Dear Editor,
The Panama Papers leak may have been the work of an insider or an external hacker; news reported today suggests it could have been an external hacker. But in either case, this massive leak represents three major IT security trends that every enterprise needs to be aware of.
It shows the perils of digitisation of sensitive data without adequate controls over who can access it. This is a common vulnerability that has been exploited by hackers in every major data breach over the last three years, from Target, to Sony, to the US Federal Government personnel office.
It is the latest and largest example of a third-party being targeted to go after a different victim. In this case, a law firm was targeted for the information it held about other important companies and people. This leak is also part of a major trend of law firms around the world being targeted by hackers or malicious insiders because of the sensitive financial and insider corporate data they hold.
The top attack vector in the wide range of data breaches over the past three years has focused on exploiting third-party targets, the services companies who work for the primary enterprise data breach targets. The legal sector is particularly vulnerable in these attacks. Enterprises in all sectors have digitised their critical business processes and documents for easy sharing and collaboration across a range of networks inside and outside the enterprise. The idea is to become a “frictionless” enterprise, to streamline processes and get work done much more efficiently.
But what this also does is increase the enterprise’s “attack surface”, which describes how vulnerable an enterprise’s sensitive data and systems are to unauthorised access. Many enterprises are extending networked applications and sharing digitised information with partners, contractors and other external third parties. So, for example, members of the supply chain might be given access to an application to manage orders or billing. A contractor might be responsible for processing their own work orders. Professional services firms routinely receive and send digitised information related to the most sensitive of enterprise operations. These external parties now gain access to sensitive information that previously was probably kept on paper in someone’s filing cabinet.
That’s where legal firms come in. An enterprise’s legal firm will possess a treasure trove of the most sensitive data related to that enterprise. For example, a legal firm will often be working on the details of intellectual property, legal proceedings, mergers, financial results or other sensitive matters that are not yet public. The IT security issue is that this information is digitised and shared on email or via file transfer, in collaboration applications and many other forms.
Hackers know all this. So they go after legal firms and other professional services firms as third-party or “proxy” targets, when the real primary targets are the enterprises whose data these law firms are handling. Industry researchers have documented that professional services firms rank among the top targets in cyber-espionage attacks, which are attacks that go after intellectual property or similar data, as opposed to data that has value in and of itself (like a credit card number). An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself, if the legal firm is granted access to internal applications and then the firm’s credentials are compromised.
In this environment, the basic security requirements for legal firms are two-fold:
- Plan for the worst and assume that your systems will be penetrated. How do you isolate applications and control user access in order to contain the scope of hacker access and limit breach damage?
- Ensure your clients are using strong cryptography for shared applications and enterprise information, and that access controls and credentials are carefully managed. If one of your firm’s employees falls prey to a phishing attack and loses log-in credentials to a hacker, you do not want that credential to be part of the vector for breaching your enterprise client.
This major data leak shows that there is so much work to be done. How many more breaches of this scale will it take for organisations to make changes?
Adam Boone, CMO, Certes Networks