As the turmoil around the Panama Papers leak wanes, our attention gradually starts to drift to other headlines. People of power and privilege were engaging in tax avoidance schemes? Has it ever been thus?
What surprised me, though, was how little attention was paid to the ‘how this happened’, in addition to the ‘what happened’. How was the largest data breach, in terms of data volume, enacted? Or are we now so inured to these events that one more is no longer newsworthy?
I think, though, that it’s worth focussing again on what occurred, and what lessons can be learned.
Reports in the media, such as The Register, suggest that it was either Mossack Fonseca’s email server, or their WordPress and Drupal sites that were compromised. And not by some highly sophisticated hack, using botnets or phishing scam or social engineering. But because their public facing servers were not patched correctly. Patching. Again!
Keeping your servers patched to the latest level is ‘security 101’. It’s the first lesson in any infrastructure seminar, course or class. And considering the sensitivity of the ‘Panama Papers’, you would have thought MF would have been all over this like a rash. But then, the SQL Injection that brought Talk Talk into the news in November 2015, wasn’t a new exploit either, but a technique developed over 10 years ago.
Any public facing server, and WordPress in particular considering its prevalence, is a favoured target specifically because this most basic of duties, patching, is still not built in to the standard processes of whoever is charged with its maintenance.
Before the Panama Papers went stratospheric, Mossack Fonseca’s website declared that it’s servers were protected using the latest firewall technologies, and made the point that these were located in its own offices. The suggestion being firstly, that firewalls provide enough protection of and by themselves. And secondly that in-house is the best place to host your most sensitive data. Wrong and Wrong.
Firewalls are merely part of a security system. It is no longer the case that everything outside the firewall is bad, and everything inside is good. There are many ways to compromise a network, not just by targeting the firewall. Also, unless you have the resources to provide the necessary protections in your own network to properly manage your data & systems, perhaps you should put those critical assets in a place where better all-round security is afforded. Often times, that means using cloud providers. Microsoft and others have dedicated teams, 24×7, doing all the things we in user-land can’t or won’t. It is unlikely you’ll find an unpatched server within Googles SaaS offering, or an errant firewall rule in Microsoft’s. Their reputations rely on it. Come to think of it, so do ours, but for some reason we assign less importance.
So unless you have the resources to provide the necessary protections in your own network to properly manage your data & systems, perhaps you should put those critical assets in a place where better all-round security is afforded. Often times, that means using cloud providers. Microsoft and others have dedicated teams, 24×7, doing all the things we in user-land can’t or won’t. It is unlikely you’ll find an unpatched server within Googles SaaS offering, or an errant firewall rule in Microsoft’s. Their reputations rely on it. Come to think of it, so do ours, but for some reason we assign less importance.
Security is a holistic practice, requiring layers of protection, demarcation of data, constant monitoring, the correct use of encryption, and a management culture that says not ‘if’ but ‘when’; Assume the worst, hope for the best.
So whilst the UK’s prime minister, David Cameron’s finances were interesting, the Icelandic’s premier, Sigmundur David Gunnlaugsson, revealed him to be less than transparent, it’s also another tragic tale of basic security measures not being taken. Yes, it was wrong to steal the data , but we have now to assume the worst; these things will happen. We have to assume not ‘if’, but ‘when’ our systems will be compromised, and our data illegally accessed, and put all practical measures in place to protect those assets.
You may think that this couldn’t possibly happen to you. Even ignoring the ‘when-not-if’ mantra just for a moment, what do you have that could be of interest to others. Apart from your competitors, of course. Or even, you are much too small a target to be found amongst the millions of other online targets out there.
Cyber-crime is happening on an industrial scale, and as with most things industrial, automation & mechanisation is the name of the game. Scanning for vulnerable targets is scripted, using already compromised servers. This gives the attacker enormous capabilities to harvest information from unprotected systems no matter where they are or who they belong to. And using the same tools deployed in data collation and analytics, prioritise which targets are worthy of further exploration. There is no such thing as security through obscurity in this sphere. And all information is useful, to someone. This could be financial information, personal details, credentials, IP, credit card details, or bank account details. It will have a price tag.
So, deal with basics. None look so foolish as those who willingly leave the front door unlocked. And examine again how cloud services can improve your data security posture.