Yet Another Cyber Leak
- Created on 05 April 2016
- Written by Steve Burrows
In January last year I wrote “The Isle of Man, in common with other so-called tax havens, is a prime target for professional information theft. Switzerland, Jersey, Luxembourg and the BVIs are amongst those recently targeted for the theft of customer data from banks and CSPs, so imagining that it probably won’t happen here is delusional”. Well, now we can add Panama to the list of victims. I’m sure the board of Mossack Fonseca have been busily managing their crisis and ensuring that the door is more firmly bolted. At the time of writing I’ve no idea how this leak happened. Suggestions seem to be that an email server was exploited, but the scope and scale of the documents exposed indicate that there’s far more to it than this - apparently the leak is of around 2.6 terabytes of data, that’s 2,858,730,232,217 bytes, encompassing c. 11,500,000 documents.
As with the Sony hack, which I wrote about at the beginning of 2015, this was not a quick operation. If somebody penetrated Mossack Fonseca’s network and extracted the data remotely it would have taken some time, certainly months, to steal without being noticed. It may of course have been an inside job, a disgruntled employee, but stealing such a wide range and large volume of data is still difficult and risky. The easiest way of obtaining such a quantity of data would probably be to steal a recent set of backup tapes, but this doesn’t seem to have been a one-off theft. We know from the Süddeutsche Zeitung newspaper, which was the original recipient of the leaked data, that the leak started at the beginning of 2015 and continued into Spring 2016, so it was ongoing for over a year. However you look at it, whoever supplied the journalists has pulled off quite a difficult task.
Which brings me to the point of this article. Cyber theft is not usually a quick affair; it takes time and planning. We often think of hacking as a quick in-and-out job, but that only applies to the most trivial violations. Cyber theft on this massive scale is generally a slow, systematic and very covert job, gradually exfiltrating the target’s information assets so discreetly as not to be noticed - this is not a smash-and-grab robbery, it’s more along the lines of a long-running accounting fraud. And as such it should have been detectable and preventable. There may have been IT systems failings at MossFon - we don’t know, but there were evidently data governance and cyber security failings.
If it was a hacker, or an employee at one of MossFon’s IT suppliers, extracting the data remotely there would have been regular evidence of data leaving the company’s network, which should have aroused suspicions if anyone had bothered to look. If the exfiltration of data took a year then that would be an average of over 7 gigabytes per day, every day. It would be difficult for a systems administrator to not notice that amount of traffic on the corporate Internet connections if they were watching.
If it were an inside job, an employee copying data from the network onto USB sticks Monday to Friday, they would need to be copying twelve one-gigabyte USB sticks every day. I think such activity would be noticed in most security conscious businesses, and of course many businesses have their PCs “locked-down” to prevent such theft.
Bluntly, however you look at the problem, somebody got away with a data theft of such huge volume that it should have been blindingly obvious, under the noses of the company, for over a year.
At a guess, a major part of the leak has been data from MossFon’s document management system - the archive of documents, written communications and KYC (know-your-customer) records that almost all regulated finance sector firms keep both for their operational records and to fulfil regulatory requirements and protect themselves.
As I wrote last year, company boards need to ask three questions of themselves and their IT professionals:
- Have we done all that can reasonably be done to prevent unauthorised access to our systems?
- Have we done all that we reasonably can to prevent data being taken out of our systems?
- Are we watching all the time to see if anyone is trying to steal data from us?
That last question is key. No security is foolproof, assuming that one’s defences are impenetrable is simply naive; so do you know who is accessing what data? A large proportion of staff in MossFon or any similar business are entitled to, and need to, access the company’s customer records - how else can they provide customer service? It may be that a busy customer service agent needs to access up to a couple of hundred documents a day - at such a rate it would take them over 250 years to access the 11.5 million documents stolen from MossFon. To steal the 11.5 million documents in a year an employee would need to access around 50,000 documents each working day.
Preventing this scale of theft is in general remarkably easy - log all access to data files, check those logs, and the massive and uncharacteristic demands of the thief will be immediately exposed. Monitor the network traffic leaving the company and it will soon be apparent that large volumes of data are inexplicably being shipped outside. These are large scale activity logs, but small in comparison with the volume of data held in the systems. Thefts like this should be detected on day one because they necessitate behaviour which is totally uncharacteristic of a normal worker.
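The two checks described above, written out as an added example (not code from the article): per-user daily document counts from an access log compared with the “couple of hundred a day” baseline, and daily outbound volume compared with the preceding days’ median. The log lines, the egress figures, the 500-document ceiling and the 3x egress factor are all constructed assumptions for the example.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Ceiling derived from the article's arithmetic: a busy agent reads a couple of
# hundred documents a day; draining 11.5M documents in a year needs ~50,000 a day.
MAX_DOCS_PER_USER_DAY = 500  # assumed tolerance above the ~200/day of a busy agent

def parse_access_log(text):
    """Parse constructed CSV lines 'date,user,document_id,bytes' into dicts."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=["date", "user", "doc", "bytes"])
    return [{**row, "bytes": int(row["bytes"])} for row in reader]

def document_outliers(rows, ceiling=MAX_DOCS_PER_USER_DAY):
    """Count distinct documents per (user, day); return those over the ceiling."""
    seen = defaultdict(set)
    for row in rows:
        seen[(row["user"], row["date"])].add(row["doc"])
    hits = [(u, d, len(s)) for (u, d), s in seen.items() if len(s) > ceiling]
    return sorted(hits, key=lambda h: -h[2])

def egress_outliers(daily_bytes, factor=3.0):
    """daily_bytes maps date -> outbound bytes at the perimeter. Flag any day whose
    volume exceeds `factor` times the median of all earlier days (min. 3 days)."""
    alerts, history = [], []
    for day in sorted(daily_bytes):
        vol = daily_bytes[day]
        if len(history) >= 3 and vol > factor * median(history):
            alerts.append((day, vol))
        history.append(vol)
    return alerts

def make_sample_log():
    """Constructed sample (not real data): two agents at normal volume and one
    account pulling 5,000 distinct documents in a single day."""
    lines = [f"2015-03-02,alice,DOC-{i:06d},30000" for i in range(180)]
    lines += [f"2015-03-02,bob,DOC-{1000 + i:06d},30000" for i in range(40)]
    lines += [f"2015-03-02,ghost,DOC-{50000 + i:06d},250000" for i in range(5000)]
    return "\n".join(lines)

# Constructed daily outbound volumes: about 1 GB/day, then the article's 7 GB/day.
SAMPLE_EGRESS = {"2015-03-01": 1.1e9, "2015-03-02": 0.9e9, "2015-03-03": 1.2e9,
                 "2015-03-04": 1.0e9, "2015-03-05": 7.2e9}
if __name__ == "__main__":
    for user, day, n in document_outliers(parse_access_log(make_sample_log())):
        print(f"{day}: {user} read {n} distinct documents (ceiling {MAX_DOCS_PER_USER_DAY})")
    for day, vol in egress_outliers(SAMPLE_EGRESS):
        print(f"{day}: {vol / 1e9:.1f} GB outbound, over 3x the prior daily median")
```

Both checks run on aggregates that are tiny compared with the data they protect, which is the article’s point: the summary log is cheap to keep and cheap to read every day.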
Having dealt with the normal workers and the hackers, all that is left is the abnormal workers - the IT specialists. IT staff are the only people who should ever have a need to access such large volumes of data, and with the exception of the data backup processes even the IT systems administrators should rarely need to work with data in these volumes. Of course in most organisations IT security is in the hands of the IT specialists, leading to the age-old question Quis custodiet ipsos custodes? (who watches the watchmen?). The logical answer is to give security responsibility to someone who cannot themselves access the company’s crown jewels, and have them monitor the activity logs. A dishonest IT systems admin who is also a thief will be able to falsify most standard system logs to cover their own tracks; however, an honest systems admin can usually devise methods to ensure that even if the standard system logs are tampered with there is still an independent secure record held on another system.
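One way to build the “independent secure record on another system” just described, as an added example rather than anything from the article: a log collector that holds a key the administrators do not have keeps an HMAC chain, one link per forwarded entry, and any later edit, deletion or truncation of the primary log shows up as the first link that no longer matches. The key, the log entries and the field names are constructed for the example.

```python
import hashlib
import hmac

# Assumed: only the independent log collector holds this key, so an administrator
# who can edit the primary log cannot recompute the chain. Value is constructed.
COLLECTOR_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64

def link(prev, entry, key=COLLECTOR_KEY):
    """One chain link: HMAC over the previous link and this log entry."""
    return hmac.new(key, (prev + "\n" + entry).encode(), hashlib.sha256).hexdigest()

def build_chain(entries, key=COLLECTOR_KEY):
    """What the collector stores as each entry arrives: a list of links, one per entry."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = link(prev, entry, key)
        chain.append(prev)
    return chain

def first_tampered_index(entries, chain, key=COLLECTOR_KEY):
    """Recompute links from the primary log as it now stands and compare them with
    the collector's chain. Return the index of the first disagreement (an edited or
    deleted entry, or where a truncated log ends), or None if the two agree."""
    prev = GENESIS
    for i, (entry, expected) in enumerate(zip(entries, chain)):
        prev = link(prev, entry, key)
        if not hmac.compare_digest(prev, expected):
            return i
    if len(entries) != len(chain):
        return min(len(entries), len(chain))
    return None

# Constructed primary log: one ordinary read and one high-volume account's reads.
PRIMARY_LOG = [
    "2015-03-02T09:00:01 user=alice action=read doc=DOC-000001",
    "2015-03-02T09:00:05 user=ghost action=read doc=DOC-050000",
    "2015-03-02T09:00:06 user=ghost action=read doc=DOC-050001",
    "2015-03-02T09:01:00 user=bob action=read doc=DOC-001000",
]

if __name__ == "__main__":
    chain = build_chain(PRIMARY_LOG)
    print("clean log:", first_tampered_index(PRIMARY_LOG, chain))
    deleted = PRIMARY_LOG[:1] + PRIMARY_LOG[3:]   # admin removes the ghost entries
    print("ghost entries deleted:", first_tampered_index(deleted, chain))
    edited = PRIMARY_LOG[:1] + [PRIMARY_LOG[1].replace("ghost", "alice")] + PRIMARY_LOG[2:]
    print("ghost entry rewritten:", first_tampered_index(edited, chain))
```

The chain only proves that the primary log differs from what the collector received; entries never forwarded in the first place are a separate gap, which is why the collector should receive events directly rather than via a copy the administrator controls.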
What it all comes down to is mindset. Most of us, when building systems and processes, both in IT and in the business, are focused on delivering the business functionality we need at a reasonable cost. We don’t think hard about security, and we don’t relish spending a lot of cash and effort on it. The state of mind which prioritises security as equal to business functionality is rare; commercial pressure on everyone from the CEO down is to do business and make profit. Which is why Cyber Risk must be a board issue - only the board can reasonably demand that profit is sacrificed in return for security. If the board has one job it is to make the judgement of balance between risk and reward.
Cyber risk needs to be on your board agenda, especially if you’re in the finance, legal or fiduciary sectors. The questions asked need to be more than passively seeking assurance of the executive and IT, they need to be imaginative “what if” enquiries made with a high-level understanding of the company’s IT. “You say our systems are all protected by robust firewalls, but what if someone did manage to access our email system, how would you detect them and how long would it take?” etc. Only then will you start to expose the weaknesses in your security and hear the excuses as to why better security is unaffordable or impractical.
Three things I am sure of: the MossFon leak was preventable, the cost of prevention would have been minor in the context of the damage to the firm, and the Isle of Man is on the hit list for a similar leak.