Picks of the Week: What the Panama Paper Breach Means for Your Organization Cybersecurity

Cybersecurity Lessons Learned From ‘Panama Papers’ Breach | Forbes

What the Panama Paper Hack Means for Worldwide Cybersecurity | Massive Media

The Panama Papers Wake Up Call | Security Week

In the wake of the revelations from the so-called “Panama Papers,” the world of the rich and powerful has been reeling. A single cyber attack against Mossack Fonseca—a Panamanian law firm that was virtually unknown to the public—has sent a tsunami around the world, already toppling one world leader with more turbulence likely to come.

The attacker absconded with such a vast trove of confidential, attorney-client information—including over 4.8 million emails, 2.2 million PDFs, and 2.6 terabytes of information—that journalists and other investigators have been reviewing it for more than a year. The resulting leak was the largest data security breach in history, and has made previous revelations by WikiLeaks and Edward Snowden look small and limited by comparison.

The leaked information allegedly details the ways some of the world’s most powerful figures, including presidents, kings, prime ministers, their relatives, and close associates in more than 40 countries from Europe, Asia, the Middle East, Africa, and Americas, have used offshore companies to hide income and avoid paying taxes. Some of the information dated back almost 40 years to a period before the Internet even existed.

The identity of the attacker(s), however, remains a mystery. Perhaps it was a company insider with access to the relevant passwords and files? Or maybe a skilled attacker, well-versed in the intricacies of cyber espionage?

Experts believe that neither profile is accurate, because the Mossack Fonseca cyber attack was actually quite simple. So simple, in fact, that even a script kiddie with limited hacking knowledge could have done it. The leak stemmed from known vulnerabilities in older versions of popular open source web server software Drupal and WordPress that had not been updated and that can easily be exploited. In fact, outdated versions of software that organizations haven’t properly patched is the most common cybersecurity vulnerability today. In addition, Mossack Fonseca’s web server was not behind a firewall and wasn’t separated from their mail servers, and they did not encrypt their emails, which is particularly egregious given the sensitivity of their clients’ information. In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect their confidential client data. And, even if it had put their web server behind a firewall and separated it from their mail servers, hackers would have still been able to exploit their unpatched vulnerabilities to access data on internal systems—it would simply have taken them a bit longer.

In addition, some of the security mistakes Mossack Fonseca made were violations of common cyber hygiene.

So, what can your organization learn from this latest hack and do to prevent a similar breach?

  • Patch, patch, patch—ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
  • Train your employees on password protection (and don’t store passwords in a file called passwords!)—require regular changing of passwords (at least quarterly). If you don’t already have a policy in place governing the creation, use, and sharing of passwords for your organization, establish one. Encourage employees to create complex passwords, never to share them, and to implement additional layers of security, such as dual-factor authentication, adding fingerprint locks on computers, single use codes, etc.
  • Train your employees on recognizing phishing emails—fraudulent emails are still a major attack vector. Cyber criminals obtain organization-wide data from just one employee falling for a false email request. Include in your policy what work can be done on personal devices (such as smartphones and tablets), and what work must be done on workplace computers protected by a strong firewall and good virus software.
  • Do not give everybody access to everything—put your eggs in multiple baskets, classify your documents, and segment your networks. Too many organizations have grown their networks with maximum convenience in mind, effectively giving access to everything to everyone. Unfortunately, that means access to outsiders as well if there is even a small chink in your cyber-defenses.
  • Do not store data beyond what you need—if your organization collects some Personally Identifiable Information (PII), such as social security numbers and credit card information, do not store more than you actually need and are willing to protect.
  • Do not use email for sensitive communications—the biggest lesson already learned from the Sony Corporation hack should have been to avoid writing anything that could potentially incriminate or embarrass you or your business. A casual insult, side comment, inappropriate joke or any similar communication, taken in the context of the intended audience, may not offend; however, written data should be considered permanent and available to a broad audience.
  • Do not ignore warning signs and risks—if something seems wrong, don’t ignore it. Take a screenshot, write down the error message, call support, run an antivirus scan. Sometimes it turns out to be nothing, or even a new feature you didn’t know about. Other times it means you are under attack.
  • Do not go another day without an incident response plan—there are only two types of organizations: those that have been breached, and those who don’t know that they have been breached. Any responsible organization should be prepared to respond, mitigate, and remediate a cyber attacks, and this should start by having a clearly-defined and well-exercised incident response plan.

– Francesca Spidalieri, Senior Fellow

Leave a Reply

Your email address will not be published. Required fields are marked *