Phishing in the Desert
By Caleb L. Green, Esq.
Moore’s Law provides that the number of transistors on a computer microchip doubles every two years, while the cost of computers decreases by 50 percent in that same time. Established by Gordon Moore—the former CEO of Intel—this observation stands for the proposition that we can expect the speed and capability of our computers to increase every couple of years while paying less for them. Indeed, we have seen Moore’s Law in action down through the years. Long gone are the days of bulky cell phones and room-sized computers. Nowadays, we have more advanced technology in our pocket than the Apollo 11 spacecraft that made America’s first voyage to the moon in 1969.
As a society, we have become more reliant on this technology as it grows faster and more compact over the years. In fact, information technology makes up the backbone of modern businesses, law firms, and government agencies. Consequently, this makes organizations, both large and small, targets for cyber-crimes and attacks. Most organizations rely on various forms of information technology to further their business and operations, including smart devices, personal computers, and cloud-based systems to store consumer data, employee information, valuable intellectual property, and other sensitive information. As a result, hackers view these institutions as a reservoir of valuable information that can be exploited, held for ransom, or sold on the black market.
Notably, in light of the current state of foreign affairs, cyber-attacks are likely to increase. Recently, President Trump ordered an airstrike, killing one of Iran’s most powerful generals. The Iranian government has a well-documented reputation for using cyberattacks on critical infrastructure as a form of terrorism. Iran has attacked and successfully planted malware in significant U.S. infrastructure, including dams. More recently, shortly after the U.S. airstrike, hackers claiming to be affiliated with Iran took over the website of the Federal Depository Library Program—an American government agency—and vandalized it with a defaced image of President Trump. Iran has also demonstrated a destructive appetite for malicious cyber warfare against other countries. For example, Iran hacked key oil workstations across Saudi Arabia in 2012 and 2016, causing damage to over 30,000 computers. Given Iran’s track record and the current level of conflict between the U.S. and Iran, U.S. officials are preparing for retaliation in the form of cyber-attacks.
Accordingly, cyberattacks should be viewed as an immediate and urgent challenge for institutions, including Nevada organizations. Nevada organizations and infrastructures are at significant risk from cyber warfare. As the entertainment capital of the world, Las Vegas, Nevada is a magnet for consumer data. In 2019, the City of Las Vegas welcomed a record of 51.1 million visitors, many of whom shared their personal data through gambling, entertainment services, sports activities, and healthcare, among other activities. Traveler consumer data volume is likely to increase in the coming years with the expansion of sports and entertainment in Southern Nevada, namely the addition of the Las Vegas Raiders and the 2020 NFL draft. As a result, Nevada will remain at high risk for cyber-security attacks as hackers will likely attempt to access the mounting amounts of consumer and personal information our businesses, municipalities, and organizations store.
The leading cause of cyber-attacks worldwide is phishing attacks. Phishing is the use of electronic communications, including phone calls, text messages, and even social media tools, to disguise fraudulent communications as legitimate messages from trusted sources. These attacks seek to acquire sensitive information, including usernames, passwords, financial metrics, biometric data, intellectual property, and network credentials. Often, the email or message will contain a malware-infected attachment or hyperlink that, if opened, will install malicious software on the device and surrender sensitive information. Cyber-attackers couple social engineering schemes with phishing ploys to manipulate users into carrying out specific tasks, such as opening the malware-infected attachment, clicking the compromised link, or otherwise divulging confidential information.
The most recent example of a phishing attack occurred in Southern Nevada earlier this year. In January 2020, on the opening day of CES—the world’s largest consumer technology trade show—the City of Las Vegas prevented a major data breach. After the city’s computer network was breached, it was forced to take several systems offline, including its own website. Several reports have surfaced suggesting that the attack originated through an employee falling victim to a phishing email.
Additionally, law firms are not immune to phishing attacks. In recent years, cybercriminals have targeted law firms to gain access to the highly confidential data attorneys possess. The past few years have seen an increase in phishing attacks on law firms to steal data for insider trading. Cybercriminals also attempt to breach law firm networks to hold client information and sensitive data for ransom.
So, what can Southern Nevada institutions do to protect themselves from cyber-attacks? While you cannot guarantee the prevention of a cyber-attack or data breach, you can minimize those threats by developing strong cyber safety habits to help prepare for a cyber-attack.
Limit insider threats
Most cyber-attacks derive from human error. In other words, data breaches are often caused by people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Also known as “insiders,” these individuals have legitimate access to organization data to carry out their work duties and, through negligence or malicious conduct, reveal sensitive information to outside threats.
You can limit the risk of insider threats by restricting privileges and access to sensitive data and your organization’s computer network. For example, organizations can limit the end user’s administrative privileges and restrict certain users from downloading content. Likewise, by disabling input/output devices on workstations and computers, employees and associates will be unable to download and install malicious software that could jeopardize your organization.
Invest in information security resources
It is also prudent for organizations and businesses to invest in information security resources. Establishing an information security plan, hiring information technology professionals, installing security devices on your computer network—these may be necessary steps for your organization to take to reduce the risk of a data breach. The more your business or organization relies on technology, the more you should consider consulting with an information security professional about ensuring your business is properly protected.
Understand data breach disclosure requirements
While an institution can take every measure imaginable to prevent cyberattacks and data breaches, no organization or business can completely insulate itself from outside threats compromising its sensitive information. Organizations that store consumer and customer data must also take additional steps to insulate themselves from legal liability in the event of a data breach. Nevada has adopted legislation mandating that organizations that collect and store personally identifiable information (PII), such as financial data, contact information, and passwords, of Nevada residents must follow specific procedures for notifying victims of the breach. For Nevada businesses that will likely collect consumer data and PII from non-Nevadans, tourists, and visitors, it is especially important to be aware of the notification requirements for other states and countries as well.
About the author:
A former information technology professional, Caleb L. Green is a graduate of the William S. Boyd School of Law, an attorney at Dickinson Wright PLLC, and the Corporate Sponsorship and Fundraising Chair of the Las Vegas Chapter of the National Bar Association.
This article was originally published in the “Technology in Practice” issue (March 2020) of Communiqué, the official publication of the Clark County Bar Association.