Consider the Panama Papers breach a warning
- 08 April, 2016 20:00
An MIT conference this week about the Internet of Things was fun until the topic of security came up. The audience stilled and focused at the mention.
Sanjay Sarma, a professor of mechanical engineering at MIT, told this mostly startup crowd that he expects "a few disasters." Power plants will be taken down, as will a chemical plant. "I'm terrified of this," he said, about the cybersecurity risk.
This week's hack of Panamanian law firm Mossack Fonseca is an illustration of how much damage can be caused by a breach. Law firms are valuable and vulnerable targets, and they attract people interested in making money.
For example, a scheme at Simpson Thacher & Bartlett LLP, a U.S. law firm, yielded insider-trading net profits of more than $US5.6 million, said the FBI in announcing a guilty plea of a New York man, a former employee of the law firm, last November.
The employee's technique was simple. He searched the computer system for keywords such as "merger agreement" and "bid letter." Remarkably, it lasted five years.
For its part, the Mossack Fonseca "Panama Papers" breach, exposing offshore accounts of the rich and politically powerful, is remarkable as well. The firm said it was an external hack that used an email exploit, but that doesn't say much. Were the law firm's systems patched and up-to-date?
How did 11.5 million documents, or 2.6TB of data, leave the firm's network undetected? At 100 Mbps, it would take about two days to download 2TB of data.
Whatever the intrusion technique, "the large amounts of data alone heading out from a company's networks should have raised alarms - and yet it didn't," said Erka Koivunen, cyber security advisor for software vendor F-Secure.
There isn't much sympathy for the world leaders whose offshore financial dealings have been exposed by the Panama Papers. But in the IT security community, there isn't sympathy for anyone who lets such a breach happen, either.
"Regardless of what we think of the ethics of the law firm in question, this kind of failure in defending and monitoring one's 'kingdom' is absolutely unacceptable," said Koivunen.
IT managers with concerns about the security practices of their outside legal counsel providers can ask those providers some questions, said Philip Lieberman, president and CEO, Lieberman Software, another security-software firm.
Specifically, Lieberman recommends asking law firms about their penetration testing, physical and IT security, and whether they are running 'war games' against their systems to check defenses.
The American Bar Association (ABA) said unauthorized access to sensitive client data -- the most serious breach -- was 3% for law firms overall, and 7% for firms with more than 500 attorneys. These are low numbers, but release of any client data can be a "major disaster" for any law firm, notes the ABA.
Hacks that result in the release of large amounts of information to the public, via the news media, are not common. The data breach by Edward Snowden was against his own organization.
The "John Doe" attack on Mossack Fonseca was different, according to Jeremy Bergsman, IT practice leader at CEB, a consulting firm. The key motivation for that attack was "reputational damage" -- a relatively new motive, he said.
"The onset of such 'folk heroism' type of attacks indicates that the number of security incidents facing companies will likely increase," said Bergsman.
Alex Pezold, CEO of TokenEx, a security firm, believes the Panama Papers breach will have far-reaching impact on law firms. Law firms have long been considered an "underserved market" on security. "We haven't seen anything like this to date."
What the Mossack Fonseca hack does point out, said John Pescatore, director of emerging security trends at SANS, a security organization, is that professional services such as law firms and investment advisers are often not sufficiently protecting sensitive information.
"People and businesses need to be a lot more careful who they trust with such information," said Pescatore.