When an FBI Director speaks about risks to legal firms everyone in the business listens. According to former FBI Director Frank Mueller, there are two kinds of legal firms: those who have been hacked and those who will be hacked.
A harsh statement regarding those who put safeguarding their customer’s sensitive data as a top priority. Even more alarming is that Mueller’s quote is now eight years old and still holds true.
According to the American Bar Association 2020 Survey, 29% of firms experienced a security breach (such as a hacker, break-in, website exploit, etc). We believe these numbers are much higher as many firms would hide and not report cyber incidents. In the same survey, 21% of responding firms continuing to report that they do not know whether their firm has ever experienced a security breach. In many cases, not knowing might be even worse. Often times we are brought into situations where an attacker spent months inside an organization and was able to carry out very sophisticated and devastating attacks. This unfortunate situation could have been mitigated with a more proactive approach to cybersecurity. Gone are the days that firms could rest on their laurels and hope for the best. The statistics show a grim picture even understate what we often see in the marketplace.
What to do? Start with awareness.
Being proactive requires a mindset shift that starts with awareness of the risk. In a previous article, we explained the various business risks associated with cyber attacks. In this article, we share a few ways and tactics attackers may employ to penetrate or harm your organization. Being aware of the ways someone could put your livelihood at risk allows you to consider your options and decide which mechanisms and procedures to put in place.
Phishing
A Phishing attack is an attack that targets users through email, text, or direct messages (WhatsApp, social messages, etc.). In this situation, the attacker, masked behind a trusted contact, leverages the preconceived notion of trust to extract login credentials, banking information, or other types of sensitive data. In a phishing scheme attempt, the attacker tricks the recipient into divulging credentials, clicking a malicious link, or opening an attachment that infects the user’s system with malware, trojan, or zero-day vulnerability exploit. In a corporate setting, phishing can have a devastating effect by allowing attackers to penetrate the organizations’ defences which often lead to a ransomware attack, or privilege information leakage, or financial manipulation. Phishing scams can take various forms, below are the most common:
Spear Phishing
Unlike general phishing that mostly used as spam email to blast millions of accounts, Spear Phishing is a targeted scam that is tailor-made specifically against an individual within an organization. In this scam, the attacker will learn about the person/company and carry out a very targeted attack.
Whaling
Is the tip of the spear-phishing scam whereby CEOs or executives or partners (“whales”) are being targeted. Attackers find this vector worthwhile since CXOs have immediate access to information or execution power to invoke high-value monetary transfers.
Business Email Compromise (BEC)
Can be thought of as “reversed whaling” in which the attacker will send an employee an email as if coming from the CXO or an executive. The attacker leverages the urgency of an authoritative email to induce employees, vendors or customers to take swift action. Usually, the action takes the form of a money transfer. In more severe cases, BEC can also be in the form of a hacker sitting in your mail server, and monitoring all your email traffic.
Clone
One of the most common attempts where the attackers would clone a “legitimate” email (similar sender name and email body) and insert malicious links to trick the receiver into typing sensitive information in a replicated fake webpage.
Spyware
Spyware is a malicious software that infiltrates connected devices to then collect your internet usage data and sensitive information. Spyware tracks and gathers information to sell to advertisers, data firms, or external criminal networks. Spyware could be leverage for many use cases but usually is used to capture credit card or bank account information, capture login credentials, steal a personal identity. It is another tool in a hacker’s toolbox.
Man-in-the-middle
Attack In this case, it takes three to tango: the victim, the entity with which the victim is trying to communicate, and the “man in the middle”, that intercepts the victim’s communications. In this type of attack, the attacker exploits weak web-based protocol and insert itself between the two parties trying to communicate, unbeknownst to both. Once inserted itself the attacker can intercept credentials and sensitive data. A more aggressive form usually manipulates the victim to divulge additional information and can even take a more proactive form of follow-ups by the attacker using emails, text messages and other means.
Insiders Threat
Unlike other attacks, this type is not external and is done from within. An inside job if you will. The threat identified here is coming from an employee’s action putting the company at risk through theft of information, interrupting business processes or sabotage. But not only intentional actions can risk your practice. Negligent employees or vendors with access to information can cause considerable harm, security drifts or leaks accidentally too. In this attack, the access was a given but the lack of controls and processes around the access is the culprit. Customers’ data, intellectual property, financial data, employee data and other databases are the companies crown jewels that can be exploited by a rogue employee or someone who abuses his access. Lack of employee training and awareness, insufficient or inefficient data protection strategies and an increasing number of devices with access elevate this risk.
Ransomware
Ransomware is a specific type of attack that holds your data (personal/corporate) hostage in exchange for ransom.
This attack, we should note is something the result of a rolling breach event instigated by one of the mechanisms we have detailed above. Ransomware is highly tactical and leverages the attackers’ complete control over your data. Attackers threaten to corrupt, encrypt, block, or publish information unless the victim agrees to meet the attacker’s demands. In most cases, the demands are monetary ones. Once paid (by bitcoins usually) the attacker will provide a decryption key for the files. Paying the ransom will provide the victims with faster access to their data but whether they pay or not, breached organizations will continue to suffer from the consequences of the breach for months and even years to come. We continually see the professional services sector (legal and accounting firms mainly) being targeted with these type of attack because:
This sector’s dependency on data is essential.
The data characteristics contain valuable information.
The sector is generally under-protected making the risk/ reward equation favourable for attackers. In many scenarios that we are asked to assist with,
Ransomware was the last step of the attack. The attacker has breached the organization weeks or months earlier, took the time to learn about the organization and its assets and then struck by taking the data hostage after already copying the data offline.
Summary
Protecting organizations against cyber threats become increasingly more complex as business transform and digitize with many forced to adapt to out of office environments where both security controls and support were lacking due to the pandemic. Despite this, basic understanding and awareness of the various attack methodologies drastically reduce some of the ways attackers gain access to crown jewels. Being proactive about your cybersecurity is imperative. In our next article, we will explore how you implement basic procedures and tools to increase your overall security and reduce the business risk derived by cyber threats.
________
How protected are you? If you cannot easily answer this question it is time to asses your cyber posture in order to protect your business. Don’t let years of your hard work disappear overnight.