Every Firm's a Target

Malware threats grew 34 percent in 2012, with more than 200,000 new ones surfacing each day, according to security software maker Kaspersky Lab. Experts estimate that as many as 577 million worms, viruses, Trojans, and pieces of spyware are constantly probing for vulnerable spots in software and devices where they can insert their dirty payloads; most commonly, they are spread by malicious links. Given that cyber attacks typically cost even small businesses $8,700 apiece, the resulting damage can be significant.

Some law firms are under the impression they're vulnerable only if they do large, international business deals, but firms are being targeted on an increasing number of fronts. Email remains a prime delivery mechanism for hacking attempts; phishing emails lure the unwary into providing passwords and other information to sites that mimic banks, PayPal, or other reputable businesses. But mobile devices, apps, and even voice calls and PDFs have become conveyances for spyware.

The Need to Encrypt
"Something as simple as a passport number or tax ID number could make your firm a direct target. In the right hands, that information is very valuable," says Justin Greer, director of IT for Higgs Fletcher & Mack in San Diego. And a high-profile client can attract especially sophisticated hackers.

Tiffany Rad, a security researcher for the Global Research and Analysis Team at Kaspersky Lab, says too much sensitive information is still being transmitted by email, but many companies now require their attorneys to actively protect their information - and that usually means encryption.

"Cryptographically protecting emails should be a high priority," Rad says. Any attached documents also should be encrypted, she says, even though it can seem laborious and annoying. "There's always a trade-off between accessibility and security."

Encryption applications apply algorithms to scramble the data in electronic files before they're transmitted; recipients need a key, sent separately, to unscramble the information again. Clients may need to run the same encryption program that their law firm uses. "Email a client saying, 'Here's a program, set up a key, and use it,' " Rad recommends. Even if a firm uses a cloud provider to store and transmit documents, encryption will prevent anyone who gains unauthorized access from being able to read them.

Mobile Mayhem
Malware geared specifically for mobile devices is on the rise, according to security software vendor McAfee, which collected almost as many mobile malware samples in the first half of 2013 as it did during all of 2012. McAfee, a subsidiary of Intel, expected to collect even more in the second half of the year. Kaspersky detected 29,695 new bits of malware targeting mobile devices in the second quarter of 2013, a 23 percent increase from the first quarter.

Scammers often distribute malware to mobile devices using copycat apps. "The most effective way for a malicious app to get distributed is for it to clone functionality or the brand of a currently popular app," says Lou Manousos, co-founder and CEO of RiskIQ, a company that scans the Web for threats.

Typically, scammers make a complete copy of a popular app, give their version a similar name, and then include adware or more malicious components. They may distribute their look-alikes in the same app store as the original or in a second- or third-tier store that's less rigorous about screening. Consumers unwittingly download the copycat app instead of the legitimate one, and the dirty payload is on its way.

The extra material could be relatively benign display ads, or it could be a link to a chain of shady affiliates that install malware on the device. App-happy lawyers are prime targets, says Dale Gonzalez, product strategist at Dell SecureWorks, a subsidiary that provides security services. "Lawyers charge by the hour. They never sleep, they only bill. So they use technology that lets them be home sometimes. All that makes them awesome targets for the newest types of thieves," he says.

Spyware on the Line
Even plain old cell phone voice calls are increasingly subject to hacking. Cell phone attacks can be active or passive, according to Cellcrypt, maker of voice encryption for smartphones. In an active attack, a radio scanner takes advantage of the fact that cell phones constantly seek the strongest signal (often without requiring proof that the station sending it is authentic). The scanner impersonates a base station to fool nearby phones and then turns off their encryption so it can record, block, or redirect calls. A scanner also can manipulate a base station by impersonating a phone. In a passive attack, a scanner just intercepts and eavesdrops on cell phone signals traveling between base stations. Passive attacks are undetectable but require sophisticated decryption software.

Human Intervention
As all kinds of data become increasingly valuable, a law firm may suffer a "spear-phishing" attack, a handcrafted attack aimed at a specific person. In contrast with phishing emails, which are sent to thousands of addresses in the hope that someone will take the bait and inadvertently download malware, spear-phishing messages are based on online sleuthing about a specific target. After identifying law firm staffers who work for a client with juicy information, for instance, criminals would gather information using social networks and other online sources. It's easy to identify groups that staffers belong to on LinkedIn or other social media and learn what meetings or conferences they're planning to attend. The crook can then create what looks like a legitimate email that purports to follow up on earlier communication but actually includes a link or zipped file delivering malware.

"When they drop the payload, it could have a Trojan to allow remote access. [Then] they can exfiltrate whatever type of data they can get their hands on," says Todd Waskelis, executive director of AT&T Security Consulting Services. "Nowadays, in the advanced, persistent threats you hear about, the initial attack is through social engineering - spear-phishing or planting malware on a website that a potential victim is likely to visit."

Inside Jobs
Law firms also face risks from malicious employees, says Dell's Gonzalez, most commonly new workers or someone who was recently terminated. Atypical or changed behavior can be a clue. "Look for a difference in the way that someone is using a computer," Gonzalez advises. That could be someone from another department looking at accounting data, or someone whose data usage suddenly triples.

In fact, employees remain every firm's biggest threat, even if they don't have wicked intentions, says Greer. "If you have a user base that's not well-trained and doesn't understand information security and how to protect their clients, they are as much of a danger as a hacker on the outside."

That challenge is what keeps Greer going. In trainings, he focuses as much on why security tools and procedures are important as on how to use them. "My biggest worries are ... users who didn't read that tip that day, didn't attend the security training, who happen to open that one file or visit that one site that could disclose our information."

Susan Kuchinskas covers business and the business of technology for publications including Scientific American, Portada, and Telematics Update.

---