IT Security Guru

Letter to the Editor: The Panama Papers

by The Gurus
April 7, 2016
in Opinions & Analysis

Dear Editor,
The Panama Papers leak may have been the work of an insider or an external hacker; news reported today suggests it could have been an external hacker. But in either case, this massive leak represents three major IT security trends that every enterprise needs to be aware of.
It shows the perils of digitisation of sensitive data without adequate controls over who can access it. This is a common vulnerability that has been exploited by hackers in every major data breach over the last three years, from Target, to Sony, to the US Federal Government personnel office.
It is the latest and largest example of a third party being targeted to go after a different victim. In this case, a law firm was targeted for the information it held about other important companies and people. This leak is also part of a major trend of law firms around the world being targeted by hackers or malicious insiders because of the sensitive financial and insider corporate data they hold.
The top attack vector in the wide range of data breaches over the past three years has focused on exploiting third-party targets, the services companies who work for the primary enterprise data breach targets. The legal sector is particularly vulnerable in these attacks. Enterprises in all sectors have digitised their critical business processes and documents for easy sharing and collaboration across a range of networks inside and outside the enterprise. The idea is to become a “frictionless” enterprise, to streamline processes and get work done much more efficiently.
But what this also does is increase the enterprise’s “attack surface” which describes how vulnerable an enterprise’s sensitive data and systems are to unauthorised access. Many enterprises are extending networked applications and sharing digitised information with partners, contractors and other external third parties. So, for example, members of the supply chain might be given access to an application to manage orders or billing. A contractor might be responsible for processing their own work orders. Professional services firms routinely receive and send digitised information related to the most sensitive of enterprise operations. These external parties now gain access to sensitive information that previously was probably kept on paper in someone’s filing cabinet.
That’s where legal firms come in. An enterprise’s legal firm will possess a treasure trove of the most sensitive data related to that enterprise. For example, a legal firm will often be working on the details of intellectual property, legal proceedings, mergers, financial results or other sensitive matters that are not yet public. The IT security issue is that this information is digitised and shared on email or via file transfer, in collaboration applications and many other forms.
Hackers know all this. So they go after legal firms and other professional services firms as third-party or “proxy” targets, when the real primary targets are the enterprises whose data these law firms are handling. Industry researchers have documented that professional services firms rank among the top targets in cyber-espionage attacks, which are attacks that go after intellectual property or similar data, as opposed to data that has value in and of itself (like a credit card number). An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself, if the legal firm is granted access to internal applications and then the firm’s credentials are compromised.
In this environment, the basic security requirements for legal firms are two-fold:

  1. Plan for the worst and assume that your systems will be penetrated. How do you isolate applications and control user access in order to contain the scope of hacker access and limit breach damage?
  2. Ensure your clients are using strong cryptography for shared applications and enterprise information, and that access controls and credentials are carefully managed. If one of your firm’s employees falls prey to a phishing attack and loses log-in credentials to a hacker, you do not want that credential to be part of the vector for breaching your enterprise client.

This major data leak shows that there is so much work to be done. How many more breaches of this scale will it take for organisations to make changes?
Adam Boone, CMO, Certes Networks


© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic
