Current Challenges and Opportunities in the Legal Sector

Current Challenges and Opportunities in the Legal Sector: Insights from our legal roundtable

Throughout the year, QuoStar holds roundtable events for the legal sector, where a small group of attendees can get together over a three-course meal to share industry insight and best practice. At the end of April, we held our first event of 2024, with QuoStar CEO, Rob Rutherford joining myself and several Partners, Managing Partners, and Heads of IT from south coast law firms.

It was a fascinating evening of discussion, with a focus on how best law firms can mitigate mounting cybersecurity risk, drive operational efficiency and use tech innovation to gain an advantage.

Law firms in the crosshairs

Cyber risk is fundamentally a strategic business risk today – and one that impacts all legal sector organisations, no matter what their size. Attendees around the table agreed that their company is very much in the crosshairs of threat actors – whether they’re financially motivated cyber-criminals, state-sponsored hackers or even disgruntled current or former employees. Automated tools mean these bad actors can continuously probe for vulnerabilities in public-facing IT infrastructure without breaking sweat.

Their efforts are hitting home. Current data is hard to come by, but the Solicitors Regulation Authority claims that 18 law firms in the UK were hit by ransomware in 2021. Three-quarters (73%) of the firms it visited for a cybersecurity review a year earlier reported cyber-related incidents. Separate data from the Information Commissioner’s Office (ICO) analysed by insurer Chaucer reveals that the number of legal sector data breaches reported to the regulator increased 36% annually to reach 226 in 2022/23.

There are many reasons why law firms are a popular target for attack. They hold sensitive client information, handle large volumes of funds and play a key role in business transactions. The National Cyber Security Centre (NCSC) warns that firms acting for organisations that engage in “controversial” work such as life sciences or energy may also be targeted by hacktivists. The top threats to the sector are phishing, data breaches, ransomware and supply chain compromise, it says.

Time for multi-layered cyber-defence

As digital investment grows in the sector, so does the cyber-attack surface. All attendees recognised the challenge – agreeing that everyone in an organisation needs to play a part in keeping their firm safe. From a strategic perspective we recommend the following:

  • Deploy robust security controls and best practices such as advanced firewalls, multi-factor authentication (MFA), complex passwords, mobile device management, and vulnerability management.
  • Don’t ignore the human factor. Ongoing staff awareness raising and education is key to mitigating the risk of phishing, which is often the starting point for breaches
  • Put an incident response plan in place today, to enhance business resilience and minimise the impact of a security breach if one occurs. Data cited by the Law Society claims only 35% of law firms have one in place. It’s also important to test this, such as what happens if the firm is affected by Ransomware.
  • Consider obtaining a cyber accreditation such as Cyber Essentials Plus and ISO27001. This won’t stop attacks occurring, but will ensure the organisation is better placed to respond efficiently, mitigate the impact, whilst also reassuring clients. QuoStar can help by undertaking an independent audit to identify any gaps in current security posture, risk management, governance and compliance.

Risk extends to third parties

Law firms increasingly outsource parts of their IT function to third-party suppliers – whether they’re a provider of cloud services (CSP), SaaS applications or managed services (MSP). But these entities in turn can be a target for attack – making it essential that they maintain the same high level of cybersecurity as their client organisations. It is no defence to say that a third party was responsible for a breach. The regulator will generally hold both parties responsible. Nor is this a theoretical risk. A UK-based MSP was hacked last year via an exploited vulnerability and the resulting breach impacted dozens of its legal sector customers for over a month.

Attendees around the table argued that it’s not good enough to assume that larger suppliers are inherently to be trusted. Given what’s at stake, it’s vital to conduct thorough due diligence, and undertake a security audit of any prospective supplier, which QuoStar can help with. Those accredited with Cyber Essentials Plus, ISO 27001 or other standards/frameworks are a good place to start.

Gaining an advantage through AI

Finally, no roundtable discussion on technology would be complete without a conversation about the role AI could play in driving advantage. The IT and business leaders we spoke to are rightly sceptical about many of the claims currently being made by vendors about their products – especially legacy tech vendors they see as jumping on the AI bandwagon.

Most of those around the table understood AI to mean generative AI (GenAI) tools like ChatGPT and Copilot. But in fact, there’s much more to the technology than this. Law firms could utilise:

  • Pure AI, using core algorithms to develop their own AI solutions. One example we heard was a law firm using AI to predict the outcome of litigation cases
  • GenAI: AI that can produce and summarise content including text, video and images
  • Packaged AI: suppliers that have built AI features into their technology and deliver these to law firms, eg many suppliers now embed machine learning into their applications

Attendees were unanimous in agreeing that AI will play a major part in the practice of law in the future. But they also argued that headlines claiming it will replace large number of lawyers and fundamentally change the way the sector operates have been significantly oversold.

AI will simply be another tool. By all means experiment with it – especially GenAI, which could have some productivity benefits – but don’t feel like the company will be left behind if it does not embrace AI immediately. There are certainly challenges to be managed – not least, biased/inaccurate output, and potential data security and confidentiality risks when inputting information. The best option for many may be to wait for others to make the leap first and then learn from them.

Stay informed, sign up

How careful planning can take the pain out of ransomware breach response

How careful planning can take the pain out of ransomware breach response

There is plenty that organisations can do to enhance their resilience to ransomware breaches. But no preventative strategy can ever be 100% guaranteed to succeed. The modern corporate attack surface is simply too porous and expansive, and threat actors too persistent, for that. That’s why network defenders should also be primed and ready for a worst-case scenario.

