What’s the one sure thing that defines life as an IT professional at a law firm? There’s always a challenge. Lucky for us, these unsung heroes thrive in the face of complexity.
Perhaps the most significant challenge for the IT professional in legal is security. The sharp increase in mobile device use over the past few years has added several new complexities to the security conversation.
The recent data breach known as the “Panama Papers” exposed terabytes of confidential information from the Mossack Fonseca law firm. We still do not fully know how the breach happened, but what has been reported about security practices at law firms gives us reason to believe that they may not be as good as they need to be.
Security has taken a backseat in too many places as of late, causing it to be reduced to nothing more than a simple check-list: VPN? Check. MDM? Check. SSL? Check. These checklists are good and fine, but they need to be complemented with an understanding of the threats to the firm’s information systems as a whole. Without that understanding, people can be lulled into a false sense of security and risk a data leak that will compromise the entire firm and its clients.
Mobility vendors have a special responsibility given that their software operates in a very hostile environment: compromised, lost or stolen devices, malicious hotspots, bad user practices… the list of potential threats goes on and on and at the end of this post we will include links to some interesting reads.
Also in this post, we’ll review some of the most common scenarios where security can be compromised and how you can protect your firm before an attack takes place.
Scenario #1: Device Lost or Stolen
One of your devices is lost or stolen. Any confidential data stored on that device is now, or shortly will be, in the hands of the attacker. Remote wipe only works if the device comes back online, and an attacker who pulls the SIM or keeps the device in airplane mode can make sure it never does. Encryption protects the data only as well as the passcode and the hardware behind it: a short PIN on a device without hardware-backed key storage and attempt throttling will eventually be brute-forced. You only get one chance to protect your data, and once it is gone, it is gone.
Lesson: Do not store data on user devices.
Scenario #2: Password Reuse
No matter how many times they are told not to, users frequently reuse the same password across many different systems. A lost or stolen device, even one that contains no actual documents, can still contain cached user passwords that can be used to attack and compromise your VPN, Intranet, Email, Citrix, Document Management System, etc.
Lesson: Do not store passwords on user devices. If an App must remember something to avoid a login prompt, it should be a short-lived, revocable token tied to that device, not the user’s password.
Scenario #3: Insecure Connections
Some websites and servers accept both encrypted (HTTPS) and unencrypted (HTTP) connections. Your users may be using an unencrypted connection without knowing any better. Everything sent that way travels in plain text, including confidential documents, session cookies and passwords, and anyone on the network path can read it. A server that merely redirects HTTP to HTTPS still leaks the first request and leaves the door open to a downgrade.
Lesson: Do not transmit data over unencrypted connections. On the server side, disable plain HTTP (or redirect it and send a Strict-Transport-Security header so browsers stop trying it); on the client side, have Apps refuse anything but HTTPS with certificate validation.
Scenario #4: Phishing Attacks
In this instance, the user receives an email purporting to be from website XYZ asking them to change their password. The user diligently obliges, but it turns out that the email was fake, and the attackers now have the user’s password, which they are using, as we speak, to impersonate the user and access his/her confidential data.
Lesson: Require two-factor authentication, so that a stolen password alone is not enough to log in. Keep in mind that a code from an authenticator App or SMS can still be relayed by a phishing site that proxies the real login page in real time, so prefer phishing-resistant methods such as hardware security keys (FIDO2) where the system supports them.
Scenario #5: Server Compromise
An attacker learns that your firm uses a certain mobile App that talks to your back office servers through a port opened in your firewall. The attacker then uses that opening to find and exploit a vulnerability in the back office application or in the server’s operating system. The rest is history.
Lesson: Do not open holes in your firewall. If an App truly needs an inbound path, expose only a hardened gateway or reverse proxy in a DMZ, authenticate the device before any application traffic reaches the back office, keep the application and database servers themselves unreachable from the internet, and patch whatever is listening.
Scenario #6: Malicious Hotspots
One of your users at the airport needs an internet connection and, sure enough, decides it is a good idea to connect to an innocent-looking Wi-Fi hotspot called “Free Internet Here!” The owner of the hotspot now sits in the middle of every connection and is in an enviable position to eavesdrop on emails, passwords and other confidential information, or to redirect the user to look-alike login pages.
Lesson: Assume every network is hostile, and make man-in-the-middle attacks fail rather than hoping users avoid them: require TLS with proper certificate validation for every connection (and certificate pinning where both the App and the server are under your control), so that the hotspot sees nothing but ciphertext and a forged certificate is rejected.
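To make Scenarios #3 and #6 concrete, here is an added example (written for this page, not code from the original post or from any vendor) that shows what a hotspot operator recovers from a single plain-HTTP login, and next to it the client-side rules that make the same attack fail: refuse non-HTTPS URLs and downgrade redirects, and use a TLS context that actually validates the certificate. The captured request, the host name and the credentials are constructed for the example.

```python
import base64
import ssl
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what anyone on the network path sees when a client
# logs in over plain HTTP. Not a real capture; host and credentials are made up.
BASIC_HEADER = base64.b64encode(b"alice:CorrectHorse!").decode()
CAPTURED_PLAINTEXT = "\r\n".join([
    "POST /login HTTP/1.1",
    "Host: intranet.example.com",
    "Authorization: Basic " + BASIC_HEADER,
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 34",
    "",
    "username=alice&password=Hunter2%21",
]).encode()


def credentials_on_the_wire(raw: bytes) -> dict:
    """What a passive eavesdropper learns from one plain-HTTP login request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = {"request": request_line, "host": headers.get("host", "")}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64, not encryption: trivially reversed.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, password)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        for field in ("password", "passwd", "pass"):
            if field in form:
                found["form_password"] = form[field][0]
    return found


def request_allowed(url: str, redirect_to=None) -> bool:
    """Client rule: only HTTPS, and never follow a redirect that downgrades to
    HTTP, which is exactly what a malicious hotspot can inject."""
    if urlsplit(url).scheme != "https":
        return False
    return redirect_to is None or urlsplit(redirect_to).scheme == "https"


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' setting. With this, the
    hotspot's forged certificate is accepted and TLS protects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validate the chain against the platform trust store, check the host
    name, and refuse pre-1.2 TLS so a protocol downgrade fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: the three settings a mobile App must never relax."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print(credentials_on_the_wire(CAPTURED_PLAINTEXT))
    # {'request': 'POST /login HTTP/1.1', 'host': 'intranet.example.com',
    #  'basic_auth': ('alice', 'CorrectHorse!'), 'form_password': 'Hunter2!'}
    print("weak context safe?", tls_context_is_safe(weak_client_context()))          # False
    print("hardened context safe?", tls_context_is_safe(hardened_client_context()))  # True
```

The same request sent over a properly validated TLS connection gives the hotspot only the server name (from SNI) and the traffic size, which is why the defence is enforced in the App and on the server rather than left to the user at the airport.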
Scenario #7: Device Compromise
A user’s device gets infected with a virus or other malware. The next time the user connects to your VPN, the malware has a route onto your internal network and uses it to spread its payload.
Lesson: Do not let devices connect directly to your VPN, and always assume devices are compromised. Give a mobile App access to the one service it needs through a gateway rather than a network-level tunnel into the LAN, and check the device’s posture (OS version, jailbreak or root status, MDM enrollment) before granting even that.
Scenario #8: Malicious Downloads
A user receives an email indicating that a new version of the “Easy Share” App is now available for download. The email is fake, however, and what the user actually installs is a malicious App that uploads all of the user’s contacts, email and VPN settings to the attacker’s website. That was indeed easy sharing!
Lesson: Only accept downloads from trusted App stores, and on managed devices use your MDM to restrict installation to an approved list and block sideloading.
Although all these scenarios are real, and very common, the lessons may be impractical or even impossible to follow in every situation. Sometimes you have no alternative; sometimes your users simply must have that App even though its design increases the risk of a data leak. But by following these lessons as far as you can and practicing defense in depth, so that no single failure exposes everything, you can manage risk better and, perhaps, avoid becoming the next front page story.
Is your firm following all of these practices? If there are any gaps in how you are managing your mobile security, there is no better time than now to address them!