Law firms are the new target for IP theft: Basic Protections

As discussed in the first part of our three-part series on cyber security for law firms, today’s IP attorneys are facing direct attacks by Black Hats looking for IP information. Unfortunately for law firms, protecting intellectual property is far more difficult than stealing it, since protection of IP is only as strong as the security system’s weakest link which is often the least careful employee. This article, the second in our series, will cover some basics relating to IP protection.

Anti-spam protection, malware filters, and other base-line protection mechanisms are key components of the most basic system architectures and provide an important first step in preventing access to protected information. Vigorous employee training should be step two of any well-balanced security program but there are a number of additional steps firms can take to enhance security protection such as firewalls, intrusion detection systems, network access controls and bring your own device (BYOD) security. In this article, we will focus on two measures that are currently generating significant discussions among law firms: access management and email security.

Access Management

It is essential that access to data or networks is limited to authorized users and that all unauthorized users are prevented from accessing the protected data either physically or electronically. According to the DOJ Best Practices Guide, preparation for a cyber incident should include having or having access to “technology and services that they will need to respond to a cyber incident, [including] intrusion detection capabilities.” DOJ Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015). One method for preventing electronic access is to implement identity and access management (IAM) protocols.

Today, passwords alone are not enough to effectively manage data access. The list of America’s most-used passwords — ‘password123’ or ‘1234567’— will never keep an aggressive adversary from gaining entry into the network and even the Hollywood elite can have their passwords broken by individuals who are focused enough to dedicate the necessary time and effort to accomplish the task. At a minimum, two-factor authentication rather than a single password, should be used to protect most types of confidential data. With two-factor authentication, the user is required to use two of the following three forms of identification – something they know (password or PIN), something they possess (a token or USB stick) or a physical characteristic of the user (finger swipe) in order to gain access to the data.

For more sensitive data, a multi-factor approach offers an even higher degree of security. In multi-factor authentication, a user must use three or more forms of identification. For example, in addition to a password and a token, users are required to answer one or more custom questions, known only to the user.

Risk-based authentication is far more sophisticated and significantly improves access security for remote users. The configurable system goes beyond user based login requirements, and can, for example, create an approved ‘whitelist’ of access points and environments to authenticate identity. For example, the system can deny access to anyone trying to log in without a legitimate business purpose or location without advanced notice.

Enhanced Email Security

Any basic cyber security program must protect itself against open access points which can be used to access other systems within the law firm or company to obtain sensitive data. For attorneys, especially those with access to sensitive client data, the number one threat vector is electronic mail. The first line of protection for all email systems is an email security system (anti-malware/anti-spam filter) which works well to protect against known threats. However, in order to protect against unknown threats, such as Zero-day exploits (new threats) and targeted attacks, law firms should implement an enhanced email system which sits between an email security system and email. This additional level of protection is vital to overall security for particularly sensitive data like IP because it defends against a number of additional threats, including malicious links, corrupted attachments and spear phishing. Spear phishing is a targeted email communication, designed to resemble a legitimate communication from almost anyone: from someone in the firm, from the bank and even from the IRS. In addition, some law firms could also be the targets of Advanced Persistent Threats (APT) which are targeted directly at a specific user or organization. Due to the targeted nature of the attack, this is a prime instance where standard anti-virus protection may not be enough.

There are several ways to protect email from attackers and other purveyors of malware. Firms can either install a dedicated appliance that specifically combats this type of unwanted intrusion or they can contract with a monitoring service to manage the process as part of Continuous Monitoring as a Service (CMaaS) solution. An in-house solution can require additional technology purchases and dedicated staff. A managed service outsources all of this, and may reduce overall costs while increasing scalability and access. It is important to weigh the costs and benefits of an in-house or managed services solution.

Whether you choose an in-house or outsourced monitoring service, the technology works by sending a potentially infected email to the security system for examination inside of a ‘sandbox’. By opening the email in the sandbox, the functionality of the file in question can be determined. If it acts in a malicious manner, it will be quarantined, if not, it will be passed along as normal, thus protecting the integrity of the internal system.

Often, layers of security protection overlap each other. One layer, like any single solution, is simply not enough anymore. Only with multiple layers of protection and multiple tools, can your confidential information be protected. Our last article, in this series of three articles, will focus on even more advanced security tools for endpoint and enterprise applications.