SlideShare a Scribd company logo

Cybersecurity Fundamentals for Bar Associations

NowSecure, profile picture
NowSecure

The document discusses cybersecurity fundamentals for bar associations. It covers why cybersecurity is important, how to conduct an asset-based risk assessment, common attack vectors like phishing and ransomware, and frameworks and best practices like the NIST Cybersecurity Framework. It also provides examples of vulnerabilities found on a local bar association's web server and outlines five practical cybersecurity tips for organizations, such as patching systems, using strong authentication, encrypting data, and outsourcing security functions.

Law
Related topics:
Information Security
1 of 36
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Cybersecurity Fundamentals for Bar Associations
Andrew Hoog CEO and Co-founder of NowSecure © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Computer scientist & mobile security researcher ● Author of three mobile security books ● Enjoyer of science fiction, running and red wine © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● Why invest in cybersecurity? ● Assets-based risk assessment ● Common attacks vectors ● Frameworks / Best Practices
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Why invest in cybersecurity?
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Model Rules of Professional Conduct 1.6: Confidentiality of Information (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Your job? Your bonus?
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Anyone heard of the Panama papers? The Panama Papers are: 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Regulation
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. FTC v. Wyndham “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Circuit Judge Thomas Ambro, United States Court of Appeals for the Third District
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. FTC v. Wyndhan FTC has authority to bring data security cases Apple App Store and Google Play store require privacy policies Failure to invest in security of those apps (i.e., “do what you say”) puts you at risk
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Information Security - It’s a process, yo! Information Security Management System (ISMS) is not a computer system but an organizational policy and program to implement and manage information security. A major component of this is executive accountability for information security, making clear the responsibility overall and also "ownership" of specific systems/data.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Asset-based risk assessment
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Assets of value Things I heard you value ● Member database ● Credit cards ● PII ● Anything related to cases ● … Things attackers may also value
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Assets of value Things I heard you value ● Member database ● Credit cards ● PII ● Anything related to cases ● … Things attackers may also value ● Network (DDoS) ● CPU (bitcoin mining, wheeee!) ● Your identity ● Making a point (political / philosophical agendas) ● Bragging rights
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. I think of vulnerabilities in three buckets Unknown / No fix Best practices Very little anyone can do here See router example (vulnerable cable modem) Tactics: implement best practices and try to limit what attackers can access This is the area to focus most energy 80/20 rule in play here, meaning a reasonable amount of effort will address 80% of your risk. The remaining 20% is precipitously expensive and difficult to address. Targeted attacks Can’t defend against Attacker will ultimately succeed Tactics: implement best practices and try to limit what attackers can access
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Compromised router
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. It all began on Saturday, February 13 ● Certificate error ● Examined the details ● Determined there was an issue Documented the issue Contacted corporate security team ● Attempted to re-create on iPad, other iOS devices, laptop, desktop © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Info gathering and identification Symptoms ● Gmail app wouldn’t sync ● Wi-Fi certificate errors ● Analyzed certificate Hosted in shared environment ● Istanbul ● Both used self-signed HTTPS certificate ● Issued by: ssl@servers.carsimedya.com © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Continuing investigation Suspicious DNS entries ● Queried IP address - resolved to a server in Germany ● Same DNS as carsimedya.com ● Social media and SEO related ● Investigated router configuration Theories ● Targeted attack ● Mass router compromise (using known or zero-day vulnerability) © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Common attack vectors
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Common Attacks 1. Vulnerable software (and firmware) 2. Phishing attacks, email most common but can also be SMS 3. Ransomware - (typically phishing + vulnerable software) 4. Webserver 5. Social engineering 6. Physical With scary cyber criminal image
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Local ABA Webserver
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Web Server Info Scan took 1.5 seconds - IIS 7.5 was released in 2009!
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. IIS 7.5 Known Vulnerabilities
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. .NET Framework 4.0 Know Vulnerabilities
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Ideas on how the Panama papers leaked? Does anyone want to conjecture on how the Panama papers were leaked? The Panama Papers are: 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Frameworks / Best Practices
NIST Cybersecurity Framework Check it out: https://www.nist.gov/cyberframework
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Five practical info sec tips for non-security firms
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones ....
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Auth Change default passwords! Use a password manager. Two Factor Auth
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Auth Change default passwords! Use a password manager. Two Factor Auth Segment Install a firewall Consider segmenting sensitive servers from computers, mobile and IoT devices and guest Wi-Fi
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Auth Segment Install a firewall Consider segmenting sensitive servers from computers, mobile and IoT devices and guest Wi-Fi Encrypt Encrypt data at test Servers Laptops Mobile Devices This is only effective in some scenarios Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Change default passwords! Use a password manager. Two Factor Auth
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Auth Segment Encrypt Outsource Security is hard so outsourcing makes sense in many situations Primary upside is using large SaaS providers for key systems like email Audit your mobile apps against the framework Set internal requirements for mobile app security Teach developers how to code in compliance with the framework, and teach security auditors how to test apps against it Document framework, education materials, and assessments (i.e., reports), and make sure it’s all organized and accessible
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Security needs to be user friendly or people will circumvent it Executives must lead by example and take responsibility for security Needs to become part of your DNS Assets are valuable, vulnerabilities are everywhere. Attackers have an asymmetric advantage Information Security is org policy and program
Don’t Panic Andrew Hoog CEO / Co-founder, NowSecure ahoog@nowsecure.com 312-878-1100, x4242 Twitter: @ahoog42 nowsecure.com

