What exactly are security assessments and penetration tests? What’s the difference? Do you actually need to have these done in your law firm? Discovering vulnerabilities and taking steps to keep sensitive data secure should be highly important to all lawyers, and doing so may be simpler than you thought. The Digital Detectives hosts John Simek and Sharon Nelson discuss the elements of these evaluations, break down costs, and share what lawyers should do to ensure their firm’s security.
Special thanks to our sponsor PInow.
2021 Update: Security Assessment and Penetration Testing for Law Firms
Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon Nelson: Welcome to the 122nd edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics cyber security and information technology firm in Fairfax, Virginia.
John Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today, on Digital Detectives, our topic is 2021 Update Security Assessments and Penetration Testing for Law Firms.
Sharon Nelson: Before we get started, I’d like to thank our sponsor pinow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John Simek: Today, Sharon and I are going it alone. Unfortunately, our scheduled guest is unwell, but hopefully, will join us next month. In the meantime, the show must go on.
Sharon Nelson: Absolutely, John. And we started this discussion we’re having today as a topic a few months ago, but we realized after the solar wind breach that this topic has gotten white hot and there’s a lot more to say. So, let’s start something we didn’t ever talk about before was let’s start with the ethics rules that compel lawyers to monitor their cyber security. While there may be other rules that have some impact on cyber security like the rules of communication with a client especially after a data breach and supervisory rules to make sure others in the firm or vendors whatever maintain security, the two major rules that are always cited are rule 1.1 competence and rule 1.6 confidentiality. It all comes down to a standard of being reasonable.
What is reasonable for law firms will depend in part on such things as their size and the sensitivity of the data they hold, but even a solo practitioner who is what’s known as a big solo, because he or she has one huge client or a few major clients; that person may be held to a higher standard in spite of size. And no matter what the size, if your firm handles for examples mergers and acquisitions or some other kind of really sensitive matters, you are going to be held to a very high standard indeed. In terms of being competent, you can really understand the tech and the security policies needed to secure your data and that is oh, so rare among lawyers, you can endeavor to learn it, not much more commonly found or you can engage experts who understand cyber security, which is certainly what most lawyers do. It’s important to try to understand some reasonable amount of cyber security so that the lawyer knows something and is at least marginally competent, which is why I think so many lawyers really make a valiant effort to take at least one or two cyber security CLE each year. John, why don’t you describe what a cyber security assessment involves? I’m sure some listeners are not very familiar with them.
John Simek: Well, and they’re going to love the depends answer too. I guess, we could talk in generalities, but it’s essentially a method in which to review your current infrastructure and your implementation of your technology and assess any vulnerabilities that might exist there. So, it’s a combination of automated process, manual process; depending on the tools that you use. A lot of the tools that we use are pretty robust and therefore not cheap. But they gather a lot of data. Some of the items that we have to review maybe the firewalls or networking equipment or those types of things, maybe a manual review to an extent or a combination of the of the automated review and the manual review. And then you gather all of this data in order to assess what might not be right, right? Are you missing patches as an example, are there updates that are available, do you have a configuration setting that’s wrong and it’s just a matter of changing something. Things like that. That’s all part of that cyber security assessment. The scope of it though is going to vary depending on what the client really wants. Are you just testing the network infrastructure and the computers and the servers or do you need to drill down and test web-based applications as an example or database applications; those kinds of things.
Typically, they’re not part of that cyber security assessment. They’re held down more for the the other — the penetration testing; those kinds of things later on. But really, it’s more of establishing that baseline of where does your firm sit. I would certainly recommend that one of the things that all law firms do, all businesses even, is as a minimum aside from the cyber security assessment is to make sure that you’re assessing your passwords.
As you know Sharon, the biggest reason that a lot of data breaches are occurring is because of the password reuse. They’re either weak or we’re reusing them and it’s certainly fairly simple to go and assess what is your password strength, are they being stored correctly? Those kinds of things like that what’s the length of it. As far as cost goes, costs are pretty what I would consider pretty reasonable. I mean, several thousand dollars for a small firm to be able to do this cyber security assessment. Maybe up to 10 grand depending on the size of the — if you’re a little bit larger and have a lot more devices. Because remember, there is some manual effort that goes into it. It’s not just point and click on a piece of software, in a gooey and then out comes this report.
Sharon Nelson: And the report, it takes some time to prepare. So, the value for your dollar is pretty good I think too, don’t you John?
