The new cyber vulnerability: Your law firm

Companies with top-notch IT security are still vulnerable to having their networks penetrated and their information stolen as hackers look to hit their subsidiaries, suppliers, and even law firms that don’t practice good network defense.

Small subcontractors or law firms can often access the networks and intellectual property of a large firm although they don’t necessarily have the security infrastructure of the big firms.

"The bad guys have really switched to things like going after third parties, places where the company’s data is stored or manipulated," Richard Bejtlich, chief security officer with the cybersecurity firm Mandiant told Killer Apps yesterday. "That’s why we’ve seen, over the last couple of years, [hackers targeting] law firms. You can’t get the data from the original source, so get it from somebody that has a copy or is processing it."

Law firms — which, ironically, are often the organizations tasked with helping to defend a company’s intellectual property — are "a very target-rich environment, their IT is generally not up to the level it needs to be, the victims themselves are very reluctant to implement any of the defenses that would work against this sort of thing," said Bejtlich. "All the confidentiality and privacy tends to work against seeing what’s happening [on a network]. If you tell a law firm partner, ‘Oh yeah, we’re going to monitor your computer and see everything that’s coming to and from that and everything that’s on the hard drive’…that’s completely antithetical to their culture; it’s pretty much the perfect place to steal data from."

This problem is exacerbated by the fact that so many businesses are connected to each other’s networks or have access to each other’s information — over the normal course of doing business — despite the massive disparity between the best players in the private sector and the business without much in the way of security standards.

Gen. Keith Alexander, chief of U.S. Cyber Command and the NSA, lamented this disparity in the private sector’s cyber security standards today.

"We have a problem, especially when you look at different sectors. So the banking industry and the higher-end defense-industrial base are pretty good. They’re right there at the top," said Alexander during a speech at a Symantec-sponsored cyber security conference in Washington. "Then you go out to some companies that are getting exploited, and they don’t know what the threat looks like, they don’t know what they should do. And some of those are in critical infrastructure."

Alexander reiterated his desire to see the private sector — especially so-called critical infrastructure providers like banks, defense companies, and energy and transportation firms — adopt cyber security best practices to quickly share information in the event of a cyber attack. Legislation that would deal with these issues, and several more, has been stalled in the Senate since August.

A host of other government cybersecurity officials today echoed Alexander’s point about the massive gap in security standards throughout the private sector, even among critical infrastructure providers.

Even in sectors like the defense industry that are better on the whole at implementing security standards, there is massive disparity in security practices.

"We do see some sectors who are in general more sophisticated. Now, if we’re talking about the defense-industrial base, what do you mean by that?" said Jenny Menna, acting director of the Department of Homeland Security’s Computer Emergency Readiness Team during the same conference. "They’re the big companies that we can all name off the top of our heads. But then there are little companies six levels down on the supply chain, and so I don’t think there is a consistent posture between the really big guys and the small companies."

She added that, among critical infrastructure providers, banks tend to be "extremely sophisticated. I sometimes refer to them as the AP class . . . Why is that? Because they’re protecting their money."

Brian Varine, director of cyber incident management at the Department of Energy, added that banks have high security standards because "they have had tangible loss" when their networks have been penetrated. However, "if I go into your company and I steal all your intellectual property, it’s still there, you don’t know it’s gone ‘til five years down the road and your competitor is kicking your butt because they’ve taken your product, reverse-engineered it, and produced a bigger, better, cheaper product."