More Related Content

PDF
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
NowSecure
 
PDF
Preparing for the inevitable: The mobile incident response playbook
NowSecure
 
PPTX
Netwatcher Credit Union Tech Talk
NetWatcher
 
PDF
It's not about you: Mobile security in 2016
NowSecure
 
PDF
How to scale mobile application security testing
NowSecure
 
PDF
PROGRAMMING AND CYBER SECURITY
Sylvain Martinez
 
PPTX
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
centralohioissa
 
PDF
5 Mobile App Security MUST-DOs in 2018
NowSecure
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
NowSecure
 
Preparing for the inevitable: The mobile incident response playbook
NowSecure
 
Netwatcher Credit Union Tech Talk
NetWatcher
 
It's not about you: Mobile security in 2016
NowSecure
 
How to scale mobile application security testing
NowSecure
 
PROGRAMMING AND CYBER SECURITY
Sylvain Martinez
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
centralohioissa
 
5 Mobile App Security MUST-DOs in 2018
NowSecure
 

What's hot (20)

PPTX
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Eric Vanderburg
 
PDF
Tomorrow Starts Here - Security Everywhere
Cisco Canada
 
PPTX
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
PDF
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Go Global
 
PPTX
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Eric Vanderburg
 
PPTX
Cyber Resilency VANCOUVER, BC Nov 2017
Kevin Murphy
 
PPTX
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
PPTX
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Skycure
 
PDF
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Cyren, Inc
 
PDF
Webinar: Cloud-Based Web Security as First/Last Line of Defense
Cyren, Inc
 
PDF
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 
PPTX
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
EnergySec
 
PPTX
A Day in the Life of a GDPR Breach
Splunk
 
PPTX
HOW TO PREPARE FOR AND RESPOND TO A RANDSOMWARE ATTACK [Webinar]
Stanton Viaduc
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PPTX
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
PPTX
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
NUS-ISS
 
PPTX
2015 ISA Calgary Show: IACS Cyber Incident Preparation
Cimation
 
PDF
OFFENSIVE IDS
Sylvain Martinez
 
PDF
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Eric Vanderburg
 
Tomorrow Starts Here - Security Everywhere
Cisco Canada
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Go Global
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
Eric Vanderburg
 
Cyber Resilency VANCOUVER, BC Nov 2017
Kevin Murphy
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
Mobile Security: 2016 Wrap-Up and 2017 Predictions
Skycure
 
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report
Cyren, Inc
 
Webinar: Cloud-Based Web Security as First/Last Line of Defense
Cyren, Inc
 
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
EnergySec
 
A Day in the Life of a GDPR Breach
Splunk
 
HOW TO PREPARE FOR AND RESPOND TO A RANDSOMWARE ATTACK [Webinar]
Stanton Viaduc
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
NUS-ISS
 
