Law Firm Security Architecture 101

by Joseph Raczynski

In a granular overview of the security procedures a law firm should have in place, Douglas Brush, Director ISG, Kraft Kennedy; Brad Bragg, CIO, Womble Carlyle; Scott Rolf, CIO, Tucker Ellis, LLP; and Tim Golden, Manager, Enterprise Architecture & IT Governance, McGuireWoods, discussed “Security Architecture 101” at the ILTA LegalSEC Summit 2015 in Baltimore, MD.


Looking at the foundation level of security, the panel used a security benchmarking guide to offer an overview of the top 20 critical security controls.  The SANS Top 20, since renamed the CIS Top 20 (the Critical Security Controls), sets out specific practices that organizations should follow to maintain a strong security baseline around their systems.


The emphasis of these controls falls on the classic trifecta in a firm: people, process and technology.  The details of the twenty security controls are very specific, so I have bulleted the primary points for each below.


CIS Top 20: Critical Security Controls and Firm Preparation:

#1 Inventory of Authorized and Unauthorized Devices

  • Know where all of your hardware is located
  • Assign responsibility to each group: Servers, computers, mobile devices
  • Control your release management: inventory each new piece of hardware and place controls on it as it is brought into service

#2 Inventory of Authorized and Unauthorized Software

  • This is much more difficult to control than #1
  • Each group within the firm is unique and creates its own challenges – think of the expectations of a partner versus an admin assistant
  • Forbid users from loading their own software
  • Use the technology Microsoft has in place to prevent unauthorized installations – think of those annoying but helpful User Account Control prompts
  • Develop a life cycle for your software up front and retire older software on schedule

#3 Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers

  • Test your “gold images” to make sure that all flaws are identified and the image is stable and secure before it is deployed
  • Use virtualization now!
  • Implement automatic patching
  • Keep a change log for each image you have created so you know what is in every build

#4 Continuous Vulnerability Assessment & Remediation

  • Not every patch is critical – stack-rank them so the ones that actually matter are implemented first
  • Third-party software can only be patched when the outside vendor releases a fix, so track those dependencies
  • Track the time spent on remediation so you can report progress in firm management updates

#5 Malware Defense

  • Utilize common industry-standard tools like FireEye
  • Web sensors: link-rewriting (“break-the-link”) services are an excellent way to keep users off malicious sites, because the service visits and checks the site before the page loads in the user's browser

#6 Application Software Security

  • Train your developers in secure coding
  • If you use outside developers, vet them with background checks
  • Use a common set of security requirements across projects
  • Mobile apps need to encrypt the data they store and transmit – each app can touch several parts of the mobile device, so be mindful of that impact

#7 Wireless Device Control

  • Firms still do not lock down their WiFi – a major door is left open when the network can be reached from the parking lot across the street

#8 Data Recovery Capability

  • Backup, backup, backup – and include the logs
  • If you are still using tapes, encrypt them

#9 Security Skills Assessment & Appropriate Training to Fill Gaps

  • Make sure you have the right trainers – look inside your organization at the firm's own training staff; they know how to teach best
  • The goal is to improve performance
  • Look at offering CLE credit to incentivize the user base
  • Use metrics – where are they now versus before

#10 Secure Configuration for Network Devices such as Firewalls, Routers, and Switches

  • Document every port or rule you open so that you can go back and close it when the task or client engagement is complete
  • Use an Outlook calendar reminder to revisit what was opened for a client
  • Look into two-factor authentication for device administration
  • Use password vaults for device credentials

#11 Limitation and Control of Network Ports, Protocols, & Services

  • Keep logs of who is doing what, over which ports and services

#12 Controlled Use of Administrative Privileges

  • Get people out of the habit of logging in as an Admin all the time
  • Users should elevate to Admin only for the specific task that requires those privileges

#13 Boundary Defense

  • Identity is the new perimeter – grant access through user access rights rather than network location
  • Be mindful of the cloud here: the more you rely on cloud services, the more places users can gain access from outside your network

#14 Maintenance, Monitoring & Analysis of Audit Logs

  • Take snapshots of normal traffic to establish a baseline
  • Look for anomalies against that baseline
  • Keep vigilant

#15 Controlled Access Based on Need to Know

  • Move toward a “closed” DMS, where access is restricted by default, versus an open DMS – this creates more security on that platform
  • Suggestion: move email into the DMS – this is controversial at law firms
  • Delete data that does not need to be there
  • Two-factor authentication should be used wherever possible
  • Ethical walls need to be established
  • Activity trackers help admins see who is doing what and why
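The “closed versus open DMS” and ethical wall points above can be made concrete with a small access model. The following is an added example, not code from the panel or from any DMS product: it evaluates the same document requests against an open posture (readable firm-wide unless the matter is restricted) and a closed posture (readable only by the matter team), layers an ethical wall on top of both, and writes every decision to an activity log. The matter numbers, users and team assignments are constructed sample data.

```python
"""Need-to-know access for a document management system (DMS).

Added example; not code from the ILTA panel or from any DMS product.
Two postures are modelled: an "open" DMS, where a matter is readable by
the whole firm unless explicitly restricted, and a "closed" DMS, where
nothing is readable unless the user is on the matter team. An ethical
wall overrides either posture, and every decision is logged so admins
can see who tried to read what. All matters, users and teams are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Matter:
    number: str
    client: str
    team: set = field(default_factory=set)
    restricted: bool = False  # only consulted by the open posture


@dataclass
class EthicalWall:
    name: str
    matters: set        # matters behind the wall
    walled_users: set   # users who must never reach them


class Dms:
    def __init__(self, closed: bool):
        self.closed = closed
        self.matters = {}
        self.walls = []
        self.activity = []  # (user, matter, allowed, reason)

    def add_matter(self, matter: Matter):
        self.matters[matter.number] = matter

    def add_wall(self, wall: EthicalWall):
        self.walls.append(wall)

    def can_access(self, user: str, matter_no: str) -> bool:
        """Evaluate one access request and record it in the activity log."""
        matter = self.matters.get(matter_no)
        if matter is None:
            allowed, reason = False, "unknown matter"
        elif any(matter_no in w.matters and user in w.walled_users
                 for w in self.walls):
            allowed, reason = False, "ethical wall"   # wall beats everything
        elif self.closed:
            allowed = user in matter.team
            reason = "on matter team" if allowed else "not on matter team"
        else:
            allowed = (not matter.restricted) or user in matter.team
            reason = "open posture" if allowed else "restricted matter"
        self.activity.append((user, matter_no, allowed, reason))
        return allowed


def build(closed: bool) -> Dms:
    """Populate a DMS with constructed matters and one two-sided ethical wall."""
    dms = Dms(closed)
    dms.add_matter(Matter("2015-0042", "Acme Corp", {"alice", "bob"}))
    dms.add_matter(Matter("2015-0077", "Beta LLC", {"carol"}))
    # Acme and Beta are adverse parties: the Acme team is walled off from
    # the Beta matter and the Beta team from the Acme matter.
    dms.add_wall(EthicalWall("Acme v. Beta", {"2015-0077"}, {"alice", "bob"}))
    dms.add_wall(EthicalWall("Acme v. Beta", {"2015-0042"}, {"carol"}))
    return dms


def compare_postures() -> dict:
    """Run the same requests against an open and a closed DMS."""
    requests = [("alice", "2015-0042"),  # on the matter team
                ("dave", "2015-0042"),   # partner not on the matter
                ("carol", "2015-0042"),  # behind the ethical wall
                ("bob", "2015-0077")]    # walled off from Beta's matter
    out = {}
    for closed in (False, True):
        dms = build(closed)
        out["closed" if closed else "open"] = {
            f"{user}:{matter}": dms.can_access(user, matter)
            for user, matter in requests}
    return out


if __name__ == "__main__":
    for posture, decisions in compare_postures().items():
        print(posture, decisions)
```

The only request whose answer changes between postures is the partner who is not on the matter: the open DMS lets him in, the closed DMS does not. The ethical wall blocks the same users under both postures, which is the point of evaluating it first.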

#16 Account Monitoring and Control

  • Create documentation, auditing and a ticketing process for account changes
  • Create good password policies
  • Look at not only unsuccessful logins but successful ones as well – someone in China could be logging in successfully every time when you have nobody working from there
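The baseline-and-anomaly approach from #14 and the “review successful logins too” point from #16 come together in a small detection script. The following is an added example, not code from the panel or from any SIEM product: it builds a per-user snapshot of the countries each account normally logs in from during a quiet baseline window, then flags successful logins in the review window from a country outside that user's baseline, plus bursts of failures from a single source. The log lines are constructed, and the country field stands in for the GeoIP lookup a real pipeline would perform on the source address.

```python
"""Login monitoring against a baseline of normal activity.

Added example; not code from the ILTA panel or from any SIEM product.
It implements two of the panel's points: take a snapshot of normal
traffic and look for anomalies against it (control #14), and review
successful logins, not only failures, for locations where nobody on
staff works (control #16). All log lines are constructed; the country
field stands in for a GeoIP lookup on the source address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)

# Constructed sample data: a quiet baseline week, then a review period.
BASELINE_LOG = """\
2015-06-01T08:14:03 user=alice result=SUCCESS src=203.0.113.7 country=US
2015-06-02T08:09:41 user=alice result=SUCCESS src=203.0.113.7 country=US
2015-06-02T09:30:12 user=bob result=SUCCESS src=203.0.113.8 country=US
2015-06-03T17:02:55 user=bob result=SUCCESS src=203.0.113.20 country=GB
2015-06-04T08:11:30 user=carol result=SUCCESS src=203.0.113.9 country=US
""".splitlines()

REVIEW_LOG = """\
2015-06-08T08:12:00 user=alice result=SUCCESS src=203.0.113.7 country=US
2015-06-08T23:41:17 user=alice result=SUCCESS src=198.51.100.9 country=CN
2015-06-09T10:05:44 user=bob result=SUCCESS src=203.0.113.20 country=GB
2015-06-09T02:00:01 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T02:00:09 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T02:00:20 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T02:00:31 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T02:00:45 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T02:01:02 user=carol result=FAIL src=192.0.2.44 country=RU
2015-06-09T11:15:00 user=carol result=FAIL src=203.0.113.9 country=US
""".splitlines()


def parse(lines):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def baseline(events):
    """Snapshot of normal: the countries each user successfully logged in from."""
    normal = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            normal[e["user"]].add(e["country"])
    return normal


def find_anomalies(events, normal, fail_threshold=5,
                   window=timedelta(minutes=10)):
    """Flag successes outside the baseline and bursts of failures per source."""
    findings = []
    # A successful login is the one that matters: it means the attacker is in.
    for e in events:
        if e["result"] == "SUCCESS" and e["country"] not in normal.get(e["user"], set()):
            findings.append(("success-from-new-country", e["user"],
                             e["country"], e["src"]))
    # Failures still matter as a precursor: N failures from one source in
    # `window` is a password-guessing pattern.
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    for src, times in sorted(by_src.items()):
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                findings.append(("failure-burst", src, len(times)))
                break
    return findings


def run_demo():
    normal = baseline(parse(BASELINE_LOG))
    return find_anomalies(parse(REVIEW_LOG), normal)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Bob's London login is not flagged because GB was already in his baseline, while Alice's successful login from a country she never used is, even though nothing about that event failed. One caveat for a real deployment: review the baseline window by hand before trusting it, because an intruder who was already active while the snapshot was taken gets learned as normal.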

#17 Data Protection

  • Require strong passwords – but teach users how to create and manage them with the tools now available, such as password managers
  • Help your firm use encryption – there are many options such as WinZip, BitLocker, etc.
  • Push for secure cloud drives; done correctly, they are safer than a thumb drive

#18 Incident Response and Management

  • The plan is a living document that walks people through what needs to be done and when
  • Define what an incident is at the firm
  • Define how an event is classified as an incident and what threat level it poses

#19 Secure Network Engineering

  • Isolate user locations so that you can separate people, hardware and software. If everything is in one bucket, when one part goes awry the whole thing goes awry
  • Have a firewall rule prepared in advance so critical services can stay up if everything else has to be shut down
  • In your server room, color-code your network cables for ease of troubleshooting

#20 Penetration Testing and Red Team Exercises

  • You should have firm technology people who can do penetration testing
  • Make sure they test using social engineering as well
  • Rotate outside vendors for this testing so that you always get a different look at your systems