Finding Peace of Mind Through Cybersecurity Assessments
To discover areas for improvement and validate the strength of its network to its partners and clients, national law firm Cantor Colburn worked with CDW on a battery of evaluations.
by Melissa Delaney, freelance journalist who specializes in business technology | September 07, 2018
As one of the top patent law firms in the nation, Cantor Colburn’s business is built upon intellectual property. Its clients include product inventors, trademark holders and producers of major movies and TV shows that aren’t yet public.
“We have clients who are extremely sensitive about the protection of their data, and we consider ourselves to be the stewards of that data,” says Dave Christensen, a partner at the Hartford, Conn.-based firm. “That makes us a fairly large target.”
As such, Cantor Colburn has always placed heavy emphasis on IT security, and its clients know that. But with cyberattacks increasingly in the public eye, most large businesses now require law firms and other business partners to complete IT security questionnaires as part of the vetting process for doing business with them.
In order to validate its infrastructure and bring peace of mind to current and potential clients, Cantor Colburn worked with CDW to conduct two vital cybersecurity assessments: a gap analysis, including days-long interviews to review security controls; and a penetration test, in which a white hat hacker attempted to infiltrate its network.
“We wanted to be able to say, ‘We’ve architected a system around security, your data’s safe, but not only that, we’ve had an independent third party validate that,’” explains Christensen.
The Right Partner for the Job
Cantor Colburn’s long-standing relationship with CDW and its highly regarded reputation made it a natural fit when the firm went in search of a qualified independent security assessor, explains IT Director Joel Lepage.
“The thing about CDW is it’s a very low-pressure process. They fit solutions to your needs,” says Lepage. “A lot of the other companies I talked to are super high pressure. They didn’t want to take the time to understand what we were looking to do. They just wanted to apply their own product offering to our system.”
The firm opted for a wireless penetration test, which seeks access through a Wi-Fi network; an external test, emulating an outsider breaking into the network; and an internal test, which aims to access restricted data from within the network.
Viewing infrastructure through an attacker’s perspective can help businesses see it in a new light. “There are a lot of ways we get into systems that are essentially working as intended but have an inherent weakness in the operating system or the network architecture,” says Mark Lachniet, manager of CDW’s information security solutions practice. “People think penetration testers just find unpatched systems and exploit them, but that’s not really the most productive avenue of breaking in.”
Testing the Network from Inside and Out
Businesses can opt for a gap analysis or a penetration test, “but when you put them together, you get the most benefit,” says James Foster, CDW information security consulting technical lead.
There are weaknesses that either assessment will uncover, but some can only be detected through one or the other, he explains. For instance, employees questioned about their patching procedures during a gap analysis might think they’re doing a great job, but a penetration tester may find otherwise. “What could look fine on paper might not hold up to a penetration test,” Foster says. “More organizations than not are doing a bad job at patching, and they’re not necessarily aware of it.”
Conversely, penetration tests don’t examine security controls, but a gap analysis does, and it can uncover issues. For instance, penetration testers don’t typically hack into employees’ phones, so they wouldn’t know if smartphones are exposed. But questions asked during a gap analysis might reveal that a business doesn’t require employees to use a fingerprint ID or password on their phones.
Cantor Colburn’s penetration test began with a week of online investigation by Ian Odette, CDW security consulting engineer, who sought to acquire as much information as he could about the firm — not just technical information, such as the types of servers it uses or whether it uses a VPN, but also personal information, including employee names and other data.
“There’s a perception that hacking is all about crazy, complex things — you need to be a supergenius,” says Odette. “There are aspects of that, but usually we start with the lower-hanging fruit first because it’s the stuff that’s easier to execute on.”
For instance, he can easily find employees’ names online. He then tries to gain access by pairing an actual user’s account with a guess at that user’s password. Depending on the organization’s password policies, something as generic as “summer2018” might work. Once Odette has administrator credentials, he can move throughout the network. “We can demonstrate how we can go from knowing nothing to having a substantial level of privileged access,” he explains.
The second week of the assessment is the internal portion. “We scrap all the stuff we’ve collected before and act as though we’re coming from an entirely new perspective — a disgruntled employee or hacker with internal access,” says Odette. “Our goal is to look at whatever we can in the time period we have and get them as exhaustive a list as possible of serious threats with recommendations to remedy them.”
A Customized Gap Assessment
For the gap assessment, which relies on the National Institute of Standards and Technology Cybersecurity Framework, Foster started with a week of phone interviews followed by onsite interviews for three days. During the onsite portion, he interviewed staff in IT and various business units.
“You have to learn about their business — how they’re organized, what they do, how many employees they have, what type of clients they work with, what type of data they have, if they have regulatory requirements and more,” Foster says.
The next step is to examine the technical environment, including systems, policies (such as how users are provisioned on the network) and technologies used to prevent or detect attacks, explains Lachniet.
Each CDW gap assessment is tailored to the client. “If it’s a manufacturing business, we walk about the manufacturing floor. If it’s healthcare, we talk to nurse supervisors,” Foster explains. “We’re trying to sample all parts of the organization for where security processes touch them to figure out where weaknesses might be.”
All CDW engineers who perform gap assessments have had penetration testing experience. That way, they know to ask questions that matter instead of just relying on some boilerplate from a checklist, Foster explains.
The interview process was intense but enlightening, says Lepage. “We learned quite a bit from them with regard to what we can do to improve our processes and even what to look for in the IT world in general.”
Detailed Findings and Recommendations
A security assessment can put organizations in something of a Catch-22, explains Christensen. The Cantor Colburn team wanted the assessors to find problems if they existed. “If there were no issues, I’d suspect the process itself,” he says. But at the same time, they were hoping to validate their long-standing faith in the security of their systems.
During the internal test, Odette used Microsoft’s Group Policy to gain access to secured resources on the network. Cantor Colburn had implemented the policy according to Microsoft standards, but Odette used a newer exploit the firm hadn’t yet heard about.
“He showed us how he got in,” says Lepage, “and we were able to address it immediately.”
The breach illustrates an old cybersecurity adage: Those attacking have the easier job, because they need to discover only a single weakness to be successful, while those protecting networks must be perfect all the time.
After the assessments, the CDW team provided a list of suggested improvements ranked by greatest benefit and lowest cost. That helped the firm prioritize its projects. For instance, Cantor Colburn’s leaders had already been planning to implement multifactor authentication, but the audit made clear what a tremendous improvement it provides relative to the cost. “So that moved to the very top of the list,” says Christensen.
Training also came up. Rather than limiting training to when new employees come on board or when systems are replaced or upgraded, CDW suggested periodic refreshers to remind employees of threats and best practices.
Knowledge Is Value
Cantor Colburn didn’t have to purchase any new systems after the assessments. It was able to make improvements simply by modifying or updating its systems and processes. “There was almost no impact from a budget perspective,” says Lepage.
That is often the case. Talking to a seasoned security professional for an extended period helps most businesses learn ways to improve their security for little or no cost, says Lachniet.
Another advantage of a security assessment is that it sets a self-imposed deadline for businesses to get their systems in order. Lepage and his team thought they could predict issues the assessors would raise, “but the reality was, they’re the experts. Our IT team’s job isn’t just information security, so there are going to be holes in our analysis,” he says. “Having these experts come in and say, ‘This is where you should be focusing’ helped us become more efficient.”
Four Tips for Getting — and Staying — Secure
Security is an ongoing process, not a one-time event. Here are four must-do items to help keep your data safe.
- Establish a system of ongoing improvement. Form a working group to spearhead and track projects resulting from security assessments.
- Switch assessors periodically. It helps to get different perspectives with varying skill sets.
- Follow through on patching. Most organizations are good at managing Windows environments, but they fail to update third-party applications.
- Start small. Before investing in costly security tools, try CDW’s complimentary Threat Check service. A malware detection device passively monitors an organization’s network traffic, then CDW security professionals review the findings and make recommendations to address issues.