Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Legal risk moved to 4th biggest cloud security concern!

Posted in IT Industry

A recent survey of 2,200 Information Security Community professionals indicated that concerns “about legal and regulatory compliance have seen the biggest gain, moving from the number 7 spot (24%) to number 4 (39%)” and that 49% believed that “one of the major barriers to cloud adoption is the fear of data loss and leakage.” The Cloud Security 2016 Spotlight Report survey was conducted in March and April 2016 and also found that 52% “believe that cloud apps are as secure or more secure than on-premises applications.”

Based on the Report, DarkReading identified these “5 Reasons Enterprises Still Worry About Cloud Security”:

  1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up
  2. IT still feels like they don’t have the proper tools to secure the cloud
  3. Storing and accessing data in the cloud could be a lawsuit waiting to happen
  4. Lack of visibility and the fear of letting go
  5. Security is still an afterthought, or not a thought at all

Cloud security will continue to be a top legal issue, and will probably move up from number 4.

13 critical questions about Service Level Agreements (SLAs) to ask your cloud provider

Posted in IT Industry

All cloud customers should ask their cloud providers critical questions about the SLAs which describe the performance standards they think they are signing up for. However, customers may want to reconsider which cloud provider they should use if the cloud provider doesn’t give good answers to these SLA questions offered by Jamie Tischart (Intel’s CTO to the Cloud/SaaS (Security as a Service)).

Here are the 13 questions in DarkReading’s article entitled “Cloud SLAs: What Everyone Should Know”:

  1. Do you publish SLAs, and how are these documents accessed?
  2. If you do not publish SLAs, do you publish service level objectives (SLOs)?
  3. How do your SLA targets differ from your competitors? You may be surprised that SLAs do not vary that much.
  4. Why were your SLA targets chosen? Targets are often defined competitively or based on the best or worst capability of the underlying products.
  5. How often have you violated your SLAs in the last three months, six months, 12 months?
  6. Do you publish your SLA results openly? How frequently?
  7. Which SLA metrics do you fail at most often, even if it has no impact on your customers?
  8. How often do you increase or decrease your SLA targets, and what has the trend been? Any reduction or removal of a target may mean scalability challenges.
  9. What SLA metrics have been removed in the last 12 months?
  10. How often do you test your own SLAs? You really want to hear that the metrics are continuously tested.
  11. How are SLA claims validated? How am I compensated for an SLA violation? Your provider should be doing the work here, not requiring you to prove a failure.
  12. Do I receive detailed incident response information? This is necessary to fully inform your organization or customers of the problem and the solution. Never waste a failure; make sure your provider is identifying the root cause and resolving it.
  13. Do you use any third parties to monitor your SLAs? This can provide additional validation of the seriousness of SLA measurement.

Customers had better know what to expect from the SLAs, because the performance of the SLAs can make or break a successful cloud system.

IT administrator with ‘keys to the kingdom’ indicted for hacking former employer

Posted in Cyber, eCommerce, Internet Privacy, IT Industry

With a trial set for June 28, 2016 and a possible sentence of 20 years in prison for hacking, the US Attorney commented about the indictment that “IT administrators often hold the ‘keys to the kingdom’ for companies, … Disgruntled IT administrators can therefore pose a grave threat to businesses, which must take measures to protect themselves when letting such an employee go.” On May 6, 2016 Nikishna Polequaptewa pled not guilty in federal court to one count of unauthorized impairment of a protected computer. The FBI reported comments about the case against Mr. Polequaptewa:

A former Garden Grove resident pleaded not guilty this afternoon to federal charges of hacking into the computer system of Blue Stone Strategy Group – an Irvine-based company and the man’s former employer – and deleting files.

According to the indictment, Blue Stone provided consulting services to Native American tribal governments throughout the United States. Polequaptewa was responsible for information technology at Blue Stone until November 2014, when he was relieved of his duties, which led to his resignation. Immediately following his resignation, Polequaptewa repeatedly accessed the Blue Stone internal server, a desktop computer, and remote accounts held by Blue Stone, and allegedly deleted various files belonging to the company.

All IT administrators may be impacted by this case, but only time will tell.

