In “Threat Modeling for Lawyers,” I wrote about a structured way of thinking about what you need to protect, who you need to protect it from, and how likely those threats are.
This post gets down to practical recommendations to establish a baseline level of security. Most of these recommendations are easy to implement, and will go a long way toward keeping you—and your clients’ secrets—safe.
This first thing you need to understand is that passwords are terrible. Not just “weak” passwords, but all passwords. The idea of the password is fundamentally flawed. Why? Because the human brain is just not wired to remember “good” complicated passwords. Web comic XKCD said it best:
You might think “Tr0ub4dor&3” is an awesome password (it has capital letters! and numbers! and punctuation!), but I have bad news: it’s still nowhere near random enough to prevent a hacker from cracking it without breaking a sweat. It’s also hard to remember.
If your passwords are all hard to remember, you’ll probably get password fatigue, and decide you can only remember one or two “good” passwords and re-use them everywhere. Do not reuse passwords. Once a password is cracked on one site, you can be sure hackers will try it on others.
The best thing to do is use a password manager. A password manager is a program that helps you generate good passwords, and stores them securely so you don’t even have to remember them. (You do have to remember one strong password to use the password manager itself.) LastPass, 1Password, Dashlane, and KeePassX are popular password managers.
When DNC chair John Podesta’s email was hacked, it’s because he (and DNC IT staff) fell for a phishing attack. Phishing is the art of sending carefully crafted emails that lead a victim to a website that looks real, but is actually malicious.
Well-done phishing sites can look exactly like a real Google or bank login page, and have tricked many high profile people into typing their passwords into these fake sites. Multi-factor authentication guards against password attacks like this.
In the abstract, to authenticate yourself to a system, you have to provide one or more “authentication factors”. These can be something you know (a password), something you have (a key), or something you are (biometrics like your thumbprint). If the system requires only a password, then that’s single factor authentication. Multi-factor authentication is much stronger: even if a hacker gets your password, they still can’t get in without your key or your thumb.
So, even if you fall for a phishing site and accidentally give up your password, it’s useless because the attacker doesn’t have your second factor. If Podesta had been using multi-factor authentication…well, you can supply your own counterfactuals.
When you have multi-factor authentication enabled, you’ll begin the login process normally, by entering a username and password. Once the password is accepted, you’ll then be prompted for a special code, which you’ll get from an app on your phone. This code is the second factor, because it relies on something you have (your phone). Google Authenticator is the most popular multi-factor authentication app, but there are others like Authy and Microsoft Authenticator that do the same thing. They’re all available on both iOS and Android.
Instead of an app, some sites will send you a code via text message. This has pros and cons, but because text messages are also vulnerable to hacking, whenever you have a choice, you should prefer app-based codes over text-based codes.
Many popular websites and services offer multi-factor authentication. Email providers Google, Microsoft, and Yahoo all offer it. That includes Office 365, which many law firms use. Go enable it now if you use any of those for your email. Dropbox and Box also have it, and so do Facebook and Twitter. Some lawyer-specific services like Clio also have it. Wherever it’s available, always turn it on.
Now that your online accounts are locked down with strong, unique passwords and multi-factor authentication, it’s time to talk about your own computers. One of the most important things you can do is keep your software up-to-date.
- Mac: Open the App Store app, and check for updates. Your computer will do this for you automatically on a regular basis.
- Windows: Windows checks for updates automatically. These updates usually arrive on a Tuesday. Do not use Windows XP, or older versions of Windows. Microsoft no longer releases security updates for these older operating systems.
- iOS: Your iPhone or other iOS device will also check for updates automatically. If you hear about an update and haven’t been prompted to install it yet, you can force the update by going to Settings, then General, and then Software Update.
- Android: Keeping an Android device patched is harder, because device manufacturers like Samsung often don’t release patches for older phones. You can, at least, keep your apps updated.
If your law firm runs any of its own servers, it’s critical that these stay patched, too. Hopefully, that’s not your job, because it’s hard. But you can make sure it is somebody’s job.
Beyond patching, there are other behaviors you can implement to avoid getting malware, including ransomware. First, use some common sense. Stay out of the dark corners of the internet. For example, torrent sites tend to be riddled with malware. Other sketchy sites get paid by running ads from ad networks that don’t adequately vet their inventory, and those ads can contain malware. Yes, web ads with viruses are a thing, and it’s called malvertising. If you’re patched, this is less of a problem, but it’s a reason to consider using an ad blocker. Finally, don’t do anything silly like disabling your operating system’s firewall or your virus scanner.
ACLU technologist Christopher Soghoian puts it bluntly:
The poorly secured private email accounts and cell phones of the D.C. political class are America's cybersecurity soft underbelly.
— Christopher Soghoian (@csoghoian) December 19, 2016
It’s not just politicians, either. Just this week, federal prosecutors charged three overseas hackers with exfiltrating data on M&A deals from at least two prestigious New York law firms’ email servers. According to the US Attorney’s press release, both victim firms were initially breached through “unlawfully obtained credentials” of firm employees—very likely, phishing.
Don’t have a soft underbelly, and don’t read about yourself in a US Attorney’s press release. Use a password manager and multi-factor authentication, stay patched, and avoid malware. For a detailed explanation of how to implement these solutions, download the Lawyerist “4-Step Computer Security Upgrade.” After following this advice, you’ll be a harder target.
Read the next post in this series: "Secure Messaging for Lawyers."