For many law firm clients, penetration testing is not only a friendly suggestion but also a requirement. Penetration tests help firms meet the compliance obligations imposed by regulations and standards such as those of the ABA and HIPAA. Moreover, even if clients do not currently require penetration testing, it is good practice to perform tests regularly to ensure systems are secure and to give current and future clients assurance that sensitive data is protected.
While it’s possible for firms to perform tests on their own, penetration tests often produce the best results when they are conducted by a third-party partner. Partners have access to a variety of tools to perform the test and can determine which type of test is best based on the firm’s circumstances. Furthermore, a partner will delve deeper into the networks, systems, and applications than a less experienced security professional.
Effective third-party penetration testing partners will guide you through the testing process and provide and explain the reports and necessary next steps to improve security.
2. Scope the Test Properly
Thorough penetration tests will ensure the greatest number of vulnerabilities are found. Comprehensive tests are dependent upon proper scoping. Therefore, to ensure the test is properly scoped, consider all the devices and network elements in your firm’s system. This includes active hosts, Wi-Fi-enabled hardware and applications.
Comprehensive penetration tests will also involve an external and internal scan. External penetration testing targets the network perimeter and identifies defects on the Internet-facing systems. Internal penetration tests target the internal networks used by firm team members.
3. Prioritize Risks
Once a report from the penetration test is generated, it should be used to determine which risks need to be handled immediately and which lower-risk findings can be addressed later.
4. Supplement Penetration Testing with Vulnerability Testing
The cousin of penetration testing is vulnerability testing, which involves scanning all networked devices for potential vulnerabilities. Vulnerability testing can be done automatically, more quickly, and at a lower cost. This type of test reports which vulnerabilities exist and whether anything has changed since the last test. Vulnerability testing should also be completed on a regular basis, as often as once a week. The biggest difference is that penetration testing provides a more in-depth and detailed picture of potential risks. Both tests are vital, but penetration testing offers a proactive approach to cyberattack prevention, whereas vulnerability testing is a reactive mechanism.
5. Use the Test’s Findings to Develop or Improve Incident Response Plans
After remedying the vulnerabilities discovered in the penetration test, use those findings to further protect systems and data by reviewing them against your firm’s incident response plan.
Create response policies on how your firm should manage disruption if a bad actor exploits the vulnerabilities found in the testing. Once a threat is identified, the incident response plan should have recommendations on how to contain it. The plan should include instructions on how to eliminate threats and actions the firm must take to recover, including steps on restoring systems and communicating incidents to the appropriate stakeholders.
Gulam Zade is the chief legal officer of Frontline Managed Services.
Reprinted with permission from the Wednesday, May 25th issue of the Legal Intelligencer on Law.com. © 2022 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.