Bloomberg Law
Feb. 5, 2016, 3:59 PM UTC

Perspective: Everything is Hackable

Mark Kerzner

Editor’s Note: The author of this post leads product development teams in the legal space.

By Mark Kerzner, Chief Product Architect, LexInnova

At the end of 2015 and the beginning of 2016, legal publications were full of sensational cybersecurity headlines. They discussed information leaks and data breaches and predicted that the breaches would keep getting worse. There were also mentions of Big Data going mainstream and of the privacy issues that would arise as a result.

However, save for a few notable exceptions, these articles provided little help to the reader. They may raise awareness of long-standing problems, but I believe that what readers actually want is practical and useful information, intended not to scare but to help.

To achieve this, let us peel the cybersecurity onion layer by layer. First of all, let us separate privacy and security. While it is true that in a data breach both privacy and security may be compromised, privacy lies more in the world of regulations, while security is associated with technology and attacks.

More specifically, privacy makes sure that law-abiding, legitimate entities and persons have their “personally identifiable” information protected. This is achieved by creating a robust framework of privacy regulations.

Security, on the other hand, deals with attacks by criminals, often remote or unknown entities, who can be masquerading as someone else. Thus, one can be completely OK on privacy (by observing all the rules and maintaining legal compliance), but still be completely insecure (for example, by using unpatched versions of software). In this article, we will deal primarily with security.


Personal vs Enterprise security

Primarily, there are two, let’s call them, domains: work/enterprise security and personal security. Lawyers are human beings, and they need security, too. To paraphrase Shakespeare, “If you prick them, do they not bleed? If you tickle them, do they not laugh?” Let us deal with this second domain first, because after all it is simpler.

As I was writing this article, my lawyer friend called me: he was being cyber-attacked. All his phones were ringing at once, and he was getting emails in the Russian language — which he does not understand. The phone calls all came from different caller IDs, but the voice said the same thing, “Hello, world!”

This sounded like a classic “denial of service attack” on a human. In a heist that happened a couple of years ago, a similar attack, but on a larger scale, was conducted while money was siphoned out of the victim’s bank account. What gave us hope, though, was that the attack had already stopped. Moreover, it sounded very crude, and “Hello, world” is the standard first program one writes when learning any new language.

I advised my friend to verify all his assets, not from his computer but from some other device that had not been under attack; at this point he decided to just go directly to his bank. He would also run virus scanners and potentially re-image his devices (there may be a keystroke logger), etc. Generally, these measures help. Criminals must have a good ROI, or otherwise their crime does not pay. So, once you raise your level of defense higher, they go somewhere else.

This is standard personal advice, but it demonstrates an important idea. In our personal life, we are quite paranoid about being hacked. We would get little solace in being JUST compliant, and would much rather be hackproof. We should try to adopt the same sense of paranoia in the work/enterprise domain.

Security Protection - Raising the Hacker Bar

Basically, everything is either already hacked, or can be hacked. According to Jeremiah Grossman, a very large proportion of all websites are hacked, but “there is little one can do about it. Malicious software is installed on these sites, and it tries to infect your computer when you visit the site. But if you write to the owners of the site to warn them about it, they will likely think that you are a hacker yourself.”

Jeremiah runs a protection racket (just kidding). He is the founder of WhiteHat Security, a company that finds website vulnerabilities and helps clients fix them. In his live hacking demo in Houston, Jeremiah provided an easy talisman: keep your defenses higher than the other guy’s, and hackers may hack someone else, not you. Cynical, but true.

Exactly what should one do? Matthew Nelson, an attorney in the corporate strategy department of the security firm Symantec, gives sound advice. Here are the most important points.

a) Don’t store the data you don’t need, and it won’t be stolen.
b) Require secure passwords and automate this.
c) Encrypt the data at rest and in transit.
d) Break your network into segments, monitor who’s trying to get in and out, and apply this to remote access as well.
e) Use secure software development practices.

These and other pieces of advice will help you get off the hook with the regulatory authority (such as the FTC) in case of a breach, and they will also increase your real security overall.

However, they are not a panacea. As the recent hacks of SONY showed, everything and anyone can be hacked. In fact, as Kim Zetter explains in her excellent book “Countdown to Zero Day,” there may be a number of hacks by state actors that have already happened and that may be waiting for years to be exploited. The real game is very complex. Take, for example, this question: if the NSA finds a bug in Windows, should it quietly use this bug for exploits against its targets, or disclose it to Microsoft, making the software more secure but, allegedly, the future less secure? The answer requires a very delicate balance. So what is one to do against this backdrop of everybody spying on everybody?

Before we turn to the answer, let us look at what lawyers and lawmakers as a group can do to ensure more secure software. There are a few things that can actually be done here, if only one listens to the voice of reason. Here they are (again, thanks to Jeremiah Grossman).

What the lawyers and lawmakers can do as a group:

a) Legislative measures are good for law-abiding citizens, but are no protection against hackers, who usually reside outside of their jurisdiction. We should keep this in mind while enacting laws.
b) And yet, you can do something. First, require software makers to add some form of liability to end-user agreements, just as it works in all other markets.
c) Make a form of Safe Harbor provisions applicable to security researchers. If they are treated like hackers, they will stop their community research.
d) Let the government share breach information with the researchers, and let the companies responsibly share the breaches as well, rather than covering up every breach other than credit card breaches, which are currently required to be divulged by law in many states.

Security and Big Data

It is well known that security in Big Data is less mature than in the “small data” world, to say the least. One reason for this is that security was added to Big Data tools (like Hadoop and NoSQL databases) as an afterthought. Initially, Hadoop clusters were used by friendly groups of engineers working at Yahoo, who dealt with data that was public anyway. Understandably, such data required very little protection.

Another reason for Big Data insecurity is the reliance on Hadoop being deployed within internal networks. This is a common fallacy: once the attacker is inside this network, all is open. As an experiment, we put our internal hacker on attacking Hadoop, and he quickly found a number of vulnerabilities, collecting a “hacker bounty” in the form of t-shirts and free beer in the process.

The biggest reason for Big Data insecurity, however, is human. Take a typical Oracle or Microsoft SQL Server administrator. He will likely have a few security courses under his belt and customary security procedures in place. Take a NoSQL administrator. This will likely be the “devops” type of developer, responsible for both coding and administration, and not overly concerned about security. If anything, security is in his way, because it stops his software from working.

In a recent penetration test in California, much of the client company’s internal personnel information was tied to MongoDB (a nice, popular NoSQL product), which was run without even username and password protection. Once the attacker gains control over that, it is “game over” in hacker parlance.
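A MongoDB running without authentication is the kind of red flag a configuration audit can raise before a penetration tester does. The following Python is an added example, not code from the article or from MongoDB itself: it parses the nested key/value subset of a mongod.conf and flags missing authorization (security.authorization), an all-interfaces bind (net.bindIp) and the absence of required TLS (net.tls.mode); both sample configurations are constructed for the demonstration.

```python
# Constructed: an unprotected deployment of the kind the article describes.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server with authorization, a restricted bind and TLS.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""

def parse_simple_yaml(text):
    """Nested key/value subset of YAML as used by mongod.conf; not a full parser."""
    stack = [(-1, {})]                          # (indent, mapping) of open parents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:           # climb back to the parent mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip('"')
        else:                                   # a nested mapping starts here
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]

def audit_mongod(cfg):
    """Return red flags for a parsed mongod.conf; an empty list means it passed."""
    findings = []
    net = cfg.get("net", {})
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: anyone who reaches the port has full access")
    bind = net.get("bindIp")
    if bind is None or net.get("bindIpAll") == "true" or any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append("net.bindIp listens on every interface (mongod before 3.6 did so by default)")
    if net.get("tls", net.get("ssl", {})).get("mode") not in ("requireTLS", "requireSSL"):
        findings.append("TLS is not required: credentials and data cross the network in the clear")
    return findings
```

Running `audit_mongod(parse_simple_yaml(WEAK_CONF))` yields three findings, while the hardened configuration yields none.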

The moral: one should pay special attention to securing the Big Data part of the organization’s software. Get a list of Big Data tools, and have them raise a red flag once you see them. It may start like the list below. For the rest, you can consult our free, open source book, Hadoop Illuminated.

[Image “tools” (src=https://bol.bna.com/wp-content/uploads/2016/01/tools.png)]

The list continues here.

Final piece of advice

As discussed above, what is a lawyer to do when he or she is dealing with the security of a client corporation? In addition to the technical measures, the overall approach should be “everything is hackable.” Just as in eDiscovery, the mantra is “Everything is discoverable,” so it is in the security world.

Have procedures on “what to do when this information leaks.” But do strike the right balance between security and convenience. Do not try to go for 100 percent in either direction. This may sound paranoid, but as Andy Grove of Intel said, “Only the paranoid survive.”

By following the approach delineated above, and by implementing the steps, we can at least rest assured that we did everything we could.

But there is one more thing to keep in mind. To paraphrase Shakespeare once again,

Give me your hands, if we be friends,

And Robin shall restore amends.

Robin, also known as Puck, is a mischievous spirit, sort of a hacker in the woods. By temporarily adopting his looks - that is, by thinking the way a hacker thinks - we can help improve security.
