Cyberattacks can happen anytime, anywhere—How you react is the key
The headline was clear and scary. “Cyberattack Hits Administrative Office of Pennsylvania Courts.” Yes, another attack on the courts. The attack disabled online docket sheets and the electronic case document filing portal. Court officials claimed that there was no evidence that the hackers had stolen data.
When you read a little further, you learned a lot of other information, even if the courts did not supply all the details.
First, the attack was a denial of service (DOS) attack. That’s not the type of hack we are used to hearing a lot about. More often, we hear about ransomware and malware. But there are many other types of attacks. And of course, it was disruptive. That presumably was the hacker’s goal. So, what is a DOS attack? According to CISA, the Cybersecurity and Infrastructure Security Agency (https://cisa.gov), a denial of service cyberattack occurs when an attacker overloads a target with traffic. CISA is the agency charged with protecting the nation’s cyber infrastructure. It is also one of the best resources available for everything you want to know, and more, about cybersecurity.
When a DOS attack occurs, the attacker floods the targeted network with traffic until it cannot respond or simply crashes. As a result, legitimate users are prevented from gaining access to the site. The website, cloudshare.com, explains that there are two types of DOS attacks: buffer overflow attacks and flood attacks.
A buffer overflow attack causes the attacked system to use up all available hard disk space, memory, or CPU time. As a result, the site cannot handle all of the information and stops functioning. Conversely, a flood attack sends the server an overwhelming number of packets, which are small units of data, causing a DOS. Picture one person trying to catch baseballs thrown at him from hundreds of people at the same time.
The attack on the AOPC was a flood attack. Pennsylvania Supreme Court Chief Justice Debra Todd acknowledged this in a statement released to the public. She termed it a “denial of service” cyberattack. She used the CISA’s description, noting that they “flooded the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.”
Compare this with ransomware, which in essence locks down a computer or computer network until the victim pays a ransom and then, they hope, regains access to the network. Delaware County, for example, suffered a ransomware attack in 2021 and paid $25,000 to regain access. While no attack is good, it is often easier to recover from a DOS attack than a ransomware attack.
Second, it appears that the AOPC had a plan, implemented the plan, and was transparent. That is the best practice for how an attack victim should react. Plan, implement and be transparent. Promptly after the attack was discovered and the court knew what was happening, Todd issued a statement providing information about the attack and what was being done in response. She also noted that the “court information technology and executive team continues to work closely with the FBI and Homeland Security to analyze and investigate the cyberattack.” And while you may not realize it is important, you should always notify the appropriate governmental agencies as soon as possible.
Third, it appears that the DOS attack did not involve any access to information. If it had, the court would likely have indicated that, and begun to assess that damage. Like ransomware attacks, if court data is breached, the implications are much greater.
Finally, the court was transparent. And therein lies a lesson for all. In short, while no one wants to be the victim of a cyberattack, the ramifications of this were minimized.
If the courts can be hacked, law firms can too. Law firms, like other businesses, must have a plan for when an attack occurs. It is impossible to prevent all attacks. DOS attacks, while not 100% preventable, can be minimized. CISA recommends proactive steps you can take to reduce the impact of an attack on your network.
- Use a DOS protection service that will detect abnormal traffic and redirect it away from your network. This makes sense for larger firms that are more likely to experience a DOS attack.
- Create a disaster recovery plan. This is essential for all types of cyberattacks. Doing so will ensure more efficient communication, mitigation, and recovery in the event of an attack.
For most law office networks, the chances of a ransomware attack or some other virus are greater threats, and ones they must prepare for. After all, it bears repeating that there are two types of firms, ones that have been hacked, and those that will be.
According to the cyber-insurance broker, embroder.com, cyberattacks were rated among the top risks in the 2020s and were the “new norm” across public and private sectors. More troubling are the types of attacks on businesses that are most common:
- Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%
Equally troubling is the fact that the primary cause of ransomware and other common attacks was “exploitation of remote access,” i.e., users clicking on links in spam or phishing emails. In other words, the number one cause of ransomware attacks is user error or ignorance, not proactive efforts by cyberhackers. Thus, in most cases, the weakest link was staff.
Fortunately, it is relatively easy to prevent many of these attacks, with user training being the first and most important line of defense. Firms can hire outside trainers to educate staff. There are also excellent guides that explain how to prevent a ransomware attack.
Most cybersecurity experts agree that by taking the following precautions, you can prevent most attacks:
- Never click on links in email unless you are absolutely certain they are valid.
- Do not click on links in spam emails. Not all spam emails look like spam. Hackers can “spoof” email addresses fairly easily. If an email message or format does not seem quite right, or your inner “alarm” is going off, instead of clicking, hover your mouse over the link and if the address that displays is one that you are not familiar with, do not click on it. If you are not sure that the link is valid, contact the sender by sending a separate email (do not forward the potential spam) and asking whether they were the source of the email. Clicking on these forms of malicious links is the number one way computers get infected, not only with ransomware, but also all forms of viruses.
- Do not open untrusted email attachments. Do not click on attachments to email unless you are certain that the email came from a source you know and trust. If you are not sure that the attachment is safe, contact the sender by sending a separate email (do not forward the potential spam) and asking whether they were the source of the email.
- Only download files from websites you trust.
- Do not give out personal information if you receive an email from an unknown or untrusted source. Similarly, do not give out this information in response to a text or phone call.
- Keep your software up to date.
As AOPC made clear, yet again, high-profile sites are targets for hackers. So too are law firms, regardless of size. Law firms have information that hackers want. They have all types of information, such as Social Security numbers, financial data, personally identifiable information and more. It is therefore essential that firms plan for a possible breach. And when the breach occurs, have a plan.
Daniel J. Siegel, principal of the Law Offices of Daniel J. Siegel and chair of the Pennsylvania Bar Association committee on legal ethics and professional responsibility, provides ethical guidance and Disciplinary Board representation for attorneys and law firms; he is the editor of “Fee Agreements in Pennsylvania” (6th Edition) and author of “Leaving a Law Practice: Practical and Ethical Issues for Lawyers and Law Firms” (First and Second Editions), published by the Pennsylvania Bar Institute. He can be reached at dan@danieljsiegel.com.