...

Users and administrators of other legal software packages may be surprised by the amount of time and effort Wise Owl Legal has put into security. However, we believe the integrity and secrecy of the data stored within Wise Owl Legal Appliances is of paramount importance. There have been a number of high profile devices and websites compromised and sensitive data disclosed in the past few years, including personal details (with credit card numbers), passwords, public infrastructure (think power plants or heavy industry), media (US media companies have been experiencing attacks from Chinese government agencies) and the (in)famous WikiLeaks. We do not want Wise Owl Legal to be added to this list, nor your clients' legal history to be found for sale on the black market.

Malicious attackers are cunning, incredibly patient and may be highly funded. They are interested in a variety of data typically stored in Wise Owl Legal Appliances such as personal contact details, personal history contained in matters and documents, passwords and financial records. This information can be traded in underground black markets, or may simply be posted publicly as a kind of trophy or badge among other hackers. Given enough time, resources and sufficient motivation (which may not always be strictly financial), a malicious hacker stands a real possibility of stealing data from a Wise Owl Legal Appliance.

Humans are notoriously bad at keeping secrets, choosing appropriate passwords and not opening obviously dodgy emails. The human factor is one of the most common ways passwords are stolen these days (using emails and websites designed to look legitimate, but which are actually run by hackers). Once an attacker knows a password, they can access a user's account and take whatever that user has access to.

Finally, there is the tried and true approach of break-and-enter. A Wise Owl Legal Appliance is small, easily transportable, and could easily be stolen by a malicious attacker if they thought it brought enough benefit.

Wise Owl Legal has taken steps in all the above areas to prevent data being stolen.

We also use a layered approach, wherever possible, to mitigate the scope of data which may be stolen if one layer is broken. For example, if a user's password is guessed, the attacker will only have access to some of the data on the Appliance.

Online vs. Offline Appliances

Appliances are configured in either Online or Offline mode. When in Offline mode, the Appliance is only accessible from a local network (usually your office) and denies access to any attempt to connect from the Internet. Online mode allows connections from any Internet address, but must implement stricter login policies.

...

Offline appliances simply reject any login attempts from outside your network (technically, they reject any network connection at all). However, this is not particularly convenient when you are at a client's premises or in a courtroom. Online access allows full access to Wise Owl Legal from anywhere on the Internet. To reduce the possibility of a malicious hacker gaining access, the following procedures are implemented:

...

It also ensures that the Appliance you're connecting to really is the correct one. This protects you against hackers who set up 3rd party sites which look like Wise Owl Legal, but are actually stealing your password.

...

Wise Owl Legal configures every Appliance with unique, strong administrator passwords during initial configuration (unlike many appliance-like devices on the Internet). Remote support accounts must obey the same strict security rules that any other user working outside the office must obey. The underlying operating system follows established best practices and has a unique, strong admin password. There are no open back doors for attackers to enter by.

...

Passwords are stored in a form (a one-way hash) which cannot be read unless you know the password itself. Additionally, to make discovery more difficult if an attacker were to gain access to the hashed passwords, Appliances apply the hashing routine many thousands of times. Technically, Appliances use the PBKDF2 SHA1 hash algorithm with a minimum of 5000 iterations (more on higher end Appliances).
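The following is an added example, not code from Wise Owl Legal, showing how salted PBKDF2-HMAC-SHA1 password storage of the kind described above works: a per-password random salt, the iteration count stored alongside the hash so that higher end Appliances can use more iterations, a constant-time comparison on verification, and a check that flags old hashes for re-hashing when the minimum is raised. The 16-byte salt, the "$"-separated storage format and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# The page states PBKDF2 with SHA1 and a minimum of 5000 iterations. The salt size,
# the "$"-separated storage format and the rehash helper are assumptions made for
# this example, not the Appliance's actual on-disk format.
MIN_ITERATIONS = 5000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 20  # SHA1 digest length


def hash_password(password, iterations=MIN_ITERATIONS, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA1 hash and encode it together with its parameters."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below the configured minimum")
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  iterations, dklen=DERIVED_KEY_BYTES)
    return "$".join([
        "pbkdf2-sha1",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def _parse(stored):
    """Split a stored record into (iterations, salt, derived_key)."""
    algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    if algorithm != "pbkdf2-sha1":
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(derived_b64)


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, target_iterations):
    """True when a stored hash uses fewer iterations than the Appliance now requires."""
    iterations, _, _ = _parse(stored)
    return iterations < target_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("needs rehash at 10000:", needs_rehash(record, 10000))
```

Storing the iteration count with each record is what lets the minimum be raised later: on a successful login, `needs_rehash` tells the application to re-hash the password it has just verified with the new count. `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched.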

...

Poorly chosen passwords are the number one cause of accounts being compromised (with re-using passwords between multiple accounts a close second). Rather than imposing complicated rules of upper case, lower case, numbers, length and so forth, we maintain a large list of blacklisted passwords (there are several million bad passwords on the list). This list is derived from a variety of sources including dictionaries and lists of names, but most importantly, we include long lists of leaked passwords from sites such as LinkedIn and RockYou. Finally, we use the same tools password crackers do to verify that passwords are not easily guessable.

How to make a strong password
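As an added example (not Wise Owl Legal's code), here is a blacklist check of the kind described above. The few sample entries stand in for a list of millions loaded from a file, and the normalisation rules (case folding, stripping trailing digits and punctuation, undoing common "leet" substitutions) are assumptions about how such a check might catch trivial variants of a blacklisted word; the Appliance's actual rules are not documented on the page.

```python
import unicodedata

# Constructed sample of a password blacklist. The real list described on the page
# holds several million entries drawn from dictionaries, name lists and leaked
# password dumps; these entries and the normalisation rules are illustrative only.
SAMPLE_BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "sydney", "smith"}

# Common character substitutions users apply to a weak base word.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})
# Trailing characters commonly appended to a weak base word ("password1!").
_TRAILING = "0123456789!@#$%^&*.-_?"


def load_blacklist(lines):
    """Build a blacklist set from an iterable of lines (one password per line, '#' comments allowed)."""
    entries = set()
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        entries.add(unicodedata.normalize("NFKC", entry).casefold())
    return entries


def candidate_forms(password):
    """Return the normalised forms of a password that are compared against the blacklist."""
    folded = unicodedata.normalize("NFKC", password).casefold().strip()
    stripped = folded.rstrip(_TRAILING)
    forms = {folded, stripped, stripped.translate(_LEET)}
    forms.discard("")  # an all-digit password strips to nothing; keep only real forms
    return forms


def is_blacklisted(password, blacklist=SAMPLE_BLACKLIST):
    """True if the password, or an obvious variant of it, appears on the blacklist."""
    return any(form in blacklist for form in candidate_forms(password))


if __name__ == "__main__":
    for candidate in ["Password123!", "P@ssw0rd", "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: blacklisted={is_blacklisted(candidate)}")
```

Checking the normalised forms rather than the literal string is what makes a blacklist useful against the variants people actually type; without it "Password1!" would pass while "password" fails. The real list is large enough that it should be loaded once at start-up (a set gives constant-time membership tests), not re-read on every login.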

...

In addition, Wise Owl Legal Appliances use SQL query parameterisation to prevent one of the most common ways to access sensitive data: SQL injection. SQL injection is how most high profile data disclosure incidents have occurred. Also, no connections to the SQL database are permitted from outside the Appliance.
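The difference between a string-built query and a parameterised one, as an added example that is not part of Wise Owl Legal's code. It uses Python's standard `sqlite3` module with a constructed in-memory contacts table (the names, addresses and owner labels are made up). A legitimate name containing an apostrophe is enough to break the string-built version, while the parameterised version passes every input as data and never as SQL text.

```python
import sqlite3

# Constructed in-memory contacts table; names and addresses are made up for this example.
SAMPLE_CONTACTS = [
    ("Pat O'Brien", "pat@example.com", "alice"),
    ("Sam Nguyen", "sam@example.com", "alice"),
    ("Lee Smith", "lee@example.com", "bob"),
]


def make_demo_db():
    """Create and populate the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, owner TEXT)")
    conn.executemany("INSERT INTO contacts (name, email, owner) VALUES (?, ?, ?)",
                     SAMPLE_CONTACTS)
    return conn


def find_contact_unsafe(conn, owner, name):
    """String-built query: user input becomes part of the SQL grammar (shown only as the 'before')."""
    sql = f"SELECT name, email FROM contacts WHERE owner = '{owner}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def find_contact_safe(conn, owner, name):
    """Parameterised query: the driver binds both values as data, never as SQL text."""
    sql = "SELECT name, email FROM contacts WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


def run_demo():
    """Compare both versions on a legitimate name containing an apostrophe."""
    conn = make_demo_db()
    results = {"safe": find_contact_safe(conn, "alice", "Pat O'Brien")}
    try:
        results["unsafe"] = find_contact_unsafe(conn, "alice", "Pat O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe in the data terminated the SQL string literal early.
        results["unsafe"] = f"error: {exc}"
    # Quoting characters in the input are compared literally by the safe version,
    # so a value that is not exactly a stored name simply matches nothing.
    results["safe_literal"] = find_contact_safe(conn, "alice", "Pat O'Brien'")
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```

The syntax error is the friendly failure mode; the same mechanism is what lets crafted input rewrite the query in an injectable application. Binding parameters removes the problem at its root rather than relying on escaping, and the page's second measure (no database connections from outside the Appliance) is the layered defence that limits what an attacker could reach even if a query were ever built unsafely.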

...