Are your eDiscovery vendors secure? Great questions to ask ESI Records Custodian

There are many security issues relating to vulnerabilities in hardware firmware that now require a strict approach to handling ESI (Electronically Stored Information) belonging to clients and third parties.  Just last week, LegalTech News published an article detailing claims that Verizon is allegedly liable for ESI leaked by one of Verizon’s vendors.  If this holds true, law firms can’t simply pass data breach liability to eDiscovery and computer forensics vendors through rigorously written contracts.  Law firms need to determine their own risk and the risk of the vendors they entrust as custodians of their client-related ESI; otherwise they may end up in the same situation Verizon now faces as a result of its vendor’s data breach.  Should any eDiscovery, computer forensics, or other third-party vendor to a law firm experience a data breach that leads to dissemination of confidential information, trade secrets and other protected ESI, the law firm may find itself liable for the security breach and related damages.

Early on, my past Computer Forensics firm took proactive actions to aggressively secure client data, including implementation of many of the following current recommendations that I am now suggesting law firms require of their third-party vendors handling ESI:

  • Only using encrypted hard drives to transport client production sets
  • Isolating processing machines handling ESI from the Internet to protect client data from the potential of exfiltration due to malware infections
  • Migrating all client data to dedicated, encrypted external hard disk media so that it stays segregated and protected from access while physically locked up offline or in transit
  • Using hardware-based write blockers when acquiring original evidence media, to ensure the integrity of the collected ESI and to protect against on-board hardware vulnerabilities that could override software-based write blocking and alter the original evidence
  • Ensuring that processing machines are fully patched (firmware and software) and that Internet access is severed except when necessary to apply software updates
  • Removing or physically disabling unnecessary hardware components on collection equipment, such as Bluetooth, WiFi, infrared-capable peripherals, sound cards and other near-field-communication-capable hardware (not relying solely on the computer’s control panel settings) [more on this here]
  • Using brand new, corded (not wireless) mice and keyboards that have never been shared with other computers for processing machines (ideally pre-2005 models that use the old PS/2 ports and lack the on-board firmware storage found in USB mice and keyboards)
  • Deploying Splunk (as a syslog server) to collect log files from key ingress and egress firewalls and servers, in order to have insight into local traffic in and out to the Internet
  • Implementing a strong Extended Validation (EV) certificate issued by a reputable third-party Certificate Authority to secure public-facing web servers
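Two of the practices above, keeping processing machines off the Internet except during patching and collecting firewall logs on a syslog server, only pay off if someone actually looks at the egress side of those logs. The script below is an added example, not code from the original post or from any vendor: it scans constructed firewall log lines for any traffic leaving a set of hypothetical processing-workstation addresses, and treats even a denied outbound attempt from an "offline" machine as an alert. The log format, addresses and the update-server exception are all assumptions made up for the example.

```python
"""Egress check for isolated forensic processing machines.

Added example, not from the original post. The processing workstations are
supposed to be off the Internet except during a patch window, so every log
line showing one of them reaching outward is worth an alert. The log format,
addresses and host names below are constructed for this example and are not
taken from any real deployment or any particular firewall vendor's syslog.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: the isolated processing workstations (hypothetical addresses).
PROCESSING_HOSTS = {"10.10.5.21", "10.10.5.22"}
# Constructed: the only destination allowed, and only while patching.
UPDATE_SERVER = "10.10.9.5"
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Generic key=value firewall line; real syslog fields vary by vendor.
LINE_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample lines, as a syslog collector such as Splunk might receive.
SAMPLE_LOG = [
    "Mar  3 10:01:02 fw1 kernel: FORWARD src=10.10.5.21 dst=10.10.9.5 dport=443 action=allow",
    "Mar  3 10:01:05 fw1 kernel: FORWARD src=10.10.5.22 dst=203.0.113.10 dport=443 action=allow",
    "Mar  3 10:01:07 fw1 kernel: FORWARD src=10.10.7.3 dst=203.0.113.10 dport=443 action=allow",
    "Mar  3 10:01:09 fw1 kernel: FORWARD src=10.10.5.21 dst=198.51.100.7 dport=53 action=deny",
]


def is_private(addr: str) -> bool:
    """True for RFC 1918 addresses, i.e. traffic that stayed on the LAN."""
    return any(ip_address(addr) in net for net in PRIVATE_NETS)


def flag_egress(lines, patch_window: bool = False):
    """Return (src, dst, dport, action, reason) for every line in which a
    processing host talks to anything other than the update server during
    a patch window. Denied attempts are reported too: a blocked outbound
    connection from an 'offline' machine is itself a sign of trouble."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, dst = m["src"], m["dst"]
        if src not in PROCESSING_HOSTS:
            continue  # not one of the isolated machines
        if patch_window and dst == UPDATE_SERVER:
            continue  # the one sanctioned flow
        reason = "lateral traffic inside the LAN" if is_private(dst) else "Internet egress"
        findings.append((src, dst, int(m["dport"]), m["action"], reason))
    return findings


if __name__ == "__main__":
    for finding in flag_egress(SAMPLE_LOG):
        print("ALERT", *finding)
```

Run as-is it reports three of the four sample lines: the update-server connection (because no patch window is in effect), the allowed connection to an outside address, and the denied DNS attempt; the fourth line comes from a host that is not a processing machine and is ignored.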

For anyone considering hiring an eDiscovery or Computer Forensics vendor, here are some questions you might want to ask to better understand the risk of exposure of your data to unauthorized parties.  This list might also be relevant for 30(b)(6) interrogatories, or for potential inclusion as deposition questions posed to the ESI records custodian or consultant who conducted the ESI collection, search and production.

Important Questions to Ask Regarding the Handling of ESI Productions:

  1. Storage Media: Will any of my ESI be stored on encrypted media that, after a power loss, cannot be accessed without a strong (14-character-plus) decryption passcode?
  2. Cloud Storage: Will any of my ESI be stored in the cloud and if so, what type of data?  Does access to data in the cloud require a second factor of authentication?  If so, what type of second factor?
  3. Hardware & Peripherals: What peripherals, if any, will be attached to my original evidence while it is subjected to forensic imaging or collection? Monitor? Keyboard? Mouse?  External storage devices?
    1. Do any of those peripherals implement strong firmware validation (SHA-256 or stronger) to ensure that the devices’ drivers and firmware have not been tampered with?
    2. Are the external storage devices reused?  If so, what steps are taken to ensure they are clean and running the manufacturer’s current and valid firmware?
    3. Have you stored offline hard-copy documentation of the baseline hash values for your equipment’s firmware and software, so that you can verify the base computer examination equipment is secure and matches the last standard trusted build?
    4. When a forensic search is being conducted against original evidence, is the workstation processing the search reset to a baseline image?  (Given recently disclosed hardware and software vulnerabilities, not restoring to the last documented baseline virtual machine or baseline image requires some level of validation of the examination station to ensure the system has not been tampered with; tampering could taint the resulting production sets, leading to false negatives and overlooked smoking guns!)
    5. What level of validation takes place against the forensic workstation conducting the search to ensure that only trusted software exists on the processing workstation at the beginning of the examination?
    6. Does the company store tamper-proof, read-only versions of its processing machine image builds offline with hash verification values, so that any restoration of a processing machine to the baseline image build can be verified as authentic?  Is that information available for review and inspection?
  4. Cell Phones: What steps are taken to secure cell phones against remote tampering or wiping while being booted up so that the device can be acquired?  (A Faraday RF blocking cage or bag is a must in today’s vulnerability threat environment!)
  5. WiFi: Does the organization utilize WiFi within its office?  If so, are any of the recently leaked vulnerable WiFi routers in use at the organization?  What are the specific WiFi router makes and models in use at your firm, and what is the current firmware build date and version deployed by the vendor?  What encryption cipher does the WiFi router use to protect clients’ connections to the router, access to resources on the local network, and onward access to the Internet?  Do any computers that use WiFi ever hold copies of project-related ESI and if so, under what circumstances?
  6. Remote Access:  Are technical staff able to remote in from home to check work in process?  If so, how?  What software and what security configurations are used to secure the connection?  What steps are taken to lock down access to forensic processing stations to ensure they can’t be connected to by unauthorized parties?  Is a second factor of authentication required beyond a simple username and password?  Does the second factor of authentication expire every minute or less, and is it unique to a device carried by the authorized user?
  7. FIPS 140-2 Compliance:  Does the vendor store all ESI while in processing or in transit on FIPS 140-2 Level 4 compliant media?  (Level 4 provides the highest level of security and protection against physical tampering with the cryptographic module, keeping the data safe.)
  8. Document Review Hosting: Does the vendor offer remote access to the ESI data for review or transfer over the Internet?
    1. What type of encryption algorithms are used to protect the data while in transit?  If the vendor is using 3DES, SHA1 or MD5, then the level of encryption is too weak by today’s standards.
    2. Has the vendor secured its Internet domain associated with any VPN, email, FTP or web server effectively against current threats, including MITM (Man-in-the-Middle) attacks, by properly implementing DNSSEC and other DNS security measures?  If not, the vendor may be compromised already or could be a target for future attackers wanting to obtain your or your client’s ESI.  Does the vendor’s online portal URL, e.g. ediscoveryreview.leeneubecker.com, report any vulnerabilities on any of the following free vulnerability search tools?
      1. Try this on my domain with Verisign’s tool at http://dnsviz.net/d/ediscoveryreview.leeneubecker.com/dnssec/ — if you see any insecurities noted, such as those I reported involving the recently data breached parliament.uk, there may be a problem!
      2. Now try again but replace ediscoveryreview.leeneubecker.com in the prior URL with your vendor’s remote access web portal URL.
      3. Check out what Qualys’ SSLLabs.com domain testing tool says about the strength of the encryption ciphers being used by your vendor, to ensure they are not using exploitable cipher suites such as 3DES and others.  If they don’t have an A, that means your ESI is at high risk of attack.  3DES has been determined to be exploitable after a couple of days of targeting a victim.  I still have it as a usable cipher on my blog in order to improve the accessibility of my content to older web browsers, but would not want that deployed as a usable cipher suite on my eDiscovery ESI document review platform, since 3DES is now known to be exploitable by today’s consumer grade computers. I have no client ESI on my website, so I have chosen to allow 3DES cipher suite connections to my blog in order to maximize the number of readers that may access my blog.
      4. https://www.ssllabs.com/ssltest/analyze.html?d=leeneubecker.com&latest shows I have an A on the overall security of my https implementation.  Please repeat this test but swap in your vendor’s domain name to see if they are properly securing Internet content transferred via their domain name.  I encourage you to broadly test any domains you are concerned about and send relevant parties a link to this post!
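Questions 3.3 and 3.6 above ask the vendor for offline hash documentation of the trusted build and for a way to prove that a processing machine restored from a baseline image is authentic. The following is an added example, not code from the original post or from any forensics vendor, of the minimum machinery behind such an answer: a SHA-256 manifest over every file in a build tree, a single digest of that manifest that fits on a printed page kept offline, and a verification pass that reports modified, missing and unexpected files. The build tree it checks is a throwaway directory constructed inside the script; the file names in it are hypothetical.

```python
"""Baseline manifest for a trusted processing-machine build.

Added example, not from the original post. build_manifest() hashes every
file under a build root; manifest_digest() reduces the manifest to one
SHA-256 value that can be printed and stored offline; verify_manifest()
compares the current state of a restored machine against the stored
manifest. demo() constructs a toy build tree so the whole flow runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash files in 1 MiB pieces so large images do not need to fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file below root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """One value for the printed, offline record: SHA-256 of the canonical JSON."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the live tree to the stored manifest and classify every difference."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Round trip on a constructed build tree: clean check, then a tampered one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "imager").write_bytes(b"trusted imaging tool v1")   # hypothetical file
        (root / "firmware.bin").write_bytes(b"\x00" * 64)                    # hypothetical file
        baseline = build_manifest(root)
        digest = manifest_digest(baseline)  # this is the value to keep on paper, offline
        clean = verify_manifest(root, baseline)
        # Simulate a restored machine that no longer matches the trusted build.
        (root / "bin" / "imager").write_bytes(b"trusted imaging tool v1 + unexpected change")
        (root / "unexpected.bin").write_bytes(b"x")
        tampered = verify_manifest(root, baseline)
        return digest, clean, tampered


if __name__ == "__main__":
    digest, clean, tampered = demo()
    print("manifest digest (store offline):", digest)
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

The point of the separate manifest digest is that a single 64-character value is practical to keep in a locked cabinet and to read out in a deposition, while the full per-file manifest stays on read-only media next to the image; recomputing the digest from that manifest and comparing it to the printed copy is what makes the manifest itself trustworthy.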
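The cipher suite questions above (3DES, SHA1 and MD5 too weak; an SSL Labs grade below A a red flag) come down to two checks a vendor can demonstrate. This added example, which is not code from the original post, from Qualys or from any vendor, does both offline: it grades a constructed list of cipher suite names, in the form a scan report lists them, against exactly the criteria the post names (plus the related RC4, NULL, export and anonymous suites), and it builds a server-side Python `ssl` context whose negotiated suites contain none of them. The suite names in `SAMPLE_REPORT` are constructed, not taken from any real scan.

```python
"""Cipher suite hygiene for a document review portal.

Added example, not from the original post. weak_reasons() applies the
criteria the post lists (3DES, SHA-1, MD5) together with the closely
related RC4, NULL, export-grade and anonymous suites; hardened_context()
shows a TLS server configuration that excludes all of them and is checked
by the same function. Names are accepted in both IANA (TLS_..._SHA) and
OpenSSL (ECDHE-RSA-...-SHA) spelling.
"""
import ssl

# Constructed sample, in the shape a scan report would list offered suites.
SAMPLE_REPORT = [
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3 AEAD: fine
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # TLS 1.2 AEAD with forward secrecy: fine
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # SHA-1 HMAC
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",           # 3DES and SHA-1
    "TLS_RSA_WITH_RC4_128_MD5",                # RC4 and MD5
]


def weak_reasons(suite: str) -> list:
    """Return the reasons a suite fails the post's standard; empty list means acceptable."""
    n = suite.upper()
    reasons = []
    if "DES" in n:                       # DES-CBC3 / 3DES_EDE and single DES
        reasons.append("DES/3DES")
    if "RC4" in n:
        reasons.append("RC4")
    if "MD5" in n:
        reasons.append("MD5")
    if "NULL" in n:                      # no encryption or no MAC
        reasons.append("NULL")
    if "EXP" in n:                       # EXPORT / EXP- 40- and 56-bit suites
        reasons.append("export grade")
    if "ADH" in n or "AECDH" in n or "ANON" in n:
        reasons.append("anonymous (no server authentication)")
    # A trailing -SHA / _SHA means an HMAC-SHA1 suite; SHA256/SHA384 do not match.
    if n.endswith("-SHA") or n.endswith("_SHA") or "SHA1" in n:
        reasons.append("SHA-1 MAC")
    return reasons


def weak_suites(suites) -> dict:
    """Map each failing suite name to its reasons."""
    return {s: weak_reasons(s) for s in suites if weak_reasons(s)}


def hardened_context() -> ssl.SSLContext:
    """A server context restricted to TLS 1.2+ AEAD suites with forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE/DHE key exchange, AES-GCM or ChaCha20 only,
    # and explicit exclusions of the suites the post calls out.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4")
    return ctx


def offered_suite_names(ctx: ssl.SSLContext) -> list:
    """The suite names this context would actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, why in weak_suites(SAMPLE_REPORT).items():
        print(f"FAIL {suite}: {', '.join(why)}")
    names = offered_suite_names(hardened_context())
    print(f"hardened context offers {len(names)} suites, weak: {weak_suites(names)}")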

These are just a few areas that should be of concern to any party being asked to hand over their sensitive ESI to a third party attorney, cloud hosting provider, computer forensics or eDiscovery firm.

If you found this article useful, please click the share buttons below to post it to your various social media accounts, or email it to your friends directly.

Thanks for reading and sharing!