Apple & Google are among 8 mobile device companies the FTC ordered to disclose security update practices

Posted in eCommerce, Internet Privacy

The Federal Trade Commission (FTC) “is seeking to compile data concerning policies, procedures, and practices for providing security updates to mobile devices offered by unnamed persons, partnerships, corporations, or others in the United States.”  The May 6, 2016 FTC Order requested that “Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.” provide the following:

  • the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
  • detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
  • the vulnerabilities that have affected those devices; and
  • whether and when the company patched such vulnerabilities.

Section 3i, Security Update Processes, in the Order also includes a requirement about software licensing, including the following:

i. Licensing terms or other contractual obligations that require the device manufacturer or any other entities to develop, test, or deploy security updates;

ii. Communication of vulnerability information to device manufacturers or other entities involved in the development, testing, or deployment of security updates;

iii. Development support (e.g., software code, instructions, or other information or material) the Company provides for the development, testing, or deployment of security updates; and

iv. Any other assistance the Company provides to address security vulnerabilities in such device software.

After the FTC gets this information it will be interesting to see what happens next.

Employee Training about phishing is critical since only 3% of phishing targets alert management!

Posted in Cyber, eCommerce

Is there any doubt that training employees about phishing would help reduce the malware damage? Of course there’s also no surprise in a recent Verizon report which indicated that 89% of phishing attacks were sent by organized crime and only 9% by state-affiliated actors. Verizon’s 2016 Data Breach Investigations Report included the following Recommended Controls:

Filter it! Filter it real good!  –“An ounce of prevention is worth a pound of cure.” It was good advice when Ben said it and so it remains. The first opportunity to defend against email-borne threats is (thankfully) before a human can interact with it. Email filtering is your buddy in this fight and you need to have an understanding of your current solution, and test its implementation.

Talk amongst yourselves (I’m verklempt)!  –Provide employees with awareness training and information so they can tell if there is something ‘phishy’ (couldn’t resist) going on. Also, provide them with a means for reporting these events. We recommend a button on their taskbar, but whatever works for you.

One click does not a catastrophe make.  –So, it snuck past your email filters and someone went clicky-clicky. There is still ample opportunity to limit the impact. Assuming the organization’s “seekrit stuff” isn’t resident on the initial foothold, make it hard to pivot from the user device to other assets in the organization. Protect the rest of your network from compromised desktops and laptops by segmenting the network and implementing strong authentication between the user networks and anything of importance. Static passwords are adorable, but sophisticated attackers don’t just bypass them, they utilize them to advance their attack.

Keep your eye on the ball. –You increase your chances of catching signs that you have fallen victim to a phishing attack if you monitor outbound traffic for suspicious connections and potential exfiltration of data to remote hosts.

Training, training, training is essential to reduce phishing damage!

Email Privacy Act passes the House, but the proposed Act does not require notice of warrants

Posted in eCommerce, Internet Privacy

The Electronic Communications Privacy Act (ECPA) of 1986 was created to deal with telephone records, not email, so the new proposed Email Privacy Act clarifies what email is, but it did not change the ECPA much since it “does not require authorities to notify users that a warrant has been obtained to review their electronic communications.” Also, the Email Privacy Act does require search warrants to review electronic communications older than 180 days, which was not in the ECPA. As well, InformationWeek pointed out:

The Email Privacy Act also makes a distinction between commercial public content, such as advertisements, and content sent to an individual or select group, such as email.

In the meantime, to get a different perspective on the ECPA and the Email Privacy Act, you might want to check out my April 18, 2016 blog “Are US Privacy Laws Unconstitutional? We’ll find out in Microsoft’s new suit against the US Government!”

Even though the Email Privacy Act passed the House unanimously, there is no way to predict exactly what the Senate may do.

FBI says only 20% of private sector reports cyberintrusions!

Posted in Cyber, eCommerce

20+ years ago, before the Internet and Social Media, the conventional wisdom was that only 10% of businesses would report computer crimes. However, since cyberintrusions against Sony, Target, and other high visibility companies are daily headline news, one would think the increase was much more than only 20%. But FBI Director James Comey commented in a recent speech at the “Georgetown University International Conference on Cyber Engagement”:

According to a recent study, about 20 percent of those in the private sector in the United States who had suffered computer intrusions, actually turned to law enforcement. That means 80 percent of the victims in this country are not talking to us. We have to get to a place where it becomes routine for there to be an exchange—an appropriate, lawful exchange of information between those victims and government. First and foremost because we need that information to figure out who’s behind the attack.

