April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

Certes’ Adam Boone: ‘Panama Papers’ show much more needed to be done to protect against hackers

By Adam Boone, CMO, Certes Networks

The Panama Papers leak may have been the work of an insider or an external hacker; news reported today suggests it could have been an external hacker. But in either case, this massive leak represents three major IT security trends that every enterprise needs to be aware of. 

 It shows the perils of digitisation of sensitive data without adequate controls over who can access it. This is a common vulnerability that has been exploited by hackers in every major data breach over the last three years, from Target, to Sony, to the US Federal Government personnel office.

It is the latest and largest example of a third-party being targeted to go after a different victim. In this case, a law firm was targeted for the information it held about other important companies and people. This leak is also part of a major trend of law firms around the world being targeted by hackers or malicious insiders because of the sensitive financial and insider corporate data they hold.

The top attack vector in the wide range of data breaches over the past three years has focused on exploiting third-party targets, the services companies who work for the primary enterprise data breach targets. The legal sector is particularly vulnerable in these attacks. Enterprises in all sectors have digitised their critical business processes and documents for easy sharing and collaboration across a range of networks inside and outside the enterprise. The idea is to become a “frictionless” enterprise, to streamline processes and get work done much more efficiently.

But what this also does is increase the enterprise’s “attack surface” which describes how vulnerable an enterprise’s sensitive data and systems are to unauthorised access. Many enterprises are extending networked applications and sharing digitised information with partners, contractors and other external third parties. So, for example, members of the supply chain might be given access to an application to manage orders or billing. A contractor might be responsible for processing their own work orders. Professional services firms routinely receive and send digitised information related to the most sensitive of enterprise operations. These external parties now gain access to sensitive information that previously was probably kept on paper in someone’s filing cabinet.

That’s where legal firms come in. An enterprise’s legal firm will possess a treasure trove of the most sensitive data related to that enterprise. For example, a legal firm will often be working on the details of intellectual property, legal proceedings, mergers, financial results or other sensitive matters that are not yet public. The IT security issue is that this information is digitised and shared on email or via file transfer, in collaboration applications and many other forms. 

Hackers know all this. So they go after legal firms and other professional services firms as third-party or “proxy” targets, when the real primary targets are the enterprises whose data these law firms are handling. Industry researchers have documented that professional services firms rank among the top targets in cyber-espionage attacks, which are attacks that go after intellectual property or similar data, as opposed to data that has value in and of itself (like a credit card number). An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself, if the legal firm is granted access to internal applications and then the firm’s credentials are compromised.

In this environment, the basic security requirements for legal firms are two-fold:

1. Plan for the worst and assume that your systems will be penetrated. How do you isolate applications and control user access in order to contain the scope of hacker access and limit breach damage?

2. Ensure your clients are using strong cryptography for shared applications and enterprise information, and that access controls and credentials are carefully managed. If one of your firm’s employees falls prey to a phishing attack and loses log-in credentials to a hacker, you do not want that credential to be part of the vector for breaching your enterprise client.

This major data leak shows that there is so much work to do be done. How many more breaches of this scale will it take for organizations to make changes?

 

Recent Videos

HID Global is opening the door to a new era of security and convenience.  Powered by Seos technology, the HID Mobile Access solution delivers a more secure and convenient way to open doors and gates, access networks and services, and make cashless payments using phones and other mobile devices. ...
Mobile device forensics can make a difference in many investigations, but you need training that teaches you how to get the most out of your mobile forensics hardware and software, and certifies you to testify in court. Read this white paper to learn how to evaluate mobile forensics training...
PureTech Systems is a software company that develops and markets PureActiv, its geospatial analytics solution designed to protect critical perimeters and infrastructure.  Its patented video analytics leverage thermal cameras, radars and other perimeter sensors to detect, geo-locate, classify, and...
PureTech Systems is a technology leader in the use of geospatial video, focusing on perimeter security.  When combining geospatial capabilities with video analytics and PTZ camera control, managers of critical facilities can benefit by allowing the video management system to aid them in the process...