After Panama Papers: Firms Should Add Pen Testing to Due Diligence Process
An analysis by Wired shows that the Panama firm Mossack and Fonseca did a poor job managing its public facing systems, all the while promising clients security.
A massive trove of data stolen from the Panamanian law firm Mossack Fonseca and leaked to the media has sent shockwaves through governments and the ranks of the world’s wealthy.
Information gleaned from more than two and a half terabytes of data – 11.5 million documents – first came to light over the weekend with exposes from the publication Sueddeutsche Zeitung and the International Consortium of Investigative Journalists (ICIJ). Those reports expose the workings of Mossack Fonseca, which is a facilitator of offshore corporate entities and shell companies. The leaked internal files contain information on 214,488 offshore entities connected to people in more than 200 countries and territories, the ICIJ reported.
Already, the leak has prompted reactions from around the globe. In Iceland, Prime Minister Sigmundur Gunnlaugsson resigned after his name and that of his wife turned up on documents leaked from the firm in connection with shell companies. In China, the Communist government has stepped up filtering and blocking of information related to the leak, which exposed family members of high ranking Communist Party officials.
As we wrote last week, law firms are frequent sources of targeted attacks by cybercriminal or state sponsored groups looking for information on everything from planned mergers and acquisitions to political dissidents. As the designated intermediaries for all kinds of sensitive matters, and the keepers of documents related to those matters, law firms make perfect targets.
And, as the Mossack Fonseca hack illustrates, law firms often fall short in making their information security practices commensurate with the sensitivity of data they manage.
In the case of the Panama firm, Internet facing resources that allowed Mossack Fonseca’s customers to remotely manage their corporate information appears to have been woefully insecure. This report by Wired calls attention to the fact that the Client Information Portal at Mossack Fonseca was running a version of the Drupal content management software that was more than two years out of date and that contained “at least 25 vulnerabilities, including a high-risk SQL injection vulnerability” that would have allowed a remote attacker to execute malicious commands on the server.
The firm failed to secure sensitive parts of the Client Information Portal back end server, which could be accessed simply by guessing the URL structure of the site, an anonymous security researcher told Wired.
Apparently, the poor security hygiene extended to Mossack Fonseca’s email server as well. The company’s installation of Outlook Web Access hadn’t been updated since 2009 and email was not encrypted. The firm’s main web page, which runs Wordpress, was three months out of date.
The firm has not said specifically how it was hacked. And, given the apparent plethora of vulnerabilities within its environment, it may never be possible to say exactly how bad guys got their hands on the firm’s data. Mossack Fonseca’s public statements on the hack have been more concerned with justifying the firm’s work on behalf of clients.
“Our industry is not particularly well understood by the public, and unfortunately this series of articles will only serve to deepen that confusion,” the firm said in a statement.
For Mossack’s customers, however, the question is likely about why a firm engaged in sensitive and confidential matters had such a poor handle on the security of its information technology assets, particularly those that were public facing.
For companies or individuals looking to engage the services of a firm, this incident and others like it suggest that it is no longer enough to simply assess the reputation of a firm or the pedigree of its attorneys. A thorough assessment of a firm’s information security practices and hygiene – preferably by a trained professional – should now be considered a part of due diligence before you even consider transferring sensitive files or data to a third party – law firm, business partner or contractor. Organizations that fail to take such considerations into question risk the fate of Mossack Fonseca’s clients: having their most sensitive information and details of their private and financial lives laid bare for all to see.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business