How did the breach happen?
In late July 2015, Avid Media Life Inc., the entity that owns the Ashley Madison web property, announced in a press release that the site had been compromised. The press release was more about damage control than anything else. Other than briefly mentioning “Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies”, it had little else to say.
The Impact Team, the group who announced the breach on a Tor website, had threatened to release millions of records from the Ashley Madison website's database if Avid Media Life Inc. did not close the website. Avid Media Life didn't close the website and about a month later, a huge data dump landed on the Internet and people started panicking.
Information security is a process
The specifics of the attack are not publicly known yet. This breach resulted in the leak of data related to more than 30 million accounts. This now publicly posted data about its subscribers represents a fertile database for spear phishers trying to attack business networks. When it comes to data breaches, there is no single silver bullet that can stop them. As has been said before: information security is not a product but a process; it's never over.
Data Breaches Lead To Reputational Damage for Brands
Not a month goes by without similar breaches happening. Whether it is the OPM breach, the Target breach or even smaller breaches that are not as well publicized, data breaches seem to happen at regular enough intervals that most businesses no longer wonder if they will be hacked, but when. Information security professionals tend to agree that most businesses have already been breached, but might not be aware of it. Threat actors vary in size, motivations and capabilities.
Target is still battling reputational damage as a result of its breach. The breach has had a lingering negative impact on its customer service and reputation scores. I’m not sure what Ashley Madison's reputation was like before the breach but I’m sure people will be less likely to subscribe to their services in the future.
The next time you are about to store sensitive information on-line, stop, and ask yourself the following questions...
- Would I be affected if this information became public?
- Could I recover from such a breach?
- Do I really need / want to use this service?
Analyzing risk - develop your company’s version of risk analysis
Risk management looks at each security threat separately. First, it assigns an annualized rate of occurrence (ARO) to the threat - the likelihood that it occurs within a year. The risk is the monetary loss expected from the threat occurring. This is called the single loss expectancy (SLE). Multiplying the ARO and the SLE yields the annual loss expectancy (ALE) for each threat. Given this figure, management can decide to do one or a combination of the following to handle the associated risk:
1. Risk avoidance – Policy precludes any activities that lead to the threat. Most threats are not easily avoided. For example, barring access to your website would instantly increase your security posture, but no web presence is simply not an option in today’s business world.
2. Risk transference – You can share some of the burden of the risk with someone else such as an insurance company.
3. Risk mitigation – This is by far the largest category. It includes most of the measures that we think of as “up-front security”, including firewalls, spam filtering, antivirus software, content filters and educating users about possible threats.
4. Risk deterrence – An example of this is the legal disclaimer on login banners that promises prosecution if access is not appropriate.
5. Risk acceptance – This category cannot include a risk that the management does not know exists; it has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.
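A worked version of the ARO/SLE/ALE calculation and the treatment decision above, as an added example that is not part of the original article. It goes one step beyond the text by weighing each treatment's annual cost against the ALE it removes; the threats, the dollar figures and the `net_benefit` rule are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Treatment:
    kind: str            # one of the article's options, e.g. "mitigation"
    annual_cost: float   # yearly cost of the control or premium (constructed)
    aro_after: float     # ARO once the treatment is in place
    sle_after: float     # SLE once the treatment is in place

@dataclass
class Threat:
    name: str
    aro: float           # annualized rate of occurrence
    sle: float           # single loss expectancy, in dollars
    treatments: list = field(default_factory=list)

    @property
    def ale(self) -> float:
        return self.aro * self.sle   # ALE = ARO x SLE

def net_benefit(threat: Threat, t: Treatment) -> float:
    """Assumed decision rule: ALE removed per year minus what the treatment costs."""
    return threat.ale - t.aro_after * t.sle_after - t.annual_cost

def recommend(threat: Threat):
    """Pick the treatment with the best net benefit; accept the risk if none pays off."""
    best = max(threat.treatments, key=lambda t: net_benefit(threat, t), default=None)
    if best is None or net_benefit(threat, best) <= 0:
        return "acceptance", 0.0
    return best.kind, net_benefit(threat, best)

# Constructed risk register; every figure is illustrative.
REGISTER = [
    Threat("laptop theft", 0.5, 3_000,
           [Treatment("transference", 2_000, 0.5, 500)]),
    Threat("customer database breach", 0.1, 2_000_000,
           [Treatment("mitigation", 40_000, 0.02, 2_000_000),
            Treatment("transference", 60_000, 0.1, 500_000)]),
    Threat("phishing-led account compromise", 0.8, 25_000,
           [Treatment("mitigation", 8_000, 0.2, 25_000)]),
]

def ranked(register):
    """Threats ordered by ALE, largest expected annual loss first."""
    return sorted(register, key=lambda t: t.ale, reverse=True)

if __name__ == "__main__":
    for threat in ranked(REGISTER):
        kind, gain = recommend(threat)
        print(f"{threat.name:34} ALE ${threat.ale:>10,.0f} -> {kind} (net ${gain:,.0f}/yr)")
```

With these figures the laptop-theft insurance costs more per year than the loss it removes, so the identified risk is accepted rather than transferred.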
Lessons...
Stop blindly trusting on-line services! No website can guarantee complete privacy of your details. If a company's computer gets hacked, then it’s open season. According to Sean Doherty, Head of Research & Development at TitanHQ, ‘the notion of having "perfect security" is ludicrous. Security is difficult. Against a sufficiently skilled, motivated and funded attacker, all networks will be vulnerable. You’ve just got to make it sufficiently difficult, so that it’s much costlier, and riskier of being caught that it’s not worth their while. Against less skilled attackers, then good security may be close enough to perfect security’.