4/5/2016 09:15 PM
7 Lessons From The Panama Papers Leak

Hopefully your organization isn't hiding as many dark secrets as Mossack Fonseca, but the incident still brings helpful hints about data security, breach response, and breach impact.

Although many people are rejoicing in the Panama Papers outing of illegal and unethical activity by rich and powerful individuals and companies across the globe, information security professionals can also take the opportunity to learn a few lessons.  

The International Consortium of Investigative Journalists (ICIJ), Monday, published a report based upon a yearlong study into an enormous store of 11.5 million documents -- 2.6 TB of data, mostly emails -- leaked from Panamanian law firm Mossack Fonseca. The leaked data reveals secret information about the offshore holdings of political leaders and crime lords alike, and has exposed illegal practices used to hide wealth, disguise sources of wealth, and evade taxes. 

A separate report last week revealed that hackers have also been attacking law firms and banks in the United States, and the FBI is investigating to see if the attacks have resulted in insider trading. 

With that in mind, here are a few things all organizations, and perhaps law firms in particular, should keep in mind.

1. Know what information is most valuable -- to you, to your customers, to the public, and to attackers -- and protect it accordingly. "Valuable" is in the eye of the beholder, and the definition won't always be the same. Identify what sort of information would cause critical damage to your business if it fell into the wrong hands (causing legal liability, IP theft, lost customers). Then secure it in any format in which it might exist, whether that be a spreadsheet or a conversation.

"In the case of Mossack Fonseca, a key business asset would be the case files and private details of their clients," says Senior Security Consultant Zak Maples of MWR InfoSecurity. "This would be mapped to numerous key IT assets, one of which would be the E-mail server due to the large number of e-mails containing this sensitive data."

2. Monitor outgoing traffic. "Whilst there is no silver bullet in security," says Maples, "in this specific case it has been reported that 2.6TB of data was exfiltrated from the organization. Detective controls that look for large spikes in data being transferred out of the organization and other Data Loss Prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated."

Details about how the leak occurred at Mossack Fonseca remain unclear, so it is impossible to say whether this data was exfiltrated all at once in a 2.6-terabyte package that would surely raise alarms, or if it was snuck out piece by piece in small batches over a long period of time. Nevertheless, strange exfiltrations of data -- "strange" because of the size, time, number, age, or confidentiality of those data -- are something every organization should always be watching for. 
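The detective control Maples describes, and the "piece by piece" case in the paragraph above, can both be checked with a short pass over egress logs. The example below is added here and is not code from the article, MWR InfoSecurity or any DLP product; the log format, host names, destinations and thresholds are all constructed for the illustration. It flags a single oversized transfer (a burst) and a slow drip of smaller transfers whose per-host total crosses a threshold inside a sliding 24-hour window.

```python
"""Egress-volume anomaly detection over constructed proxy/flow log lines.

Added example: implements the two conditions from the text, a large burst
out of the organization and a slow drip of small transfers over a long
period. All hosts, destinations and thresholds are made up for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source host> <destination> <bytes out>"
SAMPLE_LOG = """\
2016-03-01T09:00:00 fileserver01 mail.example.com 120000
2016-03-01T09:05:00 fileserver01 mail.example.com 90000
2016-03-01T09:10:00 workstation07 cdn.example.net 5000
2016-03-01T22:10:00 fileserver01 203.0.113.10 55000000000
2016-03-02T01:00:00 workstation07 198.51.100.5 450000000
2016-03-02T02:00:00 workstation07 198.51.100.5 450000000
2016-03-02T03:00:00 workstation07 198.51.100.5 450000000
2016-03-02T04:00:00 workstation07 198.51.100.5 450000000
2016-03-02T09:00:00 workstation07 cdn.example.net 8000
"""

BURST_THRESHOLD = 10 * 1024 ** 3      # one transfer of 10 GiB or more
DRIP_WINDOW = timedelta(hours=24)     # sliding window for the slow-drip check
DRIP_THRESHOLD = 1 * 1024 ** 3        # 1 GiB cumulative per host inside the window


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def detect_egress_anomalies(records, burst_threshold=BURST_THRESHOLD,
                            drip_window=DRIP_WINDOW, drip_threshold=DRIP_THRESHOLD):
    """Return alerts as (kind, host, timestamp, bytes) in time order.

    'burst': a single transfer at or above burst_threshold.
    'drip' : the host's cumulative outbound bytes inside drip_window reached
             drip_threshold (bursts are reported once and excluded from the sum).
    """
    alerts = []
    window = defaultdict(list)   # host -> [(timestamp, bytes), ...] inside the window
    drip_alerted = set()         # hosts already reported for a drip in this window
    for ts, src, dst, nbytes in sorted(records):
        if nbytes >= burst_threshold:
            alerts.append(("burst", src, ts, nbytes))
            continue
        w = window[src]
        w.append((ts, nbytes))
        # Expire entries older than the window before summing.
        while w and ts - w[0][0] > drip_window:
            w.pop(0)
        total = sum(b for _, b in w)
        if total >= drip_threshold and src not in drip_alerted:
            drip_alerted.add(src)
            alerts.append(("drip", src, ts, total))
    return alerts


if __name__ == "__main__":
    for kind, host, ts, nbytes in detect_egress_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:5} {host:14} {nbytes:>14,} bytes")
```

On the constructed log this reports one burst (the 55 GB transfer from fileserver01 at 22:10) and one drip (workstation07, whose 450 MB uploads cross 1 GiB on the third hourly transfer). Real thresholds should come from a per-host baseline rather than fixed constants, and the window state has to persist across log batches, otherwise a drip spread over days is reset every time the job restarts.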

3. Don't put all your eggs in one basket. A lot of secrets can be sunk into 2.6 terabytes of e-mail. Depending on the nature of your business, you might need to retain deep files on all customers and detailed records on all of your employees' conversations. So simply reducing your risk footprint by deleting the data isn't an option. However, segmenting the data, and applying different layers of security and access control to each segment could limit the damage when an attacker cracks into one asset, or a privileged insider decides to leak what they have.

Tom Patterson, chief trust officer for Unisys, says many organizations leave themselves open to similar attacks "by relying on old style networks and defenses to defend new style enterprises and attacks. Addressing the technical debt of infrastructure and security countermeasures with modern approaches like cloud, mobile, and micro segmentation is cheaper and more risk effective than dragging forward solutions from another era. It just takes strong leadership."

4. E-discovery technology can be used to divine your darkest secrets. The ICIJ and journalists from 100 media organizations dug through and researched the data in the 11.5 TB data dump for a year before publishing their report. Their analysis was aided by the same e-discovery technology often used to gather information subpoenaed for court purposes.

According to Eddie Sheehy, CEO of Nuix, the e-discovery product used by ICIJ: "This is a huge trove of data by investigative journalism standards—around 10 times the data volume and five times the number of documents of ICIJ's Offshore Leaks investigation in 2013. At the same time, this is only a medium-sized document set in the worlds of eDiscovery or regulatory investigations—some of our customers handle similar volumes of data every day."

5. Your data breach can have immediate, devastating effects on customers. Today, Sigmundur David Gunnlaugsson, Prime Minister of Iceland, stepped down from his office "for an unspecified amount of time" after he was named among Mossack Fonseca's customers following dubious practices and found to have, as Prime Minister, brokered deals between banks and claimants after the financial crisis of 2008 despite having undisclosed conflicts of interest.

The Panama Papers have unearthed information related to many political leaders and their family members -- including in Ukraine, the United Kingdom, China, and Russia -- and have caused the topic of financial regulation to be brought up again in the United States because of its more conspicuous absence of significant players on the list. As one economist told the New York Times, American companies "really don't need to go to Panama" because "we have an onshore haven industry in the U.S. that is just as secretive as any."

6. Your breach could embroil you in more international privacy complications. After the brother-in-law of China's President Xi Jinping and other members of the Chinese elite were discovered among Mossack Fonseca's customer list, the Great Firewall of China apparently set to work trying to contain the public relations damage. Posts on social networks WeChat and Sina Weibo about the topic have begun to be deleted. Most organizations' end users and customer base will not be able to squash their exposed secrets with such powerful tools at their disposal. However, they may at least have privacy laws on their side that you may have fallen afoul of.

7. If you're going to destroy evidence, don't forget to destroy the evidence of you destroying that evidence. According to the ICIJ, Mossack Fonseca actively destroyed information that would implicate it in a U.S. Justice Department investigation of its Nevada office. However, some of its plans to destroy the information survived in email exchanges, which were subsequently leaked. ICIJ writes:

One email from 2014, for instance, instructs that any link between Mossack Fonseca’s central computing system in Panama and the Nevada office “has to be obscure to the investigators.” Other emails report that IT operatives working via remote control from Panama “tried to clean the logs of the PC’s in the Nevada office” and planned to run a “remote session to eliminate the traces of direct access to our CIS” — the firm’s computer information system.
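The emails quoted above describe logs on the Nevada PCs being cleaned remotely. The defender's counterpart to that is a log store in which deleting or rewriting an entry is detectable afterwards. The example below is added here and is not code from the article, ICIJ or Mossack Fonseca's systems: it chains each log entry to the previous one with SHA-256 and checks the chain against an anchor digest kept off the host, so a removed, edited or truncated entry shows up as the first broken link. The log lines are constructed for the illustration.

```python
"""Tamper-evident (hash-chained) log with a verifier.

Added example. Each entry's digest is SHA-256(previous digest || entry), so
removing, editing or truncating entries breaks the chain. Because an
attacker with root could rewrite the whole chain, the final digest (the
anchor) must be shipped off-host, e.g. to a central log collector, and the
verifier compares against that copy. Entries below are constructed.
"""
import hashlib

GENESIS = b"\x00" * 32   # digest "before" the first entry

# Constructed log lines for the demo (hosts and users are fictitious).
SAMPLE_ENTRIES = [
    "2014-01-10T08:02:11 nv-pc03 login user=clerk1",
    "2014-01-10T08:40:55 nv-pc03 rdp-session from=10.0.5.20",
    "2014-01-10T08:41:30 nv-pc03 cis-access query=client_files",
    "2014-01-10T08:59:02 nv-pc03 logout user=clerk1",
    "2014-01-10T09:15:44 nv-pc03 login user=clerk2",
]


def append_entry(chain, entry):
    """Append entry to chain (a list of (entry, digest)) and return its digest."""
    prev = chain[-1][1] if chain else GENESIS
    digest = hashlib.sha256(prev + entry.encode("utf-8")).digest()
    chain.append((entry, digest))
    return digest


def build_chain(entries):
    """Build a chain from an iterable of entry strings."""
    chain = []
    for entry in entries:
        append_entry(chain, entry)
    return chain


def verify_chain(chain, anchor):
    """Verify chain against the off-host anchor digest.

    Returns (True, None) when intact, otherwise (False, index) where index is
    the first position whose stored digest does not match, or len(chain) when
    every stored digest is consistent but the tail was cut off (anchor mismatch).
    """
    prev = GENESIS
    for i, (entry, digest) in enumerate(chain):
        expected = hashlib.sha256(prev + entry.encode("utf-8")).digest()
        if expected != digest:
            return False, i
        prev = digest
    if prev != anchor:
        return False, len(chain)
    return True, None


def demo():
    """Show the three tampering cases; returns the verifier results."""
    chain = build_chain(SAMPLE_ENTRIES)
    anchor = chain[-1][1]                       # copy kept off-host
    results = {
        "intact": verify_chain(chain, anchor),
        # the rdp-session and cis-access lines "cleaned" from the middle
        "deleted": verify_chain(chain[:1] + chain[3:], anchor),
        # a single entry rewritten in place, digest left alone
        "edited": verify_chain([chain[0], ("2014-01-10T08:40:55 nv-pc03 idle", chain[1][1])] + chain[2:], anchor),
        # newest entries dropped entirely
        "truncated": verify_chain(chain[:-2], anchor),
    }
    return results


if __name__ == "__main__":
    for case, (ok, idx) in demo().items():
        print(f"{case:10} ok={ok} first_break={idx}")
```

Every case except "intact" returns the index of the first inconsistent link, which tells the investigator where the record stops being trustworthy. The scheme only detects tampering that happened after the entry was chained; logs should therefore be chained and forwarded as they are written, not at the end of the day.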

We provide this last piece of advice with tongues firmly in cheek.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

honey143, User Rank: Apprentice, 5/26/2016 | 2:34:12 AM
greetings!!
Nice post
Bronchae, User Rank: Apprentice, 4/8/2016 | 6:00:19 PM
More Liability for Data Breaches
If there is an increase in the liability for damages resulting from data breaches, companies would be more circumspect about data security. I realize getting legislation passed would be difficult and that there would be financial pain in the early days, but as President Kennedy said about going to the moon: "We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard;"

It is time to take on the challenge of truly improving data security and personal privacy protection.
Whoopty, User Rank: Ninja, 4/6/2016 | 8:05:25 AM
Hypocrisy vs lack of understanding
The most amazing part of all of this is that if this information had been encrypted, using standards that politicians have been attacking and privacy campaigners have been championing, this sort of information may never have come to light.

The fact that the UK's Prime Minister is now calling his involvement a "private matter" shows that either these politicians don't understand what they're saying when they try to ban private communications and encryption, or that they just think privacy should apply to them.

Either way, they shouldn't be in positions of affecting policy related to it.