In March 2021, Formal Opinion 498 was released by the Standing Committee on Ethics and Professional Responsibility of the American Bar Association. These rules guide lawyers, when conducting virtual legal practices, as follows:
“In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information.”
To make a blanket statement about most of 2020-2021: if something could be done virtually, it was done virtually.
While the pandemic response drove technology to new heights, it also drove cybercrime to new heights. Not far into the whole situation, a rapidly growing number of homes worldwide became both a new workplace and a new attack vector.
“An attack on file-sharing company Accellion Inc. affected several law firms earlier this year, and clients are asking more and more questions about the security postures of the law firms they work with…Clients are getting better at managing their own risk, and with that I’m seeing a sharper and sharper look as well as greater scrutiny of providers, including law firms…Don’t just check the box…Have the lawyers and info security teams sit together and really collaborate.” (emphasis mine)
With law firms under increased security guidance and more intense scrutiny, they need to up their game in the protections they provide for the data of both their clientele and their firm.
The Importance of Trust
Trust is important. Even more so when it comes to all the confidential data that law firms must handle.
As an example: After a deponent has accepted the transcript of a deposition, that transcript is stored for permanent record. How important is it to the deponent, even to all parties involved, to keep that document secure? It may be available for distribution, but can it be changed? Part of the process is ensuring that it remains immutable. What could happen if someone was able to get in and change the deposition?
In 2016, over 2.6 terabytes of data (containing 11.5 million files) were exfiltrated from Mossack Fonseca, a law firm headquartered in Panama. The case of the “Panama Papers” was one of the largest breaches of all time and implicated numerous world leaders who participated in forming shell companies for offshore wealth management. (For more recent coverage, see the news about the “Pandora Papers”.)
Two of the primary causes of the breach were:
1) unencrypted emails, and
2) an outdated Drupal server.
Additionally, the servers and workstations were not properly segmented.
While the first issue might be more about user training (not encrypting sensitive emails when sending them), the other issue (and other related problems) is technical and just might have been discovered by having a third party test both the external services and the internal setup. The missing controls could have been discovered by internal personnel, but internal staff are prone to underestimate or tone down the severity of issues.
In another case, the first class-action suit regarding law firm data security claimed that the firm Johnson & Bell was guilty of legal malpractice because it allowed information security vulnerabilities which put client information at risk.
The suit did not end in class-action, but it was a wake-up call to law firms to protect both their data and their reputations.
Confidentiality and Integrity
You’re likely familiar with the CIA triad – Confidentiality, Integrity, and Availability. In the legal field, Confidentiality and Integrity are of utmost importance. While there are many security components involved in ensuring that information can only be seen and changed by those with the authority to see and change it, an important factor is penetration testing.
Whether you need a penetration test for compliance, for proving to customers that you take cybersecurity seriously, or you simply want to prove to yourself, your partners, and your staff that you have a strong security posture, Cybersecurity Crusaders will help.
The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.
SIM-swap fraud is an increasingly widespread means for hackers to steal access to your phone number and then your identity. We will explain how SIM-swapping works and how you can keep yourself safe.
A “SIM-swap” means that a hacker has stolen access to your phone number and rerouted calls and texts to themselves instead of you. This enables them to then steal your identity. But the first step is the SIM-swap.
How Does This Work?
Your smartphone has a SIM (Subscriber Identity Module) card in it, which is basically a piece of plastic with a chip in it that holds the phone number and some account data. Normally, you take a SIM card out of one phone, put it in a second phone, and then all calls to the phone number will go to the second phone instead of the first.
But if your phone is stolen or lost, you can buy a new phone with a new SIM card and ask your phone service provider to use their system to switch your phone number from the old SIM card to the new one. This reroutes all traffic to the new phone and SIM card.
Hackers take advantage of this system by pretending to be you and asking your phone service provider to switch your phone number from your SIM card to theirs.
The main factor in a SIM-swap is for the hacker to convince the victim’s service provider that they are the true account owner. In order to make sure that the customer representative is speaking with the real owner of the phone number, they will ask some questions that require personal knowledge of the owner.
How does this happen?
The standard security measure for email services is to offer two-factor authentication (also known as 2FA) to make sure no one else logs into your email. Typing your password is the first factor, and the second factor is usually that the email service sends your phone a text message with a passcode in it. Then you type in the passcode and the email service lets you change the password to your account. Email services will typically ask for your phone number when you sign up for the sake of 2FA. There are other, better forms of 2FA, but the text message method is often the default setting. We’ll discuss better methods later.
When the hacker has your phone number THEY will receive the text message with the passcode, not you.
