[BreachExchange] How enterprise security lapses led to the Panama Papers leak

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 9 19:58:34 EDT 2016


http://community.hpe.com/t5/HPE-Business-Insights/How-enterprise-security-lapses-led-to-the-Panama-Papers-leak/ba-p/6867680#.V1m9UeYoSV4

The revelations contained in the Panama Papers shocked the world, but
equally shocking—and more relevant to enterprise security—are the failures
that allowed this entirely avoidable leak.
The security flaw led to the leak of 3 million database files, 4.8 million
emails, and 1.1 million images, covering 40 years of sensitive information
housed by law firm Mossack Fonseca. The leak, its size, and the resulting
damage revealed a more pervasive problem that should frighten any
enterprise charged with protecting sensitive, valuable, or vulnerable data:
The execution of security inside many enterprises is not only haphazard but
also low priority.

Hacking is a lucrative business: Cybercriminals profit financially from the
sale of stolen data, and personally from the notoriety that comes from the
theft. To get their hands on sensitive data requires only a moderate amount
of diligence and cleverness when security isn't a prime concern for an
enterprise.

Making it easy for thieves

Mossack Fonseca's haphazard approach to security was nothing short of
negligent, according to a Wired report. Patching and updating software are
two critical yet low-impact steps every business should take to protect
applications, but Mossack Fonseca had not updated its Outlook Web Access
login since 2009 or its client login portal since 2013. That client portal,
which ran on Drupal, contained 25 vulnerabilities known to both the
security and hacking communities. "If I were a client of theirs," Alan
Woodward, computer security expert from Surrey University, told Wired, "I'd
be very concerned that they were communicating using such outdated
technology."

The firm's website and portal management were outsourced to a third party.
If you're going to outsource, you need assurances that the vendor is
competent, and their security practices are clear. The contract should
outline remedies if they don't meet those standards—although, if you're in
a position to seek remedies, the damage has likely been done.

4 security measures that can stop leaks

Information is an asset that needs to be protected and secured just as
firmly as you protect your bank accounts, perimeter, and company name,
which means making security part of the entire enterprise culture, even
beyond IT. The following are four critical steps toward protecting your
enterprise data.

1. Control the information life span. Collect only information you need for
a specific business purpose and keep it only as long as there is a
legitimate business need. Once that time has passed, the information should
be securely destroyed. Data isn't stagnant—it often moves from repository
to repository inside a business and should be encrypted and protected
during transmission and storage. With a data-centric security approach,
data is protected across its life span, from the moment it is captured,
throughout its travels, and as it is accessed.
2. Control access to the data. Decide what roles truly need access to data.
According to CIO, two of the top risks to enterprise security are
disgruntled and uninformed and/or careless employees. To mitigate the
risks, data access should be strictly monitored and controlled, and
employees should be trained on security best practices.
3. Enforce security at every access point. This includes on-premises
security as well as mobile and remote access. Require strong passwords and
protect them as though they are company assets. Regularly test for security
flaws, set up firewalls between networks, and use intrusion detection and
prevention tools. Security breaches at large enterprises through
third-party vendors are a growing problem; get their security practices in
writing and test their practices before committing to their services.
4. Start security planning at the development stage. When creating internal
products, make sure your team masters secure coding and knows best
practices. For any app or tool you create, know how it will be used and
understand the standards. This white paper from the SANS Institute reviews
the current state of application security and the gaps that exist between
those who create applications and those who defend them.
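The following is an added illustration of steps 1 and 2 above, not code from the article or from HPE: a deny-by-default access check and a retention check that flags data kept past its documented business purpose. The record fields, purposes, roles, retention periods and sample records are all constructed for the example.

```python
"""Retention and access-control checks for a data-centric security approach.

Added example, not part of the forwarded article. All policy values and
sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str          # business purpose the data was collected for
    classification: str   # "public", "internal" or "confidential" (constructed)
    collected_at: datetime


# Step 1: how long each documented purpose justifies keeping the data
# (constructed values; a real policy comes from legal and the business owner).
RETENTION = {
    "client_onboarding": timedelta(days=365 * 7),
    "marketing": timedelta(days=90),
}

# Step 2: which classifications each role may read (constructed values).
ROLE_ACCESS = {
    "partner": {"public", "internal", "confidential"},
    "associate": {"public", "internal"},
    "contractor": {"public"},
}

# Constructed reference time and sample records.
NOW = datetime(2016, 6, 9, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "client_onboarding", "confidential", datetime(2008, 1, 15, tzinfo=timezone.utc)),
    Record("r2", "marketing", "internal", datetime(2016, 5, 1, tzinfo=timezone.utc)),
    Record("r3", "undocumented", "confidential", datetime(2015, 6, 1, tzinfo=timezone.utc)),
    Record("r4", "client_onboarding", "confidential", datetime(2013, 3, 1, tzinfo=timezone.utc)),
]


def expired_records(records, now):
    """Return ids of records that should be securely destroyed.

    A record expires when its retention window has passed. A record whose
    purpose is not in the policy is flagged as well: data with no documented
    business purpose has no justification for being retained at all.
    """
    expired = []
    for r in records:
        limit = RETENTION.get(r.purpose)
        if limit is None or now - r.collected_at >= limit:
            expired.append(r.record_id)
    return expired


def authorize(role, record, audit):
    """Deny by default and write an audit entry for every decision.

    Unknown roles get an empty permission set, so a misconfigured or
    unexpected role cannot read anything. The audit list is what lets
    access be monitored, as step 2 asks for.
    """
    allowed = record.classification in ROLE_ACCESS.get(role, set())
    audit.append((role, record.record_id, "ALLOW" if allowed else "DENY"))
    return allowed


def review_access(requests, records, audit):
    """Evaluate (role, record_id) requests; returns the ids that were allowed."""
    by_id = {r.record_id: r for r in records}
    return [rid for role, rid in requests if authorize(role, by_id[rid], audit)]


if __name__ == "__main__":
    print("destroy:", expired_records(SAMPLE_RECORDS, NOW))
    log = []
    granted = review_access(
        [("partner", "r1"), ("contractor", "r1"), ("associate", "r2"), ("auditor", "r2")],
        SAMPLE_RECORDS, log)
    print("granted:", granted)
    for entry in log:
        print("audit:", entry)
```

The two checks are deliberately independent: retention is decided from the record's purpose and age alone, while access is decided from the role alone, so neither a generous role nor a long retention period can quietly widen the other.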
