Blog — Feb 02, 2018

Second ABA cybersecurity handbook reflects the need for greater awareness

As 2017 came to a close, the American Bar Association opened the next chapter in cybersecurity awareness with the release of the second edition of its ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals. The new edition comes nearly five years since the first edition made its rounds.

Following the 2012 formation of the ABA Cybersecurity Legal Task Force, the first edition of the handbook was a brave move to enlighten both attorneys and law firms to cyber risk, and the evolving interpretation of professional obligations to protect clients’ confidentiality as the playing field moved from physical records to easily pilfered electronic documents. At the time, the FBI advised law firms about shoring up cyber defenses, as criminals considered law firms “the soft underbelly of American cyber security.”

At the time, I was working with law firms to expose the risks associated with the types of information they controlled. Of course, five years ago, most public coverage circled around major banks, based on the Willie Sutton quote about robbing banks “because that’s where the money is.” At the time, several financial regulators were swinging their “Eye of Sauron” toward the elements of their sector they deemed most vulnerable. As a result, we’ve seen half a decade of cyber sweeps, recommendations, and requirements through the Securities and Exchange Commission (SEC) and other financial regulators.

A lot has happened in five years. I’ve grown from my early experiences at LegalTech, where, as one of three security vendors, I was lost in a sea of document management and sexy e-discovery vendors. The legal community has come under fire, been the victim of a multitude of public attacks, and learned its lessons the hard way. And the second edition of the ABA Cybersecurity Handbook reflects a more seasoned approach to cybersecurity and client obligations. Jill D. Rhodes reprised her role as editor and was joined by Robert S. Litt.

The handbook is organized into four major sections: 1) cybersecurity background information; 2) an overview of legal and ethical obligations; 3) specific considerations of different legal practices; and 4) incident response and cyber insurance. The book is a must-read for attorneys, but also senior level security personnel in law firms, or those officers responsible for risk and compliance oversight. In fact, it provides a deep dive into the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight that frames out the fiduciary responsibilities of board and executive officers. The reality is that it’s not just about protecting your reputation or your client’s information. Today, the stakes are much higher and the damage associated with cybercrime is far reaching with a high risk of material damage to the affected business.

The ABA Cybersecurity Handbook contains noticeable depth and exploration of cybersecurity risks, drawing from a plethora of anecdotes, findings, and post-breach outcomes with which to frame the risks facing law firms. The exploration of threats, such as social engineering, ransomware, and business email compromise (BEC) demonstrates that both sophisticated and non-technical attacks continue to plague law firms (as they do across most industries). Data from eSentire’s security operations center (SOC) shows two significant trends.

The first trend is that over five years, law firms have improved their cybersecurity hygiene and practices, which has reduced the overall number of successful attacks and even eliminated much of the background-radiation type of threat. In fact, in 2017, law firms saw up to 10% fewer of these attacks compared to businesses in finance, healthcare, energy and other sectors.

Unfortunately, law firms saw over 30% more malicious code attacks, which aligns with other industries that have strong cybersecurity practices, such as financial institutions. So, what does this mean? As an industry, the majority of unsophisticated criminals give up and look for easier prey, but that leaves us with the talented criminals who continue to prowl for valuable confidential information.

The handbook also explores how to address these threats and considers the risks associated with the critical technologies that now pervade law firms. The book provides greater depth around regulatory requirements and international legislation and explores when and how counsel should initiate a conversation with the client about cybersecurity (let’s hope most are proactive and not reactive, in the event of a breach). More often than not, the client initiates the conversation based on the nature of their business, the sensitivity to reputational or intellectual damage, or presence of a regulator in their market.

Those who have heard me speak on this topic know the client is the new regulator. And for those who haven’t, I’m certain you shudder at the words “cybersecurity due diligence.” This information forms the basis from which attorneys, administrators, and clients must consider inherent risks, eliminating some, mitigating others, and accepting the risks that cannot be removed. At a minimum, this information serves to establish a level of protocol across the law firm, no matter an individual’s role.

The second key trend explored in several chapters of the second edition reveals the specific sensitivity of the varying, yet potentially damaging information controlled in different types of practices. And this is the critical message: No matter your practice, you still have unparalleled access to critical, potentially business altering, client information. Law firms are privy to myriad confidential information that can be used to front run trades, evade prosecution, or perhaps topple governments (at least select politicians).

Last year’s attack on Wall Street law firms Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP demonstrated how stolen information, such as FDA filings and press releases, could be used to front run trades. The Paradise Papers represents the next evolution of the Panama Papers. Even tax law information can be monetized or weaponized by (self-proclaimed) ethical hackers. Even an off-the-radar law firm in a tropical paradise could house the type of information that can destabilize a government or ruin the career of elitist politicians and socialites. It’s a privilege to be exposed to the fuel that drives our economy, but it’s also a responsibility. No one practice is the same. And the specific nature of your firm should be taken into consideration when developing a risk assessment that will serve as the compass used to map out your cybersecurity programs.

Of course, the type of practice is one element that helps frame a sound cybersecurity practice, but the size of the firm often sets the budgetary tone. A small law firm cannot afford the security technologies and practices adopted by its larger peers. And it’s not unreasonable to think that the standards to which a large law firm is held are not the same as those that a small firm can manage. There is no one-size-fits-all when it comes to establishing standards of reasonable care. To this end, the second edition offers guidelines for both large law firms and “the little guy.”

Ransomware doesn’t discriminate by size of firm. It just locks files and demands payment. All too often, smaller firms have no backup mechanisms in place and fall victim to such extortion, whereas larger firms use multi-level backup services to weather these kinds of attacks. The book contains a resource-right-sized approach with a 12-point checklist that smaller firms can use to build a simplified cybersecurity program.

For larger firms, the recommendations are more strenuous and strike a tone of requirement rather than “nice-to-have” or “try-your-best.” The recommendations are aligned to industry best practices and reflect the core tenets of other security frameworks, such as NIST and HIPAA for healthcare firms. This section of the handbook is light on practice guidelines and on establishing “must-haves,” as opposed to the more aspirational goals of a cybersecurity program. And like NIST, such a program should start with an analysis of its current state to determine the gaps that need closing to reach the desired state.

This is where related organizations, such as ILTA, could do more to publish these sorts of findings and help build a subjective standard of care, as in “this is what most firms of similar size are doing.” The recommendations also include guidelines such as, “firms should log and monitor network access and deploy data loss prevention tools to monitor where data is going and to flag or block unusual file transfers.” Such guidelines are high-level and, to some degree, outdated. That is not to say firms should not employ logging or data loss prevention systems, but the guidance ignores the cost and complexity of such systems. And it does not include other systems, such as endpoint protection and real-time detection and response services, that are growing in adoption. Nonetheless, this second edition takes many good steps forward in its thoroughness and recommendations. For more details, I would refer to the aforementioned NIST and HIPAA frameworks, which provide greater detail.

The second edition of the ABA Cybersecurity Handbook is a must-read and should have a place on the desks of every attorney and every firm’s cybersecurity leaders. The book does an excellent job of outlining what to do to improve firm and attorney cybersecurity practices. With that said, the one future improvement I would like to see is for the ABA to suggest the how. That is, a framework that is tailored to law firms, with specific critical, important, and “nice-to-have” services based on firm size. The point here is not to be prescriptive for the sake of control. It’s more about setting a collective industry bar (pardon the pun) that establishes a standard of care to which all firms can aspire, to better protect their reputation and clients.

This article originally appeared on Law Journal Newsletters.

eSentire