is explicitly granted to you). LINK also uses multiple, independent layers of authentication – SSL certificates to authenticate the device, then traditional password-based authentication if the SSL authentication succeeds. Finally, each LINK installation acts as its own certificate authority for the purposes of SSL authentication. Hence, stealing a certificate for one installation does not grant access to any other installations.
As we expand LINK beyond mobile, our goal is to promote a different approach to endpoint computing. This approach starts with the idea that users, applications and data need to be integrated explicitly, rather than implicitly. This creates a work environment that is easily encapsulated, encrypted, and protected with limited entry points and exit points to move data in and out of this environment. While no approach is perfect, the more explicit we are about how users, applications, and data interact, the better chance we have to stop the ransomware business before it expands any further.
We have developed several editing workflows using the Word app over the years. Our newest one is the easiest one which we have seen anywhere. This is in part because our LINK app securely integrates your Document Management System and Email with the Word app. Therefore, you can choose to edit a file from DMS or an email attachment and it will open directly in Word.
Take a look at our 2 minute, 44 second video to see this workflow.
Here’s what you don’t have to do in our workflow:
No need to copy the file in the Word app. LINK encrypts the file and moves it to Word.
No need to save the file as .docx in the Word file. LINK converts .doc to .docx for you.
No need to delete the file from the Word app after editing. LINK deletes it.
This video shows how straightforward it is to edit from LINK with the Word app.
LINK is integrated with iManage Work® 10, on-prem and in the Cloud; NetDocuments DMS; OneDrive; Network File Shares; and OpenText eDocs is in development. LINK is also integrated with Microsoft Exchange, therefore, you have your Outlook Email, Contacts, Calendar, Tasks, and Notes within the LINK App.
If your attorneys are looking for a simple way to edit files in DMS or in Outlook email with the Word app, email me. We are happy to show you a demo of this workflow.
Last week in my post on Okta’s 2021 Businesses at Work report, I mentioned the F5 Labs 2020 Phishing and Fraud Report. It is cited in the Businesses at Work report for its warning on Office 365. In brief, that warning is that Office 365 is a rich target because if an attacker breaches Office 365, they have access to email and much more, including potentially to SharePoint and OneDrive. F5 Labs warns to use Multi-Factor Authentication (MFA) with Office 365.
The F5 Labs Phishing and Fraud report is full of useful information. It’s a tutorial on phishing, a source of exploit data, and a guide as to how to protect from phishing.
In this post, I share 3 of the many images in the report to tempt you to looking at the full report.
We’ve known for years that phishing is the number one cause of data breaches. F5 Labs estimated, as shown above, that the number of phishing incidents in 2020 was projected to increase by 15% compared with 2019.
As anyone who has an email inbox knows, phishing perpetrators are nothing if not topical. In addition, they prey on fear. These cyber-criminals were quick to capitalize on COVID-19. Starting in March 0f 2020, fear and false information about COVID-19 became a hot subject for phishing, as this list conveys.
The report explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. It concludes with pragmatic sections on “Protecting the Business” and “Protecting Users.”
F5 Labs also explains financial fraud, deception techniques such as custom URLs, and the trajectory of phishing in the report. Phishing is a challenging problem. It is social engineering. The attackers’ schemes mutate. We humans are the weak link. F5 Labs has useful research here, free tor the reading.
Each year I look forward to Okta’s Businesses at Work report. Okta anonymizes data from its more than 9,400 customer entities. These are customers which use the Okta Identity Network (OIN) with its over 6,500 integrations with cloud, mobile, and web apps, and with IT infrastructure providers. The report is free, not even a registration is needed. To my knowledge no other public report provides this level of data on cloud application usage.
For data lovers it’s a treasure trove of facts about cloud usage. There are over 28 charts and tables. Download it here. I’ll share a few of my favorite insights from the report.
Most Popular Apps by Number of Customers
Microsoft 365 wins. I attended a legal technology conference in 2014. In a session on SharePoint, hosted by Microsoft, the roadmap showed that Outlook, Exchange, and, yes, SharePoint were all moving to the cloud in the form of Office 365. People exited the room in fury. At that time, most law firms were adamant – No Cloud. While there will always be law firms, especially “Big Law,” which will keep Outlook, SharePoint, and the Office Suite on-premises, the adoption of Office 365 or Microsoft 365 in the legal sector has been swift over the past two years. The Okta data reflects this.
