At the 2017 ILTACON Conference, I was privileged to present a session called “How to Hack a Law Firm.” The room was packed with IT professionals committed to protecting the legal industry and their own law firms. The audience asked thought-provoking questions and shared valuable resources for over 90 minutes. With so much positive feedback and in honor of Cyber-Security Awareness Month, I wanted to make my session available inside a blog series.
The three main areas of defense for protecting your law firm are technology, policy and people. All three work in conjunction with one another, but I want to give each security component the attention it deserves. This week we will cover technology and over the next two weeks we will cover policies and people.
There are no perfect solutions for information security, but new tools and resources are being developed that make it easier than ever to protect your assets from the inside and the outside.
Did you know that law firms have made the “top ten list” of ideal targets for hackers?
Why? For starters, lawyers do not like to be inconvenienced by security measures. Secondly, they have highly valuable information about individuals and clients. In short, legal firms give hackers the biggest rewards for their efforts.
Before new changes can be implemented, you have to get buy-in from the decision makers at your firm. How does that happen?
If you position your security initiative as “an IT thing” — IT. WILL. FAIL.
I know that’s a tough pill to swallow but you must position information security as being a firm business initiative AND everyone’s job, because it is.
Once you have everyone on board with WHY you’re doing this, what are you doing?
- Start with penetration tests and risk assessments that check for vulnerabilities inside and outside of your organization. You must have firewall protection, but in this modern world a firewall alone is not enough: pair it with a visibility tool (an IDS) and a control tool (an IPS) so that traffic is monitored coming AND going.
- The best way to secure your information is to be proactive rather than reactive. Have systems in place to do behavioral analysis and anomaly detection so that you get alerts BEFORE someone gets in or out of your organization.
- Make sure you get regular check-ups. Vulnerability scans should be followed by attempts to exploit what they find, so you know which findings are real. Run these more than once a year. Use your internal tools and outside help for a better look at your potential weak spots. Leave no stone unturned.
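The "alerts BEFORE someone gets out" point above is easiest to see as code. The following is an added example, not from the original post: it learns each workstation's normal outbound volume and destinations from a constructed "known good" log, then flags new records whose volume is far above that host's baseline, that contact a never-seen destination, or that come from a host with no baseline at all. The space-separated log format (`timestamp host direction destination bytes`), host names and destinations are all assumptions made up for the example.

```python
"""Baseline-and-deviation alerting over constructed outbound traffic logs."""
import statistics
from collections import defaultdict

# Constructed "known good" traffic used to learn what normal looks like per host.
BASELINE_LOG = """\
2017-10-02T09:01:10 WS-01 out dms.example.internal 120000
2017-10-02T10:14:03 WS-01 out dms.example.internal 100000
2017-10-03T09:07:55 WS-01 out mail.example.internal 140000
2017-10-03T11:30:12 WS-01 out dms.example.internal 110000
2017-10-04T09:02:41 WS-01 out mail.example.internal 130000
2017-10-02T09:05:42 WS-02 out dms.example.internal 90000
2017-10-02T13:22:19 WS-02 out dms.example.internal 110000
2017-10-03T09:11:08 WS-02 out mail.example.internal 100000
2017-10-03T14:45:30 WS-02 out dms.example.internal 95000
2017-10-04T09:00:59 WS-02 out mail.example.internal 105000
"""

# Constructed traffic to be checked: two normal records, one large transfer to
# an unknown destination at 2 a.m., and one record from a host never seen before.
NEW_LOG = """\
2017-10-05T09:03:17 WS-01 out dms.example.internal 125000
2017-10-05T09:04:50 WS-02 out dms.example.internal 98000
2017-10-05T02:17:09 WS-02 out files.transfer-site.example 2400000
2017-10-05T09:06:33 WS-09 out dms.example.internal 100000
"""


def parse_log(text):
    """Parse the assumed 'ts host direction dest bytes' format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, direction, dest, nbytes = line.split()
        records.append({"ts": ts, "host": host, "direction": direction,
                        "dest": dest, "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Per host: mean and population stdev of outbound bytes, plus destinations seen."""
    sizes = defaultdict(list)
    dests = defaultdict(set)
    for r in records:
        if r["direction"] != "out":
            continue
        sizes[r["host"]].append(r["bytes"])
        dests[r["host"]].add(r["dest"])
    return {host: {"mean": statistics.mean(s),
                   "stdev": statistics.pstdev(s),
                   "dests": dests[host]}
            for host, s in sizes.items()}


def find_anomalies(records, baseline, z_threshold=3.0):
    """Return (timestamp, host, reasons) for every outbound record that deviates."""
    alerts = []
    for r in records:
        if r["direction"] != "out":
            continue
        reasons = []
        profile = baseline.get(r["host"])
        if profile is None:
            reasons.append("host has no baseline")
        else:
            if profile["stdev"] > 0:
                z = (r["bytes"] - profile["mean"]) / profile["stdev"]
                if z > z_threshold:
                    reasons.append(f"outbound volume z-score {z:.1f}")
            elif r["bytes"] > 2 * profile["mean"]:
                # Constant baseline: fall back to a simple ratio test.
                reasons.append("outbound volume more than double the baseline")
            if r["dest"] not in profile["dests"]:
                reasons.append(f"first contact with {r['dest']}")
        if reasons:
            alerts.append((r["ts"], r["host"], reasons))
    return alerts


def run():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return find_anomalies(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, host, reasons in run():
        print(f"{ts} {host}: {'; '.join(reasons)}")
```

The baseline is deliberately learned from traffic you have already vetted; if the anomalous records were mixed into the training set they would widen the standard deviation and hide themselves. In practice the same logic is fed from your proxy or firewall logs and the thresholds are tuned per host class.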
INFRASTRUCTURE - Internal defense
What are your printer vulnerabilities? This is one of the most commonly overlooked vulnerable areas. Are you using default credentials on these network-connected devices? If so, the bad guys can get in and possibly spread, search databases and harvest all sorts of information from the content held within that device or the network areas it can reach.
What about your workstations? If I’m the bad guy, I want to get in by any means necessary. Once in, I will spread, elevate and stick around for as long as possible. I want to sniff around your machine and find any leftover administrative credentials.
Then I can go anywhere.
What are the bad guys looking for? Anything.
Names. Addresses. Phone numbers. EMAIL addresses. The bad guys want to know where you go and what you do. They are studying you. They do this so that, ultimately, they can convince you that they are someone they are not. The bad guys are extraordinarily patient.
What should you do?
- Verify all patch levels are current (from gear to servers to endpoint software).
- Verify software settings are in line with security best practices (e.g. Microsoft Office Trust Center Settings like Protected View and Macro Security).
- Verify that user access and user roles are set to correct permissions.
- Use drive encryption on local machines.
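To make the second bullet concrete, here is an added example (not from the original post) that audits the Office Trust Center settings it names. It parses the text produced by `reg export` for the Office policy keys and reports where macro security (`VBAWarnings`) is weaker than the assumed baseline or where a Protected View zone has been switched off. The registry paths and value names are the ones Office's group policy templates use; the sample export, the `16.0` version path, and the "at least 3 = disable except digitally signed" baseline are assumptions of this example, so adjust them to your own policy.

```python
"""Check exported Office Trust Center policy settings against a hardening baseline."""
import re

# Constructed sample in the text format written by `reg export` (the real file
# is UTF-16 with a BOM; decode it before passing the text to parse_reg_export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachmentsInPV"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Assumed baseline: Office 2016+ policy hive and the three applications checked.
POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0"
APPS = ("Word", "Excel", "PowerPoint")
PV_VALUES = ("DisableInternetFilesInPV", "DisableAttachmentsInPV",
             "DisableUnsafeLocationsInPV")
VBA_MEANING = {1: "enable all macros", 2: "disable with notification",
               3: "disable except digitally signed", 4: "disable all without notification"}


def parse_reg_export(text):
    """Map (key path, value name) -> int for every DWORD value in the export."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1))] = int(m.group(2), 16)
    return values


def check_office_hardening(values, min_vba=3):
    """Return one finding string per deviation from the assumed baseline."""
    findings = []
    for app in APPS:
        sec = f"{POLICY_ROOT}\\{app}\\Security"
        vba = values.get((sec, "VBAWarnings"))
        if vba is None:
            # No policy value means the user can pick any Trust Center setting.
            findings.append(f"{app}: VBAWarnings not set by policy (user can change it)")
        elif vba < min_vba:
            findings.append(f"{app}: VBAWarnings={vba} "
                            f"({VBA_MEANING.get(vba, 'unknown')}); expected >= {min_vba}")
        pv = sec + "\\ProtectedView"
        for name in PV_VALUES:
            # Protected View is on unless explicitly disabled, so absent is fine.
            if values.get((pv, name), 0) == 1:
                findings.append(f"{app}: Protected View disabled via {name}")
    return findings


def run(text=SAMPLE_REG):
    return check_office_hardening(parse_reg_export(text))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the sample this reports Word allowing all macros, Word's Internet-file Protected View switched off, and PowerPoint having no macro policy at all, while Excel passes. Run it against exports from several workstations to spot the machines whose settings drifted from the group policy.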
If I’m the bad guy, what information can I get from the outside? I can collect tons of information about your firm, simply by studying your website.
I can get names of authors and email addresses. I can find out what versions of software you are using. All of this is being collected to find the chink in your armor.
- Scrub all metadata from content accessible from the outside
- Ethical Walls solutions
- The ability to add and remove people and permissions quickly and easily
- Detect, flag and alert solutions that analyze behaviors and do threat protection
- AI / machine learning
- New technologies, as they become available
- Mobile Device Management
- Multi-Factor Authentication
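The first item in that list, scrubbing metadata, is where the author names and software versions mentioned above usually leak from. The following is an added example, not from the original post, showing what that scrubbing looks like for a Word document: a `.docx` is a zip archive, and the author, last editor, company, application and version live in `docProps/core.xml` and `docProps/app.xml`. The code blanks those fields while leaving the document body and title intact. The sample package is constructed in memory and contains only the parts needed here (it is not a complete Word file); the names and firm in it are made up.

```python
"""Strip identifying metadata from the property parts of a .docx package."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# Fields that identify people, the firm, or the software build; title is kept.
SCRUB_FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "cp:keywords",
                          "dc:description", "cp:category"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company",
                         "ep:Manager", "ep:Template"],
}

# Constructed sample parts with the kind of detail a website download exposes.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">
<dc:title>Draft merger agreement</dc:title>
<dc:creator>jane.doe@firm.example</dc:creator>
<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2017-10-01T08:00:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
<Application>Microsoft Office Word</Application>
<AppVersion>16.0000</AppVersion>
<Company>Example Law Firm LLP</Company>
</Properties>""".format(**NS)
DOCUMENT_XML = "<document>Body text stays untouched.</document>"


def build_sample_docx():
    """Assemble the constructed minimal package as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def read_part(docx_bytes, name):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.read(name)


def extract_metadata(docx_bytes):
    """Return {field: value} for every scrub-listed field that carries text."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, fields in SCRUB_FIELDS.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for path in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    found[path] = el.text
    return found


def _blank_fields(xml_bytes, fields):
    root = ET.fromstring(xml_bytes)
    for path in fields:
        for el in root.findall(path, NS):
            el.text = None  # keep the element so the part stays well-formed
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def scrub_docx(docx_bytes):
    """Copy the package, rewriting only the property parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in SCRUB_FIELDS:
                data = _blank_fields(data, SCRUB_FIELDS[info.filename])
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    raw = build_sample_docx()
    print("before:", extract_metadata(raw))
    print("after: ", extract_metadata(scrub_docx(raw)))
```

The same zip-plus-XML layout applies to `.xlsx` and `.pptx`, so one scrubbing step can sit in front of everything published to the website. PDFs carry their own Info dictionary and XMP block and need a separate pass.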
Remember, people will have grace if you get fooled. They will not have grace if you know how to prevent an attack and you didn’t take the necessary measures to prevent it.
We are currently in a state of heightened awareness regarding information security. That gives us a real opportunity for change. Leverage the fact that firm decision makers are being made aware of the need for information security from the clients they serve.
The good news is that law firms are starting to invest in resources for information security. Stay tuned for more on “How to Hack a Law Firm.” Next week: POLICIES.
How can we help you?
If you would like more information about OnGuard, our Information Security Awareness Program or any of the Information Security Services we provide, we would love to hear from you.
Want to hear more?
Please feel free to listen to the “How to Hack a Law Firm” session recorded at ILTACON 2017, courtesy of the International Legal Technology Association.