Our next guest is Curtis Preston, AKA "Mr. Backup". Curtis is a backup and cyber recovery expert, author, podcast host, and technical evangelist for S2Data.com, a firm specializing in helping companies leverage their legacy data. He has been working in the space since 1993 and has written four books on the subject: Modern Data Protection, Backup & Recovery, Using SANs and NAS, and Unix Backup & Recovery. He joined us today to talk about the importance of cybersecurity for lawyers.
Join Curtis and me as we talk about the following three questions and more!
What are the top three things lawyers are doing wrong with their own cyber security, and how can they correct it?
What are the top three issues lawyers are missing or not understanding when it comes to E-discovery?
What are the top three things lawyers should be doing when they're under a ransomware attack?
In our conversation, we cover:
[01.13] Tech Setup β Curtisβs current tech setup.
[03.13] Challenges - Challenges of using Windows and Mac operating systems.
[07.07] Tips & Tricks - Curtis shares his top three tips for balancing between Windows and Mac.
[08.52] Multi-Factor Authentication - Importance of multi-factor authentication and password managers.
[13.00] Data Backup - Curtis explains why not backing up your data is a mistake.
[19.43] Recovery Services - The importance of having a third-party cloud backup.
[20.14] E-Discovery - Curtis explains the E-Discovery challenges and best practices.
[22.49] Documented Process β The importance of having a documented, well-tested process for e-discovery.
[24.38] Ransomware Attack β Curtis explains the initial steps of handling a ransomware attack.
[28.25] The importance of having an authentication and authorization system for a backup.
[32.10] Air Gap Backup - Curtis explains how to make an Air Gap backup.
[36.07] Relationships - Developing a relationship with cyber professionals.
[38.38] Security Questionnaire - The top three things to look for in a security questionnaire from a provider.
RESOURCES
Connect with Curtis
Books by W. Curtis Preston
Equipment Mentioned in the Podcast
Software & Services Mentioned in the Podcast
Transcript:
The Tech Savvy Lawyer Ep 104Curtis Preston
[00:00:00] Title Read
[00:00:00] Michael D.J. Eisenberg: Episode 104, Protecting Your Practices Technology, W. Curtis Preston on Legal Cybersecurity and Device Management for Lawyers.
[00:00:20] Introducing Our Guest!
[00:00:20] Michael D.J. Eisenberg: My next guest is Curtis Preston. A technology evangelist and host of the podcast, The Backup Wrap Up, where listeners learn how to better protect their organizations from data loss, be it from accidents, disasters, or ransomware. Chris and I discussed the challenges of balancing window and Mac operating systems and the importance of cybersecurity measures.
[00:00:38] Michael D.J. Eisenberg: Curtis shares his top suggestions to improve cybersecurity for lawyers, including the need for multi factor authentication. Password managers and proper data backup. Join us as we discuss all this and more. Enjoy.
[00:00:52] Michael D.J. Eisenberg: Have you been enjoying the techsavvylor. page podcast? Consider giving us a five star review on Apple Podcasts or wherever you get your podcast feeds.
[00:01:03] Michael D.J. Eisenberg: Curtis! Welcome to the podcast.
[00:01:04] W. Curtis Preston: Happy to be here.
[00:01:05] Michael D.J. Eisenberg: I appreciate you being here.
[00:01:06] Our Guests Current Tech Stack!
[00:01:06] Michael D.J. Eisenberg: And please tell us what your current tech setup is.
[00:01:09] W. Curtis Preston: Well, that's quite the question as I look over my desk because I am a Mac user. I have a MacBook Pro, one of the newer ones, like a 13 inch MacBook Pro. It's one of the newer, the M, I think it's the M2 chip.
[00:01:24] W. Curtis Preston: And I also have a Windows, uh, Dell. Latitude laptop that I use for literally one purpose. I do a lot of writing and I use voice to text and I, I've used Dragon for years and it only runs on windows. So I have a laptop that literally has one purpose and that's it. Got a Logitech Brio. Camera, I have a Audio Technica 2500X, uh, is the microphone that I'm using at the moment.
[00:01:50] W. Curtis Preston: Ring light behind me. And I got a, um, I don't know, what else? I don't know, some big old headphones that I'm not wearing at the moment. That's what about,
[00:01:57] Michael D.J. Eisenberg: uh, mobile devices and tablets? Oh,
[00:02:00] W. Curtis Preston: mobile devices. I'm not a big tablet guy, but I am an iPhone 15 user, which just yesterday got its screen replaced.
[00:02:07] W. Curtis Preston: Thanks to me stomping on it a week or so.
[00:02:12] Michael D.J. Eisenberg: Did you get that repaired under the Apple care program or did you do it on your own?
[00:02:16] W. Curtis Preston: No, via Verizon. I had the Asurion, you know. Oh,
[00:02:20] Michael D.J. Eisenberg: okay. Cool. The guy
[00:02:21] W. Curtis Preston: just showed up at my house. It was very nice. I, you know, I clicked some buttons and the guy showed up at my house, took my phone out in his van, brought it back a half hour later.
[00:02:29] W. Curtis Preston: All beautiful. It was beautiful.
[00:02:30] Michael D.J. Eisenberg: You know. David Sparks of Mac Sparky and Mac Power Users fame. He was, I remember him for many years using Dragon Dictation on his Apple devices. And apparently that's no longer allowed by Apple or no longer supported or
[00:02:46] W. Curtis Preston: No, it, it, it was a Microsoft decision. Microsoft now owns Dragon, naturally speaking, and all they ever had was Dragon Dictate.
[00:02:54] W. Curtis Preston: They never had Dragon, naturally speaking, which is the much more powerful product. And then they decided to just kill that off. Oh, okay. Yeah. Yeah,
[00:03:02] Michael D.J. Eisenberg: well, how do you like kind of like switching between the 2 operating systems windows and Mac?
[00:03:07] W. Curtis Preston: Oh, it's maddening. Luckily. I don't have to do a whole lot. I mean, I was a longtime windows user and, you know, I'm an I.
[00:03:13] W. Curtis Preston: T. guy. So you kind of have to go back and forth between the 2 anyway. And I'm also a Linux user. So, you know, I'm, I'm. Perfectly fine with that as well, but it is maddening, especially if you have to do anything on the command line where, you know, it's the whole backslash versus the forward slash thing.
[00:03:30] W. Curtis Preston: It's it's absolutely maddening. So I wouldn't recommend it for anybody, but the very dedicated person.
[00:03:37] Michael D.J. Eisenberg: Well, let me surprise you with a question here.
[00:03:39] Q?B: βWhat are your top three suggestions when you have to balance between Windows and Mac, having done it yourself?
[00:03:39] Michael D.J. Eisenberg: What are your top three suggestions when you have to balance between Windows and Mac, having done it yourself? And I really, I'm a little surprised question.
[00:03:47] Michael D.J. Eisenberg: It's not part of my three plans.
[00:03:48] W. Curtis Preston: Yeah, it's definitely a surprise question. Well, the difference between the two, I think the Windows laptop needs a little bit more protection than, I think there's a little bit more protection built into the Mac platform. Right, you know, I just like the way that it notifies you when you're downloading things when you're installing things.
[00:04:08] W. Curtis Preston: I just like the way that runs a little bit better. I also like the way the Mac backs up. I'm a backup guy, right? The fact that time machine, which works really well is built into the to the Mac platform is, um, and by the way, I don't use it. I don't use time machine. I use like a third party, uh, software to backup my Mac, but I like it.
[00:04:30] W. Curtis Preston: I'm machine. I like how it works, but why don't you use time machine? If I may ask? Yeah, that's a really good backup question because time machine assumes that the device you're backing up to is right next to it. And that's a really bad thing to do from a backup design standpoint. You want your backup as far away from your primary as possible.
[00:04:47] W. Curtis Preston: And so the best way to do that, especially for, you know, for, Casual users is to, uh, is to have a cloud service that does that.
[00:04:56] Michael D.J. Eisenberg: Well, isn't the whole 3 2 1 concept of, you know, one computer, uh, two different locations for backups, three different backup sources. So tell me, you know, what are your thoughts about the whole 3 2 1 concept of backing up?
[00:05:09] W. Curtis Preston: Well, it's literally by one of my favorite things to talk about, right? It comes up a lot on, on my podcast. Uh, you know, the idea with 3 2 1 rules, you want three copies of your data. On two different types of media, one of which should be offsite and the cloud backup conforms with all of that. Right? So three different copies.
[00:05:27] W. Curtis Preston: Uh, it is really a historical thing. Just make sure, you know, you just don't want one copy two different copies. The primary is considered one of those two copies and then one being offsite. So the cloud, the cloud backup being entirely offsite time machine is a wonderful thing. And it's the best thing.
[00:05:42] W. Curtis Preston: For copying old laptop to new laptop, right? So it's nice to have it's nice to have a time machine backup when you're doing that. But to make sure that you have a backup of all your files, including the files on your phone, right? You need cloud backup software and iCloud is not a backup software. iCloud is a is a synchronization tool.
[00:06:01] W. Curtis Preston: And it's a great synchronization tool, but it's not a backup software because if you delete the primary on your phone, it also deletes it in the cloud. So that's why it's not a backup software, but doesn't
[00:06:10] Michael D.J. Eisenberg: like iCloud. And for instance, my favorite, my personal favorite Dropbox, they have different versions.
[00:06:16] Michael D.J. Eisenberg: So can't you look at the older version?
[00:06:18] W. Curtis Preston: I cloud iCloud doesn't do versioning. Dropbox does basically iCloud. The best iCloud will do for you is if you accidentally deleted, let's say hundreds or thousands of photos, they'll be like in a, in a, um, recycle bin, and you can get them back out if you notice that in advance and all of that, right?
[00:06:36] W. Curtis Preston: But the point is, it's not really, it doesn't behave the way I think of when I think of, you know, backup software. Because there are hacks, by the way, there are attacks against you where you can go in and you can very easily disable. And delete the iCloud account and poof, it's gone. You can do, you can do that from your phone, right?
[00:06:54] W. Curtis Preston: So yeah, so I'm not a big fan of that.
