Tuesday, February 3, 2015

Law Firms Are a Hacker’s Dream

Today I would like to thank Wes Withrow, IT GRC Expert at TraceSecurity, for sharing some of his knowledge and expertise. Through our partnership with TraceSecurity, you can now leverage TraceCSO’s full suite of information security and compliance management capabilities – from risk assessments, training and IT audits, to vulnerability scanning, control and vendor management, compliance reporting and more.

Law Firms Are a Hacker’s Dream

When we talk about some of the tactics, techniques, and procedures (TTPs) used by hackers during a cyber breach, we usually think of things like sophisticated malware, military-grade encryption-cracking tools, and ransom notes delivered to the world via Twitter. We usually don’t think about the countless hours the attackers had to spend wading through the terabytes of stolen data to find the nuggets of valuable information they were looking for.

More often than not it takes more time to filter through the data than it does to steal it. If it takes a lot of time and money to search through massive amounts of stolen data, why do it if you don’t have to? Why not have an entire fleet of people do it for you upstream in the process, pro bono of course?

Doing the Hacker’s Dirty Work

This is exactly why the legal industry is considered one of the most target-rich environments for hackers right now. Law firms do a great job at collecting, aggregating, analyzing, and presenting sensitive data – they just don’t protect it that well. The legal industry has some of the most advanced data aggregation tools and well-trained employees who know how to use them; they’re just not skilled in the art of protecting data.

This isn’t meant to imply that law firms don’t take their responsibilities as the custodian of their clients’ data seriously because most do. The purpose of this blog is to point out the fact that law firms represent a variety of industries, have data rich IT ecosystems, and can be a great launching pad for hackers who want good data that’s already been filtered and massaged for them.

A Situation of “Soft” Compliance

Why are law firms good at the acquisition of data and notoriously challenged at protecting it? This can be attributed to many of the usual suspects like budget cuts and staffing shortages, but the underlying reason is that the legal industry is one of the few remaining self-governed territories left untouched by an industry-specific version of IT security compliance.

Sure, firms have to adhere indirectly to legal and regulatory compliance as requested by their clients, but right now security is still a discretionary, not mandatory, expense at firms. “Soft” compliance requirements passed down by clients aren’t nearly as effective as the financial penalties associated with real compliance frameworks like HIPAA and PCI-DSS.

This doesn’t mean that law firms go out of their way to get breached nor does this mean that they’re the most profitable organizations to steal data from – it means that firms should be on high alert like the rest of us, maybe a bit more given how much value they might add in the attacker’s favor. 

Tuesday, November 11, 2014

A Partnership Already Paying Dividends

I want to take a minute and congratulate our newest corporate partner, TraceSecurity, for winning the 2014 GRC Value Award in the IT GRC Management category by GRC analyst firm GRC 20/20.

The reason they’re being recognized as thought and service delivery leaders in this space is that they realize companies are looking for reasonable solutions that make sense and that are responsive. They’re delivering solutions that fit those criteria, and it’s allowing for dynamic growth and success. We understand how critical it is for professional service companies to develop and enact functional, working solutions to the Governance, Risk and Compliance challenges industries are facing every day.

Because of our expertise in infrastructure as a service and in security, we field a number of inquiries every month from companies wanting to form strategic alliances. We’re meticulous in the way we design and install networks and we’re just as meticulous with who we take on as partners.

We feel joining forces with TraceSecurity allows us to deliver unmatched expertise in the area of secure network infrastructure with our ISVN® (Intelligently Scalable Virtual Network) solution. We know our clients will be pleased with the results.

Thursday, September 25, 2014

WARNING: A severe threat greater than Heartbleed has been revealed.

This is a very important warning, and it is recommended that any Linux-based system be patched immediately. A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the wider internet. It puts countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

Cywest has already deployed patches to critical systems, and we are recommending that all customers do the same as quickly as possible. A reverse shell possibility also exists with this bug, requiring Cywest to isolate and shut down any breached systems.
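As an added example (not part of the original post), here is a local, defender-side check for the 2014 Bash environment-variable parsing bug the warning refers to: a patched bash ignores anything following a function definition imported from the environment, while an unpatched one executes it at startup. The function names and marker string are my own; the script only inspects the bash on the host it runs on.

```shell
# Report whether the local bash still executes trailing text after an
# environment-imported function definition. Prints "patched", "vulnerable",
# or "no-bash" (bash is not installed), and changes nothing on the host.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # Marker (constructed) that only appears if the trailing echo runs.
    marker="bash-check-$$"
    out=$(env x="() { :;}; echo $marker" bash -c "true" 2>/dev/null)
    case "$out" in
        *"$marker"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# Inventory line combining the bash version with the check result, useful
# when sweeping many hosts through a configuration-management tool.
bash_report() {
    if command -v bash >/dev/null 2>&1; then
        ver=$(bash -c 'printf "%s" "$BASH_VERSION"')
    else
        ver="absent"
    fi
    echo "bash=$ver status=$(shellshock_status)"
}

bash_report
```

A result of "vulnerable" means the system still needs the vendor's updated bash package and should be treated as exposed until it is installed.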

Wednesday, September 17, 2014

Asking The Right Questions

I found myself with a career in technology for a lot of reasons, but one of the most telling was a pursuit of knowledge. When I was a kid my parents would be delighted by the amount of research I would do on any topic of interest. They thought it would enable me to go far in life. I still have a profound thirst for knowledge. I always want to know the reasons why an action or decision has occurred. I’m just as happy to answer any and all questions from our customer base about the service we provide.

Asking questions, and getting answers to them, is something I still find many folks are unwilling to do when considering critical technology questions. They cover the basics – they just don’t ask the more detailed questions, possibly because they don’t know what they should be. If you’re looking at an infrastructure or telecom project, these are some of the additional things I’d want to know. I encourage you to compare the answers we give to any of our competitors.

1. What is the average retention rate of the company’s customer base?

2. Does the provider directly operate/manage the services platform it’s providing, or is it reselling the services of a third party?

3. What kind of technical certifications or qualifications have the company’s employees achieved?

4. Does the company you’re considering actually offer a broad array of services, including configuration and legitimate network design?

There are a number of other things I’d want to know, including any strategic partnerships the provider has with existing companies, so that I was aware of any synergy with companies I already used. But if you just start by asking the four listed above, you’ll be off to a good start in your research.

Wednesday, June 25, 2014

International Legal Technology Association (ILTA) Roadshow - Salt Lake City

Cywest hit the road last week for our first ILTA roadshow of 2014. We were honored to work with ILTA in providing educational content and talk with some of the legal industry's thought leaders about what the future of network security looks like. The main topic of the show was "New Encryption Strategies For Communications".

Clients are beginning to demand that law firms address security in a more proactive manner and Cywest is leading the way with its innovative encryption technology that is embedded in the Intelligently Scalable Virtual Network (ISVN).

There was a lively discussion and one attendee even gasped as we demonstrated ways that today's threat actors go about obtaining sensitive and proprietary information. We realize the value in putting our minds together to solve today's challenges. Listen to what some of the attendees said.

"Very informative!"

"Great info."

We are really looking forward to the next show! Houston here we come!

Tuesday, May 27, 2014

Cywest at 2014 ILTA LegalSEC® Summit

Cywest is proud to be presenting at the 2014 ILTA LegalSEC® Summit on June 11th and 12th at the Westin Lombard in Chicago. This special two-day event is a gathering of experts from across the legal industry security field talking about their experiences and sharing best practices for strategic information technology leaders tasked with managing their own vulnerable infrastructures.

We are delivering a first-of-its-kind approach to network security and are excited to offer a glimpse at that technology during this year’s summit. With internal and external security threats looming on the horizon, it is important to take a more proactive and innovative approach to securing your confidential and proprietary information. Law firms must be diligent in addressing these challenges by implementing industry standard technologies, performing reviews of their providers, and including the right contract provisions in their agreements.

But is that enough? Cywest believes that the magnitude of the problem necessitates that law firms go well beyond the norm. The future of network design will include 24/7/365 proactive network monitoring, innovative encryption technologies and regular auditing to test the integrity of your network with services like vulnerability scanning and penetration testing. All of this needs to be done without affecting the performance or availability of the network and without significantly increasing IT spend.

If you’re coming to the show, we invite you to stop by Booth 10 and take a peek at our ISVN® (Intelligently Scalable Virtual Network) offering and how its embedded Expert Security Services include the following:

• Network Security Assessments
• 24/7/365 Proactive Network Monitoring
• Penetration Testing
• Encryption as a Service (EaaS)

Wednesday, April 30, 2014

State of the Industry – Q2 Snapshot

I thought I’d comment on two recent studies centered on trends in the telecommunications area that are generating a number of headlines with different providers. Interestingly, both studies point to a common trend: the majority of companies are wholly unprepared to handle the continuing increase in demand required by cloud computing, social media, mobile devices and data analytics. In fact, according to an IBM analysis of more than 750 CIOs across the country, less than 10% say their infrastructure is properly scaled to meet demand, and 62% intend to increase infrastructure spending over the next 18 months in order to try and meet the demand. The IBM study also points out that 46% of respondents struggle with maintaining a secure environment and self-admit that they lack a strategic infrastructure road map. The full study will be published in July, but the preliminary results do not come as a surprise to us. We see many of the same issues confronting both our existing and prospective customers during our conversations.

Thankfully, according to another just-released study by Akamai, the world just recently reached a critical plateau in terms of available average connection speed, in that all ten of the most populated countries or regions in the globe now surpass the high broadband threshold. In fact, on a year-over-year comparison, global average peak connection speeds increased 38% in the fourth quarter of 2013 compared to 2012, and analysts forecast another sizable jump when the end-of-year numbers come in for 2014.

All of this means it’s a buyer’s market out there and a good time to evaluate your options about infrastructure planning – even if your existing contract has plenty of months remaining. These types of projects require significant advance planning to deliver quality service and a clean, painless transition.