Law firms, CPA firms, and other professional service organizations are becoming the latest targets for organized hackers. These industries all have something in common that draws hackers to them like a magnet: sensitive client information.
In November of 2009, the Federal Bureau of Investigation (FBI) issued their first official warnings concerning spear phishing e-mails targeting U.S. law firms and public relations firms. The FBI stated in that warning that they had “assessed with high confidence that hackers are using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms.” Since then, we have seen a dramatic increase in successful compromises of these firms as well as CPA firms. (To read the full FBI warning, visit http://www.fbi.gov/scams-safety/e-scams/archived_escams.)
According to Help Net Security, 80 major law firms were hacked in 2011. The article titled “Law Firms Get Hacked For Deal Data” explains that the hackers used a common tactic to gain access into the law firms’ data. (http://www.net-security.org/secworld.php?id=12318)
Hackers have become very sophisticated. They will spend a great deal of time scanning an organization's network and analyzing its public-facing website and social media sites to gather information that can be used to launch a successful spear phishing attack. A spear phishing attack is one in which an email is sent to a high-level executive or Partner of a firm that appears to originate from another high-level executive or Partner within the firm. The email from the attacker will follow the same email convention that the firm uses (e.g., email@example.com). The content of the email can be as simple as: “after our conversation last week, I found this interesting article that I thought was very much on point for your matter.” The email will have an embedded website URL link that, if clicked, will take the recipient to a website that will download a nefarious payload allowing remote access to that computer system. This is an entry point into the corporate network, and depending upon the level of access the victim has, the hacker can move laterally to access other resources and data as well.
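A defender-side check for the message pattern described above, as an added example that is not part of the original article: it flags inbound mail whose From address claims the firm's own domain yet failed SPF or DMARC at the gateway, and lists embedded links that point outside the firm. The domain example.com, the sample message and the function names are constructed assumptions, and the check assumes the receiving gateway strips inbound Authentication-Results headers and writes its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example.com"  # assumption: the firm's own mail domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message, firm_domain=FIRM_DOMAIN):
    """Return auth failures and external links for mail claiming an internal sender."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    claims_internal = sender.rpartition("@")[2] == firm_domain
    # Verdicts written by the receiving gateway (assumed trustworthy, see lead-in).
    verdicts = dict((k.lower(), v.lower()) for k, v in
                    AUTH_RE.findall(" ".join(msg.get_all("Authentication-Results", []))))
    failures = sorted(k for k, v in verdicts.items() if v in ("fail", "softfail"))
    external = []
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url.rstrip(".,)")).hostname or "").lower()
        if host and host != firm_domain and not host.endswith("." + firm_domain):
            external.append(host)
    return {
        "spoofed_internal_sender": claims_internal and bool(failures),
        "auth_failures": failures,
        "external_link_hosts": external,
    }

# Constructed sample: internal-looking sender, failed checks, off-domain link.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dmarc=fail header.from=example.com
From: "J. Partner" <jpartner@example.com>
To: apartner@example.com
Subject: Article for your matter

After our conversation last week, I found this interesting article:
http://news.example.net/article?id=1.
"""
```

A message that scores `spoofed_internal_sender` with a non-empty `external_link_hosts` matches the pattern in the paragraph above and is a candidate for quarantine or a banner before it reaches the recipient.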
Over the years, hackers have been successful in compromising even the most sophisticated and secured corporate networks: Sony PlayStation, RSA, Booz Allen, Northrop Grumman, and Lockheed, just to name a few. These companies invest millions of dollars yearly in their corporate IT infrastructure and still fall victim to these attacks. Hackers have traditionally ‘beat on a brick wall’ of a network that has well-defined security configurations and systems until they are able to break through.
Recent reports show that hackers are now choosing to attack companies that do not have as secure a network as one might think. These hackers are successful in choosing companies that have network security infrastructures not much more sophisticated than a basic home network. This allows the hacker to very easily ‘walk through a paper wall’ versus beating through that brick wall, and they are obtaining the same outcome: valuable information. In many cases, law firms and CPA firms, especially those that have Healthcare, Tax, Matrimonial, Personal Injury, and Large Corporate Litigation practices, are prime targets for these hackers.
When a company suffers a data breach, customer lists, confidential client information, medical data and other valuable information are potentially accessed or stolen. The theft of Personally Identifiable Information (PII), theft of personal financial information, or theft of Protected Health Information (PHI) can haunt an individual for many years.
Forty-six states have enacted Data Breach Notification Laws. When a company suffers a data breach, that company is obligated by law to notify certain government agencies, as well as all of the potentially affected individuals, that their personal information has been “downloaded, copied, or accessed” by an “unauthorized” person.
Help Net Security recently published an article featuring a map by Imation that represents state data breach notification laws.
The “Compliance Heat Map” was developed to represent strictness of data breach laws and resulting penalties for breaches. The Compliance Heat Map provides a visual snapshot of the strictness of regulations by state, using a color scale ranging from light yellow (less strict) to dark red (more strict).
Some state laws require the company that suffered the breach to offer a credit for the fees that each individual has accrued due to the breach, as well as identity theft recovery services and credit monitoring services.
When computer forensics is applied to a data breach case, the forensic experts are often able to find out what data from that compromised system was “downloaded or copied.” In most cases, this forensic evidence can be game changing in managing or significantly mitigating the notification requirements. Adding computer forensics services to a data breach investigation can help save the company significant damages as well as loss of goodwill, company brand and reputation.
Often the costs associated with performing the forensic analysis in these matters can be covered under existing insurance policies in effect. Cyber Liability Insurance in particular has specific provisions contained within the policy to cover the costs of forensic analysis as well as the costs for credit monitoring services, identity theft recovery services and legal representation.
For more information please contact Michael McCartney: firstname.lastname@example.org