As we explained in our previous blog, an attack can strike at any time. And when it does, those in charge are often trapped in a whirlwind of confusion. The key to successfully managing such a situation lies with forward planning.

Planning for a breach

Ransomware is among the most common and acute cyber-threats facing UK businesses. And the threat will continue to grow with the advent of AI, the National Cyber Security Centre (NCSC) recently warned. For smaller businesses its impact can be particularly destructive. A 2022 study revealed that a fifth of US and European businesses had nearly been forced into bankruptcy by a historic attack. Last year one of the UK’s largest privately owned logistics firms entered administration due to “disruption” caused by a ransomware compromise.

Yet it doesn’t need to be this way. It all starts with putting the right team together. Ideally, it should include key representatives from the IT and security function, PR and legal – and possibly also HR and customer service stakeholders. That’s because, when a ransomware attack hits home, it can impact disparate parts of the business.

PR is essential to help organisations manage their external communications strategy. HR should be on hand to manage internal comms and cross-departmental collaboration. And legal will dispense critically important advice on engaging with regulators, managing potential customer/employee class action suits, and more. For most organisations, customer service will also need to be involved to manage the fallout for end customers. If any piece fails, there could be significant financial and reputational repercussions, including customer churn, regulatory fines and lawsuits.

The average cost of a UK data breach is calculated at $4.2m (£3.3m) today. But in some cases, ransomware has caused losses measured in the tens of millions. From a regulatory perspective, organisations need to think not just of data protection watchdog the Information Commissioner’s Office (ICO) but also any relevant industry-specific bodies, like the Financial Conduct Authority (FCA).

Putting the pieces in place

Every organisation is different, and there’s no single agreed format that an incident response team should take. Most important is that everyone has a clearly defined role that they understand, and that they are working under unequivocal instructions from an incident response lead. In many cases, this will be a senior individual from the IT team. Crucially, they need not only experience of working under pressure – and ideally in crisis incident response situations – but must also be given the authority to lead for the duration of an incident. That means even members of the organisation and board senior to that individual must respect their decision making.

The next thing a team needs is a plan. This is where many organisations fall down, by attempting too much. No one can predict how or when a ransomware breach will take place, and what its impact may be on the organisation. But many try, by building out complex incident response plans which will likely be redundant as soon as attackers strike. The key to success is rather to keep things simple and high level. The incident response team will need to improvise, but within their own clearly defined roles. It’s also important to ensure any pre-written plan is accessible in a crisis – ie, not stored on a server that has been encrypted by ransomware.

In a similar way, organisations shouldn’t overthink things by scheduling frequent incident response training exercises. In a typical organisation there are mini incidents occurring all the time which can be used to hone the skills of team members. Once a driver has passed their test, they aren’t forced to sit another one every six to 12 months: simply by being behind the wheel they continue to practice and improve the required skills.

Communicating clearly

Above all, when working through post-ransomware breach response, organisations must foreground the importance of clear communication. That could mean:

  • Communication between incident response team members
  • Communication with the board and senior managers (they should be kept updated at frequent intervals)
  • Communication with the wider community of employees – to ensure they follow policy by limiting what they publish online about an incident, and to maintain morale during what could be a long road to recovery
  • External comms. It’s vital that a senior spokesperson is chosen as part of the incident response team. This individual should be the face of the organisation during the breach response. External comms is critically important to prevent rumour and speculation, especially in the early hours and days following a breach

This is by no means a comprehensive checklist for post-ransomware breach response. But it’s somewhere to start.

For a more detailed briefing on what to expect from a ransomware attack and how to respond, register today for our upcoming reality check webinar: Assessing the real impact of a Ransomware attack.

Assessing the real impact of a Ransomware attack, webinar registration

Why Privileged Identity Management (PIM) is critical for businesses using the cloud

"Privileged accounts are a prime target for cybercriminals..."

Privileged Identity Management (PIM) is an essential security practice for businesses using the cloud. It focuses on securing and managing privileged accounts and access rights within an organisation. In this blog post, we will explore the importance of PIM for businesses, particularly those using the cloud, and why every business should consider implementing it as part of their comprehensive cybersecurity strategy.

What is PIM?

PIM refers to the processes, policies, and technologies used to manage and secure privileged accounts and access rights within an organisation. Cybercriminals often target privileged accounts as a means of gaining access to sensitive information and systems. PIM aims to reduce the risks associated with privileged accounts by providing a central solution for managing and securing these accounts. It involves identifying, managing, controlling access, and monitoring privileged account activity.

Importance of PIM for Businesses

Privileged accounts are a prime target for cybercriminals, and a breach can result in severe consequences, including data theft, business disruption, and reputational damage. PIM is essential for businesses because it helps to mitigate the risks associated with privileged accounts. By implementing PIM, businesses can control who has access, monitor, detect and respond to suspicious behaviour, and reduce the impact of a breach if one occurs.

Why Every Business Using the Cloud Needs PIM

Cloud computing has transformed the way businesses operate, providing flexibility, scalability, and cost savings. However, the cloud also presents new security challenges, particularly when it comes to privileged accounts. Cloud environments typically have many privileged accounts that can access critical resources, making them attractive targets for cybercriminals. PIM is especially important for businesses using the cloud because it provides a central solution for managing and securing privileged accounts across all cloud services and platforms. With PIM, businesses can identify and manage privileged accounts, enforce access controls, and monitor activity. Implementing PIM in the cloud can also help businesses to meet compliance requirements.

Conclusion

PIM is a critical component of a comprehensive cybersecurity strategy, particularly for businesses using cloud computing. By implementing PIM, businesses can manage and secure privileged accounts, control access to critical resources, and monitor privileged activity. PIM can help to reduce the risk and mitigate the impact of a breach if one occurs. Every business using the cloud should consider implementing PIM as part of their cybersecurity strategy to protect against the growing threat of account breaches.

