That the Panamanian law firm Mossack Fonseca was breached should in many ways come as little surprise to those with an information security background. Whether intentional or not, the data breach that led to the massive Panama Papers scandal currently rocking the political and business worlds teaches us lessons about basic information security best practices and guidelines.
“Security Through Obscurity” Is Dead: The old “security through obscurity” notion fell by the wayside years ago if you ask anyone in the information security community. The ability of bad guys to scale rapidly (running scans of enormous breadth, “poking” around in infrastructure they would not previously have thought accessible) and the continued drop in the cost of denial-of-service, phishing, and other mayhem mean that an adversary has a constantly growing range of targets. This will only continue to be an issue. If you are a small business, credit union, law firm, or other agency, you need to employ at least some rudimentary procedures and processes to prevent these types of attacks.
A Growing Attack Surface: As most firms offer new products and services, they typically think about security implications as an afterthought. While this is changing on both ends of the scale (from Fortune 100 to small start-ups), for the most part this is a very accurate depiction of how mid-sized and legacy firms operate. Every new supplier agreement, website, mobile app, and portal access opens up holes in a system that need to be identified, understood, and then prioritized. Some of the most basic questions in security risk management need to be asked (for each and every one of these scenarios) and they include: Should this new system/service have appropriate security controls? What type? For how long? When should we revisit this decision? And the list goes on…
Mediocre Risk Management: Risk management is a discipline. It’s like exercising and flossing your teeth. Everyone knows they need to do it, but few do it well … even fewer do it reliably and consistently over long periods of time. Initial reports are that Mossack Fonseca had some glaring vulnerabilities and was therefore very susceptible to being attacked by an outsider. This should not come as a surprise. Legal and accounting firms have been warned about such issues for a long time.
The Internal Threat: The ease with which disgruntled or poorly-paid employees, partners, suppliers, and others gain internal access to sensitive systems and data remains an enormous problem. The rapid digitization of the business world in the past 10 years has outpaced most firms’ abilities to keep track of the most fundamental authorization rights and access privileges, perimeter security (if such a thing even truly exists anymore), and strong authentication. As a result, if one of the constituencies above is determined to steal data, the chances are in their favor that they will be able to do so if they are persistent enough. In addition, the rapid growth in spear-phishing brings with it the growing possibility of the “inadvertent internal threat”: a CFO being targeted, or an IT administrator with credentials to a critical system being tricked through social engineering. Education, training, and sometimes even monitoring are good tactics to employ around the specific individuals who are most likely to be targeted.
Most of the initial Panama Papers media coverage addressed numerous implications on policy, tax evasion, corruption, and politics; this makes sense and is justified based on the trove of data that has been released. Yet this scandal also has relevance to the information security community and to those interested in understanding how a scandal of this magnitude might have occurred in the first place. Law, accounting and financial advisory firms, please take special note.