Tuesday, April 5, 2016

E-mail security and risk assessment

TL;DR: If you are running any shady business that could cause heavy worldwide negative impact when leaked, use something other than email for communicating.

The colossal data leak of the Panamanian law firm Mossack Fonseca raises more than just eyebrows. It raises the question of why data claimed to be "top secret" is transferred over email at all.

If the leaked data is truly from the mail server (which I do not believe), it shows that the law firm and their clients are either poorly informed about email insecurity or could not care less. If the firm and their clients are running shady business, they screwed up the risk assessment pretty badly.

My thoughts are based on these conditions:

  • Avoiding taxes or laundering money
    • do not get caught
  • Using email for customer communications
    • emails are liable to be exposed
  • A large amount of customer data in the email server
    • you are going to lose it all at once
  • Losing a large amount of tax-avoiding customers' communication at once
    • you have a problem
  • If you have a problem from losing "only emails"
    • your emails were enough to sink you

The risk score is usually calculated as likelihood * impact. This is quite simplified, but it is the most common way to do it. You need solid asset management in place before the risk assessment, because you cannot score what you have not inventoried.

The assets

If the leak consists only of emails and attachments, then the law firm and its clients did not understand the value of their emails, or at least their potential negative value.

Even without the attachments, an email exposes both counterparts of the communication, the time, the location and the content of the message. And even if the content is encrypted, the other data (the metadata) is still exposed. The metadata of a large number of messages alone gives a pretty good understanding of what your business is, who your counterparts are, and when and how often you interact. And when you map this data against publicly available financial or political data, it becomes quite easy to establish causal relationships.
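To make the metadata point concrete, here is an added example (not code from the original post) that runs over a constructed mailbox whose bodies are treated as opaque ciphertext. Only the From, To, Date and Received headers are read, yet the script recovers who talks to whom, how often, over what period, at which hours, and from which hosts. The addresses, IPs and timestamps are invented for the demonstration; it is the kind of check a defender can run against an exported mailbox to see what an attacker would learn from the headers alone.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mailbox (not real mail): every body stands in for an
# encrypted payload, so only the headers are available to the analysis.
SAMPLE_MAILBOX = [
    "From: alice@lawfirm.example\nTo: bob@holding.example\n"
    "Date: Mon, 04 Jan 2016 09:12:00 +0000\n"
    "Received: from mail.lawfirm.example ([192.0.2.10]) by mx.holding.example\n"
    "\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
    "From: bob@holding.example\nTo: alice@lawfirm.example\n"
    "Date: Mon, 04 Jan 2016 10:05:00 +0000\n"
    "Received: from mx.holding.example ([192.0.2.20]) by mail.lawfirm.example\n"
    "\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
    "From: alice@lawfirm.example\nTo: bob@holding.example\n"
    "Date: Thu, 14 Jan 2016 09:40:00 +0000\n"
    "Received: from mail.lawfirm.example ([192.0.2.10]) by mx.holding.example\n"
    "\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
    "From: alice@lawfirm.example\nTo: carol@offshore.example\n"
    "Date: Tue, 02 Feb 2016 16:20:00 +0000\n"
    "Received: from mail.lawfirm.example ([192.0.2.10]) by mx.offshore.example\n"
    "\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
    "From: carol@offshore.example\nTo: alice@lawfirm.example\n"
    "Date: Wed, 03 Feb 2016 08:02:00 +0000\n"
    "Received: from mx.offshore.example ([192.0.2.30]) by mail.lawfirm.example\n"
    "\n-----BEGIN PGP MESSAGE-----\n(opaque)\n-----END PGP MESSAGE-----\n",
]

# Bracketed IPv4 literal as it appears in a Received header.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_metadata(raw_message):
    """Return the envelope facts that stay readable when the body is encrypted."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    origins = [ip for hdr in received for ip in IPV4_IN_BRACKETS.findall(hdr)]
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "when": parsedate_to_datetime(msg["Date"]),
        "origin_ips": origins,
    }


def relationship_profile(raw_messages):
    """Aggregate per counterpart pair: volume, active period, busiest hour, origin hosts."""
    profile = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "hours": Counter(), "origin_ips": set()})
    for raw in raw_messages:
        meta = extract_metadata(raw)
        # Direction is dropped: the pair is the relationship regardless of who wrote.
        pair = tuple(sorted((meta["from"], meta["to"])))
        entry = profile[pair]
        entry["count"] += 1
        when = meta["when"]
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        entry["hours"][when.hour] += 1
        entry["origin_ips"].update(meta["origin_ips"])

    summary = {}
    for pair, entry in profile.items():
        summary[pair] = {
            "count": entry["count"],
            "span_days": (entry["last"] - entry["first"]).days,
            "busiest_hour_utc": entry["hours"].most_common(1)[0][0],
            "origin_ips": sorted(entry["origin_ips"]),
        }
    return summary


if __name__ == "__main__":
    for pair, facts in relationship_profile(SAMPLE_MAILBOX).items():
        print(pair, facts)
```

Nothing in the bodies was decrypted, yet the output already names the law firm's counterparts, shows a ten-day exchange with one of them and a one-day exchange with another, and ties each party to a mail host. Scale this from five messages to a decade of mailbox history and the "encrypted" archive is a complete map of the business.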

Let's break down the impact in this case.

We can estimate the size of the impact in reverse, because it is visible in the news all over the world. The people and companies involved are dodging the negative impact with varying success.

[Photo caption: Sigmundur Davíð Gunnlaugsson will remain as the leader of his Progressive party, and early elections are a possibility. Photograph: Birgir Por Hardarson/EPA. Source: The Guardian]
The prime minister of Iceland resigned due to the revelation of his family business in a tax haven. Resignation from the prime minister's position is an impact that should hit the top rank in the impact score. The negative impact score, that is.
Analyst's recommendation:

Well, I guess the prime minister:
a) did not make a risk analysis, or
b) failed in the impact analysis, or
c) took the risk of trying his luck against the likelihood.

My academic estimate is that he ruined both his political and business career soundly. This is the materialized impact.

The law firm impact:
If the law firm is helping its clients to cover their shady business, the law firm can run that business as long as it is kept out of the newspapers. The other way round: "we are out of business if we or our clients get caught". Well, they did. If one of your clients gets caught, you might have a problem. If you lose them all... Any law firm should understand its role and provide secure means for its clients; otherwise the law firm wouldn't be trustworthy -> game over.
The standard recommendation for a risk analysis conclusion that ends in going out of business: AVOID IN ALL CIRCUMSTANCES.

The law firm:
a) did not make a risk analysis, or
b) failed in the impact analysis, or
c) took the risk of trying their luck against the likelihood.

If both the law firm and their clients shared the risk impact, shouldn't they have done something about it? Usually, if a company or a client sees that the other party could cause top-scale damage, there would be at least twenty-four pages of legal jargon about it in the contract.

And then the likelihood

It would be easy hindsight to say that the likelihood in this case should also be at the top. Let's try a slightly more analytic approach. If the client data was sitting in the email server database, it was exploitable. And if it was exploitable, it was only a matter of time before it was milked out.

One of the biggest failures of using an email server as a container for classified customer data is that it is connected to the internet. It has a connection even if it sits behind multiple security layers; that is the nature of email over the internet. The boundary protection is mostly adequate for regular companies, but if the profit from hacking is high enough, then all the firewall, antivirus and SIEM systems are only a hindrance, not a barrier.

The likelihood rises with a widely varied client security culture. Sometimes it takes only one weak spot, and all the other countermeasures are useless. And usually the weakest link is the human. I wouldn't bet that all of the law firm's clients have state-of-the-art security systems. Not even 1% of them.

Information that could cause huge-scale damage when exposed should be classified, and the classification should trigger additional security measures in proportion to the size of the damage. For instance, NATO CONFIDENTIAL documents are kept in totally separated systems: no attack surface, no public exposure. This is how governments usually do it. But businesses seldom do, because extra security costs money and cuts into your share.

It is said that running a business is a risk - this is one of them.


I used to be a security consultant, and some of my clients were FORTUNE 500 businesses. Mostly only the government clients were concerned about what kind of information I store on my laptop and how I protect the email. It is sadly common that email is widely used for transferring company strategic data.

If you store customer data, protect it better than yours. If you release your data to a service provider, demand that it protects it better than you can.

If you store confidential data of your customers, be sure that a hack into your own system does not expose your client data. Be sure that if you fail to protect one customer's data, you do not let all the other customers' data leak at the same time.

Be sure.