Ashley Madison. I’m pretty sure by now everyone is aware that I’m referring to a company and not an actual person. This recent breach has been all over the news. Naturally, the tabloids are itching for more celebrity and high-profile names to be leaked. But we are more interested in sharing yet another important case of lessons learned in cyber security that apply to any industry.
Security experts are taking advantage of this high-profile situation to weigh in on advice for all sectors. Highlights from Information Security Media Group’s six lessons learned from this most recent data breach are as follows:
1. Identify, Safeguard Sensitive Data
It might seem obvious, yet experts say it bears repeating: One takeaway from the breach is the sheer importance of knowing which information is mission-critical and sensitive, and then devoting the lion’s share of resources to ensuring that it remains secure.
2. Secure Passwords
Australian data security expert Troy Hunt says one fact that deserves more attention is that Ashley Madison – unlike so many other breached businesses in recent years – did get its password security right. Hunt says Ashley Madison succeeded at password security by not just selecting the bcrypt password hash algorithm, which is a good tool for the job, but also by using it correctly. In practice that means a unique salt for every password and a work factor high enough that each guess costs an attacker real computing time, so hashes that have leaked cannot be cracked at the speed a plain MD5 or SHA-1 digest could.
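The difference between a fast unsalted hash and a properly salted, deliberately slow one is easiest to see with an attacker's eye. The following is an added example, not code from this page or from Ashley Madison. The page discusses bcrypt; this block uses the Python standard library's PBKDF2-HMAC as a stand-in so it runs without third-party packages, and the properties it shows (a random salt per password, a tunable cost stored alongside the hash, a constant-time compare on verify) are the same ones that "using bcrypt correctly" means. The iteration count, user names, passwords and wordlist are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (not from the page): tune so one hash takes
# roughly 100 ms on your hardware, and raise them as hardware gets faster.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The anti-pattern: unsalted, fast MD5. Same password => same digest for
    every user, so one precomputed table cracks the whole database."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. A fresh random salt per password defeats
    precomputed tables; the iteration count makes every guess expensive."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations)
    # Self-describing record: the parameters travel with the hash, so the
    # cost can be raised later without invalidating existing records.
    return f"pbkdf2${ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "pbkdf2":
        return False
    _, alg, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(alg, password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: no timing leak about how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_weak(stored: dict, wordlist: list) -> dict:
    """Offline attack on unsalted hashes: hash each guess ONCE, then look up
    every account in the table. Cost is O(guesses), independent of accounts."""
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_strong(stored: dict, wordlist: list) -> tuple:
    """Offline attack on salted hashes: the table is useless, so every account
    needs its own KDF run per guess. Returns (cracked, kdf_calls)."""
    cracked, kdf_calls = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked, kdf_calls


# Constructed sample data: two users who chose the same weak password.
USERS = {"alice": "password1", "bob": "password1"}
WORDLIST = ["123456", "letmein", "password1", "qwerty"]


def demo(iterations: int = ITERATIONS) -> dict:
    weak_db = {u: weak_hash(p) for u, p in USERS.items()}
    strong_db = {u: hash_password(p, iterations) for u, p in USERS.items()}
    cracked_strong, calls = crack_strong(strong_db, WORDLIST)
    return {
        "weak_identical": weak_db["alice"] == weak_db["bob"],
        "strong_identical": strong_db["alice"] == strong_db["bob"],
        "cracked_weak": crack_weak(weak_db, WORDLIST),
        "cracked_strong": cracked_strong,
        "kdf_calls_needed": calls,
        "verify_ok": verify_password("password1", strong_db["alice"]),
        "verify_wrong": verify_password("password2", strong_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover "password1" from a four-word list, which is the point: hashing does not rescue a weak password. What the salted, iterated scheme changes is the attacker's bill. The unsalted database falls to four MD5 calls in total; the salted one costs one full KDF run per account per guess, so cracking a multi-million-row dump with a real wordlist stops being a desktop job.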
3. Store Less Data
But Ashley Madison executives also appear to have made a number of poor technology and business decisions. For example, Hunt says the leaked data includes many members’ credit-card billing addresses and associated first and last names, IP addresses and email addresses, as well as their latitude and longitude, logged to five decimal places, which pins a location down to about 1 meter (3.3 feet).
So even though the company got its password security right, and the leaked credit card data appears to have been scrambled except for the last four digits of each card, the other information the company gathered and retained has now been leaked, reportedly enabling many people to be identified, including by their spouses and members of the public.
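"Store less data" is a design decision made at the point where a record is written, not a cleanup done after a breach. The block below is an added example, not code from this page or from Ashley Madison. It makes the precision arithmetic behind the "five decimal places is about 1 meter" observation explicit, and applies a simple retention policy to a record shaped like the leaked data: keep only what the service needs, keep the last four digits of a card rather than the number, and coarsen coordinates to a resolution that still serves a "members near you" feature but no longer identifies a front door. The record, the policy and the two-decimal resolution are assumptions constructed for the demonstration.

```python
import math

# Approximate ground length of one degree of latitude. Longitude degrees
# shrink toward the poles by cos(latitude).
METERS_PER_DEGREE = 111_320.0


def coordinate_step_meters(decimals: int, latitude_deg: float = 0.0) -> tuple:
    """Ground distance represented by the last retained decimal place,
    as (north-south metres, east-west metres)."""
    step_deg = 10.0 ** -decimals
    lat_m = step_deg * METERS_PER_DEGREE
    lon_m = lat_m * math.cos(math.radians(latitude_deg))
    return lat_m, lon_m


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; the rest is never
    needed once the payment processor has handled the transaction."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample record in the shape the page describes as leaked
# (names, billing address, IP, email, five-decimal coordinates, card).
FULL_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "email": "jane@example.com",
    "ip": "203.0.113.7",
    "billing_address": "1 Example St, Springfield",
    "lat": 40.74844,   # five decimals: about 1 m
    "lon": -73.98566,
    "card_number": "4111 1111 1111 1111",
}

# Assumed retention policy for the long-lived profile store. Anything not
# listed is dropped there; the payment processor holds billing details for
# the life of the transaction, not the life of the account.
POLICY = {
    "email": "keep",          # needed to log in and to contact the member
    "card_number": "mask",    # "which card" only needs the last four
    "lat": "coarsen",         # coarse enough for a neighbourhood, not a house
    "lon": "coarsen",
}


def minimize(record: dict, policy: dict = POLICY, decimals: int = 2) -> dict:
    """Apply the policy field by field: keep, mask, coarsen, or drop."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "mask":
            out[field] = mask_pan(value)
        elif action == "coarsen":
            out[field] = round(value, decimals)
        # "drop": field is not written to the profile store at all
    return out


if __name__ == "__main__":
    for d in (5, 3, 2):
        lat_m, lon_m = coordinate_step_meters(d, FULL_RECORD["lat"])
        print(f"{d} decimals: {lat_m:8.1f} m N-S, {lon_m:8.1f} m E-W")
    print(minimize(FULL_RECORD))
```

At five decimals the step is 1.1 m; at two it is just over 1 km, which is as fine as a proximity feature needs and far too coarse to place someone at an address. The retention policy does the rest: the fields that did the identifying in the leak are simply never written to the store that an attacker would dump.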
4. Honor Promises
Ashley Madison offered a $19 “full delete” service to remove all traces that a person had ever used the website, and after the breach was announced in July, began offering that service for free. But multiple full-delete users have reported that their personal details, including the aforementioned payment-related information, were in fact in the leaked data, according to news media reports. The full-delete service highlights the importance for organizations to simply “do what you promise.” A number of related lawsuits could now put Ashley Madison officials on the spot when it comes to explaining how they attempted to fulfill those promises.
5. Secure the Supply Chain
Every business partner that’s granted access to an organization’s network and applications is a potential security risk. Indeed, as numerous breaches have highlighted – including attacks against Target, which was hacked via a connection it provided to one of its contractors, and the U.S. Office of Personnel Management, which was reportedly breached using legitimate credentials stolen from a private contractor it uses – attackers can use any party’s valid access credentials to reach their target.
6. Talk to Customers
Security experts say another promise that Ashley Madison has not been keeping is its home page’s still-present claim that the site has “over 39,645,000 anonymous members.” The vast majority of those members, of course, are no longer anonymous.
Regardless of the moral issues raised by a site like Ashley Madison, the take home message as it relates to cyber security is to make sure your company is protected from data breaches. The experts at Corporate Technologies Group can help your business determine if your network and IT security is up to par and ready for an attack.