With offices moving to the cloud, more lawyers are using their own hardware to stay productive while away from the office. Merging personal and professional data on the same device opens both sides to cyber attacks.
Most workplaces are fully online: Printers and landlines are networked, paper files are being digitized and indexed for searching, and business services are accessible from a wide range of browsers and dedicated apps.
A recent model iPhone or Galaxy S phone has roughly the same computing power as a desktop computer did 5-10 years ago. Many modern phones are able to run the same apps, receive email and access company resources with only a few minutes of setup. The traditional office, which does not rely on intense local computations, can fluidly work between desktops and phones without skipping a beat.
Almost half of all U.S. jobs can at least partly be performed remotely, and 80 to 90 percent of the working population has some desire to do their jobs remotely. Of 200 U.S.-based workers surveyed by TheEMPLOYEEapp’s second annual study, 40 percent of the respondents work in a non-traditional setting and 55 percent indicated they travel. To remain connected, 49 percent use smartphones and 28 percent use tablets in their work.
Additionally, 70 percent of those surveyed are using their own personal devices. The survey revealed many did so without their employer instigating a proper mobile policy. It is the working population that is using the device they purchased for personal use and are plugging it into their company’s cloud and intranet.
This is a nightmare scenario for information security. Without a proper device policy, which includes technical oversight as well as security training, your phone is exponentially more dangerous to both the office and home. Moreover, the sensitive and protected nature of the data contained in a law firm can fetch a large bounty for would-be hackers.
Something as simple as viewing a webpage on your phone requires hardware and software from dozens of technology vendors. With so many moving parts and varying levels of security, hackers have their pick of where they want to start. They can target you, your workplace or even the routers that move every 1 and 0 across the internet. Here are a few ways prying eyes find what is not meant to be found.
PINs and passwords
Passwords are both the greatest deterrent against intruders and also the reason many hackers are successful. An IT analyst collected troves of publicly available leaked passwords, sampled the data and extrapolated 10,000 most commonly used passwords. The takeaway from the results is that people are terrible at coming up with passwords. The most effective solution to the password problem is to increase the entropy (or measurable strength) of a password so that it is no longer cost effective to try to guess.
It is no help that many sites will enforce seemingly arbitrary rules which result in complex or instantly forgotten passwords, which are then changed to weak ones. PIN codes are being treated in the same way with a significant portion of the population using straight lines or even just repeating the same four numbers.
Password cracking is more effective than ever. With each leak, patterns are fed back into the software to improve its effectiveness. One specialized cracking cluster was able to generate 350 billion guess per second, and this was back in 2012. More people are using passwords that are easier for machines to guess but harder for humans to remember.
Another possible weak point for passwords is sharing them by sending them over email, or even writing them down. It is a dangerous way to approach security: A login with more than one co-worker will often have an easy to remember but very insecure password.
Several password managers like LastPass and 1Password will do the work of creating, storing and changing your passwords to ones that are mathematically challenging. They are built for office environments with strict policies over who can use what password but remain flexible enough to fit most situations. You are still responsible for securing the master password but that could prove easier than trying to manage every site from memory (or worse, pen and paper).
Software or hardware vulnerabilities
Another angle of attack is to go after vulnerabilities in your handset or the software you use. Closed source software and open source software are both targets of such exploits. Adobe’s Flash platform is notorious for being targeted and exploited on a regular basis. It has gained such a bad reputation that Adobe has changed the name of their publishing software to Animate, which can still be used to render animation to safer formats such as MP4 or HTML5. Flash should be disabled from running or uninstalled completely from your system as exploits have been known to circulate for days before Adobe is made aware of the issue and can attempt to push a fix.
Even with companies investing more than ever into IT infrastructure, bringing your own device usually means bringing your own security policy. Not everyone wants to update their software the moment they receive that update notification, and many do not.
Outdated software is probably the most dangerous and easiest thing to infiltrate, because its weaknesses are known. If an update for a WordPress plugin promises to fix an exploit in a certain part of the code, then sure enough, armies of bots will crawl the web looking for older versions and attempting to use published vulnerabilities.
Before these vulnerabilities are patched, or even known to the vendor, they are called “zero day” exploits. Zero days have great appeal and value to hackers since they allow hackers to infiltrate and cause devastation without being detected for some time. Criminals are not the only ones accessing systems and hardware without detection; as recent leaks have shown, government intelligence agencies have employed the same methods for years.
Earlier this year, Apple made headlines by rejecting a court order compelling it to assist the FBI in decrypting the phone of a deceased terrorist. The refusal from Apple was not a knee jerk reaction, but a stern warning that any backdoors in encryption would ultimately end up in the wrong hands, nullifying everyone else’s protections.
Surely enough, these fears were confirmed when a huge cache of spying and hacking tools were leaked online and ultimately confirmed to belong to the NSA. Instead of attempting to snoop on individual machines, programs with names like BANANAGLEE and SECONDDATE targeted various weaknesses in industry standard routers, allowing them access to intercept traffic to their own servers.
Support exploitation and human manipulation
Even though your firm may not be the target of government sponsored spying or a large scale botnet attack, there is always a chance that a curious individual just wants to see how far he or she can go. Rather than trying to break your digital or physical security head on, they would look for someone on the inside who could let them right in.
One of the most notable cases of identity theft happened to Mat Honan, a technology writer for Wired. It occurred almost entirely over the phone, with the culprit calling Apple claiming to have trouble logging in and then being provided a temporary password. This happened in 2014, but it has not prevented similar incidents occurring with banks, cloud providers and cell phone companies.
One popular Youtuber Ethan Klein nearly had his channel of 2 million subscribers deleted, when someone posed as a T-Mobile employee helping Ethan get a new SIM card. They were successful and gained access to his entire contacts list. More valuable was their primary goal of being able to intercept his two-factor authentication texts. Ethan was familiar with this type of attack and quickly acted, when his phone lost all service, recovering his SIM before further damage could happen.
These social engineers have familiarized themselves with corporate structures and policies and know exactly how to extract the information they need. It all starts with a simple email, carefully researched and formatted to look like someone in your contacts. In the case of Snapchat, an email was spoofed from CEO Evan Spiegel requesting payroll information for existing and ex-employees.
Safer Handling of Handhelds
Any devices integrated to the office intranet should be updated to the latest versions. Both Android and iOS have suffered from SMS exploits which give complete control over the device. The latest versions address this bug, and many more, yet Android’s inability to update on older devices still makes it a prime target.
Biggerlawfirm.com received almost 10,000 login attempts in the month of July alone. Having strong passwords, or a password manager that handles this, is the way to make sure password guessing bots never get it right. Your phone’s unlock PIN should never be a recognizable pattern such as a line, four corners or repeating numbers. Enabling the destruction of your data with too many wrong guesses should be mandatory.
Perhaps the best mobile policy is having an office culture that embraces security. We all know not to give out personal information to telemarketers whom we know nothing about, but how suspicious would you be if the partner attorney asks for information they would not normally ask for?
There will never be such a thing as perfect security. Even after establishing a personal device policy, make sure it is easily accessed and understood by all employees, and constantly put it under review. A policy that fits your firm best and changes with your history and future needs ensures your reliance on technology is a healthy one.