Less Than Suitable Security Invites Issues to Law Firm
It has been noted repeatedly that the persons intent on compromising company systems are not completing this endeavor for practice. Given the risks involved, criminal and otherwise, there is a goal in focus for these individuals or groups. This may be to exfiltrate data or other much valued information.
These compromises, depending on the target, can have rather far-reaching repercussions. For a hospital, this may involve the medical records of the average citizen or a more targeted approach for the specific records of C-level executives, Hollywood personalities, and other highly valued targets. This may be costly from a HIPAA exposure standpoint along with the indirect, short-term cost of the issue within the community.
One such compromise was recently announced. Appleby, an off-shore law firm, confirmed recently that they had been compromised. For a law firm this is a rather significant issue given the data and information the firm would possess as a normal course of business. This could be used for insider trading, to maximize market placement, and other applications. This could also be used for nefarious acts, such as bribery of individuals or entities.
If this were to not be disturbing enough, the compromise occurred in 2016. This has provided ample time for the information and data to be leveraged by the individual(s) involved in the breach. The impact from the vast amount of time that has lapsed without this being confirmed may not be measurable in any realistic manner. This may not have even been publicized had it not been for the International Consortium of Investigative Journalists and other organizations which partner with them contact Appleby for confirmation.
Although this would be provide for an in-depth, robust case study, there are insights to be collected without the mass amount of research. When a business, firm, or other entity is compromised and data exfiltrated, the entity should not place their head in the sand. Hoping the issue will go away as their data is being sold repeatedly on the Dark Web is generally not a good idea. To pull the band-aid off quickly and immediately is generally the best course of action. Notwithstanding any pertinent, germane federal laws, e.g. HIPAA, once the compromise is confirmed and the data exfiltration documented via a forensic team or a suitable trained department at the firm, this should be addressed immediately. To wait much like the firm breeds contempt and thoughts of the firm attempting to hide or camouflage what happened. To avoid this creates the environment the business has more control over, in comparison to flowing in the wind until someone else finds out and calls you.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.