12/8/2016
02:55 PM

Law Firms' Security Cross-Examined

Legal sector earns a respectable score for its cybersecurity posture overall, but a large number of law firms remain weak when it comes to security.

The good news: the legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry.

The bad news: more than half of law firms are vulnerable to a known attack called DROWN, which breaks encryption and exposes communications and data on Web and email servers and VPNs, and a large percentage of law firms scored poorly on security.

"Even though as a sector, legal is performing pretty well in security, we wanted to call out that there are poorly performing firms," says Stephen Boyer, co-founder and CTO of BitSight, which provides a credit-score type security rating system for various industries. "The story here is not that legal is performing well. The story is there is risk there and if people [in the sector] don't manage that, it could be catastrophic."

On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year's rating of 690.

BitSight maps organizations' online servers and domains, and analyzes potential vulnerabilities, configurations, and publicly disclosed breaches to benchmark security posture. The firm's tools can observe hundreds of thousands of organizations within an industry sector, for example.

For this study, BitSight analyzed 20,153 organizations in finance (8,567), healthcare (4,239), legal (1,269), energy/utilities (2,841), retail (1,900), and government (1,337), and the firm gathered evidence of about 3.6 million malware infections in those industries.

This year's security rating index report drilled down on the legal sector, which had its Stuxnet "moment" with the Panama Papers breach earlier this year. A data breach at Panamanian law firm Mossack Fonseca resulted in the theft of 11.5 million sensitive records from the firm. The International Consortium of Investigative Journalists later released some of the information publicly to expose shell corporations used to evade taxes and other nefarious purposes.

"Panama Papers really woke everyone up ... and [made them wonder] 'What could that mean for us as a law firm?'"

Some 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular "fire drills" for incident response. The report said firms were confident in their ability to thwart attacks.

"Many firms' confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat," said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst, in a statement. "For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan."

The legal sector has long been considered an obvious and lucrative target for cybercrime and cyber espionage, given the confidential information firms hold about their corporate, government, and individual clients.

Chinese state actors reportedly were behind the theft of partner emails and information from several major US law firms, according to Fortune. One firm lost seven gigabytes of data in a March 2015 hack, according to Fortune's reporting. The attacks likely were standard cyber espionage for competitive gain, the calling card of China's nation-state hacking machine.

The FBI earlier this year warned of cybercriminals attempting to hack law firms for insider trading operations, yet another wakeup call for firms to crack down on security. "The FBI has seen people trying to attack specific law firms," Boyer says.

Red Flags

Meanwhile, BitSight's study found that the energy/utilities sector's security posture is declining. Some 133 organizations in this industry had ratings of 500 or lower. "This is important to note considering previous studies by BitSight finding that companies with a rating of 500 or lower are nearly five times as likely to experience a breach as those with a 700 or above," the report said.

And some 80% of organizations across all industry sectors in the analysis were vulnerable to two known, and patchable, web server flaws, Logjam and POODLE.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...