Editorial coverage of the Panama Papers, a leaked cache of 11.5 million confidential documents from the law firm Mossack Fonseca, captured attention around the globe in April 2016 and led to political protests and controversy. These articles offer three important lessons about cybersecurity. But first, a recap of the incident:
Mossack Fonseca provides services such as establishing and administering international business entities. According to the Süddeutsche Zeitung—the German newspaper that initially received the leak—an anonymous source obtained data from the firm. Feeling the information documented crimes that should be exposed, this anonymous source shared it with the newspaper. In collaboration with hundreds of other journalists worldwide, Süddeutsche Zeitung researched the data and started publishing stories in early April.
According to the news articles, the Panama Papers reveal how wealthy individuals, including government officials, use offshore banking to keep their assets secret for purposes such as tax evasion. In the wake of the leak, the prime minister of Iceland resigned when his connection to an offshore company was revealed. Many other dramatic scandals have followed, such as the Swiss police raid of the offices of UEFA, Europe's top soccer association, in response to the Panama Papers' revelations.
Although the Süddeutsche Zeitung editor-in-chief wrote that he does not know how his source obtained the data, two pieces of evidence point to a hack. First, Ramon Fonseca, cofounder of Mossack Fonseca, ruled out an “inside job” and said hackers outside Panama were responsible. Second, a leaked message that Mossack Fonseca sent clients refers to an “unauthorized breach” of its email server. However, companies are not always aware of all the details of what has happened in a compromise, so they may be limited in what they tell the public due to legal or other concerns.
It has been identified that Mossack Fonseca did not encrypt its emails with the Transport Layer Security (TLS) protocol, and that may explain why so much of the Panama Papers cache consists of email messages. Because so many records were taken (2.6 terabytes' worth), it appears the hacker may have broken into the organization's email server, escalated privileges, and used those privileges to access data without restrictions.
Lesson #1: Updates Are Crucial
Companies should be sure to use up-to-date security tools and technologies. Security researchers looking at the Panama firm's security in the aftermath of the attack have found plenty of flaws, showing the organization had not updated its systems to the newest versions available. For example, Mossack Fonseca had neglected to update its client login portal since 2013 and its Outlook Web Access login since 2009. In fact, the version of Drupal the firm has been using for its client portal suffers from more than 25 vulnerabilities.
It's not enough for companies to merely “patch and pray.” They need to adopt a proactive stance and use vulnerability management. This technology scans an organization's systems for security flaws and assists in remediating the weaknesses before hackers can exploit them.
Lesson #2: Network Security Monitoring is Crucial
Network security monitoring watches computer networks for unusual traffic patterns and raises red flags if suspicious activities are taking place. That way, IT teams can take appropriate action.
Network security monitoring would have been useful during the theft of all the data. The hacker had to download a great deal of information: 4.8 million emails; 3 million database format files; 1.1 million images; 320,000 text documents; and 2.2 million PDFs. That is not typical network traffic. Network security monitoring would spot such an anomaly right away, and enable a hacked organization to defend itself.
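One way to express the volume check described above, as an added example that is not part of the original article: each host's daily outbound total is compared with a median/MAD baseline built from its own earlier days. The host names, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

GIB = 1024 ** 3

# Constructed sample: (day, internal host, bytes sent to external addresses).
# Hosts and volumes are made up; real input would come from flow or firewall logs.
FLOWS = [
    ("day01", "mail01", 2 * GIB), ("day01", "web01", 5 * GIB),
    ("day02", "mail01", 3 * GIB), ("day02", "web01", 6 * GIB),
    ("day03", "mail01", 2 * GIB), ("day03", "web01", 4 * GIB),
    ("day04", "mail01", 3 * GIB), ("day04", "web01", 5 * GIB),
    ("day05", "mail01", 2 * GIB), ("day05", "web01", 7 * GIB),
    ("day06", "mail01", 90 * GIB), ("day06", "web01", 6 * GIB),
    ("day07", "mail01", 120 * GIB), ("day07", "web01", 5 * GIB),
]


def daily_egress(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, sent in flows:
        totals[host][day] += sent
    return totals


def egress_anomalies(flows, min_history=5, k=6.0, floor=1 * GIB):
    """Flag host-days whose egress exceeds median + k * MAD of that host's
    earlier, non-flagged days. Flagged days are kept out of the baseline so a
    multi-day transfer cannot become the new normal."""
    alerts = []
    for host, per_day in sorted(daily_egress(flows).items()):
        history = []
        for day in sorted(per_day):
            sent = per_day[day]
            if len(history) >= min_history:
                base = median(history)
                mad = median(abs(x - base) for x in history)
                threshold = base + k * max(mad, floor)  # floor avoids MAD == 0
                if sent > threshold:
                    alerts.append((host, day, round(sent / base, 1)))
                    continue  # do not learn from an anomalous day
            history.append(sent)
    return alerts


if __name__ == "__main__":
    for host, day, ratio in egress_anomalies(FLOWS):
        print(f"ALERT {host} {day}: egress {ratio}x the baseline median")
```

In this constructed data the mail server is flagged on both high-volume days, while the web server's ordinary day-to-day variation stays under its threshold.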
Lesson #3: Law Firms are a New Target
More law firms will likely make the headlines as cyber attack victims. Hackers who've heard about the Panama Papers leak might imitate the Mossack Fonseca intrusion, just as the ransomware attack on a California hospital may have inspired similar subsequent hits on several other hospitals. Law practices handle many important private documents that could be repurposed for creating scandals, insider trading, and more, which can serve as an incentive for cyber criminals.
To protect themselves against potential attacks, businesses and government agencies can use network security monitoring and managed security services. A proactive approach can ensure that private information stays secure.