[00:06:55] Michael D.J. Eisenberg: So going back to my question though, my original question was, my surprise question, what are three tips or tricks that you would suggest for people who have to balance out both Windows and Mac operating systems in their lives?
[00:07:07] W. Curtis Preston: Yeah, you know, um, I mean, I think both of them need antivirus software, right?
[00:07:12] W. Curtis Preston: It's something to keep out, you know, keep looking for that. And then my usual thing for any device is that it needs some kind of backup. And so you're going to whether you're doing Windows, Mac or iOS or Android, you need a backup software that runs all the time and always keeps a copy of your data in some other location.
[00:07:30] W. Curtis Preston: And that's regardless of whether you're not Uh, you're doing Windows or Mac, and then I would say it would be nice if you're going back and forth between the two, it would be nice if you do have some kind of, assuming that you have work that you need to access on one versus the other, that's what synchronization tools are for, right?
[00:07:50] W. Curtis Preston: So things like Dropbox, uh, and similar tools where you can access the data on both sides. Me personally, I don't really have that particular, um, problem, but I, I think it's a really useful one. Okay, cool.
[00:08:02] Michael D.J. Eisenberg: Well, let's get into the
[00:08:02] Q?#1: βWhat are the top three things lawyers are doing wrong with their own cybersecurity and how can they correct it?
[00:08:02] Michael D.J. Eisenberg: questions. question number one. What are the top three things lawyers are doing wrong with their own cybersecurity and how can they correct it?
[00:08:09] W. Curtis Preston: Well, I'd say the first thing they're doing wrong is not using MFA wherever they can, right? So multi factor authentication is, uh, it's a huge, huge thing to stop cyber attacks because there are myriad ways for your password to ultimately get stolen, right?
[00:08:27] W. Curtis Preston: There are password trackers. There are, there are key stroke trackers. There are all kinds of things. That can be used to steal your password and sometimes you just do dumb things and you enter your password where you're not supposed to, right? So the way to stop those attacks is MFA, right? So you'll, you'll get a notification.
[00:08:45] W. Curtis Preston: Hey, someone is trying to log into your account, you know, and you need to enter that other factor. The, and if possible, there was a great message that came out from the FBI actually in this last week. Where they announced about how that, uh, the SMS is just simply not secure and that they believe that many of these, uh, networks have been infiltrated.
[00:09:07] W. Curtis Preston: And so along with MFA, uh, or part of that is to make sure that you, that you're not using Ms. That SMS. As that MFA, if at all possible, many of the vendors, unfortunately, SMS and email are the only ways that they offer as a, as another factor, if you can use a one time password system, like Google Authenticator, or I happen to like Authy, if you can use that, you will be much better off, much more secure.
[00:09:33] W. Curtis Preston: So that's the first one is MFA. The second one is not using a password manager that I am a huge proponent of password managers. And, uh, they are not all created equal and, you know, and you need to do, uh, some research, uh, perhaps you should look into recent news. Uh, and see which ones have, have been, uh, compromised.
[00:09:52] W. Curtis Preston: And I wouldn't recommend using one that's been compromised, but the, uh, you know, you want to have a unique password for every site and you want to have that password be really long, like beyond 16 characters, right? Because fewer than 16 characters is guessable by modern day computers in a relatively short period of time.
[00:10:12] W. Curtis Preston: So you want to have a very long password and you want to have a unique password for every site. And the only way you're going to do that is password management, right? And so, yeah, so number two would be password managers. And number three? It's not backing up your data. We live in a world, especially younger people, they've lived in a world where everything is a solid state and solid state drives fail much less often than regular or than old school hard drives.
[00:10:38] W. Curtis Preston: And so I don't think they have the fear of the hard drive dying that older folks like me have. But the thing is, it's more than just hard drives dying, there's stupid things, and there's cyber attacks, and there's ransomware, and there's all these other things that can take out your data, and you need a third party cloud copy of your, uh, data, encrypted, stored in a completely separate system.
[00:11:00] W. Curtis Preston: So not backing up your data is a huge mistake.
[00:11:03] Michael D.J. Eisenberg: So let's take a pause in the question. And sort of give you an opportunity to talk about what you do over at S2Data.
[00:11:11] Learning a Little More about Our Guest's Work at S2Data!
[00:11:11] W. Curtis Preston: So thanks. S2Data is a company that specializes in, I like the way, the way our CEO puts it is we specialize in data that everyone else is trying to forget.
[00:11:24] W. Curtis Preston: Right? So love working with legacy data, things like backups and archives. We also love looking into forensic data. So pulling data off of hard drives. And mobile devices, laptops, all of those kinds of things for both, both of these are for lawsuit purposes as well as a compliance purposes. Management of employees purposes, basically, it's all of the really hard, gritty stuff when we start talking about managing data in a, in a large or small company.
[00:11:58] Michael D.J. Eisenberg: And are you tailored for large companies, small companies, any size company?
[00:12:03] W. Curtis Preston: Really any size company, because very few companies have the kind of expertise that we have in handling these, these data sets. Very few companies have any kind of forensics, obviously, uh, expertise, right? So that comes into play pretty much in any size company.
