Covid-19 cyberfraud

TL;DR: don't be a sucker.

We need to talk about Covid-19 cyberfraud.

Robert Capps wrote about how there has been a rise in cybercrime due to the pandemic. There are more phishing emails coming from the CDC or WHO, and that with employees working from home, they are getting calls that ask for various passwords and they are giving them out. For all the people who say they wouldn't do that, keep in mind that if you get a call from someone claiming to be in the IT department at your organization, you don't have the benefit of seeing whether they are who they are. They aren't coming by your desk wearing a company badge. They're a voice on the phone and you can't verify their credentials. But they're sure asking you for your credentials! 

A lot of people are predicting that work from home is here to stay. I don't think so, but I'm willing to be wrong. If it is here to stay, we need to get serious about security. You can institute all of the clean desk policies at the office that you want. You can require multi-factor authentication, and floors are monitored by security guards and accessed with keycards. A large chunk of that goes out the window the second you set people out on their own. They may be incredible workers but not understand the point of the policies. And even if they do, there's not a security guard or keycards allowing access to their homes. You have lost some of your security right off the bat. Those calls that were previously getting screened by a menu or receptionist are now being routed to your cell phone and may have lost something in the security. Your organization is weaker. Accept that's true. If you want your workers to continue to work from home, figure out what to do about it. Humans are always the weakest link and if you are running the organization and failed to properly train your staff to avoid these scams, guess which human is to blame... (hint, it's not your employees).

One other thing the article addresses that helps explain why cyberfraud is on the rise during the pandemic is that policies are constantly changing. My own personal firm which I run had to move very quickly from conducting business in the office to doing it remotely across the country. We're digitizing everything because we needed to access it from anywhere, not just a filing cabinet. One of my law clerks left to spend the pandemic with his mom in California, so he was a very different time zone than the rest of us. As we needed to make calls, it became evident that his clocking in around 5pm wasn't going to work because he couldn't make those calls. That switched. We had to have communication software and a process for assigning tasks because yelling across the office did not work anymore. That took trial and error. For my attorney that had already been struggling to bring in clients before the pandemic, he certainly had a hard time adjusting to the new changes when he already hadn't figured out the old process. We parted ways. Although it was almost certainly always headed down that path, the pandemic meant I couldn't give him any help or advice when he couldn't get with the software and had a hard time walking through it with me remotely. So it hastened it. 

All of the changes all throughout were a result of, "the world is in a red level panic, I have to either fire everyone and abandon my office or figure this out and I'm rather tenacious so I guess I have to figure it out." But that didn't mean I knew what I was doing. Nobody did. If I went back in time and told employers to get their BYOD device policies and security in order because they'd need them, I would have been ignored and told they are NEVER going BYOD so this is useless advice to them. We're now at the stage of the pandemic where if somebody told me I need to keep a pair of running shoes at my office, ready at all times, I'd believe them. I don't know why I'd need them, but I can analyze a scenario where I'm going to need to run and I won't want to do it down stairs in heels. 

Apart from the mess-ups, an intelligent employer should see this as a golden opportunity. I don't want to pull an ego trip and pretend I'm an absolute genius, fantastic business card aside. :) But I used this as an opportunity to improve. What am I lacking? Why is all this stuff only accessible on paper? I like to travel- what if I'm in Japan and I need a document right now? Digitize that stuff. Adopt this as a standard practice. I've given serious thought (and even had to low-level implement a few times) the action plan for what happens if I cannot access the written or digital copies? Or what if my power goes down? What is my contingency plan for various scenarios? As much as I dread it and try to prevent it, I know what I'd do if a computer got locked down with ransomware. I don't like it- I don't like any of this- but I've got a plan for it. I even have a contingency plan for if I get sick and a different one if I die from that illness. It's hard enough doing it in a personal way, but I've confronted my own mortality in a business sense and determined here's who gets my data, business, and assets; why that person gets it; how it should be handled; etc. 

If you are a company owner reading this, have you asked yourself how you can improve security? Assume your employees don't know how. 

If you are an individual reading this, first, please understand that businesses aren't throwing meaningless policy and security changes at you for no reason. We're doing the best we can as the situation evolves. Some are doing better than others. But second, ask yourself what you can do. Assume you know nothing and everyone is trying to steal your info. Well, you've heard you need strong passwords- start there. Find out why. You've heard not to write them down or share them. Again, follow that info and learn why. A) You don't want to be the fool that gets disciplinary action for giving out your password over the phone. B) You DO want to look like a cybersecurity hero when you walk back in the office and you have personally adopted some good habits that you can share with others. C) Even if someone else in your company did reveal their password, you might have done enough to keep your stuff sequestered, which REALLY makes you look like a hero. They might not give you a raise since they're paying millions to clean up so-and-so's mistake, but you might get a promotion out of this.