If you’d like a member of QuoStar’s consulting teams to assess your risks and advise on potential controls, without obligation, please contact us.

How to safeguard your cyber insurance cover – and your business

The risks of – and the potential fallout from – a cyber-attack is enough to keep any company director awake at night. 

The costs of a breach can be huge, costing UK enterprises an average of £4.09 million per breach, according to IBM’s Cost of a Data Breach study.  

These figures are not surprising when you consider lost productivity and revenue, response, forensics, recovery, communications, data breach fines, and various other costs. Even a company with 100 employees can be looking at hundreds of thousands of pounds, just to get back to where they were before an event, such as from a ransomware attack.  

Together with the significant reputational damage that can follow a data breach, the level of risk and likelihood means that most organisations have some form of cyber insurance to cover these substantial costs.  

 But as the number of cyber insurance pay outs grows, insurers are looking at ways to not pay out, or at least not for the full amount of damage. This is understandable in cases where a board has been negligent and not managed the risks, just as a motor insurer would not pay out where a driver had failed to get an MOT or put road legal tyres on their car.  

Your responsibility to control risk

All cyber insurance providers expect policy holders to take responsibility for evaluating and mitigating risks.  

Insurers expect best-practice cyber security controls to be in place, which typically includes the ‘absolute basics’ such as Cyber Essentials. This also means keeping on top of security operations year-round, not just a tidy up and certification every year or so. 

If the basics are not in place at the time of a breach, then many insurers will not pay out. On top of this, the ICO and other regulators are likely to hand out significant fines. These amounts aren’t insignificant, as the ICO alone can hand out a data breach fine of £17.5 million, or 4% of an organisation’s total annual worldwide turnover, whichever is higher. 

Cyber security basics should be viewed as seriously as other risk controls in your business, such as a fire alarm that is regularly serviced and tested. 

Common cyber security measures

For a cyber liability policy to pay out in a breach scenario you need to check the small print.  However, here are common areas that are going to have an impact on any claim: 

Patches and Updates

  • Firewall Protection – IT equipment must be protected from unauthorised access by a suitable firewall. The firewall needs security updates and other updates at least once a month, if not automatically. An insurer will almost certainly not pay out if the firewall is not up to date at the time of a loss.
  • Software updates –It’s best practice to patch and update software and it is a standard cyber insurance term to mitigate known vulnerabilities. Important updates to firmware, operating systems, and other software must usually be installed within 14 days of being released by the vendor or provider. Some insurers will insist on seven days, which can be a tough clause to manage in some environments, so keep an eye out for this.
  • Tablets, phones, and other devices – It’s important that tablets, phones, and any other devices with access to your network are updated or kept off the corporate network. Your organisation is responsible for who and what connects to its network. If your network is breached from an insecure work or personal device, then your insurance could be void. 
  • Outdated operating systems – Outdated operating systems and software that is no longer supported by the vendor in terms of security updates is going to invalidate insurance if they are breached. 

Users and Passwords

  • Change default passwords – If you have default passwords or use the password that came with an IT device when it was purchased, then your policy will be invalid. There are large databases on the internet that list all these default passwords, and these are always a go-to for hackers and automated attacks.
  • Individual ID and password –It can be common for some users to share logins and passwords to certain systems, and for conference room PCs to have shared logins. These shared credentials are unacceptable as they are a common cause of a breach. It also makes the source of a breach difficult to trace.
  • Limiting access – System users should only have access to what they need, particularly logon credentials with enhanced security rights, such as administrator rights. It’s particularly important that users don’t have administrator rights on the device they log in to as that’s an easy way for an attacker, who may be an employee, to gain control of a machine and then the wider network and systems. Organisations will need to prove that administrator accounts are controlled and that passwords are changed regularly.
  • Work laptops should be controlled – Only authorised users should be able to use work devices. This will need to be controlled via policy and login restrictions. An employee’s child downloading and installing a game with ransomware on to a work device could lead to the insurance being invalidated.

Data Backup

Cyber insurance policies will always cover the backup and protection of data. They will typically include: 

  • Two copies of backup data at different locations – It’s standard to expect two separate copies of backup data to be stored. One can be local to the IT environment, but another should be taken or backed up off-site, such as on a cloud backup platform. It’s increasingly common for insurers to ensure that backup data is air-gapped, so if someone gains access to your systems, they cannot get access to the backups. It’s common for ransomware attacks to seek and encrypt backups quickly.
  • Frequency of data backup –It’s usual to backup data daily, if not continually, in most modern IT environments. If your data is critical, then an insurer would want to know why you have not backed-up regularly. 
  • Backup checks – It’s critical that you regularly evaluate your backups to make sure everything that needs to be is backed up. It’s even more critical to ensure that your backups are working as expected. Many systems will send automatic alerts, but it’s still worth doing a manual check and restore every now and again.
  • Virus Protection –Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. It should also be noted that many insurers are now asking that businesses have at least EDR (Endpoint Detection and Response), which is a typically more advanced antivirus solution, supported by a specialist organisation. In fact, it’s generally considered a security basic now, as antivirus was 20+ years ago.

Pre-existing problems

Cyber insurance will not pay out if you are aware of, or ought to have reasonably known about, a pre-existing issue, prior to the cyber insurance being taken out. This is particularly important if you’ve had security audits undertaken in the past but not dealt with any issues highlighted. Too often organisations know they have issues but still take out insurance as a way of mitigating spend on security controls. This is a bad idea. 

Previous breaches

If you’ve been breached before it will impact your insurance, as there could always be something waiting to deploy at a particular time, or a hole left in the environment. You must declare if you have had a breach, usually over the last three years. 

What can reduce premiums?

There are key areas that can make a real difference to your cyber insurance premiums and your security posture, such as: 

  • Multifactor authentication, particularly for remote access and administration accounts 
  • Privileged Access Management (PAM) 
  • Endpoint Detection and Response (EDR)
  • Secured, tested and encrypted backups 
  • Email filtering and web security 
  • Patch and vulnerability management 
  • Cyber incident response planning and testing 
  • Cyber security awareness testing and phishing testing 
  • Security Information and event management solutions 
  • Vendor and supply-chain risk management 

All the above are sensible security controls that should already be in place in organisations of all sizes. 

How do I know if I have the right controls in place?

If you would like a no-obligation audit, please contact us to sign up for a Cyber Maturity Assessment or Cyber Risk Assessment.

How our Fortinet SD-WAN solution delivers security at scale

If your organisation is considering SD-WAN (Software-defined Wide Area Network), then effective networking and built-in security should be integral to your decision.

In partnership with Fortinet, QuoStar is one of 15 SD-WAN specialised partners in the UK. We offer a solution that achieves safer, more cost-effective and efficient SD-WAN implementation. Here’s how:

SD-WAN explained

With dispersed workforces, new digital tools and cloud adoption at an all-time high, many organisations are turning to SD-WAN. This virtual WAN architecture brings together existing internet connectivity options, such as MPLS, Broadband, DIA and LTE, to securely connect users to applications, while simplifying the control and management of this connectivity.

SD-WAN solutions help to remove complex and expensive routing, cut down on hardware costs and remove expensive MPLS networks. They can also greatly enhance access to Software as a Service (SaaS) and other cloud-based services and help to minimise downtime.

The issue

However, many available SD-WAN networking solutions have little or no built-in security, which can lead to organisations adding a range of disparate tools to address these risks. This increases capital expenditure, raises complexity and creates potential gaps for cyberattacks.

A fully integrated, secure SD-WAN solution is the best way to ensure effective protection, operational efficiencies, and on-going readiness for evolving network demands.

QuoStar’s SD-WAN solution

Working in partnership with Fortinet, who have been recognised by Gartner as a Leader in the 2022 Gartner Magic Quadrant for SD-WAN for a third year in a row, QuoStar’s SD-WAN solution brings extra security protection and enhanced performance to the existing benefits of SD-WAN. These improvements include:

  1. Protection at all edges

Native security for both on-premises and cloud-delivered services, to provide flexible, secure access for a distributed workforce working on and off the network. Unified orchestration capabilities further provide end-to-end visibility and control of the network environment.

  1. A world-class user experience

Our solution overcomes WAN impairments at all edges using our comprehensive self-healing SD-WAN as well as AIOps and Digital Experience Monitoring (DEM). There are no network slowdowns thanks to our purpose-built security processing units, and application performance is maximised with artificial intelligence and machine learning.

  1. Reduced costs and complexity

Significantly lower operational complexity and low total cost of ownership is achieved with converged networking and security. Our unified SD-WAN solution secures remote workers and on-premises users with consistent policies.

You should investigate SD-WAN if:

  • You’re a largely distributed company experiencing network problems.
  • You’re particularly vulnerable to internet outages.
  • Your internet connectivity costs need to be revaluated.
  • You want to simplify the branch architecture.
  • You’re in the market to affordably expand your company’s network.
  • Your company needs to scale quickly and easily.
  • You would like to enable reliable user experience on any transport with rich routing and advanced WAN remediation for self-healing networks
  • SD-WAN control and management across multiple locations is providing a challenge for businesses with IT resources facing skill gaps

Obtaining a Secure SD-WAN Assessment Report will give you unmatched insight into your current security posture and network activity. Learn more about your network by registering for a free assessment here.

Free SD-WAN Assessment

Why MFA is no longer enough

Two step authentication

It’s time to let go of the view that multi-factor authentication (MFA) provides enough security.

Hackers have the means to steal passwords, hijack users’ sign-in sessions and bypass the authentication process entirely, even when MFA is enabled. Adversary-in-the-middle (AiTM) attacks may be nothing new, but the ability of criminals to bypass MFA is.

What’s new?

Attackers can now intercept the legitimate session cookie issued by a real website, along with the authentication token.

The sophistication of these modern AiTM attacks has been highlighted by Microsoft, who explain how AiTM phishing attacks work.

In simple terms:

  1. An attacker sends a cleverly crafted email (phishing attack) which looks legitimate
  2. An unsuspecting user clicks on this link, which takes them to the attackers’ ‘spoof’ website
  3. The attackers’ website silently and transparently forwards on the request to the real site (Office365, Google etc) for authentication
  4. The user sees the real website and enters their credentials to authenticate

The attacker can now silently intercept this data while it passes through their website

Cookie theft

Ever wondered how you can launch Edge or Chrome and navigate to your Office 365 email without being prompted for authentication? Or launch Outlook or Teams without being prompted for authentication?

This is because you have already done that once and have a safely stored session cookie which is valid for a set number of days.  This is what the attacker is after and once they have it, they have easy, instant access to your email or Teams account.

 

Build multiple layers of protection

A multi-layered approach to security is the key. Relying on a single security mechanism such as MFA is like putting all your eggs in one basket. You need to reduce the possibility of security compromise by adding more control layers.