[00:12:19] W. Curtis Preston: And then the other side, the backup side, we deal a lot with really both really large and really Old backup sets, backup and recovery. It's what I've spent most of my career in and backup and recovery is designed to do one thing and that's restore old data, except restore a server to the way it looked yesterday.
[00:12:38] W. Curtis Preston: I mean, just backup and recovery is designed to do one thing and that's restore something to the way it looked yesterday. Maybe to the way it looked last week. The problem is everybody has this tool that's designed to do that and they wanted to do something else. They want to find all the emails that Steve wrote, uh, that said this word, right?
[00:12:57] W. Curtis Preston: They're looking for the, they're looking for the smoking gun. They're looking for proof of malfeasance, et cetera. The backup tools are not designed to do that. Right. And that's where we, we have custom software that's able to go directly into the backups and then extract that data.
[00:13:12] Michael D.J. Eisenberg: So let's say I'm an attorney and whatever, you know, working one day and there's a huge power surge.
[00:13:18] Michael D.J. Eisenberg: And my computer is completely fried. I call you. What could you do to help me recover that hard drive?
[00:13:24] W. Curtis Preston: So that is under the data recovery service. It's a call that honestly, I hope we don't get from you, right? I hope that you listened. It's the call that I hope that you listened to the first part of the episode and you backed up your data and you have it in some sort of third party service.
[00:13:40] Michael D.J. Eisenberg: Let's just say I'm panicking. It's like, Oh my God, it's fried. I'm screwed. You know, the court's going to kill me.
[00:13:46] W. Curtis Preston: Yeah, this is when talking about literally forensic examination of that drive. And this is clean room data recovery situation. It's the hardest thing that we do. We're happy to do it for you.
[00:14:01] W. Curtis Preston: It's just, it's the call that we don't want to take. Right. Right. Of saying, Hey, I mean, we'll take it. Right. But it's, we're hoping that the attorney is doing the things that they're doing to save the data that they're supposed to say, right? Typically, the reason that we're dealing with your hard drive is a forensic type examination where there's a lawsuit again, or, uh, perhaps you have an employee, uh, it off boarding system so that every time a company, an employee leaves your company, you image their hard drive, you image their phone, you image all of these different things.
[00:14:37] W. Curtis Preston: Right. Or potential resources later, right? But it is possible to do digital recovery of a device that's been fried. you know, and I'll just put a but there, that is one of the hardest things to do in IT. So again, I don't want you to have to call us for that. I want you to do, save your data first.
[00:14:57] Michael D.J. Eisenberg: So I'm guessing that it's not cheap, and I'm not asking for you to quote any prices right now.
[00:15:02] Michael D.J. Eisenberg: And how long would something like that take?
[00:15:05] W. Curtis Preston: Yeah, at a minimum, it's going to be many days, right? It'd be longer than that to be. It's just, it's, it is a giant, incredibly variable process. The cost and the complexity all depends on what type of damage has been done to the device. You know, whether or not it's a magnetic rotational device or an SSD.
[00:15:24] W. Curtis Preston: I'll be honest, if it's an SSD, you probably have less success. Then if it's magnetic, uh, yeah, because SSDs are just a giant collection of electrical voltages. Right? Just like you look at, it's just a bunch of little cells that are holding a bunch of voltages. And when you, the scenario that you gave me, where I just get a big electronic from an EMP, right?
[00:15:47] W. Curtis Preston: Electronic magnetic pulse, it can just basically just wipe out all those voltages, right? Whereas with a mechanical hard drive. Typically, what we're talking about is it's a mechanical failure of one of the components and you can disassemble the hard drive and read the remaining components. So,
[00:16:04] Michael D.J. Eisenberg: well, thank you.
[00:16:05] Michael D.J. Eisenberg: I appreciate that's just a lot of complex solutions that could be made easier. Ideally, if we back up, not a guarantee, of course, but not only a backup on site, but a backup as you prefer off site. I prefer both, and I've got a little bit of a mix between the two. Let's continue the questions.
[00:16:23] Q?#2: βWhat are the top three issues lawyers are missing or not understanding when it comes to e discovery?
[00:16:23] Michael D.J. Eisenberg: Question number two.
[00:16:24] Michael D.J. Eisenberg: What are the top three issues lawyers are missing or not understanding when it comes to e discovery?
[00:16:29] W. Curtis Preston: So, the first, it's a continuation of what I was talking about previously, about the fact that, so my summary statement is, not understanding just how hard. It is to do, uh, e discovery against backups. So we're almost always wanting to do email, right?
[00:16:48] W. Curtis Preston: We want to get all of the emails that have this word in them. And just understanding that that one thing alone is the hardest thing to do. It's the most common thing that's done. And it's also the hardest thing to do for, for multiple reasons. One is that backup isn't designed to do this. It's just none of the backup and recovery tools are designed to extract data the way that you're wanting it to be extracted.
[00:17:12] W. Curtis Preston: Number one. Number two. It's a container inside a container inside a container, it's an email that's stored inside of some words inside an email that's inside a database that's inside a backup encapsulated container, right? So it's a, it's a multi depth. It's sort of like, uh, that movie Inception. Right? The deeper you go, the lot, the slower it gets.
