Articles

We are still unconvinced that we will ever know the full extent of the damage from what is perhaps classified as the worst data breach ever. The compromise of the SolarWinds Orion platform has impacted approximately 18,000 public and private sector customers according to Cyber Unified Coordination Group (UCG). The UCG also said that the Russian-backed Advanced Persistent Threat (APT) group is most likely responsible for the SolarWinds hack. As the investigation continues, we are learning more and more details about the attack and those impacted.

What we do know is that the attackers spent many, many patient months learning about the SolarWinds environment and determining the best and most effective way to insert backdoor access into the Orion product. The supply chain attack was extremely sophisticated and a real wake-up call for cybersecurity professionals.

It is now painfully obvious that the traditional castle and moat designs for security don’t work in these modern computing days. We can’t just create perimeter security by walling off our resources and controlling access through a firewall. We are very much a mobile workforce and many of the services we utilize in our law practices are cloud based. We need a new approach to secure access to the confidential data law firms possess.

The National Institute of Standards and Technology (NIST) released the final version of its Zero Trust Architecture (ZTA) publication (NIST Special Publication 800-207) in August 2020, which will help organizations deploy a security model for the future. The National Security Agency (NSA) and Microsoft are also advocating for Zero Trust Architecture to help combat sophisticated cyber-attacks such as SolarWinds.

The obvious question is…what is zero trust? The concept of zero trust networks has been around for at least a decade, but cybersecurity events such as SolarWinds and attacks on Microsoft on-premise Exchange servers has brought renewed focus to the Zero Trust discussion.

The NSA stated, “The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.”

In other words, trust nothing and constantly verify. It gives new meaning to Ronald Reagan’s words, “Trust, but verify.”

Read the entire article here. 

Passwords have been around since the early days of mainframe computing. Believe it or not, passwords were not originally designed to prove identity. The betting money is that computer passwords first showed up at the Massachusetts Institute of Technology in the mid-1960s in order to track time when using a mainframe computer: The Compatible Time-Sharing System (CTSS).

Today, passwords are used to help authenticate the identity of the computer user. From a security perspective, the problem is that people use crummy passwords, forget them and even reuse them across multiple systems. At the end of the day, if someone has your password, the computer doesn’t know it really isn’t you. It’s no secret that many lawyers are resistant to change. Abandoning passwords is no different. With the significant increase in remote workers, get ready for a change in how you will access your firm’s network or cloud service.

History

Password managers help users by generating strong and unique passwords for every account you access. Depending on the password manager you use, there may be issues with accessing the encrypted password vault across multiple devices. Many services will allow you to use your Apple, Google or Facebook passwords for access instead of creating one password specific for their service. That strikes us as a bad idea. If their service is compromised, the attacker has keys to your Facebook, Google or Apple account. You can add two-factor authentication (2FA) to increase security, but there are ways to intercept the second passcode sent by a text message.

Going Forward

You’ve probably heard of multi-factor authentication. A password is something you know. A second factor is something you have, such as a security key or token. A third factor is something about you – biometrics. There is a move afoot to totally ditch passwords and move to something you have and something you are.

Fast Identity Online (FIDO) are standards designed to let you dump passwords as an authentication method. The standards utilize hardware security keys and dovetail with biometrics. Think of hardware security keys as the digital equivalent of your house key. The security key plugs into a USB or Lightning port. It is a single device that works with multiple apps and websites. The key can be augmented with biometric access such as Windows Hello or Apple’s Face ID.

Read the entire article here. 

Background

For over a year now, we have primarily been working from home as a result of the pandemic. That has meant performing a lot of our daily tasks using some sort of video conferencing application. As Virginia lawyers know, the Virginia Supreme Court endorses and supports the use of Cisco’s Webex video conferencing application for Virginia court activities. What does this mean for Virginia lawyers? In order to be competent in the practice of law, lawyers need to understand how to use Webex and what options are available. We’ll attempt to cover Webex basics to get you started.

The one thing to remember is that the court will normally be the host of the meeting (hearings) and will have control over how Webex is configured and used. As an attorney, you will be a participant and may or may not have certain capabilities depending on what the court or judge has allowed.

Features

Obviously, we can’t cover all the intricate details and features of Webex, but there are many that you should be familiar with. Understand that even if a feature or function is available, that doesn’t mean the particular court has enabled it or made it available to participants. You know the old saying…if you know one court, you know one court. In these days of virtual hearings, we could probably drill down deeper and say that if you know one courtroom (and its judge) then you know one courtroom.

