The subject line of the email read: “Support Greta Thunberg – Time Person of the Year 2019,” which seemed harmless enough. However, rather than providing information on climate change, the email actually contained a malicious Microsoft Word document which, if opened, would attempt to download malware onto the user’s computer. Malware has the ability to cripple a law firm, wiping out valuable data and rendering devices inoperable.
Although significant security breaches are usually the ones in the news, law firms of all sizes still have to concern themselves with security, as they may often be the target of viruses and phishing attempts as hackers try to access, change, or destroy sensitive client information, attempting to interrupt normal business processes and often to extort money.
Types of Threats
- Malware: malicious software that can be used to harm a computer user, such as worms, viruses, Trojan horses and spyware.
- Ransomware: a type of malware that locks computer system files via encryption. Hackers then demand a payment to decrypt and unlock them.
- Phishing: fraudulent emails, mimicking emails from reputable sources, which instead steal sensitive data, such as credit card information or login credentials.
One of the most challenging aspects of cyberattacks is the continuously evolving nature of the threats. It seems like new viruses and malware are released online on a daily basis. Two significant security issues were found in the last week alone:
Late last week, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a rare warning to all users of the desktop version of the Mozilla Firefox browser, urging them to update to the latest version due to a hacking threat. Older versions of the browser contain a critical vulnerability that could allow an attacker to take control of a user’s entire operating system. According to the CISA, “Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72.0.1 and Firefox ESR 68.4.1 and Thunderbird 68.4.1 and apply the necessary updates.” This issue does not impact mobile browsers.
- Mac: launch Firefox and click About > Firefox and click the “Restart to update Firefox” button.
- PC: launch Firefox and click on either Options > Firefox Updates or Options > Advanced > Update to update Firefox.
You need to upgrade to either Firefox 72.0.1 or Firefox ESR 68.4.1, or higher.
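An added example (not from the original article, Mozilla or CISA): a small audit an IT provider could run over an inventory of installed versions, applying the minimum versions named above. The inventory format and host names are assumptions. Note that a release-channel version such as 71.0 is numerically above 68.4.1 yet still outdated, so the threshold depends on the channel.

```python
import re

# Minimum fixed versions named in the CISA notice quoted above.
FIXED = {
    ("firefox", "release"): (72, 0, 1),
    ("firefox", "esr"): (68, 4, 1),
    ("thunderbird", "release"): (68, 4, 1),
}
# Assumed format: dotted numbers, with an "esr" suffix for Firefox ESR builds.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), channel) or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "72.0" -> (72, 0, 0)
    return tuple(parts[:3]), ("esr" if m.group(2) else "release")

def needs_update(product, version_text):
    """True if outdated, False if patched, None if it cannot be decided."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    version, channel = parsed
    minimum = FIXED.get((product.lower(), channel))
    # Compare numerically per component, against the right channel's minimum.
    return None if minimum is None else version < minimum

def audit(inventory):
    """Map each host to 'UPDATE', 'ok' or 'CHECK MANUALLY'."""
    labels = {True: "UPDATE", False: "ok", None: "CHECK MANUALLY"}
    return {host: labels[needs_update(prod, ver)] for host, prod, ver in inventory}

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("front-desk", "Firefox", "72.0.1"),
    ("paralegal-1", "Firefox", "71.0"),        # above 68.4.1 but still outdated
    ("partner-laptop", "Firefox", "68.4.1esr"),
    ("records-pc", "Firefox", "68.10.0esr"),   # 10 > 4 when compared as numbers
    ("mail-pc", "Thunderbird", "68.4.0"),
    ("kiosk", "Firefox", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:15} {status}")
```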
Microsoft’s Windows Issue
Earlier this week the National Security Agency issued an advisory regarding a major vulnerability in Windows 10 and Windows Server 2016 which can compromise the security of MS Windows’ cryptographic functionality. Exploitation of the vulnerability allows hackers to appear as a trusted entity, while actually exploiting network connections and delivering executable code. Your operating system could be tricked using fake signatures and thus allow malicious apps to run on the OS, allowing hackers to control the system.
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools have likely already been developed and are widely available. The NSA recommends that all users update their Windows 10 and Windows Server 2016 immediately.
NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services.
To update Windows, click the Start button, then go to Settings > Update & Security > Windows Update.
Keep Your Systems Secure
Your law firm should be implementing cybersecurity best practices in order to limit risk and protect IT assets from attackers with malicious intent. Security should be implemented in three basic areas:
- Devices like computers, smart devices, and routers
- Internal networks
- Cloud-based data
Common technologies used to protect these entities include firewalls, malware protection, antivirus software, and email security.
While you may have implemented comprehensive, effective, and likely expensive security tools, often the weakest links are the people using those tools. Here are some cybersecurity tips to keep in mind:
- Practice good password management. Use a strong mix of characters and don’t use the same password for multiple sites. Consider using a password management system, such as LastPass. Use of such a system means you only have to remember one password. It also allows you to easily grant or revoke access for your staff to various accounts, without having to share actual passwords.
- Be sure you’re familiar with the sender before opening attachments or clicking on links in email. If an email is unexpected or suspicious for any reason, don’t click on it. Spelling and grammar errors are often a red flag for hacking attempts.
- Only allow access to sensitive data from the office computers or other known devices. Using a public computer or free Wi-Fi at a coffee shop puts you at risk of your data being copied or stolen.
- Keep your website safe! Be sure that whoever maintains your website continuously keeps all of your plugins, themes, and code updated to avoid any hacking attempts. And remember to back up your data regularly.
- Make sure your antivirus software is always turned on and up to date.
- Malware can be spread through infected flash drives, external hard drives, and even smartphones, so be cautious when plugging devices into your computer.
Cybersecurity helps prevent data breaches and ransomware attacks. When a law firm has a strong sense of network security, it is better able to prevent and mitigate cyberattacks. If you haven’t given any recent thought to how secure your law firm network and website are, now’s the time to contact your IT company to verify that your cybersecurity measures are up to date.
Director, Web and Online Marketing Services
American Academy of Estate Planning Attorneys, Inc.