Capps, R. (2021, February 19). Fight back against covid-19 cyberfraud. Retrieved February 20, 2021, from https://securityboulevard.com/2021/02/fight-back-against-covid-19-cyberfraud/

The CIA Helps You Protect Your Data

 TL;DR- wait, what?! The CIA helps me protect my data? Uhhhhh...

To start off, I'm an attorney. This is relevant because we have to do continuing legal education classes (CLEs) to stay current. I'm partially working on this because I hope to present it someday as a CLE at my local bar. They actually take cyberlaw and cybersecurity very seriously. For the cybersecurity professionals reading this, this is going to be Cybersecurity 101 and insultingly simple. For everyone else, let's get to why you need to actually take cybersecurity seriously, ESPECIALLY if you don't know anything about it.

First, I want to start with the most basic definition. What the heck is this cyber stuff anyway? I get what the Internet is (sort of) but what's cyber?! Great question. First, cyber is an adjective. I remember constantly yelling at my TV every time Senator John McCain came on because he'd talk about "we need to improve cyber." I would always yell back, "CYBER WHAT?!? Cybersecurity? Cyberspace? Shall we improve cybercrime, you freakin' idiot?!" So think of cyber as meaning technology and we'll call it good enough. But that's only an adjective. We need to figure out what particular realm we're talking about. Because I promise you, we don't want to improve cybercrime, even though we might want to improve our defenses against it. For purposes of this discussion, we're talking about cybersecurity. Given the definition I've provided, that means the security of technology.

For those new to this, you're probably thinking, "I just figured out what cyber means and that it's an adjective, and now I have to take on security issues. I can't do that! I don't know enough." That's great, because now we have a starting point for the discussion, definitions, and hopefully a willingness to figure it out. 

I would argue that we need to know the goals of cybersecurity before we can apply any fixes. So what are the goals of cybersecurity? That's where we get to the title... Many people would raise an eyebrow that the CIA is going to help protect your data. But we're not talking about that Central Intelligence Agency. Here, the CIA triad stands for: 

• Confidentiality- C
• Integrity- I
• Accessibility- A

Have these three things in place, and you can trust your data. So what do these actually mean?

Confidentiality means that other people who aren't supposed to look at your information aren't looking at your information. Think of it like this- when you go to the doctor, do you want some other patient in the waiting room to pick up your chart and start reading about and discussing all of the various illnesses you have? Do you want your bank teller to take your credit card to lookup your account and then announce to all the other customers what your credit card number and PIN are? Probably not. Confidentiality means keeping certain things secret. For lawyers, rule 1.6 says we have to keep information about representation confidential 1) unless we have informed consent or 2) it's reasonably necessary for certain reasons, AND we have to take reasonable steps to keep information confidential. That's because not many people go visit an attorney because it's the best day of their lives. The way the rule is written, 1 or 2 can apply, but 3 always applies. That means lawyers have an ethical duty to take steps to keep cyberinformation private, so if you do anything on a computer or phone, you must pay attention to cybersecurity.

Integrity: we talk about integrity in the legal profession a lot, but this isn't that kind of integrity. Here, it means keeping the information whole and accurate. Someone might look at that and think it sounds smart, but why would it be necessary. Here's why- what good is information if it's incomplete? If I call another attorney to talk about a case and they say, "I can confirm I represent that person but I cannot provide you with discovery responses because my client shredded the documents." What??? You already know we're going to have a problem in court. Frankly, I don't care if you confirm you represent them at that point because I'm going to do everything I can to make your representation meaningless. Further, I'd argue you aren't really representing them because you haven't done anything on their behalf. How does that look in technology? You go to your computer and open a contract draft to find that the last changes weren't saved, and there went four hours worth of work down the drain. Now you need to explain to your client why you are trying to bill for another four hours for the same task, or you need to write off the time as a loss. Neither is particularly good.

Accessibility- this means your data can be accessed. This can take many different forms. Let's say that your building has a fire and you cannot physically get to your computer. It's not accessible. Let's say that you open your computer one morning and find that the operating system will not load. What that looks like is that you turn on your computer and there is power, but nothing happens. It never loads the screen you use to login. Your information might be fine, but you cannot access it. If you cannot access it, how much good is that information doing?

Let's say there's a blizzard of the century and you cannot physically get to your office to get the files off your computer, but there is a Zoom hearing in three hours. Your information is complete and whole. It's saved on your computer and remains confidential. So what? You lost one of the legs of the table and now it is useless to you. Let's say alternatively that your computer is hacked. You can still access it- that's not the issue. All of the data is whole and integral. That's a problem here because confidentiality has been breached. Finally, let's say your data is confidential. You've used good passwords and you can access it. But the changes in that contract didn't save, so it doesn't have integrity. You're working with pieces of it. This is why you need all three. 