He also pointed out that “the nation-states like China, Russia, Iran, and North Korea, and multi-national cyber syndicates—we’ve seen a significant increase in the size and sophistication of those who are looking to steal information simply to sell it to the highest bidder.” And of the multi-national cyber syndicates Director Comey pointed out:

Terrorists have become highly proficient at using the Internet to sell their message and to recruit and plan for attacks. They’re quite literally buzzing in the pockets of people to try and make them followers all around the world. There’s no doubt that terrorists aspire to use the Internet to engage in computer intrusions to get to our systems for all kinds of bad reasons, but we don’t see them there yet. Because the logic of terrorism and the Internet is what it is, that’s a threat we constantly worry about.

Clearly all businesses are at risk since everything is plugged into the Internet, so reporting cyberintrusions is essential so that the cybercriminals can be found!

Apparently Yelp lost in its attempt to stop astroturfers!

Posted in eCommerce

In March 2015 I blogged about a Yelp lawsuit against alleged astroturfers, and in March 2016 the parties settled the case, but since the defendants continue to operate Revleap it would seem that Yelp lost its case. My blog “Do You Still Rely on Yelp Reviews After Hearing that Yelp Sues Astroturfers?” provides the details about the suit:

Yelp’s lawsuit alleges a breach of the ToS (Terms of Service) by the defendants who “try to game the system and undermine that trust, by building businesses based on fraudulent reviews…” in addition to the more obvious trademark violations. 

Since the lawsuit was settled in November 2015, we don’t know the settlement terms, which are confidential. And the Stipulation the parties filed on March 22, 2016 merely says:

The Parties to the above-captioned action HEREBY STIPULATE, by and through their counsel of record, that the action shall be, and is hereby, dismissed pursuant to Federal Rules of Civil Procedure Rule 41(a)(1), consistent with the Parties’ Settlement Agreement.

All in all, not much has changed since the lawsuit was filed, as Yelp’s Terms of Service are still from November 27, 2012 (which is about 623 Internet years ago) and the defendants continue their Internet operations!

GUEST BLOG: Small Texas Law Firm Used in International Cyberattack

Posted in Cyber, eCommerce

My Guest Blogger John Ansbach is General Counsel of General Datatech, L.P. (“GDT”). John is a seasoned attorney with a broad range of experience developed over more than 18 years of practicing law, including as a corporate generalist. His background includes experience in contracts; cyberlaw; intellectual property; real estate; human resources; corporate governance; regulatory and compliance; and litigation. He’s also developed experience as a legislative advocate and technologist, advocating for GDT and its industry partners in areas relating to cloud and cybersecurity, the Internet of Things (IoT), tax policy and patent reform.

SMALL TEXAS LAW FIRM USED IN INTERNATIONAL CYBERATTACK

April 22, 2016

It started a couple of days ago. The folks at the James Shelton law firm in Clarendon, Texas, about 60 miles east of Amarillo, began receiving calls. Thousands of calls from all over the place, including Canada and the U.K.

According to what’s known so far, cybercriminals apparently gained access to and used a law firm email account to email an unknown number of recipients with the subject “lawsuit subpoena.” The subject is company specific, and it asks if the “legal department” has received it yet. The email says the matter is, of course, “urgent,” and it includes a Word document attachment.

Actual email used in the cyberattack, intended to deceive recipients into clicking the attachment and downloading a malware infected payload.

In fact, the email (one was sent to our company here in Dallas) contains malware that is, according to sources, “a variant of Dridex… [It is a] virus [that] relies on macros in MS Office to propagate.”  “Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.” (emphasis added) (Source: Webopedia).

The law firm’s website now displays a warning banner about the cyberattack.

I spoke with Jim Shelton in Clarendon late this afternoon, who confirmed the attack. Working with his provider, they have disabled the email account and placed a bright red warning banner on their website directing folks “not to click any links or download any attachments.” Jim told me he was also contacted by the State Bar of Texas, which had received calls about the email.

