The Panama Papers - a gross security failure
by Mark Johnson, CEO, The Risk Management Group (TRMG)
While the eyes of most are focused on the revelations of the tax affairs of prominent individuals, including several world leaders, as exposed by some of the 11 million documents included in the recently disclosed ‘Panama Papers’, another very important facet of this story has been largely overlooked. How did this confidential information come to be exposed in the first place, and what does this event tell us about the security of sensitive information in general?
A number of leading ethical security testers and information security experts took a close interest in the Panamanian law firm at the centre of the scandal almost as soon as the story broke. What their independent analysis and investigations revealed was shocking to some, but sadly familiar to many. Professor Alan Woodward, a computer security expert from Surrey University, has described the law firm’s web front end system as horribly out of date. “I can't understand this,” said Woodward. “They seem to have been caught in a time warp. If I were a client of theirs I'd be very concerned.”
The law firm is described as having shown an “astonishing disregard for security” by failing to update its Outlook Web Access login since 2009 or its client login portal since 2013.
If this is true of the financial records belonging to several Presidents and Prime Ministers, what does that say about the security of the rest of us?
Other tests are reported to have identified at least 25 vulnerabilities in the law firm’s systems, including a high-risk SQL injection vulnerability that could allow attackers to remotely execute malicious commands against the backend database. Another vulnerability makes it possible to access files uploaded to the backend of the website simply by guessing the URLs of pages that would normally be blocked for unauthorised users: the protection relied on the URL being unknown rather than on the server checking who was asking.
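The two weaknesses just described, a string-built SQL query and a file lookup that never checks the requester, beside a hardened version of the same lookup. This is an added illustration, not code from the law firm or from the original article; the table layout, user names and file paths are constructed for the example.

```python
import sqlite3


def make_portal_db():
    """Constructed in-memory stand-in for a client portal's upload table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uploads (id TEXT PRIMARY KEY, owner TEXT, path TEXT)")
    db.executemany(
        "INSERT INTO uploads VALUES (?, ?, ?)",
        [
            ("doc-1001", "alice", "/uploads/doc-1001.pdf"),
            ("doc-1002", "bob", "/uploads/doc-1002.pdf"),
        ],
    )
    return db


def lookup_upload_vulnerable(db, upload_id):
    """Weak version: the id from the URL is concatenated straight into the SQL,
    so quote characters are parsed as SQL, and nothing checks who is asking,
    so any guessed id returns somebody else's file path."""
    row = db.execute(
        "SELECT path FROM uploads WHERE id = '" + upload_id + "'"
    ).fetchone()
    return row[0] if row else None


def lookup_upload_hardened(db, requesting_user, upload_id):
    """Hardened version: the id is bound as a query parameter (treated as data,
    never as SQL) and ownership is enforced in the same query, so a guessed id
    belonging to another client yields nothing."""
    row = db.execute(
        "SELECT path FROM uploads WHERE id = ? AND owner = ?",
        (upload_id, requesting_user),
    ).fetchone()
    return row[0] if row else None
```

The vulnerable lookup hands back another client's file for any guessed id and interprets a quote in the id as SQL; the hardened one returns a path only to the file's owner and treats the same quoted string as a plain, non-matching id.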
To make matters worse, it seems that the firm’s emails are not encrypted, according to privacy expert Christopher Soghoian. Meanwhile, Angela Sasse, professor of human-centred technology at University College London, remarked that, “Given the business they're in, I find it quite surprising that they haven't thought about securing their emails better.”
All in all, this data breach, the largest in history to date, demonstrates very clearly the risks that arise from living in an interconnected world. If the Internet were a road network, every user would be required to have training, a licence to operate, and identity papers of some kind. But the information superhighway we now depend on as the technical foundation of the global economy is allowed to operate as though it were a small town in bandit country. It is clearly time to appoint a sheriff.
Until that happens, it’s a case of every man for himself. Organisations and individuals need to develop (and keep updated!) a set of security standards that includes, at a minimum, the following controls:
• Governance and employee awareness
• Data segmentation and encryption
• Network security
• Systems security
• Patching
• Anti-malware and spam filtering
• Privilege and access control
• Removable media controls
• Cloud, BYOD and remote working practices
• Safe social media practices
TRMG and ORIS Media have partnered to deliver a cyber-crime and security awareness open course workshop for non-technical managerial and supervisory staff.
The workshop has already proved hugely successful and is now also offered as an in-house workshop.
The workshop can also be delivered in short form as a senior management session, or as a 30 minute ‘canteen talk’ for line staff. For further information, contact info@orismedia.eu