----------------------------------------------------------------------------------------------------

So great- you're convinced. You need the CIA triad. What can you do if you don't know much about cybersecurity? 

For confidentiality, use strong passwords. Yes, they are annoying. No argument. Use one very strong password with upper and lower case letters, numbers, symbols, and at least 8 characters long. Memorize the heck out of that password and get yourself a password manager. Don't rely on your browser- get a password manager. If you remember that one password, it unlocks all the other passwords and can help you generate strong ones. Some of them will work across devices, so for example, I have one that helps me on any of my computers or my phone.

For integrity, do regular backups. Admittedly, you may still not get the last draft of that contract, but you won't have to recreate every contract you're working on. Backup your information. Set this to automatically do it regularly and do it to a flash drive, a DVD, an external drive, or a cloud service such as Google Drive. Somewhere that isn't on your computer.

For accessibility, there's a lot of tie-ins with integrity. If your computer is inaccessible and you have that external drive with you, you can access it from home via that. It's even easier with the cloud services because Google Drive can be accessed from anywhere. 

But again, think about how these work in relation to each other. If you're backing things up to an external drive but you leave that in the same place as your computer, it might be destroyed in the same event that takes out your computer. If you backup and take the external drive with you, you shouldn't leave it in your car for someone to steal, because this will destroy the confidentiality. 

This is the crash course in how the CIA helps you protect your data. This is not meant to be an exhaustive discussion on the nuances of cybersecurity. This is meant to get you thinking and asking questions about how to protect your data, why it's important to do so, and demystify the whole thing.

Social Engineering

I'm currently taking three classes in my last semester of a cybersecurity degree, and one of them is Human Aspects of Cybersecurity. I did not expect this at all, but I'm kind of having a blast. Essentially, it's social engineering. What's that, you ask? Manipulation. How are people manipulated to give up information?

It's actually terrifyingly easy. People are so conditioned to be friendly. And apparently, being friendly means opening up your entire life story. Some are worse than others. I have met people that in less than ten minutes, I know how many ex-husbands they have, their neighbor's horse's names, and that they spend large amounts of money on antique furniture. 

I can't do much with this information, nor do I want to. But I think about certain friends I know that can't resist a good Facebook quiz. In fact, one that I'm thinking of, I know that she's Capricorn born on January 5th, her favorite color is purple, she's divorced but in a new relationship since then, and where she's eaten in the last week. I can use this. How many security questions ask your favorite color? How many verifications want your date of birth? I can start predicting patterns based on where she regularly eats. I can get into other things based on the name of her new relationship. This is all info in various Facebook quizzes and profile. It's even discarding a lot of other random things I could learn simply by "relating" to her. Drop a mention about Supernatural or Harry Potter and I can find out a lot. 

And this isn't just her. It's shocking the amount of stuff people put out there for everyone to read. The Internet has a long memory, and when someone is posting upwards of 10 posts or more a day, it takes some time to sift through, but they've given you an entire picture of who they are.

Off of Facebook, it's not much harder. You just have to do more work for it. I know that my next door neighbors have two adult children- one of whom has twins. They live in Michigan. That probably irritates dad because of a long standing football rivalry. The guy worked at a dishwasher repair place before retiring and has had heart issues. The woman works as a hostess at a local Italian restaurant. Her sister also worked there and has served Chrissie Hynde. She likes to run, her mom has dementia, and their dog was named Jake and he liked to sleep under the tree in my yard. 

How do I know all of this? I listen. People talk. You're probably thinking, "yeah, but it's a friend and your next door neighbor. Not everyone does this." Sure they do. I've had conversations with complete strangers and they told me they're fixing up their house so they can sell within the next six months. Cool. If I was evil-inclined, I'd wait for your house to go up for sale, break in, and if caught, I know the name of the owner. She introduced herself to me. 

What does this have to do with cybersecurity? Everything. According to the Verizon Data Breach Incident Report, 30% of attacks involved an insider (https://enterprise.verizon.com/resources/reports/dbir/2020/introduction/). Now, this doesn't necessarily mean that a person in a company intentionally attacked their own company 30% of the time. It does mean they bear responsibility for it. Lousy password security, not locking your computer, etc. all make it very easy for an attacker to get in. Not shocked yet? In 2003, 90% of office workers at London's Waterloo station gave away their computer password in exchange for a cheap pen (https://www.theregister.com/2003/04/18/office_workers_give_away_passwords/). People are ridiculously lax with their information and security of that information.

So where am I going with all of this? Well, be smarter than that. Not just the computer password in exchange for a pen, but stop doing the Facebook quizzes to find out your spirit unicorn name. Be bold. Make up your own spirit unicorn name! While you don't necessarily have to stop chatting with the neighbors, be circumspect about who you reveal information to.