Aneil Singh, Igloo's VP of IT and Data Centre Operations, gives a brief overview of a few of the security lessons organizations can learn from the recent Panama Papers scandal.
Until last week, few people had heard of Mossack Fonseca, a little-known law firm in Panama that is now at the heart of the Panama Papers scandal. We've since learned how easy it can be to steal the entirety of an organization's confidential data and upload it to the cloud for distribution. All 2.6 terabytes of it, including millions of emails, database files, PDFs, images, and text documents, are now out in the open.
Putting the obvious scandalous details aside for a moment, let's take a look at some key lessons the Panama Papers can teach us about securing client data.
Use open source platforms at your own risk
Mossack Fonseca was running old versions of WordPress and Drupal for its website and client portal. Both are widely used open source platforms, but both also have a reputation for being insecure, largely because known vulnerabilities in an unpatched core, plugin or module are exploited quickly once they are public, so they need near-constant security patching to stay safe. As Thomas Fox-Brewster explains in Forbes:
"Its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data."
The lesson here is relatively simple. If you intend to use open source platforms to protect your client data, you need stringent IT policies for updating and maintaining them, and a rigorous, proactive regimen of patching and vulnerability testing, which takes significant IT resources to sustain. That starts with an inventory: you cannot patch what you don't know is running. At the very least, work with an MSSP and deploy an intrusion detection system (IDS) to alert you to potential threats and attacks.
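As a starting point for that inventory, here is an added example (my own illustration, not code from the original post and not part of Drupal or WordPress) that walks a web root, reads the version constants the two products ship on disk, and flags installs below a minimum you choose. It assumes the Drupal 7 layout (`includes/bootstrap.inc` with `define('VERSION', ...)`) and the WordPress layout (`wp-includes/version.php` with `$wp_version = ...`); Drupal 8 stores its version elsewhere and is not covered. The minimum versions, directory names and sample files are placeholders constructed for the example.

```python
"""Inventory CMS versions under a web root and flag anything older than the
release you have decided is the minimum acceptable.

Added example (not the author's code, not part of Drupal or WordPress). It reads
the version constants both products ship on disk:
  Drupal 7:  includes/bootstrap.inc    ->  define('VERSION', '7.23');
  WordPress: wp-includes/version.php   ->  $wp_version = '4.4.2';
The minimum versions used below are placeholders; substitute the current
releases from drupal.org and wordpress.org when you run it.
"""
import re
import tempfile
from pathlib import Path

DRUPAL7_VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)")
WORDPRESS_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([\d.]+)'")


def parse_drupal7_version(text):
    """Version string from includes/bootstrap.inc, or None if not found."""
    m = DRUPAL7_VERSION_RE.search(text)
    return m.group(1) if m else None


def parse_wordpress_version(text):
    """Version string from wp-includes/version.php, or None if not found."""
    m = WORDPRESS_VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """'7.23' -> (7, 23). Compare as tuples: as strings '7.9' > '7.23', which is wrong."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed, minimum):
    return version_tuple(installed) < version_tuple(minimum)


def _finding(install_dir, product, installed, minimums):
    minimum = minimums[product]
    return {
        "path": str(install_dir),
        "product": product,
        "installed": installed,
        "minimum": minimum,
        "outdated": is_outdated(installed, minimum),
    }


def scan_webroot(webroot, minimums):
    """Walk webroot and return one finding dict per CMS install discovered."""
    root = Path(webroot)
    findings = []
    for f in root.rglob("bootstrap.inc"):
        if f.parent.name == "includes":
            version = parse_drupal7_version(f.read_text(errors="replace"))
            if version:
                findings.append(_finding(f.parent.parent, "drupal7", version, minimums))
    for f in root.rglob("version.php"):
        if f.parent.name == "wp-includes":
            version = parse_wordpress_version(f.read_text(errors="replace"))
            if version:
                findings.append(_finding(f.parent.parent, "wordpress", version, minimums))
    return findings


def demo():
    """Scan a constructed web root: sample files written to a temp dir, not real installs."""
    root = Path(tempfile.mkdtemp())
    (root / "portal" / "includes").mkdir(parents=True)
    (root / "portal" / "includes" / "bootstrap.inc").write_text(
        "<?php\ndefine('VERSION', '7.23');\n")
    (root / "www" / "wp-includes").mkdir(parents=True)
    (root / "www" / "wp-includes" / "version.php").write_text(
        "<?php\n$wp_version = '4.4.2';\n")
    # Placeholder minimums for the example, not a statement of current releases.
    return scan_webroot(root, {"drupal7": "7.43", "wordpress": "4.4.2"})


if __name__ == "__main__":
    for finding in demo():
        status = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{status:8} {finding['product']:10} {finding['installed']:>7} "
              f"(minimum {finding['minimum']}) at {finding['path']}")
```

Run it against the real document root instead of `demo()` and feed the output to whoever owns patching; the point of the tuple comparison is that naive string comparison would rate 7.9 as newer than 7.23 and hide exactly the installs you care about.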
A cloud platform can do the work for you
While choosing an open source platform might have seemed like it was saving Mossack Fonseca money upfront, when you take into account the catastrophic consequences, it would have been far more cost-effective and efficient to choose a cloud platform instead.
Cloud platforms are attractive because they are scalable and responsive. When a new patch or protocol version ships, your cloud provider can roll it out across the whole platform at any time, keeping your security a step ahead of possible attackers. Remember that you still own your side of the shared-responsibility line: your accounts, your access controls and the data itself.
Make sure your provider is using TLS 1.2 or later (SSL 2.0 and 3.0 are broken, and TLS 1.0 is being retired) with certificates signed using SHA-2, since browsers are phasing out SHA-1 signatures, and test the deployment yourself. You can use widely known tools like Qualys SSL Labs. Ideally the provider scores an A+ (as we do here at Igloo), but an A is good too. Ask your provider whether they have removed ciphers considered weak (RC4, 3DES, export-grade and anonymous suites) and whether the server enforces its own cipher order, with the most secure suites at the top, so that a client negotiates the strongest cipher both sides support rather than the first one the browser happens to list.
Installing an IPS and a WAF will also help keep attackers out. These solutions can block an attack in progress and cut off the attacker's access. They can be costly, so it makes sense to look at trusted SaaS providers to maximize value.
Using an MSSP can be extremely helpful if you're a small organization and can't employ a full security team of your own. Even if you do have a security team, a large MSSP has hundreds to thousands of security experts who can come in, audit your environment and hand you a report you can act on to remediate the risks they find.
You need to use encryption. Always.
Mossack Fonseca's email was not encrypted in transit, leaving another attack vector out in the open: the firm was not using TLS to protect email communication. That is an incredible mistake. You should always use TLS to keep data in transit secure, on the web portal, on the mail server (STARTTLS for SMTP, and TLS for the IMAP and POP connections your clients make) and for any notifications your systems send. Put simply, if you're not encrypting your email communications, you shouldn't be surprised to see them published online at some point, especially if you're a high-value target. Keep in mind that transport encryption only protects mail on the wire; messages sitting on a compromised server are exposed regardless, which is why encrypting stored data matters just as much.
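The two TLS checks above, on the client portal and on the mail server, can be scripted with nothing but the Python standard library. The following is an added example of my own, not code from the original post and not any vendor's tool: it builds a strict client context with the settings the text asks a provider about (TLS 1.2 minimum, forward-secret AEAD ciphers only, server-side cipher preference), audits what a context would still offer, and probes an HTTPS endpoint and an SMTP server's STARTTLS support. The cipher classification rules, the cipher string and the host names on the command line are my assumptions for the example. A strict client only shows that a server *can* negotiate a good suite; whether it *also* still accepts SSLv3 or RC4 from old clients is what SSL Labs is for, since a modern OpenSSL build usually cannot even offer those.

```python
"""Check that a web portal and a mail server negotiate TLS with a sane
configuration, using only the Python standard library.

Added example, not the author's code and not any vendor's tool. Host names in
the usage section are placeholders.
  harden():       TLS 1.2 minimum, forward-secret AEAD ciphers, server order wins
  audit():        lists any weak suite a context would still offer
  probe_https():  what a web portal negotiates with a strict client
  probe_smtp():   whether an MX offers STARTTLS and what it then negotiates
"""
import smtplib
import socket
import ssl

# Forward-secret key exchange with AEAD bulk ciphers; everything else excluded.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!PSK:!SRP:!DSS"
# Substrings that mark an OpenSSL cipher name as weak by today's standards
# (null/export/RC4/(3)DES/MD5, anonymous DH, pre-shared or SRP key exchange).
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK", "SRP")


def is_weak_cipher(name):
    """True for suites an SSL Labs-style review would penalise."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return True
    if upper.startswith("TLS_"):
        return False  # TLS 1.3 names: always ephemeral key exchange plus AEAD
    # Pre-1.3 OpenSSL names start with the key exchange when it is ephemeral
    # (ECDHE-, DHE-). A name starting with the bulk cipher (e.g. AES128-SHA)
    # means static RSA key exchange: no forward secrecy, so one leaked private
    # key decrypts every recorded session.
    return not upper.startswith(("ECDHE-", "DHE-"))


def harden(ctx):
    """Apply the settings the text asks about to a client or server SSLContext."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv2/3, TLS 1.0/1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # on a server: its order wins, not the browser's
    return ctx


def hardened_client_context():
    """Strict client that keeps CA verification and hostname checking on."""
    return harden(ssl.create_default_context())


def audit(ctx):
    """Summarise what a context would offer; weak_ciphers should be empty."""
    suites = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers": [s for s in suites if is_weak_cipher(s)],
        "suite_count": len(suites),
    }


def probe_https(host, port=443, timeout=5):
    """Connect with the strict client; ssl.SSLError means the server offered nothing acceptable."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name, "bits": bits}


def probe_smtp(host, port=25, timeout=10):
    """Does the MX advertise STARTTLS, and what does it negotiate?
    No STARTTLS means mail to this server crosses the internet in the clear."""
    ctx = hardened_client_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-EHLO over the encrypted channel, as the RFC requires
        name, _, bits = smtp.sock.cipher()
        return {"starttls": True, "protocol": smtp.sock.version(),
                "cipher": name, "bits": bits}


if __name__ == "__main__":
    import sys
    print("hardened client offers:", audit(hardened_client_context()))
    # Placeholder usage: python tls_check.py portal.example.com mail.example.com
    if len(sys.argv) > 1:
        print("https:", probe_https(sys.argv[1]))
    if len(sys.argv) > 2:
        print("smtp:", probe_smtp(sys.argv[2]))
```

The same `harden()` call is what you apply to an `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)` in your own services; that is where `OP_CIPHER_SERVER_PREFERENCE` actually takes effect and answers the cipher-ordering question from the previous section.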
Encrypting data at rest is equally important: make sure data on disk is encrypted at all times, so that a stolen disk, backup or database dump is undecipherable and of no value without the decryption key. Combine it with granular, per-user (or per-client) keys and access controls so that one compromised account cannot unlock everything. Note that at-rest encryption does not stop an attacker who gets in through the application itself, since the application must decrypt data to serve it; it is a defence against theft of the storage, not a substitute for patching the front end.
A very simple thing every company connected to the internet (so almost every company) should do is have an external vulnerability assessment performed. It shows you what an attacker scanning from the internet can see of your organization, and which flaws and risks are exposed.
The perimeter is your first line of defence. Think of a house with a fence around it, but with broken boards leaving big gaps. Someone climbs through the broken section, spots an open window that isn't too high up, and climbs in. You locked your front door and the gate in the fence, but since other openings remain, there is still a way into your home and your files.
Of course there are many other ways to protect your data: enabling host firewalls on each server, running anti-virus and malware detection, keeping up with operating system patches, and enforcing password policies with complexity requirements and regular changes. What happened to Mossack Fonseca was a remote attack, but physical theft of disks or servers is also a risk. This is where data-at-rest encryption, with proper key management alongside the storage encryption itself, keeps data secure. Keeping the data encryption keys in a hardware security module (HSM) validated to Federal Information Processing Standard (FIPS) 140-2 Level 3 is a good idea, since the keys are then generated and used inside tamper-resistant hardware and never sit on the same disk as the data.
Ultimately, if you decide to run your systems yourself and keep your customers' information secure, you need to keep up with the latest security measures. If you don't, you can pretty much guarantee that someone who's looking to break in will find a way.
And to all my technical peers and above, this is obviously not a list of the only ways to secure and protect data -- there are so many layers that we could go into. And for the record, I love open source and use it as well. Feel free to share some other ideas in the comments section.