Operations

12/8/2016
02:55 PM
Law Firms' Security Cross-Examined

Legal sector earns a respectable score for its cybersecurity posture overall, but a large number of law firms remain weak when it comes to security.

The good news: the legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry.

The bad news: more than half of law firms are vulnerable to a known attack called DROWN, which breaks encryption and exposes communications and data on Web and email servers and VPNs, and a large percentage of law firms scored low on security.

"Even though as a sector, legal is performing pretty well in security, we wanted to call out that there are poorly performing firms," says Stephen Boyer, co-founder and CTO of BitSight, which provides a credit-score type security rating system for various industries. "The story here is not that legal is performing well. The story is there is risk there and if people [in the sector] don't manage that, it could be catastrophic."

On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year's rating of 690.

BitSight maps organizations' online servers and domains, and analyzes potential vulnerabilities, configurations, and publicly disclosed breaches to benchmark security posture. The firm's tools can observe hundreds of thousands of organizations across an industry sector.

For this study, BitSight analyzed 20,153 organizations in finance (8,567), healthcare (4,239), legal (1,269), energy/utilities (2,841), retail (1,900), and government (1,337), and the firm gathered evidence of about 3.6 million malware infections in those industries.

This year's security rating index report drilled down on the legal sector, which had its Stuxnet "moment" with the Panama Papers breach earlier this year. A data breach at Panamanian law firm Mossack Fonseca resulted in the theft of 11.5 million sensitive records from the firm. The International Consortium of Investigative Journalists later released some of the information publicly to expose shell corporations used to evade taxes and for other nefarious purposes.

"Panama Papers really woke everyone up ... and [made them wonder] 'What could that mean for us as a law firm?'"

Some 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular "fire drills" for incident response. The report said firms were confident in their ability to thwart attacks.

"Many firms' confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat," said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst, in a statement. "For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan."

The legal sector has long been considered an obvious and lucrative target for cybercrime and cyber espionage, given the confidential information law firms hold about their corporate, government, and individual clients.

Chinese state actors reportedly were behind the theft of partner emails and information from several major US law firms, according to Fortune. One firm lost seven gigabytes of data in a March 2015 hack, according to Fortune's reporting. The attacks likely were standard cyber espionage for competitive gain, the calling card of China's nation-state hacking machine.

The FBI earlier this year warned of cybercriminals attempting to hack law firms for insider trading operations, yet another wakeup call for firms to crack down on security. "The FBI has seen people trying to attack specific law firms," Boyer says.

Red Flags

Meanwhile, BitSight's study found that the energy/utilities sector's security posture is declining. Some 133 organizations in this industry had ratings of 500 or lower. "This is important to note considering previous studies by BitSight finding that companies with a rating of 500 or lower are nearly five times as likely to experience a breach as those with a 700 or above," the report said.

And some 80% of organizations across all industry sectors in the analysis were vulnerable to two known (and patchable) web server flaws, Logjam and POODLE.
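As an added illustration, not taken from the article or from BitSight, here is the kind of nginx TLS configuration that leaves a Web server exposed to POODLE (SSLv3 enabled) and Logjam (export-grade and weak Diffie-Hellman allowed), beside a hardened equivalent. Hostnames and file paths are placeholders.

```nginx
# WEAK (constructed example): what the flaws in the article look like in a config
server {
    listen 443 ssl;
    server_name law-firm.example;                      # placeholder hostname
    ssl_certificate     /etc/ssl/certs/law-firm.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/law-firm.key; # placeholder path

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 on -> POODLE
    ssl_ciphers   ALL;                          # includes EXPORT DHE suites -> Logjam
    # no ssl_dhparam: server falls back to short default DH parameters
}

# HARDENED (constructed example): same site with the patchable flaws closed
server {
    listen 443 ssl;
    server_name law-firm.example;
    ssl_certificate     /etc/ssl/certs/law-firm.pem;
    ssl_certificate_key /etc/ssl/private/law-firm.key;

    ssl_protocols TLSv1.2;                      # SSLv3 (and earlier) gone -> no POODLE
    ssl_prefer_server_ciphers on;
    # forward-secret suites only; EXPORT, NULL-auth, DES and RC4 explicitly excluded
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!EXPORT:!DES:!RC4';
    # 2048-bit DH group generated out of band: openssl dhparam -out /etc/ssl/dhparam-2048.pem 2048
    ssl_dhparam /etc/ssl/dhparam-2048.pem;      # closes the Logjam downgrade path
}

# DROWN caveat: DROWN abuses SSLv2 on ANY service that shares the same RSA key
# (often a mail server), so fixing this Web server alone is not enough; every
# host using the certificate above must have SSLv2 disabled as well.
```

The hardened block only helps if it is the configuration actually loaded, so verify with `nginx -t` and an external TLS scan after reloading.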

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...