[00:17:32] W. Curtis Preston: Right? By the way, I've never made that analogy before, but I like it. Right? And so it's the hardest thing to do, and it's the most common thing that we do. So, so understanding that it's just really, really difficult to do if you're using the standard tools. And so the second thing I'm going to say that's going to sound like I'm, I'm conflicting with the first thing is, How easy it is to do if you have the right tools, right?
[00:17:53] W. Curtis Preston: If they're a lot of times, they're, they're directing a client to, you know, go take, let's say, pick your favorite backup software, that backup network or TSM rubric, Cohesity, any, any of these guys take these tools and go and, uh, you know, extract this email and they're not realizing that there is some alternative that can be done, right?
[00:18:15] W. Curtis Preston: And so the idea is that again, it sounds like I'm being contradictory. But if you use a third party service that is actually able to understand this format and pull it out, understanding just how easy it is to do it, if you do that. And then the third would be, not, a mistake would be not understanding the value of a documented process.
[00:18:38] W. Curtis Preston: So if you, You know, when you're standing in front of a judge, right, and you're making an argument in a particular matter, when you can say, we followed this documented, well tested, well vetted process, and we didn't find the smoking gun, right, especially when you're a defendant, right, we followed, we were given the e discovery request, we followed this process that has been used, you know, in many other places, and we didn't find the smoking gun, The value of that process is huge, right, being able to say, as opposed to, let's say, the contrast of that is, well, we had our tech guys look at the net backup backups and they didn't find it.
[00:19:18] W. Curtis Preston: Right? And so not understanding the value of that of that process. I think is another mistake that they make right that they just try to sort of do it themselves, right? And especially this is even stronger when the defendant, you know, the recipient of the discovery request, whether it's a defendant or the or the plaintiff when that recipient is not used to receiving such requests.
[00:19:44] W. Curtis Preston: So if it's a first time discovery request for somebody who's never searched email, they're not going to have the slightest clue. So putting all of these things together. They're not going to be able to easily do it. Uh, they're not going to have the tools that we have, and they're not going to have the process that we have to be able to fill out an affidavit and say, hey, we searched for this and these were the things that we found.
[00:20:05] W. Curtis Preston: And we used a process that's been used in, you know, hundreds of clients before you.
[00:20:08] Ad #2: Consider Buying The Tech-Savvy Lawyer a Cup of Coffee βοΈ or Two βοΈβοΈ!
[00:20:08] Michael D.J. Eisenberg:
Pardon the interruption.
[00:20:11] Michael D.J. Eisenberg: I hope you're enjoying the techsavvily. page podcast as much as I enjoy making them. Consider buying us a cup of coffee or two to help defray some of the production costs. Thanks and enjoy.
[00:20:21] Q?B: What are the Top 3 Gaps in Documented Processes that Attorney Overlook?
[00:20:21] Michael D.J. Eisenberg: Can you suggest, I'm going to ask for the top three of course, top three common holes that either attorneys who are producing or attorneys who are receiving aren't necessarily thinking about when they look at these documented processes that maybe it needs to be filled in?
[00:20:36] W. Curtis Preston: Well, I don't know if I can come up with three, you know, a list of three things, but um, I think it's just, it's just a matter of whether or not there is a process that has been used before, is properly documented, and can be testified to via an affidavit. I don't know, there's your three, right? So it's documented, it's been used before, and you can easily explain it.
[00:21:00] Michael D.J. Eisenberg: You know, it just as you're saying this, it's got me thinking of a couple of cases in my past where, you know, during discovery, you know, came out later that they produced the smoking gun, not because it wasn't asked for properly in discovery, but because the opposing party thought, you know, it wasn't relevant, you know, although it's the smoking gun, it says, yeah, we screwed up or yeah, we did something wrong.
[00:21:23] Michael D.J. Eisenberg: They just decided it wasn't relevant at the time, which was hogwash. Yeah. And then they got in trouble for it later. But are, have you seen, or are there ways that parties have tried to say, you know, well, we ran this, but we didn't think this one, this part was relevant. So we didn't Produce it.
[00:21:39] W. Curtis Preston: Yeah, I think the key here is to be able to say we used this tool.
[00:21:46] W. Curtis Preston: Right? Right? Like we looked, we use this tool. We read, you know, the more specific you can be on. We ran, you know, I'm going to use some tech terms, right? We ran a regular expression search on this phrase. Did not find the thing that you're looking for. So that's very specific, right? And we use this tool relativity or whatever, whatever the right tool is.
[00:22:08] W. Curtis Preston: Right. I use this tool and we didn't find it right. That's not the same as saying it's nowhere near the same as saying. Well, we looked at our stuff and we didn't find anything that was relevant. You asked for this phrase, right? You asked for this phrase. We ran a regular express and search against that phrase.
[00:22:26] W. Curtis Preston: We did not find it anywhere in the data or the metadata.
[00:22:30] Michael D.J. Eisenberg: Have you ever found like, you know, a party, a replying party saying, you know, we ran the phrase. Actually, we came across that, but we didn't think it was really well lit. So we didn't bother to give it to you.