John Simek: Oh yeah. Yeah, it is. But you want to make sure that whoever’s doing this assessment that they’re not totally dependent on the software tools and then we see that as you know also in our forensics work that we do is people want to want to do this point and click stuff and let’s face it, cyber security is way cool today. Everybody wants to get involved in it.
Sharon Nelson: I would add too, John, that they should get a flat fee cost because this is something where people know if they’re in the game, they know after they’ve done a little bit of questioning, talking to you and a little bit about what you’ve got for technology, they know what they can do. So, that that flat fee is really important because you can budget for that.
John Simek: Yeah, and absolutely because it’s not and it’s something that you can in fact do the flat fee for and you should be doing a flat fee for your cyber security assessment.
Sharon Nelson: So, one of the things I tried to do this morning was to find, because I wanted some reliable data for the percentage of law firms that have done security assessments or pen tests, but after a good amount of research, I said, okay, this is not worth it. There is not reliable data here. So, the only the only credible survey I found was from 2019 which showed that 18%, only 18% of law firms at that time had done either an assessment or a pen test and I doubt it’s much higher now, especially since so much ground to a halt with the pandemic in spite of the meteoric rise of ransomware in 2020. So, I took again a look at the ABA 2020 legal technology survey report for some related data, because they had 21 questions focused on security and over 29% of law firms at that point had experienced a data breach. I always thought that that stat has been low in many many firms especially the large ones. Attorneys may never know that there has been a breach unless it becomes public and of course many of them do not and then 34% of respondents had an incident response plan and that’s very — that seems very low to me. Unsurprisingly, 77% of respondents from firms of 100 or more attorneys said that they did have an IRP, which makes a lot of sense. The larger the firm the more likely you are to have a plan, because otherwise you’re going to be headless chickens if you have a breach and you have no plan.
So, let’s move to what the cyber security assessment report should contain, John.
John Simek: Well lawyers are going to love this because it’s a lot of paper. Well, paper. If it’s reduced to paper, it’s going to be hundreds and hundreds of pages. But what it should contain is really kind of the state of your facilities, what kind of critical vulnerabilities are there, what kind of other vulnerability; medium, low vulnerabilities. Not just what vulnerabilities you have, but what’s the fix, right? The assessment really doesn’t help you much if you say, hey, something’s broken, but you don’t tell somebody how to fix it and improve that. What your posture is. So, that’s one thing that it should contain. Potentially, as you’re going through the environment as well, there might be to documentation of screenshots of things whether it’s your password policy or things like that or your configuration of your routers or firewalls or stuff like that.
So, things that you can then highlight for the client to identify and say, see this value right here? You’ve got a zero here and you should have a one. Having a zero means this kind of thing. So, those are the basics of what that that report should be and the reason that it can be hundreds if not thousands of pages is because of the supporting documentation and that’s all that data that your software when you did your scans and those kinds of things that it collected, it’ll all be enumerated within that that report.
But as a minimum, you should have an executive summary open with an executive summary. Hit the highlights and that should only cover several paragraphs in a couple of pages, but give the high level as to okay, here’s kind of the state of the union. You’ve got three critical vulnerabilities, you should be able to fix those within 30 days or whatever it is or you’ve got a lot of things that you need to address and we expect that it might take you up to six months to fix all of these things. So, it’s to help the client understand how bad they really are or how good they are and what do they need to do or what do they need to invest not just in money but potentially in people in order to create a better more secure environment for them.
Sharon Nelson: Well as you know John, our company Sensei Enterprises provides managed IT services to more than 200 law firms and a lot of other kinds of entities as well, but I think it’s only something like two dozen of them that have done security assessments and only one has fairly recently agreed to a pen test. I actually don’t mind that there’s only that one because you and I lecture all the time and counsel our clients all the time to do the security assessment believing that pen testing is overkill for all but the firms that hold extremely sensitive data or the firms themselves are very large. But it’s extraordinary to me that we have such a hard time convincing folks to do a security assessment, which is far less expensive, takes less time and always always gives them important steps in those first few pages as you said; that they need to take to up their security.
I think in all of the time that we have done these kinds of security assessments, we have only found a single law firm that did not have critical vulnerabilities identified and that was a very well-run firm, high-tech law firm. But that’s the only one, right?
John Simek: I’m recalling exactly the firm that you’re talking about and I think that’s correct.
Sharon Nelson: I’m pretty sure because it really it startled me that there were none.
John Simek: That was a couple years ago too.
