What a locked down law firm looks like updated

© 2016 Denim Group – All Rights Reserved 0
What a Locked Down Law Firm
Looks Like
John B. Dickson, CISSP
@johnbdickson

© 2016 Denim Group – All Rights Reserved
John’s Background
• Career security professional
• Ex-Air Force cyber guy
• Helps CIOs build security programs
• Security author and speaker
• Worked with numerous industries, including
legal

Denim Group | Company
Background
• Professional services firm that works
closely with companies on matters of
software risk
• Network & information security services
• Outsourced managed security services
• Law firm experience

• Disruptive Security Trends
• The Nature of Law Firms
• Likely Threats Against Law Firms
• Suggested Strategies
• Questions, Answers, & Discussions
Overview

1. IT & security as we know it is evolving
at breathtaking speed
• Cloud Computing—Risks and Benefits
• Mobile Risks and Benefits
• Digital vs Paper
Disruptive Security Trends

2. Sophisticated attackers are targeting
smaller businesses
• Mostly organized criminal syndicates
• Advanced collection and exploit tools that
scale
• Ransomware
• Sophisticated financial fraud

3. Cyber attacks have become
exponentially more disruptive
• Risks have evolved from
• Web defacements
• Loss of personally identifiable information (PII)
• To attacks that have shut down businesses:
• Sony Entertainment
• Saudi Aramco

Root Cause Analysis
• Hacked email/web servers
• Outdated software
• Email not encrypted
• Lack of “basic cybersecurity precautions”
• “An Ounce of Prevention”
The Panama Papers--Breakdown

• Strong expertise-driven culture
• Not unlike hospitals, Air Force fighter
squadrons, and higher education in that
regard
• Partner-driven culture in many instances
• Stove-piped practices that may or may not
work together
The Nature of Law Firms

• Firms contain the most sensitive information
of their clients
• IP filings, M&A transactions, HR investigations, to
name a few
• They may or may not mirror the security
posture of the clients they serve
• Firms can be an attractive 3rd-party attack
vector for sophisticated threat
• Rely on the rule of law for enforcement of
client attorney privilege. Attackers are not
bound by this 

• Challenges & Risks Vary from Large to Small
Firms
• Large
• Risks mirror that of the largest, most complex
companies
• Multiple locations, multiple countries
• Medium
• Risks likely more complex but no dedicated CISO
• Several locations
• Small
• Risks more akin to risks with small businesses (e.g.,
malware, ransomware, etc.)

• What are the threats that are likely to
target law firms?
Threats

• Three types of threat actors
• Nation states
• Organized criminal syndicates
• Hacktivists
Broad Threat Categories

• Large & Medium Firms
• Hacktivists
• Targeted because clients they serve; likely could
attract the attention of the likes of Anonymous
• Nation state
• IP filings or other information firms hold could be
attractive to nation state threats
• Small Firms
• Ransomware, malware, etc.
Likely Threats Against Law Firms

Where do You Go from Here?
14

• Understand your Attack Surface -
General
• …and where your firm’s most sensitive client
data lives
• Tailor rigorous testing to agreed-upon threat
• Don’t forget mobile/cloud/social media
• Regularly conduct penetration tests mimicking
your most likely threat
Suggested Strategy #1

• Understand your Attack Surface - External
• Conduct monthly (or quarterly) network and
application vulnerability tests to eliminate most
obvious vulnerabilities
• Consider quarterly phishing campaigns using
context from firm clients
• Review DNS registry & shared secret
• Conduct social engineering exercise with firm
leadership buy-in
• Identify 3rd-party network connections or
federated trust relationships
(Continued)

• Understand your Attack Surface - Internal
• Conduct monthly automated scans to validate
patching program
• Conduct annual security testing of key suppliers
• Understand admin technical segregations of duty
• Move roles around is possible and without notice
• Maintain and inventory of USBs in desktops and
laptops
• Review policies on 3-party storage system (e.g.,
Dropbox)
• Capture what existing sys log review processes
exist
• Examples: alerting auth events
(Continued)

• Protect Information at Rest and in Transit
• Tailor DLP to firm’s needs
• Implement at desktop, gateway, or federated entry
points
• Disable USBs through technology acquisition or
Active Directory (AD) Group Policy Objects
(GPO)
• Example: IEEE 802.1X-authenticated wired
connections through Group Policy
• Implement trusted sys logging for admins
• Test portal authorization implementation with
manual testing
• Secure 3rd-party FTP or mail service for most
sensitive documents (obviously)

• Protect Information at Rest and in
Transit
• Rollout mobile device management for all
mobile devices implementing:
• Remote wipe, OTA Updates, Containers etc.
• Deploy full disk encryption on ALL laptops
• Rollout next-generation anti-virus and
malware detection
• Enable alerting for key events
Suggested Strategy #2 (Continued)

• Protect Information at Rest and in
Transit
• Consider 2-factor authentication or tokens for:
• Administrative accounts
• Particularly sensitive client documents
• And don’t forget! Implement encrypted email
at all times!
Suggested Strategy #2 (Even
more!)

• Reduce your External Attack Surface
• Implement organization-wide patching
• Understand risks of 3rd-party risks of CMS or
portal software
• Catalog trusted entry points from 3rd parties
• Ensure your web-facing sites are devoid of
SQL injections/XSS vulnerabilities
• Start to build a “defense in depth” approach to
your organization

• Implement organization-wide patching
• Not just for Microsoft products (Reference: Verizon
Data Breach Report)
• Understand risks of 3rd-party risks of CMS or
portal software
• Implement hardening configs for SharePoint,
Drupal, WordPress, others
• Monitors security lists and quickly apply patches

• Monitor & reduce (possible) trusted entry
points from 3rd parties
• Ensure your web-facing sites are devoid of
SQL injections/XSS vulnerabilities
• Again, watch 3-party vulnerability notifications
(Continued)

• Be Able to Identify an Attack
• Deeply understand your “base” network and
application operations tempo
• Do you regularly monitor network stats?
• Build the competency to regularly review key
events via logging
• IPS/IDS + SEM if you’re big enough to
warrant capability
• Exfiltration logging for after the fact -
think Mossack Fonseca!

• Don’t go it alone!
• Gain and maintain a trusted relationship with
an organization that understands firm risk and
can conduct knowledge transfer
• Particularly given the broad technology stack
• Consider a Managed Security Services
Provider (MSSP) for 24/7 coverage
• Have a relationship with an IR and crisis
communication firm.

Discussion, Questions, and
Answers
John B. Dickson
@johnbdickson

What a locked down law firm looks like updated

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What a locked down law firm looks like updated

Similar to What a locked down law firm looks like updated (20)

More from Denim Group

More from Denim Group (20)

Recently uploaded

Recently uploaded (20)

What a locked down law firm looks like updated