[00:22:39] W. Curtis Preston: I haven't seen that. To me, that's not a valid production.
[00:22:43] W. Curtis Preston: And if you requested the phrase, any emails with this phrase in them, that is discoverable, right? And relevant. I'm not saying that
[00:22:51] Michael D.J. Eisenberg: the party is proper in doing that. I'm just, just kind of curious if they tried, you know, anyone has tried to do the loopholes, if you will.
[00:22:58] W. Curtis Preston: Well, what we produced the data. Our client, which is the attorney or the right, the, you know, the, the person, what they did with the data.
[00:23:07] W. Curtis Preston: It we're not party to that. So,
[00:23:09] Michael D.J. Eisenberg: okay. And, and mind you, I'm not accusing you guys of doing anything. Yeah. I'm specifically referring to the, the attor, the attorney or the company or whoever the, you know, party may be. Cool. Well, let's move on to our last question,
[00:23:20] # Q?#3: βWhat are the top three things lawyers should be doing when they're under a ransomware attack?
[00:23:20] Michael D.J. Eisenberg: what are the top three things lawyers should be doing when they're under a ransomware attack?
[00:23:24] W. Curtis Preston: Well, I'd say the first thing that they should be doing is Hopefully, hopefully they have a time machine and hopefully before the ransomware attack happened They developed a relationship with cyber professionals, right? And this is incredibly important when we talk about things like from a cyber attack standpoint, any kind of protection is better than no protection and any protection has to be done before the event, right?
[00:23:51] W. Curtis Preston: It's time to talk to someone now. Talk to, because this is absolutely not something that you should be doing yourself. Whether you're an attorney or a multi billion dollar multinational conglomerate, you should not be handling a cyber attack by yourself. And so the time is now to develop a relationship, to find yourself, they're, they're called blue teams, right?
[00:24:17] W. Curtis Preston: In the cyber defense world, there's the red team and the blue team. The red team is one that you pay to attack you. To see how your defenses are. The blue team is someone who comes to your defense. There are myriad companies out there that you can talk to that you can talk to now so that when a cyber attack happens and notice I said when, not if, right?
[00:24:35] W. Curtis Preston: The odds just go up every day when a cyber attack happens, you can call your blue team. They come by your side you've got cyber insurance, right? If you've got cyber insurance, talk to them about. Who they have access to and who you would have access to in an attack. And so the, the, the 1st thing you should be doing is contacting their, their cyber defense team.
[00:24:56] W. Curtis Preston: And by the way, shutting off everything should probably be the 1st 1st thing, right? Just shutting off everything and then contacting the cyber defense team. The other thing that this is like a mistake that they often make is like, we're just going to keep this quiet, right? We're not going to tell anybody.
[00:25:10] W. Curtis Preston: And again, I think maybe there was more stigma to that. I don't know, five, six, 10 years ago. Now everybody assumes everybody's getting. So there's no point, there's no value in concealing the fact that you were attacked. The next thing is to be open with your clients, your customers, your partners. About the things that are happening, what's being done, what, you know, don't say what you don't know, right?
[00:25:38] W. Curtis Preston: Don't say things like no client data was compromised. You can say things like there is no evidence yet that client data was compromised, right? Don't make statements that you can't ultimately backed up. Things are being looked into again. We have a cyber defense blue team on, you know, that is working hard figuring all this out and the communicate.
[00:25:58] W. Curtis Preston: Early and regularly throughout the event, just the more open. The way I like to do is I like to send everybody an email, send, point them to a webpage that you will then update as the event is, is, uh, unveiling. Right. So communicate early and often, and then finally, and that is hopefully, and again, this is a, you know, a broken record for me, hopefully you had a offsite cloud based backup that is not accessible.
[00:26:27] W. Curtis Preston: Via your system, right? So we talked about, uh, something as little as time. Machine time machine's great, but I can wipe out a time machine backup if it's physically connected to my system, right?
[00:26:37] Michael D.J. Eisenberg: What if it's wirelessly or does that make no difference?
[00:26:40] W. Curtis Preston: It doesn't make any difference, right? My my point is if, if it's online and it's connected, you know, and it's, it's accessible to my computer.
[00:26:47] W. Curtis Preston: If I know what I'm doing and I have administrator access. I can wipe out that backup, right? So you really want to have a backup. And this is true whether you're 1 lawyer and a laptop or again, a giant, you know, right. You want to have a cloud based copy that has a completely different authentication and authorization system.
[00:27:09] W. Curtis Preston: And hopefully you have 1. That has this concept of immutability, right? So, you know, it's, it's a term that comes up in the law a lot where you say, you know, can you prove that this email is the same as it was, you know, a year ago when it was written, right? The one that you're producing is the same. You can say, yes, we use this immutable system.
[00:27:27] W. Curtis Preston: In this case, what we're talking about is that the best system is one that you can't delete, right? If you can create a system. I will say it's, it's the hardest feature to get in consumer or prosumer backups. But if you can find that, it's much better in that because the ransomware attackers are getting more savvy and more savvy, and they're learning how to attack your backup system.
