what a locked down law firm looks like updated
© 2016 Denim Group – All Rights Reserved 0
What a Locked Down Law Firm Looks Like
John B. Dickson, CISSP
@johnbdickson
John’s Background
• Career security professional
• Ex-Air Force cyber guy
• Helps CIOs build security programs
• Security author and speaker
• Worked with numerous industries, including legal
Denim Group | Company Background
• Professional services firm that works closely with companies on matters of software risk
• Network & information security services
• Outsourced managed security services
• Law firm experience
Overview
• Disruptive Security Trends
• The Nature of Law Firms
• Likely Threats Against Law Firms
• Suggested Strategies
• Questions, Answers, & Discussions
Disruptive Security Trends
1. IT & security as we know it is evolving at breathtaking speed
  • Cloud Computing: Risks and Benefits
  • Mobile: Risks and Benefits
  • Digital vs Paper
Disruptive Security Trends
2. Sophisticated attackers are targeting smaller businesses
  • Mostly organized criminal syndicates
  • Advanced collection and exploit tools that scale
  • Ransomware
  • Sophisticated financial fraud
Disruptive Security Trends
3. Cyber attacks have become exponentially more disruptive
  • Risks have evolved from:
    • Web defacements
    • Loss of personally identifiable information (PII)
  • To attacks that have shut down businesses:
    • Sony Entertainment
    • Saudi Aramco
The Panama Papers: Breakdown
Root Cause Analysis
• Hacked email/web servers
• Outdated software
• Email not encrypted
• Lack of “basic cybersecurity precautions”
• “An Ounce of Prevention”
The Nature of Law Firms
• Strong expertise-driven culture
  • Not unlike hospitals, Air Force fighter squadrons, and higher education in that regard
• Partner-driven culture in many instances
• Stove-piped practices that may or may not work together
The Nature of Law Firms
• Firms hold the most sensitive information of their clients
  • IP filings, M&A transactions, HR investigations, to name a few
• They may or may not mirror the security posture of the clients they serve
• Firms can be an attractive 3rd-party attack vector for sophisticated threats
• Firms rely on the rule of law to enforce attorney-client privilege; attackers are not bound by it
The Nature of Law Firms
• Challenges & risks vary from large to small firms
  • Large
    • Risks mirror those of the largest, most complex companies
    • Multiple locations, multiple countries
  • Medium
    • Risks likely more complex, but no dedicated CISO
    • Several locations
  • Small
    • Risks more akin to those of small businesses (e.g., malware, ransomware, etc.)
Threats
• What are the threats that are likely to target law firms?
Broad Threat Categories
• Three types of threat actors
  • Nation states
  • Organized criminal syndicates
  • Hacktivists
Likely Threats Against Law Firms
• Large & Medium Firms
  • Hacktivists
    • Targeted because of the clients they serve; could well attract the attention of the likes of Anonymous
  • Nation states
    • IP filings or other information firms hold could be attractive to nation-state threats
• Small Firms
  • Ransomware, malware, etc.
Where do You Go from Here?
Suggested Strategy #1
• Understand your Attack Surface - General
  • …and where your firm’s most sensitive client data lives
  • Tailor rigorous testing to the agreed-upon threat
  • Don’t forget mobile/cloud/social media
  • Regularly conduct penetration tests mimicking your most likely threat
Suggested Strategy #1 (Continued)
• Understand your Attack Surface - External
  • Conduct monthly (or quarterly) network and application vulnerability tests to eliminate the most obvious vulnerabilities
  • Consider quarterly phishing campaigns using context from firm clients
  • Review DNS registration and shared secrets
  • Conduct social engineering exercises with firm leadership buy-in
  • Identify 3rd-party network connections or federated trust relationships
Suggested Strategy #1 (Continued)
• Understand your Attack Surface - Internal
  • Conduct monthly automated scans to validate the patching program
  • Conduct annual security testing of key suppliers
  • Understand admin technical segregation of duties
    • Move roles around if possible and without notice
  • Maintain an inventory of USB ports and devices in desktops and laptops
  • Review policies on 3rd-party storage systems (e.g., Dropbox)
  • Capture what system log review processes already exist
    • Example: alerting on authentication events
Suggested Strategy #2
• Protect Information at Rest and in Transit
  • Tailor DLP to the firm’s needs
    • Implement at desktop, gateway, or federated entry points
  • Disable USB ports through technology acquisition or Active Directory (AD) Group Policy Objects (GPO)
    • Example: IEEE 802.1X-authenticated wired connections, also enforced through Group Policy
  • Implement trusted system logging for admins
  • Test the portal’s authorization implementation with manual testing
  • Use a secured 3rd-party file transfer (e.g., SFTP) or mail service for the most sensitive documents (obviously)
Suggested Strategy #2 (Continued)
• Protect Information at Rest and in Transit
  • Roll out mobile device management (MDM) for all mobile devices, implementing:
    • Remote wipe, OTA updates, containers, etc.
  • Deploy full disk encryption on ALL laptops
  • Roll out next-generation anti-virus and malware detection
  • Enable alerting for key events
Suggested Strategy #2 (Even more!)
• Protect Information at Rest and in Transit
  • Consider 2-factor authentication or tokens for:
    • Administrative accounts
    • Particularly sensitive client documents
  • And don’t forget! Implement encrypted email at all times!
Suggested Strategy #3
• Reduce your External Attack Surface
  • Implement organization-wide patching
  • Understand the risks of 3rd-party CMS or portal software
  • Catalog trusted entry points from 3rd parties
  • Ensure your web-facing sites are free of SQL injection/XSS vulnerabilities
  • Start to build a “defense in depth” approach to your organization
Suggested Strategy #3
• Reduce your External Attack Surface
  • Implement organization-wide patching
    • Not just for Microsoft products (Reference: Verizon Data Breach Investigations Report)
  • Understand the risks of 3rd-party CMS or portal software
    • Implement hardening configs for SharePoint, Drupal, WordPress, and others
    • Monitor security lists and quickly apply patches
Suggested Strategy #3 (Continued)
• Reduce your External Attack Surface
  • Monitor & reduce (possible) trusted entry points from 3rd parties
  • Ensure your web-facing sites are free of SQL injection/XSS vulnerabilities
    • Again, watch 3rd-party vulnerability notifications
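Strategy #3 requires web-facing sites to be free of SQL injection and XSS without showing what either looks like in code. The following is an added example, not code from the deck or from Denim Group: a constructed in-memory SQLite table of client documents, a search that builds its query by string formatting (one payload returns every client's documents), the parameterized version that treats the same payload as plain text, and the verbatim and output-encoded renderings that separate an XSS-prone page from a safe one. The table, column and client names are made up for the illustration.

```python
"""SQL injection and XSS: the vulnerable pattern next to the hardened one.

Added illustration built on a constructed in-memory SQLite table; not code from
the deck or from Denim Group. Table, columns and client names are made up.
"""
import html
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a document index keyed by client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, client TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents (client, title) VALUES (?, ?)",
        [
            ("acme", "Acme v. Globex - discovery index"),
            ("acme", "Acme M&A term sheet"),
            ("globex", "Globex patent filing draft"),
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, client: str, needle: str) -> List[str]:
    """Query text built by string formatting: the user's input *is* SQL.

    A needle of  %' OR '1'='1' --  turns the WHERE clause into
        client = 'acme' AND title LIKE '%%' OR '1'='1' --%'
    and returns every client's documents, crossing the client boundary.
    """
    sql = (f"SELECT title FROM documents WHERE client = '{client}' "
           f"AND title LIKE '%{needle}%'")
    return [row[0] for row in conn.execute(sql)]


def _escape_like(text: str) -> str:
    """Neutralise LIKE wildcards so user input cannot widen the match either."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn: sqlite3.Connection, client: str, needle: str) -> List[str]:
    """Parameterised query: values travel separately from the statement text."""
    sql = "SELECT title FROM documents WHERE client = ? AND title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (client, f"%{_escape_like(needle)}%"))]


def render_unsafe(title: str) -> str:
    """Reflects the value into HTML verbatim: a <script> in a title executes."""
    return f"<li>{title}</li>"


def render_safe(title: str) -> str:
    """Output-encode for the HTML element context before reflecting."""
    return f"<li>{html.escape(title, quote=True)}</li>"


if __name__ == "__main__":
    db = build_db()
    payload = "%' OR '1'='1' --"
    print("vulnerable:", search_vulnerable(db, "acme", payload))  # all three titles
    print("hardened:  ", search_hardened(db, "acme", payload))    # []
    print(render_unsafe("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

The parameterized form is the fix; the `ESCAPE` clause is a second, smaller point: even with binding, a bare `%` from the user still widens a `LIKE` search, so escape wildcards when the scope of the match matters. For XSS, `html.escape` is right for text inside an element; a value placed into an attribute, a URL or a script block needs the encoding for that context, and a real template engine with auto-escaping should do this rather than hand-built strings.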
Suggested Strategy #4
• Be Able to Identify an Attack
  • Deeply understand your “baseline” network and application operations tempo
    • Do you regularly monitor network stats?
  • Build the competency to regularly review key events via logging
    • IPS/IDS + SEM if you’re big enough to warrant the capability
  • Exfiltration logging for after the fact: think Mossack Fonseca!
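Strategy #1 (Internal) asks for alerting on authentication events, and Strategy #4 asks for a known baseline and exfiltration logging; neither slide shows what such a review looks like. This added example (not code from the deck or from Denim Group) runs both checks over constructed sample data: a few Windows-style logon events (4625 failed, 4624 succeeded) in an assumed `key=value` export format, and per-host daily outbound byte counts of the kind a perimeter firewall or NetFlow collector would report. The thresholds (five failures in five minutes; five times the median of prior days) are illustrative, not figures from the slides.

```python
"""Alert on authentication events and on outbound volume above baseline.

Added illustration over constructed sample data; not code from the deck or from
Denim Group. The key=value log format and the thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed Windows-style logon events (4625 = failed, 4624 = succeeded) as a
# SIEM or syslog forwarder might export them. Not real firm logs.
AUTH_LOG = """\
2016-04-11T08:02:13 EventID=4625 User=jsmith Src=10.0.5.22
2016-04-11T08:02:15 EventID=4625 User=jsmith Src=10.0.5.22
2016-04-11T08:02:16 EventID=4625 User=jsmith Src=10.0.5.22
2016-04-11T08:02:18 EventID=4625 User=jsmith Src=10.0.5.22
2016-04-11T08:02:20 EventID=4625 User=jsmith Src=10.0.5.22
2016-04-11T08:02:31 EventID=4624 User=jsmith Src=10.0.5.22
2016-04-11T09:15:02 EventID=4625 User=apatel Src=10.0.7.9
2016-04-11T09:40:44 EventID=4624 User=apatel Src=10.0.7.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse(line: str) -> dict:
    """Split '<iso-time> k=v k=v ...' into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.fromisoformat(m.group(1))
    return fields


def auth_alerts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Flag a source that fails `threshold` logons inside `window`, then any
    success from that source afterwards (the event you most want to see)."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()
    for ev in map(parse, lines):
        src = ev["Src"]
        if ev["EventID"] == "4625":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["User"], ev["ts"]))
        elif ev["EventID"] == "4624" and src in flagged:
            alerts.append(("success_after_failures", src, ev["User"], ev["ts"]))
    return alerts


def _series(host: str, prior_gb: List[float], latest_gb: float) -> List[Tuple[str, str, int]]:
    """Constructed (host, day, outbound_bytes) rows for 2016-04-04 .. 2016-04-11."""
    days = [f"2016-04-{d:02d}" for d in range(4, 12)]
    return [(host, day, int(gb * 1e9)) for day, gb in zip(days, prior_gb + [latest_gb])]


# Per-host daily outbound volume. fileserver01 pushes 2.6 TB on the last day
# (the Panama Papers leak was of that order); dms01 stays within its norm.
OUTBOUND = (
    _series("fileserver01", [2.0, 2.1, 1.9, 2.2, 2.0, 1.8, 2.1], 2600.0)
    + _series("dms01", [4.0, 3.8, 4.2, 4.1, 3.9, 4.0, 4.3], 4.4)
)


def exfil_alerts(rows, ratio: float = 5.0, min_history: int = 3):
    """Compare each host's latest day with the median of its own prior days.

    The baseline is only as good as the history: if the prior days were already
    abnormal the median hides it, so establish it while the network is known clean.
    """
    by_host = defaultdict(list)
    for host, day, nbytes in rows:
        by_host[host].append((day, nbytes))
    alerts = []
    for host, series in by_host.items():
        series.sort()
        *prior, (day, latest) = series
        if len(prior) < min_history:
            continue
        baseline = statistics.median(b for _, b in prior)
        if latest > ratio * baseline:
            alerts.append(("exfil_volume", host, day, round(latest / baseline, 1)))
    return alerts


if __name__ == "__main__":
    for alert in auth_alerts(AUTH_LOG) + exfil_alerts(OUTBOUND):
        print(*alert)
```

The second alert type, a success from a source that has just been failing, is the one worth paging on; five failures alone are often a mistyped password. The volume check is deliberately per host against its own history rather than a fleet-wide number, because a document management server and a receptionist's desktop have nothing in common as baselines; it still only works after the fact, which is exactly the Mossack Fonseca point, so the logs have to exist and be retained before you need them.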
Suggested Strategy #5
• Don’t go it alone!
  • Gain and maintain a trusted relationship with an organization that understands firm risk and can conduct knowledge transfer
    • Particularly given the broad technology stack
  • Consider a Managed Security Services Provider (MSSP) for 24/7 coverage
  • Have a relationship with an IR and crisis communication firm.
Discussion, Questions, and Answers
John B. Dickson
@johnbdickson