
Post on 26-Oct-2020


How to manage your client’s data responsibly

Protect your clients from fraud, identity theft and leaks of confidential information

Jeremiah Cruz

jeremy@cryptoaustralia.org.au

Nick Kavadias

nick@cryptoaustralia.org.au

Gabor Szathmari

gabor@cryptoaustralia.org.au

Marbury Chambers / CryptoAUSTRALIA, 2/11/2018

Who is CryptoAUSTRALIA

• A not-for-profit started by security and privacy enthusiasts.

• We have nothing to do with Bitcoin, so please stop asking.

• We are for finding practical ways of dealing with the modern privacy and security challenges.

• We are looking for sponsors in order to continue our work and research.

• This may be a new concept to lawyers, but we are running these events for free*.

* This presentation does not constitute cybersecurity advice.

Who is Marbury Chambers

• http://marburychambers.com.au

Self Promotion..

Tonight’s speakers:

• Jeremy – Network Security Expert
• Nick – Solicitor and Technologist
• Gabor – Cybersecurity Expert

We know how to internet…

@CryptoAustralia #cryptoaus

http://chat.cryptoaustralia.org.au

https://fb.me/CryptoStraya

Interact with us in the digital world…

What we are covering tonight…

1) Phishing and BEC Fraud

2) Password Security (2FA and password reuse)

3) 100 point checks & ID verification

4) Document conversion practices

5) Secure document sharing practices

6) Data Disposal & Physical security (dos and don’ts)

7) Metadata in documents

8) What to do post-breach 🙏

Phishing and Business Email Compromise

What is BEC fraud?

Social Engineering / Spear Phishing: “I am the CFO, pay this invoice urgently”

• Display name spoofing – real name, but not the real email address
• Email address spoofing – real name and real email address, but a different Reply-To address
• Email account compromise – the real email account is broken into (credentials from a data breach, or spear phishing)

Impersonation: “Our payment details have changed, use this bank account instead”

• One of your staff’s mailboxes is compromised
• One of your vendor’s mailboxes is compromised
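The three sender tricks above leave traces in the message headers. The following is an added example for this page, not code from the CryptoAUSTRALIA slides: it reads a raw message with Python's standard `email` package and flags display-name spoofing, a Reply-To that points away from the From domain, and the payment-urgency lure. It also flags lookalike domains, which goes beyond the slide. `OUR_DOMAIN`, `EXEC_NAMES` and the four sample messages are all constructed for the demonstration.

```python
"""Flag the BEC sender tricks listed on the slide above in raw email headers.

Added example for this page, not code from the CryptoAUSTRALIA slides.
OUR_DOMAIN, EXEC_NAMES and the sample messages are constructed (assumed)
values. The lookalike-domain check goes beyond the slide's list.
"""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "examplelaw.com.au"          # assumed: the firm's own mail domain
EXEC_NAMES = {"jane smith", "john doe"}   # assumed: names a criminal would impersonate
LURE_WORDS = ("urgent", "wire", "bank account", "payment details")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no @)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 between domains usually means typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return one warning per indicator found; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    warnings = []

    # Display name spoofing: an executive's name on an address outside the firm.
    if from_name.strip().lower() in EXEC_NAMES and from_domain != OUR_DOMAIN:
        warnings.append(f"display-name spoof: '{from_name}' from {from_addr}")

    # Reply-To redirection: the visible From looks right, replies go elsewhere.
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"reply-to mismatch: From {from_addr}, Reply-To {reply_addr}")

    # Lookalike domain: one or two characters away from the real one.
    if 0 < edit_distance(from_domain, OUR_DOMAIN) <= 2:
        warnings.append(f"lookalike domain: {from_domain} vs {OUR_DOMAIN}")

    # Payment-urgency lure in the body (noisy alone, strong combined with the above).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(word in text for word in LURE_WORDS):
        warnings.append("payment-urgency language in body")
    return warnings


# Constructed sample messages (not real captures).
SAMPLE_SPOOF = """\
From: Jane Smith <jane.smith@gmail.com>
To: accounts@examplelaw.com.au
Subject: Invoice

Please pay the attached invoice urgently, I am in a meeting.
"""
SAMPLE_REPLYTO = """\
From: Jane Smith <jane.smith@examplelaw.com.au>
Reply-To: Jane Smith <jane.smith@examplelaw-mail.com>
To: accounts@examplelaw.com.au
Subject: Payment

Our payment details have changed, use this bank account instead.
"""
SAMPLE_LOOKALIKE = """\
From: Jane Smith <jane.smith@examp1elaw.com.au>
To: accounts@examplelaw.com.au
Subject: Settlement

Please wire the deposit today.
"""
SAMPLE_CLEAN = """\
From: Jane Smith <jane.smith@examplelaw.com.au>
To: accounts@examplelaw.com.au
Subject: Lunch

See you at 12.
"""

if __name__ == "__main__":
    for name, sample in [("spoof", SAMPLE_SPOOF), ("reply-to", SAMPLE_REPLYTO),
                         ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)]:
        print(name, bec_indicators(sample))
```

None of these checks replaces SPF, DKIM and DMARC on the firm's own domain; they catch the cases those controls cannot, where the sending domain is genuinely someone else's.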

How does BEC affect my practice?

• Financial loss – direct and indirect. Could be enough to put you out of business: litigation, insurance premiums, system remediation, investigation

• Notifiable Data Breach – if an email account is compromised, the incident is reportable to the OAIC. Fines?

• Reputational damage – Negative media coverage & Twitter rage

The biggest cyber security threats in 2018

• Business Email Compromise (BEC)*
• Ransomware
• Data breach
• Phishing
• Identity theft

Good security practices reduce the risk of multiple threats.

For a generic list of threat mitigations, refer to the ASD Essential 8: https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf

* A 9 billion dollar industry in 2017: https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/fbi-bec-losses-in-2017-shot-up-to-over-us-675-million

Secret: “hackers” log into your webmail

Password hygiene

• Websites get hacked.
• People reuse the same email and password across multiple online accounts. D’oh!

Haveibeenpwned

Do you have leaked passwords? https://haveibeenpwned.com/
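The Pwned Passwords part of Have I Been Pwned can be checked without sending the password (or even its full hash) anywhere: only the first five hex characters of the SHA-1 go to the service, and the match is done locally. The block below is an added example for this page, not code from the slides or from HIBP. The range endpoint URL is the real one; the range response is constructed here so the check runs offline, and its counts are made up.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example for this page (not from the slides or from HIBP). The
endpoint URL is real; FAKE_RANGES is a constructed stand-in for the network
and its counts are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix sent to HIBP, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    fetch_range(prefix) -> str is injected so the lookup can be tested offline.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def real_fetch(prefix: str) -> str:
    """Network version: plain HTTPS GET, no API key required for this endpoint."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
FAKE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E5DAA17D7C5A5F9CE2E6F1B8BC61C9F3C2:1\n"
    ),
}


def fake_fetch(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2018!!"):
        print(pw, "->", breach_count(pw, fake_fetch))
```

Swap `fake_fetch` for `real_fetch` to query the live service; the password itself never leaves the machine either way.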

Meanwhile on SpyCloud

Secret: “hackers” log into your webmail

Solution: Use Two-factor authentication

If you only do one thing to improve your cybersecurity posture, it should be to turn on 2FA for your email.

Advice evolves with threats and as criminals become more sophisticated, e.g. 2FA via SMS can be attacked with SIM swapping.

Two-factor authentication

Most powerful defence from:

• Crappy passwords (Letmein1)

• Stolen passwords (phishing)

• Leaked passwords (reuse)


Why do we have just a few passwords?

Problems:

• Too many passwords to remember
• Has my password leaked in a data breach?

Password managers solve both

Password hygiene – Wallets

Remember a single password only:

• LastPass
• 1Password
• Dashlane
• RoboForm

1Password

100 Point ID Checks

Personal Information and Verification of Identity (VOI)

100 point ID checks: VOI required by NSW conveyancing rules since 2016

• Scan-to-email devices (bonus: unencrypted traffic)
• Images stored on the copier HDD
• Documents sent/received over email
• Asking clients to email you ID for a 100 point check

DATA LEAKS EVERYWHERE!

Bad practices - VOI checks

• Don’t ask for scanned documents to be sent over email!
• Mailbox compromise → Notifiable Data Breach
• Many scan-to-email office devices are also insecure
• Rely on VOI providers instead: secure smartphone app and web portal
• https://www.dvs.gov.au/users/Pages/Identity-service-providers.aspx


Document Conversion

Manage client data responsibly: Document conversion?

• DOCX => PDF
• PDF => DOCX
• OCR?

Bad practices - Online document conversion

Online2PDF.com, freepdfconvert.com...

• They provide a convenient service to convert documents to PDF

Bad practices - Online document conversion

Online2PDF.com, freepdfconvert.com...

• Who’s behind the service?
• What happens to your documents?
• Why would you upload sensitive documents to random strangers?

Manage client data responsibly: Document conversion?

Source: https://www.itnews.com.au/news/abbyy-temporary-data-breach-exposed-200000-scanned-docs-511612

Online document conversion

Convert documents offline, e.g. with Adobe Acrobat Professional

Secure document sharing practices

Bad practices – Document sharing over email

Problem statement:

Your email file attachments and embedded download links remain in your ‘Sent’ email folder forever, waiting for a hacker to log in and download them

Bad practices – Document sharing over cloud-based file storage services

File sharing with Dropbox, OneDrive, random service:

• Download links are valid forever
• Mailbox gets hacked → links are still live

Transferring sensitive documents securely

• Send web links instead of file attachments where appropriate

• Use expiring web links

Services: Google Drive, Sync.com, Tresorit...


Transferring sensitive documents securely

• https://send.firefox.com (currently in pilot)
• Password protect
• Link expires after 1 to 20 downloads, or 24 hrs (you pick)
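What the two sharing slides above ask for (a link that stops working after a deadline or a download count, and that cannot be edited to extend either) is a signed URL. The block below is an added example for this page, not code from the slides or from any of the services named on them: the server HMACs the document id, expiry and download budget into the link, then checks the signature before trusting either value. `SERVER_SECRET`, `BASE_URL` and the document ids are assumed values, and the download counter is in-memory for the demonstration.

```python
"""Expiring, signed download links: the mechanism behind 'use expiring web links'.

Added example for this page, not code from the slides or from Firefox Send,
Google Drive, Sync.com or Tresorit. SERVER_SECRET, BASE_URL and the document
ids are assumed; DOWNLOADS is an in-memory counter for the demonstration.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_SECRET = b"assumed-secret-load-from-a-secrets-store"  # assumed value
BASE_URL = "https://files.example.com.au/d"                  # assumed value
DOWNLOADS: dict[str, int] = {}                               # demo counter, per document id


def _signature(doc_id: str, expires: int, max_downloads: int) -> str:
    """HMAC-SHA256 over every field the client could otherwise edit."""
    msg = f"{doc_id}|{expires}|{max_downloads}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_link(doc_id: str, ttl_seconds: int, max_downloads: int = 1,
              now: Optional[int] = None) -> str:
    """Issue a link valid for ttl_seconds and at most max_downloads fetches."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "max": max_downloads,
                       "sig": _signature(doc_id, expires, max_downloads)})
    return f"{BASE_URL}/{doc_id}?{query}"


def check_link(url: str, now: Optional[int] = None) -> tuple[bool, str]:
    """Validate signature, expiry and download budget; count one download on success."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        expires, max_dl, sig = int(q["exp"][0]), int(q["max"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Signature first: a tampered 'exp' or 'max' is rejected before it is used.
    if not hmac.compare_digest(sig, _signature(doc_id, expires, max_dl)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if DOWNLOADS.get(doc_id, 0) >= max_dl:
        return False, "download limit reached"
    DOWNLOADS[doc_id] = DOWNLOADS.get(doc_id, 0) + 1
    return True, doc_id


if __name__ == "__main__":
    link = make_link("contract-42", ttl_seconds=3600, max_downloads=2)
    print(link)
    for _ in range(3):
        print(check_link(link))
```

A stolen mailbox still exposes the link, but only until the earlier of the deadline and the download budget; the counter would live in a database in a real service so that it survives restarts and is shared across instances.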


Storing documents securely

Cloud file storage – Who is your adversary?

• Hackers? – Dropbox, Google Drive, OneDrive, with two-factor authentication turned on
• Government? – End-to-end encrypted service: Sync.com, Tresorit

Encrypt your disks, USB flash drives and smartphones:

• BitLocker – Windows 10 Professional
• FileVault – Mac
• Android supports disk encryption
• On iOS disk encryption is turned on by default

Data disposal

Prudent data disposal practices

Laptops, computers:

• Magnetic disks: overwrite, e.g. with DBAN (https://dban.org/)
• SSD: physical destruction
• USB flash drives: physical destruction

iPhone: factory reset

Android*:

1. Encrypt device
2. Remove storage and SIM cards
3. Factory reset
4. Remove from Google account

Phones (SD card): physical destruction

* https://www.computerworld.com/article/3243253/android/how-to-securely-erase-your-android-device-in-4-steps.html


Physical security (dos and don’ts)

• Shred documents – use a diamond-cut shredder
• Secure document disposal service – can also securely dispose of digital media for you
• Digital certificates (e.g. PEXA key): leave them unplugged when not in use; cut the built-in smart card in half to dispose of it

Metadata issues

Good document management practices

Metadata in Documents: What can go wrong?

1. Disclosure of instructions

• Comments, tracked changes

2. Identification of personnel:

• Disclosure of author or commentator who wishes to be anonymous

• Metadata from multiple authors, silent partners

What can go wrong? (cont’d)

3. Disclosure of former or existing clients

• Everyone is using templates – Recycled documents

4. Embarrassment

• Nasty comments left in the document that was supposed to be private

Recent decision where metadata was the turning point:

• Wadler v Bio-Rad Laboratories
• Sanford Wadler, general counsel – his employment was terminated for whistleblowing
• Employer claimed erratic work and workplace outbursts
• Employer introduced as evidence an unfavourable performance review (a document)
• The document’s metadata established that the performance review was created one month after the employee was terminated
• Jury awarded $8m + $5m in damages

Metadata in legal documents

Office documents

• Track changes

• Comments

• Hidden content
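Every item on the two "what can go wrong" slides, and the creation date that decided Wadler, lives in a .docx as plain XML inside a zip: `docProps/core.xml` holds creator, last-modified-by and timestamps, `word/document.xml` holds tracked insertions and deletions (`w:ins`, `w:del`) and hidden runs (`w:vanish`), and `word/comments.xml` holds comments. The block below is an added example for this page, not code from the slides or from any of the tools listed after them: it builds a small document in memory (names, dates and text are made up), reports what would leak, and blanks the authorship fields, which is the one part of the clean-up that is safe to do by rewriting the zip.

```python
"""Inspect a .docx for leaking metadata and blank the authorship fields.

Added example for this page, not from the slides or from the tools listed
on the next slide. The sample document is constructed in memory; every
name, date and piece of text in it is made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():          # keep Word's own prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)
W = "{%s}" % NS["w"]

# Constructed parts: a "review" whose timestamps and history contradict its story.
CORE_XML = (
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
    'xmlns:xsi="%(xsi)s"><dc:creator>A. Partner</dc:creator>'
    '<cp:lastModifiedBy>J. Paralegal</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2018-10-01T09:00:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-10-30T17:45:00Z</dcterms:modified>'
    '<cp:revision>14</cp:revision></cp:coreProperties>' % NS
)
DOCUMENT_XML = (
    '<w:document xmlns:w="%(w)s"><w:body><w:p><w:r><w:t>Agreed fee: </w:t></w:r>'
    '<w:del w:author="A. Partner"><w:r><w:delText>$8,000</w:delText></w:r></w:del>'
    '<w:ins w:author="J. Paralegal"><w:r><w:t>$5,000 (client pushed back)</w:t></w:r></w:ins>'
    '</w:p><w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>template: Acme Pty Ltd matter</w:t></w:r>'
    '</w:p></w:body></w:document>' % NS
)
COMMENTS_XML = (
    '<w:comments xmlns:w="%(w)s"><w:comment w:id="0" w:author="A. Partner">'
    '<w:p><w:r><w:t>Do not mention the other offer</w:t></w:r></w:p></w:comment></w:comments>' % NS
)


def build_sample_docx() -> bytes:
    """Minimal OOXML package holding just the parts the inspector reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Report authorship, timestamps, tracked changes, comments and hidden text."""
    report = {"comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:created",
                        "dcterms:modified", "cp:revision"):
                el = core.find(tag, NS)
                report[tag] = el.text if el is not None else None
        doc = ET.fromstring(z.read("word/document.xml"))
        report["tracked_changes"] = len(doc.findall(".//w:ins", NS)) + len(doc.findall(".//w:del", NS))
        report["hidden_runs"] = len(doc.findall(".//w:rPr/w:vanish", NS))
        authors = {e.get(W + "author") for e in doc.iter()}
        if "word/comments.xml" in names:
            comments = ET.fromstring(z.read("word/comments.xml")).findall("w:comment", NS)
            report["comments"] = len(comments)
            authors |= {c.get(W + "author") for c in comments}
        report["authors"] = sorted(a for a in authors if a)
    return report


def scrub_core_properties(data: bytes) -> bytes:
    """Blank creator / lastModifiedBy / revision in docProps/core.xml.

    Safe on real files: core.xml has no relationships to other parts. Comments,
    tracked changes and hidden text are left alone on purpose; accept or delete
    them in the editor, since dropping word/comments.xml by hand would also
    require fixing the .rels and [Content_Types].xml entries.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(payload)
                for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision"):
                    el = core.find(tag, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(core, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, payload)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print(inspect_docx(sample))
    print(inspect_docx(scrub_core_properties(sample)))
```

Run `inspect_docx` over a file before it leaves the practice: a non-zero `tracked_changes`, `comments` or `hidden_runs`, or an `authors` list longer than the people the client knows about, is exactly the disclosure the slides warn about.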

Removing metadata - Tooling

• Adobe’s Redact Tools

• Windows Explorer – File Properties (Details tab, “Remove Properties and Personal Information”)

• Workshare Secure - integrates with MS Exchange

• Payne Group Metadata Assistant 5.0 – Compatible with MS Office and Windows. Integrates with document management systems and email clients – thepaynegroup.com

• cleanDocs – removes metadata from Word, Excel and PDF files – docscorp.com

• BEC MetaReveal – MS Office and MS Outlook – beclegal.com

• Litera Microsystems Metadact

Removing metadata – More information

Law Society Journal – 2018 March – page 76

Helen Brown: Why it’s time to wise up about metadata

https://lawsociety.cld.bz/e/LSJ-March-2018/76

What to do when you get hacked 🙏

• Disconnect your computer from the Internet and stop using it

• Contact your MSP and have cloud account passwords reset

• Notify Lawcover - They have an incident response team

• Checklist: http://lca.lawcouncil.asn.au/lawcouncil/images/cyber/CP-What-to-Do.pdf

Summary

1) Use 2FA and don’t reuse your password

2) Use a VOI provider for identity checks

3) Share documents with expiring links

4) Dispose data securely

5) Shred documents & protect digital certificates

6) Remove metadata as appropriate

7) Notify Lawcover when the house is on fire

Where to get help

• Law Council of Australia Cyber Precedent, great learning resource

• Law Council cyber-attack checklist

• Lawcover crisis management team can help you clean up the mess.

• Victim of identity theft, you should contact IDCARE, NFP helping people

• Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!

“You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you.”

@CryptoAustralia #cryptoaus

http://chat.cryptoaustralia.org.au

https://fb.me/CryptoStraya

Get updates:https://cryptoaustralia.org.au/newsletter

Next workshop:

https://www.meetup.com/Cybersecurity-for-Lawyers-by-CryptoAUSTRALIA/
