The Ashley Madison hack is a wakeup call not only for many individuals but for every single business, as well — many of which are still not paying enough attention to data security.
The hack, which revealed the email addresses, personal information and sexual preferences of the site’s 36 million users, is devastating on many levels.
For starters, Ashley Madison — whose slogan is “Life is short. Have an affair.” — will likely be the first high-profile company ever to go out of business as a direct result of a cyber attack.
After all, it’s hard to see Ashley Madison regaining the trust of its customers, much less surviving the wave of legal action that’s now building. Two Canadian law firms were the first to file, with a $578 million class-action lawsuit in late August.
On the customer end, the impact on many families has already been devastating. Site users are getting divorced, children are being teased, jobs and livelihoods are in jeopardy. Police in Toronto say they have unconfirmed reports of two suicides linked to the leak of Ashley Madison account information.
It now seems likely that the perpetrator of the hack was an insider, probably a third-party contractor. The CEO of Ashley Madison has suggested that he knows who it is.
The hacker was able to get into every system and extract massive amounts of information, including the CEO’s emails, the customer database, source code to the website — everything. If indeed the culprit was a contractor, the company failed in a fundamental way to limit that person’s access to sensitive data.
To me, this hack comes down to poor privilege-management practices that granted the hacker far too much access. And it’s not just Ashley Madison.
Many recent hacks can be blamed on privileged accounts that give the bad guys the proverbial keys to the kingdom via root access. In fact, Verizon’s 2015 Data Breach Investigations Report shows that the most vulnerable point in any organisation is privileged identities that have root, admin or read/write access privileges to critical infrastructure, apps and data.
These privileged identities are necessary — users like database administrators and CIOs do need extensive access to computers, networks and applications — but privileged identities come with risk. Ashley Madison is just the latest and most sensational example of that risk’s enormity.
There are so many privileged accounts in large organisations that many of them don’t even know where all of their privileged accounts reside or who has access to them.
And it’s not just IT people with privileged access anymore. Nowadays, many of the regular folks in the enterprise are granted privileged access — marketing, for example. If marketing people want to update the corporate Twitter or Facebook account, they don’t call IT to do it, they just do it themselves — and the door opens wider.
This is how pro-ISIS cyber vandals hijacked the social media accounts of the U.S. military.
So, how can companies protect themselves from hackers, including malicious insiders, who can wreak havoc via privileged accounts? First, they must be smart.
One of the most important steps they can take is to adopt the principle of least privilege. Limit access to the minimum level necessary for normal functioning. IT should assume that networks will be breached and bad guys will get in. But when they do get in, IT can contain and minimise the damage if it has implemented the practice of least privilege.
Least privilege means giving people only the degree of privilege they absolutely need and access to the data they absolutely must have. It means auditing activity, especially on the most sensitive systems, looking for suspicious behaviour, and generating alerts if something out of the ordinary is happening. It also means implementing two-factor authentication to verify that people really are who they say they are.
The good news is that organisations are waking up to the threats posed by privileged user accounts.
In the aftermath of breaches like Ashley Madison, there is a growing recognition that almost every cyber attack these days involves some kind of compromised credential and privilege escalation.
Once a hacker or malicious insider gets their hands on a vulnerable credential, they have the means to launch a large-scale attack. By putting in place systems that can secure identities and monitor privileged access, companies can better shield themselves from cyber attacks once and for all.
About Tom Kemp
Tom Kemp is co-founder and CEO of Centrify Corporation, a software and cloud security provider that delivers solutions that centrally control, secure and audit access to on-premise and cloud-based systems, applications and devices for both end and privileged users. Under his leadership, Centrify has become one of the fastest-growing security vendors in the industry, named one of the hottest enterprise cloud companies by a number of respected industry analysts and publications, and has amassed more than 5,000 customers including more than 50 per cent of the Fortune 50. Reach him @ThomasRKemp.
For the latest proof that passwords are passé, just look at the 4Chan nude celebrity photo uproar.
Allegedly hacked from online storage services such as iCloud, intimate photos of stars including actress Jennifer Lawrence and model Kate Upton were posted anonymously on the 4Chan website.
Apple protests that its iCloud systems weren’t compromised, suggesting that hackers managed to gain illegal access by figuring out passwords and the answers to personal security questions. That sounds like a compromise to me.
Which brings us to the nub of the problem of basing protection on passwords - using a password that is readily memorable means it is also more easily hackable. When we require dozens, if not hundreds, of passwords to protect our identities online, the questionable effectiveness of passwords becomes completely degraded.
As I’ve written previously, the obvious solution is to get rid of most passwords.
The Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7.
“‘Catastrophic’ is the right word,” wrote Internet security expert Bruce Schneier on his blog. “On the scale of 1 to 10, this is an 11.”
That intensity of reaction is not surprising given estimates that around half a million of the Internet's secure web servers (some 17 per cent) were believed to be vulnerable to attack due to Heartbleed, in addition to countless embedded devices such as firewalls and routers.
An avalanche of media coverage means anyone affected has likely heard of the problem. Does that mean Heartbleed is yesterday’s story?
Absolutely not. Heartbleed remains very much a live issue and one that will not be fixed quickly.