Internet Security Assessment of the Legal Profession: An Easy Target

This is a guest post from Matt Wilgus, Practice Director for AT&T Consulting.

Increasingly, the legal profession is having to deal with internet security incidents. AT&T sees two common scenarios with law firms:

1. The first involves an attack, or advanced persistent threat (APT), against a specific law firm.

2. The second involves malware outbreaks, although these outbreaks don’t appear tailored towards a specific firm.

In both cases, the success of the attack and the extent of the incident depend on the controls the law firm has in place. These are not limited to technical controls; they also include common processes and standard operating procedures. In a two-post series, my goal is to raise awareness of the legal profession’s security issues by describing what I’ve observed. In terms of internet security, law firms make easy targets (the focus of this post), and I will address the ongoing debate about whether a formal security standard, overseen by a formal regulatory body, would serve the legal profession better than its current methodology of self-regulation (the topic of my next post).

Easy Targets

As law firms have become more frequent targets, the industry’s awareness of potential internet security threats has also increased. The end target of many such attacks is client information. Unfortunately, client lists of law firms are some of the easiest to gather. Whether it is posted on the company’s website, appears in published verdicts in public cases, or is mentioned in announcements of financial transactions such as mergers and acquisitions, connecting a law firm to a particular client is very easy. Sites like LinkedIn and other resume-posting sites can also pinpoint attorneys who work with specific clients. But the threat isn’t limited to client information. Firm growth strategies and human resource data are also sensitive and should be secured.

Crunchy Outside Still Applies

Many law firms have moved to secure their internet presence with basics such as firewalls and intrusion detection systems, either managed in-house or provided by an outsourced Managed Security Service Provider such as AT&T. For the most part, firms seem to understand this concept, although the number of internet applications firms use tends to be low. In addition to the standard mail server and brochureware website, drop-box style file exchange is generally the only dynamic or interactive site. Websites and extranets such as connections to third-party suppliers, e-commerce sites, and online banking environments simply don’t exist. As a result, protecting law firms’ internet-facing hosts is easier than doing so for customers in other industries. That said, the perceived strength of a firm’s perimeter sometimes results in overconfidence about the security of the entire network.

The reality is that most law firms’ internal networks have not received anywhere near the same attention as their external networks. Network segmentation is frequently used to isolate sensitive data on a network; in a law firm, however, sensitive data often resides on many machines, particularly workstations. To further complicate the issue, lawyers are generally given local administrator access on their laptops, which allows them to install anything and everything. Endpoint security products such as anti-virus software, even with signatures updated daily, can only provide so much protection.

Another issue for law firms is the influx of new devices into the environment. While there are frequently common procedures within the firm, such as the issuance of a BlackBerry device and a laptop, many associates are allowed to use devices not controlled by IT, such as iPhones, Android-based devices, iPads and other tablets. How these devices access the law firm’s network varies (e.g. straight Wi-Fi, VPN client, Citrix), as do the security measures applied to them (if any).

Staffing Issues: Who Focuses on Security?

Large, international firms are not the only targets. Regional and small firms may also be targeted. It is not uncommon for small to medium-sized firms to have large or multinational clients. A lot of press has been given to the number of recent law school graduates unable to find positions in law firms. It’s also worth noting that law firms aren’t hiring security analysts or security engineers either. Firms with fewer than 25 attorneys commonly have an outsourced IT department, with no one in-house focused on security. Firms with 25 to 250 attorneys typically have an internal IT department, and security rolls up to that department. Network engineers often perform security tasks as well. But in my opinion it’s rare for firms with fewer than 1,000 attorneys to have a formal Chief Information Security Officer, and they often have no more than one employee focused on internet security.

Other Industries Be Aware

Awareness of law firm security is just beginning. Unless overall enterprise and technical security improves, APTs will continue to be an issue for law firms, and firms will continue to be low-hanging fruit and the subject of other non-targeted security issues. As for APTs, other professional services organizations and entities such as accounting firms, investment professionals, and university environments with large research facilities could learn these lessons as well: they are also likely targets.

In my next post, I will address the legal industry’s current methodology of “Security without Compliance” and discuss whether or not a formal body that oversees security standards would be more effective.

Matt Wilgus leads the Secure Infrastructure Services practice for AT&T Consulting. In this role, he shapes the delivery and direction of offerings involving vulnerability and threat management, incident response and forensics, secure architecture design and other technical solutions.

Posted by Bindu Sundaresan, Strategic Security Solutions Lead, AT&T.