An Introduction to Malware for Lawyers
Cybersecurity Basics for Law Firms
Never underestimate your opponent.—Sun Tzu, The Art of War
Cybersecurity addresses reasonably securing computer assets and data from unauthorized access. The FBI recently warned that law firms are specific targets of computer criminals (cybercriminals) seeking unauthorized access to data. Recent HIPAA changes require law firms to protect patient data from unauthorized access. Pending changes to the Rules of Professional Conduct re-state the lawyer’s duty to reasonably secure computers to protect client confidentiality. The ABA just adopted a resolution on cybersecurity “urg[ing] lawyers” to review and comply with confidentiality requirements. Thus, cybersecurity emerges as a law practice issue.
Malicious software (malware) represents one way cybercriminals gain unauthorized access to computer systems. Unlike traditional “hacking” incidents, cybercriminals may seek long-term access to computers to glean data over time. Cybercriminals siphon data from compromised computer systems for an astounding 8 months before detection on average. The incidence of malware increased sharply in the past two years—especially attacks on “smart” phones. Cybersecurity experts recorded almost 250,000 web attacks per day in 2012. Millions of malware variants now circulate with 70,000 new types added per day. Phishing-email attacks increased by 125% with cybercriminals trolling social media sites for personal information and then targeting phishing emails (called spear-phishing) using that information. Globally, 431 million people fell victim to cybercrime in 2012.
To understand this growing malware threat, lawyers should understand
- the role of cybercriminals,
- the sophisticated driving forces behind malware,
- the most common types of malware, and
- basic malware countermeasures.
First, we need to dispel the quaint notion of a teenage “hacker” sitting in a darkened room bathed in computer-monitor-glow and “hacking” into a website. Instead, the pressing threat arises from well-organized, internationally-based, highly-professional, well-funded, cybercriminals. A cybercriminal uses computers to perpetrate crimes, and cybercriminals monetize their computer technology skills through a structured, underground economy—reported at $114 billion per year and now rivaling the illegal drug trade.
Most people think cybercriminals just steal credit card information. While this certainly does occur, today’s cybercriminal profits from a complex and sophisticated underground economy that markets in both data and malware services.
On the data side, cybercriminals sell social security number, home address, bank account, credit card, health-care, trade secret, CAD drawing, email account, company finance, and company strategy information (the latter two leading to sophisticated insider trading). Currently, cybercriminals might get $25 for a Visa card number—$200 with the PIN number and a good balance. Email account login—$28. Bank account login—$1,000. Social security number—$3. Mother’s maiden name—$6. Thus, cybercriminals thrive by selling stolen data in an established black market—and increasingly to the grey market of “data providers.”
On the malware products-and-services side, some cybercriminals develop and sell ready-to-use malware packages and tools, which allow less sophisticated cybercriminals to also profit from cybercrime. Cybercriminals also lease pre-packaged cybercrime “cloud” services, such as botnets, for a monthly fee (reportedly as low as $495). Botnet services can act as a catalyst for further cybercrime by aggregating thousands of malware-compromised computers into a huge network. The cybercriminal sells access to this network to entities seeking to attack other computers or to deliver their own malware.
Thus, cybercrime encompasses a complex and well-developed system of services, tools, and products in addition to traditional theft. Considering this context, malware reflects a mature, albeit illicit, business model, not a casual nuisance.
Generally speaking, malware describes any type of software that does something to a computer without the computer owner’s informed consent. Many have heard of “computer viruses.” Today, the term malware more generically describes the entire field of malicious software that now includes Trojan horses (trojans), rootkits, viruses, ransomware, spyware, keyloggers, botnet clients, and malicious website scripts. Most of today’s malware falls into the general category of trojans.
Trojans are a broad type of malware that are usually embedded into seemingly “normal” software or websites. For example, a person may see a free game app and download the software. But when the user installs the software, a trojan also secretly installs and delivers its malicious “payload.” The trojan payload might spy on the user’s activity (e.g., record bank account login information via keyloggers), send the user’s personal information to a remote server from time-to-time (spyware), or give the cybercriminal on-demand, remote access to the computer via a “back door.” Trojans may also turn your computer into a botnet client (or zombie) where your computer is used along with other compromised computers to send spam email, attack other computers, or deliver new malware variants to others. Notably, the malicious payload of trojans continues to evolve as cybercriminals respond to countermeasures (creating a cyber-arms race) so new variants are expected.
