The Ashley Madison Data Breach again highlights insider threats:
2015 must surely now be officially designated as the year of the data breach. With the news that client data at Ashley Madison, the dating site, has been compromised, there must be a lot of very worried people wondering where their lost data will turn up.
There are many interesting issues with this data breach story: why was the data not encrypted? Why was there only single-factor authentication to the site? And, most importantly, why did subscribers need to pay to have their details removed? Running through the story, of course, is a massive dose of schadenfreude, the pleasure we feel that the subscribers' misfortune is in some sense justifiable given what they were up to; the hack then becomes a real Robin Hood crime. But just imagine for a moment that it was your medical or financial records, and the story becomes a little darker.
As a regular data breach watcher, one thing struck me about this story as unusual: Ashley Madison were owning up to the fact that it was an insider. “I’ve got their profile right in front of me,” said their CEO. In the past it has always been more convenient to portray the threat as external. Companies prefer the idea of the evil genius hacker to the trusted employee gone rogue. In this case it seems to have been a temporary worker or contractor who had access. But you have to ask: why did they have that access, and who was checking it?
Here at Idax we hold the view that managers are capable of managing their staff’s access, but they need a little help from analytics to do so. Did the Ashley Madison contractor really have the least privilege required to do their job? If that least privilege enabled them to dump the entire database, there is a bigger problem: no single role should need a bulk export of the customer table, and a contractor who holds one should stand out against their peers. But as we have seen over the last couple of years, a lot of companies have poor controls over internal access, don’t do recertification well, and onboard new staff by asking them what they think they need.
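To make the “help from analytics” concrete, here is an added example (not Idax’s product code, and nothing from the Ashley Madison case) of the kind of check an access-review tool runs over an entitlement matrix. All users, departments, entitlement names and dates are constructed for the illustration. It flags three things a manager would want surfaced before signing off a recertification: entitlements a user holds that almost none of their department peers hold, bulk data-export rights held by a contractor or temp, and contractor accounts still entitled after their contract end date.

```python
"""Peer-group entitlement outlier check over a constructed access matrix.

Added example: not the product code of Idax or any vendor named on the page.
"""
from collections import Counter
from datetime import date

# Constructed sample data: who holds what, grouped by department.
# "ents" are entitlement names; "end" is the contract end date for contractors.
USERS = [
    {"user": "alice",  "dept": "billing", "type": "employee",   "end": None,
     "ents": {"crm_read", "billing_app"}},
    {"user": "bob",    "dept": "billing", "type": "employee",   "end": None,
     "ents": {"crm_read", "billing_app", "billing_admin"}},
    {"user": "carol",  "dept": "billing", "type": "employee",   "end": None,
     "ents": {"crm_read", "billing_app", "billing_admin"}},
    {"user": "c_dave", "dept": "billing", "type": "contractor", "end": date(2015, 6, 30),
     "ents": {"crm_read", "billing_app", "db_prod_full", "db_export"}},
    {"user": "erin",   "dept": "dba",     "type": "employee",   "end": None,
     "ents": {"db_prod_full", "db_export", "db_backup"}},
    {"user": "frank",  "dept": "dba",     "type": "employee",   "end": None,
     "ents": {"db_prod_full", "db_backup"}},
    {"user": "grace",  "dept": "dba",     "type": "employee",   "end": None,
     "ents": {"db_prod_full", "db_export", "db_backup"}},
]

# Entitlements that allow copying a whole table or database out (assumed names).
BULK_ENTS = frozenset({"db_prod_full", "db_export"})


def peer_rates(user, users):
    """Fraction of the user's department peers (excluding the user) holding each entitlement."""
    peers = [p for p in users if p["dept"] == user["dept"] and p["user"] != user["user"]]
    if not peers:
        return {}
    counts = Counter(e for p in peers for e in p["ents"])
    return {e: c / len(peers) for e, c in counts.items()}


def outlier_entitlements(user, users, threshold=0.25):
    """Entitlements the user holds that fewer than `threshold` of their peers hold.

    With no peer group at all, every entitlement is returned: there is nothing
    to compare against, so a human has to look at all of them.
    """
    rates = peer_rates(user, users)
    return sorted(e for e in user["ents"] if rates.get(e, 0.0) < threshold)


def review_findings(users, today, threshold=0.25, bulk_ents=BULK_ENTS):
    """Return [(user, [reason, ...])] for every account a manager should look at."""
    findings = []
    for u in users:
        reasons = []
        odd = outlier_entitlements(u, users, threshold)
        if odd:
            reasons.append("peer outlier: " + ", ".join(odd))
        held_bulk = sorted(u["ents"] & bulk_ents)
        if u["type"] != "employee" and held_bulk:
            reasons.append(u["type"] + " holds bulk data access: " + ", ".join(held_bulk))
        if u["type"] != "employee" and u["end"] is not None and u["end"] < today:
            reasons.append("contract ended %s but account still entitled" % u["end"].isoformat())
        if reasons:
            findings.append((u["user"], reasons))
    return findings


if __name__ == "__main__":
    # Review date is constructed; only c_dave should be reported on this data.
    for user, reasons in review_findings(USERS, date(2015, 7, 20)):
        print(user)
        for r in reasons:
            print("  -", r)
```

The DBAs hold the same bulk-export rights as the contractor but are not reported: their peers hold them too, and they are employees whose role needs them. That is the point of comparing against a peer group rather than against a fixed list of “dangerous” entitlements: the same right is ordinary in one team and an anomaly in another, and the review effort goes to the anomaly.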
Estimates from the Ponemon Institute’s 2011 Cost of Data Breach Study put the average cost of a data breach at $5.5m per organisation, an average of $194 per compromised record. One suspects that in the case of Ashley Madison the cost may be their whole business model. Against that cost, why wouldn’t you use all the tools at your disposal, analytic and operational, to safeguard your most important asset, your customers’ data?
As a follow-up, read this interesting point of view from another provider, Sailpoint, here
Since this blog was originally posted, Sailpoint Technologies have published an interesting white paper entitled the “7 Tenets of Successful IAM” – read this here