
Vulnerabilities / Threats

4/12/2016 09:55 PM

Law Firms Present Tempting Targets For Attackers

Panama Papers breach just scratched the surface of the relative lack of budget and resources in the legal sector that leaves many law firms vulnerable to cyberattacks.

The recent data breach at Panamanian law firm Mossack Fonseca that resulted in the theft of a staggering 11.5 million sensitive records highlights what analysts say is a disturbing lack of security preparedness at many law firms.

Mossack Fonseca has not disclosed how exactly it was breached. But it has blamed external actors for a theft that has exposed the potentially illicit offshore financial dealings of numerous political leaders and public figures around the world including Russian president Vladmir Putin and British prime minister David Cameron.

Many view the sheer scope of the data breach—over 2.6 terabytes of data was stolen without the firm detecting the theft—as a sign that Mossack Fonseca did not have basic controls in place for detecting and mitigating such incidents. Unfortunately, such a lack of preparedness is fairly common in the legal industry.

Security firm BitSight, which uses a credit-score-like metric for rating the cybersecurity effectiveness of organizations, currently gives law firms a score of 690 out of 900. That puts them ahead of public relations and communications companies, but behind several other industries. Accounting firms, for example, have a rating of 740, and firms in the benefits administration space have a 750 rating from BitSight.

“The legal industry is a middle-of-the pack performer,” says Jake Olcott, vice-president at BitSight and former counsel to the House of Representatives Homeland Security Committee.

While BitSight has not done a formal study on the security posture of the legal industry, the company says it actively tracks the security performance of organizations across 22 industries using a global network of sensors. The goal is to give enterprises information to benchmark their security status against averages for their industry.

What the data shows is that little has changed in aggregate for law firms since BitSight last reviewed the industry’s security effectiveness a year ago. “Many of these companies are still vulnerable to high profile vulnerabilities,” Olcott says.

For example, in a random sample of 30 large law firms with over 500 attorneys each, BitSight says it found 97% still running services that are vulnerable to the Poodle SSL flaw first reported in October 2014. About 57% had services that were vulnerable to the Freak OpenSSL issue from last year and 100% were running services that were open to the LogJam encryption flaw.
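The three weaknesses the BitSight sample turned up (POODLE, FREAK and Logjam) are all server-side TLS configuration problems, so a defender can audit for them without running a scanner. The block below is an added example, my code rather than anything from the article or from BitSight, that reads an nginx TLS server block offline and flags SSLv3 still being offered (POODLE), export cipher suites reachable through the cipher string (FREAK), and a Diffie-Hellman group shorter than 2048 bits (Logjam). The two nginx snippets and the DH parameter blob are constructed for the demo; the DH modulus is a placeholder number, not a real safe prime, and the cipher-string check is a conservative heuristic rather than a full OpenSSL cipher-list evaluation.

```python
"""Offline audit of an nginx TLS server block for SSLv3 (POODLE), export
cipher suites (FREAK) and short DH groups (Logjam). Added example; the sample
configs and DH parameters are constructed, not taken from any real host."""
import base64
import re
from typing import Optional

# --- constructed sample input: a weak and a hardened nginx server block -----
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ALL:!aNULL:!eNULL';
    ssl_dhparam /etc/nginx/dhparam.pem;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_dhparam /etc/nginx/dhparam.pem;
}
"""


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def make_dh_params_pem(prime_bits: int) -> str:
    """Build a PKCS#3 'DH PARAMETERS' PEM whose modulus has prime_bits bits.
    The modulus is a placeholder (NOT a real safe prime); it only gives the
    parser below realistic bytes to read without touching a real server."""
    p = (1 << (prime_bits - 1)) | 1
    g = 2

    def der_int(n: int) -> bytes:
        body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
        return b"\x02" + _der_len(len(body)) + body

    seq_body = der_int(p) + der_int(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def dh_prime_bits(pem_text: str) -> int:
    """Bit length of the modulus p in a 'DH PARAMETERS' PEM.
    Minimal DER walk over SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)

    def read_len(pos: int):
        first = der[pos]
        if first < 0x80:
            return first, pos + 1
        n = first & 0x7F
        return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = read_len(1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, pos = read_len(pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()


DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers|ssl_dhparam)\s+(.*?)\s*;", re.M)


def parse_tls_directives(nginx_conf: str) -> dict:
    """Pick the TLS-relevant directives out of an nginx server block."""
    return {m.group(1): m.group(2).strip("'\"") for m in DIRECTIVE.finditer(nginx_conf)}


def export_ciphers_allowed(cipher_string: str) -> bool:
    """Conservative heuristic over an OpenSSL cipher list: export suites are
    treated as reachable if an EXP*/EXPORT* token is selected, or if ALL or
    DEFAULT is selected without an explicit !EXPORT (older OpenSSL builds kept
    export suites in DEFAULT). Real evaluation is order-sensitive; this errs
    on the side of flagging."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    negated = {t[1:].upper() for t in tokens if t.startswith("!")}
    positive = {t.lstrip("+").upper() for t in tokens if t[0] not in "!-"}
    if any(t.startswith("EXP") for t in positive):
        return True
    excludes_export = any(n.startswith("EXP") for n in negated)
    return bool(positive & {"ALL", "DEFAULT"}) and not excludes_export


def check_tls_config(nginx_conf: str, dhparam_pem: Optional[str] = None) -> dict:
    """Map each weakness to True (exposed), False (not exposed) or None
    (cannot tell from the config alone, e.g. no DH parameters supplied)."""
    d = parse_tls_directives(nginx_conf)
    protocols = d.get("ssl_protocols", "").split()
    ciphers = d.get("ssl_ciphers", "HIGH:!aNULL:!MD5")  # nginx's documented default
    findings = {
        "POODLE": "SSLv3" in protocols,
        "FREAK": export_ciphers_allowed(ciphers),
        "Logjam": None,
    }
    if dhparam_pem is not None:
        findings["Logjam"] = dh_prime_bits(dhparam_pem) < 2048
    return findings


if __name__ == "__main__":
    for name, conf, bits in (("weak", WEAK_CONF, 1024), ("hardened", HARDENED_CONF, 2048)):
        print(name, check_tls_config(conf, make_dh_params_pem(bits)))
```

In practice you would pass the contents of the file named by `ssl_dhparam` as `dhparam_pem`; the weak block reports all three exposures and the hardened block none, which is the remediation the survey numbers imply: drop SSLv3, pin an explicit modern cipher list, and generate at least a 2048-bit DH group.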


“Law firms,” says Olcott, “face many of the same challenges as other organizations in protecting their sensitive data.”

He points to a recent study of the legal industry’s information security assessment practices, which showed that 90% of law firms had five or fewer employees dedicated to information security. Seventy-six percent had information security budgets of less than $100,000 per year.

At the same time, they present a popular target for hackers because of the sensitive information on clients that they possess. “Law firms are a key third party for many organizations,” Olcott says.

In addition to holding personally identifiable information, they often also have other highly sensitive data pertaining to things like current litigation, evidence in legal proceedings, and potentially sensitive information on company directors and officers, he says.

The value of the data stored by many law firms and the relative lack of controls for protecting it present an opportunity for cybercriminals. According to a report by the American Bar Association last September, 25% of law firms with at least 100 attorneys are data breach victims. Yet 47% of the law firms surveyed for the report said they had no incident response plans, while 58% of respondents in large firms said they had no chief information security officer to head the security effort.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
kwestby
User Rank: Author
4/14/2016 | 2:16:08 PM
Tip of the iceberg
I agree completely with your article's message. Having some first-hand experience, the vulnerability profile is much higher and risk controls even less mature than you characterize. BitSight is only aggregating external vulnerability, bot and malware intel. The legal industry has a generally light external footprint, but a very large information-sharing profile that is non-public. This is where you see the lack of focus on IT security or regulatory oversight, highlighting an industry at risk for many more breaches.
cyberpink
User Rank: Strategist
4/13/2016 | 9:32:47 AM
"Here's your sign" Moment
Thanks for giving us the here's your sign moment. I really enjoy your articles, but this one just laid it out there for law firms. Great job.