Are you cheating on your spouse? Then you might be highly concerned about your privacy being compromised, or about your partner obtaining information about your escapades. Ashley Madison, an online dating site with the tagline “Life is short, have an affair” that caters to individuals wanting to have an affair, recently found its database security breached and considerable user data stolen by a group of self-styled hackers named the Impact Team.
The motive appears to be vengeance on the part of the Impact Team. Avid Life Media (ALM), the company that owns Ashley Madison, offered a profile deletion service for $19. However, the Impact Team alleged that this was a scam, in which ALM did not actually delete the user details completely after taking the money. The hackers demand that ALM completely take down or deactivate Ashley Madison and another ALM-owned site, Established Men. If not, they would reveal the user accounts, causing a lot of embarrassment to users and the company.
If you are an avid internet user, it is likely that your personal data is held by a number of organizations with which it has been shared. Therefore, the question comes up: is your data secure on the internet? Are companies that have your data cheating you and sharing your information without your knowledge? What would you do if your data were compromised?
From the perspective of enterprise IT and security professionals, these questions are critical and need to be addressed. All organizations are vulnerable to attacks on their data, although their levels of vulnerability differ. An attacker may already have entered the company network and be planning to attack at any time without enterprise IT being aware of it, and that poses considerable danger. The attacker’s intent may vary, from compromising accounts for financial gain to extortion, as in the case of Ashley Madison.
Extortion for ransom is a huge risk that enterprises need to plan for. On the one hand, if they pay, they cannot be sure that the hackers will honor what they committed to, or that they will not extort them a second time. On the other hand, if they do not pay, they expose themselves to the risk of facing the hackers’ wrath.
Mitigating extortion-related risks involves understanding the hackers’ motivation and taking appropriate remedial steps. Enterprise IT needs to understand which assets the hackers would be interested in, and how much effort it would take or how difficult it would be for them to get those assets. Answering the first question ideally involves understanding the hackers’ mindset, which could center on items with monetary value such as credit card numbers. If there are political motivations, organizations have to be cautious and preempt such moves with a risk response strategy.
In contrast, the Impact Team does not seem inclined toward financial gain, nor does it have any political ambitions. Instead, it is driven by moral outrage.
Another lesson from this breach for users and organizations is that they must protect all their sensitive data, whether or not it has financial relevance. Today, companies usually know to protect personal information, passwords, keys or access credentials, and any secrets related to intellectual property (IP). An extortionist hacker would crave all kinds of confidential information besides financial data, as they would essentially want to embarrass the organization.
The traditional approach to administering security is not effective. In the case of Ashley Madison, it seems that a privilege was compromised from the inside, rather than access being gained from the periphery. The insider’s role in breaching security is an ongoing challenge, and data security can often be breached if user roles and definitions are not properly designed, or if tasks are not distributed with information security in mind. With more and more organizations moving to cloud infrastructure, it is important to review the security that the cloud vendor or provider offers.
Considerations include the following. Has the provider obtained and renewed its information security infrastructure certification? Has it recently conducted security assessments such as vulnerability assessment or penetration testing, and what were the findings? How is the infrastructure secured from a physical perspective, and what kind of access is available? This needs to be validated. Are the user ID, password and all relevant information encrypted before being stored in the database? What are the provisions for data backup, and is there a plan for, and experience in performing, Business Continuity Planning (BCP)? If there is a disaster, how would the company react? Will there be any data loss in case of a disaster?
The hack at Ashley Madison has taught the lesson that one must thoroughly protect network infrastructure, physical infrastructure, and user access. However, would all these activities really help to prevent networks and sites from being hacked?
In the comic book “The Private Eye”, a future event is an “Apocalyptic Flood”: a flood caused by the leakage of everything on the internet. Are we going to make our internet more secure, or wait for the flood of private data to deluge us completely?