Law Firm Websites Security Risks... Beyond SSL Basics
Igor Ilyinsky
Superintelligence Architect @ ListenUp Ai/Ar/Az/Ao/n/a, tknmcs.com, Inventor, Coder, Father, Speaker, Investor, Hacker, Builder, Husband, Musician
When you speak to most people in legal marketing or tech about website security, they say something like: “Yeah, our site is secure - we have SSL!” They may not realize that this is merely the first step in securing a website and protecting users’ data. This subject is not one to be taken lightly, as clients’ privacy is at risk. In fact, this has become such a concern that many legal insurance carriers have been mandating that law firms take additional steps to protect their clients and have been conducting basic security audits. (Does yours?)
You can get a free report for your own website here: https://securityheaders.com/ If you find issues, you should fix them immediately. My team is ready to help (pm me).
These vulnerabilities are not too difficult to comprehend, as I will review them below, but implementation will vary based on the platforms in play and the technical experience of the providers. Let’s dive into the fundamentals of securing websites together (don’t worry too much about the acronyms, but the concepts are fundamental to legal mar-tech)…
HTTP/S: If you liked it then you shoulda put an “s” on it.
Websites have used HTTP since the beginning of the internet to share data, but one major downside of the technology is that it passes information in “clear text”. This means that anyone with access to the network routers may watch and record the traffic coming through (it’s called sniffing). Why is this a problem? Obviously exposing credit card numbers could lead to identity theft, but even leaking someone’s personal search history could be damaging. The solution is to request a trusted party to issue a security certificate, so that data is encrypted in the user’s browser and decrypted at the server over a secured connection (SSL/TLS). The security certificate is designated by a padlock symbol in the browser and the added “s” in the location bar’s protocol… HTTPS. The good news is that the majority of law firm websites already have some version of this in place, but unfortunately, not all certificates are created equal. Cheap or free certificates tend to use less complex encryption methods and come from less trustworthy sources. The more robust operations will not provide certification without first validating your law firm’s existence, good standing and domain ownership.
HTTP/CSP: Who’s down with CSP? Almost nobody!
Now, while your website pages may be secured with HTTPS, you must realize that almost all web pages on the internet are composed of text, images and scripts from numerous different websites, any of which may be compromised without your knowledge. A Content Security Policy will set strict guidelines for what is and is not allowed to occur on your website. Sadly, very few law firm websites employ one. It’s like a bouncer at a nightclub, simply blocking the bad ones from coming in and ruining the party. But if your bouncer is too selective, some things will stop working. Without a well written policy, your bouncer may let in the dancers, but not the DJ. Thorough testing is required! UPDATE: There is now also a separate Permissions-Policy header you can add to your website headers.
HTTP/STS: I’m talking to the man in the middle.
Most traffic to a law firm’s website will be repeat visits. The first time will typically be in a trusted environment, such as from a work computer. But the next time may be from a less trusted wifi connection at the airport. What if the airport wifi is offered by a scammer? It’s a stretch - I know - but let’s indulge… This scenario exposes a man-in-the-middle attack, allowing the scammer to downgrade security protocols on your website and eavesdrop on users. But STS headers prevent this by placing a restriction on the security levels the first time a user visits, which is then enforced for all future visits. You should also disallow the use of your website without HTTPS (not simply offer it, but mandate it). Again, you need to be vigilant about not over-securing the protocol, as you may be restricting yourself from downgrading security levels in the future.
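The three header controls just described (HTTPS everywhere via HSTS, a Content Security Policy, and the newer Permissions-Policy) can be checked mechanically. The script below is an added example, not code from the original article or from securityheaders.com: it parses a site’s response headers and reports the gaps a basic audit would flag, including the “over-securing” caveat above (a very short HSTS `max-age` is reported, and `preload` without `includeSubDomains` is reported because preload lists require both). The header sets, the one-year minimum and the CDN hostname are constructed assumptions for illustration; in practice you would feed it the headers your own site returns.

```python
"""Audit HTTP response headers for HSTS, CSP and Permissions-Policy.

Added example, not from the original article. The header sets and the
threshold below are constructed for illustration; run check_headers() on the
headers returned by your own site (e.g. requests.head(url).headers).
"""
from __future__ import annotations

import re

# One year in seconds, the minimum max-age commonly expected for HSTS
# (an assumption for this example, not a value from the article).
HSTS_MIN_AGE = 31536000


def parse_csp(value: str) -> dict[str, list[str]]:
    """Turn "default-src 'self'; script-src 'self' cdn" into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value: str) -> dict[str, int | bool]:
    """Extract max-age, includeSubDomains and preload from an HSTS header value."""
    result: dict[str, int | bool] = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for token in value.split(";"):
        token = token.strip()
        match = re.fullmatch(r"max-age=(\d+)", token, re.IGNORECASE)
        if match:
            result["max-age"] = int(match.group(1))
        elif token.lower() == "includesubdomains":
            result["includeSubDomains"] = True
        elif token.lower() == "preload":
            result["preload"] = True
    return result


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HSTS: must be present and cover a long enough window to matter.
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (HSTS)")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max-age"] < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {hsts['max-age']} is below {HSTS_MIN_AGE}")
        if hsts["preload"] and not hsts["includeSubDomains"]:
            findings.append("HSTS preload requested without includeSubDomains")

    # CSP: must be present, needs a default-src fallback, and should not use
    # the sources that disable most of its protection.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    else:
        csp = parse_csp(h["content-security-policy"])
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        for directive, sources in csp.items():
            if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append(f"CSP {directive} allows unsafe-inline/unsafe-eval")
            if "*" in sources:
                findings.append(f"CSP {directive} allows any origin (*)")

    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")

    return findings


# Constructed header sets for illustration (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src * 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or "OK")
```

The weak set produces five findings (short HSTS window, no `default-src`, wildcard and inline scripts allowed, no Permissions-Policy); the hardened set produces none. The CSP parser is deliberately simple (it does not validate individual source expressions), which is enough for a first-pass audit but not a substitute for testing the policy against the real site, as the section above stresses.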
GeoBlocking & Obfuscating: live together in perfect harmony.
One obvious method of thwarting attacks is by closing any security holes that exist. Over 90% of cyber attacks on US companies come from outside the US. While many firms have offices and clients in other countries, the vast majority do not - and certainly not in China, Iran or North Korea. Geoblocking these countries from accessing your website is easy to do by IP address. For an additional layer of protection, obfuscation of your web servers through proxies and content delivery networks will provide peace of mind. While web servers are generally secure, a properly incentivized hacker can still break in - unless they don’t know where the servers are.
Conclusion
Using the methods above, in addition to security products such as a WAF (outside the scope of this article), will level up your security and show clients that you really care about protecting them. If you ignore this until it becomes a problem - well, consider this a warning - DON’T!
If you know of other measures to be taken to secure websites, please comment below.