It all began in June 2015: an anonymous tip-off led to an investigation of transactions worth billions of dollars, flowing from the Japanese Yakuza, the Russian Mafia, the Sicilian Mafia, and weapons and drug dealers on one side to prominent people such as the Prime Minister of Iceland and the movie star Jackie Chan on the other, in yet another historic data breach.
Come April 2016, approximately 2.6TB of data comprising 11.5 million documents from about 240,000 companies came to light, exposing companies such as BHP Billiton and Wilson Security and over 800 individuals in Australia alone. Of course, Africa was not left out of the story, with expected names such as James Ibori of Nigeria, José Maria Botelho de Vasconcelos of Angola, Clive Khulubuse Zuma of South Africa and a dozen or so other names being implicated in the scandal.
Whilst this breach sits well within the right moral compass, it is yet another example of how vulnerabilities in applications and devices can be exploited by hackers to bring an organization to its knees. The occurrence begs the question: how real are the threats out there, and what should organizations be doing to prevent this from happening to them?
Whilst this leak is seen as a job well done on the part of investigative journalism, and perhaps as a good tale of the secrets of the super rich and corrupt, I would like to twist the perspective slightly so that we can see it as another tale of how vulnerabilities were exploited to bring down a top-notch legal firm in Panama, Mossack Fonseca. This write-up shies away from the moral obligations of Mossack Fonseca (whether or not they were within their moral rights to transact the way they did is an entirely different subject of conversation) and instead examines what they should have done, or should be doing, to safeguard their almost 2.6TB of data.
Like the controversial law firm Mossack Fonseca, many organizations continue to live in negligence of the fact that vulnerabilities are discovered every day; in fact, the number of vulnerabilities continues to grow exponentially with the information assets generated across the landscape. These vulnerabilities thrive within applications, whether open source applications or, even worse, business-critical applications such as SAP and PeopleSoft, as well as within the other devices and infrastructure used to achieve and maintain business process excellence. More often than not, many organizations even choose to live in the illusion that Africa does not experience cyber-attacks and therefore need not worry about anything significant.
History will have it that in 2014 the American Bar Association (ABA) published a legal technology report on cybercrime and warned legal firms of potential hacks, but as events turned out, Mossack Fonseca did nothing! A trend that is common to most corporates in Africa.
Alas, organizations are aware that they ought to update and patch all software applications and servers within their landscape, but they do not. Some reasons are a lack of capability or knowledge to do so; others are a fear of kernel issues after a patching exercise; and many others are a naive trust in manual processes, thereby skipping the vitals and unfortunately exposing themselves. The question then is: what can be done to help the case beyond patching? In some respects, I would say forward-thinking organizations can do the following:
- Institute a responsive Cyber Incident Response Team (CIRT) that has the capability, methodology and executive support to react to both internal and external tip-offs about their vulnerable infrastructure. From a process perspective, this CIRT should report directly into the dual offices of the CISO and the CFO.
- The CIRT can develop a workable framework, or leverage existing frameworks, that helps outsiders report vulnerability findings to the organization. In our experience, external tip-offs are often met with resistance: the moment a vulnerability is reported to an organization, half the time the whistle-blower is automatically tagged as being in the wrong. This practice only leads to silence on the part of external tipsters, whose reports organizations could have leveraged to make their security posture formidable.
- In the absence of a responsible disclosure framework, the CISO/CIO should be open-minded enough to receive both external and internal information on the organization's cyber security posture.
- Above all, make efforts to be proactive and continuously monitor the state of your security, especially at the application layer, and especially for business-critical applications such as SAP and PeopleSoft, or even those built on open source.
These four pointers cannot be over-emphasised, and I welcome your thoughts to this end. We should always bear in mind that the “bad guys” will never report the vulnerability to you. To win this cybersecurity war, organizations, corporates and software vendors alike, need to keep a collaborative and open mind towards security researchers in order to combat the security challenges within their organizations.
In conclusion, the story of the Panama Papers highlights, on one hand, the use of cyber techniques to aid investigative journalism and, on the other, a hard lesson for organizations that automate their processes by depending on IT but miss out on continuously monitoring their cyber security risk, doing nothing until a breach occurs.