The irony.

  • @[email protected]
    link
    fedilink
    English
    4011 months ago

    I just spent a bit digging into that company just now. You can figure out a good portion of their software stack from their IT employee profiles on LinkedIn, btw.

    Given that their org is mainly composed of attorneys, it is probably a safe bet to say they are Governance, Risk and Compliance (GRC) top-heavy. This almost always results in security-by-spreadsheet and poor classification of risk. While I am sure their broad risks are well documented and tracked, it’s highly unlikely that real issues get the time of day because those don’t make for meetings senior managers can understand.

    In this drive for pristine paperwork, they likely have compliance reports for all of their larger customers. This generally includes all applications used, how servers are secured and how often they are patched, access control lists, detailed network diagrams and much, much more. That documentation probably also has all application and database “interface” lists, what ports they are running on and how those service accounts are maintained. Best of all, they likely have lists of “security exceptions”, or security issues that are in the process of getting fixed… Just to reiterate, this is not only for Orrik, but any of their customers they have done security reviews for.

    Without a doubt, their IT and security staff is minimal. When everything is in the cloud, it’s somebody else’s problem, amirite?

    It makes me chuckle a little to see GRC folk get taken down a few notches in organizations like these.

    • @[email protected]
      link
      fedilink
      English
      811 months ago

      I remember when I realized that the lawyers had taken over cybersecurity. It was 2018. I was in a meeting, looked around, and realized that I was the only person in the room who codes or has ever coded, and also the only person without formal certifications in security. 5 years earlier, security teams were full of people from all walks of life, who often got into security from (let’s call it) “practical” experience.

      • @[email protected]
        link
        fedilink
        English
        611 months ago

        Thankfully, that really depends on the org. I started in security before “security engineer” was a thing. It was different times, for sure. When the 2008 housing bubble popped, banks started the trend of splitting out engineering roles from the newly formed risk and governance groups. This eventually morphed into what we have today: Security engineering teams and separate GRC/Legal teams.

        I can’t hate on compliance too much through. If ran correctly, tracking and auditing networks and processes is an extremely important thing to do.

        I just learned both worlds over the years. At my age, I have the technical experience to hold my own and also the balls to push back on stupid compliance requirements to people very high up in organizations. (The trick is to not give a fuck about getting fired for speaking my mind.)

        Sorry. Went on a bit of a tangent to say “I understand you completely.” ;)

        • @[email protected]
          link
          fedilink
          English
          211 months ago

          Haha, no worries, and totally agreed. I’m finding that more and more, not only is there no security engineering team, but the legal side of security has no concept of that whatsoever. They are the security team. Security, to them, is fundamentally a compliance process, which of course involves coordinating and working with the engineering team, but it isn’t really a technical practice so much as a managerial and administrative one.

  • AutoTL;DRB
    link
    fedilink
    English
    511 months ago

    This is the best summary I could come up with:


    An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.

    Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected.

    The number of individuals known to be affected by this data breach has risen by threefold since Orrick first disclosed the incident.

    Orrick said in its most recent data breach notice that it “does not anticipate providing notifications on behalf of additional businesses,” but did not say how it came to this conclusion.

    Orrick spokesperson Jolie Goldstein said in a statement: “We regret the inconvenience and distraction that this malicious incident caused.

    “We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” added Orrick’s spokesperson.


    The original article contains 509 words, the summary contains 178 words. Saved 65%. I’m a bot and I’m open source!