Strengthening The ‘Soft Underbelly’ Of Cybersecurity (Part I)

Attack simulations, physical security, social engineering, and open source intelligence assessments can help law firms learn and self-correct before a real hacker gets through first.

Ed. note: This is Part One of a two-part series on how law firms can address critical vulnerabilities in their security posture.  Part One will focus on setting the stage for an external expert assessment and use a case study to examine physical security issues law firms should be examining.  Part Two will continue with the case study by addressing assessment techniques including attack simulations, social engineering, and open source intelligence review.

Law firms face cyber threats from sophisticated attackers including nation-state and criminal syndicates who target them for their corporate IP, sensitive information, and access. Companies increasingly need partners who can assist with sophisticated security issues while providing a defense-in-depth strategy and 360-degree view of the firm’s security posture, whether physical or digital.

The benefits of this proactive approach to security are twofold. First, the process itself: engaging in a holistic and interactive learning exercise with a trusted security advisor helps promote buy-in from stakeholders and educates the law firm's security team. This interaction teaches both defensive and offensive techniques and processes that are repeatable, immediately implementable, and reflect actual tactics employed by adversaries.  Second, the findings themselves provide a viable business impact analysis, giving all stakeholders both a business impact view and an unfettered view of the firm's exposure. This helps bolster the security posture of critical assets in the law firm's environment.  Spoiler alert: as with everything in life, there is always room for improvement.

Case Study of a Law Firm Security Audit

Law Firm X (X), with global offices in 10 locations, is concerned about its security posture.  There have been a few close calls where the potential for client data leakage, financial theft, or compromise of critical assets was almost realized.  Also, in the past six months, there has been significant movement within the firm's partners and board.  The executive management committee is asking its head of (information) security (CISO X): is the security enough?

CISO X has reassured the firm's stakeholders that it has a top-notch security team dedicated to tackling the firm's security issues head-on.  However, to get more certainty about the firm's security posture, CISO X has engaged an experienced and reputable Cyber Firm Y (Y) to identify and prioritize critical, systemic, and unknown vulnerabilities within the firm's applications, network, security technologies, practices, and human resources. Often there is a wide gap between the known tactics, techniques, and procedures of current threat actors and the known risks and protective mechanisms that defenders rely on.

The CISO uses the security firm over a series of weeks to perform attack simulations, physical security testing, social engineering, and application security testing.  These services aren't cheap, and X already has a top-notch information technology and security team in-house that handles security issues.  So why is all this necessary, and what does it really accomplish?  Let's dig in.

How Physical Security Assessments Help

Typically, physical security assessments are performed to accomplish one of two goals. One, to get buy-in and understanding from the top down about how easily an adversary can compromise almost any physical security. Or two, to accurately evaluate the gaps in the defense-in-depth security strategy being relied upon to protect against and mitigate these risks. To paint an accurate picture of X's ability to withstand a real-world physical breach, a physical security assessment will focus on breaching its physical facilities, evading physical security, compromising personnel, abusing current processes, and assessing or countering in-house security teams (also known as "blue teams").  These physical engagements will provide CISO X with a realistic evaluation of the firm's actual security maturity, not only technologically but also operationally and culturally. After all, law firms organically allow all manner of clients, vendors, and deliveries in without prejudice as to their actual intent.

Physical assessments provide visibility into the various risks posed by a would-be attacker with physical access to, or within wireless range of, X's locations. Companies conducting physical assessments (also known as "red teams") should use current tactics, techniques, and procedures (TTPs) from today's most sophisticated physical attacks to accurately reflect real-world vulnerabilities and plausible scenarios. Often these TTPs are not thought of or accounted for, such as:

  • Bypass mechanisms for physical security (exterior gates, fences, perimeter and interior camera systems, etc.).
  • Manipulation of access management systems and the logging/monitoring of staff/tenants/visitors.
  • On-site power generation disruption.
  • Business continuity provisions and standards, including failover/failback standards and SLA specifications for uptime, and the abuse of the derivative plans that depend on them.
  • Abuse of environmental infrastructure (heat/air conditioning/water).
  • Security provisions for utility access points and the misuse of such access.
  • How are power, technology/network, and security teams organized?  What are the credentials/backgrounds of the teams?  How are they vetted?  Do they maintain a 24/7 presence on site?
  • Equipment/delivery receiving and its abuse.
  • Monitoring and logging of access to server cages, and the possibilities for bypassing them.

Goals of a typical assessment may include:

  • Gain general access to a facility that should be off-limits to non-employees.
  • Gain access to sensitive areas within a facility.
  • Gain an initial foothold on the computer network that will enable future remote access:
    • Access to the wired network via a firm computer, cabling, network appliance, etc.
    • Access to the wireless network.
  • Demonstrate the ability to retrieve sensitive or proprietary equipment.
  • Obtain sensitive information, credentials, or access that could further a future attack.

Tradecraft Employed During the Physical Assessment

Initial Surveillance

Using open-source research and visits to the target facilities, Y's red team performs its initial surveillance in order to accomplish the following:

  • Identify physical protections and procedures at the facility.
  • Monitor nearby locations for facility personnel to measure operational security (OPSEC) weaknesses that lead to disclosure of information (e.g., badge pictures).
  • Observe personnel at the facility to gather information about patterns of life, security procedures, and employee characteristics.
  • Obtain information digitally (badge cloning) or physically (photographs) about access controls (badging systems) for later access and/or impersonation.
  • Interact with employees at the facility, including employees in outdoor areas, lobby personnel, and those commuting to/from work.
  • Explore the facility to map all locations and discover sensitive areas.
  • Identify entry/exit points.
  • Identify security personnel and their surveillance patterns.
  • Identify CCTV coverage, or lack thereof.

Badge Cloning and Facility Entry

Employee badges are the keys to the kingdom.  Surprisingly, they are typically not difficult to clone, impersonate, or copy.  Y can use cloning devices to capture badge data from a badge belonging to an employee. If Y succeeds in creating a cloned badge, it can be used to access the facility. Without a badge, social engineering techniques such as tailgating (walking closely behind a badged employee) can be used to access the target facility without the required credentials.

If access is gained, Y's operators will search for a means to access the corporate network and enable long-term remote access by deploying a device (aka a "leave-behind device" or "dropbox") that gets plugged into the target network.  Alternatively, Y can also attempt to gain access to any Wi-Fi networks located at the facility by capturing key exchanges and brute-forcing keys.  Once connected through the internet or a bridged out-of-band backup link such as a cellular connection, this dropbox provides Y with remote access to X's network.

With physical, wireless, and hardwired network access, plus the internal knowledge obtained, Y's operators are now wholly embedded within X's environment.  It's worth noting here that engagements like this occur with the express consent of X.  In fact, Y will require a letter of authorization signed by a C-level executive of X to present as a "get out of jail free" card if its operators are caught in the proverbial act.  X's security team can be "in" on the assessment, or only certain members of X's security team can be made aware of these exploits, to truly test the security team's response capabilities as well as its processes and procedures.  The decision of who participates is up to X, based on the ultimate goal or objectives of the assessment.

In Part Two, we'll explore how external security assessments can help law firms understand other types of vulnerabilities beyond their physical posture — from executives to apps to simulating an attack on the network itself — and there is a lot of "tradecraft" to get into, so stay tuned.

Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm.  She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years.  You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.