TRANSCRIPT
Real Estate Law & Practice MCLE Meeting Attorney Resource Center (ARC)
Date: February 8, 2018
11:45 AM – Noon Welcome/Introductions Angel Traub, Section Chair
Noon – 1:00 PM Program
Cybersecurity Risk Management for Real Estate Attorneys
Chris Burhans, Attorneys’ Title Guaranty Fund, Inc.
Speaker’s Bio
Chris is the Chief Information Officer at Attorneys’ Title Guaranty Fund, Inc. He is an accomplished manager of IT systems and projects with more than 12 years of key experience. He has practiced in successful development and management of business-critical systems security and telecommunication components. Chris has a Master’s Degree in Data Security from DePaul along with several certifications including CISSP and C/EH.
Presentation Description
This presentation will analyze the cyber security threat matrix for law firms and provide industry specific risk mitigation techniques.
Next Meeting: March 8th
DCBA Events: 2/22 Happy Hour @ 5:30 p.m. – Cooper’s Corner, Winfield
3/2 43rd Annual Judges’ Nite
3/15 Happy Hour @ 5:30 p.m. – Muldoon’s in Wheaton
3/21 President’s Trip – Phoenix, AZ
View & Print All CLE Certificates through the DCBA Website:
Manage Profile -> Professional Development (under content & features) and choose the icon to the left of each meeting to print your certificate directly or choose to have them emailed to you to save to your computer (you MUST be logged in to view this feature)
DCBA OnDemand CLE is Now Powered by IICLE
The Illinois Institute for Continuing Legal Education (IICLE®) and the DuPage County Bar Association (DCBA) are excited to offer a new IICLE®Share collaboration to provide DCBA members a high quality and reliable online learning experience. Members can find the link to The Illinois Institute for Continuing Legal Education (IICLE) on the DCBA website under “Legal Community” -> OnDemand CLE -> Online CLE Catalog.
2/7/2018
Cybersecurity Risk Management
for Real Estate Attorneys
Chris Burhans CISSP, C|EH, Sec+, MS
Chief Information Officer | Senior VP
Attorneys’ Title Guaranty [email protected] (312) 752‐1241
Agenda
What is Cybersecurity?
Major Law Firm Breaches
Profiling Hackers
Wire Fraud
Challenges facing small businesses
Financial Risk
Attack History
Exposure
Attack Vectors
Social Engineering
Spear Phishing, Ransomware, Insiders
Mitigation Techniques
Prevention, Detection & Recovery
The Future of Cyber Attacks
Cybersecurity Checklist
How ATG Can Help
ATG Legal Education
New Tools Coming…
© 2018 Attorneys’ Title Guaranty Fund, Inc.
What is Cybersecurity?
“Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.”
Cisco Systems
Law Firms At Risk
2016: The Panama Papers are an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung, which shared them with the International Consortium of Investigative Journalists (ICIJ).
How much is "personal information" worth on the Darknet?
Full credit history (good rating FICO): $25
Full scans of documents such as passport, driving license, utility bills and so on: $10-35
Account service provider in the US: $14
PayPal and eBay accounts with a good, long-term history: $300
Full details of the bank account: $200-500
Netflix subscription: $0.50+
Flat rate of $30 for U.S. credit cards, $20 to $35 for U.K. cards, $20 to $40 for Canadian cards, $21 to $40 for Australian cards and $25 to $45 for European cards
Source: Trend Micro
Wire Transfer Fraud - Statistics
$5.3 billion: The amount targeted by perpetrators in the mortgage industry alone in 2016 (source: FBI)
480%: Year-over-year increase in wire fraud scams reported by title companies to the Internet Crime Complaint Center (IC3) in 2016.
2,370%: Increase in identified exposed losses to the most typical of wire fraud scams between January 2015 and December 2016.
103: Number of nations to which fraudulent transfers have been rerouted (Source: IC3 and ALTA)
22,143: The number of businesses victimized by wire fraud. (Source: FBI)
Wire Transfer Fraud – Real World Examples
November 2017: Couple loses life savings, $300,000+, after being tricked by thieves who convincingly posed as their real estate attorneys.
January 2016: Montgomery County, Md., hackers siphoned off "between $100,000 and $200,000" sent by buyers to what they believed was the correct bank for their home purchase, according to Todd Hylton, owner of Excalibur Title & Escrow LLC, whose firm was scheduled to handle the settlement. The money vanished.
March 2016: Greenfield, Mass. (Corinne Fitzgerald, broker-owner of Fitzgerald Real Estate): hackers grabbed $80,000 in closing funds and $20,000 in earnest money deposits by penetrating the email account of a buyer's agent and supplying false bank wiring instructions.
Only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
60% of small companies go out of business within six months of a cyber attack.
48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
These companies spent an average of $879,582 because of damage or theft of IT assets.
In addition, disruption to normal operations cost an average of $955,429.
Attack Vectors – Deception
Social Engineering: “using deception to obtain confidential information from someone by phone or in person.”
Attack Vectors – Email
1. Spear Phishing: “a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.”
Attack Vectors – Ransomware
2. Ransomware: “a type of software that is designed to extort money from a victim. Often, Ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim’s computer.”
A 2016 survey from IBM found that 70% of businesses impacted by ransomware paid the criminals.
WannaCry
The WannaCry Ransomware affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.
Attack Vectors – Insider
3. Inside Attack: “a malicious attack perpetrated on a network or computer system by a person with authorized system access.”
Attack Vectors – “Viruses”
4. Malware/Virus: “software that is specifically designed to gain access or damage a computer without the knowledge of the owner.”
Attack Vectors – Too Many To Count
Many more attack vectors exist:
Man in the Middle
XSS
Password cracking
Denial of Service
Sniffers
Data Modification
Etc.