2015 ISA Calgary Show: IACS Cyber Incident Preparation
Cimation
 
OFFENSIVE IDS
Sylvain Martinez
 
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
Ad

Viewers also liked (20)

PDF
Industrial Cybersecurity & SCADA hacks presentation
Gavin Davey
 
PDF
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
AVEVA
 
PDF
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Shawn Tuma
 
PPTX
InduSoft Speaks at Houston Infragard on February 17, 2015
AVEVA
 
PPTX
chile-2015 (2)
Massimiliano Falcinelli
 
PPT
Economics Of Networks - Rod Beckstrom, National Cybersecurity Center, Departm...
RodBeckstrom
 
PPTX
Cybersecurity Law and Risk Management
Keelan Stewart
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PDF
Cybersecurity in the Boardroom
Marko Suswanto
 
PDF
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
PDF
Cybersecurity
Ben Liu
 
PDF
Guia extraescolares 17-18
Educo Servicios y Proyectos Educativos
 
PPTX
Mau ghe nail 2017 dep gia re bao hanh 5 nam
Noithat_hcm
 
PPTX
Ecosistemas eii
26844369
 
PDF
Business is a game & the best team wins
Growthwise
 
PDF
Laboratorio di Internazionalizzazione d’Impresa
Octagona Srl
 
PPTX
3Com 10/100BASE-TX
savomir
 
DOCX
Boletim 2017
Jorge Efrahim Magalhaes Berto
 
DOCX
La evolución
nicolas triviño velandia
 
PDF
Tech talent hunting
Thibault Genaitay
 
Industrial Cybersecurity & SCADA hacks presentation
Gavin Davey
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
AVEVA
 
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Shawn Tuma
 
InduSoft Speaks at Houston Infragard on February 17, 2015
AVEVA
 
chile-2015 (2)
Massimiliano Falcinelli
 
Economics Of Networks - Rod Beckstrom, National Cybersecurity Center, Departm...
RodBeckstrom
 
Cybersecurity Law and Risk Management
Keelan Stewart
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Cybersecurity in the Boardroom
Marko Suswanto
 
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
Cybersecurity
Ben Liu
 
Guia extraescolares 17-18
Educo Servicios y Proyectos Educativos
 
Mau ghe nail 2017 dep gia re bao hanh 5 nam
Noithat_hcm
 
Ecosistemas eii
26844369
 
Business is a game & the best team wins
Growthwise
 
Laboratorio di Internazionalizzazione d’Impresa
Octagona Srl
 
3Com 10/100BASE-TX
savomir
 
Boletim 2017
Jorge Efrahim Magalhaes Berto
 
La evolución
nicolas triviño velandia
 
Tech talent hunting
Thibault Genaitay
 
Ad

Similar to Cybersecurity Fundamentals for Bar Associations (20)

PPT
Guard Era Security Overview Preso (Draft)
GuardEra Access Solutions, Inc.
 
PDF
Fall2015SecurityShow
Adam Heller
 
PPTX
CyberCare Pro - Cybersecurity for SME's updated.pptx
margueritemcleod1
 
PDF
Introduction to information security
Harish Jangid
 
PPTX
2024 Security Outlook & Essential Security Practices
Dan Houser
 
PPTX
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
PPTX
Internet safety and you
Art Ocain
 
PPTX
Private Data and Prying Eyes
Ellie Sherven
 
PPTX
Application Security: What do we need to know?
Jose L. Quiñones-Borrero
 
PDF
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
PDF
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
PPTX
A6 pragmatic journey into cyber security
Jorge Sebastiao
 
PPTX
Basic Security Training for End Users
Community IT Innovators
 
PPTX
Unveiling the dark web. The importance of your cybersecurity posture
Lourdes Paloma Gimenez
 
PPTX
attack vectors by chimwemwe.pptx
JenetSilence
 
PDF
Small Business Quick Wins Guide
Jacob Ford
 
PDF
Scot Secure 2019 Edinburgh (Day 2)
Ray Bugg
 
PDF
Security & Compliance for Startups
Symosis Security (Previously C-Level Security)
 
PPTX
Can your company survive a modern day cyber attack?
Symptai Consulting Limited
 
PDF
Rogers eBook Security
Rogers Communications
 
Guard Era Security Overview Preso (Draft)
GuardEra Access Solutions, Inc.
 