Sharon Nelson: Yes, it was. It was and of course you get terrific value for your money with these reports because as you said, there’s multiple pages that identify critical vulnerabilities, medium vulnerabilities and low vulnerabilities. Now, the critical ones, you got to fix those asap and yes, it might cost money, but they’re critical vulnerabilities. Medium, you can maybe more make a plan to address them as you can without simply forgetting about the mind you because they still exist and the lower vulnerabilities are less significant and maybe can wait. But remember too that not all vulnerabilities are expensive to fix. So, you could still do the low or no cost ones throughout all of the vulnerabilities potentially if it’s not a lot of cost or time. But it drives me crazy that some folks get the reports and then they take their own sweet time to do anything at all even with the hard evidence in hand that they are exposed. It is difficult to get buy-in who says go do it sometimes from firm leaders, which is as Mr. Spock might say, most illogical.
John Simek: Well, the other the other issue with that too though is that the longer you wait, the more vulnerabilities you’re going to have, because more things are found out.
pen testing Absolutely.
John Simek: Remember, it’s a point in time, it’s a snapshot and so if you drag your feet on fixing something besides the risk, right? Of you being exposed, something else might happen. Vulnerabilities and some other software that you’re using or some other equipment. There’s all kinds of things.
Sharon Nelson: Well, as you know, there’s no set it and forget in cyber security.
John Simek: Yep, yep. Well, before we move on to our next segment, let’s take a quick commercial break.
Midtro: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? Pinow.com is a one-of-a-kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology and have extensive experience in many types of investigation including workers compensation and surveillance. Find a pre-screened private investigator today. Visit www.pinow.com.
Sharon Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is 2021 Update Security Assessments and Penetration Testing for Law Firms John, let’s talk about penetration testing, which I think is more poorly understood than cyber security assessments. What does pen testing as it is more commonly called involve and what does it cost?
John Simek: Well, pen testing is basically you being attacked where the tester is acting as if they were hostile, whether they’re some sort of an attacker or a hacker; whatever label you want to put on them. It’s a lot more involved, it’s a lot more difficult. The skill set required is much higher in order to do pen testing. You’ve got various types of pen tests in that you can start on the inside of the network. It’s where you’ve had a lot of knowledge where the client says, here’s my IP addresses, here’s the names of my servers and my computers and here’s all the user names and IDs that are there and yadi yada. And so, you have all this knowledge up front that you can then go and try and what you’re trying to do is break something and act like an attacker would attack. Then there’s the other type of pen test, which is more difficult, more expensive, where you have no knowledge. The only thing that’s available to you is whatever’s publicly available; your website, those kinds of things or you can get certain information and then you come in from the outside and pass through, try to you know compromise the firewall and get inside the network and do those types of things. But from a cost perspective, it’s rather expensive. You’re looking at tens of thousands of dollars to start with these things and depending on your complexity and how much you want the pen tester to go after. As an example, maybe you would say just do my servers. I don’t want you to try to attack or penetrate any of the workstations. Well, that’s a small subset and therefore it’s going to be less expensive than if you said go after everything, right? Within the network and it’s application-wise too I mentioned before about vulnerabilities in web applications. But are you trying to break things that are hosted databases that are hosted for the client. You may not necessarily even, they may not necessarily host it. They might be using Cloud services. Well, now, you got a whole different game, right? If you’re going after salesforce data or some case management that’s in the Cloud, the provider of that case management service better know that you’re going to be attacking them as a penetration tester, because they’re going to see it as a hostile attack and then take appropriate physical and potentially legal action as well.
But again, depending on the scope and how many devices and what kind of scale you want the pen tester to get, how deep you want them to go into the stuff, tens of thousands even you know 100 plus grand again depending on the size of the firm. So, it’s not a cheap endeavor which is I think one of the reasons that you and I have always recommended. Let’s start with the base level security assessment first.
Sharon Nelson: And it may be enough.
John Simek: It might be enough. Yeah, and then, take a look at pen testing later on. But again, it depends. You talked earlier about the sensitivity of the data. If the data is very very sensitive, you may well want to consider pen testing, because it would be extremely damaging if that data ended up getting out as an example.
Sharon Nelson: Oh, absolutely. We find that very few people understand too much about the pen testing. They don’t know what red, blue and purple teams do in the pen testing world. Of course, in cyber security, everybody knows, but if you’re just a lawyer doing your job and family law, you’re not going to know about that. So, let me talk.
John Simek: It’s not the color of the sweatsuit they’re wearing either.
