What Is The Dark Web And Why Should My Law Firm Care?
"Dark web" is a term widely used today to conjure up images of a second, mysterious layer of the internet where criminal gangs operate. Although it is often used by criminals to trade banned or sinister material, the dark web is essentially made up of web pages that are not indexed by search engines.
The dark web is used by organised crime gangs to trade stolen credentials and other data that may be used in a cyber attack against your firm. Data breaches are reported so frequently in the news these days that people are almost becoming desensitised to the devastating impact that they can have.
Within a year of a data breach, the usernames, passwords and personal data it exposed will inevitably be for sale on the dark web. Financial gain is one of the biggest drivers for these types of attacks. Having said all that, it's fair to note that most of the reported breaches involve data and credentials belonging to members of the public; breaches affecting business data are rarely reported in the news.
So why should a law firm care? There are several scenarios in which such attacks could prove damaging to a law firm.
Scenario 1 – Password Reuse
Recent studies show that 1 in 4 employees in the UK use the same passwords at work as they do at home.
- Hacker causes a data breach of a seemingly innocuous app. Usernames and passwords were recently stolen from US sports giant Under Armour's MyFitnessPal app
- Stolen credentials for sale on dark web
- Credentials bought by 2nd hacker
- 2nd hacker researches on LinkedIn and discovers that this set of credentials belongs to a law firm employee
- They try the same credentials against the law firm's email account and are granted what looks like legitimate access
This scenario is also really difficult for the law firm to detect: a login with valid credentials looks like any other login and is not easily picked up by normal monitoring methods.
How to protect against scenario 1
- Train your staff about the dangers of reusing passwords. Get a password manager to make it easier for them to use unique strong passwords for each account
- Implement two-factor authentication (2FA) wherever possible
- Talk to Lawyer Checker about password checking and how we can ensure that the passwords used in your organisation aren't for sale on the dark web
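The password check described above can be done without ever sending a user's password, or even its full hash, to the checking service. The following is an added example (not Lawyer Checker's product or code) of the k-anonymity range scheme used by public breached-password services: the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, receives every known suffix under that prefix, and does the final match itself. The breach dump, the range service and the example.com-style passwords here are all constructed stand-ins, and the 12-character minimum is an assumed policy.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach dump: plaintext -> times seen. Not real data.
CONSTRUCTED_BREACH_DUMP = {
    "password123": 5,
    "summer2018": 2,
    "letmein": 9,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(dump: dict) -> dict:
    """Index the dump by 5-character hash prefix, as a range service stores it."""
    index = defaultdict(dict)
    for plaintext, count in dump.items():
        digest = sha1_hex(plaintext)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_DUMP)


def range_lookup(prefix: str) -> dict:
    """Simulated range service (assumed, stands in for a real API). It only ever
    receives the 5-character prefix and returns every suffix it knows under that
    prefix, so the full hash never leaves the client."""
    if len(prefix) != 5:
        raise ValueError("range service accepts exactly 5 hex characters")
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side of the k-anonymity check: hash locally, query the prefix,
    then match the remaining 35 characters against the returned suffixes."""
    digest = sha1_hex(password)
    candidates = range_lookup(digest[:5])
    return candidates.get(digest[5:], 0)


def check_new_password(password: str, min_length: int = 12) -> dict:
    """Policy decision to run when a user sets or changes a password."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen:
        reasons.append(f"appears {seen} time(s) in known breach data")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("password123", "Correct-Horse-Battery-Staple-77"):
        print(candidate, check_new_password(candidate))
```

Running the check at password-set time, rather than auditing stored passwords, is the usual deployment: the firm's identity provider never needs plaintext passwords at rest, and a user who picks a password that is already in circulation is told so before it is accepted.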
Scenario 2 – Phishing
Even if credentials aren't stolen in a breach, a whole heap of other personal data can be. That data can then be cleverly used to trick people into handing over credentials.
- Hacker causes a data breach of a seemingly innocuous app. In 2018, Apollo, a sales engagement business, accidentally leaked over 126 million records containing email addresses, job titles, places of work and other data
- Stolen data for sale on dark web
- Data bought by 2nd hacker
- 2nd hacker uses data to piece together hierarchy of a particular firm
- The hacker spots that DMARC hasn't been implemented on the firm's domain and emails the accounts department, apparently from the managing partner, asking for a large money transfer. Alternatively, the hacker emails a law firm client, apparently from their solicitor, to advise that bank details have changed and funds must be sent to a new account
How to protect against Scenario 2
- Train staff about the dangers of phishing
- Conduct regular phishing tests
- Implement DMARC on all of your domains, as recommended by the UK Government
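DMARC is published as a DNS TXT record at `_dmarc.<your-domain>`, and the part that matters for the scenario above is the `p` tag: `p=none` only asks receivers to report spoofed mail, while `p=quarantine` or `p=reject` asks them to act on it. The following is an added example (not code from Lawyer Checker or any DMARC tool) of a small checker that parses a record and flags the gaps a firm would want closed: no record, monitoring-only policy, a `pct` below 100, no `rua` reporting address, and an unprotected subdomain policy. The domains and records are constructed placeholders; a real check would fetch the TXT record from DNS first.

```python
from typing import Optional


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.
    Returns None when the record is absent, malformed, or not DMARC at all."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: treat as no usable record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Classify a domain's DMARC posture and list the weaknesses a spoofer could use."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"status": "missing", "policy": None,
                "issues": ["no DMARC record: mail claiming to be from this domain is not checked"]}
    policy = tags.get("p", "").lower()
    issues = []
    if policy == "none":
        status = "monitoring only"
        issues.append("p=none: spoofed mail is still delivered, receivers only report it")
    elif policy in ("quarantine", "reject"):
        status = "enforcing"
    else:
        status = "invalid"
        issues.append("p tag missing or unrecognised")
    try:
        pct = int(tags.get("pct", "100"))  # DMARC default is 100
    except ValueError:
        pct = 100
        issues.append("pct is not a number")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports, so spoofing attempts go unseen")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if status == "enforcing" and subdomain_policy == "none":
        issues.append("sp=none: subdomains are left unprotected")
    return {"status": status, "policy": policy, "issues": issues}


# Constructed example records for placeholder domains; not real DNS data.
CONSTRUCTED_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "nodmarc.example": None,
    "spfonly.example": "v=spf1 include:_spf.example.com -all",
}


def assess_all(records: dict) -> dict:
    """Assess every domain in a {domain: txt_record_or_None} mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all(CONSTRUCTED_RECORDS).items():
        print(f"{domain}: {result['status']}")
        for issue in result["issues"]:
            print(f"  - {issue}")
```

The usual rollout is to publish `p=none` with a `rua` address first, read the aggregate reports until every legitimate sender (mail platform, case management system, newsletter tool) passes SPF or DKIM alignment, then move to `p=quarantine` and finally `p=reject`; the checker above is meant to be run on each step so a domain does not get stuck at the monitoring stage.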
Both scenarios are all too easy to fall victim to. We are only human, and cyber criminals prey on our fallibility. Ensuring that your firm regularly trains staff to watch for these pitfalls could be the difference between extreme reputational damage and keeping the sensitive business and client data you hold secure.