For the lawyers here -- law firm cybersecurity

1,011 Views | 12 Replies | Last: 6 yr ago by eric76
eric76
Here's an interesting article on cybersecurity for law firms: http://abovethelaw.com/2017/09/what-you-need-to-know-about-law-firm-cybersecurity/.

From the article:
Quote:

As entities, law firm systems contain highly-sensitive financial data, corporate strategies, trade secrets, business transaction information and plenty of both PII and PHI. Unfortunately, many firms lack a complete, effective, privacy and security program. According to an ALM Legal Intelligence study, 22% of law firms did not have an organized plan in place to prepare for or respond to a data breach. Only 50% of law firms included in the study have cyber security teams in place to handle and implement the types of complex programs and initiatives necessary to deal with a data breach.

And, unsurprisingly, hackers have noticed these vulnerabilities. In February of 2016, a Russian cybercriminal, under the name of "Oleras," targeted law firms; in March, the Wall Street Journal reported that the nation's biggest firms have been hacked (including names like Cravath and Weil Gotshal); in April, the "Panama Papers" were leaked, revealing confidential attorney-client information detailing tax evasion techniques; in May, a Chicago-based law firm was sued by a client for cybersecurity flaws that "systematically expos[ed] confidential client information"; in December, the DOJ charged three Chinese nationals for insider trading based on information hackers obtained from law firms.
91AggieLawyer
Eric: since you know networking well, walk me through how a hacker could access a firm's network through their ISP DHCP address. Assume the firm would have either a custom or off the shelf router/firewall and all computers and a file server are behind that. Assume no attached email files opened by staff.
mickeyrig06sq3
91AggieLawyer said:

Eric: since you know networking well, walk me through how a hacker could access a firm's network through their ISP DHCP address. Assume the firm would have either a custom or off the shelf router/firewall and all computers and a file server are behind that. Assume no attached email files opened by staff.

They wouldn't try to brute in to the network, but they would exploit your users to gain a foothold in a machine. That first step is all it takes. It could be an email attachment, a link in an email, a dropped usb drive in the parking lot, someone talking their way in to your offices. The weakest part of network security is the human element.
eric76
91AggieLawyer said:

Eric: since you know networking well, walk me through how a hacker could access a firm's network through their ISP DHCP address. Assume the firm would have either a custom or off the shelf router/firewall and all computers and a file server are behind that. Assume no attached email files opened by staff.
Is the DHCP address routable or is it a private address that is itself behind a NAT? One way to tell which is which is to log into the router/firewall and see what address it has. Then go to a website that shows the IP address and see if it matches the one on the router/firewall.

Another way to check is to look at the address. If it is in one of the 10/24 (10.0.0.0 to 10.255.255.255), 192.168/16 (192.168.0.0 to 192.168.255.255), or 172.16/12 (172.16.0.0 to 172.31.255.255) blocks, then you have a nonroutable address and are behind a NAT, but you would not normally expect one of these to be used because they could conflict with private networks of the provider's customers. There is a lesser known block, 100.64/10 (100.64.0.0 to 100.127.255.255), reserved for ISPs that they should be using. So if you see one in that range, then you are behind a NAT.

You can see the same on your cell phone. It appears that IBM uses the 10/24 block for cell phones. My cell phone is a Tracfone that uses Verizon and it has always had a routable address when I checked it.

The NAT helps because the NAT device wouldn't normally pass the incoming traffic to your router/firewall. It would allow outbound connections, not inbound. Even then, depending on their security, anyone else behind the NAT would be able to attack your router/firewall. It helps, but don't depend on it.

We are a small ISP in the Texas Panhandle. Most of our customers are behind a NAT in the 100.64/10 block, but anyone who needs a routable address has one. A customer with a routable address on their wireless router for their office was hit with a worm a couple of months ago. Once on the local network, it spread through other customers' routers and radio gear. I was very fortunate that I happened to notice the odd traffic from the worm about two hours after it started and was able to get most of the worm cleaned out before the next morning.

If the firmware on all that had been up to the current revision levels, there wouldn't have been a problem. I routinely upgraded the firmware on those that had routable addresses that I had access to, but I didn't have access to theirs. Our own equipment with that firmware and that firmware version was protected from any and all accesses from outside the network, but those that were vulnerable still got hit.

Some firewalls will be more susceptible than others, but the main thing to remember is that they can still be broken into. Anyway, rule 1 should be to always keep the firmware up to date for everything you have. Nearly every time someone is attacked, it is with methods that are well known and for which patches exist. There are zero day exploits, but they don't normally stay zero day exploits for long.

Another way that your network could be breached, even with a fully patched firewall with no vulnerabilities at all, is with a VPN. If someone works from home and logs in through a VPN, then any viruses or other malware on their computer could spread into your network.

There was a recent article about one noted large company in the East that suffered from such a vulnerability. The company probably spends well over a million dollars annually on security. In spite of following the best practices suggested by the NSA, their system got hacked through an employee's use of the VPN. The attack completely went around all of their regular defenses. Fortunately for them, they caught it really quickly and were able to isolate the issue.

Another problem is with wireless access on your office network. Anyone who knows, or can guess, the password has full access to your office network. My approach to this is to set up a separate wireless network that is outside of our office firewall. People can connect to it without getting into our internal network at all. So if someone walks in and asks if they can use the internet, it's all right with me since they can't get into our internal network at all. It's not even password protected.

One thing we're doing here is putting a firewall or a wireless router in each office. The only things not behind these individual firewalls/routers are the main office firewall and the printer. Where we have a router, it has the capability of reducing the output power levels to a very small fraction of the usual power. At that level, you can connect to the router from inside the office, but not from very far away. The wireless is for me to use when trying to fix a problem -- I'm the only one who should ever connect to it.

For example, one night I parked in front of the window of our accounting clerk's office and tried to connect to the wireless router. Even from that short distance, I was unable to connect with either my smart phone or my laptop.

Also, the firewalls in each office are of a different manufacturer than the main office firewall. The idea is that if they were able to break into the main firewall, they would then have to use an entirely different attack to get to any individual office firewall. So if anyone gets malware on their computer, it is going to be very difficult for it to get out to other computers. Knowing how everything is set up and all the passwords, it would take me a while to be able to set up a connection from a computer in one office in the building to any other computer in the building.

So we have three layers of firewalls. The first is an external firewall that controls access to the customers and to our office firewall. In general, there are three levels of incoming access: all, usa, or local. Where the access level is set to "local", the only permitted incoming connections are from within our local network. Where the access level is set to "usa", the only permitted incoming connections are from netblocks used in the US. Only for the very few with the access level set to "all" can someone from outside the country connect to any of our computers or devices. This is mainly for things like DNS, web pages, and email delivery, which are not internal to the office.

The second level is a Cisco RV325 router. And then the internal routers inside each office which are usually Ubiquiti.

Note that if the second level was a Ubiquiti router and someone could get into it, then they would be more likely to be able to go from it to the internal routers in each office. Using a different manufacturer at each level is intentional for security issues.

Out of all that, the most important thing, I think, is to make sure that the firmware is always up to date.
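The "is my router's WAN address routable or behind the ISP's NAT" check described above, as an added example that is not part of the post. It encodes the three RFC 1918 blocks and the 100.64.0.0/10 carrier-grade NAT block from the post, and adds the second test the post describes (compare the router's own WAN address with what an outside site reports). The sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Address space that is never routed on the public internet. The first three
# are RFC 1918 private blocks; 100.64.0.0/10 is RFC 6598 shared address space,
# the block ISPs use for carrier-grade NAT. Python's ipaddress does not treat
# 100.64/10 as private, so it is matched explicitly here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address a router reports on its ISP-facing interface."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "not-routable"
    if ip.version == 4:
        if any(ip in net for net in RFC1918):
            return "rfc1918"      # private space: the ISP is NATing you
        if ip in CGNAT:
            return "cgnat"        # the block the post says ISPs should be using
    elif ip.is_private:
        return "ula"              # IPv6 unique local addresses, fc00::/7
    return "public"


def behind_nat(router_wan_addr: str, observed_public_addr: str) -> bool:
    """Both tests from the post: if the router's WAN address is in a
    non-routable block, or it differs from the address an outside
    'what is my IP' site sees, there is a NAT between you and the internet."""
    if classify_wan_address(router_wan_addr) != "public":
        return True
    return ipaddress.ip_address(router_wan_addr) != ipaddress.ip_address(observed_public_addr)


if __name__ == "__main__":
    # Constructed sample addresses (documentation and shared-address ranges).
    for wan, seen in [("100.72.3.9", "203.0.113.5"), ("203.0.113.5", "203.0.113.5")]:
        print(wan, classify_wan_address(wan), "behind NAT:", behind_nat(wan, seen))
```

Note that a "public" result only means the address is not in a reserved block; whether inbound traffic actually reaches the router still depends on what the ISP passes through, which is why the post says not to depend on the NAT.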
eric76
mickeyrig06sq3 said:

91AggieLawyer said:

Eric: since you know networking well, walk me through how a hacker could access a firm's network through their ISP DHCP address. Assume the firm would have either a custom or off the shelf router/firewall and all computers and a file server are behind that. Assume no attached email files opened by staff.

They wouldn't try to brute in to the network, but they would exploit your users to gain a foothold in a machine. That first step is all it takes. It could be an email attachment, a link in an email, a dropped usb drive in the parking lot, someone talking their way in to your offices. The weakest part of network security is the human element.
They might try to brute-force their way in.

I have several servers on the internet with ssh so that I can connect to them from outside. For example, last week I took my oldest brother and his wife to the doctor in Amarillo and connected to my computers at the office and worked while waiting for them.

Last April, I started setting up the computer I'm using now. Even though I gave it an IP address that had not been used in a year or two, it took less than an hour before someone connected with ssh and tried to guess the password. Within a week, it was up to several thousand attempts a day. My passwords tend to be quite secure and so I wasn't too worried.

About that time I checked the log files on another computer and saw that about 1.3 million attempts were made to guess passwords on ssh on it in the previous two months. Out of those 1.3 million attempts, a bit more than half were from one /24 block in China. I checked several other computers and they saw the same thing.

I already knew from running tcpdump that there are pretty much constant scans going on from all over the world looking for different services on our network.

I found a place where I can download the IP address blocks in use by country, both IPv4 and IPv6. So on the new computer with a few thousand attempts to connect to ssh, when I restricted access to US only, the number dropped to about six or seven attempts from three IP addresses for the day. After that, I expanded that to our entire network, and it covers all incoming connections, not just ssh.

Now every IP address is in one of three classes. If marked "all", then there is no filtering of incoming traffic by source address. This is for those customers who may need access from anywhere in the world as well as for our own DNS, web, and mail servers.

The second class is "usa" and filters out all incoming traffic that is not from an ip address block in the US. The third class is "local" and filters out all but local traffic.

Note that the filtering is on establishing a connection. It lets you make any connection going out -- the filtering is only on connections created from outside the network.

As a result, we now see maybe 1% to 2% of the incoming malicious traffic that we saw before. While anything that could come in from outside the country is surely coming in from inside the country (just in much smaller amounts), it is somehow satisfying to be blocking so much of the malicious traffic.
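The two things this post describes, counting ssh password-guessing attempts per source /24 from the logs and then deciding which inbound connections the "all" / "usa" / "local" classes would let through, as an added example that is not part of the post. The log lines are a constructed sample in sshd's syslog format, and the US and local netblocks are constructed stand-ins for the ipdeny zone file and for the ISP's own network (real zone files have one CIDR per line, which `load_zone_file` parses). The assumption that "usa" also admits the local network is mine, since private and CGNAT space never appears in a per-country list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd auth log lines; not real data from the post.
SAMPLE_AUTH_LOG = """\
Sep 20 01:02:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.17 port 50122 ssh2
Sep 20 01:02:04 host sshd[1202]: Failed password for root from 198.51.100.17 port 50123 ssh2
Sep 20 01:02:09 host sshd[1203]: Failed password for root from 198.51.100.44 port 41022 ssh2
Sep 20 01:02:11 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.91 port 41030 ssh2
Sep 20 01:03:40 host sshd[1210]: Failed password for invalid user test from 203.0.113.8 port 60001 ssh2
Sep 20 01:04:02 host sshd[1211]: Accepted publickey for eric from 192.0.2.25 port 52000 ssh2: ED25519 SHA256:abc
Sep 20 01:05:55 host sshd[1212]: Failed password for root from 192.0.2.200 port 52100 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def count_by_slash24(events):
    """Aggregate failures per /24, the view that showed the post's author that
    more than half of 1.3 million attempts came from one block."""
    counts = Counter()
    for _user, ip in events:
        counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return counts


def load_zone_file(text):
    """Parse an ipdeny-style zone file: one CIDR per line, blanks/comments ignored."""
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# Constructed stand-ins (assumption): 192.0.2.0/24 plays the role of a US block
# from the zone file; 10.20.0.0/16 and 192.0.2.0/26 play the ISP's own network.
US_BLOCKS = load_zone_file("# us-aggregated.zone (sample)\n192.0.2.0/24\n")
LOCAL_BLOCKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/26")]


def inbound_allowed(src_ip, policy, us_blocks=US_BLOCKS, local_blocks=LOCAL_BLOCKS):
    """Accept or reject a NEW inbound connection from src_ip for a destination
    in the given class. As in the post, only connection setup from outside is
    filtered; outbound and already-established traffic is not touched."""
    ip = ipaddress.ip_address(src_ip)
    is_local = any(ip in n for n in local_blocks)
    if policy == "all":
        return True
    if policy == "usa":
        return is_local or any(ip in n for n in us_blocks)
    if policy == "local":
        return is_local
    raise ValueError(f"unknown policy class {policy!r}")


def attempts_after_filter(log_text, policy):
    """How many of the logged failed attempts would still have reached sshd."""
    return sum(1 for _u, ip in failed_logins(log_text) if inbound_allowed(ip, policy))


if __name__ == "__main__":
    print(count_by_slash24(failed_logins(SAMPLE_AUTH_LOG)).most_common(3))
    for cls in ("all", "usa", "local"):
        print(cls, attempts_after_filter(SAMPLE_AUTH_LOG, cls))
```

The `usa` class cuts the sample from six attempts to one, which is the effect the post reports at scale; the one that survives is the point the post makes about attacks from inside the country still arriving, just in smaller numbers.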
eric76
Regarding security issues with home routers, from http://www.zdnet.com/article/flaws-in-att-routers-put-customers-at-risk/:
Quote:

Five flaws were found in common consumer Arris routers used by AT&T customers and other internet providers around the world. The flaws were detailed in a blog post by Joseph Hutchins, who described some of them as being as a result of "pure carelessness."

The report said Arris NVG589 and NVG599 modems with the latest 9.2.2 firmware are affected, but it's not clear who's responsible for the bugs.

Hutchins said that some of the flaws may have been introduced after the routers were delivered to the internet provider, which often adds customized code for remote interactions, such as customer support and diagnostics.

...

Among the vulnerabilities are hardcoded credentials, which can allow "root" remote access to an affected device, giving an attacker full control over the router. An attacker can connect to an affected router and log-in with a publicly-disclosed username and password, granting access to the modem's menu-driven shell. An attacker can view and change the Wi-Fi router name and password, and alter the network's setup, such as rerouting internet traffic to a malicious server.

The shell also allows the attacker to control a module that's dedicated to injecting advertisements into unencrypted web traffic, a common tactic used by internet providers and other web companies. Hutchins said that there was "no clear evidence" to suggest the module was running but noted that it was still vulnerable, allowing an attacker to inject their own money-making ad campaigns or malware.
eric76
One thing I meant to mention, but forgot, about security on your router/firewall is to make sure that you have the management access to the router from the internet disabled.
eric76
From http://www.zdnet.com/article/cia-has-been-hacking-into-wi-fi-routers-for-years-leaked-documents-show/:
Quote:

Routers remain a prime target for intelligence agencies and hackers alike because they act as a central port of call for an entire network. What makes routers such an attractive target is that they are more often than not riddled with security flaws that make exploitation easy.

According to one 2010-dated document, the CIA had by mid-2012 developed implants "for roughly 25 different devices from 10 different manufacturers," including Asus, Belkin, D-Link, Linksys, and Netgear.

"In general, once a make, model, and hardware version of a device is supported, it is straightforward to implant any later firmware versions, or international firmware versions, so long as the device has not changed its underlying hardware or operating system," said the document.

From https://www.wired.com/story/wikileaks-cia-router-hack/:
Quote:

Routers make an appealing entry point for hackers, the CIA included, in part because most of them offer no easily accessible interface or performance giveaways when they've been compromised. "There's no sign to tell you whether your router is hacked or not, you're just on the internet as normal," says Matthew Hickey, a security researcher and founder of the firm Hacker House, who's analyzed the documents. "The only thing is that everything you're doing on the internet is going through the CIA."

...

Given the general insecurity of the average home router, it shouldn't come as a surprise that one of the world's most well-resourced spy agencies has exploited them for surveillance. But the details of those hacking tools should, if nothing else, serve as a reminder to patch your own home router, as frustrating a process as that may be.
BDR14
To say they might try and brute force is an understatement.

Script kiddies and botnets are constantly running port scans and throwing brute force attempts at any open port that doesn't kill the connection. If you don't have policies set at the firewall level to block these attempts after a certain number of attempts then they will just keep hammering away at you.

And that's just the natural environment, not a targeted attack.

Given a reason, any decently knowledgeable actor could gain access to your network; it's merely a matter of time and creativity. With options ranging from powerful click-less Bluetooth exploits that take <10 seconds to execute, to more traditional tools such as Metasploit, it's very hard to consider one's firm entirely covered from attack.

The key is to understand why you might be targeted and increase your security measures accordingly. Even the most locked down network can be compromised by employees who feel stifled by all the measures you are imposing on them.

IT security, much like life, is about finding the right balance.
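The "block these attempts after a certain number of attempts" policy from the post above, as an added example that is not part of the post: a sliding-window lockout of the kind a fail2ban rule or a firewall's login-failure threshold implements, replayed over a constructed stream of login attempts. The thresholds (5 failures in 10 minutes, 1 hour ban) and the addresses are assumptions.

```python
from collections import defaultdict, deque


class BruteForceLimiter:
    """Ban a source after max_failures failed attempts within `window` seconds;
    the ban lasts ban_seconds, after which the source is admitted again.
    Thresholds are assumptions, not values from the post."""

    def __init__(self, max_failures=5, window=600, ban_seconds=3600):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time (epoch seconds) the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # ban expired; start with a clean slate
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed attempt at time `now`. Returns True if the source
        is banned after this attempt (newly or still)."""
        if self.is_banned(ip, now):
            return True
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that source."""
        self.failures.pop(ip, None)


def replay(events, limiter):
    """events: iterable of (timestamp, ip, succeeded). Processes them in time
    order and returns, per ip, how many attempts actually reached the service
    (attempts made while banned are dropped at the firewall)."""
    reached = defaultdict(int)
    for ts, ip, ok in sorted(events):
        if limiter.is_banned(ip, ts):
            continue
        reached[ip] += 1
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, ts)
    return dict(reached)


# Constructed sample: one source hammering every 10 s for 10 minutes, then once
# more after the ban would have expired; one legitimate user who mistypes once.
SAMPLE_EVENTS = (
    [(t, "198.51.100.17", False) for t in range(0, 600, 10)]
    + [(3700, "198.51.100.17", False)]
    + [(5, "192.0.2.25", False), (15, "192.0.2.25", True)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, BruteForceLimiter()))
```

Of the attacker's 61 attempts only 6 reach the service: the five that trip the threshold and the one after the ban lapses. The legitimate user is never affected because a single failure followed by a success never approaches the threshold. The window matters as much as the count: five failures spread over more than ten minutes do not trigger a ban, which is what keeps a slow-and-low scan from locking out real users sharing a NAT address.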
eric76
I think that unless you are a major target, nobody is likely to be doing everything they can to break in, and that might even include a physical break-in.

For most, the real problem is to avoid giving everything away. That includes the use of strong passwords and don't reuse them, choose your gear wisely and keep its firmware up to date (especially your firewalls/routers), don't connect untrusted equipment to your computers and networks (I've heard of people removing CD drives, floppy drives (if they still have one), gluing the ethernet cables to the outlets and to the network cards, and removing or gluing over the USB ports), limit internet access to those who actually need it, avoid wireless for any internal use, and maintain good physical security.

And then there are other things like developing a proper backup strategy and using it.
Tailgate88
Can you share the download link for the IP address blocks by country?

Also if I flash my Netgear router with DD-WRT and the CIA has developed an exploit for Netgear am I good? Not clear whether a different firmware would override it.

Great thread Eric, thanks for your time and effort!
jagouar1
You would be better off using a service like OpenDNS or Cisco Umbrella. Let them manage those block lists because they are constantly changing.

The suggestions in the original article are a pretty good baseline but I would add one more. If you don't already have internal IT staff look at bringing in expertise like a managed services provider to help you get there. Like everything else you get what you put into it.
eric76
Tailgate88 said:

Can you share the download link for the IP address blocks by country?

Also if I flash my Netgear router with DD-WRT and the CIA has developed an exploit for Netgear am I good? Not clear whether a different firmware would override it.

Great thread Eric, thanks for your time and effort!

This is the link for IPv4: http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone
And for IPv6: http://www.ipdeny.com/ipv6/ipaddresses/blocks/us.zone.

It wouldn't surprise me if there were exploits for pretty much every router available. It surprises me how many problems have been identified in routers that seem to be reasonably highly respected such as SonicWall.

In some cases, the manufacturers have intentionally created security holes in routers. For example, I was reading up on Fortinet last night because of a separate issue and saw a number of articles about them having a back door for their engineers to access the routers and that the back door has been discovered and abused by others. And there are allegations that the firmware updates by some manufacturers merely hide existing back doors instead of fixing them.