The Ashley Madison Data Breach
The recent Ashley Madison affair (excuse the pun), along with other recent high-profile hacks and leaks (Sony, Apple iCloud, WH Smith, etc.), has again focused attention on the reputational, financial and indeed personal consequences of such breaches. It is often hard to estimate what these breaches can cost, as the damage done to the organisation can include:
- Large scale loss of customers and advertisers with immediate revenue implications
- Exposure to the threat and costs of legal action(s) for breach of privacy, data protection regulations, loss of intellectual property, etc.
- Costs associated with making good any damage and rebuilding confidence in the brand
- Consequential impact on company share price / value
While there is no single solution to completely eliminate the chance of such an event, it would be a good idea to consider your own position and the risk of it happening to you.
Understand the Risks
The Big Picture
Regardless of the source of a data leak, the first step to helping develop your own response procedure is to understand the scope of your network.
Managing an IT infrastructure is a complex task comprising servers, desktops and network infrastructure devices often spread across multiple locations. With the current growth of cloud services, mobile devices (including BYOD that can add extra headaches for security management) and other new technologies this can quickly grow in ways that need to be carefully managed.
It is therefore a key starting point to know exactly what devices are connected to your networks, who is responsible for their security and to ensure that there are procedures in place designed to stop things becoming an unmanageable mess!
Once you have an understanding of your systems, it is a good idea to divide them into externally accessible systems and internal systems. This should give you an idea of the external attack surface that outside attackers have access to. It is important to note that this might involve some unexpected devices or services that you might not have considered (such as portable devices that connect to external networks, and cloud services not covered by your primary hosting arrangements – for example Dropbox). All of these attack surfaces should be considered and secured so that only authorised actions are possible.
This review should also include an understanding of how external facing devices and internal systems are connected. A good security design should be like peeling back the layers of an onion. Instead of focusing solely on the external defences, a system should also be designed with the assumption that external defences might not always work. In that event the compromised devices should not give the attacker unrestricted access to the entire network. There should be multiple layers of defence that try to limit the amount of other sensitive data the attacker can access.
You should also remember that no security system is perfect! New types of attack are being uncovered daily, and often it is the unannounced and undefended security holes (referred to as 0-day exploits in the industry) that attackers and security professionals are most interested in.
It is advisable to regularly review your network and update your security procedures, including having your defences tested by an external expert, to ensure that your system has been proven to work and that you are keeping up with recent changes that can quickly make older security systems insecure.
You may have taken precautions to secure against an attack from the outside, but you should also ask yourself what sort of exposure you have from internal sources.
Have you considered the risk of a breach of trust from an internal source such as disaffected employees or suppliers / sub-contractors? Have you taken steps to secure your internal systems against this happening? Are you able to track what users do inside the network in order to verify they are only accessing systems they should? Do your internal systems trigger any alerts if unauthorised access occurs?
Internal systems often contain confidential customer data, financial information, personnel records and other sensitive data that should have restricted access. The Ashley Madison leak not only exposed website member lists, messages and photos, but reportedly also included credit card transactions, personnel records including salaries, as well as staff emails. This is a wide-ranging set of data that would suggest complete access to large parts of the internal company network. Similar levels of information were also part of the Sony leak.
Users should only have access to the systems they need to perform their job, but often internal security measures are significantly weaker than external ones, to the point that a single device can access an entire network. Sometimes this is the result of a small network that has grown exponentially over time; at other times it can stem from user resistance to implementing best practice that might mean a change in some working practices. Regardless of how the system has reached this point, a network with limited internal security means that a single compromise could expose a significant amount of data.
Understand the Responsibilities
The main responsibilities you should start by addressing are a combination of legal, commercial and ethical ones.
You should make sure that you understand your legal obligations around the holding of personal and sensitive information. This could include ensuring data is kept in secure systems, that access to these systems is restricted, and whether data is only permitted to be retained for a limited time.
Commercial responsibilities can include any contractual restrictions on how data is stored, processed and maintained.
Ethical responsibilities are more difficult to express in exact terms. This is an element of how your company is perceived by the public. The Ashley Madison hack gives a good example of this… users were offered the ability to pay a fee to have their account details removed from the website. The leaked data has shown that this was not a complete removal of data from the systems: it only removed their email, full name and elements of their address (not including city, state or GPS location!). While charging a fee to delete this data likely falls foul of data protection regulations in the UK, and offering the service would make this a contractual obligation in many countries, there is a wider ethical question involved. Users expect companies to deliver what they claim, so what amount of reputational damage will this cause?
Understand the Consequences
If you do experience a data leak, will you be able to manage the crisis?
You will first need to identify what data has been compromised, how it was accessed, whether the attacker still has access to your systems, and who the attackers are.
Your first step will be to implement your data leak response plan. This will involve securing your systems, notifying any relevant authorities, partners and potentially clients of what has occurred, and then starting work on the cleanup and fallout of the leak.
The longer term will involve identifying what data has been compromised and then analysing how that will affect your business, partners and customers.
Develop a Plan of Action
In short, a data leak can have catastrophic consequences for a business. If you plan ahead and understand how different types of attack or data leak could affect you, then you can both minimise the amount of data that could be compromised and have procedures in place to react should it happen to you.
The plan of action will stem from an understanding of your current systems. This will also help you to secure your systems beforehand to minimise the potential for attackers to extract multiple sets of data if they do manage to get into your network.
You will need to plan what your emergency steps are once a leak is suspected or identified, along with procedures on who needs to be notified, how to secure the current systems, and how to then return your systems to normal usage with as little disruption to business as possible while not allowing any further unauthorised access.
Want to make sure you have all your bases covered…?
EMS has been helping organisations large and small better manage their networks for 15 years.