  1. Enable MFA if you haven’t done so already. Without this, it’s like having a toy padlock on your front door.
  2. Raise awareness. This is the most effective and essential step of all. Educate users on how to spot phishing emails and when they should and shouldn’t enter their credentials.
  3. Implement advanced email filtering. Reduce the chance of attacker emails reaching users’ mailboxes by deploying Content Filtering, Sender Filtering and Safe Links. These are must-haves.
  4. Implement a Web Proxy. These may be usually considered a mechanism to stop people accessing Facebook or eBay during working hours, but when combined with Deep SSL Inspection, a Web Proxy can inspect all traffic leaving the organisation and track known suspicious or malicious content and sites.
  5. Implement EDR. Next Generation anti-virus/anti-malware technologies with an Endpoint Detection and Response (EDR) service overlay can detect threats in your networking environment and respond to them appropriately, automatically, and ideally with a human interaction when required.
  6. Implement Microsoft Conditional Access Security Defaults. Conditional Access policies allow IT admins to create conditions before events, such as authentication, can be accepted. This could include enforcing MFA when logging into any Azure integrated Cloud App, including Office 365, to block sign-ins from untrusted locations or from unknown devices.
  7. Implement Least Privilege. If an attacker manages to penetrate all these layers you can still limit the damage done. If the end user does not have local admin rights, then there’s a good chance that the attacker will not have these when they compromise that machine. Another, possibly even more important, step is admin account separation

None of these controls are particularly new. They are in essence good practice and should be implemented as a base standard in all sizes of IT estate. The majority shouldn’t even cost significantly to implement if anything.

Find out how QuoStar can help to evaluate your IT security and safeguard your enterprise from attacks with a complimentary consultation with a member of our security team.

 

The cyber-war era: the rapid growth of the threat landscape

cyber security skull banner

 

In this blog we explain what you should be looking out for in the cyber-war era, and how you can best protect the cyber-security of your organisation.

 

The threat landscape is accelerating faster as global tensions grow over the Russia Ukraine conflict. The Cyber-war is well underway, with Ukraine rallying troops for the frontline of the cyber battleground

Cyber-war era: as cyber security threats rise, what should you look out for?

Amid the tensions of early 2022 cyber-attacks were already on the rise, with threat actors targeting both Ukrainian organisations and their government. Although there are still questions around who may be responsible for some of these attacks, Ukraine firmly believes Russian state actors are responsible – and evidence would strongly suggest that is the case.

Since the Russian invasion began in Ukraine on 24th February 2022, businesses and government institutions globally are on high alert for state-sponsored cyber threats – with banks, energy companies and airlines undertaking additional work to strengthen their defences against such attacks. There is an underpinning fear that this could be the new era of global cyber-war.

DDoS attacks

Cyber-attacks on state-owned digital assets such as the Ukrainian Defense Ministry and Military websites increased in February, as they were hit with DDoS (Distributed Denial of Service) attacks, along with two large Ukrainian banks – PrivatBank and Oschadbank. In this case, the websites were flooded with traffic to the point that they crashed, making the websites unusable.

FoxBlade

Microsoft has issued a Security Intelligence advisory about FoxBlade, a novel trojan. This trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.

Malware

HermeticWiper / FoxBlade (aka KillDisk)

At the end of February, there was the discovery of the new wiper malware that had been unleashed – dubbed HermeticWiper by some and FoxBlade by others. As well the as DDoS attacks mentioned above, it was designed to wipe the hard drives/system storage of the systems infected, corrupting all the data in the drive – making the data unrecoverable – then initiating a system shutdown. It has been found on Ukranian computers, as well as on machines in Latvia and Lithuania.

Furthermore, a “worm component” dubbed HermeticWizard, has been discovered that could be used to spread the HermeticWiper in local networks.

FoxBlade (HermeticWiper) also downloads and installs other programs – including other malware – onto infected systems, Microsoft has advised.

IsaacWiper

Cybersecurity experts identified a second wiper cyber-attack, named IsaacWiper, targeted at Ukrainian governmental networks according to a report on Tuesday 1st March. The second wiper attack was detected on 24th February and is described to be a lot less sophisticated than HermeticWiper.

Cyclops Blink malware

The UK’s NCSC (National Cyber Security Centre) and the US CISA (Cybersecurity and Infrastructure Security Agency) have released details about a new malware targeting network devices, which they attributed to Sandworm – a threat actor previously attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST).

Cyclops Blink is a new piece of malware that targets network devices – supposedly being used by the Sandworm threat actor – a replacement for the VPNFilter malware 2018. The malware collects device information, sending it to a command-and-control server. It can download and execute files, as well as getting additional modules at a later date.

Cloned websites

Researchers have identified a web service hosting cloned copies of websites. A number of Ukrainian government websites were cloned, along with the main webpage of the Office of the President. These sites were filled with malware links, that once clicked, would download on to the user’s computer.

 

What does this cyber-war era mean for nations other than Russia and Ukraine?

 

Whenever one nation launches a cyber-attack against another, it doesn’t just increase cyber risk for the nations involved. It also impacts global cyber risks. The Cyber Attack Predictive Index (CAPI) tool, created by Johns Hopkins Information Security Institute, has hit its highest possible threat likelihood level, at a score of 25 (out of 25) under the current situation.

While the aforementioned attacks aren’t particularly sophisticated, and can be mitigated with the right cyber protection measures, these types of attacks have previously been used as a diversion tactic in order to lay groundwork for more damaging, sophisticated attacks.

Exposure or risk

As the EU, UK and the US impose sanctions on Russia and Belarus there is greater chance of being at risk of targeted cyber-attacks, as retaliations make take place from the Russian and respective forces. Companies across Britain have been warned to prepare for a heightened security risks as the UK placed sanctions on three of Russia’s wealthy allies.