To start, Webex provides high-definition video and audio meetings supporting up to 1,000 attendees. There are user-controlled layouts such as grid, active speaker and other modes. The user can “pin” speakers to keep focus on specific individuals. If you don’t pin a participant, the focus with automatically shift to whoever is speaking.

Security is a huge concern, especially when protecting the client confidential information used in court proceedings. Besides Zoom, Webex is the only other platform that has true end-to-end encryption protecting all messages, files, drawings, recordings and other Webex features. Just like Zoom, end‑to‑end encryption in Webex is not turned on by default and must be separately activated if desired. There are built in security controls for private messages, file sharing and other attendees’ interactions to ensure that the meeting follows court guidelines. From the court’s perspective, there are very robust management tools to provide role-based control of feature availability. In other words, judges will have different features available as would clerks, attorneys and even the public.

Read the entire article here. 

Background

Thrust into the Work-From-Home (often seen online as WFH) environment, many lawyers scrambled to learn the technologies that would allow them to continue their practice of law during the pandemic. Finding solutions that would allow lawyers to continue to take client meetings, albeit virtually, became a priority. The pandemic way of life was new to all businesses – law firms included – having the ability to continue to interact with clients was a must.

From the outset, Zoom dominated the video conferencing market. Over the past year, Zoom has grown in popularity and usage. According to Zoom, there are over 300 million daily participants – up from just 10 million at the start of 2020. As popular as Zoom is, that doesn’t mean it’s the only possible solution for your firm. There are other video conferencing providers to evaluate, including one that you may already be paying for – Microsoft Teams.

Microsoft Teams is a communication and collaboration platform developed by Microsoft and is part of the Microsoft 365 subscription service offering. Teams is often thought of as a competitor to Slack, offering workspace chat rooms, video conferencing, and file storage/sharing. Microsoft Teams replaced Skype for Business, which has been retired and is much more than a Slack alternative.

There is a free version of Teams for users who don’t already have a Microsoft 365 subscription, but it comes with some usage limitations such as a participant capacity of up to 100 users and a maximum meeting length of 60 minutes. These limitations don’t exist with the Business Basic, Business Standard, or E3 subscription levels.

Read the entire article here. 

We are regularly asked to “spec out” computers. So . . . in an effort to save lawyers time and to be helpful, here are our current specifications for 2021. Remember that we are balancing price and features to find the “sweet spot” for you. As we are sure you realize, specifications change over the course of a year, so we’ll make sure we revise these at the end of 2021.

Windows-Based Desktop Computer

Hardware Component   Recommendation

Computer Model:            Dell OptiPlex 7080 Small Form Factor

Operating System:           Microsoft Windows 10 Professional 64-Bit

Processor:           10th Generation Intel® Core™ i7-10700 (8-Core, 16MB Cache, 2.9GHz to 4.8GHz, 65W)

Memory:             16GB, 2x8GB, DDR4 non-ECC Memory

Video Card:         NVIDIA GeForce® GT 730, 2GB, LP (DP/DP)

Hard Drive:         M.2 256GB PCIe NVMe Class 40 Solid State Drive

Network:             Intel Gigabit LAN 10/100/1000 Ethernet

Monitor:              2 x Dell 24-inch Monitor—P2419H

Warranty:            Three-year basic hardware service with three-year onsite/in-home service after remote diagnosis

Other:   No mouse and keyboard required; no out-of-band systems management; four USB 3.2 ports, two USB 3.2 Gen 2 Type-C port and four USB 2.0 ports included.

Read all the specs here. 

Jim Calloway, Director of the Oklahoma Bar Association’s Management Program, frequent speaks with us about the future of law. Recently, Jim recorded a Legal Talk Network podcast with Sharon which bears the same name as this article. You can find the podcast here.

The authors continue the discussion below.

We were glad to see the backside of 2020. But 2021 carries many uncertainties with it and that makes predictions risky. Fortunately, we are not averse to risk-taking and it is a worthwhile effort to make predictions, especially about things we’re fairly certain will come to pass.

One thing that both lawyers and clients seem to have changed their minds about is the importance of physical office space. Until we read the Clio 2020 Legal Trends Report which surveyed a combination of Clio users and non-Clio users, we had no idea that 21% of law firms were already operating without commercial office space and since the pandemic, another 7% of lawyers have given up their commercial offices and 12% are unsure they’ll keep them going forward.

It’s a pretty good bet that those numbers are higher today. We have heard from some of our big law friends that they are actively looking to sublet some of their space. Those that were near the end of their leases were the lucky ones because they can negotiate for downsized space. We, on the other hand, signed a five-year lease in February 2020. Great timing, huh?

