4/5/2016 09:15 PM
7 Lessons From The Panama Papers Leak

Hopefully your organization isn't hiding as many dark secrets as Mossack Fonseca, but the incident still brings helpful hints about data security, breach response, and breach impact.

Although many people are rejoicing in the Panama Papers outing of illegal and unethical activity by rich and powerful individuals and companies across the globe, information security professionals can also take the opportunity to learn a few lessons.  

The International Consortium of Investigative Journalists (ICIJ), Monday, published a report based upon a yearlong study into an enormous store of 11.5 million documents -- 2.6 TB of data, mostly emails -- leaked from Panamanian law firm Mossack Fonseca. The leaked data reveals secret information about the offshore holdings of political leaders and crime lords alike, and has exposed illegal practices used to hide wealth, disguise sources of wealth, and evade taxes. 

A separate report last week revealed that hackers have also been attacking law firms and banks in the United States, and the FBI is investigating to see if the attacks have resulted in insider trading. 

With that in mind, here are a few things all organizations, and perhaps law firms in particular, should keep in mind.

1. Know what information is most valuable -- to you, to your customers, to the public, and to attackers -- and protect it accordingly. "Valuable" is in the eye of the beholder, and the definition won't always be the same. Identify what sort of information would cause critical damage to your business if it fell into the wrong hands (legal liability, IP theft, lost customers). Then secure it in every format in which it might exist, whether that is a spreadsheet or a conversation.

"In the case of Mossack Fonseca, a key business asset would be the case files and private details of their clients," says Senior Security Consultant Zak Maples of MWR InfoSecurity. "This would be mapped to numerous key IT assets, one of which would be the E-mail server due to the large number of e-mails containing this sensitive data."

2. Monitor outgoing traffic. "Whilst there is no silver bullet in security," says Maples, "in this specific case it has been reported that 2.6TB of data was exfiltrated from the organization. Detective controls that look for large spikes in data being transferred out of the organization and other Data Loss Prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated."

Details about how the leak occurred at Mossack Fonseca remain unclear, so it is impossible to say whether this data was exfiltrated all at once in a 2.6-terabyte package that would surely raise alarms, or if it was snuck out piece by piece in small batches over a long period of time. Nevertheless, strange exfiltrations of data -- "strange" because of the size, time, number, age, or confidentiality of those data -- are something every organization should always be watching for. 
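The two exfiltration shapes described above, one oversized burst and a slow drip spread over many days, call for two different detective controls. The following is an added example, not code from the article or from MWR InfoSecurity: it assumes a flat egress log of `<timestamp> <host> <bytes_out>` per outbound session (constructed sample data), and flags a host when a single session exceeds a burst limit or when its rolling total over a window exceeds a cumulative limit.

```python
"""Egress spike detection over constructed flow-summary logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 'fileserver' drips ~900 MB a night for three nights,
# 'mailserver' pushes 2.6 TB in one go, 'workstation7' is normal traffic.
SAMPLE_LOG = """\
2016-03-01T02:00:00 workstation7 120000000
2016-03-01T03:00:00 fileserver 900000000
2016-03-02T02:10:00 workstation7 95000000
2016-03-02T03:05:00 fileserver 950000000
2016-03-03T02:00:00 workstation7 110000000
2016-03-03T03:00:00 fileserver 910000000
2016-03-04T01:30:00 mailserver 2600000000000
"""

def parse_log(text):
    """Yield (timestamp, host, bytes_out) from the assumed flat log format."""
    for line in text.splitlines():
        ts, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), host, int(nbytes)

def find_exfil_candidates(records, burst_threshold, window, drip_threshold):
    """Return {(host, reason)}: 'burst' for one oversized session,
    'drip' when the rolling sum over `window` crosses drip_threshold."""
    alerts = set()
    per_host = defaultdict(list)
    for ts, host, nbytes in records:
        if nbytes >= burst_threshold:
            alerts.add((host, "burst"))
        per_host[host].append((ts, nbytes))
    for host, sessions in per_host.items():
        sessions.sort()
        start, total = 0, 0          # sliding window over sorted sessions
        for ts, nbytes in sessions:
            total += nbytes
            while ts - sessions[start][0] > window:   # evict old sessions
                total -= sessions[start][1]
                start += 1
            if total >= drip_threshold:
                alerts.add((host, "drip"))
    return alerts

def run_sample():
    """Thresholds are assumptions: 1 TB per session, 2.5 GB per 7-day window."""
    return find_exfil_candidates(parse_log(SAMPLE_LOG),
                                 burst_threshold=10**12,
                                 window=timedelta(days=7),
                                 drip_threshold=2_500_000_000)

if __name__ == "__main__":
    for host, reason in sorted(run_sample()):
        print(f"ALERT {host}: {reason}")
```

Thresholds must come from a baseline of your own egress volumes; the sliding window is what catches the piece-by-piece case that a per-session limit alone would miss.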

3. Don't put all your eggs in one basket. A lot of secrets can be sunk into 2.6 terabytes of e-mail. Depending on the nature of your business, you might need to retain deep files on all customers and detailed records on all of your employees' conversations. So simply reducing your risk footprint by deleting the data isn't an option. However, segmenting the data, and applying different layers of security and access control to each segment could limit the damage when an attacker cracks into one asset, or a privileged insider decides to leak what they have.

Tom Patterson, chief trust officer for Unisys, says many organizations leave themselves open to similar attacks "by relying on old style networks and defenses to defend new style enterprises and attacks. Addressing the technical debt of infrastructure and security countermeasures with modern approaches like cloud, mobile, and micro segmentation are cheaper and more risk effective than dragging forward solutions from another era. It just takes strong leadership."

4. E-discovery technology can be used to divine your darkest secrets. The ICIJ and journalists from 100 media organizations dug through and researched the data in the 11.5 TB data dump for a year before publishing their report. Their analysis was aided by the same e-discovery technology often used to gather information subpoenaed for court purposes.

According to Eddie Sheehy, CEO of Nuix, the e-discovery product used by ICIJ: "This is a huge trove of data by investigative journalism standards—around 10 times the data volume and five times the number of documents of ICIJ's Offshore Leaks investigation in 2013. At the same time, this is only a medium-sized document set in the worlds of eDiscovery or regulatory investigations—some of our customers handle similar volumes of data every day."

5. Your data breach can have immediate, devastating effects on customers. Today, Sigmundur David Gunnlaugsson, Prime Minister of Iceland, stepped down from his office "for an unspecified amount of time" after he was named among Mossack Fonseca's customers following dubious practices and found to have, as Prime Minister, brokered deals between banks and claimants after the financial crisis of 2008 despite having undisclosed conflicts of interest.

The Panama Papers have unearthed information related to many political leaders and their family members -- including in Ukraine, the United Kingdom, China, and Russia -- and have caused the topic of financial regulation to be brought up again in the United States because of its conspicuous absence of significant players on the list. As one economist told the New York Times, American companies "really don't need to go to Panama" because "we have an onshore haven industry in the U.S. that is just as secretive as any."

6. Your breach could embroil you in more international privacy complications. After the brother-in-law of China's President Xi Jinping and other members of the Chinese elite were discovered among Mossack Fonseca's customer list, the Great Firewall of China apparently set to work trying to contain the public relations damage. Posts on social networks WeChat and Sina Weibo about the topic have begun to be deleted. Most organizations' end users and customer base will not be able to squash their exposed secrets with such powerful tools at their disposal. However, they may at least have privacy laws on their side that you may have fallen afoul of.

7. If you're going to destroy evidence, don't forget to destroy the evidence of you destroying that evidence. According to the ICIJ, Mossack Fonseca actively destroyed information that would implicate it in a U.S. Justice Department investigation of its Nevada office. However, some of its plans to destroy the information survived in email exchanges, which were subsequently leaked. ICIJ writes:

One email from 2014, for instance, instructs that any link between Mossack Fonseca’s central computing system in Panama and the Nevada office “has to be obscure to the investigators.” Other emails report that IT operatives working via remote control from Panama “tried to clean the logs of the PC’s in the Nevada office” and planned to run a “remote session to eliminate the traces of direct access to our CIS” — the firm’s computer information system.

We provide this last piece of advice with tongues firmly in cheek.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
honey143, User Rank: Apprentice
5/26/2016 | 2:34:12 AM
greetings!!
Nice post

Bronchae, User Rank: Apprentice
4/8/2016 | 6:00:19 PM
More Liability for Data Breaches
If there is an increase in the liability for damages resulting from data breaches, companies would be more circumspect about data security. I realize getting legislation passed would be difficult and that there would be financial pain in the early days, but as President Kennedy said about going to the moon: "We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;"

It is time to take on the challenge of truly improving data security and personal privacy protection.

Whoopty, User Rank: Ninja
4/6/2016 | 8:05:25 AM
Hypocrisy vs lack of understanding
The most amazing part of all of this, is that if this information had been encrypted, using standards that politicians have been attacking and privacy campaigners have been championing, this sort of information may never have come to light. 

The fact that the UK's Prime Minister is now calling his involvement a "private matter," shows that either these politicians don't understand what they're saying when they try to ban private communications and encryption, or that they just think privacy should apply to them.

Either way, they shouldn't be in positions of affecting policy related to it.