UK organisations have been urged by GCHQ’s National Cyber Security Centre (NCSC) ‘bolster their online defences’ and warned that there has been an ‘historical pattern of cyber-attacks on Ukraine with international consequences’.

According to Laurance Dine, global partner, X-Force Incident Response, IBM, businesses need to start operating under the assumption of compromise, and put in place the proper controls and measures necessary to defend their environment and critical data.

The UK government may well be taking their own measures to defend the cyber security of the nation, as secretary of state for defence, Ben Wallace, told parliament in reference to the National Cyber Force: “I am a soldier, and I was always taught that the best part of defence is offence… What is good for the goose is good for the gander, and that if necessary we could use cyber warfare to give as good as we get back to Russia.”

High alert for the energy sector

This week (28th February 2022) the UK Business Secretary, Kwasi Kwarteng, is holding talks with the chair of National Grid amid anticipation of a surge in state-sponsored cyber-attacks from Russia. A wise move considering that, in a recent report published by IBM Security, the UK’s energy sector was the target of 24% of all cybersecurity incidents in the country last year. It is also thought that Russia was most likely responsible for the SolarWinds and Colonial Pipeline attacks of 2020 and 2021.

We recommend:

  • It may seem obvious but evaluate the controls you have in place against cyber-attacks, particularly ransomware.
  • Pay close attention to the news cycle in relation to this situation.
  • Pay attention to the types of attacks that are coming through via security feeds.
  • Keep everything patched.
  • Watch out for any suspicious traffic that may be coming from outside of the country.

At QuoStar we are committed to helping you and your business remain secure. Our experienced industry professionals are here to give you measured and realistic advice.

Evaluate your protection against currents risks, book a complimentary initial cyber security review session with our Head of Security David Clarke.

 

Cybersecurity recommendations for the Finance and Banking sector in 2022

Finance and banking image

Cybersecurity attacks strike at the heart of an institution’s reputation.

If data is compromised, trust can be shattered. Like all service providers, financial firms depend on their painstakingly-built reputations to stay in business. Consumers must be confident that their financial information – and money – is safe. Guarding against cybersecurity threats is crucial.

These risks increased in 2021, with ransomware attacks rising by 288% last year. Given the global ransomware industry now generates annual revenues of over $1.5 trillion, this growth is unlikely to slow.

A new critical vulnerability was also recently exposed in Log4j, an open-source logging library that is used by a range of apps and services. This offers criminals with minimal knowledge the chance to infiltrate IT systems in order to steal passwords and data, and compromise networks with malicious software.

Cybersecurity is now being taken seriously at the highest level. In May 2021, President Biden’s Business Office released new advice about ransomware and how firms should guard themselves. This guidance offers financial firms eight main lessons to take into 2022:

1. Back up your data

Many firms back up their data only at weekly intervals, or longer. Should a cyberattack occur, they could therefore lose up to seven days’ worth of data. Further, the longer the interval between backups, the longer it takes to restore lost data in the event of an attack. The effect on productivity could be devastating. Firms must equip themselves with technology to backup and restore data quickly and reliably, potentially by working with specialist partners. It’s also important to note that traditional backup systems are often a primary target in a ransomware attack, so firms need to ensure they have specific solution in place to protect backups from being encrypted.

2. Implement an efficient patching system

It is not sufficient to patch IT systems on a weekly or monthly basis. Firms should be constantly monitoring their systems and resolving vulnerabilities. But as patching can cause outages, firms should invest to mitigate its impact on productivity. Technology is available that increases the speed of patching, reducing the time systems spend down. Bursting frees up resources for critical IT applications, allowing high-priority work to continue during outages. Hot standby systems also ensure that essential systems continue to function.

3. Vet your suppliers

Even if a firm’s systems are sound, there may be a way-in because of vulnerabilities in suppliers’ networks. Undertaking due diligence is therefore crucial. One way of vetting a supplier is to request their Software Bills of Material (SBOM), which lists all open-source components in their software for IT professionals to review. SBOMs also allow firms to see which software versions their suppliers are using. Firms should ensure that versions align throughout the supply chain, and that all suppliers operate within high-standard risk management frameworks. Ideally, all partners should be ISO27001 or SOC2-accredited bodies. Firms should not be shy in asking suppliers for certification or auditing their cybersecurity processes.

4. Maintain best practice

Firms should ensure best practice is in place, and that procedures are evaluated continuously. It is best to have evidence of these practices – such as by obtaining an ISO27001 certification, which recognises a high standard and continual management of information security. Systems must be regularly reviewed for any potential vulnerabilities and asset registers should be maintained, to ensure no risk is missed. Asset registers also mean a firm can prioritise by criticality – offering the most protection to its most important assets. Organisations should deploy well-established Governance, Risk and Compliance (GRC) practices. These embed risk management into everyday activity, making it easier to manage – and ensuring decisions are consistent and effective.

5. Obtain specialist detection systems

A Security Information and Event Management (SIEM) solution is now essential to continually monitor system logs within an organisation. This allows activity to be monitored comprehensively by professionals, who are also notified of anomalies, and can respond to block and remediate issues. This may require specialist security technologies and skills or working with external partners.

6. Segregate your networks

Both the UK and US governments state that network segments should be protected individually. Segmentation helps prevent attacks reaching other parts of the network, containing malicious activities to one part of the system and thus limiting damage. Micro-segmentation is even more effective, by establishing isolated zones within networks, protecting specific workloads individually. This stops lateral movement of malware through an entire system. Segregation is easy to install and manage, offering demonstrable benefits within a short period.

