What a Locked Down Law Firm Looks Like (updated)

John B. Dickson, CISSP (@johnbdickson)

Uploaded by: denim-group

Posted on 19-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: What a Locked Down Law Firm Looks Like

© 2016 Denim Group – All Rights Reserved

What a Locked Down Law Firm Looks Like

John B. Dickson, CISSP

@johnbdickson

Page 2: John’s Background

• Career security professional
• Ex-Air Force cyber guy
• Helps CIOs build security programs
• Security author and speaker
• Worked with numerous industries, including legal

Page 3: Denim Group | Company Background

• Professional services firm that works closely with companies on matters of software risk
• Network & information security services
• Outsourced managed security services
• Law firm experience

Page 4: Overview

• Disruptive Security Trends
• The Nature of Law Firms
• Likely Threats Against Law Firms
• Suggested Strategies
• Questions, Answers, & Discussions

Page 5: Disruptive Security Trends

1. IT & security as we know it is evolving at breathtaking speed
  • Cloud Computing—Risks and Benefits
  • Mobile Risks and Benefits
  • Digital vs Paper

Page 6: Disruptive Security Trends

2. Sophisticated attackers are targeting smaller businesses
  • Mostly organized criminal syndicates
  • Advanced collection and exploit tools that scale
  • Ransomware
  • Sophisticated financial fraud

Page 7: Disruptive Security Trends

3. Cyber attacks have become exponentially more disruptive
  • Risks have evolved from:
    • Web defacements
    • Loss of personally identifiable information (PII)
  • To attacks that have shut down businesses:
    • Sony Entertainment
    • Saudi Aramco

Page 8: The Panama Papers: Breakdown

Root Cause Analysis
• Hacked email/web servers
• Outdated software
• Email not encrypted
• Lack of “basic cybersecurity precautions”
• “An Ounce of Prevention”

Page 9: The Nature of Law Firms

• Strong expertise-driven culture
  • Not unlike hospitals, Air Force fighter squadrons, and higher education in that regard
• Partner-driven culture in many instances
• Stove-piped practices that may or may not work together

Page 10: The Nature of Law Firms

• Firms contain the most sensitive information of their clients
  • IP filings, M&A transactions, HR investigations, to name a few
• They may or may not mirror the security posture of the clients they serve
• Firms can be an attractive 3rd-party attack vector for sophisticated threats
• Firms rely on the rule of law for enforcement of attorney-client privilege; attackers are not bound by this

Page 11: The Nature of Law Firms

• Challenges & Risks Vary from Large to Small Firms
  • Large
    • Risks mirror those of the largest, most complex companies
    • Multiple locations, multiple countries
  • Medium
    • Risks likely more complex, but no dedicated CISO
    • Several locations
  • Small
    • Risks more akin to those of small businesses (e.g., malware, ransomware, etc.)

Page 12: Threats

• What are the threats that are likely to target law firms?

Page 13: Broad Threat Categories

• Three types of threat actors
  • Nation states
  • Organized criminal syndicates
  • Hacktivists

Page 14: Likely Threats Against Law Firms

• Large & Medium Firms
  • Hacktivists
    • Targeted because of the clients they serve; could attract the attention of the likes of Anonymous
  • Nation state
    • IP filings or other information firms hold could be attractive to nation state threats
• Small Firms
  • Ransomware, malware, etc.

Page 15: Where do You Go from Here?

Page 16: Suggested Strategy #1

• Understand your Attack Surface - General
  • …and where your firm’s most sensitive client data lives
  • Tailor rigorous testing to the agreed-upon threat
  • Don’t forget mobile/cloud/social media
  • Regularly conduct penetration tests mimicking your most likely threat

Page 17: Suggested Strategy #1 (Continued)

• Understand your Attack Surface - External
  • Conduct monthly (or quarterly) network and application vulnerability tests to eliminate the most obvious vulnerabilities
  • Consider quarterly phishing campaigns using context from firm clients
  • Review DNS registry & shared secret
  • Conduct social engineering exercises with firm leadership buy-in
  • Identify 3rd-party network connections or federated trust relationships

Page 18: Suggested Strategy #1 (Continued)

• Understand your Attack Surface - Internal
  • Conduct monthly automated scans to validate the patching program
  • Conduct annual security testing of key suppliers
  • Understand admin technical segregation of duties
    • Move roles around if possible and without notice
  • Maintain an inventory of USBs in desktops and laptops
  • Review policies on 3rd-party storage systems (e.g., Dropbox)
  • Capture what existing syslog review processes exist
    • Example: alerting on auth events

Page 19: Suggested Strategy #2

• Protect Information at Rest and in Transit
  • Tailor DLP to the firm’s needs
    • Implement at desktop, gateway, or federated entry points
  • Disable USBs through technology acquisition or Active Directory (AD) Group Policy Objects (GPO)
    • Example: IEEE 802.1X-authenticated wired connections through Group Policy
  • Implement trusted syslogging for admins
  • Test portal authorization implementation with manual testing
  • Secure 3rd-party FTP or mail service for the most sensitive documents (obviously)

Page 20: Suggested Strategy #2 (Continued)

• Protect Information at Rest and in Transit
  • Roll out mobile device management for all mobile devices, implementing:
    • Remote wipe, OTA updates, containers, etc.
  • Deploy full disk encryption on ALL laptops
  • Roll out next-generation anti-virus and malware detection
    • Enable alerting for key events

Page 21: Suggested Strategy #2 (Even more!)

• Protect Information at Rest and in Transit
  • Consider 2-factor authentication or tokens for:
    • Administrative accounts
    • Particularly sensitive client documents
  • And don’t forget! Implement encrypted email at all times!

Page 22: Suggested Strategy #3

• Reduce your External Attack Surface
  • Implement organization-wide patching
  • Understand the 3rd-party risks of CMS or portal software
  • Catalog trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
  • Start to build a “defense in depth” approach to your organization

Page 23: Suggested Strategy #3

• Reduce your External Attack Surface
  • Implement organization-wide patching
    • Not just for Microsoft products (Reference: Verizon Data Breach Report)
  • Understand the 3rd-party risks of CMS or portal software
    • Implement hardening configs for SharePoint, Drupal, WordPress, others
    • Monitor security lists and quickly apply patches

Page 24: Suggested Strategy #3 (Continued)

• Reduce your External Attack Surface
  • Monitor & reduce (possible) trusted entry points from 3rd parties
  • Ensure your web-facing sites are devoid of SQL injection/XSS vulnerabilities
    • Again, watch 3rd-party vulnerability notifications

Page 25: Suggested Strategy #4

• Be Able to Identify an Attack
  • Deeply understand your “base” network and application operations tempo
    • Do you regularly monitor network stats?
  • Build the competency to regularly review key events via logging
    • IPS/IDS + SEM if you’re big enough to warrant the capability
  • Exfiltration logging for after the fact - think Mossack Fonseca!
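Strategy #4 here and Strategy #1 (Internal) on page 18 both call for a routine review of authentication events. As an added example that is not part of the deck, the Python below runs such a review over constructed Windows-style logon records (event IDs 4625 failed logon, 4624 successful logon, 4672 admin privileges assigned) and flags failed-logon bursts, a success right after a burst, and admin logons outside business hours; the thresholds, hours, accounts and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events,
# in chronological order: (timestamp, event id, account, source IP).
# 4625 = failed logon, 4624 = successful logon, 4672 = special privileges (admin logon).
SAMPLE_EVENTS = [
    ("2016-11-03 02:14:05", 4672, "svc_backup", "10.1.5.20"),   # admin logon at 02:14
    ("2016-11-03 09:00:01", 4625, "jsmith", "203.0.113.9"),
    ("2016-11-03 09:00:07", 4625, "jsmith", "203.0.113.9"),
    ("2016-11-03 09:00:12", 4625, "jsmith", "203.0.113.9"),
    ("2016-11-03 09:00:18", 4625, "jsmith", "203.0.113.9"),
    ("2016-11-03 09:00:25", 4625, "jsmith", "203.0.113.9"),
    ("2016-11-03 09:01:40", 4624, "jsmith", "203.0.113.9"),    # success right after the burst
    ("2016-11-03 09:30:00", 4625, "amiller", "10.1.7.33"),      # a single mistyped password
    ("2016-11-03 10:15:00", 4624, "amiller", "10.1.7.33"),
]

FAIL_THRESHOLD = 5                   # failed logons per source IP ... (assumed value)
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window (assumed value)
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59; admin logons outside get reviewed (assumed)

def review_auth_events(events):
    """Return (alert_type, account, source_ip) tuples that deserve a human look."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent 4625 events
    bursts = {}                    # source IP -> time the failure threshold was crossed
    for ts, event_id, account, src in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            recent = [f for f in failures[src] if t - f <= FAIL_WINDOW] + [t]
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in bursts:
                bursts[src] = t
                alerts.append(("failed_logon_burst", account, src))
        elif event_id == 4624:
            # A success from a source that just produced a burst is the case to check first.
            if src in bursts and t - bursts[src] <= FAIL_WINDOW:
                alerts.append(("success_after_burst", account, src))
        elif event_id == 4672 and t.hour not in BUSINESS_HOURS:
            alerts.append(("admin_logon_off_hours", account, src))
    return alerts

if __name__ == "__main__":
    for alert in review_auth_events(SAMPLE_EVENTS):
        print("ALERT %-22s account=%s source=%s" % alert)
```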

Page 26: Suggested Strategy #5

• Don’t go it alone!
  • Gain and maintain a trusted relationship with an organization that understands firm risk and can conduct knowledge transfer
    • Particularly given the broad technology stack
  • Consider a Managed Security Services Provider (MSSP) for 24/7 coverage
  • Have a relationship with an IR and crisis communication firm.

Page 27: Discussion, Questions, and Answers

John B. Dickson

@johnbdickson