The Panama Papers, a collection of 11.5 million files leaked from Panama-based law firm Mossack Fonseca, have gone live online. The documents show in blistering detail exactly how the world’s 1 percent – including Russian president Vladimir Putin – manipulate secretive offshore wealth. Here to comment on this news is cyber security expert Philip Lieberman, President of Lieberman Software.
Philip Lieberman, President of Lieberman Software:
“Irrespective of the data itself and its implications, we have seen a general increase in the cyber defense readiness of many law firms in the USA. Outside the USA there has been little interest by foreign law firms in investing in cyber security and for mounting competent cyber defense capabilities. This fact is of great value to many criminal and nation state activities in the exploitation of weak security within law firms. One should ask the value of confidentiality with a law firm if a hacker or nation state penetrates their perimeter and has full administrator access to all of the systems within a company. Further, how could a law firm make a client whole or even provide for their own defense if the breach was caused by their neglect, incompetence and greed?
Clearly we have seen in many cases of cyber-attacks that the force majeure defense (unanticipated and impossible to protect from event (act of God)) only applies in a very tiny fraction of companies that have excellent cyber defense capabilities. As lawyers are gleeful to explain: ignorance of the law is no defense, but this case provides a new maxim: ignorance of competent cyber defense processes and technology is no excuse for allowing outside criminals and nation states access to your clients’ data.
The implications of law firm breaches are mind boggling since parties within lawsuits provide full disclosure of their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking an appropriate law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and provide a way to blackmail a person based on information not publicly known.
In the case of foreign or illegal transactions, the files of law firms may contain account numbers, PIN codes, passwords and other elements of accounts that may be exploited by an attacker. Many clients rely on the sanctity of confidentiality to keep their business secret, avoid taxes and potential incarceration.
The lesson that clients should learn here is that it is up to the client to inspect the cyber warfare capabilities of their law firm and if there is little to show, then they should consider their confidentiality blown. Clients should not be comfortable with assurances that everything is fine or that the law firm has passed their audits. Audits do not test the ability of a law firm to sustain its security when attacked.
Clients should ask their firms about whether they are regularly penetration tested by different firms, have segregated networks, use multiple levels of cryptography, use air gapped networks, use an automated privileged access and privileged identity management system to rotate all sensitive passwords on every system every 2-24 hours worldwide.
There are some law firms with excellent automated and adaptive cyber defense capabilities, but many are stuck in the dark ages of wigs, candles to read by, and quill pens to write with. Clients deserve modern and properly funded cyber defense capabilities from their law firms – they are certainly paying more than enough to law firms for them to have proper defenses.
It is inevitable that there will be a law firm breach that will result in the bankruptcy of one or more law firms for gross incompetence, negligence, and malpractice as a result of a cyber-attack. In the future, law firm partner disbarment could occur as a result of a lack of fundamental law firm security as the courts evaluate what normal and reasonable care should be for attorneys that use Internet connected systems.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.