Risk Mitigation Techniques
1. Prevention: the process of implementing controls to prevent cybersecurity threats.
2. Detection: the process of monitoring and remediating your environment if a data breach occurs.
3. Recovery: the plan to restore all of your digital assets if an attack takes place.
Prevention
Awareness: According to the results of the 2014 US State of Cybercrime Survey, around 42% of respondents asserted that the security awareness training of new employees helped to deter attacks.
Mandatory employee awareness training
Cybersecurity policy creation and acknowledgement
Password strength
Login sharing
Monitoring
Restrictions
Notification platform for zero day threats
General procedures to report attacks
Prevention (cont.)
Multi-Factor Authentication: In a survey on digital identity by Centrify, over a quarter of respondents said they enter a password online more than 10 times a day, which is potentially 3,500 to 4,000 times a year.
According to Symantec, 80% of security breaches could be prevented with 2FA.
Prevention (cont.)
Operating system / browser / 3rd party software updates: “a vulnerability is a hole in computer security that leaves the system open to damages caused by cyber attackers.”
Detection
Anti-Virus: “software that can identify and block many viruses before they can infect your computer. Once you install anti-virus software, it is important to keep it up to date.”
In 2014, a senior vice president at Symantec went so far as to publicly say he thought that antivirus software was “dead.” At the time, he estimated that the technology only caught about 45 percent of cyberattacks.
Detection (cont.)
Hardware Firewall: “a piece of hardware purchased, as a stand-alone product, to protect the perimeter of the entire network.”
Detection (cont.)
Real-Time Monitoring: “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.”
Recovery
Backup / Restoration: copying and archiving of computer data so it may be used to restore the original after a data loss event.
6% of all PCs will suffer an episode of data loss in any given year.
70% fail within five years.
34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
60% of companies that lose their data will shut down within 6 months of the disaster.
Every week 140,000 hard drives crash in the United States
Options include cloud, tape, network, external hard drives, etc.
Recovery (cont.)
Disaster Recovery Plan: a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.
96% of organizations have a DR solution.
50% leveraging the cloud, 9% using cloud-only.
54% have reported downtime of more than 8 hours.
Two in five companies don’t have a documented disaster recovery plan.
52% of small businesses say it would take at least three months to recover from a disaster, according to the same survey.
Only 18% of companies surveyed that have fewer than 50 employees have a disaster recovery plan.
Only 25% of businesses that close due to a major disaster ever reopen
Recovery (cont.)
Routine Maintenance / Testing / Review: “your IT DR plan should be tested at least once a year. If you are a large organization employing more than 150 employees, you might want to consider testing it at least once every quarter.”
The Future of Cybersecurity
Mobile Botnets
SMS SPAM
AI & Machine Learning Agents
Combination Hacks
Sleeper Hacks
Burrowed Hacks
Cybersecurity Ventures expects ransomware damage costs will rise to $11.5 billion in 2019 and that a business will fall victim to a ransomware attack every 14 seconds by that time.
What does it all mean? In 2015, Ginni Rometty, IBM's chairman, president and CEO, said, "Cyber crime is the greatest threat to every company in the world."
New forms of cyber attacks are emerging every day…
The Future of Cybersecurity
Statista, a statistics portal, estimates that there were 22.9 billion connected devices in 2016, and predicts they will grow to 50 billion by 2020.
Cyber Security is a rapidly evolving industry, projected to become a $232 billion global market by 2022. This is a significant rise from last year, in which the market value reached $137.8 billion worldwide. (Forbes)
Cyber crime is expected to cost the world $6 trillion per year by 2021, up from $3 trillion in 2015. To put that in perspective, profits will surpass those of the global illegal drug trade (according to research firm Cybersecurity Ventures).
Security Benefits of the Blockchain
Transparency: The distributed nature of blockchain ledgers means that no single administrative agency holds a master copy; everybody with access to it can see the same transactions, and no one can change or alter entries in it.
Data Integrity: users can trust that the data they are seeing and using is quality data that hasn’t been tampered or interfered with in any way.
Decentralization: the breach of a single terminal by a hacker looking for sensitive or personally identifiable information (PII) won’t compromise the data as it would be stored across various different encrypted nodes and blocks.
Security Companies Leveraging The Blockchain
GuardTime: a data security startup that has been around since 2007. It is now placing its bets on blockchain technology to secure sensitive records.
REMME: businesses can authenticate users and devices without the need for a password.
Obsidian: uses the blockchain-decentralized network, which cannot be censored or controlled by any single source. In addition, communications meta-data is scattered throughout the distributed ledger, and cannot be gathered at one central point, reducing the risk of surveillance through such digital fingerprints.
Getting Started - Cybersecurity Checklist
Get a private business domain for email / website
Install a hardware firewall
Install an updated anti-virus program
Implement multi-factor authentication for email
Review wireless security infrastructure
Utilize the cloud to back up your data
Implement an ongoing cybersecurity awareness program for your office
Schedule routine maintenance and patching for all your devices
Create a disaster recovery plan
Install security monitoring on your network
Create a schedule to revisit security program components
Identify legacy devices – purge, update, mitigate
Document an information security policy
How ATG Can Help You
We take action to protect ourselves to ensure your transactions are safe.
ATG Legal Education
Secure Wire Instructions
New Technology On The Way…
Chris Burhans CISSP, C|EH, Sec+, MS
Chief Information Officer | Senior VP
Attorneys’ Title Guaranty [email protected] (312) 752-1241
Sources
FBI.com
ABAJournal.com
Fortune.com
HousingWire.com
Cisco.com
SmallBizTrends.com
TrendMicro.com
Microsoft.com
Realtor.com
CIO.com
AbovetheLaw.com
Blockchain.info
AmericanBarAssociation.org
PCMagazine.com
Symantec.com