Fall2015SecurityShow
Adam Heller
 
CyberCare Pro - Cybersecurity for SME's updated.pptx
margueritemcleod1
 
Introduction to information security
Harish Jangid
 
2024 Security Outlook & Essential Security Practices
Dan Houser
 
Assessing Your security
Legal Services National Technology Assistance Project (LSNTAP)
 
Internet safety and you
Art Ocain
 
Private Data and Prying Eyes
Ellie Sherven
 
Application Security: What do we need to know?
Jose L. Quiñones-Borrero
 
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
A6 pragmatic journey into cyber security
Jorge Sebastiao
 
Basic Security Training for End Users
Community IT Innovators
 
Unveiling the dark web. The importance of your cybersecurity posture
Lourdes Paloma Gimenez
 
attack vectors by chimwemwe.pptx
JenetSilence
 
Small Business Quick Wins Guide
Jacob Ford
 
Scot Secure 2019 Edinburgh (Day 2)
Ray Bugg
 
Security & Compliance for Startups
Symosis Security (Previously C-Level Security)
 
Can your company survive a modern day cyber attack?
Symptai Consulting Limited
 
Rogers eBook Security
Rogers Communications
 

More from NowSecure (20)

PDF
iOS recon with Radare2
NowSecure
 
PDF
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
NowSecure
 
PDF
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
PDF
Debunking the Top 5 Myths About Mobile AppSec
NowSecure
 
PDF
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
NowSecure
 
PDF
Building a Mobile App Pen Testing Blueprint
NowSecure
 
PDF
Mobile App Security Predictions 2019
NowSecure
 
PDF
Jeff's Journey: Best Practices for Securing Mobile App DevOps
NowSecure
 
PDF
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
PDF
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
PDF
Android P Security Updates: What You Need to Know
NowSecure
 
PDF
iOS 12 Preview - What You Need To Know
NowSecure
 
PDF
5 Tips for Agile Mobile App Security Testing
NowSecure
 
PDF
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
PDF
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
NowSecure
 
PDF
What attackers know about your mobile apps that you don’t: Banking & FinTech
NowSecure
 
PDF
Solving for Compliance: Mobile app security for banking and financial services
NowSecure
 
PDF
Leaky Mobile Apps: What You Need to Know
NowSecure
 
PDF
Vetting Mobile Apps for Corporate Use: Security Essentials
NowSecure
 
PDF
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure
 
iOS recon with Radare2
NowSecure
 
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
NowSecure
 
Android Q & iOS 13 Privacy Enhancements
NowSecure
 
Debunking the Top 5 Myths About Mobile AppSec
NowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
NowSecure
 
Building a Mobile App Pen Testing Blueprint
NowSecure
 
Mobile App Security Predictions 2019
NowSecure
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
NowSecure
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
A Risk-Based Mobile App Security Testing Strategy
NowSecure
 
Android P Security Updates: What You Need to Know
NowSecure
 
iOS 12 Preview - What You Need To Know
NowSecure
 
5 Tips for Agile Mobile App Security Testing
NowSecure
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
NowSecure
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
NowSecure
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
NowSecure
 
Solving for Compliance: Mobile app security for banking and financial services
NowSecure
 
Leaky Mobile Apps: What You Need to Know
NowSecure
 
Vetting Mobile Apps for Corporate Use: Security Essentials
NowSecure
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure
 

Recently uploaded (20)

PPTX
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
PPTX
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
PPTX
Behavioural_Approach_Public_Administration_Zambia_USA.pptx
innocentkamfwa250820
 
