Home Invasion!!

14
Jul
2016

Jeffrey Brandt

I recently came back from ILTA’s fantastic LegalSEC Summit where I learned quite a bit from my colleagues at law firms of all sizes - big and small - as well as a number of amazing vendors.  The IT folks in attendance were looking for tips to better influence culture and get a handle on information security.  As you might expect, many firms are serious or getting serious about security.  But let me tell you, some firms are very, VERY serious about security.  At LegalSEC I also had the honor of speaking with Steve Boyce from Microsoft.  Our topic was entitled, The Internet of Things Are Lurking.  As that information was published I had a number of people reach out to me on the subject of the IoT (Internet of Things).  

People wrote and called to share articles, ask questions and to generally discuss the topic ahead of the presentation.  I have to say that is one of the things I love about having worked in legal for over three decades - the many people I have met over the years.  They are smart, sharing and look at things from so many perspectives, often different from my own.  I think those differing perspectives are what I appreciate most.

Now I admit that the IoT scares me.  On the one hand the potential upside is huge.  I get that - time savers, amazing conveniences, new connections, etc.  On the other hand, the downside can be killer.   Prior to the IoT, hacking usually resulted in lost or destroyed virtual stuff.  Now that the IoT acts as a bridge between the virtual and meat worlds, hacking can literally kill you.  The IoT is also growing at a dangerously insane speed.  Gartner says there are 6.4 billion connected things now and that by 2020 that number will reach 20.8 billion!  Add to that the fact that there isn’t any real standards.  It’s truly a wild west type scenario.  If you aren’t scared too, you should at least have a very healthy respect for it.

And, as I said in my LegalSEC presentation, the bulk of the IoT is from consumer companies.  That means there is a huge push for profit - volume over quality.  They want to make it as cheap as possible so they sell as many as possible.  If they have to increase the price of their “thing” by spending more time and energy designing secure software, then they might sell less of them and they don’t want that.  For some software is not a core competency and so while it might get the job done, it doesn’t necessarily do it in the best or most secure way.  And updates cost money, so the software often stays unpatched.  There is also some question about router software with backdoors and smart TVs that phone home regardless of the settings you use.

Consumers can’t seem to get enough of the IoT.  Alexa, Nest, Hue and August Smart Locks in your home.  Apple Watch and FitBits on your body.  Smart TVs.  Smart cars.  Smart buildings.  The Edge in Amsterdam achieves its title of “smartest” and “greenest” building through a network of more than 28,000 sensors measuring motion, light, temperature, humidity, infrared, etc.  (Another way to phrase that might be to say they have 28,000 attack surfaces.)  Now you have the IoT invading college bathrooms and laundry facilities, Barbie dolls, dog collars, baby diapers, slippers/shoes, t-shirts, coffee machines, toothbrushes, toilets and cows (yes there is such a thing as the Internet of Cows!).  It makes me want to paraphrase Dr. Ian Malcolm (of Jurassic Park fame) as it relates to companies stuffing sensors and WiFi in anything and everything, "they were so preoccupied with whether or not they could that they didn't stop to think if they should." 

One of the most intriguing things shared with me by one of the very, VERY serious firms concerned home computers and the IoT.  Now, I know most law firm IT staff do their best to avoid home computers and have tried to do so for years.  The limited resources available at the firm and almost infinite potential hardware and software combinations (games in particular) of home equipment generally make it a lose-lose situation.  Most firms support the bare minimum to get users remotely connected to the firm’s network, often a Citrix or similar remote access solution.  Ideally everyone works remotely on the firm’s servers and the home PC remains separate.  Of course, things don’t always work that way.

A recent ForeScout survey said, "Working from home puts the enterprise at risk: Almost half of all respondents reported that in-office security policies failed to extend to their home networks - even when accessing sensitive company data."  Flawed home setups, or frankly, perfectly configured home setups with just one flawed IoT device has the potential to be that weak link in the security chain that gives the hacker access to your client's data.  No one I talked to said that any of their client security audits were specifically addressing this issue, but I suspect it's just a matter of time.  I had someone comment to me that they did a survey of their users and were astounded to see how invasive the IoT has become.  

So the CIO of a big law firm tells me they’re concerned enough about the explosion of IoT in their employees homes that they are about to reverse the general law firm trend and embrace the home computer.  Some of their plans were shared with me.  First they’re looking at requiring an IoT firewall in any home where someone works remotely, attorney staff, paralegal, it doesn’t matter.  Next, as each computer attempts to connect, it will be scanned and receive a grade.  Fail and you might not be able to connect at all.  But fear not, they’ll do their best to “help” you.  They’ll prompt the user to install those Windows updates, or make sure the anti-virus is up-to-date, or those JAVA patches are there, all in an effort to raise their grade.  However, anything less than an A will still get you quarantined.  I can imagine that at the lowest passing level, maybe all you get is OWA.  Successively better grades get you access to more and more core functions of the firm.  As we discussed this approach, Steve Boyce told me Microsoft has a similar setup for remote access.  Microsoft quarantines and rations access to remote computers unless they are 100% up-to-date and protected.

In my conversations on home PC protection, the name “Cujo” came up.  If you remember Yuri Frayman, of LegalKEY Technologies and Frayman Group fame, he is now the Founder and Chairman of Cujo.  Cujo is a hardware/software device that’s described as bringing “business level internet security” to the home network.  I don’t know much yet about Cujo, their IoT smart firewall device, but the subscription service component would appear to be the reason it could work so well.  It looks pretty interesting and with Yuri involved, you know it’s going to be exciting. 

So depending on where you are in developing your firm’s security posture, embracing the IoT and home computers might not make number one on your to-do list. And that’s as it should be.  Go after bigger game first.  But don’t ignore it.  It should be on your list somewhere.  I’m not particularly keen on doubling the number of computers I support, but I know I’m seriously reconsidering my previous posture on home computer support.  Start with a survey to see how far the IoT has penetrated your environment.  Some of the numbers from the World Economic Forum (WEF) survey are truly insane.  For example, by 2025 10% of people will wear clothes connected to the Internet and that one trillion sensors will be connected to the Internet!  Start or enhance a security education and awareness program.  In addition to phishing and other topics, make sure users are aware of the IoT and the potential security risks it entails.  Start making your senior management aware of what all is out there and the potential dangers.  Start looking at what resources you can marshal, what changes you need to make to support a dramatically expanded environment.  Maybe you can be your firm’s first CioTO (Chief Internet of Things Officer)!