
Panama Papers

Week 2 and 4 Cybersecurity Risk Management


Week 2 Data versus information.
The newspapers have a clear understanding about information and
data. Information and data can both be fake (I create fake data to
trap hackers) but data is more solid.
Information is subjective. The same sequence of facts may be
perceived differently by different subjects because each subject's
capacity for perception is different.
https://fortune.com/2019/06/12/deepfake-mark-zuckerberg/

Panama Papers: The Cybersecurity Risk Perspective
MELISSA STEVENS | APRIL 19, 2016

Touted as “history’s biggest data leak”—with over 2.6 terabytes of
information compromised—the “Panama Papers” is one recent data breach
that has drawn a great deal of press over the past few weeks. Over 11
million documents were leaked from a renowned Panamanian law firm,
Mossack Fonseca, which specializes in offshore holdings. The firm claims
their email server was breached, which compromised the files. The papers
were obtained by a German newspaper, shared with International
Consortium of Investigative Journalists (ICIJ), and revealed over 200,000
offshore companies. It is not yet clear how many of these holdings are
facilitating illegal or unlawful activity.

The big question many are asking is, “How did this happen?”

Recent reports show that the law firm’s website was running an outdated
WordPress plugin, as well as a vulnerable version of Drupal, but there are
still investigations about the matter happening around the globe.

Below, we’ve laid out three of the most common ways nearly every recent
data breach has taken place and provided some tips on mitigating these
risks.

Breach Technique #1: Data is compromised because of an insider.

This is typically an employee (or former employee) who either intentionally
or unintentionally removes sensitive documents or data, which ends up in
the wrong hands. This can be a vindictive act, an act of whistleblowing, or
something as simple as losing a company laptop or USB drive with
sensitive information.

To mitigate this risk: monitor the percentage of employees with “super user” access.

Your goal should be to only provide employees with the level of network
access they absolutely need to complete their daily tasks. The majority of
employees at most organizations will not need access to the whole
network—so it’s very important to pay attention to who has this kind of
access and whether it’s necessary. Reducing unnecessary privileges is a
great way to reduce risk.
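
One way to put a number on that metric for a single Linux host, as an added example that is not part of the original article: it parses text in /etc/passwd and /etc/group format and reports which interactive accounts hold superuser rights. The admin group names, the function names and the sample data are assumptions made for illustration.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not from the article).
ADMIN_GROUPS = {"sudo", "wheel", "admin"}   # assumption: groups granted sudo on this host
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
dave:x:1003:1003:Dave:/home/dave:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
"""

SAMPLE_GROUP = """\
sudo:x:27:alice,bob
staff:x:50:carol,dave
"""

def interactive_accounts(passwd_text):
    """Return {name: uid} for accounts that can log in with a shell."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # skip malformed lines rather than guess
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if shell not in NOLOGIN_SHELLS:
            accounts[name] = uid
    return accounts

def admin_group_members(group_text):
    """Return the set of users listed as members of an admin group."""
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS:
            members.update(m for m in fields[3].split(",") if m)
    return members

def superuser_report(passwd_text, group_text):
    """Return (sorted privileged account names, percentage of interactive accounts)."""
    accounts = interactive_accounts(passwd_text)
    admins = admin_group_members(group_text)
    # UID 0 is root-equivalent whatever the account is called (here: toor).
    privileged = sorted(n for n, uid in accounts.items() if uid == 0 or n in admins)
    pct = round(100 * len(privileged) / len(accounts), 1) if accounts else 0.0
    return privileged, pct

if __name__ == "__main__":
    print(superuser_report(SAMPLE_PASSWD, SAMPLE_GROUP))
```

The check covers only UID 0 and supplementary membership of the listed groups; rights granted per user in sudoers, or through a primary group, would need to be counted separately.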

“Yes” or “no” questions won’t help you better understand your vendors’
(or your) cybersecurity posture—but actionable metrics will.

Breach Technique #2: Data is compromised due to an external threat.

This is when a malicious actor exploits a vulnerability in the network and is
able to access data. For example, a bad actor could send a spear-phishing
email that contains malicious code buried in the attachment. If an
employee opens the attachment and downloads the malware onto their
system, the bad actor is able to escalate his privileges and bury himself
deeper inside the organization to gain the sensitive data he’s looking for.

To mitigate this risk: monitor the number of unpatched known vulnerabilities.

Some bad actors will focus on one particular known vulnerability—whether
it’s Heartbleed, LogJam, Freak Attack, or another—and work very hard to
exploit it wherever they are able. Therefore, it’s extremely important to
patch these network vulnerabilities as quickly as you know about them so
you’re less susceptible to these types of attacks. Due to the reports of
Mossack Fonseca’s website vulnerabilities, it is likely their data breach falls
in this category.

Breach Technique #3: Data is compromised because of an attack targeting your contractor or supply chain.

This is when a bad actor has been able to break into a third party in any
way—say, through a spear-phishing email or an insider—and gain access to
your data sitting on their network. Often, the first-party organization is
unaware that their information has been compromised until months into
the hack.

To mitigate this risk: keep track of how many of your critical vendors are
continuously monitored.

There are a number of important steps you need to comprise
a comprehensive vendor risk management policy, including questionnaires,
audits, penetration tests, and vulnerability scans. But these practices don’t
give you any insight into what is going on with your third parties each and
every day of the year. In today’s risk landscape, the mantra is (and always
should be) “Trust, but verify.” Continuous monitoring solutions give you the
tools you need to make data-informed cybersecurity decisions.

https://www.bitsight.com/blog/recent-data-breach-panama-papers

https://www.secdata.com/panama-papers-leak/

The Panama Papers is a good case study for cybersecurity. The email server or website was attacked
and a very large amount of data was downloaded. When the company realised it had been hacked, even
the emails about the hack were being intercepted.

https://www.youtube.com/watch?v=X6buI6UC3jI

https://www.youtube.com/watch?v=X5AG7qQRJ98

The background to the story is below


https://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/

The technical story is here

https://hackernoon.com/happy-osint-hacking-fun-with-the-panama-papers-law-firm-mossack-fonseca-post-breach-89698c39f256

https://sprydigital.com/blog/security/cybersecurity-fails-created-panama-papers/
