Operation “Night Dragon”: A Data Breach Illuminated

Hackers and cybercriminals have been having a field day recently. Even big oil companies with expansive security budgets can’t keep the bad guys out. In an operation dubbed “Night Dragon” by security company McAfee, hackers operating out of China have been targeting several global oil and energy companies since November of 2009, in an attempt to steal sensitive proprietary information about oil and gas field bids and operations. You would think that oil companies would have first-class security and defense-in-depth. Apparently not so.

Law firms should take these attacks against big oil as a warning – and should bear in mind the FBI’s advisory in late 2010 that law firms are increasingly the targets of hackers.

We read about data breaches daily online or hear about them on the evening news. Law firms aren’t immune, as we saw a record number of reported data breaches in 2010. Even small law firms have become victims of data breaches.

There are a number of reasons hackers and cybercriminals target law firms – their clientele, insider information with financial value, and tactical advantage in litigation, just to name a few. Law firms must understand the severity of this threat and be proactive in dealing with it.

Buried within the details of the “Night Dragon” report (we won’t bore you with the technical aspects) are the methodical, step-by-step techniques the hackers used to work their way progressively deeper into the oil companies’ networks. Knowing exactly how the attackers defeated the defenses of some of the largest companies in the world can help a law firm identify potential weaknesses in its own security strategy (assuming it has one) and ultimately drive it to harden its defenses against threats both external and internal.

Just as with any castle or fortification, a computer network (or a stone building) is only as secure as its weakest link, and that link is usually the end user. Whether it’s choosing simple passwords, using no password at all, or falling for a phishing attempt, end users can open the doors to a law firm’s most critical data in a matter of seconds. With the Internet, the bad guys are only milliseconds away, even when they are attacking from across the globe.

End users were one of the primary targets exploited by the hackers in operation “Night Dragon.” To help fortify these areas of weakness, law firms should:

    (A) Require every employee to review and sign a computer and Internet usage policy
    (B) Require user passwords to be a minimum of 12 characters and to contain upper- and lower-case letters, numbers and symbols. Passwords should be changed regularly (every 30 days is a common policy) and should never be re-used, whether over time or across different systems. Note that more recent guidance (NIST SP 800-63B) favors length, a ban on known-breached passwords and a change on suspicion of compromise over forced periodic rotation, because users asked to rotate every month tend to produce predictable variations of the old password.
    (C) Educate end users on spam and phishing techniques. Online phishing tests are available that grade a user’s ability to detect fraudulent e-mails.
    (D) Verify that antivirus and antispyware definitions are kept up to date, that client computers and servers are scanned on a periodic basis, and that the software is actually running as configured (an agent that has been disabled or has stopped updating protects nothing).
    (E) Laptops should only be used with full-disk encryption, whether hardware- or software-based. No encryption, no laptop, no exceptions.

Besides taking advantage of careless end users, the attackers also gained access to web servers that were reachable from the Internet and, at the same time, connected to the internal corporate networks. Once they controlled those systems, they were on the “inside.” Game over. The foothold on these servers was gained through Structured Query Language (SQL) injection: attacker-supplied text in a web request was passed into a database query as if it were part of the query itself. Even minimal logging on the web and database servers would have recorded these requests. Had those logs been reviewed and alerted on, whether by a person or by a program, the intrusions might have been detected during the initial stages of the operation rather than after the fact.

If a law firm is facing a decision to host its own website, e-mail or other service on a computer system that is both accessible from the Internet and on the local network, extreme prudence should be exercised to protect and monitor that system for suspicious activity that might warn of an impending or ongoing attack. Better still, place such a system on its own network segment (a DMZ), so that compromising it does not put the attacker directly on the internal network. Ongoing monitoring (regardless of the type of system) should include review of antivirus and security software logs and alerts, system and security event logs, and any application-specific, web server or firewall logs.
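To make the two points above concrete, here is an added example (written for this page, not code from the McAfee report or from any of the companies involved). The first half shows the kind of login query SQL injection abuses, alongside the parameterised form that is immune to it, against a constructed in-memory SQLite table. The second half is the minimal log review the article calls for: a scanner over a few constructed web server access-log lines that flags requests whose parameters contain SQL syntax, so that probes against an Internet-facing server are noticed while they are happening. Table contents, log lines, IP addresses and signature patterns are all invented for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample data standing in for an extranet application's database.
ROWS = [
    ("alice", "s3cret-A", "Acme Oil bid package"),
    ("bob", "s3cret-B", "Gulf lease negotiations"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting, so attacker-controlled text
    becomes part of the SQL syntax. This is the pattern injection abuses."""
    sql = ("SELECT name, note FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quote characters in the input are just data."""
    sql = "SELECT name, note FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo_injection():
    """Returns (rows from vulnerable query, rows from safe query) for a
    classic tautology payload. The vulnerable query leaks every row."""
    conn = make_db()
    payload = "' OR '1'='1"
    return len(login_vulnerable(conn, payload, payload)), \
        len(login_safe(conn, payload, payload))


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2011:02:14:07 +0000] "GET /portal/login.asp?user=alice&pw=s3cret-A HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2011:02:14:09 +0000] "GET /portal/login.asp?user=%27+OR+%271%27%3D%271&pw=x HTTP/1.1" 200 4096
198.51.100.7 - - [10/Feb/2011:02:15:31 +0000] "GET /portal/search.asp?q=oil+bids HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2011:02:16:02 +0000] "GET /portal/search.asp?q=1%3B+EXEC+xp_cmdshell+%27whoami%27 HTTP/1.1" 500 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Crude, illustrative signatures for SQL syntax inside request parameters.
# A real deployment would use a maintained rule set, but the mechanism is the same.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d", re.I),          # ' OR '1'='1 tautologies
    re.compile(r"\bunion\b.+\bselect\b", re.I),   # UNION SELECT data extraction
    re.compile(r"xp_cmdshell", re.I),             # MSSQL command execution
    re.compile(r";\s*(exec|drop|insert|update)\b", re.I),  # stacked statements
    re.compile(r"--|/\*"),                        # SQL comment markers
]


def scan_log(text):
    """Parses each access-log line, URL-decodes the query string and returns
    (source ip, request path, matched patterns) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        query = unquote_plus(m.group("path").split("?", 1)[1])
        matched = [p.pattern for p in SQLI_PATTERNS if p.search(query)]
        if matched:
            hits.append((m.group("ip"), m.group("path"), matched))
    return hits


if __name__ == "__main__":
    print("rows returned (vulnerable, safe):", demo_injection())
    for ip, path, why in scan_log(SAMPLE_LOG):
        print("ALERT", ip, path, why)
```

Run stand-alone, the injection demo returns two rows from the vulnerable query and none from the parameterised one, and the scanner flags both probes from 203.0.113.5 while leaving the legitimate requests alone. Two hits from one source address within minutes is exactly the sort of condition an alert should fire on; a second probe that returns a 500 error is a strong sign the attacker is past guessing and into exploitation.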

Why have law firms become the darlings of the hacking community? Their systems tend to have a weak underbelly. Law firms are not generally very sophisticated about technology. Law firms hate change, which security requires constantly. Security costs money, and law firms are often penny-wise and pound-foolish, especially where the confidential data of clients is concerned. Complacent for years, and thinking they were not a target of hackers, law firms are just beginning to understand the extent of the dangers they face externally and internally. Every law firm should have a security assessment annually, and semi-annually is generally better. Lawyers have an ethical duty to take reasonable measures to protect their clients’ information, and the definition of ‘reasonable’ has certainly changed to require more of law firms than ever before.