Even though the hacker does not know your password, they can click on the “Forgot My Password” option and, as we just noted, usually the default security measure is for the email provider to send a text message to your phone with a unique code that is needed to log in. Because the hacker SIM-swapped your phone, the security text will go to the hacker’s phone instead of yours. After logging in, the hacker can reset your password, so you are locked out of your account.
Unfortunately, this is only the beginning. The “Forgot My Password” option on the rest of your accounts (think of your credit cards, social media, bank, etc.) is usually set by default to send a link or code to your email or phone. After taking over your email, the hacker can gain access to your other accounts and lock you out.
If you are a manager or a business-owner, the threat is not just against you personally. If your employees are targeted, a hacker could use an employee’s account to potentially gain access to your business network.
How They Do It
Consider a hypothetical hacker who only knows your phone number. Even if you never post any information about yourself on social media, a hacker is still able to find enough relevant information about you to pull off a successful SIM-swap using only publicly available sources.
To start with, the hacker needs to know which service provider to call. They can use websites like Free Carrier Lookup, that will identify any phone number’s service provider for free.
The next step is to find out enough information about you to pass the security questions.
A January 2020 study from Princeton University showed it is generally easy for someone, such as a hacker, to call a phone carrier’s customer service and pretend to be the owner of someone else’s phone number. The standard practice is for the phone service representative to ask the caller, the hacker, a few questions about the phone’s true owner. The hacker just needs to do some research on the phone number, by using the methods described below, and then they will be able to correctly answer enough of those questions to “prove” that they are the true owner.
How They Find Your Personal Information
There are several free websites (truepeoplesearch.com, fastpeoplesearch.com, thatsthem.com, freepeoplesearch.com) that reveal personal information about any phone number’s user.
To showcase how this works, I chose a random phone number to research as an example. Below you see the initial results revealing the user’s name, month and year of birth, and address.
If we scroll down, we see the user’s email address, as well as former addresses and approximate dates when they lived there. If we click on any of these data points (names, phones, addresses, email) the site will show all other data points associated with it, which enables a hacker to delve further and further into the victim’s background.
The site lists “possible relatives,” which are likely identified based on whether these people were registered to the same phone or address during the user’s childhood years.
Finally, in the screenshot below you see how one site explains why it believes it has identified the phone owner’s spouse.
How to Stay Secure?
The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.
The following steps are effective against these threats. If you own a company, you can start by educating your workforce on the risks and then set up the following safety measures for your employees.
1 – Most phone service providers will let you set up a password to use in case your phone is lost or stolen. If you choose to use this method, consider getting a password manager (such as Bitwarden, NordPass, or Dashlane).
2 – Start using an authenticator app as your 2FA instead of text messages. If you have an authenticator app, it will stay on your physical phone even if your phone number is transferred to another phone. If your physical phone is stolen, you can reset the authenticator on a new phone by using a pre-set password (which is one more reason to get a password manager).
3 – Sign up for a free account on a data breach website like HaveIBeenPwned.com that will notify you as soon as your phone number or other information appears in a data breach so that you know to change your password.
These safety measures are straightforward and convenient. This article might be frightening, but you can stay safe with good security education and some simple measures.
The T-Mobile data breach is scary because so much is unknown, but what little information is available tells us that the worst kind of personal data has been leaked for a lot of people. What’s more, it is difficult to know if your data was in the breach. But you do not need to panic.
You can gain peace of mind by taking a few safety measures that will be effective regardless of how bad this situation becomes.
What Do We Know So Far?
A quick review of the situation is as follows: T-Mobile suffered a massive breach but tried to keep it quiet until it was revealed by an article from VICE. T-Mobile acknowledged the breach, but the extent of it is not certain; the company has not been forthcoming with its information. However, it is estimated that millions of people’s data have been exposed, and it is some of the worst kinds of personal information to lose. This data reportedly includes social security numbers, phone numbers, names, physical addresses, and driver’s license information.
There are many articles that will give you a litany of security measures that you can take (signing up for an account with the social security administration, changing the two-factor authentication on all of your accounts, etc.). But there are a couple of comparatively quick actions specific to this breach that you can take right now that will address the heart of the problem.
What To Do?
Secure your T-Mobile account, put a freeze on your credit (even if you don’t have an account with T-Mobile, you are in danger if you ever let them run a credit check on you), and then seek out good security education.
