Although many people are rejoicing in the Panama Papers outing of illegal and unethical activity by rich and powerful individuals and companies across the globe, information security professionals can also take the opportunity to learn a few lessons.
The International Consortium of Investigative Journalists (ICIJ), Monday, published a report based upon a yearlong study into an enormous store of 11.5 million documents -- 2.6 TB of data, mostly emails -- leaked from Panamanian law firm Mossack Fonseca. The leaked data reveals secret information about the offshore holdings of political leaders and crime lords alike, and has exposed illegal practices used to hide wealth, disguise sources of wealth, and evade taxes.
A separate report last week revealed that hackers have also been attacking law firms and banks in the United States, and the FBI is investigating to see if the attacks have resulted in insider trading.
With that in mind, here are a few things all organizations, and perhaps law firms in particular, should keep in mind.
1. Know what information is most valuable -- to you, to your customers, to the public, and to attackers -- and protect it accordingly. "Valuable" is in the eye of the beholder, and the definition won't always be the same. Identify what sort of information that would cause critical damage to your business if it fell into the wrong hands (causing legal liability, IP theft, lost customers). Then secure it in any format in which it might exist, whether that be a spreadsheet or a conversation.
"In the case of Mossack Fonseca, a key business asset would be the case files and private details of their clients," says Senior Security Consultant Zak Maples of MWR InfoSecurity. "This would be mapped to numerous key IT assets, one of which would be the E-mail server due to the large number of e-mails containing this sensitive data."
2. Monitor outgoing traffic. "Whilst there is no silver bullet in security," says Maples, "in this specific case it has been reported that 2.6TB of data was exfiltrated from the organization. Detective controls that look for large spikes in data being transferred out of the organization and other Data Loss Prevention (DLP) controls could have helped to prevent the data being exfiltrated or being widely disseminated."
Details about how the leak occurred at Mossack Fonseca remain unclear, so it is impossible to say whether this data was exfiltrated all at once in a 2.6-terabyte package that would surely raise alarms, or if it was snuck out piece by piece in small batches over a long period of time. Nevertheless, strange exfiltrations of data -- "strange" because of the size, time, number, age, or confidentiality of those data -- are something every organization should always be watching for.
3. Don't put all your eggs in one basket. A lot of secrets can be sunk into 2.6 terabytes of e-mail. Depending on the nature of your business, you might need to retain deep files on all customers and detailed records on all of your employees' conversations. So simply reducing your risk footprint by deleting the data isn't an option. However, segmenting the data, and applying different layers of security and access control to each segment could limit the damage when an attacker cracks into one asset, or a privileged insider decides to leak what they have.
Tom Patterson, chief trust officer for Unisys, says many organizations leave themselves open to similar attacks "by relying on old style networks and defenses to defend new style enterprises and attacks. Addressing the technical debt of infrastructure and security countermeasures with modern approaches like cloud, mobile, and micro segmentation are cheaper and more risk effective than dragging forward solutions from another era. It just takes strong leadership.”
4. E-discovery technology can be used to divine your darkest secrets. The ICIJ and journalists from 100 media organizations dug through and researched the data in the 11.5 TB data dump for a year before publishing their report. Their analysis was aided by the same e-discovery technology often used to gather information subpoenaed for court purposes.
According to Eddie Sheehy, CEO of Nuix, the e-discovery product, used by ICIJ: “This is a huge trove of data by investigative journalism standards—around 10 times the data volume and five times the number of documents of ICIJ’s Offshore Leaks investigation in 2013. At the same time, this is only a medium-sized document set in the worlds of eDiscovery or regulatory investigations—some of our customers handle similar volumes of data every day."
5. Your data breach can have immediate, devastating effects on customers. Today, Sigmundur David Gunnlaugsson, Prime Minister of Iceland, stepped down from his office "for an unspecified amount of time" after he was named among Mossack Fonseca's customers following dubious practices and found to have, as Prime Minister, brokered deals between banks and claimants after the financial crisis of 2008 despite having undisclosed conflicts of interest.
The Panama Papers have unearthed information related to many political leaders and their family members -- including in Ukraine, the United Kingdom, China, and Russia -- and have caused the topic of financial regulation to be brought up again in the United States because of its more conspicious absence of significant players on the list. As one economist told the New York Times, American companies "really don't need to go to Panama" because "we have an onshore haven industry in the U.S. that is just as secretive as any."
6. Your breach could embroil you in more international privacy complications. After the brother-in-law of China's President Xi Jinping and other members of the Chinese elite were discovered among Mossack Fonseca's customer list, the Great Firewall of China apparently set to work trying to contain the public relations damage. Posts on social networks WeChat and Sina Weibo about the topic have begun to be deleted. Most organizations' end users and customer base will not be able to squash their exposed secrets with such powerful tools at their disposal. However, they may at least have privacy laws on their side that you may have fallen afoul of.
7. If you're going to destroy evidence, don't forget to destroy the evidence of you destroying that evidence. According to the ICIJ, Mossack Fonseca actively destroyed information that would implicate it in a U.S. Justice Department investigation of its Nevada office. However, some of its plans to destroy the information survived in email exchanges, which were subsequently leaked. ICIJ writes:
One email from 2014, for instance, instructs that any link between Mossack Fonseca’s central computing system in Panama and the Nevada office “has to be obscure to the investigators.” Other emails report that IT operatives working via remote control from Panama “tried to clean the logs of the PC’s in the Nevada office” and planned to run a “remote session to eliminate the traces of direct access to our CIS” — the firm’s computer information system.
We provide this last piece of advice with tongues firmly in cheek.
- How NOT To Be The Next Sony: Defending Against Destructive Attacks
- Hackers Attack Major US Law Firms
- How Ionic Says It Makes Data Breaches Irrelevant