real estate law & practice mcle meeting attorney resource ... · 2/8/2018 · bank for their...

Real Estate Law & Practice MCLE Meeting Attorney Resource Center (ARC)

Date : February 8, 2018

11:45 AM – Noon Welcome/Introductions Angel Traub, Section Chair

Noon – 1:00 PM Program

Cybersecurity Risk Management for Real Estate Attorneys Chris Burhans, Attorneys’ Title Guaranty Fund, Inc. Speaker’s Bio

Chris is the Chief Information Officer at Attorneys’ Title Guaranty Fund, Inc. He is an accomplished manager of IT systems and projects offering more than 12 years key experience. He has practiced in successful development and management of business-critical systems security and telecommunication components. Chris has a Master’s Degree in Data Security from DePaul along with several certifications including CISSP and C/EH.

Presentation Description

This presentation will analyze the cyber security threat matrix for law firms and provide industry specific risk mitigation techniques.

Next Meeting: March 8th

DCBA Events: 2/22 Happy Hour @ 5:30 p.m. – Cooper’s Corner, Winfield

3/2 43rd Annual Judges’ Nite

3/15 Happy Hour @ 5: 30 p.m. Muldoon’s in Wheaton

3/21 President’s Trip- Phoenix, AZ

View & Print All CLE Certificates through the DCBA Website:

Manage Profile -> Professional Development (under content & features) and choose the icon to the left of each meeting to print your certificate directly or choose to have them emailed to you to save to your computer (you MUST be logged in to view this feature)

DCBA OnDemand CLE is Now Powered by IICLE The Illinois Institute for Continuing Legal Education (IICLE®) and the DuPage County Bar Association (DCBA) are excited to offer a new IICLE®Share collaboration to provide DCBA members a high quality and reliable online learning experience. Members can find the link to The Illinois Institute for Continuing Legal Education (IICL) on the DCBA website under “Legal Community” ◊ OnDemand CLE ◊ Online CLE Catalog.

2/7/2018

1

Cybersecurity Risk Management

for Real Estate Attorneys

Chris Burhans CISSP, C|EH, Sec+, MS

Chief Information Officer | Senior VP

Attorneys’ Title Guaranty [email protected](312) 752‐1241

Agenda

What is Cybersecurity?

Major Law Firm Breaches

Profiling Hackers

Wire Fraud

Challenges facing small businesses

Financial Risk

Attack History

Exposure

Attack Vectors

Social Engineering

Spear Phishing, Ransomware, Insiders

Mitigation Techniques

Prevention, Detection & Recovery

The Future of Cyber Attacks

Cybersecurity Checklist

How ATG Can Help

ATG Legal Education

New Tools Coming…

© 2018 Attorneys’ Title Guaranty Fund, Inc.

2/7/2018

2



2/7/2018

3

What is Cybersecurity?

“Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.”

Cisco Systems



2/7/2018

4

Law Firms At Risk

2016: The Panama Papers are an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung, which shared them with the International Consortium of Investigative Journalists (ICIJ).


How much is "personal information" worth on the Darknet?

Full credit history (good rating FICO): $25

Full scan documents such as passport , driving license, utility bills and so on, will cost: $10-35

Account service provider in the US: $14

PayPal and eBay accounts with a good, long-term history: $300

Full details of the bank account: $200-500

Netflix subscription: $.50+

Flat rate of $30 for U.S. credit cards, $20 to $35 for U.K. cards, $20 to $40 for Canadian cards, $21 to $40 for Australian cards and $25 to $45 for European cards

Source: Trend Micro


2/7/2018

5



2/7/2018

6


Wire Transfer Fraud - Statistics

$5.3 billion: The amount targeted by perpetrators in the mortgage industry alone in 2016 (source: FBI)

480%: Year-over-year increase in wire fraud scams reported by title companies to the Internet Crime Complaint Center (IC3) in 2016.

2,370%: Increase in identified exposed losses to the most typical of wire fraud scams between January 2015 and December 2016.

