Several lessons can be learned from the spotlight that has been turned on Mossack Fonseca. For those of you just coming up to speed on “The Panama Papers”, Mossack Fonseca became a victim of a massive data breach. I use the term victim with a grain of salt as what the papers actually revealed about the global rich, privileged, and powerful is up for discussion. The lessons learned span two key areas: how the breach occurred and what could have been done to prevent it.
How did the breach occur and what was actually leaked?
The debate will continue for years as to whether the attack was an inside job or one orchestrated from outside. 2.6 terabytes of data and 11.5 million documents were leaked in the breach. This is a staggering figure given the sheer amount of data; think about how long it would take to transfer 2.6 terabytes over the internet. Some believe that an insider at Mossack Fonseca had a privileged account with complete access to systems and databases. Others point to egregious system vulnerabilities throughout the company’s infrastructure. The main points to consider are that application and web servers were on the same network, were not protected by a firewall, and had various WordPress vulnerabilities that allowed for a land-and-expand attack. These vulnerabilities, coupled with software that was seven years old and unpatched, may have been the company’s ultimate undoing.
What could have been done to prevent the attack?
Since no one really knows for sure if the breach originated from inside the organization or from outside, we will look at both. The insider scenario could have been prevented with several basic best practices for information technology.
First, the company should have implemented a tool like StealthAUDIT by STEALTHbits to discover and inventory all systems on the network.
The scans would have revealed current patch status, applications installed, privileged accounts, sensitive data, and effective access.
Second, patch all systems and applications to a current state for security.
Operating system vendors and application vendors provide security and performance patching on a consistent basis. This patching is essential to prevent exploits of known vulnerabilities.
Third, upgrade software that is business critical and customer facing.
Beyond patching, software upgrades become critical for security. Software upgrades promote increased availability, integrity, and confidentiality of data.
Fourth, establish real-time monitoring including UEBA.
Real-time monitoring quickly identifies when systems and accounts deviate from normal behavior. Think of a user accessing information they have never accessed before and an alert firing in real time. UEBA (user and entity behavior analytics) takes us one step further by establishing patterns of behavior for entities and accounts. Identifying the outliers that are truly anomalous is some of the best breach protection and prevention available.
Fifth, undergo routine penetration testing.
Penetration testing helps to find holes in defenses before real attackers do. Knowing your deficiencies will give your organization focus in patching discovered vulnerabilities.
Sixth, establish a continuous life cycle for systems, applications, and networking.
Think of systems, applications, and networking like software development. You must:
The external attack is a little easier to assess because of how much information is available about how wide open the Mossack Fonseca network was. The two main issues were that systems sat on the same network and that there was neither an external firewall nor an east/west (internal) traffic firewall. The web applications in use were also vulnerable to multiple exploits because of an absence of patching. A particular WordPress exploit has been called out as a likely attack vector, as it allowed for remote code execution that could have granted lateral movement throughout the environment. Keep in mind that the remediation for an external attack mimics that of an internal attack. The fundamentals of security remain constant regardless of how an attack originates: an attacker is still trying to exploit a system.
Mossack Fonseca experienced a breach on a scale seldom seen. The sheer volume of data streaming out of the environment alone should have tipped someone off that something wasn’t right. The breach appears to have been a perfect storm. Systems were vulnerable to multiple exploits because basic security principles were not being followed. The network didn’t appear to be properly segmented, and software was out of date by nearly a decade in some instances. The main thing everyone should be thinking about isn’t so much what the company itself was involved in. Instead, take this breach as a lesson for your own environment. How do you currently compare, and are you following the best practices that could prevent a breach of your own?
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.