Security Audits

An outline of what in-house counsel should know about cyber-security in general, with links to checklists and more information about cyber-security audits.

“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”

– Kevin Mitnick

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

– Bruce Schneier

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”

– Chris Pirillo

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

— Richard Clarke

Security is hard. More often than not, the enemy has time, and they only need to be right once. As with many technologies, networks computers have vulnerabilities commiserate with their benefits. As the quotes above suggest, no single tool will suffice. Rather, a comprehensive strategy is warranted. Accordingly, this outline is a “quick-start” guide to inform in-house counsel (and their outside counsel) on what they should know about cyber-security.

1. Introduction to Cyber-Security Audits

a. Organizations That Can Help

SANS is probably one of the first places that you should go to start developing your own cyber-security audit procedures. From their website, “[t]he SANS Institute was established in 1989 as a cooperative research and education organization.” They run a series of seminars on security topics periodically at various cities in the U.S. They also have a web page that is a good launching point with checklists and step-by-step guides. While not geared to attorneys, the are quite helpful to inform attorneys about what their experts should know. The National Institute of Standards and Technology also has some helpful information, including their "Cybersecurity Framework". NIST's cybersecurity framework has five aspects: identification, protection, detection, response and recovery. The latter aspect has its own paper: Guide for Cybersecurity Event Recovery.

Harvard has a good introduction on the subject, and also lists government organizations involved in cyber-security. Aside from federal agencies, many states have helpful tips for companies and law firms. For example, the State of Utah has a simple checklist for cyber-security controls.

There is an international standard for information security management, namely ISO IEC 17799 2005, which is entitled the "Code of Practice for Information Security Management." ISO IEC 17799 2005 is a widely accepted standard that is used worldwide. ISO IEC 17799 2005 is published by the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC), and can be obtained at the Standards Store. SANS has devised a handy (43-page) checklist based on the 17799 standard.

There is also the CIS Critical Security Controls, which are a consensus of audit guidelines for preventing many attacks on your computer systems. A non-governmental, non-profit organization called the U.S. Cyber Consequences Unit published a Cyber-Security Checklist in 2007.

b. Topics and Links

cyber-security encompasses a wide variety of topics, each of which is important to a comprehensive cyber-security program and its attendant audit. Below is a list of topics with links to various resources.

  • Physical Security - While locked doors may seem urbane and de rigor, this is an often overlooked topic at law firms. Physical security encompasses more than the security of the devices that can connect to your data. Physical security also includes the physical safety of the facility. Physical security is an essential element of any comprehensive system security plan.
  • Social Engineering - Getting your employees to divulge key secrets) or enabling the cleaning person to read passwords from Post-It notes glued to monitors. Here is a short video that describes social engineering:
    Download Video as MP4
    Download Video as MP4
  • Disaster Preparedness - For many cyber-criminals, a disaster is an opportunity not to be missed. In the frantic effort to get back online (and back in business), companies and law firms often overlook the cyber-security risks. Fortunately, there are some guidelines on how to handle this problem.
  • Wireless Network Access - Google has several good (short) videos on wireless network security, both on and off premises.
    Download Video as MP4
    Download Video as MP4
  • Handheld Devices - The Federal Communications Commission has a smartphone security checker (and checklist) that covers multiple mobile operating systems (Andriod, Apple iOS, Blackberry and Windows).
  • Firewalls - This is generally a problem for smaller law firms. Firewalls can seem complicated, and some vendors charge a fortune for them. Consequently, some small firms rely on the firewall in the cable/DSL modem (which is meant to protect the ISP from them). Cost, however, should not be an excuse. There are many fine Linux firewalls that are free and easy to set up. Moreover, most of them come with the ability to handle virtual private networks, which is a big boost to security. If money is not an issue, there are vendors who sell pre-configured devices that can handle this problem.
  • Operating Systems (Windows, Mac OS X, Linux) - All PC's and servers use the operating system as the core component of a functional system. Operating systems sometimes have default settings that create or exacerbate vulnerabilities. All operating systems can be "hardened" to reduce or eliminate security vulnerabilities. Note, however, that many IT security professionals make a distinction between hardening the design of the operating system versus the configuration (settings) of the operating system. While a good design may play a part in the choice of operating system, most law firms have to address the settings of an existing operating system so as to minimize vulnerabilities. The specific settings for securing your operating system depend on the particular flavor that you're using (e.g., Windows 7/8/10, OS 10.x, Linux (Debian, Ubuntu, RedHat, CentOS), etc.). Once the proper settings have been made, the next most important thing to do is to apply the security updates and packages on a regular basis (preferably daily). Consequently, any cyber-security audit must check for proper operating system settings and security update settings.
  • Web Browsers - Browsers are another major source of security problems. A technology called "cross-site scripting" ("XSS") uses features common to all browsers in order to breach the security of a personal computer or smartphone, which in turn is used to breach the security of a company or law firm. There are plenty of articles on the Web for teaching you how to implement an XSS as well as ways to thwart them. Clicking on ads are a common way to install malware on your PC. Most browsers have add-ons that suppress ads (and thus eliminate that particular threat).
  • Rootkits and other Malware - Malware is software that is designed to circumvent security settings or provisions on devices such as personal computers, smartphones and tablets. Malware is normally distinguished from "adware," the latter of which, while annoying and unwanted, is simply a nuisance (although some adware can be malicious). Malware, on the other hand, is almost always harmful. Viruses, worms, trojans, backdoors, spyware and rootkits are all types of malware. Today, most types of malware evade detection. For that reason, rootkits and other types of malware are useful for corporate espionage and identity theft. Virus checkers, while useful, cannot detect malware that is specifically designed for a particular victim organization, and require different types of software (such as honeypots and network scanners) to detect their presence on a network.
  • Web Applications - Web applications often include a set of independent software applications that are used to perform one or more functions on the "Cloud" and are most commonly accessed via a web browser. Security audits for specific web applications require tailoring for the application in question. SANS has a Web Application Security Checklist that is a good starting place to determine what to check for. Some checklists are specific to an application. For example, Cloudera has a Security Hardening Checklist that is focused on Hadoop. Most server-based software applications have their own security tips for hardening their respective applications. Examples include the Apache web server, the MySQL database server and the PHP scripting language.
  • Penetration Testing - Penetration testing is the act of attacking your own website in order to find vulnerabilities before the criminals do. There are many software applications that are available for penetration testing. Some, like Wireshark focus on wireless networks, while others like Metaspolit focus on websites. Here is a list of 37 penetration tools. Note, tools like Metasploit and Nessus are used by security professionals (and criminals) to stress and test a network. Sometimes, the penetration testing can crash a server or other elements of a network. Because of the risks involved, security professionals who possess credentials by organizations such as ISACA, must adhere to a code of ethics (that criminals do not).