103: Number of nations to which fraudulent transfers have been rerouted (Source: IC3 and ALTA)

22,143: The number of businesses victimized by wire fraud. (Source: FBI)


2/7/2018

7

Wire Transfer Fraud – Real World Examples

November 2017: Couple loses life savings, $300,000+, after being tricked by thieves who convincingly posed as their real estate attorneys.

January 2016: Montgomery County, Md., hackers siphoned off "between $100,000 and $200,000" sent by buyers to what they believed was the correct bank for their home purchase, according to Todd Hylton, owner of Excalibur Title & Escrow LLC, whose firm was scheduled to handle the settlement. The money vanished.

March 2016: Greenfield, Mass., Corinne Fitzgerald, broker-owner of Fitzgerald Real Estate, hackers grabbed $80,000 in closing funds and $20,000 in earnest money deposits by penetrating the email account of a buyer's agent and supplying false bank wiring instructions.


Only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.

60% of small companies go out of business within six months of a cyber attack.

48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.


2/7/2018

8

These companies spent an average of $879,582 because of damage or theft of IT assets.

In addition, disruption to normal operations cost an average of $955,429.



2/7/2018

9



2/7/2018

10

Attack Vectors – Deception

Social Engineering: “using deception to obtain confidential information from someone by phone or in person.”


Attack Vectors – Email

1. Spear Phishing: “a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.”


2/7/2018

11


Attack Vectors –Ransomware

2. Ransomware: “a type of software that is designed to extort money from a victim. Often, Ransomware will demand a payment in order to undo changes that the Trojan virus has made to the victim’s computer.”

A 2016 survey from IBM that found that 70% of businesses impacted by ransomware paid the criminals.


2/7/2018

12

WannaCry

The WannaCry Ransomware affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.



2/7/2018

13

Attack Vectors – Insider

3. Inside Attack: “a malicious attack perpetrated on a network or computer system by a person with authorized system access.”



2/7/2018

14

Attack Vectors – “Viruses”

4. Malware/Virus: “software that is specifically designed to gain access or damage a computer without the knowledge of the owner. ”



2/7/2018

15

Attack Vectors – Too Many To Count

Many more attack vectors exist:

Man in the Middle

XSS

Password cracking

Denial of Service

Sniffers

Data Modification

Etc.


Risk Mitigation Techniques

1. Prevention: the process of implementing controls to prevent cybersecurity threats.

2. Detection: the process of monitoring and remediating your environment if a data breach has occurs.

3. Recovery: the plan to restore all of your digital assets if an attack takes place.


2/7/2018

16

Prevention

Awareness: According to the results of the 2014 US State of Cybercrime Survey, around 42% of respondents asserted that the security awareness training of new employees helped to deter attacks.

Mandatory employee awareness training

Cybersecurity policy creation and acknowledgement

Password strength

Login sharing

Monitoring

Restrictions

Notification platform for zero day threats

General procedures to report attacks


Prevention (cont.)

Multi-Factor Authentication: In a survey on digital identity by Centrify, over a quarter of respondents said they enter a password online more than 10 times a day, which is potentially 3,500 to 4,000 times a year.

According to Symantec, 80% of security breaches could be prevented with 2FA.


2/7/2018

17

Prevention (cont.)

Operating system / browser / 3rd party software updates: “a vulnerability is a hole in computer security that leaves the system open to damages caused by cyber attackers.”



2/7/2018

18

Detection

Anti-Virus: “software that can identify and block many viruses before they can infect your computer. Once you install anti-virus software, it is important to keep it up to date.”

In 2014, a senior vice president at Symantec, went so far as to publicly say he thought that antivirus software was “dead.” At the time, he estimated that the technology only caught about 45 percent of cyberattacks.


Detection (cont.)

Hardware Firewall: “a piece of hardware purchased, as a stand-alone product, to protect the perimeter of the entire network.”


2/7/2018

19


Detection (cont.)

Real-Time Monitoring: “the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.”


2/7/2018

20

Recovery

Backup / Restoration: copying and archiving of computer data so it may be used to restore the original after a data loss event.

6% of all PCs will suffer an episode of data loss in any given year.

70% fail within five years.

34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.

60% of companies that lose their data will shut down within 6 months of the disaster.

