Tag Archives: cyber security tools

Security

‘Active Defense’ will Improve Cyber Security

Leave a comment

Lately I’ve seen many articles about “active defense” and “hack back.” This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun.  Something needs to be done.  The problem is many of these articles take a doomsday approach to the topic. 

Comments like, “it’s illegal, you can’t do it;” “you will disrupt someone’s life support in a hospital;” “we will end up with vigilantes hacking back;”and many more, do not facilitate a discussion but appear to seek to end the debate.  Many of the naysayers claim the only solution is law enforcement and more of it.  How many more police would be enough and is this a realistic response? 

Consider this: one person can command a million bot attack from the comfort of his living room; nation-states are training their people to use cyberspace to attack, steal, disrupt; and working for organized crime and terrorist groups pays much better than working a legitimate job in many countries.  So, what will it take to raise the stakes and make hacking a more risky business?

Active defense will actually improve security for those who consider it.  However, regardless of how the debate proceeds and no matter what the perceived outcome, companies are not likely to suddenly flip a switch and begin hacking back.  There are still too many variables and unknowns involved, e.g. risks, liability and legal issues.  There will continue to be much caution and debate, primarily since the law on this topic is so unsettled and at this point it is difficult to tell from one jurisdiction to the next how this activity will be perceived.

A company with any sense of corporate responsibility will attack this problem with a very cautious approach.  For instance, if your company is persistently attacked the first question is why and how.  Is the company being targeted for a particular reason or is your security so crappy that every hacker and his brother are using you as their playground? 

If your security is good, which is relative because no matter whom you are, your security can always be improved, you will likely take an escalated approach to the problem and not jump right in to hacking back.  During this escalated approach you should be collecting the necessary intelligence to evaluate the problem. 

To use an analogy, let’s say you are in a combat zone and encounter a sniper.  In most circumstances you will not call in an airstrike on the sniper.  There are many factors to consider, like where is he, what type of collateral damage may occur, what is the least amount of effort and resources necessary to take him out, etc.?  So, when facing a cyber-attack the same considerations apply:

  • Where is the hacker coming from;
  • What is his motive and end-state;
  • Based on the Intel you have collected, what tools and techniques can you use;
  • What collateral damage may occur; and,
  • Since time and resources are money, what is the least time and resource intensive course of action you can take to resolve this issue?

Companies have too much to lose to take this lightly and jump forward without a very careful analysis.  It is this analysis that will inevitably lead to much better security and more focus on the problem.

Other questions for a company to ask are, is the attack persistent or a one-time hit and how much Intel can be collected regarding the attack: can a motive be determined, what is the source and means of the attack, potential location and/or identity of the attacker, how many hops in-between your network and the attacker, what type of servers and who owns those servers; then, what is your end-state (block attack, find hacker, prevent further disruption, retrieve intellectual property/trade secrets, etc.), and finally, what are the risks, liability, and legal issues involved? 

Any company that would attempt to hack back without ensuring that their security is good or better than average is just asking for trouble.  A lot of avenues of approach beyond the standard defenses currently employed exist for companies persistently attacked.  The fear mongering spewed in many articles over active defense and hack back will simply drive companies, which are persistently attacked and frustrated with the state of security, to go underground with their response, act in a haphazard manner, and hope they don’t get caught.

Security

Attorneys and Law Firms Beware and Implement Good Cyber Security Practices

Leave a comment

If you are an attorney you need to heed the warnings: lock down and protect client data.  This is not a scare tactic, but good advice in light of recent events.  In 2010 at least seven law firms in Canada were hacked, allegedly by Chinese hackers seeking to derail a $40 billion deal with an Australian mining company and to steal valuable client data resident at the law firms; and just this year the Puckett law firm was hacked by the Anonymous hacker group because the firm represents one of the Marine sergeants accused in the Hidatha, Iraq killings.  Some members of Anonymous were upset that the sergeant was getting a pretty good deal and Bradley Manning, the private who leaked      secrets to WikiLeaks was facing life in prison.  Imagine realizing that your law firm has been hacked and wondering what this is going to do to your reputation, and what, if any, ethics or disciplinary action may result. These are the type of stories that make the headlines.

Let’s face it, if your client’s network and/or data is secure, smart hackers will look for the soft target and see if they can get what they are looking for by going through you.  “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” (Mary Galligan, head of cyber in the New York City office of the FBI).  As a profession, we have moved far beyond being able to claim ignorance when it comes to cyber security.

An Aug. 2011 ABA formal opinion suggested that attorneys discuss with clients the fact that email may not be very secure.  Ensure clients are comfortable sending sensitive client info via email.  Some local bar associations have taken it a step further and stated that ethics require attorneys to use a secure email service.  I agree.  In fact, I would do two things:

1) include in your engagement letter a statement that email is not secure and that clients should either agree to use a secure service or sign a statement indicating their desire to continue to use email despite the security concerns; and,

2) Incorporate into a security policy for the firm a plan that outlines how client data will be protected and ensure all in the firm have read and are following it.

Cyber security does not need to be a mystery.  Many free and easy to use tools exist that will help you keep your practice more secure.  For instance, your email service may support secure or encrypted email.  If it doesn’t, there are many good options, such as Hushmail.  It is free, like Hotmail, and allows you to password protect emails using a question and answer format.  Just send your client a text or call them on the phone and tell them the password/answer.  This will significantly lower the risk of loss or theft of data and potentially reduce or eliminate your liability if an incident does occur.  It will also be a deterrent to your client if he/she decides to share your confidential communications with a third party, thus destroying attorney-client confidentiality. He/she will have to provide the password to that person or at least take extra steps to forward the message.  This is just one of many free tools that you can use to significantly lower the risk of a cyber-incident and reduce your liability if data is lost or stolen.  Will these tools make you 100% secure?  Not even close, but if the big guys like Citibank, JP Morgan, Google, the Pentagon, RSA, Visa, and a slew of others cannot prevent getting hacked neither can you.  What you can do is pull yourself out of the low hanging fruit category and minimize the risk of an incident. It’s time to do some research into this topic or hire someone you can trust.  Do Not trust the firm that tells you they have made your network secure, its not going to happen, and if you believe it there is a little bridge I would love to sell you ; – ).  Feel free to contact me with questions or leave a comment.