“We have refunded 243 euros to your account. To confirm the payment, click on…” Who has never received a link like this? Every citizen is a target of cyberattacks, and lawyers are especially vulnerable. Paul Bousquet, Police Commissioner, and Olivier Grall, Delegate for Digital Security, gave a conference on “Computer Hygiene at the Top” at the Lawyers’ University held in Cap-Ferret on 2 and 3 September. It is enough to read the reporting on cyber threats to measure the scale of the problem: between 2014 and 2020, the number of cyber incidents was multiplied by four every year.
In 2021, the growth was 40%. And the regional examples are many: the theft of data at the Dax hospital and at Cdiscount, the halt of production at the Pierre Fabre laboratory, the attack on the sewage treatment plant in Oloron, and ransomware at the Bordeaux Chamber of Commerce and Industry. All of these cyberattacks occurred in the first half of 2021.
Between 2014 and 2020, the number of cyber incidents has quadrupled.
DON’T GIVE IN TO BLACKMAIL
As with the latter, the right answer is not to give in to blackmail. “It is not worth paying, for two reasons,” explains Paul Bousquet. “There are two forms of blackmail: paying to recover the data, which is rarely returned, and against which regular backups are enough; and the threat of publication, where you should know that the data will be published anyway because it has a market value.” Moreover, paying sends the wrong signal: it shows our vulnerability, and hackers will not hesitate to attack the same target several times and to sell “client files” to one another! In addition, the payment, usually made in bitcoin, passes through offshore companies acting as “mixers”, so that any traceability or investigation is almost impossible.
“The main entry point for a cyberattack is email,” notes Olivier Grall. “We are rarely hacked; in most cases it is the person himself who hands over his data.” The manipulation technique is called social engineering, and its most effective vehicle is phishing, which consists in impersonating someone (a work contact, an institution, a public service) or creating a fake site (for example Doctolib, Ameli or a banking site). The attack may be broad (mass mailing) or targeted. Either way, the method pushes victims to share sensitive information, follow malicious links, download infected programs or send money. The speakers’ demonstration is instructive: a fake Doctolib site on which you enter your password lets the attacker take control of your computer.
The hacker can then wait weeks or months, because an attack on a large company often begins by phishing an ordinary employee, which then sets off a chain of attacks (the kill chain): “When they control the server, the spread is 500 messages per minute,” warns Paul Bousquet. A law firm is thus an ideal target for reaching an important client. Confidential or compromising information then circulates on the dark web, including on the best known of its networks, Tor.
WHAT ABOUT BEST PRACTICES?
Among the main pieces of advice the speakers gave is raising staff awareness: the attack often comes in by an indirect route. A security approach is needed, and not only a digital one: “We were the victims of a cyber threat,” says a lawyer attending the conference. “We refused the blackmail; two weeks later our office was burgled and three confidential files were stolen.” Other tips: do not use gmail or hotmail addresses and prefer avocat.fr, make regular backups, and above all never click on a link without looking at what you are clicking on.
Beware of the “typo”: a single letter or character changed in an email address.
DO NOT MIX DATA FROM PROFESSIONAL AND PRIVATE PHONES
Read the address header carefully: beware of the “typo”, which consists of changing a letter or character in an email address or in the name of a fake website. Take the time to read domain names. And of course: do not save your passwords in the browser, and do not always use the same password. “More and more attacks are coming via SMS,” the speakers also warn, “and here too we must be vigilant.” “Do not mix data from business and private phones; you create loopholes,” Paul Bousquet warned, in front of a surprised audience that clearly does not follow these rules! Finally, you should know that there are effective antiviruses for smartphones, and that it is important to install all updates. If in doubt, there is a list of the 10,000 most used passwords, and https://haveibeenpwned.com to check whether your data has already been breached!
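The manual check the speakers describe (read the sender’s domain, look for a changed character, distrust a brand name that does not sit at its real domain) can be automated for a mailbox or a mail gateway. The following Python is an added example written for this page; it is not code from the article, the speakers or any of the brands named. The list of trusted domains, the constructed sample headers and all function names are assumptions for the example. It flags three patterns: a domain within one edit of a trusted one (amel1.fr), a trusted name buried as a subdomain of someone else’s domain (ameli.fr.secure-login.net), and a display name that claims a brand whose domain does not match.

```python
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list: the domains this reader legitimately expects mail from.
# Doctolib and Ameli are the brands the article names as impersonated; the list
# itself is an assumption for the example.
TRUSTED_DOMAINS = {"doctolib.fr", "ameli.fr", "avocat.fr", "haveibeenpwned.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings: the number of single-character
    insertions, deletions or substitutions that turn a into b. A domain
    with one swapped letter is at distance 1 from the genuine one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(domain: str) -> str:
    """Naive 'last two labels' rule: login.ameli.fr -> ameli.fr, but
    ameli.fr.secure-login.net -> secure-login.net. Assumption: adequate for
    .fr/.com-style suffixes; a production tool would use the Public Suffix
    List so that suffixes such as co.uk are handled correctly."""
    return ".".join(domain.split(".")[-2:])


def check_domain(domain: str, trusted=TRUSTED_DOMAINS,
                 max_distance: int = 1) -> Optional[str]:
    """Return a reason string when the domain impersonates a trusted one,
    or None when it is either genuinely trusted or simply unrelated."""
    if not domain.isascii():
        # Unicode look-alike letters (homoglyphs) are never a legitimate
        # spelling of an ASCII brand domain; treat them as suspicious outright.
        return "non-ASCII characters in domain (possible homoglyph)"
    d = domain.lower().rstrip(".")
    reg = registered_domain(d)
    if reg in trusted:
        return None  # the brand domain itself, or a real subdomain of it
    for t in sorted(trusted):
        # Brand name used as a subdomain of somebody else's domain.
        if "." + t + "." in "." + d + ".":
            return f"trusted name '{t}' embedded in unrelated domain {reg}"
        # A character or so away from the brand domain: a typosquat.
        dist = levenshtein(reg, t)
        if dist <= max_distance:
            return f"{reg} is {dist} edit(s) away from trusted {t}"
    return None


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Apply check_domain to the address in a From: header value, then make
    sure a display name that claims a trusted brand really comes from it."""
    name, address = parseaddr(from_header)
    if "@" not in address:
        return "no parsable address in From header"
    domain = address.rpartition("@")[2]
    verdict = check_domain(domain, trusted)
    if verdict is not None:
        return verdict
    brand_domain = registered_domain(domain.lower().rstrip("."))
    for t in sorted(trusted):
        brand = t.split(".")[0]  # "doctolib" from "doctolib.fr"
        if brand in name.lower() and brand_domain != t:
            return f"display name mentions '{brand}' but address is at {brand_domain}"
    return None


# Constructed From: header values covering the legitimate and suspicious cases.
SAMPLE_HEADERS = [
    "Doctolib <no-reply@doctolib.fr>",
    "Ameli <remboursement@amel1.fr>",
    "Support <contact@doctollb.fr>",
    "Ameli <support@ameli.fr.secure-login.net>",
    "Doctolib <rdv@mail-notification.com>",
    "Bank <alerts@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:45} -> {check_sender(header) or 'ok'}")
```

The edit-distance threshold is deliberately set to 1: raising it to 2 catches more variants but starts flagging short, unrelated domains, so in practice it is tuned per allow-list. None of this replaces reading the address yourself; it turns the habit the speakers recommend into a check that runs on every message.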
CYBER CAMPUS PESSAC
The Regional Council has just created the Nouvelle-Aquitaine Regional Campus for Cybersecurity and Digital Trust, which will be located on the Amperis site in Pessac. The campus, which opens its doors on 10 October, aims to respond to computer incidents affecting local VSEs, SMEs and TPIs, and is also committed to economic development through training and support for regional players. Its director, Guy Flamant, began a pre-incubation programme organised by ANSSI (the National Agency for Information Systems Security) at the start of the year.