[00:27:50] W. Curtis Preston: And they do that, and they, they know to do that because they know that if they're able to successfully attack your backups and take out your backups, then you're more, uh, You're more liable to to pay the, you know, the ransom.
[00:28:01] Michael D.J. Eisenberg: I have some follow up questions for each of your answers on this last answer.
[00:28:05] Michael D.J. Eisenberg: It's a concept that I'm in the process of learning. But what is it called when you you have a backup and then you make another backup on the same backup service device and the two backups are independent of each other. So if I made a backup for day one and then a backup for day two, those two backups are completely independent of one another.
[00:28:27] W. Curtis Preston: I would just say that there is two full backups, two traditional needful backups.
[00:28:32] Michael D.J. Eisenberg: Okay. So they're just not connected. They're not, they're not,
[00:28:35] W. Curtis Preston: they're, they're independent of each other.
[00:28:37] Michael D.J. Eisenberg: So if like, if day two somehow got a virus or some sort of ransomware, it won't affect back up day one,
[00:28:44] W. Curtis Preston: right? It's really important.
[00:28:46] W. Curtis Preston: To make sure that the authentication and authorization system for your backup, which hopefully is a cloud based system is completely separate. You're not storing the password in a place that if someone you're not storing it in a spreadsheet on your laptop for God's sakes. Right? Which is a thing, right?
[00:29:03] W. Curtis Preston: That is technically a password management system. That is not what I'm talking about. Right? And hopefully you also have, uh, MFA and you have like the best kind of MFA on that. Right? So that they just cannot log into that system as you and especially from another location. Right? Uh, that, that's the whole point of MFA is even if they got the password, they wouldn't be able to log into that backup system as you and then they wouldn't be able to.
[00:29:27] W. Curtis Preston: Corrupt, encrypt, delete, whatever those backups. Gotcha. So, it's not just that they're independent of each other. An air gapped backup is one that's stored in a way that's just, literally, it meant there was a gap of error between the thing being protected and the protected copy. That has become, it's a term that gets thrown out a lot in the cloud backup space.
[00:29:49] W. Curtis Preston: Technically, none of the backups in the cloud are air gapped. Right? Not any traditional long term sense of the word because they're still online, right? They're still online. They're not really air gap there. But having said that, if you can make a copy into a fully immutable storage system, so that if not even you, this is the key, not even you.
[00:30:13] W. Curtis Preston: Can delete that backup for some period of time that's fully immutable, really immutable again, immutable should be a binary condition like dead. You're either dead or you're not right immutable should be a binary condition. Unfortunately, it's like a lot of things they marketed it and they'll say it's immutable and it's not really immutable.
[00:30:32] W. Curtis Preston: But if even you cannot delete that backup, if you wanted to, then that is going to be as protected as it can be in the cloud world.
[00:30:41] Michael D.J. Eisenberg: And then how do you make an air gap backup?
[00:30:44] W. Curtis Preston: Well, the only way truly to do that, you know, for real would be to make like an. In the case of, uh, either Windows or to make a physical copy onto a hard drive or tape drive.
[00:30:57] W. Curtis Preston: In most cases, it's going to be a hard drive, right? Right. I'll just use one example. Make a time machine backup to a time machine physical hard drive, and then unplug that hard drive and put it somewhere else. It's offline. That would be an air gap back up the downside to that and the reason why this is I don't recommend this as a normal everyday case is that you didn't have to plug it back in tomorrow when you're making the next backup and then you got to unplug it and put it back.
[00:31:22] W. Curtis Preston: So, you know, and so that's why I prefer the cloud backup because it just happens. Gotcha. You know, all the time.
[00:31:27] Michael D.J. Eisenberg: Gotcha. Okay. And actually that, that answered, well, two questions. One I knew and the other one I didn't. So going back still, what do you suggest about informing the bar association when you've had a ransomware breach?
[00:31:40] W. Curtis Preston: I would recommend that you follow the laws in your state, right? I don't know what the laws are in different states, but number one, I would recommend that you be aware of those now, learn what the notification laws are, especially if you are aware of. Client data being compromised and then just simply follow those regulations.
[00:31:58] W. Curtis Preston: I do think that again, early and often notification is advised. And that I think it's better for you that you notify and then notify of what, you know, what remediation steps that you've done, how you protected to data, uh, et cetera. And the ultimate case from what I've seen again, I can't speak specifically to bar associations, how they've handled it, but historically in breaches the what.
[00:32:27] W. Curtis Preston: Regulatory bodies in general, when they seek to hold a party responsible for a breach, what they're looking for is, did you follow the industry best practices? Did you do the things that you were supposed to do? Everybody can get hacked, like companies that do security get hacked, right? And so the simple fact that you got hacked or that you got ransomware isn't enough to get to, I would not think again, not giving legal advice.
[00:32:56] W. Curtis Preston: I'm just thinking that is not something that a bar associate would seek to hold you liable for, right? But, if it's clear that you didn't do any of the things that you were supposed to do, you didn't protect your data, you didn't put in, you know, antivirus, you didn't put in a firewall, you didn't put any, you didn't do any of these things, that's where I think you might have some liability.
