High Tech PR for Law Firms

Posted by Mike Emerton on Tue, Feb 10, 2015 @ 08:02 AM

Many companies looking for High Tech PR are concerned with an agency's ability to scale their offerings to vertical publications.  Here is an example of how Bridgeview Marketing is able to translate complex technology terms.

 

Social Networking or Social Melee?

Today, most individuals are carrying more technology in their pockets than it took to send Alan Shepard, Jr. to space on May 5, 1961. Connecting these high-powered pocket computers are immense broadband pipes capable of speeds of 1.4 terabits per second – enough to send 44 uncompressed HD films per second, according to Alcatel-Lucent and BT test results reported by the BBC. Combining these two elements enables users to put an astounding amount of personal information out for public consumption very quickly:

  • 500,000,000 Tweets per day (Source: Official Twitter Blog, Aug. 16, 2013)

  • Facebook stores more than 300 petabytes (Source: Facebook company stats, Nov. 7, 2013)

  • Over 6 billion hours of video are watched each month on YouTube, with over 40% of YouTube’s watch time coming from mobile devices. (Source: YouTube Press Stats)

Although entertaining, all this personal information is a virtual goldmine for hackers seeking to conduct social engineering attacks and steal vital information from law firms. Why law firm data?  Because it contains a wealth of financial information. Consider a separation agreement drafted by family lawyers. Hackers know that the weakest link in any IT security resides with the human element and will prey upon individuals caught off guard by a familiar approach.  

Precedent has been set: law firms both large and small have been targeted by hackers for some time. In fact, on November 1, 2009, the FBI issued an advisory warning to law firms that they were specifically being targeted by hackers.

Shane Sims, a security practice director at PricewaterhouseCoopers, has said, “Absolutely we’ve seen targeted attacks against law firms in the last 12 to 24 months because hackers, including state sponsors, are realizing there’s economic intelligence in those networks especially related to business deals, mergers and acquisitions.”

Law firms need to be aware that their clients are using social media as a vehicle to distribute information that the firms may have helped create and that is now stored on their servers. On April 2, 2013, the Securities and Exchange Commission (“SEC”) issued a report confirming that companies can use social media, such as Facebook and Twitter, to make company announcements in compliance with Regulation Fair Disclosure (Regulation FD) as long as investors are alerted as to which social media outlet is being used by the company. The report was issued following an investigation into a Facebook posting made by Reed Hastings, CEO of Netflix. In the report, the SEC stated that previously published guidance on the use of company websites was applicable to the use of social media. Accordingly, a review of the SEC guidance on the use of company websites is in order.

Let’s face it, it’s common to wake up in the morning and read about yet another huge data breach, such as those at Home Depot and JP Morgan. Home Depot confirmed a six-month breach of its payment system that affected some 53 million credit and debit cards. JP Morgan confirmed that cybercriminals had obtained customer names, addresses, phone numbers and email addresses for 76 million households. However, one of the more interesting cases may be the much-publicized breach at eBay, the online auction giant that is one of the most widely used services in the history of the Internet. What makes this interesting is that the company may be a victim of social engineering. What is social engineering?

To execute a social engineering attack, hackers troll company employee lists and target individuals with a very personalized email, constructed from a plethora of data gathered from their Facebook, Twitter and YouTube accounts. The email disarms the employee by forming instant familiarity and directs the victim to click on an embedded link. The link leads to malware that enters the network to slowly extract and export credit card numbers, passwords, social security numbers or financial-related information.

In addition, the hacker would then follow up the email with a phone call. The victim in question would already have a false sense of security because the hacker also knows the information contained in the recently sent email. The call would then be used to persuade the employee to click on the malware-filled link, which would then silently install the virus. For months, the law firm would have no idea the malicious code is syphoning vital information. In fact, it takes a typical company 229 days to discover a malware attack.

With a data breach, the attacker needs to be careful to avoid getting detected for as long as possible. The goal is to move through the network without creating an event, which would send up red flags and could get them removed from the network before the code is able to accomplish its intended task. The pattern is for hackers to attempt to penetrate a network only a few times a day until they get in. This avoids triggering a noticeable data anomaly or event that alerts an IT administrator.

So how can law firms quickly diagnose and prevent these types of breaches that can originate from a social engineering attack?

The best possible chance at preventing this type of data breach resides within a proper defense strategy. This involves the use of a variety of different tools, residing on several network layers, that can help identify and prevent breaches at various points during an intrusion attempt.

For example:

  • A host layer includes malware-specific software, file integrity management, web browser protection, and more.

  • The server layer will have its own centralized log management solution, password rotation on a regular basis and antivirus protection for all servers.

  • The network layer includes a centralized patch management solution, the ability to utilize a security scanner regularly, and a firewall with tight access controls.

  • A security layer would include deep packet forensics collection, forensics solutions for investigations, security incident event monitoring, and more.

All of these layers would be monitored 24 hours a day, seven days a week to identify intrusion attempts at various stages and to help ward off attackers at all points during the traditional intrusion processes.

However, a law firm does not have to hire a new IT security staff to address all these network layers and insulate itself from hackers. It can accomplish all the aforementioned IT security elements via the cloud. Dubbed Security as a Service, a.k.a. SaaS, this cloud-based offering puts the watchful eye of an entire IT security team on the network rather than assuming the expense of hiring trained professionals on staff. Besides, IT security staff members do not engage in billable hours.

Simple in concept, but powerful in execution, SaaS applications sift through all the granular bits of server log information to correlate data and look for anomalies. Out of potentially tens of thousands of log entries, the SaaS application is capable of narrowing down the few instances that match specific malware, botnet and other hacker traits, and sending alerts to IT staff members. IT staffers can then identify and focus on only the most important packet anomalies to quarantine infected PCs or servers. This cloud-based security process greatly reduces the time and frustration typically associated with identifying hacker activity while giving law firms the option of an on-demand security force trained in the most recent hacker codes and activities.
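The log correlation described above, applied to the "few attempts a day" pattern mentioned earlier, as an added example that is not part of the original article. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source-ip account result" (not real data).
SAMPLE_LOG = """\
2015-02-02T03:11:09 203.0.113.7 jsmith FAIL
2015-02-02T15:42:51 203.0.113.7 jsmith FAIL
2015-02-03T02:05:33 203.0.113.7 jsmith FAIL
2015-02-03T09:02:31 198.51.100.20 alee FAIL
2015-02-03T09:03:02 198.51.100.20 alee OK
2015-02-04T04:48:12 203.0.113.7 jsmith FAIL
2015-02-04T17:30:05 203.0.113.7 jsmith FAIL
2015-02-05T03:59:40 203.0.113.7 jsmith OK
"""

def parse(text):
    """Return sorted (time, source, account, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ts, src, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, user, result))
        except ValueError:  # wrong field count or unparseable timestamp
            continue
    return sorted(events)

def burst_alerts(events, limit=5, window=timedelta(minutes=10)):
    """Short-window rule: `limit` failures from one source inside `window`."""
    fails, hits = defaultdict(list), set()
    for ts, src, _, result in events:
        if result == "FAIL":
            fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
            if len(fails[src]) >= limit:
                hits.add(src)
    return hits

def slow_alerts(events, min_fails=5, min_days=3):
    """Long-window rule: failures for one source/account pair spread over days."""
    seen, alerts = defaultdict(list), {}
    for ts, src, user, result in events:
        key = (src, user)
        if result == "FAIL":
            seen[key].append(ts)
        days = len({t.date() for t in seen[key]})
        if len(seen[key]) >= min_fails and days >= min_days:
            alert = alerts.setdefault(key, {"success_after": False})
            alert.update(failures=len(seen[key]), days=days)
            alert["success_after"] |= result == "OK"  # a login followed the failures
    return alerts
```

On the sample, the short-window rule stays silent because no source ever fails five times within ten minutes, while the long-window rule flags the one source/account pair whose failures span three days and end in a successful login.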

Law firms must embrace social networks as a means of conducting business, but be vigilant in terms of engagements. Facebook, LinkedIn, and Twitter are communication tools used in the same manner as PCs and smartphones. However, in the same manner as hackers use PCs and smartphones as a conduit for their malicious code, they are also leveraging social engineering tactics as a means to establish an instant association or essence of friendship, to entice victims into clicking on an innocent-looking URL, which is really a Trojan Horse filled with a world of trouble. Legal firms need to understand their data is valuable and, most importantly, susceptible to the weakest link in the security chain – employees.



Tags: High Tech PR