Law is an interesting space for information security: the legal profession operates within a strict set of ethical guidelines, and lawyers are well aware that violating those guidelines may end their livelihood, so the risk of an attacker selling information to opposing counsel is negligible. At the same time, lawyers have a sworn duty of care for their client’s information, and opposing counsel isn’t the only party that may be interested in that information. Enter our client, an attorney who has recognized a need other attorneys have in preparing cases and has built a business around it. While the firm may be experts in case law, they know their limitations around information security, and they have seen the news as to what can happen to a firm that ignores information security risks.
SCALESOLOGY IN ACTION
The Scalesology Team met with the client to conduct a risk assessment. We identified the assets of value to the client, potential threat actors against them, the set of threats from the cross-product of these two, the risks based on the likelihood and impact of these threats, and finally the set of controls to address those risks.
As the firm had recently lost their part-time IT admin (a key-person risk that had already materialized), they were uncertain of the likelihood of many of the more technical components of the assessment – and even of some of their assets! As we already anticipated that a penetration test would be a likely control, we expanded the scope of work to include a penetration test to help inform the overall risk assessment, and set to work with reconnaissance, attack-surface determination, probing, and non-destructive attacks conducted first against their external and then against their internal infrastructure.
While the penetration test added about a week to the overall assessment, its results were illuminating. In particular, the firm had a number of virtual servers running internally that management knew nothing about, but which were actually key to a number of their applications. Additionally, the penetration test helped to establish that some of their key risks came from insiders. This informed the risk assessment and security strategy, so that the firm was able to focus on better internal controls, and the reports were helpful as they onboarded a new managed service provider.