[00:33:17] W. Curtis Preston: And I'll just give you one example. There was, uh, you're familiar, I'm sure, with the GDPR. There was a hospital in Portugal that wasn't a breach. There was a hospital in Portugal that had a GDPR violation. And when the body looked at what they did, their response was Okay, it was clear that you didn't try at all, right?
[00:33:40] W. Curtis Preston: So one of the things that they did was for ease of administration, they gave every employee in the hospital doctor level access to patient records. Oh, because it was easiest to just make everybody a doctor than to figure out who was a doctor and who was a nurse and who was a janitor. They just gave everybody access.
[00:33:58] W. Curtis Preston: So they were like, Hey, it's clear that you didn't even try. So that's the thing I think you should be focusing on is making sure that you're doing the industry best practices to protect your data, to protect your clients, and then, you know, notify your bar association as appropriate based on the laws in your state.
[00:34:15] Michael D.J. Eisenberg: And thank you. Let me ask you one more follow up question and to your first your first answer to the third question. You talk about developing a relationship with a cyber professional. I'm Joe lawyer. I call you and your company, what are the three questions I should be asking?
[00:34:32] W. Curtis Preston: Michael, that is a tough one.
[00:34:33] W. Curtis Preston: Let me just think about that for a second. I would say that the first thing you want to establish is that they're a blue team versus a red team. That's what you're looking for. I mean, you might have interest if you want to take it to the next step. The idea of using a red team is that's something you're going to proactively use.
[00:34:50] W. Curtis Preston: Right. To see how your cyber defenses are, right? You can do, uh, what's called a pen test or a penetration test. Those are great teams to have, but what you want at your side in an attack is you want to, you want a blue team. You want to establish that they're a blue team company. And the next question is, do they have a security posture questionnaire and can you see it?
[00:35:11] W. Curtis Preston: Right? So that's going to be the question, basically a questionnaire that they're going to give to you and to see what your security posture is, which is just a term to say, how good is your cyber security, right? You can learn a lot if you talk to half a dozen companies, you can learn a lot just by reading those, uh, security questionnaires, by the way, and if their answer is, we just ask if you have antivirus, not really the, you know, the company that maybe you should be looking at.
[00:35:36] W. Curtis Preston: Gotcha. And then third would be. If they have tools that they use on a regular basis with clients to monitor your cyber posture, right? And the answer you're really looking for is yes there, that hopefully what they've got is something that they've contracted with that they can use as opposed to you going out and choosing one of the 700 cybersecurity tools that are available to you.
[00:36:01] W. Curtis Preston: You have a, you're contracting a cybersecurity professional, this is what they do and they say, yes, we have a tool, you know, like an XDR tools, what they call extended detection and response. We have a SIM tool. These are the various tools. That they can install on any devices that you use to help protect you and to help you respond.
[00:36:21] W. Curtis Preston: And also, even more importantly, to be able to forensically figure out what happened after it happens. Because that's really the most important part of the response. Assuming you did everything you were supposed to do in advance of protecting your data and backing it up and all of these things. The hardest part of the entire process is figuring out what happened and good forensic tool that you installed in advance will be your best friend in that case.
[00:36:50] W. Curtis Preston: So,
[00:36:51] Michael D.J. Eisenberg: well, then what are the top three things a lawyer should be looking for, or anyone for that matter, when it comes to a security questionnaire from a provider?
[00:36:58] W. Curtis Preston: Well, I'd say that the first thing I would say it's depth, right? It is the degree to which they're asking. The appropriate questions, the 2nd, I would say, is it focused entirely on just defense, right?
[00:37:13] W. Curtis Preston: Meaning, is it only focused on preventing you from, uh, doing it and or is it also does it have questions that are asking about, like, for example, do they ask you about your backups? Do they ask you about what are you doing to be able to respond to an attack when it happens? And then finally, I would say, this is very touchy feely.
[00:37:35] W. Curtis Preston: Does the questionnaire seem like it's just designed to show you some software? Or is it designed to see how well you have prepared yourself for an attack?
[00:37:47] Michael D.J. Eisenberg: Gotcha.
[00:37:47] W. Curtis Preston: Right? It's really a touchy feely thing. That'd be my final one.
[00:37:51] Michael D.J. Eisenberg: Excellent. Well, Curtis, I appreciate you sharing all that with us. Tell us, where can people find you?
[00:37:56] W. Curtis Preston: So you can find me at BackupCentral. com and also Backup Wrap Up. That is my podcast. And you can find my company at, that's the number two, Data. com. Obviously, contact us to help you with your, especially e discovery requests against backups.
[00:38:12] Michael D.J. Eisenberg: Excellent. Well, Curtis, again, I want to thank you for being here, and I hope you have a great day.
[00:38:16] Michael D.J. Eisenberg: Thanks.
[00:38:17] See You in Two Weeks!
[00:38:17] Michael D.J. Eisenberg: Thank you for joining me on this episode of the techsavvylawyer. page podcast. Our next episode will be posted in about two weeks. If you have any ideas about a future episode, please contact me at michaeldj at the techsavvylawyer. page. Have a great day and happy Lawering.
