12/8/2016
02:55 PM
Law Firms' Security Cross-Examined

Legal sector earns a respectable score for its cybersecurity posture overall, but a large number of law firms remain weak when it comes to security.

The good news: the legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry.

The bad news: More than half of law firms are vulnerable to a known attack called DROWN, which exploits servers that still accept the obsolete SSLv2 protocol to decrypt TLS-protected communication on Web and email servers and VPNs, and a large percentage of law firms scored low security-wise.

"Even though as a sector, legal is performing pretty well in security, we wanted to call out that there are poorly performing firms," says Stephen Boyer, co-founder and CTO of BitSight, which provides a credit-score type security rating system for various industries. "The story here is not that legal is performing well. The story is there is risk there and if people [in the sector] don't manage that, it could be catastrophic."

On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year's rating of 690.

BitSight maps organizations' online servers and domains, and analyzes potential vulnerabilities, configurations, and publicly disclosed breaches to benchmark security posture. The firm's tools can observe hundreds of thousands of organizations within an industry sector, for example.

For this study, BitSight analyzed 20,153 organizations in finance (8,567), healthcare (4,239), legal (1,269), energy/utilities (2,841), retail (1,900), and government (1,337), and the firm gathered evidence of about 3.6 million malware infections in those industries.

This year's security rating index report drilled down on the legal sector, which had its Stuxnet "moment" with the Panama Papers breach earlier this year. A data breach at Panamanian law firm Mossack Fonseca resulted in the theft of 11.5 million sensitive records from the firm. The International Consortium of Investigative Journalists later released some of the information publicly to expose shell corporations used to evade taxes and other nefarious purposes.

"Panama Papers really woke everyone up ... and [made them wonder] 'What could that mean for us as a law firm?'"

Some 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular "fire drills" for incident response. The report said firms were confident in their ability to thwart attacks.

"Many firms' confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat," said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst, in a statement. "For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan."

The legal sector long has been considered an obvious, lucrative target for cybercrime and cyber espionage, given the confidential information law firms hold about their corporate, government, and individual clients.

Chinese state actors reportedly were behind the theft of partner emails and information from several major US law firms, according to Fortune. One firm lost seven gigabytes of data in a March 2015 hack, according to Fortune's reporting. The attacks likely were standard cyber espionage for competitive gain, the calling card of China's nation-state hacking machine.

The FBI earlier this year warned of cybercriminals attempting to hack law firms for insider trading operations, yet another wakeup call for firms to crack down on security. "The FBI has seen people trying to attack specific law firms," Boyer says.

Red Flags

Meanwhile, BitSight's study found that the energy/utilities sector's security posture is declining. Some 133 organizations in this industry had ratings of 500 or lower. "This is important to note considering previous studies by BitSight finding that companies with a rating of 500 or lower are nearly five times as likely to experience a breach as those with a 700 or above," the report said.

And some 80% of organizations across all industry sectors in the analysis were vulnerable to two known, and patchable, TLS flaws on their web servers: Logjam (weak or export-grade Diffie-Hellman) and POODLE (SSLv3 still enabled).
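The three weaknesses the report counts (DROWN above, and Logjam and POODLE here) are all configuration findings a firm can check for itself. The following is an added example, not code from BitSight or from the article: it takes a constructed inventory of what a scanner observed per host (the field names, hostnames and fingerprints are assumptions) and flags each host. The one point worth seeing in code is the DROWN rule: a host that has SSLv2 disabled is still exposed if any other host, a mail server for instance, presents the same RSA key and still speaks SSLv2, so the check has to group hosts by key rather than look at each server alone.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Observation:
    """What a scanner saw when it probed one host (constructed data, not real scan output)."""
    host: str
    key_fingerprint: str     # fingerprint of the RSA public key the host presented
    protocols: List[str]     # protocol versions the host accepted
    ciphers: List[str]       # cipher suites the host accepted (OpenSSL names)
    dh_bits: int = 0         # size of the DHE group the host offered, 0 if no DHE suite


def assess(inventory: List[Observation]) -> Dict[str, List[str]]:
    """Return, per host, the attacks from the report that its observed settings expose it to."""
    # DROWN: an SSLv2 oracle on one host compromises every host that presents the same
    # RSA key, even one that has SSLv2 disabled itself, so group by key first.
    keys_with_sslv2 = {o.key_fingerprint for o in inventory if "SSLv2" in o.protocols}

    findings: Dict[str, List[str]] = {}
    for o in inventory:
        issues: List[str] = []
        if o.key_fingerprint in keys_with_sslv2:
            if "SSLv2" in o.protocols:
                issues.append("DROWN: SSLv2 enabled")
            else:
                peers = sorted(p.host for p in inventory
                               if p.key_fingerprint == o.key_fingerprint
                               and "SSLv2" in p.protocols)
                issues.append("DROWN: RSA key shared with SSLv2 host " + ",".join(peers))
        # POODLE: padding-oracle attack on SSLv3 CBC suites; the fix is to disable SSLv3.
        if "SSLv3" in o.protocols:
            issues.append("POODLE: SSLv3 enabled")
        # Logjam: downgrade to export-grade (512-bit) DHE. OpenSSL names those suites
        # EXP-EDH-... or EXP1024-DHE-...; a small non-export group is flagged separately.
        export_dhe = [c for c in o.ciphers
                      if c.startswith("EXP") and ("EDH" in c or "DHE" in c)]
        if export_dhe:
            issues.append("Logjam: export DHE suites " + ",".join(export_dhe))
        elif 0 < o.dh_bits < 2048:
            issues.append(f"weak DH: {o.dh_bits}-bit group")
        findings[o.host] = issues
    return findings


def exposed_fraction(findings: Dict[str, List[str]], attack: str) -> float:
    """Share of hosts carrying a finding for the named attack (the report's 'more than half')."""
    hit = sum(1 for issues in findings.values() if any(i.startswith(attack) for i in issues))
    return hit / len(findings) if findings else 0.0


# Constructed inventory for illustration; hostnames, fingerprints and settings are made up.
SAMPLE_INVENTORY = [
    Observation("www.example.test", "k1", ["TLSv1.2", "TLSv1"],
                ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"], dh_bits=2048),
    Observation("mail.example.test", "k1", ["SSLv2", "SSLv3", "TLSv1"],
                ["RC4-MD5", "DES-CBC3-SHA", "AES128-SHA"]),
    Observation("vpn.example.test", "k2", ["TLSv1"],
                ["EXP-EDH-RSA-DES-CBC-SHA", "DHE-RSA-AES128-SHA"], dh_bits=512),
    Observation("portal.example.test", "k3", ["TLSv1.2"],
                ["ECDHE-RSA-AES256-GCM-SHA384"], dh_bits=2048),
]


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for host, issues in results.items():
        print(host, "->", issues or "ok")
    print("DROWN-exposed fraction:", exposed_fraction(results, "DROWN"))
```

In the sample, the web server is clean on its own yet still lands in the DROWN column because the mail server reuses its key, which is the case that per-host scanning misses. Remediation for all three findings is the same short list: disable SSLv2 and SSLv3, drop export suites, use a 2048-bit (or larger) DH group, and never share an RSA key with a host that still speaks SSLv2.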

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
