
The Scales of Justice Hold Weighty PII Whitepaper


Post on 21-Jun-2020


A SentinelOne Whitepaper


The Scales of Justice Hold Weighty PII

When most companies get breached, the fallout is relatively predictable. There’s a notification letter sent out to affected customers, who get a year or two of free credit monitoring—and that’s it. No media outcry, no high profile resignations, and barely any interruption to business as usual. Most companies, however, aren’t law firms.

Very few companies hold PII that can land their clients in prison, and law firms are among them. In fact, when other companies hold information that could potentially get them into trouble with the law, law firms are usually where they stow it—making legal entities the custodian of financial data, health information, insurance records, sensitive intellectual property, and more. Apart from banks (and nuclear arms manufacturers), no other kind of organization holds a greater concentration of sensitive material.

For proof, take a look at the Panama Papers hack, a colossal disclosure of sensitive information held by the Panamanian law firm Mossack Fonseca. That breach leaked financial information pertaining to top officials in dozens of countries for all to see. What’s more, in the fallout from the breach, it became obvious that Mossack Fonseca was protecting its clients’ information with cyber defenses that were desperately obsolete.

Mossack Fonseca is not alone. Law firms protect some of the most sensitive information on the face of the planet—but, as an industry, their investment in the tools and training to protect this information is enormously lacking. Where are the gaps, and what are the specific risks? More importantly, how can law firms quickly pivot to adapt to these very real threats?

The scale of the Panama Papers hack: 2.6 terabytes, 11.5 million documents, 200,000 shell companies.

Law Firms Plead Guilty to Lackluster InfoSec

Only a little analysis is necessary to determine that law firms lag behind both in traditional security measures and in awareness of their importance. Security awareness training, for example, is fully stagnant within law firms: the International Legal Technology Association reports that twelve percent of law firms don’t train employees on information security, and over half of firms train their employees only once a year.

As a result, sixty percent of law firms fear that their employees are susceptible to social engineering campaigns or spear phishing attacks. They’re right to fear, as these kinds of attacks open a window for damaging forms of malware, including ransomware.

In June of 2016, a spate of European legal firms underwent ransomware attacks, continuing a run of attacks against law firms that has been ongoing since 2009. These attacks don’t usually involve a ransom designed to beggar the victim; most ransoms are in the low hundreds of dollars. The ramifications, however, can be far more expensive. Ransomware groups often end up encrypting mission-critical elements of a law firm, such as a client database. Not only does this prevent the law firm from running normal operations, the ransomware group might also decide not to decrypt the system even if the ransom is paid. Worse still are the potential consequences in the form of reduced customer trust.

Conventional breaches haven’t spared law firms either. In March 2016, a number of large M&A law firms—including Cravath, Swaine & Moore LLP, and Weil, Gotshal & Manges, two of the industry’s biggest players—made a rare public disclosure that they’d been breached the previous summer. During the same week, dozens of other firms made the unrelated disclosure that they’d been targeted by Russian hackers looking for sensitive business information.

93% of phishing attacks now come loaded with ransomware.


This data would have allowed the attacker to potentially make millions of dollars via what amounted to insider trading—using advance details of upcoming corporate mergers and acquisitions to make advantageous stock purchases.

Again, most law firms try not to make waves in the media, so there’s not much information on the specific form these attacks took, or even what, if anything, was taken. It’s not possible to use these specific events to build a general picture of the security loopholes that might commonly exist within law firms.

However, there is one breach that has been explored in great detail: the Mossack Fonseca breach. If the vulnerabilities depicted there are any indication, then the entire legal industry is in serious trouble.

Shortly after the publication of the Panama Papers, independent security researchers took an inventory of the legal firm’s website. What they discovered was an obsolete mess of a system. The login portal alone was subject to a vulnerability known as DROWN, because it allowed connections from servers that use an obsolete version of SSL.

The CMS itself had not been updated since 2013 at the time of the breach, and contained 25 additional vulnerabilities.

Other failures included a webmail system that hadn’t been updated since 2009, a similarly vulnerable WordPress installation, unencrypted emails, and other weaknesses, which meant that the individuals who leaked the Panama Papers probably didn’t have a very difficult time getting their hands on sensitive information. The ramifications have been huge.

Attackers exploiting the DROWN vulnerability would have been able to hack Mossack Fonseca’s CMS in under a minute, using tools that cost less than $500.
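The whitepaper describes DROWN only as a login portal that still admitted an obsolete version of SSL. As an added example (not from the whitepaper or from SentinelOne), the following Python lint flags Apache `SSLProtocol` and nginx `ssl_protocols` directives that still allow SSLv2 or SSLv3; the config lines are constructed, and treating Apache’s `all` as possibly including SSLv2 (true of old mod_ssl builds) is an assumption.

```python
"""Lint web-server TLS settings for obsolete SSL versions (DROWN needs SSLv2).

Constructed example: reads Apache mod_ssl `SSLProtocol` and nginx
`ssl_protocols` directives from config text and reports any that still
enable SSLv2 or SSLv3. Not part of the whitepaper or of any vendor product.
"""
import re

OBSOLETE = {"SSLv2", "SSLv3"}
# Assumption: treat Apache's `all` conservatively, as if it could still
# include SSLv2 (the case for old mod_ssl builds, which is the DROWN scenario).
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def apache_protocols(args):
    """Resolve `SSLProtocol all -SSLv2 -SSLv3` style arguments to a set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def nginx_protocols(args):
    """nginx lists enabled protocols explicitly: `ssl_protocols TLSv1.2 TLSv1.3;`."""
    return set(args.rstrip(";").split())


DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*$", re.I)


def obsolete_findings(config_text):
    """Return (line_number, directive, obsolete versions) for each weak line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#")[0])  # ignore trailing comments
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        enabled = (apache_protocols(args) if name.lower() == "sslprotocol"
                   else nginx_protocols(args))
        bad = sorted(enabled & OBSOLETE)
        if bad:
            findings.append((lineno, name, bad))
    return findings


# Constructed sample: the weak settings beside their corrected forms.
WEAK_CONFIG = "SSLEngine on\nSSLProtocol all   # may still admit SSLv2/SSLv3\nssl_protocols SSLv3 TLSv1;\n"
FIXED_CONFIG = "SSLProtocol all -SSLv2 -SSLv3\nssl_protocols TLSv1.2 TLSv1.3;\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, obsolete_findings(cfg))
```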

What’s the Sentence for Insecure Law Firms?

Due to fallout from the Panama Papers, Prime Minister Sigmundur David Gunnlaugsson, of Iceland, was forced to resign. Prime Minister Nawaz Sharif, of Pakistan, was temporarily forced to flee to London. Public figures from David Cameron to Vladimir Putin were embarrassed. Law enforcement agencies from no fewer than five European nations began to collaborate in order to hunt down and prosecute tax evaders. While not every law firm protects secrets of that particular magnitude, the fact remains that legal breaches have the power to ruin lives, careers, and companies.

These breaches take their toll on a firm's clients, but what of the firms themselves? The consequences for a breached law firm are no less dire, as it happens.

First, ironically, one of the first-order consequences for a breached law firm is a legal threat. For example, in response to the breaches at the M&A firms mentioned above, another law firm has put together a class-action lawsuit that targets fifteen firms believed to have sub-par information security investment. As security threats against law firms become more public, and as their lack of security becomes more evident, it is likely that these lawsuits will increase in number.



Secondly, there’s compliance to consider. Law firms commonly store personal health information (PHI), and sensitive financial data. This makes them subject to HIPAA and Sarbanes-Oxley Act compliance regimes—and associated penalties for non-compliance. SOX penalties can include massive fines, but extend to potentially more brutal remedies, such as removal from stock exchange listings, and invalidation of certain insurance policies. Similarly, the worst form of HIPAA violation—uncorrected willful neglect of a potential vulnerability—can cost fifty thousand dollars per violation, with an annual maximum penalty of $1.5 million.

Lastly, there’s cyber-insurance. Only 13% of firms with 100 or more employees have data breach insurance, but that figure is likely to increase, as cyber liability insurance coverage grew 27% from 2014-2015. This coverage can help defray costs associated with fines, ameliorating aggrieved customers, and recovering corrupted data. Many companies, however, are discovering that cyber-insurance organizations won’t fully cover data breach incidents that result from neglectful security. Other times, insurance premiums will rise for companies deemed to have sub-par security in place.

The verdict is simple: Law firms will pay steep fines, lose customers, and incur large recurring costs if they can’t get cybersecurity under control.

How Can Law Firms Get a Reprieve from Cyberattacks?

In the face of rising cyberattacks, law firms face an extremely urgent need to scale up their cybersecurity posture. They need to protect their endpoint devices, from which security-unconscious workers regularly access insecure sites. They need to protect their servers, which may play host to vulnerabilities created by software that’s several years out of date. Hiring and training security personnel, patching vulnerabilities, and educating users about information security all take time, and time is something law firms may not have.

Law firms must now search for an interim solution. They need security technology that provides comprehensive protection for user endpoints and servers, giving administrators adequate cover to take the time to reinforce system and application security by patching newly discovered vulnerabilities. This is a tall order, because an effective solution of this kind must compensate for users’ bad security habits, work around unpatched vulnerabilities in software, and catch even the most novel and sophisticated malware currently in use. Lastly, this solution should deploy in a lightweight manner, without impacting processing speed or productivity on a firm’s pre-existing assets.

SentinelOne offers this solution. The SentinelOne Endpoint Protection Platform provides a lightweight, agent-based solution that dynamically analyzes potentially malicious programs, on the endpoint itself, based on their behavior rather than their static file characteristics. Programs that perpetrate suspicious actions such as encrypting files, creating unauthorized executables, or opening unauthorized network connections are convicted as a threat, meaning that there’s no way for even the most sophisticated attack to hide itself.

An effective cyber security solution must:

1. Compensate for users’ bad security habits
2. Work around unpatched vulnerabilities in software
3. Be easy to deploy without affecting existing processes


Unpatched vulnerabilities, even those that represent a “zero day” attack, aren’t typically a problem for SentinelOne. SentinelOne’s Dynamic Behavior Tracking engine rapidly identifies malicious behavior, even if an exploit for a particular vulnerability has never before been seen in the wild. This kind of protection doesn’t just increase an organization’s security; it also brings it into alignment with compliance rules that demand companies protect themselves from the ramifications that unpatched vulnerabilities bring about.

While the ability to prevent known attacks and detect more advanced unknown threats can substantially improve a law firm’s overall security posture, it is equally critical to be able to respond rapidly to any identified threat. SentinelOne’s Endpoint Protection Platform seamlessly integrates a fully automated response feature set that allows firms to mitigate attacks by stopping their lateral spread and eliminating the threat completely from the environment. Furthermore, any attack-driven changes to files or system settings can be cleaned up with ease.

The consequences of a breach in any law firm’s security can be dire, and the necessity of a rapid improvement in legal organizations’ investment in security cannot be overstated. Although no single solution can make any organization one hundred percent secure, SentinelOne gives law firms breathing room to bring the rest of their security solutions up to par by helping them deal with detected threats and eliminate them from the environment.

For more information on SentinelOne, visit www.sentinelone.com. To schedule a demo tailored for your organization, visit www.sentinelone.com/contact.