New Microsoft Vulnerability – “Follina” Zero-Day Bug
On May 30th Microsoft announced a security vulnerability was discovered involving the Microsoft Support Diagnostic Tool (“MSDT”). The MSDT collects information from users to send to Microsoft for analysis by support personnel to help resolve problems. Attackers discovered a way to access MSDT and use it to install malicious code, view, change, or delete data, or create new accounts.
Experts report the exploit can be triggered in multiple ways, including from a “hover-preview of a downloaded file that doesn’t require any clicks” using the preview pane in Windows Explorer. Microsoft recommends a workaround to avoid triggering an attack. The Cybersecurity & Infrastructure Security Agency (“CISA”) urges users to apply the necessary workaround.
Business Email Compromise
Business Email Compromise (“BEC”) is a scam that exploits the reliance on email to conduct business. The scam typically involves the compromise of legitimate business email accounts through social engineering or computer intrusion to access or redirect funds or personally identifiable information. The FBI reported in 2020 that BEC scams resulted in losses of $1.8 billion. That number grew to $2.4 billion in 2021.
Law firms are vulnerable to BEC scams because lawyers rely heavily on email to conduct business and often facilitate large monetary transactions. The variants of BEC scams that our policyholders report most frequently involve either wire transfer frauds or scams involving fraudulent checks. See our prior reports on these scams: Best Practices: Preventing Wire Fraud; May 10, 2022 OBLIC Alert; see also, Cyber Scams Again and Again, August 6, 2020 OBLIC Alert.
Our cyber-insurance partners at Tokio Marine created this BEC Guide to provide best practice recommendations for protecting against BEC scams.
These resources provide additional information related to BEC scams:
Avoiding Cybersecurity Threats When Marketing Your Firm
Lawyers often use social media platforms such as LinkedIn, Facebook and Twitter to get their information out to potential clients. Social sharing of client testimonials or press releases, and the firm’s own website, also market the firm. Each of these can be an entry point for cyberattacks.
The Marketing Issue of the ABA Law Practice Magazine listed seven steps for how law firms can stay safe while marketing their services:
- Conduct a risk assessment
See OBLIC’s CyberToolbox for information on a risk assessment
- Perform a penetration test
A penetration test is an authorized simulated cyberattack on an information system that is performed to evaluate its security.
- Implement internal controls
Evaluate your internal controls in areas including human resources, physical security, information technology and vendor management, including evaluating who has permission to access the data, especially in this remote-working world.
- Assess your third-party vendors
Ensure that each vendor is aware of your information security requirements and has the proper level of cybersecurity.
- Establish a social media usage policy
A social media policy provides guidelines on what attorneys and staff can and cannot share about your law firm and its clients on social media and other third-party platforms.
- Monitor your email
Monitor all your inbound and outbound emails to detect any suspicious activity and use a domain-based method of authentication to identify spoofed emails. Encrypt emails and set up DMARC (Domain-based Message Authentication, Reporting and Conformance) records to prevent spoofed emails from being sent in your name without your knowledge.
- Educate and train your employees
See OBLIC CyberToolbox for training materials
Cybersecurity Incident Response Plan
The importance of having timely security disclosures was emphasized in new guidance issued by the FTC Division of Privacy and Identity Protection – describing which consumers or companies should be notified of data breaches regardless of whether a breach notification law applies. Data Breach Response: A Guide for Business provides information on what steps to take if personal information may have been exposed.
To prepare for cybersecurity attacks, every law practice should have an Incident Response Plan (“IRP”). If your practice does not have one, take the first step now to get started. OBLIC’s CyberToolbox has a guided planning process and a Sample IRP. If you need help, we’re happy to walk you through it!