What Ashley Madison tells us about corporate security

By Phil Wainewright, August 19, 2015
Summary:
Looking beyond the prurient headlines, there are important lessons for corporate security to be learnt from the Ashley Madison data breach

There's one happy outcome from the Ashley Madison data breach: at last I can shut down my account.

Piqued by curiosity — it's my job to be curious about Internet phenomena, and no, I didn't use my work email — I signed up for the adulterous matchmaking site a year or two back, only to discover when I went to close down the account that the provider wanted a $19 payment to erase my details. Unwilling to pay this blatant protection money, I left the account open but (needless to say) never made any active use of it.

In the wake of last month's threat by hackers to publish Ashley Madison's entire database online — a threat that has been fulfilled this week, already with apparently devastating consequences for some users — the provider has lifted the fee, although questions have since been raised about whether users' data was ever completely erased, even for those who did pay (and from whom the company made some $1.7m last year alone, according to internal company documents released in the hack).

Those whose email addresses turn up in the database have plausible deniability on their side, in that Ashley Madison never formally verified many of the emails used (a defense already cited by a newly elected British MP, and indeed also applicable to one tblair@labour.gov.uk, an email address that doesn't even exist).

Registrants obfuscated or falsified many personal details, such as dates of birth — which along with the poor verification and erasure fee makes a mockery of the site's frequent claims to be an accurate measure of social behavior, let alone the user metrics that would have been a key part of its planned pitch for an IPO this year (plans that are now inevitably and irrevocably scuppered).

The problem for those users who were active is that all their messages and interactions have been exposed to examination — assuming the data is indeed faithful to the original source, and it's important to emphasize that Ashley Madison has not yet confirmed the veracity of the stolen data — by anyone with the necessary skills to access the material on the 'dark web'. The more detail there is, the less deniable it all becomes. The repercussions of this huge breach of data privacy will be devastating for many lives.

But looking beyond the prurient exposure of marriage cheats and others seeking hidden sexual liaisons, there are important lessons from the Ashley Madison data breach for enterprises everywhere.

Trust no network, not even your own

Largely overlooked in the acres of coverage of this story is the alleged release of HR information on staff along with many other confidential files and data among the total of more than 9 GB that was put online. As in last year's Sony Pictures hack and the several breaches revealed at the US Office of Personnel Management (OPM), Ashley Madison apparently failed to encrypt data within its network infrastructure, relying on perimeter security as its main defense. My conclusions on the OPM hack are equally valid here:

[Its] discomfort is well deserved but no one should be smirking at it, as almost every enterprise is making exactly the same lazy and self-deluded assumptions about the rigors of its own security regime.

In that article I recommended emulating Google's approach to security, which provides access based on user credentials:

Today, everyone is connected wherever they are and via multiple devices. The old-fashioned, on-premise method of enforcing security by assuming that certain areas are safe from intrusion is a delusion. You cannot firewall the perimeter or trust those inside it because in a digitally connected world all perimeters are porous.

In a business as dependent as Ashley Madison was on unimpeachable security for its continued commercial viability, a technology such as Zscaler's is also needed to monitor the data being accessed by trusted users and prevent unauthorized downloads of sensitive material.

Trust no provider, especially not pre-IPO

The hacked documents appear to reveal that Ashley Madison's management were aware how critical their network security was, and yet they still failed to get a full grip on it. This kind of attitude is regrettably very common among fast-growing, venture-funded startups, especially when they're run by dashing young entrepreneurs who pride themselves on their risk-taking prowess.

It's really important therefore for enterprises (and for the professionals they employ) to take a deep interest in the security measures in use at startups and other businesses they may deal with. Not, I hasten to add, by insisting that they uselessly invest in perimeter protection (see above) but by making sure that they have a robust security infrastructure and policy regime in place.

There's also a judgement that has to be made. Don't rely only on the assurances built into the contract — by the time you have to sue, the damage has already been done. You can tell a lot about a company's commitment to follow through on its responsibilities by the statements and behavior of its leadership. If they seem inconsistent and cavalier, those values are likely endemic in the organization.

Trust no user, not even your employees

Enterprises have to step up their education of employees to be far more aware of security risks. Don't take it for granted that they're not using their corporate email and password to sign up for external sites — make it a matter of corporate policy that they must not.
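One practical way to act on that policy is to check a published breach list against your own domains and force a reset on every account that turns up. The script below is an added example, not from the original article; the domains and the leaked entries are constructed sample data. As the article notes, the site never verified many addresses, so a match only means the account is exposed and needs a reset, not that the employee actually registered.

```python
"""Flag corporate accounts that appear in a leaked e-mail list.

Added example, not from the original article. CORP_DOMAINS and
SAMPLE_LEAK are constructed sample data, not real breach records.
A match means the address is exposed (force a password reset); it does
not prove the employee registered, since unverified addresses are common.
"""
import re
from collections import defaultdict

# Corporate domains to watch (assumption: example domains).
CORP_DOMAINS = {"corp.example", "labour.example"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(address):
    """Lower-case, strip whitespace, drop '+tag' sub-addressing.
    Returns (local, domain) or None for malformed dump entries."""
    addr = address.strip().lower()
    if not EMAIL_RE.match(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]
    return local, domain


def in_scope(domain):
    """True for a watched domain or any subdomain of it (not look-alikes)."""
    return any(domain == d or domain.endswith("." + d) for d in CORP_DOMAINS)


def exposed_accounts(leaked):
    """Map each matched corporate account to the raw variants seen in the dump."""
    hits = defaultdict(set)
    for raw in leaked:
        parsed = normalise(raw)
        if parsed is None:
            continue
        local, domain = parsed
        if in_scope(domain):
            hits[f"{local}@{domain}"].add(raw.strip())
    return dict(hits)


# Constructed sample of dump entries: mixed case, tags, junk, other domains.
SAMPLE_LEAK = [
    "Alice@Corp.Example",
    "alice+dating@corp.example",
    "bob@mail.corp.example",
    "not-an-email",
    "carol@gmail.example",
    "dave@corp.example.attacker.example",  # look-alike, must not match
]

if __name__ == "__main__":
    for account, variants in sorted(exposed_accounts(SAMPLE_LEAK).items()):
        print(f"{account}: force reset; seen as {sorted(variants)}")
```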

Ensure that they never use public wi-fi without VPN protection. Encourage them to keep anti-malware protection up to date on their personal devices and to use two-factor authentication for their email accounts to reduce the risk of those accounts being compromised.

Remember that you often have contractors and contingent workers on your premises working alongside permanent employees. Don't forget to impress these policies on them with the same rigor as you do on your permanent staff.

Finally, the Ashley Madison episode shows that certain individuals have secrets that potentially open them to blackmail or exposure. In today's digital society, people increasingly share those secrets with online services that may one day be subject to a privacy breach.

How we deal with this threat, both within an enterprise and in our wider society, is an ethical question that has to be confronted. Do we perhaps introduce tougher penalties for passing on private data from breaches, thus placing more value on privacy but potentially at the expense of freedom of speech?

Or does the increased transparency of our digital lives mean that our society will ultimately have to become more tolerant of those who live their lives differently than the norm, and of the imperfections and transgressions of those around us?

Perhaps we have to rethink not only who we trust, but also our capacity to forgive.

Image credit: Woman's face examining data pattern © forkART – Fotolia.com.