[BreachExchange] You Can Prevent a ‘Panama Papers’ Scandal at Your Law Firm

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 3 21:20:47 EDT 2016


http://www.huffingtonpost.com/lou-shipley/you-can-prevent-a-panama_b_9831322.html

The data breach at the law firm of Mossack Fonseca in Panama sent shock
waves around the world recently, with the prime minister of Iceland stepping
aside, Swiss authorities raiding the headquarters of the Union of European
Football Associations, and relatives of the president of China linked to
offshore companies. The size of the breach was also shocking, with 2.6
terabytes of data leaked. That’s 30 times bigger than the WikiLeaks release
or the Edward Snowden materials. However, the most shocking part of the
“Panama Papers” story is that the breach, which exploited an unpatched
installation of the popular open source project Drupal, was totally preventable.

Everyone knows that law firms manage large amounts of highly sensitive
information. Whether the data involves an individual’s estate plan, a
startup’s patent application, or a high-profile merger and acquisition,
clients expect their information to be secure. Indeed, lawyers are required
to keep this information both confidential and secure. Yet, despite the
very high level of security owed this information, many firms lack an IT
staff and outsource the creation and maintenance of their data management
and security services. Once outsourced, there is an assumption that someone
else will effectively manage the data and ensure its security.

This is many firms’ first mistake. Even if they aren’t managing their own
IT, law firms still have an obligation to make sure that data is properly
secured. This means asking frequent questions about security and ensuring
that the vendor is implementing reasonable security measures.

This level of diligence is critical today, as law firms are increasingly
under threat of attack. In March, the international firms Weil, Gotshal &
Manges and Cravath, Swaine & Moore reported data breaches, highlighting
the risks for law firms and their clients. Given the amount of confidential
information firms retain about business deals and strategies, further
attacks are expected. A 2015 Citigroup Cyber Intelligence Center report
confirms this, cautioning big firms about the threat of attacks on their
networks and websites.

Implementing reasonable security measures means continuously monitoring
both proprietary and open source code for vulnerabilities. This is a notion
that lawyers should be familiar with: in most M&A deals, lawyers advise
clients to run a security scan of the codebase to assess the integrity of
the code and surface any vulnerabilities.

This is a particularly important M&A exercise for open source usage, as much
open source is not supported in the same way proprietary software is — through
automated updates and patches that are pushed out proactively. Still, open
source code is the way software applications are built today, and open
source makes up 35 percent to 50 percent of the average code base, so
managing and securing it is vital. It is widely incorporated into programs
used by law firms around the world. Open source tends to be high quality
and offers powerful tools. However, you can’t reap the benefits of open
source programs without managing their risks.

When a security vulnerability is identified in open source, it is publicly
announced along with the ways the vulnerability can be exploited.
Sometimes there is even sample code or a YouTube video giving
cybercriminals a recipe for hacking. However, security updates and patches
are usually made available too. Because the process is not automated, these
announcements should be monitored and the patches installed promptly to
ensure the security of data.

Sometimes this is easier said than done. Even when firms know open source
software is used in their codebase, it can be difficult to know exactly
where it exists. Without visibility into which open source components they’re
using and where, the patches aren’t of much use. This is why it’s critical
for law firms to identify all open source code in use, inventory it, and
map it to a known vulnerability database. When a vulnerability is
announced, the firm can decide from a business standpoint whether it’s
material and requires action. When it’s deemed material, the stakes can be
extremely high, so scanning the code should be a regular compliance process.
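The inventory-to-database mapping described above, as an added illustration that is not from the article or any vendor product: a scanned component inventory is matched against an advisory feed and the hits are filtered to the severities the firm treats as material. The component versions, advisory ids and severity threshold are constructed placeholders, not real CVEs or the versions Mossack Fonseca ran.

```python
# Added illustration, not code from the article: a scanned inventory of
# open source components matched against an advisory feed, then filtered
# to the findings a firm would treat as material. All versions and
# advisory ids below are constructed placeholders, not real CVEs.
from collections import namedtuple

# component, version below which every release is affected, severity
Advisory = namedtuple("Advisory", "advisory_id component affected_below severity")

def parse_version(v):
    """'1.12.0' -> (1, 12, 0): compare numerically, not as strings
    (as strings, '1.12.0' < '1.9.0', which would be a false positive)."""
    return tuple(int(p) for p in v.split("."))

# Constructed inventory: what a code scan found in the firm's codebase.
INVENTORY = {"drupal": "7.20", "wordpress": "4.3", "jquery": "1.12.0"}

# Constructed advisory feed standing in for a vulnerability database.
ADVISORIES = [
    Advisory("ADV-0001", "drupal", "7.32", "critical"),
    Advisory("ADV-0002", "drupal", "7.44", "moderate"),
    Advisory("ADV-0003", "wordpress", "4.4", "moderate"),
    Advisory("ADV-0004", "jquery", "1.9.0", "moderate"),
    Advisory("ADV-0005", "openssl", "1.0.2", "high"),
]

MATERIAL = {"critical", "high"}  # the firm's own threshold for prompt action

def match_advisories(inventory, advisories):
    """Map each deployed component to the advisories affecting its version."""
    hits = {}
    for adv in advisories:
        deployed = inventory.get(adv.component)
        if deployed is None:
            continue  # component not in use: nothing to patch
        if parse_version(deployed) < parse_version(adv.affected_below):
            hits.setdefault(adv.component, []).append(adv)
    return hits

def material_components(hits):
    """Components with at least one advisory at a material severity."""
    return sorted(c for c, advs in hits.items()
                  if any(a.severity in MATERIAL for a in advs))

if __name__ == "__main__":
    hits = match_advisories(INVENTORY, ADVISORIES)
    for comp, advs in sorted(hits.items()):
        print(comp, INVENTORY[comp], "->", [a.advisory_id for a in advs])
    print("material, patch now:", material_components(hits))
```

Note that jquery is not reported even though its deployed version sorts below "1.9.0" as a string, which is the kind of false positive a naive inventory tool produces.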

Whether law firms have IT departments or outsource to a service provider,
they should use products that automate the inventory process, monitor the
software, and send automatic alerts when a security vulnerability is
identified. It’s not difficult to secure data when the right products are
in place.

If Mossack Fonseca had had such a procedure in place, the Panama Papers
scandal never would have happened. The version of the open source project
Drupal the firm used had 25 or more known security vulnerabilities, some
publicly announced as far back as 2013. If anyone at the firm had been
paying attention, the security patches could have been applied. Because
they weren’t, it was open season for hackers.

The Panama Papers scandal illustrates the dangers of being lax about the
security of client information. It also shows how law firms that take
security seriously have a competitive advantage. As more data breaches are
sure to come to light, law firms have an opportunity to differentiate
themselves with a higher level of service. Those that don’t could be the
next hacking victim — or already are and just don’t know it yet.