7. Consider hardware tokens

Hardware tokens are a physical device that are plugged into USB ports. They generate a random number, which expire after one use and are valid for a limited period. This number is needed to log into the computer along with a username and password. It is a form of two-factor authentication that is effective at preventing account takeovers and ransomware attacks.

8. Undertake resilience exercises

Financial firms should undertake resilience exercises to analyse their capacity to withstand cybersecurity attacks. By working through all the components of their technology infrastructure, organisations can analyse their resilience to cyber threats and review how strong the links within networks and systems are. Having identified the weaker links, firms can then ensure that appropriate mitigations are in place, or that the risks are understood. This helps business to respond to a cyberattack, while minimising the risk of any attacks being successful.

A growing threat which is often undertested is Denial of Service, where a bad actor swamps an organisation’s network connections, putting them offline. A financial firm needs to fully understand how they will respond, long before an attack ever happens.

The cybersecurity risks for financial firms are clearly increasing, but they are not unmanageable. By implementing this guidance, organisations can achieve more comprehensive and effective security operations, with systems resilient enough to withstand both emerging and existing threats. In turn, this will reduce the risk of reputation-damaging data breaches and regulatory scrutiny – whilst keeping clients assured they are in safe hands.

If you’d like further support please contact us, or you can sign up for our Cyber Maturity Assessment here.

A 5 step guide of actions necessary in the face of Security or Privacy breaches

5 Step guide to security breach

 

Security and privacy breaches are on the rise globally, with potentially serious implications for businesses that are not able to handle them promptly and efficiently.

 

This can feel like a vast and confusing maze to navigate, especially for small and medium businesses, if underprepared.

However, with just a few simple steps, businesses can ensure they are taking the most appropriate response to a breach and giving themselves the best chance of mitigating the impact of an attack. You can see the top five suggestions below from our Head of Security and CISO as a Service Consultant, David Clarke.

David Clarke QuoStar CISO

A 5 step guide

What to do the face of Security or Privacy breaches

  1. Once a breach is discovered, getting all the key stakeholders together to establish some ground rules about how to deal with the breach is key. This should be done whilst maintaining a ‘no blame’ approach to operations. Additionally, the incident should be given a code name for use in emails and discussions to maintain clarity.

 

  1. It’s then necessary to capture every piece of known, suspected or inferred information about the breach to get an overview of the situation. The targeted business should only work with verifiable facts, even if there are very few, and all decisions must be directly logged. Crucially, it’s vital to ensure that no suspicion or guesswork is released outside of the key stakeholders. Once ready to release information outside of the company, ensure that it is only via a named spokesperson.

 

  1. In the case of a personal data breach, the business should, in the first instance, work on the data subject risk analysis. For example, will this breach cause detriment to the data subject? It will then be necessary to verify and check all possible evidence and challenges. After the breach, only 20% or less of the data will remain available. This is why the business should start to size, scope and quantify the breach on an ongoing basis.

 

  1. Senior management should be briefed only with facts and factual based risk assessments. However, the business should also be prepared to notify the relevant authorities and/or Data Subjects in a controlled manner.

 

  1. Regulatory bodies will judge a business based on how breaches are managed, not the breach itself. Ensure to register the issue with authorities if required, for example if the risks are very high. Initial focus must be firmly on gaining a level of control, confidence, and containment over the breach.

 

Ultimately, businesses should reach out for professional assistance if needed. Work on containing the breach to make eradication easier.

 

If you’d like more support or out any further information on measures you can take to protect your business, get in touch.

Contact us today for a free security GAP analysis assessment. 

The ransomware risks to law firms and how to protect against them

Ransomware risks to law firms

Ransomware risks are the largest threat that faces law firms today.

Ransomware attacks have increased by 288% in 2021. And, Reuters doesn’t expect this to slow down any time soon – comically suggesting that “Like ‘Terminator’, high-tech cybercrime is expected to keep coming.”

Any business can become a target to cyber criminals, but law firms are one of the top targets globally. Even a listed UK Law firm was hit by cyber-security a incident this year. It’s obvious that law firms are lucrative and have access to money, so they are often able to pay a ransom where other types of businesses might not.

However, cash flow is not the only reason firms become a target. Law firms have many interaction points and are in effect a service business – service businesses live and die by their reputation. That’s why they are a prime target.

 

Ransomware risks to law firms: why are they a great target for Ransomware attacks?

They have some great data, and that fits with the Ransomware business model. Ransomware is a revenue generator for cybercriminals. Ransomware encrypts your practice’s electronic data, and takes a copy of the data, which can then be:

  • Sold to other cybercriminals
  • Held to ransom over public release of sensitive information
  • Assumes control of your social media and broadcasts your data and failings
  • Sell the exploit details to another cybercriminal
  • Use the same exploit again and ask for another ransom

 

Are law firms financially protected from cyber-attacks?

Typically, a paid ransom will be reimbursed by Insurance, but of course only if the right controls are in place from a cyber-security / risk perspective in the first instance.

Many firms think they are protected financially by simply having insurance in place to reimburse a ransom payment. However, if there isn’t the right security in place, then insurance won’t pay out.

 

Money isn’t the only loss a firm faces when hit

Greater threats are posed, here are some other ransomware risks to law firms.

Some ransom groups will demand a ransom, but that will only be after they’ve posted all of the firm’s sensitive data, and client data onto the dark web.

The firm may be able to get operational again, but the real damage goes beyond that, as their client’s data is in effect spread globally for anyone to access. It’s easy to see that the ransom payment is just a fraction of the real cost a firm could face.

