Center For Practice Management, Ethics, Security

Testing and Training for Cybersecurity in Law Firms

What should firms be doing to increase their cybersecurity stance right away? What are some of the other ways firms can harden their defenses with PEN testing, zero knowledge architecture and the new FIDO passwordless protocols? How can you keep your team security aware? Join us for a conversation with Conor Egan, security consultant at 10X Consulting Group out of Charlotte to learn how to keep your firm safe from external threats.

Transcript 

Catherine Sanders Reach 

Welcome everybody. This is a video blog post from the Center for Practice Management blog “From the Center” and today I am talking to Connor Egan. Connor is with 10X Consulting, and they are a cyber security consulting firm out of Charlotte. So, Connor, I have a couple of questions for you. First, what are three things that a law firm can do to start immediately getting a better security position? 

Conor Egan 

Sure, Catherine and thanks for having me. Right off the bat, three things that a firm can do immediately for little to no cost would be multifactor authentication across platforms. Just click on your settings and then go into the security section to get it set up. We have passwords for everything, so the second part is getting a good password manager and implementing that. And the third thing I would say would be backups, so make sure you have good backups for all firm information. We really need to go a step further and copy those backups onto an additional storage site that is not connected. Best practices would be to have backed up to a different location, be it in the cloud or onsite. Then it is all the better for worst case scenarios. 

Catherine Sanders Reach 

Excellent! I use the analogy of a belt, suspenders, and safety pin approach. It is called the 3-2-1 backup method and that is the way I try to describe it. Your backup is replicated not just once but twice in various locations. 

So, the three basics are multifactor authentication, password managers, and good backup. All of those are important, but there’s some more sophisticated techniques that a firm can use to add more security to their networks. Can you explain the concept of zero knowledge architecture? 

Conor Egan 

As you go beyond a few employees and we start getting into more sophisticated environments where there are controls and segmentation across networks, and more branching, we get into things like zero trust and zero knowledge. Zero knowledge is a way to vault passwords locally on your machine in a way that is encrypted and only allows the local user access to that so that you know if someone does get into the machine, they just have access to the passwords locally on that machine and they cannot get to the cache, which is oftentimes associated with directories like Active Directory and other systems management. It segments the damage to just one area. When we are looking at designing our networks, we would design it in a zero-knowledge way so that there is that segmentation.  

Catherine Sanders Reach 

So, if somebody gets hacked the hacker cannot back end into the system through that user. Is that the concept? 

Conor Egan 

That is exactly right. It reduces exposure to cached information that lets a user just immediately sign into a system. With zero-knowledge we still have that capability, but there is not as much access to the main repository of cache data. 

Catherine Sanders Reach

Another thing that I hear about is PEN testing or penetration testing. Can you explain what that is and what firms’ technical environments are the best candidates for PEN testing?

Conor Egan 

Penetration testing, or purple team/red team exercises are fancy ways to say that someone is going to try and hack into the system in a safe manner. There is no one silver bullet in cybersecurity. We can lock down the windows and close the doors as much as we can. We can layer security, but penetration testing will determine what they can do, how far they can go and what damage they can do. Then we can better protect ourselves with improved systems architecture. The small firms can do it with just someone at an hourly rate. Larger firms may have more extensive and sophisticated networks to test. 

Catherine Sanders Reach 

By using a white hat hacker, somebody that you are paying to find out the vulnerabilities. It is better for you to do it than for someone else to do it. 

Conor Egan 

And when we think of things from the hacker’s perspective, we can get a much better picture of what they can do.  

Catherine Sanders Reach 

The world of security is ever changing. It is a race to keep up with the bad guys. And I say keep up because they are often a step ahead, so it is not something that you get to set and forget. One of the newer security protocols that I have been hearing a good bit about is this FIDO standard and  passwordless access. Can you explain what that is about? 

Conor Egan 

Sure, and so it is awesome that you have been hearing about it, because that’s kind of the cutting edge of technology when it comes to protecting systems. “Fast IDentity Online” is what FIDO stands for. It is a passwordless access protocol, so it matches our zero-knowledge architecture. Architecture is the way we design computer and network systems. The passwordless access is how we use those systems and is like MFA (Multi Factor Authentication) where we use encryption keys to access systems and applications. But FIDO goes a step further with biometrics, like face scans and fingerprints, so you do not have to type in a password, instead you have your encryption keys stored locally and you have your biometric access that is stored in the same way. 

Catherine Sanders Reach 

I know that iOS 16 now has the FIDO standard applied for the the new iPhone operating system, but we are also seeing Microsoft pushing this out. Google is pushing this out too. We are familiar with using biometrics to unlock hardware, but FIDO is going to the next step to unlock software. 

Conor Egan 

That is exactly right. And you are seeing it on some software packages that you can put on your phone. For example, like you mentioned, it was really designed originally designed for the mobile device networks, so now we are transitioning to some of the software – not just face scan to get into my phone but also face scan to get into some of my applications. 

