It’s been widely reported that the legal industry has been a slow adopter of cybersecurity measures. This article by Law.com is further proof of how primitive the industry is when it comes to cybersecurity: https://bit.ly/2HYBm0E. The article merely lists and then discusses in a superficial manner certain “basic cybersecurity measures” (which is the phrase used in the article) like antivirus and the need for encryption.
Instead of creating lists of “basic” cybersecurity measures, Law.com should point legal professionals to informative sources like @usnistgov and its Cybersecurity Framework: https://bit.ly/2ePWDZM, or @FTC and its small business resources: https://bit.ly/2Hv3zsv. And instead of spouting superficial cybersecurity tips like using encryption to protect data, Law.com should provide legal professionals with useful information about comprehensive, “managed” file transfer software that can address many cybersecurity needs: https://bit.ly/2b6amgC.
I enjoyed reading an article which addresses the recent cries to regulate Facebook in order to better protect users’ privacy. The author, Richard Jones of Dechert LLP, urges caution based on parallels between the “current kerfuffle over Facebook and privacy” and “the Dodd-Frank mess” that followed the Great Recession.
Jones says the Dodd-Frank regulatory scheme consisted of “faux solutions, air freshener wafting over the midden heap of a deeply damaged banking and capital formation sector.” The “faux solutions” were made in haste because of cries for regulation based on a “narrative that banks and bankers were bad and needed to be beaten regularly, made to disgorge billions of dollars for alleged bad conduct (and thereby damaging capital while at the same time we were trying to increase it) and needed to henceforth conform to an exhaustive and elaborate skein of rules and regulations that, in some chalkboard exercise we were assured, would make banking safer and perhaps even end the business cycle.”
Dodd-Frank didn’t make banking safer, but Jones observed that it did enrich the “legions of staff, lawyers and accountants” needed to navigate the maze of the regulations. Jones argues that the “Dodd-Frank regulatory torrent was ill-advised then and I am certain that the current cri de coeur for regulating the internet without further delay is ill-advised today.”
The crux of Jones’ argument for not regulating Facebook rests in the phrase, “Act in haste, repent at leisure.” Jones claims this phrase “is not just a hoary old dodge, but a fundamental truth.” Jones counsels everyone to pause and ponder a fundamental, common sense question: “What exactly does everyone mean by regulating the internet?” He then presents cogent, common sense points for exercising caution before hastily drafting a broad regulatory scheme, which he summarizes as follows: “Someone said we become insane collectively and regain our sanity one by one. Seems right. The internet is too important. Connectivity is too important. We can’t afford to embrace insanity and then wait for regrets.”
Please read Jones’ piece and let us know if you agree or disagree.
U.S. and UK cybersecurity authorities have issued a warning of another campaign by Russian state-sponsored hackers to target network infrastructure. Targets of the alleged Russian attacks are infrastructure devices at all levels, including routers, switches, firewalls, network intrusion detection systems and other devices supporting network operations. Once they gain access, hackers masquerade as privileged users and are able to modify the devices so they can copy or redirect traffic to Russian infrastructure.
It appears the Russian intrusions into US/UK networks were relatively easy to accomplish and fairly hard to detect. Why? Because many networks still have weak security, legacy protocols, and service ports intended only for administration purposes.
Obviously, software updates and patches should be applied as soon as they’re available. Infrastructure equipment that can’t be updated should be replaced with equipment for which updates are available and which will be supported for a reasonable lifetime.
The US/UK cybersecurity agencies included a list of tips for potential attack targets, which means nearly any organization with a network:
- Don’t allow unencrypted management protocols, such as Telnet, to enter your organization from the internet. If SSH, HTTPS or TLS encryption is not possible, use a VPN.
- Do not allow internet access to the management interface of any network device. You should allow access from inside the network only from a white-listed device.
- Disable unencrypted protocols such as Telnet or SNMP v1 or v2. Retire legacy devices that cannot be configured with SNMP v3.
- Immediately change default passwords and enforce a strong password policy.
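The four tips above are the kind of thing that can be checked mechanically against a device's running configuration. The following is an added example (not from the US/UK advisory or from bTrade) that audits an IOS-style config text for each tip: unencrypted management (Telnet on the vty lines, HTTP management without HTTPS), a management interface with no access-class restricting it to approved sources, SNMP v1/v2c community strings, and default passwords. The two sample configs, the rule names and the list of default credentials are all constructed for illustration; the parsing is generic and not tied to any vendor's tooling.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a config that violates each of the four tips.
WEAK_CONFIG = """
hostname edge-rtr-01
enable password cisco
username admin password admin
snmp-server community public RO
snmp-server community private RW
snmp-server group netops v3 priv
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 access-class 10 in
 login local
"""

# Constructed sample: the same device after the tips are applied.
HARDENED_CONFIG = """
hostname edge-rtr-01
enable secret 9 $9$constructed-placeholder-hash
username admin secret 9 $9$constructed-placeholder-hash
snmp-server group netops v3 priv
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
 access-class 10 in
 login local
"""

# Constructed list of vendor defaults and well-known values; extend for your estate.
DEFAULT_CREDS = {"cisco", "admin", "password", "public", "private"}


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    evidence: str


def _audit_global(line: str) -> list[Finding]:
    """Checks that apply to a single top-level config line."""
    out: list[Finding] = []
    m = re.match(r"snmp-server community (\S+)", line)
    if m:
        # Any 'community' line means SNMP v1/v2c is on: the string crosses the wire in cleartext.
        out.append(Finding("high", "snmp-v1v2c-community", line))
        if m.group(1).lower() in DEFAULT_CREDS:
            out.append(Finding("critical", "default-snmp-community", line))
    m = re.match(r"enable password (\S+)", line) or re.match(
        r"username \S+ password (?:\d+ )?(\S+)", line
    )
    if m and m.group(1).lower() in DEFAULT_CREDS:
        out.append(Finding("critical", "default-password", line))
    return out


def _audit_vty(header: str, body: list[str]) -> list[Finding]:
    """Checks for one 'line vty' block, i.e. the remote management interface."""
    out: list[Finding] = []
    for entry in body:
        if entry.startswith("transport input") and ({"telnet", "all"} & set(entry.split())):
            out.append(Finding("high", "telnet-enabled", f"{header}: {entry}"))
    if not any(entry.startswith("access-class") for entry in body):
        # No ACL bound to the vty lines: management is reachable from any source address.
        out.append(Finding("medium", "vty-no-access-class", header))
    return out


def audit_config(config: str) -> list[Finding]:
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings: list[Finding] = []
    # HTTP management enabled without the HTTPS server: credentials travel unencrypted.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(Finding("high", "http-mgmt-unencrypted", "ip http server"))
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("line vty"):
            body: list[str] = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):  # indented sub-commands
                body.append(lines[i].strip())
                i += 1
            findings.extend(_audit_vty(line, body))
            continue
        findings.extend(_audit_global(line))
        i += 1
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule for a quick pass/fail view across many devices."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {summarize(audit_config(cfg)) or 'no findings'}")
        for f in audit_config(cfg):
            print(f"  [{f.severity}] {f.rule}: {f.evidence}")
```

Run against the weak config it reports nine findings across six rules; the hardened config comes back clean. Feeding it the output of `show running-config` from every device on a schedule turns the advisory's checklist into a recurring control rather than a one-off review.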
The National Institute of Standards and Technology (NIST) released Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on 2 years of public feedback: https://lnkd.in/gBi3sG3. The Cybersecurity Framework compiles effective cybersecurity standards, guidelines, and practices into one framework. The new version of the Cybersecurity Framework includes updates on authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and vulnerability disclosure.
When an organization does infosec planning, one decision involves whether to run software on-premises, in the cloud, or in a hybrid model. At a recent round-table discussion involving infosec pros from financial services organizations, a variety of opinions were proffered regarding the different deployment models, which is consistent with what we hear from bTrade customers.
For example, an infosec pro from ABN AMRO Bank said a public cloud is “a no-go” for him because he cannot “control it” and does not “know who has access to the data,” which is what we often hear from large organizations in the bTrade community. Another infosec pro from AXA uses a hybrid deployment because a public cloud works best for certain situations, like “processing data quickly for real-time services,” but they “constantly check what kind of data can be stored in the cloud, even after it is anonymized.”
If you want to learn about deployment models for bTrade software solutions, please contact us at firstname.lastname@example.org. If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, Facebook, LinkedIn, Google+, and our blog MFT Nation.
Another good tip from @FBI about ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them: create and test a solid business continuity plan in the event of an attack. According to @FBI, nothing will completely protect your organization from a ransomware attack, so contingency and remediation planning is crucial to business recovery and continuity, and these plans should be tested regularly.
The U.S. federal government, through @USCERT_gov, issued a special alert advising that it has “observed an increase in ransomware attacks across the world”: https://bit.ly/2qlcup4. According to @USCERT_gov, the “best practices and guidance remain the same” for preventing ransomware:
1. Create system back-ups
2. Be wary of opening emails and attachments from unknown or unverified senders
3. Ensure that systems are updated with the latest patches
And @USCERT_gov encourages users and administrators to review its Ransomware page and the U.S. Government Interagency Joint Guidance for further information.
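A backup only counts as a contingency plan if someone checks that it still restores what was saved. The following is an added example (not from @FBI, @USCERT_gov or bTrade) of the simplest version of that check: record a SHA-256 manifest when the backup is taken, then compare the backup tree against it before relying on it. The sample files and the tampering it simulates (one file overwritten with unreadable bytes, one renamed with a new extension, which is what a ransomware infection that reached the backup share would leave behind) are constructed inside a temporary directory so the script runs offline.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup tree on disk with the manifest recorded when it was taken.

    'modified' catches files whose contents changed (encrypted in place),
    'missing' catches files that vanished or were renamed,
    'unexpected' catches new files such as renamed originals or ransom notes.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a constructed backup, verify it, damage it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # Constructed sample content standing in for real backed-up files.
        (root / "finance" / "ledger.csv").write_text("date,amount\n2018-04-01,100\n")
        (root / "notes.txt").write_text("constructed sample notes\n")
        manifest = build_manifest(root)      # store this somewhere the backup host cannot write
        clean = verify_backup(root, manifest)

        # Simulated damage: contents replaced with ciphertext-like bytes, a file renamed.
        (root / "finance" / "ledger.csv").write_bytes(b"\x00\xffconstructed-garbage")
        (root / "notes.txt").rename(root / "notes.txt.locked")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup clean:", is_clean(before))
    print("after tampering:", after)
```

The manifest should live apart from the backup it describes (offline media or a write-once store), since a manifest the attacker can rewrite proves nothing. Scheduling this comparison, and a real restore of a sample of files, is what "test regularly" looks like in practice.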
Congratulations to our longtime customer/partner, Sony, on the opening of its new Digital Media Production Center near bTrade world HQ in Glendale, CA: https://bit.ly/2GJjtDc. The facility will be the company’s home for Los Angeles-based crews for gear, training and education about its latest production technologies, which include 4K and high dynamic range capabilities.