The Panama Papers: Security Basics 101

There has, unsurprisingly, been a vast amount of speculation as to the origins of the Panama Papers data leak. Initially it was thought to be an insider job, however a partner at Mossack Fonseca has now claimed they were the victim of hack, specifically a ‘spear phishing’ email attack.

So far, so ordinary. Spear phishing attacks take place every day, across every sector. Staff training and awareness can go a long way towards limiting their success, but the attackers are getting more sophisticated all the time. Only this month, employees at the BBC received spear phishing emails that were so personalized that they included their recipients’ home addresses.

Laying the blame

We’re not, therefore, going to berate an employee at Mossack Fonseca for falling victim to what was potentially an extremely sophisticated and personal form of attack, no matter how senior they were. It happens. It’s what appears to have happened next that should serve as a warning for every organization.

As eWeek commented, the volumes of data that have been extracted from Mossack Fonseca are truly enormous, and extremely varied. The article points out that even if someone walked through the doors of the law firm with a portable hard drive and started copying files, transferring this amount of information would have taken hours. Transferring it surreptitiously over the internet would have taken weeks or more.

The fact that this was possible, seemingly without anybody noticing, via a single point of access into the corporate network, suggests that the company hadn’t followed some simple best practice security guidelines and this case should serve as a warning to other businesses to ensure they are following them.

What was missing?

• Network Segmentation: The quantity and quality of data exfiltrated suggests that the network simply wasn’t segmented, and therefore hackers were able to move laterally across the network, seeking out confidential information on the financial shenanigans of the rich and famous as they went. Having a strong network segmentation strategy would have significantly limited or even prevented the hack.
• Egress Filtering: most companies tend to be more concerned about the threats from outside their network. This is understandable but it overlooks the fact that what’s leaving a network is just as important. Being able to monitor and if necessary restrict outbound traffic, or in many cases funnel the outbound network traffic through egress points, is just as important and will make it more difficult for malicious attackers to exfiltrate data. The scale of the Panama breach strongly suggests such measures weren’t in place – more information on how to do this effectively can be found here.
• Access Rights: Too often, organizations have very permissive security policies, which can leave their networks exposed to threats. Organizations need to think about who really needs access to what resources, and apply the principle of least privilege, giving employees only the degree of access they need to do their jobs. If one lower-level employee’s credentials are compromised in a spear phishing attack, the attacker should not get carte blanche to access all the data held by a company. But applying the principle of ‘least privilege’ organisations will help reduce the risk of falling foul of an attack.

Of course, not every corporate data leak hits the world’s headlines and unseats heads of government. But the Mossack Fonseca attack has clear lessons for all organizations – whatever their business.