
Operational Security

05:10 PM
Joe Stanganelli
News Analysis-Security Now

Lawyers Are Friends, Not Foes

When it comes to security allies, your corporate counsel should top the list.

Many programmers and engineers possess a natural distrust of attorneys. Nonetheless, when it comes to protecting their organization's data, the attorney and the security engineer can be natural allies because of their mutual interests and similar ways of thinking.

Both want to reduce the organization's attack (or liability) surface while doing what they can to mitigate damages should something go awry. Both are paranoid about people out to get them (or, at least, get their employers). And both hold Murphy's Law as a universal truth.

Moreover, the company lawyers, whether in-house or outside counsel, have greater influence and responsibility when it comes to crafting company policy and ensuring its enforcement. Accordingly, they are arguably the next-to-last line of preventative defense against ransomware -- before the user himself or herself.

Below are but three things security-minded organizations can learn from -- and do with -- their legal counsel to better protect organizational data.

Plan for everything with compulsive pessimism
Good lawyers (and those inclined or destined to be good lawyers) are great "What if...?" askers -- particularly because asking "What if...?" is the very essence of effective law practice. At least one study has shown that law practice is the sole profession in the world in which pessimists generally enjoy greater career success than do optimists. Of course, this study was conducted before the field of cybersecurity had taken off to the extent it has today. Lawyers know that just about anything can happen; so too do good cybersecurity workers. The partnership between the two roles should be natural -- and the two can work well together on meaningful data-protection compliance, tabletop exercises, and handling data-breach crises after the fact.

CISOs and InfoSec workers, therefore, are well advised to welcome teaming up with in-house counsel to construct and enforce exhaustive -- yet meaningful -- policies, procedures and solutions for data-protection training, emergency planning, disaster recovery, breach tracking and notification, and other cybersecurity issues.

No policy unenforced
If there's a policy, for heaven's sake, follow and enforce it!

This may seem obvious, but consider the impact of social engineering. Every year, Social-Engineer hosts a Social-Engineer Capture the Flag Contest (SECTF), in which contestants compete to obtain as much sensitive information as they can from a selection of major enterprise companies by way of social engineering. The results are often celebratory for the contestants while embarrassing for the targeted companies.

"The companies who happened to do well did so accidentally or out of ignorance in [that] they either couldn't answer the question or didn't know how, so the call shut down," said Michele Fincher, Social-Engineer.org's COO, after the 2013 SECTF -- in which tech giant Apple scored abysmally. "Very few [employees] said, 'I am not allowed to give out this information.' "

This kind of policy-enforcement failure can lead -- and, in the case of Apple, as well as others, has led -- to headline-grabbing data breaches, such as the kind Wired writer Mat Honan suffered in 2012 (the year before Apple was targeted in the SECTF). That year, hackers seized control over all of Honan's major online accounts by using social engineering to exploit policy flaws at Amazon and Apple that compounded each other -- despite not knowing the answers to Honan's security questions or other key information that only he would know. Had the company lawyers -- or HR people or other leaders with lawyer-like minds -- enforced their organizations' putatively strict policies for customer-service password resets, Honan's hack might never have happened.

Ditto when it comes to NSA employees -- approximately two dozen of whom reportedly may have voluntarily given their password credentials to leaker-to-be Edward Snowden when he simply asked for them.

Don't reuse; don't recycle
One of the biggest threats to information security is password reuse. When a breached organization's compromised user credentials are the same as those of the employees at your own enterprise, you become all the more vulnerable -- particularly as word spreads across the news and the passwords spread across the DarkNet.


It's happened before. Last time, I wrote about how password recycling led to a major security breach at restaurant-finding service Zomato. The 2014 security breach of Dropbox, meanwhile, provides a more notorious (albeit less recent) example; the cloud storage company blamed the hack on its users' reuse of passwords across multiple services along with their own Dropbox accounts.

This is where the lawyer-drafted company handbook can help -- particularly in conjunction with proper employee training.

"I wish passwords weren't reusable," lamented Patrick Hynds, Founder and President of New Hampshire-based cybersecurity consultancy DTS, in a keynote he delivered at last year's meeting of the Boston chapter of the National Information Security Group (NAISG). "So we have a format that I've used for the last 20 years, which is that in the employee handbook in every company that I've had any power over has a page -- and a brief that goes with it -- that says, 'The password you use on our network belongs to us. If you use it anywhere else and we find out, you're fired.' "

That stick, granted, is heavy indeed -- but it need never come to that. Recently, security researcher Troy Hunt released a database of 320 million compromised passwords that can be used for preventing reuse of known passwords.
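One way to put a list like Hunt's to work is to reject a new password when its hash appears in the breach corpus, at the moment the user sets it. The example below is added here and is not code from the article or from Hunt's project; it assumes the corpus is loaded as one uppercase SHA-1 hex digest per line (optionally followed by ":count"), and it builds a tiny constructed corpus in place of the real download.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample standing in for plaintexts seen in past breaches.
# A real deployment loads the downloaded hash list instead of hashing plaintexts.
CONSTRUCTED_LEAKED_PLAINTEXTS = ["password", "123456", "Summer2017!", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form breach hash lists are typically published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(hash_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Index 40-char digests by their first five hex characters.

    Bucketing by prefix lets a lookup service answer 'give me every suffix in
    bucket ABCDE' without the caller revealing the full hash of the candidate.
    """
    index: Dict[str, Set[str]] = {}
    for line in hash_lines:
        digest = line.strip().split(":")[0].upper()  # tolerate 'HASH:count' lines
        if len(digest) != 40:
            continue  # skip blank or malformed lines rather than crash on them
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_compromised(password: str, index: Dict[str, Set[str]]) -> bool:
    """True when the candidate's SHA-1 appears in the indexed breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def validate_new_password(password: str, index: Dict[str, Set[str]],
                          min_length: int = 12) -> Tuple[bool, str]:
    """Policy check a password-set handler runs before accepting a new password."""
    if len(password) < min_length:
        return False, "shorter than policy minimum"
    if is_compromised(password, index):
        return False, "appears in a known breach corpus"
    return True, "accepted"


# Constructed corpus lines, including one with a trailing count and one blank line.
CONSTRUCTED_HASH_LINES = [sha1_hex(p) for p in CONSTRUCTED_LEAKED_PLAINTEXTS[:-1]]
CONSTRUCTED_HASH_LINES += [sha1_hex(CONSTRUCTED_LEAKED_PLAINTEXTS[-1]) + ":5", ""]
BREACH_INDEX = build_range_index(CONSTRUCTED_HASH_LINES)

if __name__ == "__main__":
    for candidate in ["password", "letmein", "correct horse battery staple"]:
        print(candidate, validate_new_password(candidate, BREACH_INDEX))
```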

In any case, strict enforceability to the point of actual employment termination is not the point; nurturing a culture of security is.

"We've never fired anybody [over it and] we probably never will," continued Hynds, "but it gets it in their head that this is not a game. It's important."

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.
