Consider the Panama Papers breach a warning

Hacks aimed at damaging reputations may rise in frequency

An MIT conference this week about the Internet of Things was fun until the topic of security came up. The audience stilled and focused at the mention.

Sanjay Sarma, a professor of mechanical engineering at MIT, told this mostly startup crowd that he expects "a few disasters." Power plants will be taken down, as will a chemical plant. "I'm terrified of this," he said, about the cybersecurity risk.

This week's hack of Panamanian law firm Mossack Fonseca is an illustration of how much damage can be caused by a breach. Law firms are valuable and vulnerable targets, and they attract people interested in making money.


For example, a scheme at Simpson Thacher & Bartlett LLP, a U.S. law firm, yielded insider-trading net profits of more than $US5.6 million, said the FBI in announcing a guilty plea of a New York man, a former employee of the law firm, last November.

The employee's technique was simple. He searched the computer system for keywords such as "merger agreement" and "bid letter." Remarkably, the scheme lasted five years.

For its part, the Mossack Fonseca "Panama Papers" breach, exposing offshore accounts of the rich and politically powerful, is remarkable as well. The firm said it was an external hack that used an email exploit, but that doesn't say much. Were the law firm's systems patched and up-to-date?

How did 11.5 million documents, or 2.6TB of data, leave the firm's network undetected? At 100 Mbps, it would take about two days to download 2TB of data.

Whatever the intrusion technique, "the large amounts of data alone heading out from a company's networks should have raised alarms - and yet it didn't," said Erka Koivunen, cyber security advisor for software vendor F-Secure.
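An added example, not from the article or from any firm named in it: outbound-volume alerting of the kind the quote above says was missing, run over constructed per-flow records. Host addresses, byte counts and thresholds are assumptions chosen for illustration, and the transfer-time helper assumes decimal units (1 TB = 10^12 bytes).

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, internal_host, bytes_sent_to_external_addresses).
# Hosts, volumes and thresholds are illustrative assumptions, not breach data.
FLOWS = (
    [(d, "10.0.0.5", 2 * 10**9) for d in range(1, 5)]      # normal days
    + [(d, "10.0.0.9", 10**9) for d in range(1, 7)]        # steady host
    + [(5, "10.0.0.5", 500 * 10**9), (5, "10.0.0.5", 400 * 10**9),
       (6, "10.0.0.5", 900 * 10**9)]                       # bulk transfer
)

def transfer_days(total_bytes, link_mbps):
    """Days needed to move total_bytes over a fully saturated link."""
    return total_bytes * 8 / (link_mbps * 1_000_000) / 86_400

def daily_egress(flows):
    """Sum outbound bytes per (host, day); single flows can look small."""
    totals = defaultdict(int)
    for day, host, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals

def flag_egress(flows, factor=10, floor_bytes=5 * 10**9, min_history=3):
    """Return (host, day, sent, baseline) for days far above the host's norm."""
    totals = daily_egress(flows)
    history = defaultdict(list)
    alerts = []
    for host, day in sorted(totals, key=lambda k: (k[1], k[0])):
        sent, prior = totals[(host, day)], history[host]
        if len(prior) >= min_history:
            baseline = median(prior)
            if sent > floor_bytes and sent > factor * baseline:
                alerts.append((host, day, sent, baseline))
                continue  # keep flagged days out of the baseline
        prior.append(sent)
    return alerts

if __name__ == "__main__":
    print(f"2 TB at 100 Mbps: {transfer_days(2 * 10**12, 100):.2f} days")
    for host, day, sent, base in flag_egress(FLOWS):
        print(f"ALERT {host} day {day}: {sent / 1e9:.0f} GB vs median {base / 1e9:.0f} GB")
```

Flagged days are excluded from the host's baseline, so a transfer that runs for several days keeps alerting instead of becoming the new normal.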

There isn't much sympathy for the world leaders whose offshore financial dealings have been exposed by the Panama Papers. But in the IT security community, there isn't sympathy for anyone who lets such a breach happen, either.

"Regardless of what we think of the ethics of the law firm in question, this kind of failure in defending and monitoring one's 'kingdom' is absolutely unacceptable," said Koivunen.

IT managers with concerns about the security practices of their outside legal counsel providers can ask those providers some questions, said Philip Lieberman, president and CEO, Lieberman Software, another security-software firm.

Specifically, Lieberman recommends asking law firms about their penetration testing, physical and IT security, and whether they are running 'war games' against their systems to check defenses.

The American Bar Association (ABA) said unauthorized access to sensitive client data -- the most serious breach -- was 3% for law firms overall, and 7% for firms with more than 500 attorneys. These are low numbers, but release of any client data can be a "major disaster" for any law firm, notes the ABA.

Hacks that result in the release of large amounts of information to the public, via the news media, are not common. The data breach by Edward Snowden was against his own organization.

The "John Doe" attack on Mossack Fonseca was different, according to Jeremy Bergsman, IT practice leader at CEB, a consulting firm. The key motivation for that attack was "reputational damage" -- a relatively new motive, he said.

"The onset of such 'folk heroism' type of attacks indicates that the number of security incidents facing companies will likely increase," said Bergsman.

Alex Pezold, CEO of TokenEx, a security firm, believes the Panama Papers breach will have far-reaching impact on law firms. Law firms have long been considered an "underserved market" on security. "We haven't seen anything like this to date."

What the Mossack Fonseca hack does point out, said John Pescatore, director of emerging security trends at SANS, a security organization, is that professional services such as law firms and investment advisers are often not sufficiently protecting sensitive information.

"People and businesses need to be a lot more careful who they trust with such information," said Pescatore.
