Free Public WiFi, what more could we want?

Depending on your location, free public WiFi can be an absolute godsend.  Those who work in law often spend a lot of time on the road, in the air or stuck at airports.  On a personal level, mobile data is cheaper and more accessible than it has ever been, but if you're away from home in a foreign country the last thing most of us want to do is tether to our mobile devices and run up ridiculous roaming charges.  Some of us use free public WiFi closer to home; maybe a laptop in a well-known coffee shop is your office for the morning.  Beware: free public WiFi comes with many unknowns, and you need to understand the risks you are taking by using this type of service.  Few people do, but this blog post might go some way to helping you out.

In its most basic form, free WiFi gives you a connection to a router, which in turn is connected to the internet.  When you do this at home you are on your own network, with (hopefully!) your own unique password.  The problem in public is that you do not know who else is connected to that router; you are essentially sharing the network with them.  You wouldn't let a criminal into your house, but you might well be sharing a connection with one every time you use free public WiFi.

The most common danger in this scenario is the man-in-the-middle (MitM) attack, where an attacker positions themselves on the network between you and the router (for example by answering ARP requests with their own hardware address so that your laptop sends the "gateway" traffic to them, or by running a rogue access point with the same name as the venue's), so that your traffic passes through their machine before being forwarded on.  Anything sent unencrypted, including logins to plain HTTP sites, is theirs to read or alter; HTTPS limits what they can see, but they can still present a fake login page or a fake captive portal and hope you type your credentials into it.  You might never find out that it happened.  With those details the attacker can then impersonate you wherever the credentials work, and generally make your life a misery.
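
Take the ARP variant of this as a concrete check you can run from the victim's side.  The script below is an added example and not part of the original post: it parses `arp -a` style output (a constructed sample is embedded, and the only format assumption is the `(ip) at mac` layout that macOS and Linux both print) and flags the classic symptom of ARP poisoning, the gateway's IP sharing a hardware address with another host on the network, as well as the gateway's MAC differing from the one you recorded the last time you used that network.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `arp -a` output (macOS layout; Linux prints the same
# "(ip) at mac" pair with different decoration).  Not a real capture.
# 192.168.0.23 claims the gateway's MAC, which is what an ARP spoofer on that
# host looks like from the victim's table.  macOS also prints octets without a
# leading zero ("bb:1"), which the parser has to normalise before comparing.
SAMPLE_ARP = """\
? (192.168.0.1) at 3c:52:82:aa:bb:1 on en0 ifscope [ethernet]
? (192.168.0.23) at 3c:52:82:aa:bb:01 on en0 ifscope [ethernet]
? (192.168.0.45) at f0:18:98:12:34:56 on en0 ifscope [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (192.168.0.77) at (incomplete) on en0 ifscope [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def normalise_mac(mac):
    """Zero-pad each octet so 3c:52:82:aa:bb:1 and 3c:52:82:aa:bb:01 compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; incomplete and broadcast entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # "(incomplete)" entries and any non-ARP noise
        mac = normalise_mac(m.group("mac"))
        if mac == BROADCAST:
            continue
        table[m.group("ip")] = mac
    return table


def mac_collisions(table):
    """Map each MAC claimed by more than one IP to the list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table, gateway_ip, known_mac=None):
    """Return a list of findings; an empty list means nothing suspicious was seen.

    known_mac is the gateway MAC you noted on a previous, trusted visit (optional).
    """
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    if known_mac and gw_mac != normalise_mac(known_mac):
        findings.append(f"gateway MAC changed from {normalise_mac(known_mac)} to {gw_mac}")
    others = [ip for ip in mac_collisions(table).get(gw_mac, []) if ip != gateway_ip]
    if others:
        findings.append(f"gateway MAC {gw_mac} is also claimed by {', '.join(others)}")
    return findings


def live_arp_table():
    """Parse the real `arp -a` of this machine (not used by the sample run below)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_arp(out)


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    findings = check_gateway(table, "192.168.0.1", known_mac="3c:52:82:aa:bb:01")
    for line in findings or ["ARP table looks clean"]:
        print(line)
```

To use it for real, replace the sample with `live_arp_table()` and pass your default gateway's address (from `netstat -rn` or `ip route`).  A clean table proves nothing on its own: a rogue access point does not need ARP tricks at all, which is why the VPN advice below still applies.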

There is also the opportunity for an attacker to place malware on your computer, especially if you have network file sharing turned on, because on a shared network every other client can reach your shared folders.  Consult your device provider's instructions to turn it off while away from home, or turn it off altogether if you don't need it.

There are many things you can do to protect yourself, not only on free public WiFi but wherever you are.  I have listed some of these below; I would encourage you to research these defences beyond this blog post, it could save your identity:

  • Use a VPN connection.  Personal VPNs can be purchased from reputable companies.  A VPN tunnels all of your traffic past the local network, so anyone sitting between you and the router sees only encrypted packets to the VPN provider.  It is worth checking local laws to ensure that you are not breaking any.
  • Turn WiFi off when you don't need it.  A device that isn't connected can't be attacked over WiFi, and it stops your device quietly rejoining any network whose name it remembers; you'll save some battery life in the process.
  • Use antivirus software and keep it up to date.  This is a basic one which we should all be aware of, whichever device you have.

Stay safe everyone.

USB sticks - gift or attack?

There's nothing nicer than attending an event and being given a nice big free USB stick, some of us may think: copy the contents onto your PC, format the drive and you've got yourself a freebie for music, videos or whatever data you're interested in.  It might even have a key ring, if you're lucky.


Unfortunately, a USB stick is not always what it seems.  In a social experiment run by the University of Illinois, almost half of the USB sticks dropped in public places were eventually plugged into a computer.  The intention of this blog post is to plant some suspicion in everyone about endpoints and plugging in a USB device.  A USB port is an entry point into your computer and into your firm, just like the door you walk through every morning into the office, although it's much easier to carry a USB stick in undetected than a person.

What could be on the USB?  Anything at all is the answer; there are no limits.  The files on it might be disguised as legitimate content but actually be malware with criminal intent.  Older Windows versions would run a program named in the drive's autorun.inf as soon as it was inserted; current versions no longer do that for removable drives, but a device that presents itself to the computer as a keyboard doesn't need autorun, it simply types the commands itself.  Dropping a USB stick on the floor is a well-hidden tactic: you'll do well to find the person who dropped it before it was picked up.  They're making you do all the hard work.

One issue is how to tell what's on the device without plugging it in.  Antivirus software which can scan the contents without opening them directly on your PC is a good start; better still, ask your IT team.  They may insert the device into an isolated, non-networked computer and scan it there, so that anything on it cannot spread across the network.
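
As an added example of the kind of first look an IT team might take on that isolated machine (this is not code from the original post, and the file list it scans is constructed in a temporary directory rather than read from a real stick), the script below walks a mounted volume and reports the cheap indicators a human reviewer would also look for: an autorun.inf, anything Windows would execute on a double-click, and the "document.pdf.exe" double-extension trick.  The extension lists are my assumption of what is worth flagging, not an authoritative set.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Types Windows will execute, or that carry a command, when double-clicked (assumed list).
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".msi"}
# Types a user expects to be harmless; an executable hiding behind one is a red flag.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".jpg", ".jpeg", ".png", ".txt", ".mp3", ".mp4", ".zip"}


def inspect_file(path):
    """Return the reasons this file name looks suspicious (empty list if none)."""
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]  # "a.pdf.exe" -> [".pdf", ".exe"]
    reasons = []
    if path.name.lower() == "autorun.inf":
        reasons.append("autorun.inf present")
    if suffixes and suffixes[-1] in EXECUTABLE_EXT:
        reasons.append(f"executable type {suffixes[-1]}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT:
            reasons.append(f"double extension: pretends to be a {suffixes[-2]} file")
    return reasons


def scan_volume(root):
    """Walk a mounted volume and return sorted (relative path, reasons) pairs."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = inspect_file(path)
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_constructed_volume():
    """Create a throwaway directory standing in for a mounted stick (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    files = {
        "autorun.inf": "[autorun]\nopen=setup.exe\n",
        "setup.exe": "MZ",                       # placeholder bytes, not a real binary
        "Conference Agenda.pdf.exe": "MZ",       # the classic double-extension lure
        "Minutes.docx": "",
        "photos/team.jpg": "",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def remove_constructed_volume(root):
    """Delete the throwaway directory created by build_constructed_volume."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_constructed_volume()
    try:
        for rel, reasons in scan_volume(root):
            print(f"{rel}: {'; '.join(reasons)}")
    finally:
        remove_constructed_volume(root)
```

Point `scan_volume()` at the mount point of a real stick to use it.  Name-based checks are deliberately only a triage step: they say nothing about a legitimately named file with malicious content, which is what the antivirus scan on the isolated box is for, and nothing at all about a device that behaves as a keyboard rather than as storage.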


It's the job of IT professionals to raise awareness of scenarios such as this.  Our biggest information security weakness is our colleagues' understanding of what is technically possible, and we need to be proactive in sharing the potential pitfalls wherever we can.

Observations in the personal space

Last week I attended a facilitation skills workshop with a group which contained mainly lawyers.  The two-day programme was great.  The main take-outs for me were how to structure a facilitation session, considering the audience and encouraging audience participation when appropriate - all obvious things you may think, but I'm sure we've all been guilty of hiding behind a PowerPoint slideshow, particularly when facilitating or presenting remotely.  Anyway....

As part of the main session we all chose a subject to present on at the start and end of the course, showing progression in our learning.  I chose "Cyber Security in the personal space" for my session.  I touched on subjects such as how delicate a mechanical hard drive can be, new topics such as ransomware, and the use of Dropbox by consumers.  I was surprised twofold by the reactions of my legal audience.  Firstly, it became apparent how little the audience of four were aware of what can cause data loss, the scale and number of hacking techniques in use today, and what happens to the pictures they've taken of their credit card which have automatically uploaded to Dropbox.  Secondly, with the audience not having been aware of what can happen to their data, I was taken aback by the interest they showed after the session I ran; this pleased me.

It is very obvious to me that cyber security awareness is not at a level where companies can feel confident that their employees are doing everything in their power to protect the company through best practice.  If the man in the street is not following his own best practice to keep personal data safe, why would this be any different in the workplace?  I'm certain there is a perception that IT/Risk need to worry about cyber security; of course this is true, but it goes beyond the specialists and into the business, where the damage can be done.

My experience in the session proves that interest can be generated when you relate the circumstances to things that affect personal lives; the threat of losing the digital family photo album helps, as does the warning of an intruder in your bank account.  Strategic communication planning with IT, Risk and HR teams is essential, and information sharing is key as new issues arise.  This is only going to become more prominent over time, so be careful out there.

Policy vs Enforcement

It's a bit of a personal gripe of mine when people hide behind policies.  I'm not talking specifically about the IT or law professions, but about everyday life.  It's never enough to create a policy and share it.  Writing a policy is now more of a "tick the box" exercise; yes, it needs to be done to set the correct guidelines, but this is only the starting point.  The main body of work in policy setting is enforcing the policy and ensuring that it is being followed, by putting the right measures and controls in place.  Obviously I am angling towards IT security policies here, which should be adhered to by all company staff, rather than computer or network security policies, which are usually (or should be!) fixed.  Penetration testing, to a certain extent, can also be seen as a "tick the box" exercise in some respects, although it is vitally important in others.  Both creating IT policies for end users and penetration testing can show the firm's board members that the correct thought process is being followed in order to mitigate security issues, but the enforcement is sometimes lost when nothing beyond the policy itself is considered or actioned.

In its simplest form, here is an example of an IT policy process which I believe to be correct...

  1. A meeting between IT and the business determines that no users should use Dropbox to upload company documents.
  2. A policy is written regarding Dropbox usage, in conjunction with both IT and the business.
  3. The policy is shared with the business.
  4. The policy becomes part of a new starter induction programme, so no one is missed going forward.
  5. Controls, measures and alarms are put in place which trigger when traffic to Dropbox's domains is seen (for example HTTPS connections to dropbox.com and dropboxusercontent.com in the web proxy logs).
  6. Those triggers are followed up, and the individuals concerned are spoken to proactively.
  7. Every X period the alarms and measures are reviewed, and the policy is reviewed or shared again.
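
Step 5 is the one that separates a policy from a tick-box, so here is an added example of what the alarm can look like in practice (my code, not the firm's, and not from the original post).  It reads proxy log lines in a simple space-separated layout I have assumed for the example (timestamp, client IP, user, method, target, status, bytes; the sample lines are constructed), works out the destination host from either a CONNECT target or a full URL, and summarises per user every request that went to a Dropbox domain.  The domain match is on whole labels, so look-alike names are not counted.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Dropbox's own hostnames end in one of these.  Matching on whole labels means
# "notdropbox.com" and "dropbox.com.example.net" are not counted as hits.
WATCHED_DOMAINS = ("dropbox.com", "dropboxusercontent.com", "dropboxapi.com")

# Constructed proxy log lines (assumed layout, not a real product's format):
# timestamp client-ip user method target status bytes
SAMPLE_LOG = """\
2014-03-03T09:14:02Z 10.1.2.33 jsmith CONNECT www.dropbox.com:443 200 18342
2014-03-03T09:14:05Z 10.1.2.33 jsmith CONNECT d.dropbox.com:443 200 204800
2014-03-03T09:15:11Z 10.1.2.41 akhan GET http://www.legislation.gov.uk/ukpga/1998/29 200 55201
2014-03-03T09:16:40Z 10.1.2.41 akhan GET http://dl.dropboxusercontent.com/s/abc/brief.pdf 200 91234
2014-03-03T09:17:02Z 10.1.2.50 pwhite CONNECT notdropbox.com:443 200 1200
2014-03-03T09:18:30Z 10.1.2.50 pwhite CONNECT dropbox.com.example.net:443 200 300
this line is not a log record
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def host_of(method, target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def is_watched(host):
    """True when host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def dropbox_usage(text):
    """Summarise per user: request count, bytes, and the Dropbox hosts contacted."""
    per_user = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    for rec in parse_log(text):
        host = host_of(rec["method"], rec["target"])
        if not is_watched(host):
            continue
        summary = per_user[rec["user"]]
        summary["requests"] += 1
        summary["bytes"] += rec["bytes"]
        summary["hosts"].add(host)
    return dict(per_user)


if __name__ == "__main__":
    for user, s in sorted(dropbox_usage(SAMPLE_LOG).items()):
        print(f"ALERT {user}: {s['requests']} request(s), {s['bytes']} bytes, "
              f"hosts={sorted(s['hosts'])}")
```

Because the hostname appears in the CONNECT request (and in DNS), this works without decrypting anyone's HTTPS traffic.  It only sees what goes through the proxy, though: a laptop tethered to a phone, or the Dropbox client on a personal device, never shows up here, which is why step 6 (talking to people) matters as much as the alarm.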

The above is just one example of a system which might be being misused, possibly unknowingly.  An article on ZDNet reported that in the early part of 2014, 90% of data breaches were preventable, with 29% caused either accidentally or maliciously by employees.  A lot of money is spent on perimeter defence (firewalls/network security) and client security (antivirus/admin access), but an easy and relatively cheap way of staying safe perhaps doesn't get the importance it deserves in today's landscape.

Clear desk policy

Those "clean your desk" emails that appear from time to time within the office can fall on deaf ears for some of our colleagues.  Maybe a VIP is due in town, or maybe an audit is pending.  The clear desk policy (CDP) goes far beyond scrubbing the coffee marks from the tabletop or removing the untidy post-it notes plastered all over the monitor (Google ISO 27001 audits).

The main intention, if you are unaware, is to keep the data you hold locked away in your desk, cupboard or another locked area.  In my opinion, your work domain should be treated the same as your house.  It's quite an odd thing to say "treat everyone as a potential criminal", but that's not too far from how it should be.  Why take the risk when you don't need to?  I'll speak about the insider issues which relate to cyber security in a further entry.

Obviously within this text I am referring to data held on devices such as USB sticks, CD-ROMs or even your computer itself, which should in reality be locked to the desk, certainly if it is a laptop (see Kensington locks - http://www.kensington.com/en/gb/4482/locks).  The policy, however, goes beyond devices and includes all firm-related material: documents and notes as well as USB sticks are each an information security risk.

Referring to my point about not taking risks, and considering treating everyone as a potential criminal, think about who else is in your environment: the kitchen porter, the office cleaner, building security.  Again, why take the risk?

A point I would like to mention, which is vitally important, is that you might never know that anything has gone from your desk.  That USB stick you left overnight is still there......... but can you be sure that it hasn't been copied or duplicated?  Obviously it couldn't have been, because it was password protected, right?!  (A stick whose "password" is only a prompt in a helper program, rather than proper encryption of the contents, can be imaged and read without ever entering it.)

CDP is there to protect you as an individual, your firm and your clients' data.  Next time you receive the email, don't take it so lightly.

Whose problem is Cyber Security?

An obscure, yet reasonable question.  The mere phrase "Cyber Security" suggests that any IT security-related incident may eventually be laid at the door of the IT department.  Then again, the somewhat relaxed attitude of what I would call a "data carrier" (someone with a USB stick of firm or client data in their pocket, for example) would suggest that this person may be to blame in certain scenarios.

What I am trying to get at is that the answer to the question is everyone.  All parties can have an impact on most incidents.  I have listed below what I perceive the main aspects of Cyber Security to be;

  • Application security
  • Information security
  • Network security
  • Disaster recovery / business continuity planning
  • End-user education
  • Social Engineering

In no particular order, this pretty much sums up what we're looking at.  The efforts of Cyber Security need to involve the IT department as well as the business, in order to understand the situations and trends from both sides and defend against attacks, or indeed mistakes.

Taking application security as an example: yes, the IT department can stop unknown applications (downloaded or malicious .exe files etc.) from running on your work laptop, but what about the website that a Partner of the firm uses to upload some firm documentation?  This is where the control of application security is lost and end-user education comes in, along with a question of trust about where the data is going, and where it is duplicated and backed up.  Is the Partner aware of the potential issues?  How often should they be reminded?  How strict should the firm's document upload policy or controls be?

Looking at network security: the firm's controls only apply when you are actually on the firm's network.  Until you connect to the VPN or a cloud desktop session, you're on your own on whichever network you happen to be using (potentially dangerous public WiFi connections, which I'll look into in a later blog).

The key to all elements of cyber security for business users is awareness.  IT teams need both awareness and understanding, but there does need to be transparency between both sides in order to keep ahead of the bad guys.

Hell for the Helpdesk...

Every organisation with some form of IT infrastructure also makes use of an IT Helpdesk/Service Desk, whether internal or outsourced.  When we think of cyber security, the immediate thoughts run along the lines of hackers infiltrating our network and cracking codes to obtain our information.  The world news has been full of this recently.  Much of the time, though, that access is gained with a legitimate login account rather than by breaking in.  This is where social engineering can play a huge part.

If, like me, you have ever forgotten a password for a website account, maybe even an email account, there are many ways to retrieve it.  There is usually a request to provide additional information to verify who you are before a means of accessing the account is sent to you, usually via another email address these days.  But how does this work in a law firm?

To give an example: a Partner might call the IT Service Desk saying "I have forgotten my password, can you reset it for me please?"  The onus is then on the Helpdesk analyst to verify that the Partner is who they say they are.  It is vital that this line of questioning is right, because it is very easy to come up with questions that only seem difficult.  Some examples below;

When did you start with the firm?  LinkedIn would probably hold this information.

Can you email me from your BlackBerry to verify yourself, or can I call you back on your mobile?  Maybe the "Partner" provides a different number, saying his corporate phone is dead.

Answers to these questions should not be trusted as verification; with preparation anyone could give excuses or answers to them.  The checks worth trusting are the ones the caller cannot choose: a callback to the number already held in the firm's directory rather than one supplied on the call, or confirmation through a second channel such as the Partner's secretary or line manager.  Adding to this, if the caller appears irate on the phone, the pressure increases on the Helpdesk analyst to act quickly, which is exactly what the caller wants.

The firm's policies should be clear from day one for any new starter, whether Partner or Helpdesk analyst.  IT security should not be taken lightly, no matter what your status or urgency; something to bear in mind when calling your IT Helpdesk.

Dropbox in the law firm

I would like to write my first post on something that I see as a weekly occurrence: the use of Dropbox to share company documentation, whether client or firm related - who knows.  Dropbox's cloud storage is a powerful platform, and it is difficult to ignore it or the dangers it may bring.  Commenting negatively on Dropbox alone is actually quite naive; there are a multitude of other options out there, most of which are probably less secure than Dropbox.

The issue I have with these cloud storage platforms is the concept.  The analogy I like to use is that of putting your personal belongings into someone else's house, someone you do not know, in a location you do not know.  These belongings may be placed in a safe without being looked at, but they may also be left on the front doorstep for anyone passing to pick up.  The key point is that you do not really know where the data is, or whether it has been copied, backed up, moved or shared.  IT departments cannot control the data you share on Dropbox; it's out of the domain entirely.

In my view, the reason Dropbox and the like are used is simply ease of use.  I know that if I need to get a large 200 MB file to someone quickly, I can upload it to Dropbox and send a link to whoever I want; easy.

Within your firm's IT department I am sure there are file transfer solutions that you are able to use, but maybe these take time to process.  IT needs to put the power into your hands, enabling you to carry out the same transfer as easily as a Dropbox share, but in a secure, internally managed manner.  I have seen point-to-point transfer solutions in the past, but none seem to fit the bill.

For the business, an internally managed but externally facing cloud solution would work.  These can be implemented fairly easily; you see similar solutions on home networks with easy-to-use NAS drives.  The business drive needs to be there to initiate such projects, however, and with firms now dealing with big data this is surely going to be a requirement in the near future.  One of the biggest benefits would be eradicating the need for USB drives/sticks, as the data won't actually be local on any device that an end user can touch, or lose for that matter.

A great article by D-Tech Consulting covers some of the points I made in greater detail - http://www.dtechconsulting.com/7-risks-dropbox-corporate-data/