17/10/2023Privacy + CyberSecurity Law
Are you ready?
Globally, the majority of businesses, not-for-profit organizations and individuals are not currently prepared to face the coming waves of increasingly sophisticated cybersecurity attacks.
We predict that, in order to survive in the long term, businesses:
1️⃣ Will need to invest the necessary time and effort to effectively mitigate cybersecurity threats; and
2️⃣ Those businesses that do this will obtain a strategic competitive advantage.
How did we get here?
Part of the problem is that there is a severe shortage of cybersecurity skills.
There is also a general lack of awareness regarding both existing (hacked businesses are being tight-lipped about what went wrong) & emerging cybersecurity risks, as well as what can be done in order to provide effective mitigation of the cyber-risks.
Based on what we have seen historically, when a business data breach is reported, the accompanying public relations spin appears to reveal nothing about the root cause of the cyber incident or data breach, unless it can be clearly blamed on a third party.
Recent Law Firm Hacks
1. 16 March 2023, ASX-Listed IPH Limited (Vulnerability Allowing Hack Not Communicated);
2. April 2023, Russian-linked ALPHV/Blackcat HWL Ebsworth Ransomware Attack involving 3.6 TB worth of data (Vulnerability Allowing Hack Not Communicated);
3. Further reading: Data Breaches That Have Happened in 2022 and 2023 So Far by Aaron Drapkin [last updated on October 11, 2023]
This lack of transparency means that other businesses do not have the opportunity to learn from others' mistakes, making them vulnerable to the same kinds of cybersecurity attacks.
It is the lack of proactive action on behalf of businesses to date, combined with the growing sophistication of the global hacking community that has created this urgent need to understand and address cybersecurity risk.
Many of the emerging cyber-risks and mitigation strategies nominated below are not new.
As more businesses continue to suffer data breaches, we will find prospective clients insisting on at least self-assessment and where appropriate, independent certification regarding the level of cybersecurity protection that businesses have in place.
In turn, businesses will fully expect the same from their various cloud platforms, suppliers & outsourcers (refer below).
Governments at all levels are being pressured to follow the lead of the EU GDPR and begin to impose greater regulation & eye-watering financial penalties in the privacy sphere.
Given the above, an unmitigated cyber-related incident now, more than ever, has the potential to drive your business 'out of business'.
As part of the growing sophistication of the global hacking community, one prime example is the creation of new business models whereby state-of-the-art hacking software platforms and ransomware tools have now been made available for rent on the Dark Web by anyone who wants to use them – these services operate on the same basis as the dominant Software as a Service Model (SaaS) used to sell legitimate software.
‘RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.
A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers.
The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million.
A threat actor doesn’t need every attack to be successful in order to become rich.
Read more about the RaaS business model here.
Another example of growing sophistication in the global hacking community is the sharp rise (since 2021) in the incidence of what are called 'zero-day attacks'.
‘Zero-day exploits – when security defenders have no patch or experience, AKA ‘zero days’, to protect against an emergent cyber threat – have taken on a life of their own over the past year, set against the backdrop of surging online vulnerabilities during the pandemic era.
Once considered merely as valuable cyberweapons in the arsenal of elite government hackers targeting other states’ critical infrastructure, publicly disclosed zero-day exploits have been on a sharp rise, including hitting high profile targets such as the Microsoft Exchange server attack. Project Zero, a Google team devoted to identifying and cataloging zero-days, had tallied 45 incidents this year back in September – and the hacker community had likely discovered long before Google did.
The number of zero-day exploits uncovered so far has already broken the record number in 2020, which saw 25 zero-days recorded. Notably, the number has been increasing every year since 2018. And now, the MIT Technology Review is reporting that multiple data researchers and cybersecurity specialists like the Zero-day tracking project are confirming that at least 66 zero-days are in active use in 2021.
That’s nearly double the amount reported from last year and shatters the recorded number from any other year since zero-day exploits began being monitored.’
These attacks rely upon the hackers' technical ability to discover and begin to exploit (for how long, we don’t know) previously unknown security vulnerabilities before software vendors become aware of the vulnerability.
The risk of a Zero-day attack continues, even after the software vendor becomes aware of the vulnerability and the security patch has been rapidly designed and deployed.
A security patch can only begin to protect your business after it has been implemented across your entire business.
If your business does not have a cybersecurity-aware workforce, they will most likely be unaware of this ever-present cybersecurity threat and the need to apply security patches automatically (for example on their own personal devices they are using for business purposes).
Any delay in patching a vulnerability provides threat actors (i.e., hackers) an all-access pass to exploit the vulnerability until such time as the software security patch has been applied to all devices used by your business.
How much damage can be done by the hackers will vary with the individual vulnerability and length of the ‘time window’ afforded to the hackers.
Whilst the volume of zero-day vulnerability exploits is down from its peak in 2021, these are still emerging risks that we all need to keep vigilant about.
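The point made above, that a patch protects only the devices it has actually reached, is easy to lose sight of without an inventory. The following is an added example (not part of the original article) of a small Python patch-exposure report: given the date a vendor released a fix and the date each device applied it, it computes how long each device stayed exploitable and whether the whole fleet is protected yet. The device names and dates are constructed sample data, not from any real environment.

```python
from datetime import date

# Constructed sample data: the vendor's patch release date and the date each
# device applied the patch (None = not yet applied). A personal BYOD phone is
# included because those are the devices most often missed.
PATCH_RELEASED = date(2023, 9, 1)
DEVICE_PATCH_DATES = {
    "laptop-alice": date(2023, 9, 2),
    "laptop-bob": date(2023, 9, 20),
    "phone-carol-byod": None,
    "office-nas": date(2023, 9, 1),
}


def exposure_days(released, applied, today):
    """Days a device remained exploitable after a fix already existed.

    The window runs from the patch release until the device applied it, or
    until today if it still has not.
    """
    end = applied if applied is not None else today
    return max((end - released).days, 0)


def patch_report(released, devices, today):
    """Per-device view: patched or not, and the length of its exposure window."""
    return {
        name: {
            "patched": applied is not None,
            "exposure_days": exposure_days(released, applied, today),
        }
        for name, applied in devices.items()
    }


def fleet_protected_since(released, devices):
    """Date from which *every* device was patched, or None if any device is still exposed.

    This is the only date from which the business as a whole is protected
    against the vulnerability; an individual patched laptop does not count.
    """
    if any(applied is None for applied in devices.values()):
        return None
    return max(max(devices.values()), released)


def unpatched_devices(devices):
    """Names of devices that still need attention (sorted for stable output)."""
    return sorted(name for name, applied in devices.items() if applied is None)


if __name__ == "__main__":
    today = date(2023, 10, 17)
    for name, row in patch_report(PATCH_RELEASED, DEVICE_PATCH_DATES, today).items():
        status = "patched" if row["patched"] else "STILL EXPOSED"
        print(f"{name:18} {status:14} exposure window: {row['exposure_days']} days")
    print("fleet protected since:", fleet_protected_since(PATCH_RELEASED, DEVICE_PATCH_DATES))
    print("still to patch:", unpatched_devices(DEVICE_PATCH_DATES))
```

Run against a real device inventory, the `exposure_days` column is the number the article is talking about: the length of the ‘time window’ each device handed to attackers, and `fleet_protected_since` returning `None` is the signal that the patch is not yet doing its job for the business.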
Source: Zero-day Tracking Project
I have observed that some of the recent business data breaches locally and overseas (where the source of the data breach has been reported) have been due to supplier vulnerabilities being exploited.
On July 22 2023, I read about this latest cybersecurity breach to hit some of the biggest law firms in the US legal profession in an article in the NY Post by Isabel Vincent.
‘Increasingly, cybersecurity vulnerabilities are to be discovered via the supply chain.
In this case, it appears that software used to transfer files called MOVEit is the source of the massive data leak affecting the personal data of thousands of clients of Kirkland & Ellis, K&L Gates and Proskauer Rose, along with 50 other multinational corporations.’
Hackers are increasingly using AI to generate more authentic & convincing phishing attacks.
As email phishing becomes more sophisticated, hackers may attempt to use your business's domain as the source of their phishing emails.
If a client sees an email that has been sent from your business domain, they are more likely to trust that the email is genuine than if the email was sent by a similar or unfamiliar domain.
To date, most hackers have only masked the true source of the email which can be discovered by a little investigation, or used a misspelt version of a domain name.
When clients investigate the actual source of the email and learn it has been sent from a similar or unfamiliar domain (not yours) they can correctly determine that the email is not to be trusted and can be deleted/ignored.
However, if the hacker has actually used your business domain then your client will be tempted to trust the email.
This is a possibility, and increasingly we will see phishing emails being sent from genuine domains.
We constantly monitor attempts that are made to spoof our domain, and it appears that once it is determined that we have a DMARC policy (refer below) in place their efforts are quickly abandoned, and they presumably move on to easier targets.
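The ‘little investigation’ mentioned above (checking where an email really came from and whether the sender domain is a misspelt version of yours) can be scripted. The following is an added example written for this page, not code from the original article or from blueocean.law: it parses a message's headers with Python's standard `email` module, flags a From domain that is within a small edit distance of your own domain, and flags a Return-Path or Reply-To that points somewhere else. The domain `example-law.com` and both sample messages are constructed placeholders, not real mail.

```python
import email
from email.utils import parseaddr

LEGIT_DOMAIN = "example-law.com"   # hypothetical placeholder for your own business domain

# Constructed sample messages (headers only, invented addresses). The first
# uses a lookalike domain ("1aw" instead of "law") and bounces go elsewhere.
LOOKALIKE_MAIL = """From: "Accounts" <accounts@example-1aw.com>
Return-Path: <bounce@bulk-mailer.example.net>
Reply-To: <payments@example-1aw.com>
To: client@example.org
Subject: Updated bank details

Please pay to the new account.
"""

GENUINE_MAIL = """From: "Accounts" <accounts@example-law.com>
Return-Path: <accounts@example-law.com>
To: client@example.org
Subject: Invoice

Attached.
"""


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message, legit=LEGIT_DOMAIN, max_distance=2):
    """Triage one message: which domains appear in its headers and what looks off."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    return_path_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom   # Reply-To defaults to From

    findings = []
    # A domain one or two edits away from yours is the classic misspelt lookalike.
    if from_dom != legit and 0 < edit_distance(from_dom, legit) <= max_distance:
        findings.append(f"lookalike sender domain {from_dom!r} resembles {legit!r}")
    # The envelope sender (where bounces go) revealing a different domain is the
    # 'masked true source' that a little investigation uncovers.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom!r} differs from From domain {from_dom!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    return {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "reply_to_domain": reply_dom,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE_MAIL), ("genuine", GENUINE_MAIL)):
        result = analyse(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "no findings")
        for line in result["findings"]:
            print("   ", line)
```

Treat the output as a triage aid rather than a verdict: legitimate bulk-mail services also set a Return-Path on their own domain, which is exactly why the authoritative check is SPF/DKIM alignment under a DMARC policy rather than header inspection by eye.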
As noted above, both foreign Government-funded and professional hackers are becoming more sophisticated.
From all accounts, their success is snowballing.
With each new hack, more resources become available (such as RaaS) and more capable tools are being developed.
Generative AI is also a new enabler making more convincing phishing attacks both cheaper & quicker to deploy.
Without the right cybersecurity technical skills & resources, starting at the top of the organization, addressing these risks can be extremely difficult for any business, and even more so when the workforce is working from home.
➲ Additional logistical cybersecurity headaches are caused by post-COVID ‘Work from Home’ / ‘Bring Your Own Device’ Policies.
For example: It can be difficult for a business to be confident that its workforce have properly secured their home/local café networks (eg., using VPN to encrypt web traffic) and ensured their personal devices are configured securely and updated regularly.
➲ The majority of small businesses are solo entrepreneurs, which is both good & bad with respect to cybersecurity.
As the human element is generally considered the weakest link, when fewer people have access to data it generally means there is less chance of a successful cyber-attack.
With a small business, the strongest defence, cybersecurity training, is also not as expensive (in some cases it can be obtained for free) or time-consuming to implement.
To many the challenge appears insurmountable, or is ignored in preference to more immediate operational demands.
As a business working to a budget ourselves, blueocean.law falls squarely into this category.
Therefore all of the cybersecurity measures we have undertaken (read more here) are also possible for any other individual, business or non-profit organization to implement, especially businesses on a tight budget.
1️⃣ Awareness & Training ➲ Example: ISC2’s Free Certified in Cybersecurity Training;
2️⃣ Educate your Clients ➲ New Client Cybersecurity Alert Letter;
3️⃣ Cybersecurity Insurance;
4️⃣ Backup & Restore Processes as part of a Cyber-Incident Response Plan;
5️⃣ Encryption (see discussion below);
6️⃣ Pareto Security (Monitors Security Configuration Vulnerabilities + Flags if issues are identified, or software needs updating);
7️⃣ Virus/Malware Scanners;
8️⃣ Use a VPN – Virtual Private Network to encrypt your web traffic;
9️⃣ Security Keys ➲ Yubikeys;
🔟 Managing Accounts and Privileges (see discussion below);
⏸️ Careful Supplier/Outsourcer Selection;
*️⃣ Employing security benchmarks and compliance standards (E.g., SOC2 + STAR);
▶️ Leveraging modern hardware security features (Regularly Upgrade your Hardware);
⏺️ Keeping your software systems up to date (Automatic Security Patches);
#️⃣ Utilizing Multi-Factor Authentication.
It’s about more than just protecting your clients’ data.
You need to go further to consider ways to reduce the likelihood that a hacker/malicious actor could impersonate your business brand to trick your clients or potential clients.
Even if your business is itself cybersecure, this kind of attack does not try to hack your business, therefore your impenetrable security is of no assistance to your client.
Evidence has shown that a successful phishing attack spoofing your business brand can have a huge negative impact on your business's reputation.
It can be mounted at scale, with minimum additional cost.
'I freakin' love Yubikeys.
I switched to Yubikeys from Google Authenticator about a year ago, and I will never go back.
Not only are they great for TOTP 2FA, but they do so much more!
In this video, I try to cover it all, and probably screw up a few facts - but oh well - that's not the point.
The point is - you should be using Yubikeys.' video introduction by Crosstalk Solutions [380k Subscribers], premiered Oct 28, 2020
When your data is encrypted and your encryption keys are kept in a safe location, a data breach generally will not cause any damage as the hackers will not be able to decrypt the data.
➲ Encryption at Rest (where is your data stored – is it encrypted?);
➲ Encryption In-Transit (VPN, Website https:// + encrypted mail, encrypted messaging, secure client portals, secure video conferencing etc.);
➲ Safe storage of the encryption keys – for example, our Digital Asset Safe Custody Vault.
Your business can use the DMARC email authentication protocol (in combination with the usual email authentication protocols) to cause the email client to bounce or quarantine any emails that have not actually been sent from your business’ domain.
Whilst DMARC has been available for many years, my observation is that because hackers have not yet upped their phishing game, DMARC has not yet needed to be widely adopted as a defence mechanism.
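To show concretely what the DMARC policy does with a spoofed message, here is an added example (written for this page, not code from the original article or from blueocean.law) in Python. It parses a DMARC TXT record, checks whether the SPF or DKIM result is aligned with the visible From domain, and returns the disposition a receiving mail server would apply. Two records are compared: a weak monitor-only policy (`p=none`) and a corrected one (`p=reject` with strict alignment). The domain names and records are constructed placeholders, not real DNS data, and the alignment helper uses a simplified ‘last two labels’ organisational domain rather than the Public Suffix List real receivers consult.

```python
# Constructed DNS TXT records for a hypothetical domain (placeholders, not real DNS).
# Weak: the domain publishes DMARC but asks receivers to do nothing with failures.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-law.com"
# Corrected: reject unaligned mail for the domain and its subdomains, strict alignment.
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-law.com"


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags


def org_domain(domain):
    """Simplified organisational domain: last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return org_domain(authenticated_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """What a receiver does with the message: 'pass', or the policy's 'none'/'quarantine'/'reject'.

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= value of a DKIM signature that verified.
    (pct= and sp= are parsed but not applied, to keep the example short.)
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # A spoof: the From header claims example-law.com, but SPF only passed for the
    # attacker's own sending domain and there is no DKIM signature for ours.
    spoof = dict(from_domain="example-law.com",
                 spf_pass=True, spf_domain="bulk-mailer.example.net",
                 dkim_pass=False, dkim_domain="")
    print("spoof under weak policy  :", dmarc_disposition(WEAK_DMARC, **spoof))
    print("spoof under strong policy:", dmarc_disposition(STRONG_DMARC, **spoof))
    # Our own mail, DKIM-signed with d=example-law.com, passes either way.
    print("genuine mail             :", dmarc_disposition(
        STRONG_DMARC, "example-law.com", False, "", True, "example-law.com"))
```

The edge case worth knowing before switching to strict alignment: mail your own systems sign with a subdomain key (for example `d=mail.example-law.com`) is rejected under `adkim=s` but accepted under the relaxed default, so check your DMARC aggregate reports for such senders before tightening `adkim`/`aspf`.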
This advice I picked up from the free ISC2 Certified in Cybersecurity training.
It is simple, and when implemented, I consider it to be some of the best advice for limiting the damage a cyber breach can cause.
‘Don’t grant more access than is required to do the task’.
I assume that many sole traders have set up one super-user account that has administrator access to everything.
This approach certainly makes life easier, one account, one password, less to remember.
When you think about it, do you really need this much access on a day-to-day basis?
By limiting your day-to-day access, should your day-to-day access fall into the wrong hands for any reason, whoever has taken over your day-to-day access will be automatically restricted with what they can achieve using the access.
The best example I can provide on this topic is the stories I have read about where a person is observed entering their phone code by a hacker who subsequently steals their phone and uses the code to change the code itself as well as the email and password the person uses for their entire iCloud world.
Generally, once control of your Apple iCloud account is lost, there is no way to get it back.
Your iPhone can be configured to require an additional PIN code before an access code or account change can be made.
This simple additional layer of security can be the difference between losing access to everything and retaining control of your iCloud account.
This is just one example of how limiting what privileges your day-to-day access has can dramatically change the outcome should your day-to-day access be lost.
During the process of researching and writing a separate blog article (working title 'CyberSecurity, CyberCrime, CyberSafety & CyberWarfare ➲ Global Top-Priority Boardroom Agenda Items') for the GlobalSign blog, I stumbled across & have taken full advantage of the (ISC)2 free^ online self-study course & 2-hour exam to earn the 'CC' Certified in CyberSecurity Credential.
You can find out more about how you can do this yourself in this blog article.
➲ Implementing signed software execution policies (reduces possibility of Trojan-Horse attacks); and
➲ Segregating networks using application-aware defences (contains spread of damage).
Credits: This blog article was written by James D. Ford Esq., GAICD CIPP/US CC | Principal Solicitor, Blue Ocean Law Group℠. It is the product of my refinement and modifications to my draft written responses to a series of interview questions asked by a journalist who was writing an article about safeguarding against cybersecurity risks.
This blog article is intended for general interest + information only.
To the extent this article is deemed advertising or solicitation, it is hereby identified as such.
It is not intended to constitute legal advice; the statements made are opinions about general situations, and they are not a substitute for advice as to any specific matter.
We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.