This chart shows that the gap in usage between Microsoft 365 and all other applications, including AWS and Salesforce, has only widened in the past 5 years.
Most Popular Video Conferencing Apps
This graph highlights the steep curve in Zoom usage which we all lived through in 2020. At Mobile Helix, we started using Zoom heavily in 2017. We even perform our LINK system deployments remotely over Zoom in about two hours. When the pandemic hit, we were easily able to deploy LINK with IT staff who were themselves working from home. Customers favor our over-Zoom deployment over an on-site visit as it ends up taking less of their time.
Customers Authenticating With Each Factor
Phishing has been up 220% during the pandemic per F5’s2020 Phishing and Fraud Report (an excellent report on phishing). The Okta report quotes, “F5 warns that the login page of our most popular app, Microsoft 365 (M365), is one of the most popular targets for generic phishing because attackers know that stealing Office 365 credentials can grant them access not only to email but also corporate documents, finance, HR, and many other critical business functions.”
Strong Multi-Factor Authentication (MFA) should be used with M365. The chart above shows that of Okta customers authenticating with a factor in addition to, or instead of a password, 82% use Okta Verify. The good news here is that weaker factors such as SMS and security questions are on the decline.
One of the positive conclusions from Okta’s 2021 Businesses at Work report has to be that as difficult as 2020 was, with 38M people applying for unemployment, if it had happened even 10 years earlier, how many people would have been unable to work from home? The growth of web-based applications, cloud-based services, and mobile apps resulted in most office jobs successfully transitioning to work-from-home in two or three weeks.
iOS has solid encryption, there is no backdoor, hence, your firm’s data is safe under lock and key, correct? Not necessarily. Enlightening new research by cryptographers at Johns Hopkins University (1) has surfaced weaknesses in the iOS and Android encryption schemes. Ironically, in the case of iOS, part of the weakness is related to a security hierarchy which is often unused.
“Apple provides interfaces to enable encryption in both first-party and third-party software, using the iOS Data Protection API. Within this package, Apple specifies several encryption “protection classes” that application developers can select when creating new data files and objects. These classes allow developers to specify the security properties of each piece of encrypted data, including whether the keys corresponding to that data will be evicted from memory after the phone is locked (“Complete Protection” or CP) or shut down (“After First Unlock” or AFU) …
… the selection of protection class makes an enormous practical difference in the security afforded by Apple’s file encryption. Since in practice, users reboot their phones only rarely, many phones are routinely carried in a locked-but-authenticated state (AFU). This means that for protection classes other than CP, decryption keys remain available in the device’s memory. Analysis of forensic tools shows that to an attacker who obtains a phone in this state, encryption provides only a modest additional protection over the software security and authentication measures described above.” (JHU – bold is our addition)
The reality is that most of our iPhones are commonly in “After First Unlock” state because we rarely reboot our phones. To achieve maximum security, we would have to power down our iPhones and authenticate after each use. That is, scores or hundreds of times per day. Otherwise, all data in the AFU state is vulnerable to law enforcement agencies or criminals with the right forensic tools. As the Hopkins researchers noted, “Law enforcement agencies, including local departments, can unlock devices with Advanced Services for as cheap as $2,000 USD per phone, and even less in bulk, and commonly do so.”
“There’s great crypto available, but it’s not necessarily in use all the time,” says Maximilian Zinkus, Johns Hopkins University. The Hopkins researchers also extended their analysis to include the vulnerability of iCloud services and device backups:
Device owners may take actions to ensure greater security. Apple Insider cites a few user actions including: Use SOS mode; use the setting which locks iOS devices after 10 failed login attempts; and don’t use iCloud back-ups. But these user-optional mitigations are not adequate for enterprise security, and they don’t address the forensic techniques used to steal data in the AFU state. Enterprises need systematic approaches across all firm-managed devices.
Why Secure Containers Are Needed
Sophisticated attackers and government agencies have a variety of available tools at their disposable to extract sensitive data from a seized or stolen device. The preponderance of evidence shows that law enforcement is largely successful in cracking open a device and extracting sensitive information as needed. Evidence further suggests that these techniques are ported to even the latest iOS versions and devices (take a close look at https://www.grayshift.com/ – they offer the state-of-the-art in device forensics). What can you do to truly protect sensitive data? The built-in capabilities of the operating system are not sufficient.
