Anyone unsure about the importance of IT security in law firms would have been convinced by a panel discussion titled “Believe It or Not, You’ve Been Hacked,” which recently drew a standing-room-only crowd of about 150 at the International Legal Technology Association’s annual conference in National Harbor, Md.

“Increasingly we’re seeing our clients with more and more security questions. … We have to take a stand that we demand secure software,” said panelist Jim Fortmuller, security manager at Kelley Drye & Warren.

Fortmuller explained several law firm IT weaknesses, with further details provided by Mike Tohivsky, a consultant at EMC Corp.’s RSA security division.

“Management is one of the toys being fooled with. They have difficulty understanding the threats of the landscape,” Fortmuller said. “Security breaches are inevitable. Whether it’s a small compromise or a massive intrusion, we want to be armed and prepared.” RSA itself has seen its systems hacked, he and Tohivsky noted.

Fortmuller cited a variety of specific weaknesses:

• Hackers usually work on weekends, because they know corporate security staff typically work on weekdays.

• Security staff need to log all occasions when their teams use network analysis applications — to ensure that someone else isn’t running the software to find the firm’s vulnerabilities.

• Cybercrooks are known to act when large companies acquire smaller ones, leading to potential network incompatibilities between the entities that can be exploited.

• Network managers should monitor outbound data, not just inbound data, to see if robotic software is secretly installed and sending messages to a home base. Application whitelisting is helpful, as is frequent analysis of which employees and applications may unnecessarily have network administrator privileges. “If one of your vendors says their software needs domain administration accounts, show them the door as soon as possible,” Fortmuller said.

• It’s vital to update all software as soon as the updates are available — not just some software, some of the time. “With the ability of the attackers to use this stuff against us, we’re dumb if we’re not patching this stuff in a week. But that’s for you and your firm to decide,” he added.
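
The outbound-monitoring point above can be expressed as a simple check. The following is an added example, not code from the panel or the article: it groups egress records by source and destination, flags pairs that connect at near-constant intervals (the pattern of software calling a home base), and reports what share of that traffic fell on a weekend. The log format, host names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def make_sample_log():
    """Constructed egress records: 'ISO-time src_host dst_host bytes_out' (assumed format)."""
    lines = []
    sat = datetime(2024, 1, 6, 2, 0, 0)   # a Saturday
    # ws-17 calls the same host about every 300 s with small jitter (beacon-like).
    for i, jitter in enumerate([0, 3, -2, 1, 0, -1, 2, 0]):
        t = sat + timedelta(seconds=300 * i + jitter)
        lines.append(f"{t.isoformat()} ws-17 cdn.example.net 412")
    mon = datetime(2024, 1, 8, 9, 0, 0)   # a Monday
    # ws-22 browses at irregular times (human-like).
    for off in [0, 40, 55, 900, 2400, 2460, 7000, 9100]:
        t = mon + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} ws-22 news.example.org 20480")
    return lines

def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (src, dst) pairs whose outbound connections recur at near-constant intervals."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, _bytes_out = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    findings = []
    for (src, dst), times in seen.items():
        if len(times) < min_events:
            continue                      # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg           # coefficient of variation: low means regular
        if cv <= max_cv:
            weekend = sum(t.weekday() >= 5 for t in times) / len(times)
            findings.append({"src": src, "dst": dst, "period_s": round(avg),
                             "cv": round(cv, 3), "weekend_share": weekend})
    return findings

if __name__ == "__main__":
    for f in find_beacons(make_sample_log()):
        print(f)
```

Legitimate software such as update checkers also connects on a timer, so a hit is a lead for review against the firm's list of approved applications, not proof of compromise.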

It’s hard work, Fortmuller noted, so firms should have dedicated IT security staff, not pile the job atop overworked IT staffers in other roles. “Is this technical? Yes, but we’re supposed to be technical,” he observed. Clients won’t have sympathy when their data is at risk, he noted.

Fortmuller and Tohivsky recommended that law firms follow the SANS Top 20 advice. (SANS is a popular security information clearinghouse.) A recent security document from the International Legal Technology Standards Organization is also helpful, they said, as are the widely respected Australian Defence Signals Directorate publications.

Even when your legal professionals do everything right, things can still go wrong. “My attorneys have been hacked clicking on a legitimate site,” because the site itself had been hacked, unknown to its owners, the staff security expert of a 400-attorney firm in the U.S. Southwest told Law Technology News.

The expert, who asked not to be identified, also lamented that many legal technology applications are still not using modern methods for the popular network authentication protocol known as Kerberos.

Of the panel itself, “I thought a lot of what they said was very right on,” said Adam Carlson, who recently founded SecurityBlawg.com and an associated LinkedIn group.

Evan Koblentz writes for Law Technology News, a Daily Report affiliate.