We may also see rotating offices (yes, there will be institutional resistance), where lawyers showing up to work get assigned to an office with the office space rotating among the firm’s lawyers. Large, luxurious partner offices may also become a thing of the past. The physical footprint of the office may be reduced but virtually everyone seems to agree that firms of a certain size need some kind of office in which to conduct meetings, have a receptionist to deal with mail, packages, etc.

Another topic that comes up frequently is the cloud. We’ve been saying for a very long time that the cloud protects the security of law firm data better than the lawyers would and that is so true. We regularly hear stories of cloud breaches but lawyers often misunderstand their cause. The majority of those breaches are caused by users who misconfigured the security of the cloud and their presence in the cloud.

Read the entire article here. 

The work-from-home environment has placed additional mental and technological stress on lawyers as they try to effectively practice law remotely. Video conferencing has been a huge help in staying connected with clients and colleagues. Accessing cloud services allows attorneys to avoid trips to the office and access client data from the comfort of their own homes.

Having adequate network speed is critical for the success of remote computing. One major challenge during the pandemic is how to maintain sufficient network bandwidth. Typically, we connect to the Wi-Fi network and hope our video doesn’t freeze while participating in a virtual hearing. In addition, we’re competing for bandwidth with our spouse, children and other family members as they also work remotely or remotely attend school.

What are our options for improving network speed? The first suggestion is to get off Wi-Fi and directly connect to your router via Ethernet. Not everyone has hard wired Ethernet in their residence. There are options there too. If you are not too far from your router, you can purchase a long Ethernet patch cord to connect to your computer. Just make sure the cable isn’t a tripping hazard.

If you do decide to have Ethernet cabling instead within the walls of your residence, make sure the cable specification is at least category 5e or higher. 5e or higher cable will be able to support gigabit Ethernet connections. Hopefully, your router has gigE Ethernet ports and not the much slower and older 10/100 Mbps Ethernet ports.

Another alternative is to purchase Ethernet over Powerline adapters such as the TP-Link AV1000. You can get a set of adapters from Amazon for around $50. Basically, you plug one adapter in an electrical outlet near the router and connect a patch cord from the adapter to a router port. Plug the second adapter in an electric outlet near your computer and connect a patch cord from the adapter to the Ethernet port on your computer. The adapters communicate with each other over the electrical wiring in your house.

If you decide to go with another manufacturer instead of the recommended TP-Link model, make sure the adapters support 10/100/1000 Mbps connections. Don’t get one that only supports 10/100 Mbps connections as those will most likely be slower than your already congested Wi-Fi network.

We have had many people tell us that using an Ethernet over Powerline adapter “changed their lives.” Even though Ethernet over Powerline adapters work very well for most installations, it is not guaranteed to improve your network speed. You can always return the adapters if they don’t work with your wiring. For $50 you really can’t go wrong.

Read the entire article here. 

The Perfect Storm is Headed Your Way

The way law firms operate has undergone a drastic change over the past year, in both the physical and digital worlds. We saw law firm employees working remotely, a heavier reliance on cloud-based technology solutions and services and firms operating on a reduced budget through the economic crisis caused by the pandemic. Some law firms have thrived, while some have floundered with an inability to pivot and adapt quickly.

The new norm has created an operating environment that hackers once could only dream of. What has been proven over the past year is that cybercrime rises during times of crisis and law firms are still slow to respond. Ransomware is the number one cybersecurity threat that we now face. The perfect storm has been created and is heading towards your firm if it hasn’t arrived already.

What exactly do we mean? Users are now accessing confidential client files from their kitchen or home office through personal computers, tablets, and outdated Wi-Fi that has not had the configuration updated since the Internet Service Provider installed it. Employer-provided systems are not universal, even among the largest of firms. Users are now responsible for keeping their software and operating system patched with critical updates.

Two-factor authentication, which Microsoft states will stop 99.9% of account takeover attacks, remains unused – even though it is provided at no cost with your Microsoft 365 subscription. Encryption of laptops, while commonly discussed, is hardly implemented. Our country was shut down abruptly; this prevented most firms from carefully planning and evaluating the new cybersecurity landscape. They faced immediate changes in the way they worked. Plain and simple, they were not prepared.

Law firms recognize that there are security problems within their networks. Many just don’t know where to start to identify and fix them. Others accept the risks of taking no action.

All is not lost. There are steps that law firms can take now to get control of the situation, to identify where the problems exist and remediate them. The first step is realizing that something needs to be done. The next step is finding where the problems exist, and that is accomplished through a security assessment.