Sharon Nelson: Uh, no. Absolutely, it is not. So, a red team exists to attack and the blue is to defend. And the goal is to strengthen the firm’s security by learning from the combat between the two teams. Now, sometimes there’s a purple team which is set up to support the whole process. Most of the time, we have only seen red and blue teams. If you’re in a really mega organization or in a big law firm, you might see the purple. But the red team, that’s the one everybody wants to be on because that’s the sexy team. They’re the one who mounts the attack and hopefully has success and so everybody wants to be on the red team. But as many an expert has noted, what you really want is more defenders. That’s the part you really want to shore up. But a red team is it can be within the company, but typically, where we see it with law firms, they are independent of the company and they’re hired to covertly test the law firm’s defenses. And the team, the red team consists of one or more skilled ethical hackers whose objective is to identify and safely exploit vulnerabilities in the target’s cybersecurity or physical perimeters. And so by deploying real-world threats, the exercise is very realistic, the red team uses cutting edge hacking tools and techniques to infiltrate systems and even physical premises. They might write their own malware and devise new methodologies just like the real life hackers do.
They’re stealthy and they’ll do everything they can to avoid detection. In a red team engagement, anything goes. I mean, they could come into the reception area as a delivery person there to make a pickup directly from an attorney. You can lie. It’s fine. That’s all okay. That’s what red teams do. And as they pass through the office, they’ll insert a USB drive somewhere into a PC and score. They have just won. So, the red team’s objectives and duties include compromising security by stealing information, getting into the network or breaching physical perimeters, avoiding detection by the blue team of course and exploiting bugs and weaknesses in the target’s infrastructure and it could go on much more than that, but I want to be a little bit simple here.
The blue team is the company’s own cyber security personnel, which assumes of course, a larger organization because not everybody has cyber security personnel but certainly, they do in large law firms. The blue team is supposed to detect and stop the red team’s attack and really, the ultimate objective for that team is to enhance their skills by preparing them for the dangerous real-world attacks. So, they are supposed to understand every phase of incidents and respond appropriately, note suspicious traffic patterns and identify indicators of compromise, quickly shut down any form of compromise etcetera, etcetera. So, they review and analyze log data, they use security information and event management that’s called SIM platform for visibility and detection of live intrusions and triaging alarms in real time. So, if that’s not something that you’ve been accustomed to hearing about, SIM is all the rage these days. They gather new threat intelligence; they perform traffic and data flow analysis and then there’s that purple team which oversees and optimizes the red and blue team exercise. It’s typically comprised in a larger organization of security analysts or senior security personnel within the organization So, if the red team and the blue teams work well together and sometimes they don’t, there’s a lot of potential conflict here, but if they do work well together, the purple team and the need for it. The purple team may be redundant, so you can maybe dispense with them. We don’t see them very often, but then we don’t work at that mega level.
John, I may have started to talk when you wanted to. Was there something you wanted to say?
John Simek: Well, the red team’s generally as you say it’s outsiders that are doing it and people they want to be on a red team because of the ego, right? This is cool stuff and they’re not responsible for it, but it doesn’t do the law firm much good unless your goal is to shore up your defenses. You want to prevent that stuff. So, you need to make sure. And then the smaller firms, you’re not even going to have a blue team. Hopefully, what you have as a substitute is a managed service provider that has tools that are already installed and they have let’s say a remote SIM, so that any of these events are going to them so that they can analyze them and then take appropriate action on your behalf.
Sharon Nelson: Yeah. No, that’s true. That’s true. But as we were talking about before, John; pen testing sounds very cool and it is. When you go in there and you say I am so good, I am so cool. I am the man or I am the woman and you’re in. You got their data. It is very sexy, but if you had to judge the relative need for security assessments versus pen testing, what would you say to someone?
John Simek: Oh, hands down, security assessment. Forgo the pen testing, the costs and the bang for the buck just I don’t think are there for most firms unless again, you’re a larger firm, you’ve got sensitive data, but understand, that the caveat there; the client may require it.
Sharon Nelson: True. True. No, that is true.
John Simek: So, even though you’re a small firm or whatever it is, I mean, your particular client may say, you know what, I need you to do a pen test and I need you to do it every so often. Security assessments though is what as you know, we see those more often and we see clients requiring them of their law firms more often. Not the pen test, but the security assessment. So, they want to make sure that they have something that says before they entrust their data to the law firm, they know that they stand a pretty good chance of it being protected.