For example, cybercriminals recently launched ransomware trojans. Most people do not backup computers. Cybercriminals developed trojans that encrypt all the victim’s data using the cybercriminal’s encryption key—effectively locking the victim out of his own data. The victim gets a notice demanding a large sum ($5,000) to unlock the encrypted data. Most victims have little choice other than to pay—and the cybercriminals use really strong encryption to make sure that you have no choice.
Mobile devices are especially vulnerable to newer rootkit trojans due to the mobile device’s low security and typically high-access to business networks. The rootkit gives access to anything on the mobile device and virtually anything on the entire network accessible through the device. Such unfettered access should concern law firms because of confidentiality. But also think about what such access does to the authenticity or integrity of information.
Thus, today’s malware goes far beyond relatively simple viruses. Malware now feeds a sophisticated cybercrime economy through creative and long-term access to your data and resources.
Malware Vectors for Infection
How does malware get to my computer? In some cases, the end-user is tricked into installing the malware—for example, by installing a piece of software infected with a trojan. But, cybercriminals also use phishing or spear-phishing attacks where a malicious email includes a website link that looks legitimate but actually redirects to a malware website. When the end-user clicks on the link, the malware installs. In other cases, the malware is packaged as an attachment to a seemingly legitimate email message. The attachment can look like a completely normal zip archive, PDF, Word document, or image file. But, when the user clicks on the malicious attachment, the embedded malware installs. These examples illustrate infection through user interaction.
But, cybercriminals also use so-called “drive-by-attacks” via malicious websites to deliver malware during regular web browsing. Rather than trick an end-user, drive-by-attacks exploit bugs in the web browser software or in the web browser plug-ins (such as Adobe Flash) to allow the browser to download and install the malware without the end-user’s knowledge. Web-based, drive-by-attacks can also infect “smart” phones and tablets as well as traditional desktops, laptops, and servers. Drive-by-attacks are more challenging to prevent specifically because the victim might not even know of the attack. Both up-to-date web browser software and anti-virus software may reduce the risk, but multi-layered defenses may be necessary.
Malware, as many aspects of cybersecurity, seems overwhelming at first. But, awareness is a first step. Recognizing that a formidable threat exists helps emphasize the importance of cybersecurity practices. Also, awareness helps the law firm to educate and train staff to recognize the threats.
Second, any computing device is vulnerable to malware—including traditional computers (desktops and laptops), servers, “smart” phones, “tablets,” networking equipment, telephone systems, and photocopiers. Thus, one must think broadly when considering potential risks.
Third, “old” rules-of-thumb still hold true:
- be wary of email (and messaging)—even email from colleagues or known companies,
- only open email attachments if expecting an email attachment (if unsure, call the sender to confirm),
- limit (or eliminate) use of social media (a source for spear-phishing attacks),
- keep “anti-virus” software up-to-date at all times (and Macs now require anti-virus software), and
- keep software and operating systems patched and up-to-date (don’t overlook web browser plug-ins such as Adobe Flash, Adobe Acrobat, and Java).
Fourth, and a little more complex, law firms should develop, implement, and test cybersecurity policies and procedures such as data backup, data retention/archiving, and disaster recovery (note the three distinct categories). Formal software and hardware patching, software installation and use, systems management, and mobile device policies are also needed. Along with these policies goes training and staff education about cybersecurity issues.
Malware provides a good introduction to cybersecurity issues—illustrating the types and magnitude of the potential threat. Cybercrime is big business. While all businesses are vulnerable, cybersecurity issues uniquely affect law practice so lawyers need familiarity with these issues. Notably, countermeasures are possible. Some basic operational rules, awareness, training, and properly implemented (and tested) cybersecurity policies may help to reduce the risks.
Addendum—o6 November 2013—US CERT Issues Alert on Ransomware
On 05 November 2013, US-CERT, the US government security group, issued a warning about the Cryptolocker malware. Cryptolocker malware infects systems through email phishing scams an then encrypts vital information on the users hard drive or any attached network drives.The suggested avoidance strategies largely mirror the above “old” rules of thumb.
Publication Information & Suggested Citation
Article Submission Date: 2013-08-15
Article Publication Date: 2013-09-19
Please Cite as: Shannon Brown, An Introduction to Malware for Lawyers, In Brief, 16 Lancaster Bar Association Newsletter 3 at 4, 14–15 (Third Quarter 2013), available at http://www.shannonbrownlaw.com/?p=1981.