Chris Russell, CTO, Swivel Secure
In November 2014, Ashley Madison, a notorious website that facilitates extramarital affairs, boldly claimed that it was ‘the last truly secure space on the internet’.
In July 2015, a group of hackers announced that it had obtained the account details of 32 million users and demanded that the website, and its parent company Avid Life Media, immediately cease trading. Avid Life Media did not comply, and in August, the hackers released over 20GB of deeply personal, compromising data.
Three months down the line, the fallout from the leak still continues to rumble on. It may not be the largest of data breaches, but the nature of the website means that it has been one of the most damaging.
The whole affair, to pardon the pun, is such an omnishambles that it is hard to know where to even begin. Put it like this, if Ashley Madison was the last truly secure space on the internet, we all might as well go home.
The central failing by Avid Life Media was the fact that cybersecurity simply was not taken seriously enough. Senior executives recognized that a data breach would be catastrophic, and were concerned about a ‘lack of security awareness across the organisation’. Yet, security was seen as ‘an afterthought’ to business concerns. One employee recommended utilising encrypted messaging. The response? ‘What’s the business opportunity?’ Data breaches suffered by other similar sites, were not taken as wake-up calls, but rather as PR opportunities to boast ‘how much better our site’s ratio of men to women is’.
At best, this laissez-faire attitude implies a fundamental misunderstanding of the need to take a risk-based approach to security. At worst it suggests that the firm wilfully chose to ignore ‘risk’ entirely.
Taking a risk-based approach isn’t rocket science. It involves assessing the risk associated with a particular threat, working out how much damage it could cause the business and applying strict policies that are commensurate with its potential to damage the firm. In this case, the risk was clearly high, given that hackers had already attacked other dating sites, so surely Ashley Madison recognised that a breach would be catastrophic, yet it did nothing to mitigate the chances of a breach.
There are exceptions to the rule, but this isn’t one of them. Occasionally there is a place for a risk based decision not to apply mitigations to a high risk threat – if there are bona-fide business reasons not to do so, for example. This circumstance is rare, however, and should never apply to a high risk threat where the potential outcome is ‘catastrophic’.
What Ashley Madison did do was follow several poor internal policies. A striking fact about the breach is that although users’ passwords were encrypted (that this was done badly is for another blog on another day), other tantalisingly incriminating details such as names, addresses, credit card details and sexual preferences were all stored in plain-text on the company database.
On a website as compromising as Ashley Madison, it seems inconceivable that nobody recognised that the personal details of its users should also be encrypted, never mind that it also fails to be PCI-DSS compliant. Even the hackers admitted said they couldn’t believe their luck. This inability to recognise the value of its own data is indicative of an organisation that had no considered cybersecurity strategy.
Don’t get caught with your trousers down
So, what can we learn from the Ashley Madison hack?
At the heart of the issue is the fact that the value of data is inherently contextual. In may be tempting to assume that the data’s main value is financial. So that, for example, credit card details are more important than names and addresses. In this case, however, it’s a fairly safe bet that Ashley Madison’s customers valued the confidentiality of their names and addresses over their credit card details. As a consequence, a one-size-fits-all approach to cybersecurity is simply no longer adequate.
It is imperative, therefore, that IT and IS departments take a holistic view of their entire enterprise, assess what is ‘business-critical’ and then apply risk assessments and strict policies that must be adhered to at all levels. This will enable them to implement measures that work best for their individual business structure, rather than hoping that a generic approach will be sufficient. Because one thing is for sure; it won’t be.