In November last year, the Ashley Madison website boldly claimed that it was ‘the last truly secure space on the Internet’, states Chris Russell. Come July this year, a group of hackers announced that it had obtained the account details of 32 million users and demanded that the website – and its parent company Avid Life Media – immediately cease trading. Avid Life Media didn’t comply with that request and, in August, the hackers duly released over 20 GB of deeply personal and potentially compromising data.
Three months down the line, the fall-out from the data leak continues to rumble on. This episode may not represent the largest of data breaches, but the nature of the website attacked means that it has undoubtedly been one of the most damaging.
The whole affair could be labelled an omni-shambles so it’s hard to know where to even begin an assessment. Put it like this. If Ashley Madison was indeed ‘the last truly secure space on the Internet’ then all of us might as well pack up and head for home.
Observing events from the outside, the central failing by Avid Life Media would appear to be that the subject of cyber security simply wasn’t taken seriously enough. Senior executives recognised that any data breach would be catastrophic, and were actively concerned about a ‘lack of security awareness’ across the organisation, yet security was seemingly viewed as something of an ‘afterthought’ in terms of business concerns.
One employee apparently recommended using encrypted messaging. The response? “What’s the business opportunity?” Data breaches suffered by similar websites don’t appear to have been taken as wake-up calls, but rather as PR opportunities to boast ‘how much better our site’s ratio of men to women is’.*
At best, the adoption of such a laissez-faire attitude would seem to imply a fundamental misunderstanding of the need to take a risk-based approach towards security. At worst, it might suggest to some that the company wilfully chose to ignore the topic of ‘risk’ entirely.
Risk-based approach to security
Taking a risk-based approach to security isn’t rocket science. It involves assessing the risk associated with a particular threat, working out how much damage this could cause the business and applying strict policies that are commensurate with that threat’s potential to damage the company.
In this case, the risk was clearly high, given that hackers had already focused their efforts on other dating-based websites. Surely Ashley Madison recognised that any breach would be seismic? Yet it would appear nothing was done to mitigate the chances of such a breach occurring.
There are exceptions to the rule, but this isn’t one of them. Occasionally, there’s a place for a risk-based decision not to apply mitigations to a high risk threat – if there are bona fide business reasons not to do so, for example.
Such a circumstance is rare, however, and should never apply to a high risk threat where the potential outcome is ‘catastrophic’.
Commentators might suggest that what Ashley Madison did do was follow several poor internal policies. A striking fact about the breach is that although users’ passwords were encrypted (that this process appears to have been badly carried out is the subject matter for another blog on another day), other tantalisingly incriminating details such as names, addresses and credit card details were, it seems, all stored in plain text on the company’s database.
On a website as potentially compromising as Ashley Madison, it seems inconceivable that nobody recognised the personal details of its users should also be encrypted, never mind any potential failures around PCI DSS 3.0 compliance. Even the hackers admitted they couldn’t believe their luck.
Any inability to recognise the value of its own data is indicative of an organisation that, from the outside world’s perspective, hasn’t fully considered cyber security strategy.
Lessons to be learned
What, then, can we learn from the Ashley Madison hack?
At the heart of the issue is the fact that the value of data is inherently contextual. It may well be tempting to assume that the data’s main value is financial such that, for example, credit card details are more important than names and addresses. In this case, however, it’s a fairly safe bet to assume that Ashley Madison’s customers value the confidentiality of their names and addresses over their credit card details.
As a direct consequence, a ‘one-size-fits-all’ approach to cyber security is simply no longer adequate.
It’s imperative that Information Technology and Internet Security Departments adopt an holistic view of their entire enterprise, assess what elements of the operation are ‘business-critical’ and then apply risk assessments and strict policies that must be adhered to at all levels and at all times.
This course of action will enable them to implement measures that work best for their individual business structures rather than merely hoping that a generic approach will be sufficient. One thing is for sure – it will not be.
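To make the argument of the last few paragraphs concrete, the following is an added example (not code from the article or from Swivel Secure): a small, context-driven risk assessment plus a storage-policy audit. The classification table, the protection tiers and the field names are constructed assumptions. It encodes two rules the article states: the impact of a threat is set by how much the data matters in this business's context, not by a generic valuation, and a 'catastrophic' outcome is never a candidate for risk acceptance regardless of the business reason offered.

```python
"""Constructed example: context-driven risk assessment and a storage-policy
audit. Classification values, protection tiers and field names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Impact scale, worst last. A 'catastrophic' outcome can never be
# risk-accepted, whatever business justification is put forward.
IMPACT_LEVELS = ["negligible", "minor", "moderate", "major", "catastrophic"]

# Minimum storage protection a field must have, by impact level (assumed policy).
REQUIRED_PROTECTION = {
    "negligible": "plaintext",
    "minor": "plaintext",
    "moderate": "access-controlled",
    "major": "encrypted",
    "catastrophic": "encrypted",
}
PROTECTION_ORDER = ["plaintext", "access-controlled", "encrypted"]

# Constructed classification for a site where a user's identity is the secret.
# A generic retailer would rank card_number above name; the valuation is
# contextual, which is the article's central point.
AFFAIR_SITE_CLASSIFICATION: Dict[str, str] = {
    "name": "catastrophic",
    "postal_address": "catastrophic",
    "email": "catastrophic",
    "card_number": "major",
    "password": "major",
    "profile_preferences": "moderate",
}


@dataclass
class Threat:
    name: str
    likelihood: int                    # 1 = rare .. 5 = almost certain
    fields_exposed: List[str]
    business_justification: str = ""   # reason offered for not mitigating


@dataclass
class Decision:
    threat: str
    impact: str
    score: int
    action: str                        # "mitigate" or "accept"
    reason: str


def worst_impact(fields: List[str], classification: Dict[str, str]) -> str:
    """A threat's impact is that of the most sensitive field it could expose."""
    worst = 0
    for f in fields:
        worst = max(worst, IMPACT_LEVELS.index(classification.get(f, "negligible")))
    return IMPACT_LEVELS[worst]


def assess(threat: Threat, classification: Dict[str, str]) -> Decision:
    """Score = likelihood x impact rank; decide whether acceptance is even allowed."""
    impact = worst_impact(threat.fields_exposed, classification)
    score = threat.likelihood * (IMPACT_LEVELS.index(impact) + 1)
    if impact == "catastrophic":
        return Decision(threat.name, impact, score, "mitigate",
                        "catastrophic outcome: acceptance is never an option")
    if threat.business_justification:
        return Decision(threat.name, impact, score, "accept",
                        "accepted on business grounds: " + threat.business_justification)
    return Decision(threat.name, impact, score, "mitigate",
                    "no bona fide business reason not to mitigate")


def audit_storage(storage_plan: Dict[str, str],
                  classification: Dict[str, str]) -> List[str]:
    """List fields stored with weaker protection than their classification requires."""
    violations = []
    for field_name, actual in storage_plan.items():
        required = REQUIRED_PROTECTION[classification.get(field_name, "negligible")]
        if PROTECTION_ORDER.index(actual) < PROTECTION_ORDER.index(required):
            violations.append(f"{field_name}: stored {actual}, requires {required}")
    return violations


# Constructed storage plan mirroring the situation the article describes:
# passwords protected, everything else held in the clear.
AS_FOUND_STORAGE = {
    "name": "plaintext",
    "postal_address": "plaintext",
    "email": "plaintext",
    "card_number": "plaintext",
    "password": "encrypted",
    "profile_preferences": "plaintext",
}

if __name__ == "__main__":
    exfil = Threat("bulk database exfiltration", likelihood=4,
                   fields_exposed=["name", "email", "card_number"],
                   business_justification="encryption has no revenue upside")
    print(assess(exfil, AFFAIR_SITE_CLASSIFICATION))
    for v in audit_storage(AS_FOUND_STORAGE, AFFAIR_SITE_CLASSIFICATION):
        print("VIOLATION", v)
```

Swapping in a different classification table is all it takes to model a different business: the same threat and the same storage plan produce a different set of violations, which is what a 'one-size-fits-all' policy cannot express. The audit is deliberately a pre-deployment check on the storage design rather than a runtime control; its job is to surface the plaintext-PII decision before any data is collected.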
Chris Russell is CTO at Swivel Secure