New Zealand Law Society - An appetite for strong IT security



IT security is just like nutritional advice: it’s confusing and conflicting, and what you read in the media, or on social media, often lacks either science or common sense.

Is caffeine good or bad for you? Is quinoa really a ‘superfood’ and how do you say ‘quinoa’ anyway? How do you know that your computer systems and confidential client information are safe? If you do a bit of Googling you’ll find numerous compelling arguments supporting convincing, yet conflicting, points of view. So how do you make sense of it all?

Technology security, like our understanding of human nutrition, is a complex, ever-changing concept. The security practices that we rely on today can become the security exploits that are used to attack us tomorrow.

To make matters worse, much of the tech security advice on offer is bogus. Sometimes it is unintentionally so, coming from the well-meaning but misinformed; often it is intentionally so, coming from those trying to sell you something or trying to justify their existence.

However, the risks are persistent and real. And for any company with more than a few employees, tech security is not a DIY job.

Law firms are particularly desirable targets for bad guys, as they can be rich sources of valuable information. Most people will know about the Mossack Fonseca hack that resulted in the Panama Papers scandal, but far more law firms are compromised every year. And you won’t hear about many of these events in the media.

We’ve consulted with many customers on security over the years and it’s frightening how woefully unprepared most companies are for the myriad security risks they’re faced with, especially big companies, where the illusion of security often causes them to ignore the obvious.

“Ethical Hacking”

For a few fun examples, let’s look at some of the ‘ethical hacking’ tricks that we’ve used to test the security of customer IT systems (customers pay for, and authorise, these ‘hacks’ to test their security):

  • Waving a bus card at a security guard and giving them a false name, including a false name of our company, to gain entry to a secure data centre. We managed to walk out with the server we were paid to hack. The security guard even fetched us a trolley.
  • Walking into a bank and connecting to its internal network by plugging a laptop into one of their network-attached IP phones. They thoughtfully placed the phone in a user waiting area. How considerate.
  • Tricking a Chief Information Officer (CIO) and his personal assistant into disclosing the CIO’s network passwords by ringing them and pretending to be from their helpdesk. A CIO should really know better, but you’d be appalled at how often this trick works.

The most insecure bit of a computer system is the warm fleshy bit between the keyboard and the chair. Unfortunately, humans are both gullible and compelled to comply with social norms. So we often do things that, on reflection, aren’t too smart.

Our biggest weakness is that we don’t want to appear stupid, so we’ll often go along with whatever the ruse is even if our inner voice is telling us that something’s not right.

The media loves to portray hackers as super-nerds with advanced technology at their disposal. The reality is a lot less sexy and almost all successful security attacks rely on plain old laziness (eg, someone hasn’t updated a system to patch a security flaw) or our natural gullibility.

Some examples:

  • Mossack Fonseca was hacked because its IT security was laughably bad. They hadn’t updated key software components in years, allowing hackers to stroll in the back door and steal all of their emails undetected.
  • The US election was swayed — some say convincingly — because Hillary Clinton’s campaign chair was tricked with one of those spammy ‘Click here to change your Gmail password’ emails. The attackers took over his Gmail account and Clinton may have lost as a result. Let that sink in for a moment.
  • In 2014 the details of millions of customers, including over 50 million credit card numbers, were stolen from hardware megastore Home Depot in the US. The hackers spread malware, which is similar to a virus, onto Home Depot’s hopelessly obsolete point of sale terminals. It sat there for months, or even years, without the retail giant noticing.

Entrusting IT

Most firms have someone they entrust with their IT security — Mossack Fonseca did — and most of us would not dare to ask pointed questions of that person or group for fear of looking foolish.

But ask questions we must. You have to understand, and be comfortable with, your firm’s security posture before something goes wrong. You can’t simply entrust this to someone else, even if they do work for you. Just try explaining to your clients that you ‘thought’ you were safe if their information is compromised.

In the next column I’ll offer up some practical, common sense advice to help you take control of your IT security.

Damian Funnell is a technologist and founder of Choice Technology (an IT services company) and PanaceaHQ.com (a cloud software company).