Every week 140,000 hard drives crash in the United States

Options include cloud, tape, network, external hard drives, etc.


Recovery (cont.)

Disaster Recovery Plan: is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.

96% of organizations have a DR solution.

50% leveraging the cloud, 9% using cloud-only.

54% have reported downtime of more than 8 hours.

Two in five companies don’t have a documented disaster recovery plan.

52% of small businesses say it would take at least three months to recovery from a disaster, according to the same survey.

Only 18% of companies surveyed that have fewer than 50 employees have a disaster recovery plan.

Only 25% of businesses that close due to a major disaster ever reopen


2/7/2018

21


Recovery (cont.)

Routine Maintenance / Testing / Review: “your IT DR plan should be tested at least once a year. If you are a large organization employing more than 150 employees, you might want to consider testing it at least once every quarter.”


2/7/2018

22

The Future of Cybersecurity

Mobile Botnets

SMS SPAM

AI & Machine Learning Agents

Combination Hacks

Sleeper Hacks

Burrowed Hacks

Cybersecurity Ventures expects ransomware damage costs will rise to $11.5 billion in 2019 and that a business will fall victim to a ransomware attack every 14 seconds by that time.

What does it all mean? In 2015, Ginni Rometty, IBM's chairman, president and CEO, said, "Cyber crime is the greatest threat to every company in the world."

New forms of cyber attacks are emerging everyday …


The Future of Cybersecurity

Statista, a statistics portal, estimates that there are 22.9 billion connected devices in 2016, and predicts they will grow to 50 billion by 2020.

Cyber Security is a rapidly evolving industry, projected to become a $232 billion global market by 2022. This is a significant rise from last year, in which the market value reached $137.8 billion worldwide. (Forbes)

Cyber crime is expected to cost the world $6 trillion per year by 2021, up from $3 trillion in 2015. To put that in perspective, profits will surpass those global illegal drug trade. (According to research firm Cyber security Ventures)


2/7/2018

23


Security Benefits of the Blockchain

Transparency: The distributed nature of distributed blockchain ledgers means that no one administrative agency has a master copy, everybody with access to it can see the same transactions and no one can change or alter entries in it.

Data Integrity: users can trust that the data they are seeing and using is quality data that hasn’t been tampered or interfered with in anyway.

Decentralization: the breach of a single terminal by a hacker looking for sensitive or personally identifiable information (PII) won’t compromise the data as it would be stored across various different encrypted nodes and blocks.


2/7/2018

24

Security Companies Leveraging The Blockchain

GuardTime: a data security startup that has been around since 2007. It is now placing its bets on blockchain technology to secure sensitive records.

REMME: businesses can authenticate users and devices without the need for a password.

Obsidian: uses the blockchain-decentralized network, which cannot be censored or controlled by any single source. In addition, communications meta-data is scattered throughout the distributed ledger, and cannot be gathered at one central point, reducing the risk of surveillance through such digital fingerprints.


Getting Started - Cybersecurity Checklist

Get a private business domain for email / website

Install a hardware firewall

Install an updated anti-virus program

Implement multi-factor authentication for email

Review wireless security infrastructure

Utilized the cloud to backup your data

Implement on-going cybersecurity awareness program for your office

Schedule routine maintenance and patching for all your devices

Create a disaster recovery plan

Install security monitoring on your network

Create schedule to revisit security program components

Identify legacy devices – purge, update, mitigate

Document an information security policy


2/7/2018

25

How ATG Can Help You

We take action to protect ourselves to ensure your transactions are safe.

ATG Legal Education

Secure Wire Instructions

New Technology On The Way ….

Chris Burhans CISSP, C|EH, Sec+, MSChief Information Officer | Senior VPAttorneys’ Title Guaranty [email protected] (312) 752-1241


Sources FBI.com

ABAJournal.com

Fortune.com

HousingWire.com

Cisco.com

SmallBizTrends.com

TrendMicro.com

Microsoft.com

Realtor.com

CIO.com

AbovetheLaw.com

Blockchain.info

AmericanBarAssociation.org

PCMagazine.com

Symantec.com


real estate law & practice mcle meeting attorney resource ... · 2/8/2018 · bank for their...

Documents