IT Security Guru

Letter to the Editor: The Panama Papers

by The Gurus
April 7, 2016
in Opinions & Analysis

Dear Editor,
The Panama Papers leak may have been the work of an insider or an external hacker; news reported today suggests it could have been an external hacker. But in either case, this massive leak represents three major IT security trends that every enterprise needs to be aware of.
It shows the perils of digitisation of sensitive data without adequate controls over who can access it. This is a common vulnerability that has been exploited by hackers in every major data breach over the last three years, from Target, to Sony, to the US Federal Government personnel office.
It is the latest and largest example of a third-party being targeted to go after a different victim. In this case, a law firm was targeted for the information it held about other important companies and people. This leak is also part of a major trend of law firms around the world being targeted by hackers or malicious insiders because of the sensitive financial and insider corporate data they hold.
The top attack vector in the wide range of data breaches over the past three years has focused on exploiting third-party targets, the services companies who work for the primary enterprise data breach targets. The legal sector is particularly vulnerable in these attacks. Enterprises in all sectors have digitised their critical business processes and documents for easy sharing and collaboration across a range of networks inside and outside the enterprise. The idea is to become a “frictionless” enterprise, to streamline processes and get work done much more efficiently.
But what this also does is increase the enterprise’s “attack surface” which describes how vulnerable an enterprise’s sensitive data and systems are to unauthorised access. Many enterprises are extending networked applications and sharing digitised information with partners, contractors and other external third parties. So, for example, members of the supply chain might be given access to an application to manage orders or billing. A contractor might be responsible for processing their own work orders. Professional services firms routinely receive and send digitised information related to the most sensitive of enterprise operations. These external parties now gain access to sensitive information that previously was probably kept on paper in someone’s filing cabinet.
That’s where legal firms come in. An enterprise’s legal firm will possess a treasure trove of the most sensitive data related to that enterprise. For example, a legal firm will often be working on the details of intellectual property, legal proceedings, mergers, financial results or other sensitive matters that are not yet public. The IT security issue is that this information is digitised and shared on email or via file transfer, in collaboration applications and many other forms.
Hackers know all this. So they go after legal firms and other professional services firms as third-party or “proxy” targets, when the real primary targets are the enterprises whose data these law firms are handling. Industry researchers have documented that professional services firms rank among the top targets in cyber-espionage attacks, which are attacks that go after intellectual property or similar data, as opposed to data that has value in and of itself (like a credit card number). An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself, if the legal firm is granted access to internal applications and then the firm’s credentials are compromised.
In this environment, the basic security requirements for legal firms are two-fold:

  1. Plan for the worst and assume that your systems will be penetrated. How do you isolate applications and control user access in order to contain the scope of hacker access and limit breach damage?
  2. Ensure your clients are using strong cryptography for shared applications and enterprise information, and that access controls and credentials are carefully managed. If one of your firm’s employees falls prey to a phishing attack and loses log-in credentials to a hacker, you do not want that credential to be part of the vector for breaching your enterprise client.

This major data leak shows that there is so much work to be done. How many more breaches of this scale will it take for organisations to make changes?
Adam Boone, CMO, Certes Networks