Right now would be a good time to get one of the many free password managers, but if you are not interested you can skip to the next paragraph. Bitwarden is widely considered the most convenient while still very secure. A password manager will automatically (no effort on your part) log your credentials whenever you log into an account and save them locally. This last part is important because it means that the company does not have its clients’ credentials in a central database and therefore if the company Bitwarden were breached, your credentials would still be safe. Finally, and most importantly for our purposes here, Bitwarden will suggest and save passwords that are random and unique. You will see why that is so important in a moment.
Your T-Mobile Account
You want to secure your T-Mobile account if you have one by changing your password and adding a passcode (or changing that too if you have one). Log into your T-Mobile account before a hacker can and change the password to something unique.
While you are logged into your account, take advantage of a special function in T-Mobile that lets you set up a unique passcode. If you want to reset your password in the future, you will need the passcode, so make sure you save it to your password manager. This simple act will prevent many of the most widespread scams, which often rely on people pretending to be you and trying to reset your password. But that is beyond the scope of this article.
Your Credit
Next, put a freeze on your credit. When someone steals your identity, you can eventually get your money and accounts back, but your credit can be irreparably damaged. A freeze on your credit will keep it safe and prevent hackers from opening new lines of credit in your name. Go to the three big credit agencies (Experian, Equifax, and TransUnion) and there is an option on each of their websites to freeze your credit. And of course, you could just call them too.
Your Education
The best measure you can take to stay safe is to obtain quality security education for you and your colleagues to be aware of the tactics that are out there. You should consider making your business networks more secure by reaching out to Cyber Security Crusaders for assessment services with actionable steps. Just go to cybersecuritycrusaders.io to contact us or learn more.
Bonus Suggestion
If you feel like putting in a little extra effort, you can also change the password on any other accounts where you used that same password. If you don’t want to try to remember each of those accounts, you can just look up which of those other accounts (where you used the same password) were also exposed in data breaches. Find those accounts by searching your password on data breach websites like Leakpeek.com and Dehashed.com. The results will show any accounts that were exposed in a data breach that used that same password. Look in those results for your accounts and go change your password (preferably choose a unique password so you don’t have to do this step again if those sites get breached again).
We often hear the word “Hacker” in terms of a bad actor who breaks into a system or network and tries to compromise important data by stealing it to exploit and damage an organization’s or an individual’s reputation and assets. This, of course, is the dark side of the term “Hacking,” but it depends on the Hacker whether he uses it for criminal purposes – such as exploiting vulnerabilities to damage one’s reputation and assets – or for good, e.g., assessing the infrastructure for security loopholes and suggesting appropriate remediation steps. Let us dive into what Ethical Hacking is, what an Ethical Hacker does, and why an organization needs one.
What is Ethical Hacking?
An ethical hacker exploits vulnerabilities and weaknesses in the IT infrastructure ethically. By ethically, we mean receiving permission/consent from the organization or individual to exploit vulnerabilities, keeping in mind the company’s SOPs (Standard Operating Procedures). Vulnerabilities are exploited, and then countermeasures are suggested to the organization so that it can apply proper mitigation techniques to protect the organization’s assets, services, or reputation. The Ethical hacking process assesses the company’s overall security posture by attempting to bypass controls across the IT infrastructure, which includes, but is not limited to, LAN, WAN, wireless network, cloud network, mobile and web applications, database management systems, Active Directory, endpoints, and security controls. The process also involves various hacking techniques such as Man-in-the-Middle attacks, DoS, DDoS, exploitation of weak encryption algorithms, outdated application versions, phishing attacks, and Advanced Persistent Threats. These techniques bypass security parameters and exploit vulnerabilities in the system, network, or application in the same way a threat actor would.
There is a famous saying: “To beat a hacker, you have to think like one.”
Ethical Hackers possess the skills and the mindset to keep them one step ahead of the adversary or a hacker. That means they will find vulnerabilities and provide necessary countermeasures before some other threat actor tries to exploit them.
The Five Phases of Hacking
There is a systematic process through which a Hacker can achieve his objective more effectively and efficiently. The 5 Phases of Ethical Hacking are:
Reconnaissance: The Reconnaissance phase, also known as information gathering or footprinting, is the initial and most important step in hacking. In this, we try to gather as much information as possible about the target. We usually gather information regarding the host, network, and the people involved in our target.
Scanning: Scanning covers port scanning, scanning the target for vulnerabilities (usually done with automated tools), and network mapping, such as determining how hosts in the network are connected and building a topology diagram from the information available.
Gaining Access: In this phase, the Hacker breaks into the system by exploiting any vulnerability found in the previous phase. The Hacker will then try to elevate his privileges to an administrator so that he can install malicious software, pivot into other systems on the network, or change any configuration he might need to steal or hide data, depending on the motive of the Hacker.