Sharon Nelson: Yeah, I think that’s true. So, what do you look for in a vendor that provides either of these services? Well, in one word, references. Make sure you get their references and reach out to them, reach out to your contacts at other firms to see who they’ve used and if they were happy. Cost counts of course, so you got to ask about that. You might research the company online.
A lot of these companies have reviews or ask for a template report with no identifiable information, confidential stuff on a pen test that they’ve done. If you have a preliminary no charge meeting, which I think is always a good idea, you can identify how comfortable you are with the folks who are going to be mounting an assault on your network and you really want to look at the paperwork you’re going to have to sign, waiving any liability on the part of the pen testing company because that will be true of pen testing, not so true with security assessments, but particularly pen testing.
John Simek: But another thing though that certainly you need to focus and concentrate on is what is the scope of the engagement? Are there any boundaries and rules that you can’t do? In other words, as an example, you cannot attack the network between the hours of midnight and 4:00 am or something. There should be some sort of criteria like that or you know all bets are off, 24/7 you can come at us.
Sharon Nelson: Yep, absolutely. I came up with one question, John, that I wanted to ask you because I know you’ve done a lot of research on the SolarWinds incident recently. Do you think that standard assessments or pen testing would have helped protect against SolarWinds? I’m thinking no, but you’re the expert.
John Simek: I’m thinking no as well. And for those folks that that have been sleeping under a rock recently and don’t know what SolarWinds is; that was a supply chain hack and SolarWinds is a in a nutshell, it’s essentially a network monitoring configuration and control tool that a lot of companies use. So, it sits inside your network and it manages and looks for things and then allows a central pane, a single pane of glass so that you can go and manage all of these disparate devices. What happened in the attack was that the SolarWinds software itself was compromised with a back door and they’ve since learned of other malware and other techniques that have been used there, but that tool which as a customer, if I’m a SolarWinds customer and I think there were about 18 000 of them that were impacted if my memory’s right. I’m trusting that software. I’m trusting it and I’m installing it in my network and I’m giving it admin credentials and things like that so that it can go and control things. That software was compromised. It was compromised in the build process that was undetected. We’re always telling people patch and update, right? Install the updates? Well, guess what, one of the SolarWind updates contain this back door.
Sharon Nelson: I guess there are good patches and bad patches.
John Simek: Well, nobody knew it. But I mean, it was really really ingenious. The SolarWinds attack has really set the cyber security world on its head and as more and more people have gone in and analyzed it, Microsoft and FireEye and some other big ones, CrowdStrike. Companies that have gone through and analyzed this attack, this supply chain attack and the methods that they used it’s just phenomenal. They’re going, oh, my god. Not only just how clever they were, but how patient they were. I mean, it was months and months and months that they worked on this in order to avoid detection. As an example, one of the things they did was as they compromised the network, you talked about logging earlier and the SIM being able to capture all the stuff? What did they do? They disabled event logging prior to them actually doing any hands-on keyboard kind of stuff and then when they were done, they re-enabled logging. So, unless you were looking at that stuff and saw this gap, you would have never known, right?
Sharon Nelson: Brilliant. Absolutely brilliant.
John Simek: Oh, yeah. And that’s just one example. I mean, there’s countless other things that they did, but unfortunately, you have to trust the tools that you’re installing in your systems and what you’re using and like SolarWinds in particular. It probably doesn’t surprise you. Remember the whole Zoom fiasco and all the security stuff and what’s the first thing that Zoom did? They went out there and they hired all these security experts and they created this team and they did all that stuff. Well, SolarWinds took that playbook from Zoom.
Sharon Nelson: Well, that can only mean good things for the future.
John Simek: Oh, yeah. They’ve done that. But to answer your question, that was a long-winded answer, but to answer your question, I don’t really think it would have helped much. What you really would have needed to have is something in place that’s watching activity and characteristics of certain traffic. But here’s the downside to that, once these guys get a foothold in there, they do the interrogation. They look to see what kind of tools you have and those are the ones they’re going to disable.
Sharon Nelson: Yeah.
John Simek: You become blind. Yeah.
Sharon Nelson: Yeah. It’s logical. Well, that was that was a fun discussion.
John Simek: But we’re at the end. So, that does it for this edition of Digital Detectives and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple podcast. And if you enjoyed our podcast, please rate us on Apple podcast.
Sharon Nelson: You can find out more about Sensei’s Digital Forensics Technology and Cyber Security Services at sensei ent.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.