Bloomberg Law

Data Security Expert: Execution Trumps Planning

June 8, 2015, 7:39 PM

Editor’s note: The author of this post is a fellow at CodeX: The Stanford Center for Legal Informatics and is a member of the California bar.

By Monica Bay, Fellow, CodeX: The Stanford Center for Legal Informatics

The International Legal Technology Association held its third annual LegalSec Summit 2015 on Monday with more than 300 legal professionals attending the two-day event at the Renaissance Baltimore Harborplace Hotel.

Steve Surdu, principal at the information security firm Surdu Consulting, began his keynote with an anecdote about a law firm.

The unidentified firm received an unnerving call from the FBI, which said that the firm was losing data via an email breach. But the agency did not provide any information about how the breach occurred. Eventually, outside consultants to the firm conducted an investigation that revealed the trigger was a “piece of malware” generated by hackers in China via an external firewall that was not owned by the firm, according to Surdu, who worked on the case. Eight people were identified as participating in the scheme, which lasted 16 months.

The diagnosis also found:

• Passwords were so simplistic that many could be guessed.
• The firm had hundreds of user names, many with administration rights.
• The firewall was outsourced, preventing the firm from remediating in a timely manner.
• Operating systems were vulnerable because patches were not current.
• Websites, VPN and mass storage devices were vulnerable.

The firm was “pretty much defenseless,” said Surdu. “It had not prepared.”

Surdu identified five major categories of cybercriminals:

• Terrorists: Surdu downplayed the role of terrorists, with a disclaimer that his point of view may be skewed by his current work, which focuses on insurance matters.

• Insiders: The biggest threat is insiders, “generally employees, contractors and partners.” Insiders, he said, “may take information to sell it to others,” and look for ways to use information to get money. They are likely to have knowledge of the organization’s vulnerability, “but they have limited access — and it takes practice to get good at it.” What makes insiders less effective is that they are not likely to know about forensics and how to clean up after themselves. Surdu explained, “The impact tends to be relatively limited in the grand scheme.”

He cited as an example Dmitry Braverman, a former information technology employee at Wilson Sonsini Goodrich & Rosati, who pleaded guilty last November to one count of securities fraud for using internal firm information to collect about $300,000 from illicit insider trades. Braverman is expected to serve time in prison and also faces restitution, said Surdu.

• Hacktivists include Anonymous, LulzSec, Syrian Electronic Army and Turkish Ajan, he said. They tend to be teenagers and young adults who do hacking for notoriety or a cause. Hacktivists are often motivated by politics, act from around the world, generally are not interested in money, and “want to disrupt people’s lives and get attention,” according to Surdu.

Typically, hacktivists have at least basic technological skills and understand and can take advantage of vulnerabilities, said Surdu. Limitations include resources, tech depth and breadth, and organizational structure. They rely on relationships and often communicate on Skype. An example, he said, is Hector Xavier Monsegur, a.k.a. Sabu, of New York City, who was arrested in 2011, pleaded guilty to hacking conspiracy charges, agreed to cooperate and was released on “time served.”

• Criminals: Criminals seeking to make money pose great dangers, Surdu said. Non-U.S. organized crime, in countries and regions such as Russia, Moldova, Estonia, Romania, Ukraine and Asia — which lack reciprocity with the U.S. — is a particular threat. These groups often possess a deep understanding of technology and industry knowledge, and are proficient in Microsoft Corp.'s Windows. “They can’t be touched based on where they live.”

He cited Viktor Pleshchuk, of St. Petersburg, Russia, who was expert at stealing from ATMs and payment card systems. Pleshchuk pleaded guilty in 2010 to hacking into Atlanta-based RBS WorldPay, was ordered to pay $8.9 million in restitution and received a six-year suspended sentence in Russia, said Surdu.

• Nation states: These include military and intelligence “from a whole lot of countries,” said Surdu. Most participants view this as espionage or defense, he said. “The Chinese look at it differently, as benefiting its economy and patriotism.”

Surdu offered five concrete suggestions to protect against cybersecurity breaches:

1. Awareness: Educate employees, management, suppliers and clients about threat tactics and safe computing.

2. Visibility: Take an inventory of assets and create logs and alerts to gain actionable intelligence.

3. Focus: Avoid misplaced faith in compliance alone.

4. Operational expediency: Make reasonable operations and security trade-offs. Nail down the environment more tightly than in the past.

5. Priorities: Focus on actor tactics, people and processes.

Surdu also urges legal professionals to establish checklists, starting with:

• Retain core key players.
• Inventory and track information assets.
• Develop and track measurable key performance indicators.
• Establish and maintain disciplined processes.
• Create and maintain support from senior management.
• Develop and maintain response capabilities.
• Make complete use of existing technology.
• Carefully select people, processes and new technology.

Surdu warned: “Details matter. If you can’t get the little things right you won’t get the big things right. Finishing is more important than starting. Plans are important, but execution trumps strategy.”