Maintaining Access: Once the Hacker has gained access, he might need to persist access to the system or network to carry out any malicious activities until he has achieved the desired objective. Maintaining access is achieved by installing rootkits, backdoors, trojans, or other malicious files.
Clearing Tracks: When the Hacker has achieved his desired intent, he then tries to erase the digital footprint he might have left during any malicious activity. Clearing tracks is necessary so that, upon investigation, the tracks do not lead to him. The process involves clearing system, application, audit, and security logs, changing registry files, or uninstalling malicious programs involved during hacking.
Types of Hackers
So now that we know what Ethical hackers are and how they operate, it’s time we categorize the types of hackers. This categorization is based on the motives and aims of the Hacker. Although hackers can be categorized into many types, we will discuss some of the types here.
Black Hat Hacker: Black Hat hackers are the bad guys who hack for personal, financial, or political gains. They are highly skilled individuals having sound knowledge about computer programs and exploitation techniques based on different infrastructures. These hackers tend to bypass complex security solutions and controls.
White Hat Hacker, a.k.a. Ethical Hacker: White Hat hackers are also referred to as the good guys because they know how black hats operate and have the necessary skill sets to identify and prevent hacks and to deploy countermeasures against critical vulnerabilities that could cause severe damage to the organization’s assets, services, and reputation.
Grey Hat Hacker: These hackers violate ethical standards and rules, but they do not have malicious intent. Grey hat hackers break into a system without the user’s or organization’s permission and may report what they found to the organization, sometimes for a small fee.
Red Hat Hacker: Red Hat Hackers actually chase the black hats by shutting them down so that they may not cause further damage to an organization. They use the same tools and techniques that the black hats use.
Why Do I Need An Ethical Hacker?
Whether you are a small, mid-sized, or large business, there is always a chance of getting breached by a threat actor or Hacker, as almost all businesses use some kind of IT infrastructure to provide services to their customers, be it on a small or large scale. IT infrastructure includes computers, laptops, servers, printers, switches, wireless routers, etc. All of these are at high risk of being breached at some point in time by hackers or adversaries. Attacks and breaches are becoming more advanced and powerful as technology evolves. Some of the most common cyber-attacks that organizations face are:
Ransomware
Phishing
DDoS Attacks
Man-in-the-Middle Attacks
Data leakage
Insider Threats
So considering the above facts, an Ethical hacker is a must for organizations that want to protect their business from attacks and breaches in order to maintain a reputation in the market. Hiring an ethical hacker for your business will help keep the risk associated with breaches and attacks at an acceptable level. Here is how an ethical hacker will help protect your business. An ethical hacker will use different tools and techniques, such as running scans for open or unused ports and identifying vulnerabilities in operating systems, system configurations, software versions, services, etc. He will sometimes perform a penetration test, a form of ethical hacking that aims to penetrate a particular network or system to identify security loopholes. After discovering a security flaw or vulnerability, he will suggest countermeasures and remediation steps for it.
Hiring an Ethical Hacker
Hiring an Ethical Hacker for any business is very important. An Ethical hacker with the right mindset and approach will serve as a great defender for your organization. Ethical Hackers should have strong technical knowledge, including the latest security trends, advanced persistent threats, complex attack scenarios, the risks associated with different security breaches, and information security management frameworks and standards. They should also be well-versed in reverse engineering techniques, scripting, identification of vulnerabilities, and how to exploit them to propose countermeasures before an adversary takes advantage and breaches the perimeter. Security certifications prove the ability of an ethical hacker to deal with complex scenarios. Certifications such as CEH (Certified Ethical Hacker), LPT (Licensed Penetration Tester), OSCP (Offensive Security Certified Professional), and GPEN (GIAC Penetration Tester) are the most in-demand and prestigious security certifications across the globe.
If you are a business owner and constantly growing your business by launching new products or services, upgrading your infrastructure, or getting ready to meet compliance requirements, then we suggest you opt for VAPT (Vulnerability Assessment and Penetration Testing) services multiple times a year. VAPT is a very strenuous task and requires a lot of critical thinking and resources. It may seem like overkill, but you’ll thank us! Hiring an ethical hacker can end up saving you a great deal of pain, time, and money from an actual hacker attack. If you have questions on hiring an ethical hacker or would like to move forward with Vulnerability assessment and/or Penetration testing, then Cybersecurity Crusaders can take care of your organization’s security posture and ensure that your business remains protected against evolving and advanced security threats. Avoid your company being the next target of Cyber Criminals – contact Cybersecurity Crusaders.