Friday, April 8, 2016

Hacking law firms: A shift in trends? A closer look at the data.

Before the infamous Panama Papers breach, the Wall Street Journal reported in late March on cyber security incidents that occurred at two major law firms. As the WSJ noted, "[h]ackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations."
The attack is a shift in the traditional targets of hackers, who have largely focused on stealing personal data. We recently analyzed data from cyber attacks, based on UWCISA's review of public news sources from 2010 to 2016 (unless otherwise stated), and found the following:
  • Personal data stolen at higher rate than financial data: Of the breaches analyzed, about 33% of attacks related to stealing financial data. In contrast, approximately 53.5% pertained to stealing personal data. 
  • What does the data say? Hackers want to go phishing: When analyzing the different data elements (from 2010 to 2014), 35% of elements stolen could potentially be used by hackers to conduct further phishing and spear-phishing attacks. Of these, 13% relate to user credentials (username + password), while the remaining fields include things such as email, name, address, and social security numbers. This is not to say hackers don't want financial data - approximately 11% of the data elements related to things such as debit/credit cards and even intellectual property.
  • Malware is the attack vector of choice: Malware represented 21% of the attack vectors used, while SQL injection was the next favourite at 11%, and phishing and spear-phishing were third at 6%.
  • Industry trends: In terms of industry, software publishers (8%), hotels (5%), AV equipment manufacturers (~4%) and limited service restaurants (3.5%) were at the top of the list. However, this compares to an average of 1% of attacks per industry (when excluding attacks that were not attributed to an industry).
The move by hackers to target law firms illustrates how the infamous risk formula, likelihood × impact, needs to go beyond financial assets, like credit cards or bitcoins. As noted in the data analysis above, firms also need to protect intellectual property or anything that can be converted to cash. Consequently, organizations need to be as astute as the perpetrators in assessing how information - such as that held by law firms - can be used for financial gain.
