If you have the Internet, which presumably you must if you’re reading this, you’ve no doubt run across stories about the Panama Papers leak. The revelation of an estimated 2.6-terabyte leak of data given to the press may have you cheering the downfall of the politicians wailing for changes in tax policies.
This situation is unfolding because data was stolen.
As days pass, Mossack Fonseca is likely being poked and prodded by hackers and white hat curiosity seekers to see what they can find. In their post, occupytheweb calls out some fairly basic security issues, such as not updating Outlook (since 2009) or Drupal, which hosts the firm’s website (since 2013). If Mossack Fonseca, the fourth-largest “asset protection” law firm in the world, isn’t keeping up with security, what is the likelihood that other firms are taking appropriate steps to protect sensitive client data?
A 2015 Bloomberg Businessweek story reports that 80% of US law firms have been hacked since 2011.
For one, the type of data they hold makes them a target. Imagine what could be done with patent details, merger and acquisition intelligence, and pending litigation information. Add to that the fact that legal firms see security as a technology issue rather than a business issue, spending as little as possible on precautionary measures. But when (not if) a firm is breached, the consequences will be devastating.
It all comes down to this: if you have sensitive data, you need to protect it. If you’re not sure how to protect it, or where you may be vulnerable to outside attackers, it’s time to look at what you have and how it can be used against you. One of the most eye-opening ways to do this is through a red team engagement.
A goal-based adversarial testing process, red teaming evaluates the ability of an organization’s people, processes, and technologies to withstand a targeted attack.