Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


case studies

Hack the Company To Protect Information

by Jeffrey T. Kunz of Foley & Lardner, LLP

One of the greatest IT challenges we face in the legal profession is compliance. Our clients demand ever-increasing security requirements, and it's no longer uncommon to have potential clients examine your security posture before they will even do business with you. Most firms have implemented myriad security products, such as firewalls, intrusion detection systems (IDS), proxy servers and email gateways, to help protect the network from security breaches. Coupled with a security policy framework and user awareness training, these products are part of a good defense-in-depth strategy.

Naturally, the next step is to test the effectiveness of these security controls. Many firms contract third parties to do some type of vulnerability assessment or penetration testing, but there are two major flaws with relying solely on these results — scope and time. It is extremely cost-prohibitive to scope out the entire infrastructure for a contracted assessment, and assessments are run on whatever interval the security policy mandates — typically six months to a year between audits. An automated vulnerability management solution that has the flexibility to meet the scheduling requirements of any security policy is the best way to bridge the gap between audits.

Setting Up Our Test

In one of our cases, we set up such a solution for a client firm. The first step in our process was to identify all logical networks in use within the firm. Since we maintain solid documentation on our network topology, it was easy to gather this information. Then we assessed the data to create a schedule that would break up the entire network topology into regional sections, which would allow us to scan all networks on a weekly basis. Using the schedule, we configured Nessus, our vulnerability management software, to scan the networks and output the results to a secure server.

We built custom scanning profiles based on the type of environment we were scanning and the results we were looking for. For instance, some of the scans used no credentials (to mimic an attacker), while other scans of the same networks were set up with privileges to access the server. Using a combination of these two scanning types, we were able to get a lot more information that would help deal with threats, both internal and external. The next step was to configure Core Insight, our automated penetration testing solution, to scan the same networks using a combination of the Nessus results and the built-in predictive

34 Peer to Peer
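The scheduling step described above (inventory the logical networks, split them into regional sections so everything is scanned weekly, and run both an uncredentialed and a credentialed profile against each network) can be made concrete as a small scheduler. The following is an added example, not code from the article, from Foley & Lardner, or from Tenable or Core Security. The inventory, region names and the credential reference "vault:scan-svc-account" are constructed placeholders, and the job dictionaries it emits are a neutral format of my own to feed into whatever scanner is in use, not Nessus's own API. It also adds the check a practitioner wants before trusting a weekly schedule: overlapping inventory entries are rejected, and a coverage function confirms that no network was left off the calendar.

```python
"""Weekly vulnerability-scan scheduler (added example, not the article's code).

Balances regions across the working week, largest region first into the
lightest day, so that every logical network is scanned once a week, then
expands the plan into two jobs per network: an uncredentialed scan (the
attacker's view) and a credentialed scan (what is actually installed).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Network:
    cidr: str
    region: str
    kind: str  # "server" or "workstation"


# Constructed inventory standing in for the firm's topology documentation.
INVENTORY = [
    Network("10.0.0.0/21", "hq", "workstation"),
    Network("10.0.8.0/24", "hq", "server"),
    Network("10.1.0.0/22", "east", "workstation"),
    Network("10.1.4.0/24", "east", "server"),
    Network("10.2.0.0/23", "west", "workstation"),
    Network("10.2.2.0/24", "west", "server"),
    Network("10.3.0.0/24", "central", "server"),
    Network("10.4.0.0/24", "north", "workstation"),
    Network("10.5.0.0/25", "south", "server"),
]

WEEKDAYS = ("mon", "tue", "wed", "thu", "fri")

# Hypothetical credential reference: a name the scanner resolves from its own
# credential store. The schedule file never carries a password itself.
SERVER_CREDENTIAL_REF = "vault:scan-svc-account"


def host_count(net: Network) -> int:
    """Size of a network by address count; used as the balancing weight."""
    return ip_network(net.cidr).num_addresses


def find_overlaps(inventory):
    """Return pairs of inventory entries whose address ranges overlap.

    Overlaps mean hosts are scanned twice, or a large aggregate hides a
    smaller subnet that needed a different profile, so they are rejected.
    """
    nets = [(n, ip_network(n.cidr)) for n in inventory]
    return [
        (a, b)
        for i, (a, net_a) in enumerate(nets)
        for b, net_b in nets[i + 1:]
        if net_a.overlaps(net_b)
    ]


def build_weekly_plan(inventory, days=WEEKDAYS):
    """Assign each region to one weekday, balancing address count per day.

    A region stays on a single day so its scan traffic crosses one regional
    WAN link in one window rather than trickling across the whole week.
    """
    if find_overlaps(inventory):
        raise ValueError("inventory has overlapping networks; fix it first")
    by_region = defaultdict(list)
    for net in inventory:
        by_region[net.region].append(net)
    region_size = {r: sum(host_count(n) for n in nets)
                   for r, nets in by_region.items()}
    load = dict.fromkeys(days, 0)
    plan = {d: [] for d in days}
    for region in sorted(by_region, key=lambda r: -region_size[r]):
        day = min(days, key=lambda d: load[d])  # earliest lightest day on ties
        plan[day].extend(by_region[region])
        load[day] += region_size[region]
    return plan


def scan_jobs(plan):
    """Expand the plan into jobs: both profiles against every network."""
    jobs = []
    for day, nets in plan.items():
        for net in nets:
            jobs.append({"day": day, "target": net.cidr,
                         "profile": "uncredentialed", "credential": None})
            jobs.append({"day": day, "target": net.cidr,
                         "profile": "credentialed",
                         "credential": SERVER_CREDENTIAL_REF})
    return jobs


def unscanned(plan, inventory):
    """Coverage check: inventory networks that no weekday scans."""
    scheduled = {n for nets in plan.values() for n in nets}
    return [n for n in inventory if n not in scheduled]


if __name__ == "__main__":
    weekly = build_weekly_plan(INVENTORY)
    for weekday in WEEKDAYS:
        print(weekday, [n.cidr for n in weekly[weekday]])
    print(len(scan_jobs(weekly)), "jobs; unscanned:", unscanned(weekly, INVENTORY))
```

With the constructed inventory the six regions land on five days: the two tied small regions (central and south) share Thursday, and each of the nine networks gets an uncredentialed and a credentialed job, eighteen in all. The credentialed profile is applied to every network here for simplicity; the article only states that credentialed scans were run against the servers, so a real deployment would key that on `kind`.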
