CYBERSECURITY When Will You Be Hacked?

CYBERSECURITY When Will You Be Hacked?

SUFFOLK ACADEMY OF LAW The Educational Arm of the Suffolk County Bar Association 560 Wheeler Road, Hauppauge, NY 11788 (631) 234-5588 CYBERSECURITY When Will You Be Hacked? FACULTY Victor John Yannacone, Jr., Esq. April 26, 2017 Suffolk County Bar Center, NY Cybersecurity Part I 12 May 2017 COURSE MATERIALS 1. A cybersecurity primer 3 – 1.1. Cybersecurity practices for law firms 5 – 1.2. Cybersecurity and the future of law firms 11 – 2. Information Security 14 – 2.1. An information security policy 33 – 2.2. Data Privacy & Cloud Computing 39 – 2.3. Encryption 47 – 3. Computer security 51 – 3.1. NIST Cybersecurity Framework 77 – 4. Cybersecurity chain of trust; third party vendors 113 – 5. Ransomware 117 – 5.1. Exploit kits 132 – 6. Botnets 137 – 7. BIOS 139 – 7.1. Universal Extensible Firmware Interface (UEFI) 154– 8. Operating Systems 172 – 8.1. Microsoft Windows 197 – 8.2. macOS 236– 8.3. Open source operating system comparison 263 – 9. Firmware 273 – 10. Endpoint Security Buyers Guide 278 – 11. Glossaries & Acronym Dictionaries 11.1. Common Computer Abbreviations 282 – 11.2. BABEL 285 – 11.3. Information Technology Acronymns 291 – 11.4. Glossary of Operating System Terms 372 – 2 Cyber Security Primer Network outages, hacking, computer viruses, and similar incidents affect our lives in ways that range from inconvenient to life-threatening. As the number of mobile users, digital applications, and data networks increase, so do the opportunities for exploitation. Cyber security, also referred to as information technology security, focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction. Government agencies, the military, corporations, financial institutions, hospitals, and other groups collect, process, and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security. Cyber Security Glossary of Terms Cyber security terminology from the Department of Homeland Security. Access - The ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. Active Attack - An actual assault perpetrated by an intentional threat source that attempts to alter a system, its resources, its data, or its operations. Blacklist - A list of entities that are blocked or denied privileges or access. Bot - A computer connected to the Internet that has been surreptitiously/secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator. Cloud Computing - A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Critical Infrastructure - The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters. Cryptography - The use of mathematical techniques to provide security services, such as confidentiality, data integrity, entity authentication, and data origin authentication. 3 Cyber Space - The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Data Breach - The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information. Digital Forensics - The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes. Enterprise Risk Management - A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization's ability to achieve its objectives. Information Assurance - The measures that protect and defend information and information systems by ensuring their availability, integrity, and confidentiality. Intrusion Detection - The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred. Key - The numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. Malware - Software that compromises the operation of a system by performing an unauthorized function or process. Passive Attack - An actual assault perpetrated by an intentional threat source that attempts to learn or make use of information from a system but does not attempt to alter the system, its resources, its data, or its operations. Penetration Testing - An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system. Phishing - A digital form of social engineering to deceive individuals into providing sensitive information. Root - A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools. Software Assurance - The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. Virus - A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer. Whitelist - A list of entities that are considered trustworthy and are granted access or privileges. 4 A CNA PROFESSIONAL COUNSEL GUIDE FOR LAWYERS AND LAW FIRMS SM Law Firm Cyber Security Practices Data breaches within law firms are rarely reported in mainstream news outlets, and those law firms affected by data breaches usually prefer not to publicize the breaches. This general underreporting of data breaches within the profession has led many lawyers to greatly underestimate their own data security risks. As a result of this misplaced sense of security, many law firms have failed to take necessary steps to improve their data security. This is one situation where “no news” is not necessarily “good news.” Law firms suffer data breaches not only from hacker intrusions, but also from many other sources and causes. Those law firms that choose to ignore this risk do so at their peril. Implementing adequate data security is not only a sound business practice, but also a legal and ethical duty for lawyers. Fortunately, law firms may avoid the vast majority of breaches by implementing data security measures that are neither unduly expensive nor obtrusive. The Growing Data Security and Privacy Threat for Law Firms Law firms hold vast collections of sensitive client documents – data of significant value to hackers. Ample cause for concern arises as security experts working with law firms report that law firm hacking is pervasive. In most of these cases, the law firms either had failed to discover the breach on their own, or had discovered the breach several months after its occurrence. Indeed, security experts commonly note that there are two types of law firms: those that know they have been hacked, and those that don’t yet know it! Beyond the risk of a hacking incident, law firms are vulnerable to data breaches from within the law firm. According to CNA claim data, a lost or stolen laptop or device is the most frequent cause of a data breach claim. The growth of smartphones, tablets and other devices in the legal profession has notably amplified the security risks for law firms. Many law firms now have “Bring Your Own Device” (BYOD) policies that enable lawyers to access their law firms’ networks and download client data onto their devices. Currently, most law firms do not require any security on outside devices, such as mandatory password protection, encryption, or remote wiping capability. As a result, not only is data on the device vulnerable to a potential breach if the device is lost or stolen, but the firm’s network itself may be exposed to harmful malware and viruses present on the device. Rogue employees represent another vulnerability regarding law firm data. Although this situation may be rare, there have been examples of lawyers or other law firm staff misappropriating or misusing confidential client data. 5 In a recent case, a law firm brought litigation against a former partner of the firm who had downloaded Dropbox software onto the firm’s network in order to continue accessing client files through the cloud provider after his departure. Firms should, therefore, consider adopting security mechanisms such as data loss protection (“DLP”) systems, also known as data leak prevention systems, to help detect and prevent the potential unauthorized transmittal of confidential information by employees.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    382 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us