On the heels of breaches at Cravath Swaine & Moore LLP, Weil Gotshal & Manges LP among others, The Association of Corporate Counsel (ACC) has issued its first-ever guidelines on the basic data security measures that in-house counsel should expect from their law firms.
Law firms are warehouses of client information making them prime targets for attackers. The legal ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to a client (ABA Model Rules 1.6). Attorneys also have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, financial and health, for example.
The ACC calls for least privilege
Big law firms are the most vulnerable to hackers, according to an American Bar Association survey. The ABA found that 26 percent of firms with 500 or more attorneys that responded to its survey experienced a security breach in 2016. To put that into perspective that is 1 out of every 4! While many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, the industry is not using common security measures that other industries employ. Enter the least privilege model.
As part of the guidance that has been issued, the ACC, calls for adopting a least privilege model for the information that law firms possess. Least privilege is the concept and practice of restricting access to only the information and resources that are necessary for its legitimate purpose. In practice, least privilege means enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role.
Privilege in practice
So, how do users acquire privileges? Depending on the system, some privilege assignment, or delegation, to people may be based on attributes that are role-based, such as business unit, (i.e. Finance, Human Resources, or IT) as well as a variety of other parameters (project groups, physical location, executives and decision makers, etc.). Hackers, malware/ransomware, partners, malicious insiders and simple user errors—especially in the case of super-user accounts, are responsible for the most common privileged threat vectors.
Getting to a least privilege model can be complicated, but does not have to be. Here are some best practices to follow on your way to adopting a least privilege model:
- Conduct a privilege audit to discover effective access across every desktop and server. For organizations leveraging Microsoft LAPS, determine if the same or duplicate local admin passwords are in use. Identification of duplicate local admin passwords is essential to help prevent credential abuse.
- Understand where service accounts are being used on local systems and show which services they are running. Often when service account passwords are changed in AD the locally used services constantly lock the account out with invalid credentials
- Lockdown the SYSVOL share. Typically the SYSVOL share is open to everyone and can often contain passwords stored in clear text via logon scripts or in group policy. Clear text passwords are an open door to credential abuse.
- Prevent Local Accounts from Going across the Network – Report if local accounts are allowed access across the network. Common accounts like network service are considered trusted between some systems and could be used maliciously.
- Determine if anonymous access is restricted to systems and what anonymous access is allowed. Anonymous access can be detrimental as anyone is able to read information.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.