Why Compliance is not Security

Today we learned about Mossack Fonseca being a law firm that acted for companies wishing to handle finances in a given way.

However, take the ethics out of the equation and look at what has just happened: it was a data breach.

Someone took that data and handed it out. Who?

So, having never heard of them, I started to look into the company – just by browsing their website to see who they were – and asked myself: why does one law firm hold all the data for everyone doing this kind of financial dealing?

It then struck me – they are a law firm, so they should understand compliance. Let’s go and see what compliance they list. I am unsure of the requirements in Panama, but I am sure there is some kind of ‘best practice’.

Sure enough, there is a link to their ISO certificates:

http://www.mossfon.com/about-service/awards-achievements/

Are you suitably impressed? ISO9001:2008 … except that this accreditation only says that they have some idea of their business processes, and NOT that they have any form of security position around those processes; that is what ISO27001:2013 covers.

As @TroyHunt quipped on Twitter – but the logo does have a tick in it!

Troy Hunt: https://twitter.com/troyhunt/status/716947619201683457

I also wonder – will Mossack Fonseca have this breach listed as a Corrective Action? One for the auditor to have asked about in February at their re-certification?

http://www.mossfon.com/wp-content/uploads/2014/02/certificados-ISO-Anab-y-Ukas-2013_2016.pdf

Did they have any data security? Well yes, there is a whole page dedicated to it:

http://www.mossfon.com/about_service/data-security/

[Image: Mossack Fonseca’s Data Security page]
</gre_replace>
<gr_replace lines="42" cat="clarify" orig="And here-in">
And herein lies the problem. As is now being found out, they do indeed use SSL, but it appears to be not from Verisign but from another provider, and it was apparently only just renewed (during the window in which the breach happened):

And here-in lies the problem. As is now being found out, they do indeed use SSL, but, it appears to be not from Verisign but from another provider, and apparently was just renewed (during the window when the breach happened) :

https://twitter.com/Sp1l/status/716960015144337408/photo/1?ref_src=twsrc%5Etfw

So the big question is – was the data secured?

The adage goes:

Compliance does not equal security, and,
Security does not equal secured.

They were certainly compliant – they hit the minimum required to reach the given standard, in this case ISO9001. This does not mean that fully effective measures were put in place to protect themselves – they could have taken on other ISO accreditations and so on. However, financial and resource pressures normally push this so far down the to-do list that it rarely happens.

They also demonstrated security – i.e. the act of looking at how to secure data and information. However, for them, the least-cost model appears to be in place, and at the moment it looks like they went for a simple SSL certificate to protect themselves. This does not mean the data was secured. Secured means that appropriate controls are in place to keep the integrity of the data intact, keep it confidential to all but those required to see it, and keep it appropriately available. This, I am fairly sure, does not appear to be in place here.

It’s too late for them, but when you next see a breach, think to yourself:

  • Do you hold your data in a secure way?
  • What security are you using?
  • How do you know it is effective?
  • Does it go far enough?
  • Do you comply with the relevant standards?
  • Can you be more secure?
  • Can the C-suite help any further to put appropriate resources in place to make you more secure?

Thanks all, and I wish the IT and compliance guys at Mossack Fonseca good luck in sorting this out.