Security Assessments Are Essential

You can’t fix what you don’t know is broken. We are now at a point in time where attorneys are receiving from a client or prospective client a request for an independent security assessment or proof of having one recently been performed. Many are also receiving a request to provide a client or prospective client with their firm cybersecurity measures, along with any documentation or guidelines. Law firms inquiring about cyberinsurance are often required to have an assessment performed to become eligible for coverage. Assessments are becoming THE way to prove (and document) that you take cybersecurity seriously.

Read the entire article here. 

Perhaps classified as the worst data breach ever, the compromise of the SolarWinds Orion platform has impacted approximately 18,000 public and private sector customers according to Cyber Unified Coordination Group (UCG). The UCG also said that the Russian-backed Advanced Persistent Threat (APT) group is most likely responsible for the SolarWinds hack. As the investigation continues, we are learning more and more details about the attack and those impacted.

SolarWinds

So what is SolarWinds Orion and what is it used for? Essentially, SolarWinds Orion is a network monitoring and management tool. It is used by IT personnel to provide a single dashboard for administering various parts of the network to include the infrastructure and applications.

Discovery

In early December 2020, cybersecurity firm FireEye discovered that its own systems were compromised and attackers made off with FireEye’s own tools for investigating breaches. While FireEye was investigating how their systems were pierced, it learned that there was a backdoor, known as Sunburst, within SolarWinds. We now know that the backdoor has existed for months and provided undetected access to thousands of systems.

So what led FireEye to even think they were compromised? Unlike a bomb threat, nobody called FireEye and said “Knock. Knock. I’m in your network.” FireEye’s CEO Kevin Mandia said the first clue to the massive attack was what is called a Severity-Zero Alert. “In this particular case, the event that got briefed to me and got us to escalate and declare this a full-blown incident was somebody was accessing our network just like we do, but they were doing it with a second registered device.” They contacted the employee associated with the account and confirmed that they did not register a second phone. This is certainly a clear indication that the attacker already knew the employee’s username and password. As Mandia further stated, “We had somebody bypassing our two-factor authentication by registering a new device and accessing our network just like our employees do, but it actually wasn’t our employee.” How many of us have systems in place to issue an alert for a second device being registered? Make that lesson one.

Read the entire article here. 

Heaven help us – with that title, we hardly know where to start.

OK, we’ll just quote a headline from Vice: “New Yorker Suspends Jeffrey Toobin for Masturbating on Zoom Call.” You can’t make it up, right? Somehow a highly respected New Yorker reporter, during a call between several New Yorker reporters and a radio station, didn’t realize his video was on while he was touching himself.

He was not alone in Zoom stupidity. A Florida court was zoom-bombed in August by pornography when someone changed the secure Zoom defaults and allowed screen sharing, allowed participants to unmute themselves and completed the fiasco by posting the hearing link publicly at the Florida state attorney’s office website complete with time and ID number. That’s a trifecta of stupidity. So the court hearing for 17-year-old Graham Clark of Tampa, Florida (the alleged mastermind of the July 15 hack against Twitter which resulted in a bitcoin scam after the accounts of high-profile Twitter users were compromised) was terminated swiftly after someone injected a pornographic video clip into the proceeding.

No matter how well Zoom secures its platform, if you mess with the secure default settings, you are setting yourself up for disaster.

A law firm in Oklahoma learned the same lesson in May 2020. On August 14, Oklahoma’s NBC 4 reported that an Oklahoma City law firm (not named) set up a Q&A session in May which was open to the public.

Someone named “Christine” joined the meeting and began showing a graphic video of a man sexually assaulting a child. Not something a law firm needs.

The meeting was brought to a quick close, followed by an investigation by both the Oklahoma City police and Zoom. User error again.

While we could recount Zoom stories forever, the BIG story of the year for the legal world was ransomware. Law firms, bar associations, and all manner of other organizations were hard hit as ransomware surged by 715% in the first half of 2020. 27% of victims are now paying the ransoms, especially when the cybercriminals have stolen law firm data before they encrypted it. This gives the option, if you can restore your data from your own good backups, for them to demand a ransom for destroying your data rather than publishing it.

The authors had all but begged our clients to allow us to put endpoint protection on their networks. But three law firm clients did not and were subsequently struck by ransomware. To the credit of all three, these clients were quick to blame themselves for not listening to our entreaties. Happily, they all had backup protection solutions and we they were up and running in less than a day without having to pay the ransom. They all signed up for endpoint protection subsequently. A hard-earned lesson.

Read the entire article here.