Outsourcing as a Competitive Business Advantage

Legal firms, whose core business is not IT, can benefit tremendously from outsourced IT & security services. Advanced outsourcing provides access to service features normally reserved for only the largest companies, such as structured IT program management, ultra-high availability, encryption, and global presence, at a fraction of the cost of maintaining such technologies in-house. For the majority of law firms, in-house IT is financially disadvantageous, and the lack of high-end features is a business disadvantage and increases risk. Outsourcing increases performance, reduces risk, and decreases associated costs, enabling any firm to benefit from advanced services and features.

Partnering with a provider who works intimately with the legal industry and understands the needs of a firm equates to better service levels and more productive time with less frustration. A partner that provides a standard platform and services for all its clients provides the most cost-effective solutions in a tried and tested format. An outsourcing partner with advanced management services, such as a systems architect, a security architect, and IT program management, can ease the burden on the client firm, improve operations, and spread the cost over the entire client base, so clients only pay for what they get, minimizing overhead.

And with security lapses showing up in the headlines on a near-daily basis, everyone can benefit from high quality security management, but even large firms can’t afford to keep an information security expert on staff. It works to everyone’s benefit to spread the load for exceptional personnel.

Finally, use of large scale dynamic infrastructure permits fast adaptation of new features without the cost and problems of “forklift” upgrades. Your outsourcing partner can and should handle all the details of the entire infrastructure, from integration with mobile devices to fault tolerant business continuity services, securely.  In the best of all worlds, you don’t even think about the technology any more, so you can focus on litigation.


Security is the biggest concern after basic operations. But all too often, smaller firms are unable to maintain an adequate level of security, which can result in information leaks, loss of data, or lack of availability. A single computer virus can wreak havoc on a law firm’s data repository, taking a terrible toll. Only after the breach does the organization realize they have a problem, and any repairs made in haste typically only last until the next crisis, and the cycle repeats. To make matters worse, any sudden attempt to improve matters without adequate understanding of the overall IT concerns wastes money. Outsourcing is an appealing alternative because organizations gain the benefit of very experienced staff and insights at a reasonable cost, avoiding missteps or emergency measures.


Encryption is still new on most firms’ radar, and the technologies are varied and not without risk. There’s a reason why encryption was considered a munition by the government with real export restrictions. Encrypting something completely prevents anyone without the key from reading the information. This makes it a great privacy tool, until someone forgets the password. Then the data is effectively destroyed, and that is a serious problem. Having access to personnel and a proven encryption architecture along with contingency plans for failures is the only way to effectively and safely manage your firm’s information assets and reduce risk. More than any other technology component, encryption must be properly managed or the entire data set of the firm is at risk.


Outsourcing services, particularly computer intensive services and personnel, can greatly enhance a firm’s bottom line and ability to adapt and grow. While IT shops frequently plan for future growth, they cannot anticipate industry shifts. An outsourced function can capitalize on the dynamic posture and rapidly adapt. That being said, many internal projects can suffer from misaligned scale planning, but with outsourced services, that challenge is overcome with simple changes to allocations. Finally, outsourced services and assets can be rapidly scaled and migrated to new technology, something that cannot be done with internal assets, and is particularly useful when offices, temporary or otherwise, need to be stood up rapidly and then torn down when a job is complete.


Outsourcing improves reliability and availability. The use of high quality assets and professional grade architectures provides uptime levels that simply aren’t feasible for an organization operating a service internally. Law firms are not 9-to-5 operations, and we all work nights, weekends, and holidays, from home and on vacation.  Partners expect IT services to be available all the time, every day.

Simple Efficiencies

Outsourced IT services provide firms the opportunity to focus exclusively on core business needs and not get distracted by IT problems and personnel issues. By outsourcing commodity services to providers, Partners can focus their own teams on delivering value directly related to the practice.


Using the best assets and resources available, a firm reduces the risk that an accident or intentional incident will occur. Further, and specific to law firms, there are distinct liability advantages to using a third party to manage information assets. Outsourcing reduces risk and creates advantages that are unobtainable through internal IT programs.

Liticode has worked with legal partners for more than 30 years, helping them provide the best technology experience possible.  From basic computer operations to large scale network infrastructure, including forensic technology and experts, we help make your firm more successful. We work in the industry, and we understand your needs better than anyone else.

SSDs should come with a warning label.

We’ve been working with more and more SSDs lately: solid state disks, also referred to as M.2 disks, although M.2 is actually the standardized shape of the circuit board and not the drive, with most older SSDs being strange custom layouts with USB3 and SATA connectors.

Enough about layout and names, let’s get to the important parts.

Nearly all current-generation SSDs are internally encrypted. This has great relevance for forensics, because if the drive is not fully operational, you might not be able to retrieve any data from it. We recently had a case where the controller chip on the disk was damaged and, even though the storage chips were intact, no data could be retrieved. A total loss in a big legal case is no bueno. Hard drives didn’t have that problem, because they weren’t internally encrypted. What we mean by that is the keys are stored in the circuits; they are not input by the user, so there is no optional way to turn it off, and why would you? You have backups, right?

So here are three drives, all physically damaged by the same wrong belief, that SATA drives are hot swappable. SATA drives are only hot swappable if they are explicitly designed that way. These disks were all hot swapped by the user, with the inevitable *poof* when the magic smoke gets released from the board.

[Photos: burned board 1; board 1 visibly burned; board 1 burn closeup]

Both of these drives displayed visibly burned components and are POTENTIALLY recoverable, because it does not appear that the controller or storage chips are damaged.  Plus they are old enough they likely are not encrypted anyway.  So we’ll need to physically destroy the chips before disposing of them.

This third drive displays no physical burns, but is also not functional.

[Photo: drive 3, no visible damage]

It will also need to be physically destroyed, to ensure confidentiality of client information.  It’s also a terrible picture.  Sorry about that.

Note that unlike hard disks, working with the guts of an SSD is best left to qualified electronic technicians, as one tiny spark across those teeny-tiny components, which is an incredibly easy mistake to make, can destroy the entire drive.

One bit of humor in all this destruction: the tamper-evident label on one of the drives accomplishes nothing other than determining if you peeled off the label.

[Photo: tamper proof nothing?]

We check for screws under labels using a different strategy, so we thought this was funny. Lab geek humor is very dry. We have to add humidity to prevent static discharge in the break room.

Based on other cases involving damaged disks we STRONGLY recommend clients always use a qualified technical forensic lab to handle evidence.  We’ve had 3 cases in recent memory where the client sent it to their local IT support company first before sending it to us, and we have no way of knowing where the fatal damage occurred.  Which can be problematic when discussing spoliation of evidence.  Please call us instead of your local techs.

Liticode is an Authorized OnTrack Data Recovery Partner

We’ve been an authorized partner for years, and there’s nobody we’d recommend more highly for corrupt media data recovery.  Let Liticode coordinate your recovery effort, or request service directly using the link below.  When you let Liticode act as your coordinator, you get analysis assistance, backup copies, and assistance with filtering the results.  Recovery generates a lot of files, and by combining recovery results with forensic search capabilities, we can help clients with special recovery needs locate the information they seek.

OnTrack is the world leader in data recovery, and their process and success rate are second to none. We wouldn’t partner with them if they weren’t the best.

Trust Ontrack to recover your data

An Expose on the VA and Vendor Certification Fiasco

We’re a veteran-owned business. It’s really easy to determine that, because the owner is a veteran with a DD-214 honorable discharge document and he’s the 100% owner of the business. So getting certified as a veteran-owned business should be simple, right? No. Of course not. It’s the government. Who, in their wisdom, decided to hand off responsibility for veteran verification to the VA, that bastion of bureaucratic integrity and competence we all know from the news articles about them over the decades. What should have been a simple thing has mutated into a 40-hour nightmare of paperwork and back and forth, with invasive requests for documentation, records the VA has no reasonable entitlement to, and the use of subcontracted services providing no recourse to the applicant for any nonsense that may be inflicted on the veteran. This has now cost the firm $10,000 in soft money. Soft money, and hard money, really. Some of it has been nights and weekends, but some of it has been business hours and definitely counts as lost client billable time. So we’ve decided to expose this little waste of taxpayer money for what it is, another fleecing of America by the faceless bureaucracy of the Federal government. We’re going to drill down into it until we hit bedrock and can name names and point fingers. Because if they’re going to cost us ten grand, we’re going to get some marketing material out of it and maybe some justice for those still swimming upstream against their petty bureaucratic garbage. Stay tuned for more details.

Drafting Policies for Fun

Not many people think writing policy is fun. Or procedures. Or standards. Or any documentation, really. But policy and documentation can be fun, and more importantly, if done well, contributes directly to the security and safety of the organization, so it’s worth spending time on.

OK, but how can it possibly be fun? Because when you understand what you’re building, how it is like a set of block-like toys that click together to create a structure capable of supporting an entire company, then it’s more like a puzzle. And if you don’t like puzzles, anything around the legal industry is probably not for you, and you should get someone else to do it for you. Like Liticode *cough*.

Policy, and all documentation, really, is a support structure. And just like any support structure, it requires engineering. Wordsmithing, not metalsmithing, but still, a craft that requires study. If you throw something together without adequate understanding and skill, you end up with more problems than before you made the policy. Like a bad bridge, it will collapse at the worst possible time, probably taking careers with it.

A more visually correct representation is a house of cards, because we’re dealing with documents, and most of them are flimsy things that collapse under the faintest pressure.  But we’re going to fix that problem by building using better cards.  Cards made of reinforced concrete and steel, architected not cobbled together.

Policy is the roof. Why not the foundation? Because policy is the first line of defense. It’s what takes the first hits when you’re under attack by hostile lawyers or other nefarious entities, including your own personnel who just want to do things differently. Policy is the shield from stuff falling on the business.

The walls are the procedures and standards that support the policy. Can’t have a policy without process and standards, or it’s a useless policy. For example, if you have a policy that says no personal use of company assets, but you don’t have a process to detect it, or a standard of configuration for the business computers being used, your policy is going to be impossible to support.

So what’s the foundation? That is your charters, bylaws, explanatory documentation, authorities, and anything else that doesn’t count as part of the superstructure. A simplistic example is the criminal laws against theft. They aren’t part of your policy or your procedures, but they provide the cause that your HR termination policy uses to support a dismissal. You rely on them, just like you rely on manufacturer’s documentation, government standards, industry standards, and job descriptions, to direct the business.

So, just like building a complex house of cards, your policy in one area might be the foundation in another layer. The procedures of one layer are the foundation of another. The point to internalize being that all these documents are a) tangible, meaning they exist and you can put your hands on them to produce in court, and b) fit together like a puzzle, reinforcing and supporting each other, so that removing one piece in the bottom layer doesn’t cause the entire thing to collapse.  That last part is important.  They interlock and reinforce each other.

Which brings up the other fun part of the policy game. Who has ever performed a red team analysis of policy? Nobody, other than Liticode. We’re the only company that will look at your documentation and game it with our legal teams and provide you a risk analysis of your policy structure and documentation. And that’s just as important as your penetration testing of your network. The evil hackers might get your database, but the lawsuits that come after are what’s going to destroy the company and careers. We help you prepare with our policy analysis, but we want you first and foremost to have people that grasp the concept of the policy structure and how it is critical to your corporate defense.  Defense in depth includes the legal activities side.  Most (all?) risk assessments simplistically check off boxes indicating policy is present, but don’t evaluate the content.  That will get you blindsided, and we can help avoid that.

So enjoy building policy. Call us if you’re short-handed or want an additional set of eyes. Call us later if you want to test it and see if you have any unexplored risks in your structure. Our staff has the skill and experience to turn your house of cards into a fortress.

Security, Cycles, and Management

Organizations frequently have some sort of cyclical systems improvement program in place, yet when we assist with incident response,  we routinely see gaps where different departments have isolated some or all of their systems from the overall picture.

Big picture thinking and management is difficult, so it is easy for these lapses in judgement to creep in. But without a unified systems view of the organization, it is impossible to properly manage risk, and at some point that will create a problem. For example, the IT department may have air-tight policy and practices, but if HR is letting the business hire criminals, those policies won’t matter.

Every department and all business aspects are tied together. The business is a unit; it is not silos of independent compliance. That’s why we have the “unified scorecard” approach. So when we see compliance programs that assign responsibility downward, we know where to start looking for gaps. All the process improvement in the world won’t help if you don’t have a unified model and consistent performance across the business. We like to engage with clients and help them knit together a unified program so that they are better protected and fully risk aware. Nobody wants to find a blind spot hiding in plain sight. Our development of management models to provide this unified front is what helps our clients avoid surprises, so they can go about their business without needing our incident response services.

Cycles, frameworks, metrics, scorecards, visibility. These are things that keep an organization healthy and incident free. No matter which approach you take, make sure it’s unified.

If you want to stop having unmitigated incidents, call us for a free evaluation.  We want to help your business be incident free.

Enterprise Architecture

The concept of architecture, building systems in a rational manner for long term consideration with a complete picture of the landscape, is essential for enterprise clients with large investments in resources. Here at Liticode, we’ve been engaged in architecture in many business areas. We’ve engaged clients with software, security, and business architecture projects. If you could use a hand in planning for the future while competing in the present, give us a call. We provide TOGAF methodology as well as custom methodologies.


Passwords are not going anyplace, but they are getting bolt-on improvements. Things like two factor tokens and text message codes. But passwords still need to be strong enough to match the application they are used for.

You don’t need to change them every 30 or 90 days. Let’s get that out of the way. If you need to change a password that often, either you’re a spy, and there are better options, or your system is broken and needs a good consultant makeover (call us).

Passwords do need to be long and complicated. The password complexity needs to match the security requirements of your system, which is found through risk analysis. That’s a topic for another day. For now, just think in terms of how much you value what it is tied to. Money, privacy, family photos, your job. If it’s valuable to you, make a good password.

A good password is long, complex, and memorable. It contains numbers, letters, and symbols. People think symbols make it too difficult, but call it punctuation instead, and it’s much easier to work with. That last sentence contains 4 symbols. It’s also how we generally want to make passwords, out of words strung together that we can remember, with numbers and symbols.

This is 1 SUPER-STRONG Password!

That’s an example, but please don’t use it; it is now in every attack dictionary the bad guys have. And don’t use phrases from movies or songs! All the lines and all the lyrics are in all the bad guys’ dictionaries. You can’t even change it and use it, for example, saying “2 be or NOT 2 be? That is the ?” It’s in the dictionary. Seriously. Use random words.

But how long should it be?

Depends on how long it will take you to find out if someone is trying to break in. Some companies alert you to failed attempts, others don’t. If you don’t get alerts and it doesn’t have a two factor security setting, you should think twice about using it for valuable things.

If it does alert you, or there is a two factor piece, you can use a relatively short password. 20 characters or so, three words or more.

If it doesn’t alert you and you value the service, pick a long password. Six words.
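To put numbers on the three-word and six-word guidance above, here is an added example (not part of the original article) that builds a passphrase from randomly chosen words plus punctuation and a digit, and estimates its strength in bits. The function names, the separator set and the 16-word `DEMO_WORDS` list are constructed for illustration; the 7776-word figure is an assumed size for a realistic word list.

```python
import math
import secrets

# Constructed demo list (assumption): 16 words is far too few for real use.
# Load a list of several thousand words in practice, e.g. a 7776-word
# diceware-style list.
DEMO_WORDS = [
    "anchor", "bottle", "candle", "dragon", "engine", "forest", "guitar",
    "harbor", "island", "jacket", "kettle", "ladder", "magnet", "napkin",
    "orange", "pencil",
]
SEPARATORS = "!?.,-;:"        # the article's "punctuation"
WORDS_WITH_ALERTS_OR_2FA = 3  # article: "three words or more"
WORDS_WITHOUT = 6             # article: "Six words."


def entropy_bits(list_size, n_words, with_digit=True, with_separator=True):
    """Entropy in bits, assuming the attacker knows the scheme and the list."""
    bits = n_words * math.log2(list_size)
    if with_digit:
        bits += math.log2(10)
    if with_separator:
        bits += math.log2(len(SEPARATORS))
    return bits


def generate_passphrase(words, n_words, min_length=20):
    """Return (passphrase, words_used); words are drawn with a CSPRNG.

    Extra words are appended until the result reaches min_length, so short
    words cannot produce a passphrase under the article's ~20 characters.
    """
    words = sorted(w for w in set(words) if w)
    if len(words) < 2 or n_words < 1:
        raise ValueError("need at least two distinct words and n_words >= 1")
    sep = secrets.choice(SEPARATORS)      # one punctuation mark, reused
    digit = str(secrets.randbelow(10))    # one trailing digit
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    while len(sep.join(chosen)) + 2 < min_length:
        chosen.append(secrets.choice(words).capitalize())
    return sep.join(chosen) + sep + digit, len(chosen)


if __name__ == "__main__":
    for label, n in (("alerts or 2FA", WORDS_WITH_ALERTS_OR_2FA),
                     ("no alerts, no 2FA", WORDS_WITHOUT)):
        phrase, used = generate_passphrase(DEMO_WORDS, n)
        print(f"{label}: {phrase}")
        print(f"  demo list: {entropy_bits(len(DEMO_WORDS), used):.1f} bits")
        print(f"  7776-word list: {entropy_bits(7776, used):.1f} bits")
```

The estimate only holds when the words are picked at random; a phrase a person chose, such as a movie line, has far less entropy than its length suggests.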

Use a different password on every site, app, and account. Wait! It’s not hard! Because you’re also going to use LastPass.

You can do it. You kind of have to.

Now you don’t have to change your password from Sportsteam3 to Sportsteam4 next month, and the bad guys won’t steal your money.

How Liticode Helps Clients with the Yates Memo

The Yates memo, if you haven’t heard by now, is an instruction from the DoJ about holding business executives’ feet to the fire in legal matters where the business may be at fault. Liticode provides several service offerings, from Litigation Preparedness Evaluations to process auditing and litigation evidence assistance, to help clients address these issues.

The biggest takeaway for executives is that they need to know how things stand in their area of responsibility so they aren’t blindsided by litigation.

Have your in-house counsel call us for an evaluation. Before they need to call us for litigation assistance. It’s well worth the cost to ensure your house is in order, so a business problem doesn’t become a personal problem.