Canals, Law Firms and InfoSec – Lessons learned from the Mossack Fonseca data breach

Another day, another leak.

This time the victim of the leak is Mossack Fonseca, a Panama Law firm which has been exposed for facilitating shady tax arrangements. The size of the breach is enormous, the volume alone could displace what Panama is traditionally known for, the canal.

Naturally, findings from the breach would never see the light of day but speculation is always fun so…what could we learn from this breach?

1. Trust is king otherwise use identity management and access control

The locks in the canal serve to direct water to the right places.

No one knows if this was an inside job but one thing is certain, ‘John Doe’ who conducted the breach had the motivation to carry out the leak. If this was an inside job, this person would have had a lot of access within the organisation. Identity management, separation of duties and access control limit the amount of data any one individual has access to. In any organisation handling sensitive data, all of this is very important to limit the potential loss of data from a disgruntled employee.

2. Don’t forget physical access

A hole in the lock allows water to seep through where it’s not supposed to.

John Doe could have access to backups, tapes, systems, USB ports, you get the idea.

3. Are you looking – Egress points

If no one is inspecting the locks for leaks, how do you know if there is a problem?

Süddeutsche Zeitung, the newspaper organisation reporting the breach acquired about 2.6 terabytes of data. Let’s assume for a second that the person doing the leak was not an insider who stole mirrored drives from Mossack Fonseca servers or copied the data to a USB hard drive, how did the 2.6 terabytes of data get out?

If it was done remotely, that’s 2.6 terabytes over the wire. If you had a SOC/NOC in a law firm, one thing that you should be keeping an eye out for is mass exfiltration, out of hours transfers and any other anomalous activity. Sure, John Doe could have been drip feeding but with 2.6 TB of data, that would take an excruciatingly long time. If your NOC is not talking to your security team, well, that too is a problem.

4. Data loss protection is not a silver bullet

Just stopping blue coloured liquid will not stop leaks.

Süddeutsche Zeitung reports that the haul consisted of e-mails, pdf files, photo files, and excerpts of an internal Mossack Fonseca database. A quick review of the leaked documents shows that Mossack Fonseca was handling both structured and unstructured data. Documents derived from a predefined template eg: official company letterhead form structured data. Passports, share certificates and other documents that do not adhere to MF’s document management standards is classified as unstructured data. Documents could also be tagged specifically for DLP. DLP works by detecting structured or tagged documents ‘moved’ to an ‘unauthorised’ location where DLP would then block the movement or trigger an alert for further action.

Doing DLP right, MF would have to identify all critical/sensitive documents, tag or convert documents to a standard format before it could be picked up by DLP. This requires a lot of work and failure to do so means that data could slip right under the watchful eye of DLP. Not to mention that there are ways to circumvent DLP which, segways nicely into our final point.

5. Security is like an onion

A failure in one lock should not prevent the entire system from failing.

The hot topic of encryption makes another entrance. Encrypted data makes life hard for inspection based systems such as DLP and that’s assuming that inspection based systems can detect and decrypt the encryption in the first place. A tagged document could be encrypted in a password protected ZIP/RAR/<insert favourite exfiltration format here> and if you’re lucky, inspection based systems may only log the activity. In this scenario, you will need all of the above to reduce the risk of the data breach from occurring.

There may be other lessons learnt from this breach, feel free to share below.

Sources:
http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/
https://www.documentcloud.org/public/search/Source:%20%22Internal%20documents%20from%20Mossack%20Fonseca%20%28Panama%20Papers%29%22

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s