• How secure is your law firm’s extranet?

    07 Sep 2007

    Do you work for a law firm that provides a client Web portal that houses extremely sensitive case information (or other similar system that allows a client to manage their own data)? If so, chances are there are weaknesses in the system waiting to be exploited. Be it the commonly-used SharePoint or any other commercial or home-grown system, all it takes for someone with ill intentions to create a problem is a weakness in the login mechanism or login requirements, poor input validation (JavaScript and SQL statements), test files left loaded on the site – you name it – the possibilities are endless.

    It doesn’t matter if the application is “behind the firewall”. It doesn’t matter if it uses SSL for encryption. And it doesn’t matter if all the software in use is patched with the latest hotfixes or service packs. The problems are at the application level and they’re still there regardless of how hardened the environment is.

    I bring this up because it’s so easy for business managers to Web-enable anything and everything to woo their clients/customers. I’m seeing these types of Web vulnerabilities more and more. Business apps are cropping up on the Internet more and more – especially in the legal field. A lot of them are not being tested for security vulnerabilities in the slightest way. OK, some are being scanned with whatever freeware security scanner the network admin is familiar with, but that’s not enough – not even close! Commercial OS and Web application scanners – and more importantly – manual testing is required to really figure out how Web portals such as this can be exploited.

    There are so many complexities and variables in Web applications which, again, is one of the reasons I love testing software (see my related post on this). If you’ve got a law firm extranet or some other type of Web portal housing information you can’t afford to have compromised, you’ve got to look at the environment from a malicious attacker’s perspective. Test and test again – now and as long as the system is publicly-accessible. The Web application flaws will eventually be found by someone – might as well be you!

Resources

view all

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

application security appsec basics books careers censorship CISO CISSP cities compliance coronavirus covid-19 cybersecurity data breaches hacking Hacking For Dummies heads in sand health incident response information risk keynote speaker leadership macOS networked cameras passwords patching racing resilience Russian hacking SDLC security culture security leadership security program management security speaker selling security social engineering speaking engagements spec miata sql injection tiktok time management training vulnerability and penetration testing web security

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.

For your convenience I accept