PDF
SUMMARY CASES-42-47.pdf tax -1 257++/ hsknsnd
ibrahimnorlainie
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PDF
Analysis Childrens act Kenya for the year 2022
ssuserbc32b91
 
PPTX
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
PDF
NRL_Legal Regulation of Forests and Wildlife.pdf
yuvanaaramachandran
 
PPT
looking_into_the_crystal_ball - Merger Control .ppt
williamawulff
 
PPTX
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PPTX
Punjab Fertilizers Control Act 2025.pptx
Abrar Ahmad
 
PPTX
Income under income Tax Act..pptx Introduction
Vaishali Sharma
 
PDF
Vinayaka Mission Law School Courses and Infrastructure.pdf
monash2629
 
PPTX
Peter Maatouk Is Redefining What It Means To Be A Local Lawyer Who Truly List...
Maatouks Law Group
 
PPTX
Financial Rehabilitation and Insolvency Act
JuliusMila
 
PDF
8-14-25 Examiner Report from NJ Bankruptcy (Heller)
skysthelimitcolor
 
PPTX
Sexual Harassment Prevention training class
lmy1103
 
PDF
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
Vidhikarya Legal Services LLP
 
PPTX
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
Behavioural_Approach_Public_Administration_Zambia_USA.pptx
innocentkamfwa250820
 
SUMMARY CASES-42-47.pdf tax -1 257++/ hsknsnd
ibrahimnorlainie
 
Understanding the Impact of the Cyber Act
dhanesh96
 
Analysis Childrens act Kenya for the year 2022
ssuserbc32b91
 
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
NRL_Legal Regulation of Forests and Wildlife.pdf
yuvanaaramachandran
 
looking_into_the_crystal_ball - Merger Control .ppt
williamawulff
 
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
Understanding the Impact of the Cyber Act
dhanesh96
 
Punjab Fertilizers Control Act 2025.pptx
Abrar Ahmad
 
Income under income Tax Act..pptx Introduction
Vaishali Sharma
 
Vinayaka Mission Law School Courses and Infrastructure.pdf
monash2629
 
Peter Maatouk Is Redefining What It Means To Be A Local Lawyer Who Truly List...
Maatouks Law Group
 
Financial Rehabilitation and Insolvency Act
JuliusMila
 
8-14-25 Examiner Report from NJ Bankruptcy (Heller)
skysthelimitcolor
 
Sexual Harassment Prevention training class
lmy1103
 
The AI & LegalTech Surge Reshaping the Indian Legal Landscape
Vidhikarya Legal Services LLP
 
