This is a copy of a guest blog authored for Ascertus Ltd, feel free to read the post over here.
Whilst content in our 9-to-5 employment, slightly resentful that our personal activities aren’t getting the attention they deserve, it’s easy to forget the true value of the things around us, especially their value to other walks of life. Like a life of servitude in ‘The Matrix’, we start to see only the ones and zeros: contracts, PDFs, ledgers and scribbled notes.
It’s hard to imagine a criminal world where there are no regular pay cheques, no need to wear a suit, people making up the rules as they go along, no Christmas parties, no AGMs and so forth. It’s all just so alien to our mindset in business that we feel we have no reason to focus on these carefree, parasitic lifestyles. But we should, or else, our ignorance could be our downfall.
Hackers, cyber-criminals, fraudsters or whatever they get labelled, are just people in search of a slightly better-off life. Based on all the crooks I’ve met, the thing nearly all of them have in common is a blunt ‘laziness’.
I’m reminded of the following quote by Bill Gates:
“I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.”
This quote sums up perfectly why a criminal would rather target your law firm. Criminals after credit card data target hotels, i.e. the aggregators of those details. Criminals after sensitive data for extortion, or after victims who regularly transfer large sums of money, target law firms. These hubs of commerce are fast becoming centres of illegal industry and are big targets.
It’s about time that law firms analysed their security risks and firmly instituted preventive measures. By this I don’t mean a new device or an extra padlock on the filing cupboard! It’s time to embed a real security culture and put real measures into practice.
This said, it’s not all doom and gloom. The best defence is knowing where the security risks in the organisation are, and being aware of the tricks of the ‘criminal’ trade and the variety of ways in which they will target you, ‘the individual’, so that the necessary measures can be taken. Let’s take a look:
- Phishing – This is the number one attack vector. It poses little risk to criminals and is relatively easy. Be wary of all attachments and never enable macros in them – ever!
- Spear phishing – If the phishing doesn’t go too well for the criminals, next in line will be ‘spear phishing’ – i.e. targeted emails that are tailored to your typical areas of interest. They might guide you to login pages designed to harvest your credentials or might simply deliver malware, ransomware or a whole host of other nasty attacks on your computer.
- Whaling – These emails target the ‘whales’ – i.e. the CEOs, the finance heads, CFOs and such. They are designed to blend straight in and are sophisticated attempts to go for the big wins. Often impersonating a company head, criminals will ask for payments to be made to bank accounts. Watch out for emails from your children’s school, rushed requests for money, emails from people who are on holiday and so on.
These emails are hard to spot, so as a rule, NEVER make a bank transfer based on an email request.
- Physical breaches are often disguised as robberies, but some criminals break in to steal computers containing data. Be sure all your law firm’s devices have full disk encryption.
- Social engineering attacks come in many forms – the individual might appear as a potential client booking a meeting, but in reality, may be more interested in knowing the company WiFi password and location of cabinets in the firm, rather than contracting the organisation.
- We all like to be helpful on the phone, but be on guard always! You are better off making your client jump through a few hoops to validate their identity as opposed to discussing their case with anyone who cares to call and enquire.
- Be wary of text messages, especially the ones claiming to be from your bank or client. Text messages can easily be spoofed and should not be trusted. Instead, agree a safe method of communication, such as a messenger that lets sender and recipient verify each other’s encryption ‘keys’ and so confirm the message really comes from the expected device. Wickr Messenger, Signal or even WhatsApp have many security benefits over SMS.
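The whaling pattern described above (an executive’s name on an external address, a different Reply-To, rushed payment language) can be turned into a simple mailbox triage check. This is an added example, not part of the original post; the firm domain, executive names and the two sample messages are all constructed for illustration.

```python
"""Flag inbound e-mails that show the hallmarks of executive impersonation ("whaling")."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

FIRM_DOMAIN = "example-law.test"            # constructed: the firm's own mail domain
EXECUTIVES = {"jane doe", "john smith"}     # constructed: names a fraudster would imitate
# Substring matches, so "wire" also catches "wired"; tune for your own false positives.
URGENCY_TERMS = ("urgent", "bank transfer", "wire", "new account details", "before 5pm")


def whaling_flags(raw_message: str) -> List[str]:
    """Return the reasons this message should be verified out-of-band before any payment."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    flags = []
    # 1. Executive's name in the display name, but the mail did not come from our domain.
    if display_name.strip().lower() in EXECUTIVES and domain != FIRM_DOMAIN:
        flags.append(f"display name '{display_name}' is an executive but sender domain is "
                     f"'{domain or 'missing'}'")
    # 2. Replies are silently redirected to a different mailbox.
    if reply_to and reply_to != address.lower():
        flags.append(f"Reply-To {reply_to} differs from From {address}")
    # 3. Pressure to move money quickly.
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        flags.append("payment/urgency language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail).
SUSPECT_MAIL = """\
From: Jane Doe <jane.doe@mail-partner-portal.test>
Reply-To: jd.private@mail-partner-portal.test
To: accounts@example-law.test
Subject: Urgent - client settlement today

Please make the bank transfer to the new account details attached before 5pm.
I am travelling and cannot take calls.
"""

BENIGN_MAIL = """\
From: Jane Doe <jane.doe@example-law.test>
To: accounts@example-law.test
Subject: Agenda for Thursday

Attached is the agenda for the partners' meeting.
"""

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, whaling_flags(mail) or "no flags")
```

A hit is a prompt to pick up the phone and confirm with the person on a known number, which is exactly the rule the post gives for any transfer request.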
Documents, data and processes that are considered routine by lawyers are often extremely valuable to cyber criminals. Firms must be acutely mindful of this and indeed the fact that criminals are adept at deception and manipulation to successfully gain the data for their own financial gain. A well-rounded awareness of breach methods and approach to security is essential.
About Richard De Vere
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’, ‘phishing’ and ‘smishing’ exercises, and information gathering assessments for financial institutions and some of the UK’s largest companies.