The international firm Shook, Hardy & Bacon has started using its new security certification to woo potential clients. The certification, ISO 27001, took two years and multiple consultants and analysts to obtain, but Shook’s CIO, John Anderson, thinks the work was worth it. He started the certification process on the advice of Shook’s information governance committee, which wanted “a methodology and a framework that ensures [they’re] using best practices for information security” and “third-party verification that proved [their] commitment to information security to external parties”, according to Anderson. Now the hard work is paying off: Anderson describes the certification as a “differentiator” and a “competitive advantage” for the firm.

In a recent poll of 1,322 CEOs, 61% listed cyberattacks as a key concern. With the average data breach costing approximately $3.8 million, it is no wonder that organizations are asking firms how they implement cybersecurity. Some, according to John Murphy, Shook’s chair, even specifically ask whether the law firm holds the ISO 27001 certification. Their clients’ questions are unsurprising, considering that the firm regularly handles highly confidential and regulated information, sometimes for organizations in the pharmaceutical industry.

Just holding the ISO 27001 certification isn’t necessarily enough, though. Steve Wilson, an analyst at Constellation Research, explains that the certification is simply a “management process standard–it doesn’t tell you what to do exactly in security; it tells you how to go about managing the security function.” Shook’s executives point out, however, that the certification does require the firm to routinely evaluate and update its security standards, and that it at least demonstrates their commitment to keeping clients’ data secure. Beyond the spending required to obtain the certification, the firm also has funds dedicated to the other parts of its security strategy. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” Murphy explains.

Article via CIO, August 28, 2015

Photo: Security via Robert Wallace [Creative Commons Attribution-NonCommercial-NoDerivs]

In the past, only five malware-infected applications had made it into the Apple App Store. That number has now grown: 25 apps have been identified and pulled from the App Store for containing malware. The breach is due to a program called XcodeGhost, an imitation of Xcode, the platform developers use to build programs for iOS and Mac. While the official Xcode program takes about half an hour to download in the United States, the download takes almost three times as long for developers in China. Many therefore download it from local servers, which allowed the counterfeit XcodeGhost to be substituted for the real Xcode program and downloaded in its place. Thankfully, apps built with this malware have not been observed stealing sensitive information from the users who downloaded them. Still, even though the apps appear to be harmless, the attack on the App Store is notable according to Palo Alto Networks’ Director of Threat Intelligence, Ryan Olsen. The firm was the first to report the existence of the malware-tainted apps, and Olsen states that the breach shows the Apple App Store isn’t impenetrable.

To prevent another cyber breach, Apple will provide a way for Chinese developers to download an official copy of Xcode domestically, and Apple is “working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps” according to an Apple spokesperson.
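The counterfeit Xcode in this story worked because nothing checked that the archive pulled from a local mirror was the one Apple actually shipped. The script below is an added example, not code from the article, from Apple or from Palo Alto Networks; it shows the check a build team can run before installing any downloaded toolchain: stream the archive through SHA-256, compare the result in constant time against a digest the vendor publishes through a trusted channel, and refuse anything that is unpinned or mismatched. The manifest, file names and payloads are constructed for the demo (they are not real Xcode digests), and a real deployment would fetch the manifest over HTTPS from the vendor rather than embed it.

```python
"""Verify a downloaded toolchain archive against a vendor-published digest
before installing it. Added example with constructed data."""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so multi-GB archives need no RAM

# Constructed stand-in for the archive the vendor really ships.
OFFICIAL_PAYLOAD = b"official toolchain payload"

# Constructed manifest: in practice this is fetched from the vendor over HTTPS,
# never from the same mirror that served the archive. Hypothetical file name.
TRUSTED_MANIFEST = {
    "Xcode_7.0.xip": hashlib.sha256(OFFICIAL_PAYLOAD).hexdigest(),
}


def sha256_file(path):
    """Return the hex SHA-256 of a file without reading it all into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, manifest=TRUSTED_MANIFEST):
    """Return (ok, reason). A file with no pinned digest is rejected exactly
    like a mismatch: an unknown archive is untrusted, not merely unverified."""
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no trusted digest published for this file"
    actual = sha256_file(path)
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        return False, (f"{name}: digest mismatch "
                       f"(got {actual[:16]}..., expected {expected[:16]}...)")
    return True, f"{name}: digest matches vendor manifest"


def write_sample(dirpath, name, payload):
    """Write a constructed archive to disk and return its path."""
    target = Path(dirpath) / name
    target.write_bytes(payload)
    return target


def demo():
    """Exercise the check against three constructed downloads:
    the genuine archive, a same-named tampered copy from a mirror, and an
    archive whose name has no entry in the manifest at all."""
    with tempfile.TemporaryDirectory() as tmp:
        official_dir = Path(tmp) / "official"
        mirror_dir = Path(tmp) / "mirror"
        official_dir.mkdir()
        mirror_dir.mkdir()
        official = write_sample(official_dir, "Xcode_7.0.xip", OFFICIAL_PAYLOAD)
        # Same file name, extra bytes injected: the XcodeGhost pattern.
        tampered = write_sample(mirror_dir, "Xcode_7.0.xip",
                                OFFICIAL_PAYLOAD + b"\n# injected build step")
        unknown = write_sample(mirror_dir, "Xcode_7.0-mirror.xip", OFFICIAL_PAYLOAD)
        return {
            "official": verify_download(official),
            "tampered": verify_download(tampered),
            "unknown": verify_download(unknown),
        }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The check only helps if the manifest arrives by a path the mirror cannot tamper with; pin it in the build system's own repository or fetch it directly from the vendor, and treat a download whose name is not in the manifest as a rejection rather than a warning.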

Article via CNET, September 22, 2015

Photo: Apps via Pixel Fantasy [Creative Commons Attribution-NonCommercial-NoDerivs]

Health insurer Excellus BlueCross BlueShield and a partner company suffered a data breach of their health care records. The sophisticated cyberattack, affecting more than 10 million records, was disclosed by the company last Wednesday, September 9, 2015. It comes just a couple of months after a similar hack at UCLA’s health system in July, in which 4.5 million records were accessed.

Excellus says the hack exposed social security numbers, medical claims and other identifying information. The FBI is investigating the crime. In a statement, Excellus CEO Christopher Booth says, “protecting personal information is one of our top priorities and we take this issue very seriously…”. The frequency of data breaches in health care is alarming and is leading some to say that health records in the US are not safe. Why?

Health records are extremely attractive to attackers. On the black market they are valued above credit card information, simply because the data is so rich. Personal details such as social security numbers, identification information and medical history let an attacker use the data in a variety of ways, from opening a bogus account and committing income tax fraud to obtaining health insurance under someone else’s name.

The possibilities are plentiful, and therefore the health care industry remains a primary target.


Article via CNET, 10 September 2015

Photo: A Doctor Looks Over Patient Medical Records via World Bank Photo Collection [Creative Commons Attribution-NonCommercial-NoDerivs]

Innovation has allowed cars to be outfitted with rear cameras, internet connectivity, computerized maintenance systems and other technological components that can greatly benefit drivers. Unfortunately, new technology sometimes brings new problems. The instant a car connects to a network, it is exposed to cyberattacks, which could eventually allow attackers to control the car remotely. The range of problems this could create has led Intel to form the Automotive Security Review Board. The goal of the ASRB is to reduce the risk that cyberattacks pose to vehicles. Chris Young, Senior Vice President and General Manager of Intel Security, states that “with the help of the ASRB, Intel can establish security best practices and encourage that cyber-security is an essential ingredient in the design of every connected car.”

The board will use ongoing security tests and audits to determine how best to advise automobile manufacturers, which in turn should keep cars and their drivers safer. Considering that some companies are already recalling cars because of security flaws, the ASRB’s findings will be useful to automotive companies. Intel will provide its advanced development platforms to support the board’s security research and has already published an initial version of its automotive cybersecurity best practices, to be updated as the ASRB’s research continues. A key part of Intel’s advice is that vehicle security must be monitored and updated even after the car is sold. As Intel states in its best-practices report, “Threat analysis and risk assessment continues throughout the life of the car as old vulnerabilities are patched and new ones come to light, so the risk of attack can even increase with time.” As new threats emerge against technology, and especially its applications in cars, manufacturers will need the cybersecurity research that organizations like the Automotive Security Review Board are conducting.

Article via CNET, September 14, 2015

Photo: Urban Congestion via Doug [Creative Commons Attribution-NonCommercial-NoDerivs]

The Internet of Things (IoT) is the next revolution in tech. It promises to connect devices to one another via the internet. Once these devices live together in a network, they will be able to communicate with each other, machine to machine. This level of complexity introduces a new level of legal risk.

Today, if something goes wrong with your appliance, you report the faulty product to the manufacturer. The Internet of Things will complicate this straightforward matter. In the future, every party involved may be held accountable for a product failure: not only the manufacturer, but the internet service provider, the operators of the web servers, and so on.

This raises a related issue: user contracts. Given the legal complications of connecting smart devices, will manufacturers force users to void their contract if the product is connected? At the heart of this concern is data. What happens if there is a data or security breach? Products connected via the Internet of Things will share data. In the event of an attack, who will be legally responsible for the data breach and its fallout?

“The privacy implications are potentially huge,” says Trey Hanbury, an attorney interviewed about the formation of the Internet of Things ecosystem.

Juniper Research suggests that the Internet of Things will lead to a more robust security model precisely for this reason. The ideal model would be able to shut down the part of the network where an attack is happening without affecting the devices connected to other parts of the network.

What is clear is that lawyers need to prepare for a new period of legal risk and uncertainty brought on by the IoT revolution. Companies are already investing heavily in building more connected devices. By 2020, an infrastructure supporting a heavily connected world is expected to be running. It will be an exciting time to sort out how the next generation of security and liability will be legally assessed once property has gone digital.

Article via LegalTechNews, 4 September 2015

Photo: Brooklyn Community Board via Bryan Bruchman [Creative Commons Attribution-NonCommercial-NoDerivs]

With law firms and their clients facing cyber threats more and more frequently, it makes sense that firms would want to come together and share what they know about these threats so that each firm is better prepared to advise its clients. The Legal Services Information Sharing and Analysis Organization, or LS-ISAO for short, was formed to allow this kind of collaboration between firms. The new alliance is connected with a similar organization, the Financial Services Information Sharing and Analysis Organization, or FS-ISAO, which has been requiring the private and public financial sectors to share information on cyber security and other threats since 1999. Although LS-ISAO was formed after several law firms approached the FS-ISAO, not all law firms are eager to join the alliance.

Although many law firms are educating their members on cyber threats, and some even have teams dedicated to cybersecurity, most law firms base their response to cyber threats on their clients’ opinions. For example, Chanley Howell, a member of the cybersecurity team at Foley & Lardner, isn’t very keen on joining the alliance, but explains, “If we start hearing clients recommend it, we’ll probably join.” Though it may seem counterintuitive for a cybersecurity team to put off joining an organization created to spread knowledge about cyber threats, Jeremiah Buckley, a founding member of Buckley Sandler who writes about cyber risk, argues that there are potential drawbacks to an organization that shares cybersecurity information so freely. Namely, if a law firm shares what it learned from a cyber threat with the alliance, then even though everything is required to be anonymous, other firms could still work out which law firm was involved and use that information to attack and discredit it. On the flip side, firms should be wary of information shared anonymously, since there is no way to prove it is correct. Finally, firms are still competing with one another, and giving someone else a leg up may not always be in a firm’s best interests.

Even though there may be some issues with the new alliance, the Legal Services Information Sharing and Analysis Organization is still young. With time, according to the Vice President of Products and Services at the FS-ISAO, trust will develop between its members.

Article via Bloomberg BNA, August 21, 2015

Photo: Two People-Business Meeting via Stephen D [Creative Commons Attribution-NonCommercial-NoDerivs]