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 

Cybersecurity Fundamentals for Bar Associations

  • 1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Cybersecurity Fundamentals for Bar Associations
  • 2. Andrew Hoog CEO and Co-founder of NowSecure © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Computer scientist & mobile security researcher ● Author of three mobile security books ● Enjoyer of science fiction, running and red wine © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
  • 3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● Why invest in cybersecurity? ● Assets-based risk assessment ● Common attacks vectors ● Frameworks / Best Practices
  • 4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Why invest in cybersecurity?
  • 5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Model Rules of Professional Conduct 1.6: Confidentiality of Information (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
  • 6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Your job? Your bonus?
  • 7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Anyone heard of the Panama papers? The Panama Papers are: 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities.
  • 8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Regulation
  • 9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. FTC v. Wyndham “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.” Circuit Judge Thomas Ambro, United States Court of Appeals for the Third District
  • 10. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. FTC v. Wyndhan FTC has authority to bring data security cases Apple App Store and Google Play store require privacy policies Failure to invest in security of those apps (i.e., “do what you say”) puts you at risk
  • 11. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Information Security - It’s a process, yo! Information Security Management System (ISMS) is not a computer system but an organizational policy and program to implement and manage information security. A major component of this is executive accountability for information security, making clear the responsibility overall and also "ownership" of specific systems/data.
  • 12. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Asset-based risk assessment
  • 13. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Assets of value Things I heard you value ● Member database ● Credit cards ● PII ● Anything related to cases ● … Things attackers may also value
  • 14. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Assets of value Things I heard you value ● Member database ● Credit cards ● PII ● Anything related to cases ● … Things attackers may also value ● Network (DDoS) ● CPU (bitcoin mining, wheeee!) ● Your identity ● Making a point (political / philosophical agendas) ● Bragging rights
  • 15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. I think of vulnerabilities in three buckets Unknown / No fix Best practices Very little anyone can do here See router example (vulnerable cable modem) Tactics: implement best practices and try to limit what attackers can access This is the area to focus most energy 80/20 rule in play here, meaning a reasonable amount of effort will address 80% of your risk. The remaining 20% is precipitously expensive and difficult to address. Targeted attacks Can’t defend against Attacker will ultimately succeed Tactics: implement best practices and try to limit what attackers can access
  • 16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Compromised router
  • 17. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. It all began on Saturday, February 13 ● Certificate error ● Examined the details ● Determined there was an issue Documented the issue Contacted corporate security team ● Attempted to re-create on iPad, other iOS devices, laptop, desktop © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
  • 18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Info gathering and identification Symptoms ● Gmail app wouldn’t sync ● Wi-Fi certificate errors ● Analyzed certificate Hosted in shared environment ● Istanbul ● Both used self-signed HTTPS certificate ● Issued by: ssl@servers.carsimedya.com © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
  • 19. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Continuing investigation Suspicious DNS entries ● Queried IP address - resolved to a server in Germany ● Same DNS as carsimedya.com ● Social media and SEO related ● Investigated router configuration Theories ● Targeted attack ● Mass router compromise (using known or zero-day vulnerability) © Copyright NowSecure 2016, Inc. All Rights Reserved. Proprietary Information.
  • 20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Common attack vectors
  • 21. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Common Attacks 1. Vulnerable software (and firmware) 2. Phishing attacks, email most common but can also be SMS 3. Ransomware - (typically phishing + vulnerable software) 4. Webserver 5. Social engineering 6. Physical With scary cyber criminal image
  • 22. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Local ABA Webserver
  • 23. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Web Server Info Scan took 1.5 seconds - IIS 7.5 was released in 2009!
  • 24. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. IIS 7.5 Known Vulnerabilities
  • 25. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. .NET Framework 4.0 Know Vulnerabilities
  • 26. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Ideas on how the Panama papers leaked? Does anyone want to conjecture on how the Panama papers were leaked? The Panama Papers are: 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities.
  • 27. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Frameworks / Best Practices
  • 28. NIST Cybersecurity Framework Check it out: https://www.nist.gov/cyberframework
  • 29. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Five practical info sec tips for non-security firms
  • 30. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones ....
  • 31. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Auth Change default passwords! Use a password manager. Two Factor Auth
  • 32. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Auth Change default passwords! Use a password manager. Two Factor Auth Segment Install a firewall Consider segmenting sensitive servers from computers, mobile and IoT devices and guest Wi-Fi
  • 33. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Auth Segment Install a firewall Consider segmenting sensitive servers from computers, mobile and IoT devices and guest Wi-Fi Encrypt Encrypt data at test Servers Laptops Mobile Devices This is only effective in some scenarios Routers Firewalls Wi-Fi Access Points Servers Computer Laptops Mobile phones .... Change default passwords! Use a password manager. Two Factor Auth
  • 34. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 2 3 4 5 Patch Auth Segment Encrypt Outsource Security is hard so outsourcing makes sense in many situations Primary upside is using large SaaS providers for key systems like email Audit your mobile apps against the framework Set internal requirements for mobile app security Teach developers how to code in compliance with the framework, and teach security auditors how to test apps against it Document framework, education materials, and assessments (i.e., reports), and make sure it’s all organized and accessible
  • 35. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Security needs to be user friendly or people will circumvent it Executives must lead by example and take responsibility for security Needs to become part of your DNS Assets are valuable, vulnerabilities are everywhere. Attackers have an asymmetric advantage Information Security is org policy and program
  • 36. Don’t Panic Andrew Hoog CEO / Co-founder, NowSecure ahoog@nowsecure.com 312-878-1100, x4242 Twitter: @ahoog42 nowsecure.com