Cyber crime: Preparing for attack
Are the SRA's principles and security practices both sides of the same argument, asks Peter Cohen
As with any business, many legal firms handle sensitive data that criminals, hacktivists, and even nation-states may covet. In March, the Wall Street Journal warned that a number of major US law firms had had their computer systems compromised by hackers attempting to gather data for insider trading deals. Mossack Fonseca found itself caught up in an exposé '“ dubbed the 'Panama Papers', when 11.5 million documents were stolen and leaked online. Of course, it's not just international firms in the hackers' cross hairs as small partnerships have also suffered with scammers spoofing conveyancing clients with phishing messages to commit wire transfer fraud.
When it comes to the 'how', organisations are generally breached with a combination of reconnaissance, widely available commodity malware, and well-known exfiltration techniques. However, more sophisticated threat actors might deploy advanced techniques to facilitate their objectives either more 'quietly', or in a way that carries more impact.
Firms are increasingly asked by key clients and prospects (particularly in finance) to implement specific security controls to achieve assurance or compliance. Of course, it's not just client pressure as the Solicitors Regulation Authority handbook also specifies the extent to which attack detection needs implementing. Arguably it could be expressed a little more clearly, but can the SRA guidelines actually help?
Stick to your principles
Firms are required to act within the 'principles' of the SRA, which lead to required 'outcomes'. If not adhered to it can affect the regulatory status of a law firm. When it comes to the sphere of security and attack detection the following principles are particularly relevant:
Principle 5: Provide a proper standard of service to your clients;
Principle 6: Behave in a way that maintains the trust the public places in you and in the provision of legal services;
Principle 8: Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles; and
Principle 10: Protect client money and assets.
Of the regulatory outcomes, these two are the most relevant:
Outcome (4.1): You keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents; and
Outcome (4.5): You have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.
The guide also references 'indicative behaviours' and acting in the following way will show that you have achieved the outcomes and therefore complied with the principles above:
Indicative behaviour (4.1): Your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances.
Present the evidence
We said before that the guidelines could be explained a little more clearly so, deciphering the elements above into a cyber security process, it simply means: understand your critical assets; understand the attacker's motive; determine what is the likely threat you face; ascertain the attacker's capability; indentify your attack paths; and, finally, put in place appropriate attack detection and response measures.
Covering relevant attack paths is only half the equation. At some point an attacker may be successful in moving around the network, gaining access to sensitive data, and exfiltrating that data. In this event, the ability to detect and respond to the malicious activity is paramount.
To combat cyber threats requires 24/7 attack detection and response, which is capable of revealing the initial compromise early enough in the breach process and before any kind of control channel is opened to the attacker. Harking back to the motivations of attackers, it's also imperative for legal firms to choose effective detection controls with an understanding of the motivation and capability of the probable threat actors.
Discussing attack detection and wider cyber-security controls, in the context of SRA guidelines, enables a common language between the security function and the business owners. The final element is to design these controls that also fit within the wider business culture, compatibility and internal resourcing requirements in the most cost-effective way possible.
Firms must adhere to the SRA principles, and they must keep their systems secure. Ultimately, the SRA guidelines are a suitable starting point for determining appropriate attack detection controls.
Peter Cohen is the strategic manager of Countercept