This attack is a serious one with the potential to cause significant damage and harm to folks who receive it and the companies they work for. If you or anyone you know receives an email like the one posted above, please do not open it and do not click on any attachments. Please do pass along word of this attack so that others might be made aware of and avoid it at all costs.

GUEST BLOG: Cybersecurity Compliance Just Got Tougher

Posted in Cyber

My Guest Blogger Nick Akerman learned about Cybercrime as a federal prosecutor, where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental crimes and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski. Dan Goldberger is Nick’s partner at Dorsey.

Companies need specific, well-executed plans to meet growing demands of federal and state agencies.

By: Nick Akerman and Dan Goldberger

While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.

With this shift in emphasis, companies are asking the obvious questions:  “What are we expected to do and what is a proactive cybersecurity compliance program?”

Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection.   Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further  assess cybersecurity preparedness in the securities industry.”  Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”

In January, the Financial Industry Regulatory Authority announced that in reviewing a securities firm’s approaches to cybersecurity risk management its examinations may include “governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training.”  On the state level, Massachusetts is the only state thus far to require all businesses that store personal data of its residents to secure that data through a compliance program modeled after the federal sentencing guidelines.

The framework under the federal sentencing guidelines is the gold standard for an effective compliance program. Having expanded well beyond its original goal of detecting and preventing criminal activities, it is fast becoming the corporate framework to protect data. These guidelines establish seven steps for companies to follow: first, promulgate standards and procedures; second, establish high-level corporate oversight, including the board of directors, that must provide adequate funding of the program in proportion to the size of the company and the risk; third, place responsibility with individuals who do not pose a risk for unethical behavior; fourth, communicate the program to the entire workforce; fifth, conduct periodic audits of the effectiveness of the program; sixth, consistently enforce the policies; seventh, establish mechanisms for reporting violations.

COLLABORATION IS CRITICAL

Because a compliance program must be tailored to an organization’s culture, it is critical to its success that all data-protection stakeholders collaborate in its creation and daily operation.  This means that data compliance is not just an issue for information-technology security.  Other stakeholders include human resources and legal, which are responsible for company rules, employee agreements and training,  and may assist in responding to company data breaches; risk management, which may determine, along with legal, the adequacy of the company’s cyber insurance; and compliance, which is often the logical focus of the company’s data protection efforts.

Stakeholders in turn should focus on six areas of risk when developing a company-specific compliance program to minimize the risks posed by each area.

First, hiring is the time to explain to new employees the rules in place to protect the company’s data.  Additionally, companies must approach hiring defensively, ensuring new employees do not bring into the workplace data that belongs to a competitor that  can result in civil or criminal liability.

Second, company rules and policies should spell out what  employees can and cannot do with the company network and form the  foundation of top-to-bottom workforce training.  At least one court has recognized that such “explicit policies are nothing but security measures employers may implement to prevent individuals from doing things in an improper manner on the employer’s computer systems.”  (American Furukawa v. Hossain).

Third, agreements with employees and other third parties are a key component of data protection.  Employee agreements are an opportunity to reinforce the lack of an expectation of privacy in using company computers and define the scope of authorized  access.  When company data is outsourced to a cloud provider, agreements formalize the responsibilities of that third party to protect the company’s data.

Fourth, technology can be employed not only to secure data but to define who is authorized to access what portion of the network and provide admissible evidence of a breach.  Information-technology security, working with legal, can prepare mechanisms to capture audit trails in the network that can be used to identify the source and scope of a breach.

Fifth, effective termination procedures are critical. This is when insiders are most likely to steal company data to use at their next job. This is also the last opportunity to remind departing employees of their post-employment obligations to maintain the secrecy of company data, to return all company data, and for the company to inventory the data returned.

Finally, if a breach occurs, it is important to have protocols in place to quickly determine the scope of the breach and the appropriate response.  Companies must therefore have in place an overarching plan to investigate suspected  breaches and to mobilize internal and external resources.

For a data-compliance program to work consistently, it must be a collaborative effort among all stakeholders and comprehensively focus on mitigating the risks to the company’s data from multiple and unexpected sources.