In the wake of recent BigLaw data breaches and data security lawsuits, clients are starting to demand more from law firms when it comes to protecting their data. This is becoming an especially important issue for clients since over a quarter of firms with at least 500 attorneys and more than 15 percent of firms with 100-499 attorneys have experienced data breaches. To find and fix potential data security backdoors and vulnerabilities, law firms of any size should be consulting with independent, third-party experts who are qualified to conduct penetration tests -- in other words, authorized hacking attacks on firm servers and IT systems.
That being said, lawyers, law firms and their internal IT teams can use a number of online tools and apps to automate potential attacks and discover potential vulnerabilities they can either immediately fix themselves or bring to the attention of an outside expert.
While no single program can give you a complete picture of the IT health of your firm’s website, the following online tools and apps can help give firms and their IT teams a better grasp on the current state of their data security safeguards.
1. Metasploit, for Hacking Yourself
Metasploit, a tiered-package, automated penetration testing program offered by Rapid7, gives lawyers and their in-house IT teams the ability to step into the shoes of a potential hacker and launch different types of attacks on their firm’s servers.
Metasploit relies on a continually updated playbook of over 1,300 hacking attacks that users can execute to see how their firm’s servers, antivirus programs, and IT systems respond to different types of known attacks. With over 200,000 active users and experts updating and contributing to its open-source framework, Metasploit’s community provides extensive support forums and adds at least 1 new hacking attack per day, to ensure that the program’s library of hacking attacks is as up-to-date as possible. Although it can only be used on Windows and Linux-based computers at this time, Metasploit is worth looking into if your firm utilizes one of these operating systems.
2. iRet, for Testing Your Mobile Device Security
The growing trend of BYOD workplaces means that legal professionals are continually relying on their personal devices to perform work tasks -- especially mobile devices. This approach, however, can easily backfire if attorneys and employees are using outdated device operating systems or apps on their devices. iRet, which is available as a free download, can help spot these kinds of issues because it runs the same kinds of automated tests a qualified mobile device penetration tester would conduct, all on the mobile device itself.
iRet, therefore, can be a valuable tool for diagnosing issues on particular cell phones and for identifying apps and other software that could lead to issues such as stack smashing attacks, password phishing, and other vulnerabilities that experienced consultants could address.
3. High Tech Bridge, for Server Security Analysis
For lawyers and law firm IT techs looking for a broad overview of potential server issues, or for firms that are shopping for web hosts or checking to see how their existing website and servers are doing, High Tech Bridge’s free SSL and server analysis tools are a good place to start.
No coding knowledge is needed; all you need to do is enter the URL of your law firm website and the tools will do the rest. While this isn’t necessarily a penetration tool on its face, lawyers and IT tech workers can use High Tech Bridge’s tools to spot potential web server, SSL certificate, mail server and app server issues that could create unintended server entryways that hackers could exploit. These tools can also analyze whether your website and servers are properly configured to ensure PCI DSS, HIPAA, and NIST compliance, and can even help pinpoint potential cybersquatting activity.
4. Viproy, for Your VoIP Networks
In addition to computer servers, voice over internet protocol (VoIP) phone systems are another favorite target of cybercriminals. Unlike traditional phone lines, VoIP systems store phone conversations as “packets” of electronic data that can be hacked into much like any other kind of data.
Fortunately, VoIP penetration tools such as Viproy can help spot and diagnose potential weaknesses in a firmwide VoIP system. Viproy is a free penetration testing kit offered on GitHub that can be used to spider through a firm’s VoIP system to uncover patchable problems with your firm’s VoIP cloud storage, software, or service connections. While Viproy does require some coding knowledge to operate, it can be a helpful tool for tech-savvy lawyers or law firm IT professionals to diagnose VoIP issues internally.
5. Arachni, for Testing Your Web Apps
Many law firms and companies today utilize web-based applications that rely on internet connections to third-party servers to carry out important office functions and to streamline communications with clients. Dropbox is a familiar example of this kind of program.
Certain web-based applications, however, can open potential backdoors and exploits for hackers if they aren’t regularly patched and updated. In one noteworthy case, for example, potential vulnerabilities resulting from a commonly used, outdated application, JBoss, led to malpractice claims in Shore et al. v. Johnson & Bell, Ltd., widely considered to be the first data security class action lawsuit against a law firm.
Many such issues can be addressed using programs such as Arachni. Arachni, which can operate on Windows, Mac OS X, and Linux computer systems, is a Ruby-based scanner that crawls through web applications to detect possible vulnerabilities, and can adapt its attack strategies on the fly to try different hacking approaches on a single web-based app. It is designed not only to work well with other products but also to be extended with plug-ins and other add-ons. Although installing and running the program requires some knowledge of Ruby, Arachni is useful for testing the health of your firm’s web-based applications.
Of course, DIY solutions are rarely an adequate replacement for the opinion of a skilled professional. But if you're just starting to explore your firm's data security and IT health, these five tools are a good place to start.