Secure containers provide an additional layer of encryption by implementing an entirely independent encryption mechanism to protect data. To examine the protection offered by secure contain apps, we will refer to our LINK app in this discussion. LINK not only uses its own, independent encryption scheme, Link also uses its own built-in encryption technology. In other words, the LINK encryption software stands entirely independent from the operating system, regardless of whether that operating system is intact or compromised. As long as encryption keys are protected well, then secure containers can provide the kind of locked-down encryption that law firms want to protect email and documents, which encapsulate a large majority of a firm’s most sensitive data.
LINK’s data protection exceeds iOS in a few significant ways:
LINK is an app, and iOS apps are routinely removed from memory. Hence, while LINK does necessarily keep encryption keys in memory when the app is active, once the app is removed from memory its encryption keys are too. This stands in contrast to iOS’ “AFU” encryption.
LINK allows IT to identify data that is only accessible when the device is online. This makes it awfully difficult to get the encryption keys for that data, especially once the device has been identified as lost or stolen and flagged for a remote wipe.
LINK’s online encryption keys are really hard to guess. Offline keys are hard to guess too, as long as your organization uses complex A-D passwords. Online keys are not derived from a user’s passcode or even a user’s A-D password. LINK’s encryption keys are derived from randomized 32-character strings that are generated on the LINK servers using entropy available on the server. Brute-forcing the key derivation is unlikely to work, which means an attacker would have to compromise the LINK Controller that sits safely inside our customers’ networks, then break the encryption scheme protecting sensitive data stored in our Controller database. Getting LINK data is a lot more complicated than stealing or seizing a mobile device.
LINK aggressively limits the amount of data available on the device, online or offline. We do so by simply expiring away data that sits unused on the device. This is a really simple way to limit exposure without much practical impact on a user. Users can always go back to their email (via search) or to the document management system to find what they were working on. There is no practical reason to store lots of old, unused data on a device that is easy to steal and, as it turns out, compromise once stolen.
LINK’s data is useless when obtained from an iCloud backup or a local backup to a Mac device. LINK’s encryption keys are never backed up. An attacker’s best hope is to brute force both the iOS device passcode and the user’s A-D password before IT notices that the device is lost or stolen. This is incredibly difficult to accomplish given Apple’s built-in protections against brute-forcing passcode and given a reasonably complex, hard-to-guess A-D password.
The JHU research simply reminds us that Apple’s interests diverge widely from those of an individual law firm. Apple has to balance the needs of law enforcement and users to make data accessible while still providing a reasonable degree of protection. Law firms’ best interests lie in maximally protecting data against unauthorized access. In order to achieve this latter goal, Apple’s built-in technology simply won’t suffice.
Seth Hallem is the CEO, Chief Architect, and Co-Founder of Mobile Helix, makers of the LINK App. With LINK professionals can review, annotate, compare, and email files, as well as use the firm intranet, using a single secure container app. www.mobilehelix.com
No. I’m not referring to the now infamous GoDaddy employee $650 holiday bonus email. Employees who responded to the email with the requested information were later informed that they had failed the company phishing test. If you have not yet read that dispiriting story, it’s here.
I am referring to this charming email which I received this morning.
It is from: “Mobilehelix passwordexpiration.”
Presumably, that would be warning enough for your employees to hit the “Delete” button posthaste.
If not that, then maybe those over-sized blue bands which overlap the line below would be a tip-off.
(I have obscured the recipient’s email address.)
This is a very good opportunity for me to show you a security feature in our LINK App. When you open an email in LINK you will always see the alias and below it the sender’s email address. You don’t have to tap or do anything else to display the email address. It’s there.
In this case the alias is the aforementioned, “Mobilehelix passwordexpiration.”
And the email address is, “firstname.lastname@example.org.”
If your employee were uncertain as to whether to hit that “Delete” button, I think that seeing that the email is from “email@example.com” would be the icing on the cake. This email is definitely not from the company IT department. Delete.
We are serious about security at Mobile Helix. Much of what we build into the LINK system, such as certificate-based device registration in the new user registration process, is behind the scenes. It’s invisible to your employee and works in the background.
But this security feature is a designed to help your employees to be watchdogs for senders with devious intentions. 90% of organizations experienced targeted phishing attacks in 2019. Humans are the weakest link. This is one simple tool to help all of us to be vigilant.
Originally published in LinkedIn on December 28, 2020