A breach means letting clients know their data is ‘in the wild’, that other parties can access it and can, in effect, use that information to do much greater damage. That’s big, it will seriously hurt the firm and all those they work with.

Regulators want to try to compound that damage. A firm is now looking at huge fines from the regulators, such as the ICO and the SRA. It’s a horrible place to be, hence the focus from those in the global ransomware business, which is now bigger than the drugs trade (the global cybercrime economy generates over $1.5 trillion).

This year 4 New Square Chambers took an unusual approach this year after they were attacked mid-June. For damage limitation purposes they took out a court order demanding the criminals not to share the stolen data. The mystery hackers were ordered to hand over any information they may have obtained by 27 September 2021 or face possible contempt of court proceedings – but only time will tell how well this has worked.

 

Risk and IT security are not separate entities

Too many in the legal industry view the ransomware risks to law firms and IT security as separate entities. They simply put being secure from a cyber perspective and all those risks down to the IT team. That’s just not going to wash with regulators, clients and very likely the media. Risk is a board responsibility/accountability, not IT’s.

Of course, the IT team plays it part. However, like every important functional operation in a firm, you need governance. The whole firm needs to be aware of its role in controlling risk, especially as most IT breaches come from an employee doing something they shouldn’t. The biggest threat to a firm’s security is more often that not going to come from something simple such as someone unsuspectingly clicking a link or giving information out over a phone.

 

IT can only so go far

New and emerging threats are often targeted at the end-user sat at their laptop or on their phone. Sure, technology has its risks, such as unpatched software or a lost laptop, but people are always the weakest link. Although employees pose one of the largest risks with one of the biggest impacts, the threats are of course much wider.

The other big risk is vulnerabilities within IT systems that face the Internet, both those run internally and through third parties, such as a website host, an IT supplier, or some form of partner organisation that links into a firm’s systems. Every link into a firm is risk. they need to be evaluated and tested. A firm should certainly penetration test their own systems, but they should also look at those they interface with, to ensure they also deal with their part of the wider risk piece.

 

So, how can the ransomware risks to law firms be avoided?

There are most certainly the basics that should be dealt with, especially where ransomware is concerned, such as:

Have you got an air gap in your backups?

Ransomware attackers want to encrypt your data. That may take you down for a few days. However, if your backups are also on the same network as your data they will be looking to ensure they are also encrypted. That leaves a firm dead in the water with no chance of recovery.

Do you have a rigid patch management policy?

Many businesses patch once a week, many once a month. That’s not enough. The IT team needs to be continually aware of brand new threats and needs to deal with them quickly, or they need to rely on a specialist IT security partner to deal with it.

Do you use a VPN to protect endpoints on public networks?

Too many firms allow their staff to connect at home or in other locations, such as hotels, over unprotected networks. That’s a risk that needs to be controlled via a VPN.

Do you consistently train and test your users how to spot suspicious email or call?

Again, staff are the weakest link and need to be able to spot suspicious behaviours online.

Do you control USB ports to ensure non-approved storage devices can’t be installed?

You can’t allow staff to plug anything into a work machine or a machine that accesses work machines without controls in place. For example, a Rubber Ducky Attack cyberattack, where a custom USB device emulates a USB keyboard to attack a workstation.

Do you have an email security protection system in place?

You do need an advanced email security protection system in place that checks both links in email and the attachments. You can’t generally rely on email provider systems, not even Microsoft’s.

Do you have next generation antivirus in place?

Traditional antivirus systems aren’t enough to protect against ransomware. Once they’ve detected it with a scan it’s too late. You need NGAV (Next Generation AntiVirus) which can spot ransomware before it does its damage.

Do you have 2-factor authentication in place?

This is probably one of the biggest protections against ransomware available. A third party can steal a password, but they cannot get access to systems without a known device.

Do you have a SIEM and a 24x7x365 SOC?

A SIEM is a Security Information and Event Management system. A SOC is a Security Operations Centre. If you’ve done the other points, then you need a system that looks for suspicious behaviour (a SIEM looks for it) and a team that can take that alert and respond (a SOC). These systems can be expensive, so you need to really make a judged call on how far you should go.

So how do you decide how far you take your IT security?

Well, first you really need to understand the all the risks you face. You need to understand what the likelihood of those risks being exploited, and you need to understand the likelihood of it happening. How do you do that?

You need a system, you need a framework. Too many firms think they have Cyber Essentials so they are secure. That’s not the case. Cyber Essentials is the very basic and doesn’t make you secure, especially not from the ransomware risks to law firms.

Have a plan for resiliency.

The only way a firm, particularly the leadership, can get a grip on IT security is to work to a governance level – to implement an Information Security Management System (ISMS). If you have an ISMS you are doing the right thing from a leadership perspective. You can know your risks, you know the controls of those risks and you can make a call on what you need and want to do – based on real knowledge.

An ISMS, such as ISO 27001 will give you complete knowledge of your risks and how you deal with them. It will also let you manage all of your suppliers and third parties, ensuring they don’t pose a risk you are unaware of.

At Quostar we have a process called “Chain of Resiliency” which highlights the weakest links in your critical systems whether cloud or traditional server-based. This is so you can estimate the cost of lack of resiliency per system appropriate to your law firm, and do a cost-benefit realisation.

 

In short, a strong Executive action plan will:

  • Copy what the big tech companies do.
  • Enforce Backup and restore process (The important bit is the restore)
  • Implement an Information Security Management System (ISMS)
  • Use risk as a management tool not as a list
  • Implement Governance over risks with key stakeholders
  • Follow best practice

 

If you’d like any advice from our CISO on your firms cyber security set up get in touch today.