Catherine Sanders Reach 

Interesting, so it is a brave new world. And finally, it is said people are the weakest link in your firm security. So how can a firm effectively train staff to recognize and avoid phishing and hacking? 

Conor Egan 

A great question, Catherine. Our first line of defense is knowledge and knowledge is power. Credit to the North Carolina Bar Association for providing technology credits as part of their CLE (Continuing Legal Education) offerings. Most of the bad actors are using social engineering. They are playing on human emotions, playing on our human behavior to get information. The best example is a phishing e-mail where it looks like your bank account has been logged into and you react quickly, and you click on the link. This can be avoided by educating our employees. Even just one hour a month. That type of exposure can help protect the firm in a low-cost way. Further, they are simulated phishing programs that you can implement. CISA (Cybersecurity and Infrastructure Security Agency), the government website regarding cybersecurity infrastructure, has a lot of resources. So just time and effort, really, when it comes to protecting the firm. 

Catherine Sanders Reach 

Yes, it involves constantly reminding people to be wary and especially right now around the holidays when people are shopping online. One thing I try to remind people is to have an e-mail policy where you tell your staff and the attorneys not to use their firm e-mail for personal stuff for shopping online and things like that. You are less likely to expose the firms’ network to attacks. If you are using your firm e-mail address as your login for Amazon, then if you get an e-mail that says your Amazon account has been hacked and you panic and you go and log in, guess what? It was possibly a fraud. You fell for it, and now you put your firm’s data at risk. I like the SANS Institute Ouch newsletter. It comes out monthly and they do a deep dive into a particular exploit. We have phishing of course, but now we have smishing, the SMS phishing where you get a text message from someone, and then there is vishing, the voicemail phishing. All of this is the same variation on a theme in terms of social engineering, but we just must be more aware and more careful than ever before. 

Conor Egan 

And then we have even more exploits, like impersonation. Someone might get an email that says “Hey, it is Connor Egan, managing partner at this firm” and asks one of the accounting individuals for information or to go out and get gift cards or things like that. One quick tip that I am sure a lot of people can find and use immediately is if you do think there is a suspicious e-mail or link, first off, send it to the IT (Information Technology) folks. If you do not have an IT team, you can hover over the link in your email with your mouse. The actual URL address will be displayed. It is not foolproof because we can rename hyperlinks to what we want and look like everything we want, but a good first step. 

Catherine Sanders Reach 

One twist on mousing over a link to reveal the destination is when I am looking at my phone, I cannot mouse over a link in an e-mail. 

Conor Egan 

Exactly so. In that case, it is best to pick up the phone and call that individual who is sending you that information if you are suspicious at all. 

Catherine Sanders Reach 

The exploits may or may not be designed to get into your phone and do damage the way it would do into your Windows computer or your Mac and get into the network, but we do not want to find out the hard way, right? 

Conor Egan 

Right, it is more advanced when it comes to the malware deployed on phones, and that is not a majority yet, but it is quickly turning.  

Catherine Sanders Reach 

Yep, so. Everybody, be security aware and safe out there. Thank you for describing some of these newer ways to protect the firm, and hopefully we will look forward to talking to you later. 

Conor Egan 

Thanks for having me on Catherine. 

Resources for Further Study

How to Identify a Phishing Attempt and Thwart It (Video) – North Carolina Bar Association

How to Identify a Phishing Attempt and Thwart It (Video)

Good Backup Is Good Business Continuity – North Carolina Bar Association

Good Backup Is Good Business Continuity

Staying Up to Speed on Security – North Carolina Bar Association

Staying Up to Speed on Security

How to Identify a Phishing Attempt and Thwart It – North Carolina Bar Association

How to Identify a Phishing Attempt and Thwart It

Basic Security Best Practices for Law Firms – North Carolina Bar Association

Basic Security Best Practices for Law Firms

Is a Password Enough To Keep Your Sensitive Information Safe? – North Carolina Bar Association

Is a Password Enough To Keep Your Sensitive Information Safe?

What Is the Difference Between Cloud Computing and Cloud Storage?
https://www.10xcg.com/Blog/ArtMID/441/ArticleID/46/What-Is-the-Difference-Between-Cloud-Computing-and-Cloud-Storage

Why Having A Disaster Recovery Plan Is Crucial To Your Business
https://www.10xcg.com/Blog/ArtMID/441/ArticleID/15/Why-Having-A-Disaster-Recovery-Plan-Is-Crucial-To-Your-Business

Identification with Zero Knowledge Protocols | SANS Institute
https://www.sans.org/white-papers/719/

Learn About Our Latest Offering – Penetration Testing
https://www.10xcg.com/Blog/ArtMID/441/ArticleID/37/Learn-About-Our-Latest-Offering-Penetration-Testing 

Cybersecurity Trends in 2023
https://www.10xcg.com/Blog/ArtMID/441/ArticleID/49/Cybersecurity-Trends-in-2023