'Panama Papers' - 6 Security TakeawaysEncryption, Access Controls and Network Monitoring Remain Essential
The fallout from the so-called "Panama Papers" leak continues.
So far, the leak of 11.5 million records - emails, databases, images - allegedly from Panama-based law firm Mossack Fonseca has led to difficult questions for politicians and public figures, including Russian President Vladimir Putin and the government of Pakistan. On April 5, it even triggered the resignation of Iceland Prime Minister Sigmundur David Gunnlaugsson after his name appeared in the leaked documents, tied to a previously undeclared shell company.
From an information security standpoint, however, experts say the breach highlights how one law firm apparently failed to have the right defenses in place. Essentials, security experts say, include encrypting sensitive data, using access controls as well as monitoring access patterns for signs of data exfiltration.
Here are six security takeaways from the massive data leak:
1. Law Firms: Wake Up
The Panama Papers should be a wake-up call for all law firms, says Brian Honan, who heads Dublin-based information security consultancy BH Consulting.
"All law firms should review where their critical data is located, be that on servers, laptops, phones, portable devices and even paper, to determine how best to secure it," says Honan, who's also an adviser to Europol, which is the EU's law enforcement intelligence agency. "They should look at the various security risks that are posed to the data wherever it is located and look to implement proper security controls as a result."
2. Prepare to Be Breached
The FBI has long warned law firms that they're at risk of being hacked, but it's unclear how many firms take that threat seriously. Last week, meanwhile, The Wall Street Journal reported that both Cravath Swaine and Weil Gotshal, law firms that represent Wall Street and Fortune 500 firms for everything from lawsuits to merger deals worth billions of dollars, have recently been breached.
Such breaches are a concern because the information law firms handle could be used to give an organization the upper hand in negotiation. Or it could be used for insider trading (see Feds Charge 9 with $30M Insider Trading, Hacking Scheme).
While Weil Gotshal declined to comment to the newspaper, Cravath confirmed that it had suffered a "limited breach" last summer and that the firm is "not aware that any of the information that may have been accessed has been used improperly." Both the Manhattan U.S. attorney's office and FBI have reportedly been probing the breaches since last year.
These incidents show that all organizations - not just law firms - must assume they will be breached, says Itzik Kotler, CTO of Israeli cybersecurity startup firm SafeBreach. "Hackers getting in - it's a given. They will find a way, by using social engineering or an exploit," he says. "Stopping them from getting access to a server, or taking information from a server - exfiltration - is the key here."
3. Beware Insiders
It's not yet clear when Mossack Fonseca first discovered that sensitive information had been exfiltrated. An anonymous source first approached German newspaper Süddeutsche Zeitung at the end of 2014, it says, offering to provide data. The newspaper says the leaks continued until this spring.
"All this time, [the firm] had a chance to do damage control," Kotler says, but apparently failed, despite the vast amount of information that was being stolen.
On April 1, the firm alerted clients that it was investigating "an unauthorized breach of our email server," according to a copy of the message posted by whistleblowing site WikiLeaks.
The scale of the breach has led some security experts to suggest that an insider leaked the data, given the vast quantity of data that had to be copied, as well as the timeframe. For now, however, the insider angle remains conjecture.
Meanwhile, the founding partner of Mossack Fonseca on April 5 claimed that his firm was a victim of a hack from outside the company, Reuters reports.
4. Don't Miss Breach Warning Signs
It's also not yet clear whether Mossack Fonseca's April 1 warning had anything to do with the exfiltration that allowed someone to walk away with 2.6 terabytes of corporate information.
"Similar to the Sony Entertainment breach, a huge amount of data has been compromised," Honan says (see Will Sony Settle Cyber-Attack Lawsuit?). "We are yet unclear as to how this happened. However, one would expect that if appropriate security monitoring mechanisms were in place this large exfiltration of data should have been detected earlier."
5. Cull Data
Too many organizations retain too much data, despite the security risks. "In our experience people working in office environments tend to hoard data, very often the only justification being 'in case we need it again,'" Honan says. "However, if you keep information you then have to secure it."
Otherwise, stored data becomes a target for attackers, and a liability to organizations, as last year's Ashley Madison data dump demonstrated. In that case, the online dating service retained former subscribers' data, including their email addresses and GPS coordinates (see The 2 Worst Breaches of 2015).
If firms choose to - or must - retain information in either digital or physical form, they shouldn't underestimate the challenges associated with keeping it secure, Honan says. Barring any legal, regulatory or contractual obligations, "the safest way to secure it is to destroy it in a secure manner," he says.
6. Keep Reviewing Access Permissions
For any data that an organization chooses to retain, security managers must review who has access to that information and then keep reviewing it. The goal is to keep information compartmentalized and thus lower the chance that an attacker - or malicious insider - could execute a data breach of catastrophic, or "Panama Papers," proportions.
"Companies should regularly review their access controls to see who has access to what information and whether or not that access is still relevant to peoples' roles," Honan says. "Appropriate monitoring of access to key data stores and detection of data being moved from a secure location should also be in place."