17 October 2014

"Unprepared law firms vulnerable to hackers" - do tell!

I recently read an article HERE describing how law firms may be vulnerable to cyber-attacks, in which Mr. David Ries is pictured holding technologies that are at least ten years old.
Mr. Ries is considered to be a "leading expert" in cyber-security, and he is only now coming to the press with this information?

I guess the joke is on "them"...

Indeed, this article addresses security concerns, ones that will not be addressed until the hand is strictly forced.

Having performed security consulting work in these environments, I have made numerous attempts to "pitch" the need for robust security infrastructure and methodologies inside law firms: training and education, standards, quality security employees or teams, and so on, before the tsunami strikes.

Unfortunately, many law firms tend not to employ highly trained, experienced or recognized security professionals, particularly those seated at “higher” positions within the firm.
Law firms tend to keep the circle tight and don't always subscribe to industry style structuring, especially regarding information security. Many firms are accustomed to hiring "experts" for cases or trial and then quickly giving them the broom.

My personal experience has been that many law firms generally hire those that are average at best, and give those average employees too much to protect with too little funding or personnel to achieve their goals – because law firms are not being strictly “compelled” to protect those assets.
It all comes down to risk vs reward and many law firms do not see the need… especially when it comes down to allocating the required funds for experienced security “leaders”.

Read the exhaustive list of standards and requirements and you will not find where law firms are strictly or specifically included… where are formal reporting or audits included? 
I would argue that law firms (lawyers) make incredible arguments, considering that is what they are paid to do, and that it will be difficult for any outside body to compel them to follow a strict standard – Judges are lawyers too.

I have read many articles that state “no large breach has taken place that would require notification”. Considering there are no real legal requirements to do so, it is disingenuous to make such a statement.  There have been reported breaches, but those are only the tip of the iceberg.  There is much, much more taking place behind the curtain that is not being reported.

Most importantly, some of this information can be just as confidential, if not more confidential, than medical and financial information.

So where is the outcry and why is this sector largely ignored?

I personally believe that the general public is ignorant regarding the information possessed by law firms, and that law firms inherently know the laws and willingly accept the risk because there are few "real" deterrents or penalties that could be easily administered.

When the ethics rules and opinions relating to law firms openly use wording such as "reasonable" to define what must be done to safeguard information, and then do nothing to define "reasonable", that is clearly an ambiguous statement that allows for plausible deniability.

If Mr. Ries and those like him wish to truly secure their assets and trade-craft, I would strongly suggest hiring long-term, highly qualified security leaders that are capable of leading a team of security professionals: professionals that understand the threats of today and the potential threats of tomorrow, and have already covered the passé threats of yesteryear.

05 October 2014

Mitnick - Security Expert or Security Whore?

When you rarely blog, it's hard to be taken seriously - I know, enough said.

Kevin Mitnick started his foray into "hacking" well before most reading this (if there is anyone reading this) were even born, as I doubt many over the age of forty-something read these types of articles.

If you are reading this, chances are that you already know who Mitnick is and why he has received so much notoriety - good and bad.
If you do not know of him, I'd recommend reading the Wikipedia page HERE before reading the rest of the post, else it really won't mean that much.

Kevin started into the computer age just a few years before I did. It was a wonderful new world whereby many geeks were freed and came together to share in their geekdom.
The major difference between Kevin and those like him, and myself and those like me, was, and still is, integrity and respect for others.

In 1982ish, I too performed some low level "hacking" on a DEC that allowed me to access the neighboring rival school's system.  Of course their geeks thought that our geeks were not up to the challenge and "we" needed to disprove that misguided thought - no matter the cost.

It wasn't long before another student and I were called to the principal's office and were asked a series of questions regarding the incident, which had been discovered some two weeks later. Only after listening to this voice of reason for what seemed like an hour was I sent on my way... fortunately with no real penalties.
I gave the interaction a bit of thought and realized that the geeky "new toys" that we had access to were not to be used to make people's lives more difficult but to enhance and assist lives - everywhere. That's not to say that "fun" and "pranks" don't have their place - we wrote many pieces of code that today would be deemed "viruses" or "malware".

That stated, Kevin had his fun and proved his points many times in the past - we all get it! Additionally, he made money with his nefarious doings, past and present.
Yes, he "did his time" for the wrongdoings of the past, but now it seems that being away from the spotlight just isn't doing it for him.

I had read that Kevin was taking his consulting firm to the next level - at least in his eyes. Kevin decided that "Zero Day" exploits could be a lucrative business and that his business model needed a shift.

Welcome the Kevin Mitnick 0-day exploit for hire business model!  Have a look HERE.

Knowing that we live in the United States of America, considered to be the "freest" country in the world, I can understand how Kevin thinks this could be a "good" idea.

Sadly and pathetically, this is far from a good idea and begs the question, "Was Kevin ever anything less than a 'whore' within the computer and security field?"
In my opinion, Kevin has "jumped the shark" with this business endeavor and has lost what little respect I had in reserve.

Mr. Mitnick has once again decided that "criminal type" behavior is where he likes to live.  I use the term "criminal type" because he's engaging in behavior that is not clearly criminal, just looks, walks and acts like that type of behavior... anyone remember the duck analogy?

This is really nothing less than old school pirate or mercenary behavior - period.

Plausible deniability has its role here, as you may be able to infer from his website.

Okay, so Kevin is the broker of "wrong-doing" but not the actual "wrong-doer"... that makes it so much better, right?

I am sure that every transaction will be thoroughly investigated so that the 0-days do not fall into the hands of the Devil. Certainly these 0-days cannot be traced, certainly the buyers will abide by any type of professional Terms of Use, and the buyers would never pass it on to an insidious user of the 0-day - anyone ever hear the term "straw purchase"?
After all, Kevin has never been known to do anything that would be deemed inappropriate or nefarious himself, right?

Regardless of the outcome of this "business", why would anyone consider Kevin Mitnick a security professional?
From this moment on, I hereby propose the title - Kevin Mitnick, Security Whore.