Soon-To-Be Ex-CEOs: Lose Data In Hacks, Get The Axe.

The aftermath of the Ashley Madison hack that aired the details of its 37 million users has been anything but pretty. News of divorces, lawsuits, and even suicide relating to the hack are being reported on a daily basis, and in a completely understandable move, Ashley Madison’s parent company CEO no longer holds his title.

Noel Biderman, the founder of Ashley Madison, stepped down on August 28. Although the press release states that he left the company by ‘mutual agreement’, it’s a statement that leaves you wondering if that’s really how it went down.

One thing’s for certain: if not for the hack, Noel would still be running the company he founded, which reported a $115 million profit last year.

Regardless of what kind of business Ashley Madison is, Biderman clearly put a great deal of effort into making the company what it is today. For more than 14 years, it has been a company that he literally built from the ground up. And then he witnessed how quickly hard work can come crashing down because of less than 30 gigabytes of leaked information.

And he’s far from being the only one.

Ashley Madison’s ex-CEO, Noel Biderman

As many have heard time and again, Target’s ex-CEO, Gregg Steinhafel, resigned shortly after the notorious Target data breach, which has cost the company $148 million, and counting.

Ten years ago, such a thing would have been unheard of. Punishment for a breach would go right over the heads of the executive management, and strike at the hearts of their IT security teams.

Today, whilst IT security team members still get the axe when things turn to custard, the ultimate sacrifice must be made by the people where the buck stops — the CEO and the executive team.

The lesson for all CEOs and founders: allowing a huge data breach to happen is now a big enough mistake to cost you your job, even if you’re the one who started the company in the first place.

The general public will light their torches and brandish their pitchforks at your castle gates. Your supporters will dwindle in number, and soon you will be forced to make a decision — leave the company with some of your dignity intact, or wait for your board members to hit the eject button.

What’s Changed?

So why have data breaches become a blunder worth punishing the head of a company for? The biggest reason is that the scale of breaches has grown exponentially: losing millions of records has become commonplace, and if a million people lose their personal information thanks to a mistake made by your company, that’s a million of your customers you just aggravated.

Another reason is the amount of attention hacking receives from the media. For weeks beforehand, the Ashley Madison story was making headlines all around the world, and once the leak went public it was covered endlessly by every news source. It’s not as easy to brush the issue under the carpet as it was many years ago.

An ‘Ashley Madison’ Google search now shows a flood of news stories surrounding the hack, to the point where it’s hard to find a link to the actual website.

How to Avoid Being Next

The obvious solution is simply to avoid losing data. However, it’s really not as easy as it sounds. Many companies see thousands of inbound attacks daily; you can defend as much as you want, but the sad truth is that it only takes one attacker breaking in to bring your entire fortress crashing down.

The less obvious but much more critical solution is to avoid, as far as possible, storing any information worth stealing. In Ashley Madison’s case, accounts that should have been deleted, as well as email logs from years prior, had no place on their systems. The more sensitive data you hold on to, the more you stand to lose in a data breach.

Today’s security professionals are promoting a new strategy: if you don’t need it, don’t store it. If an outsider does find a way into your IT network (and statistically speaking, they will), the valuable data assets they can reach will have been reduced to a bare minimum. Furthermore, if your security team has taken the right steps and focused on protecting the remaining information you do need to store with encryption or other obfuscation technologies, there’s hopefully little to zero data left that’s easy to steal.

So our message to all you CEOs out there — listen to your security guys. They too have a vested interest in your longevity.

But if you don’t and the worst case happens, they can always leave and get another job. You on the other hand won’t be able to escape being seen as ultimately responsible for a very public data breach, regardless of who internally was at fault.

If you’re wondering how much easily stealable data you have right now, try Enterprise Recon out for free, and get started on cleaning up your systems.

US Companies, Are You Ready For Even More Brutal Data Breach Consequences?

In May, IBM and Ponemon Institute released a study on the cost of a data breach, and found startling statistics:

  • Average cost per lost record is $217.
  • Average total cost of a data breach is $6.5 million.

And, as if the one-two punch of monetary and reputation loss a data breach hits you with is not enough, the Federal Trade Commission (FTC) is now ready to pounce on you with a vicious (but much needed) body blow if you have poor cybersecurity.

For example, the FTC filed a complaint in 2012 against Wyndham Hotels for failure to protect the consumer information of more than 600,000 of its guests.

The result? The U.S. Court of Appeals has spoken: the FTC is given regulatory power to punish companies that do not act in accordance with safe data security practices.

The FTC’s Chairwoman, Edith Ramirez, issued this firm statement after the ruling:

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

How exactly the FTC intends to punish companies at this point is unclear. But, it could be anything from heavy fines to a probational period of intensive audits.

While some may feel that the FTC is kicking companies that are already down, it’s clear that more penalties are required for companies that do not make an effort to protect the private information of their consumers.

Are you protecting your customers?

While the fines and penalties for data breaches can easily cripple or even shut down a small to mid-sized business, some larger organizations can not only bear the brunt of a data breach, but shrug it off and resume business as usual.

And because they do not feel anything more than a prick from a data breach, they see no reason to work harder at securing their networks.

Some companies even think it’s cheaper and simpler to just get hacked, claim on insurance and move on.

These companies fail to see the impact that breaches have on the personal lives of their customers, who are at risk of having their personal details leaked. As seen in the recent Ashley Madison hack, in extreme cases, data breaches can affect individuals on a deep enough level to cause them to take their own lives.

Hopefully the penalties to be dealt out by the FTC will give companies the extra incentive they need to work hard at keeping their networks secure.

Everything You Need to Know About the Ashley Madison Hack

On July 19, well-known security blogger Brian Krebs reported that the online cheating site AshleyMadison.com had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.

The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.

The Impact Team released the information in protest of ALM’s “lies” regarding its full delete function. Users were told that they could completely wipe their profiles and information from the ALM databases for a fee of $19. However, when The Impact Team compromised ALM’s servers and looked into their databases, they found that the information was not being deleted even after the delete fee had been charged.

The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users; Krebs reported that he receives a frequent stream of emails from Ashley Madison users who were afraid that the leak was going to go through.

Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.

The leak statement posted by The Impact Team

A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.

Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”

However, Krebs has recently edited his original post with this new information:

“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”

So it would seem, at least for now, that the leaked data is indeed legitimate.

A cheeky billboard put up in Boston by Ashley Madison

From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.

This is a common problem that many companies are alarmingly unaware of.

We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.

The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it in. In today’s data-driven workplace, it is imperative that every company understands what it is that hackers want, and how to keep it away from them.
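As an added example (not code from Ground Labs or from the Enterprise Recon and Data Recon products mentioned on this page), the following Python scan illustrates both points above: how cardholder data that nobody knew about gets surfaced, and why a report about it should not itself become another store of data worth stealing. It looks for card-number candidates in text, keeps only Luhn-valid ones, discards transaction IDs that merely look numeric, and records just the last four digits. The file paths and contents are constructed sample data; the card numbers are public test numbers.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Loose candidate pattern: 13 to 19 digits, optionally separated by single
# spaces or dashes, not bordered by other digits. The Luhn check below does
# the real filtering, so the pattern can afford to over-match.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    location: str    # file or record where the candidate PAN was found
    offset: int      # character offset within that location
    masked_pan: str  # only the last four digits are retained in the report


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report is not a PAN store itself."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, location: str) -> Iterator[Finding]:
    """Yield Luhn-valid card-number candidates found in one piece of text."""
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject runs of one repeated digit (e.g. 0000...), which pass Luhn
        # trivially, and anything outside the 13-19 digit PAN length range.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            yield Finding(location, m.start(), mask_pan(digits))


def scan_corpus(corpus: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of location -> text (e.g. file path -> file contents)."""
    findings: List[Finding] = []
    for location, text in corpus.items():
        findings.extend(scan_text(text, location))
    return findings


# Constructed sample data standing in for files on a forgotten backup partition.
# The card numbers are publicly known test numbers, not real accounts; the
# transaction ID is a 16-digit value that does not pass the Luhn check.
SAMPLE_CORPUS = {
    "backup/mail_2009.log": "Refund approved for card 4111 1111 1111 1111, ticket 88213\n",
    "backup/orders_2010.csv": "order,card\n7731,5500-0000-0000-0004\n",
    "billing/transactions.csv": "txn_id,amount\n2015082600000123,19.00\n",
    "hr/contacts.txt": "Desk phone 555-0100, ext 42\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.location}:{f.offset} {f.masked_pan}")
```

Pointing scan_corpus at real file contents rather than the sample dict is all that is needed to run it over a directory tree.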

As of now, the dumped data is making its rounds on the web, with sites like checkashleymadison.com going up (and getting taken down by a cease and desist by ALM) to make the information more accessible for the everyday spouse.

Play It Safe

The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.

Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.

Verizon Data Breach Incident Report 2015 Summary

The Verizon DBIR is one of the annual scriptures read by data security enthusiasts worldwide, and this year’s offering is no different.

The report is packed full with meticulously-gathered, mind-blowing statistics, and yet presented in a light-hearted tone with pop culture references ranging from gangster rap to Disney musicals.

Here are a few highlights from the DBIR we found to be the most interesting.

Phishing

While phishing is nothing new or unfamiliar, some findings released in the DBIR were interesting, to say the least.

To further evade detection, phishing campaigns have evolved to incorporate installation of malware as the second stage of the attack.

Just how well does phishing work?

Today, a glaring 23% of phishing email recipients open phishing messages, and 11% of them click on attachments. Of the 23% who opened the emails, half of them did it within an hour of receiving the email.

A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will fall victim to the scam.

Not only do phishing emails work well, they work fast. The median time it takes for the first click to come through is 1 minute, 22 seconds.

Can Phishing Emails Be Stopped?

In light of such discouraging statistics, it’s hard to see the point in investing in data security.

Why should you spend large amounts of money on antiviruses and firewalls, if it’s so incredibly likely that one negligent employee making one false click is going to bring your walls crashing down?

The good news is that there are a few ways to reduce the risk of getting hooked. The DBIR recommends better email filtering, to keep phishing emails out of user inboxes. Also encouraged is acquiring improved detection and response capabilities.

However, the most effective way cited is through awareness and training, which can reduce the number of people that fall victim to a phish to (potentially) less than 5%.

Common Vulnerabilities and Exposures (CVEs)

In late 2013, a list of the 500 most common vulnerabilities and exposures was made. Looking back on that list, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Worse still, hackers are exploiting vulnerabilities from as far back as 1999, which shows that they are aware that these old exploits are still an easy way into many systems.

Patch Hard, Patch Fast

There is a clear need for all organisations to patch vulnerabilities as they come, and to do so quickly.

While it’s true that some vulnerabilities are more high-priority than others (97% of the exploits observed in 2014 were caused by just ten of the 500 CVEs listed), you cannot call your network secure unless you are certain it has zero vulnerabilities to exploit.

Make sure that your company has in its employ someone to stay on top of what the latest vulnerabilities and threats are, and is able to quickly apply patches when necessary.

Aside from phishing attacks, vulnerability exploits are some of the easiest ways for hackers to gain access to your systems. To quote the DBIR directly: “[there is a] need for all those stinking patches on all your stinking systems.”

Miscellaneous Tidbits

  • 5 malware events occur every second.
  • Mobile devices are not as at risk as we thought: only 0.03% of mobile devices are infected with truly malicious exploits.
  • Verizon seems to have given up on trying to figure out the cost per record in data breaches. Instead, they have developed a table that gives a rough estimate of how much you can expect to spend on a data breach based on the number of records you lost.

Another Year, Another Great Report

This year’s DBIR, as usual, did not disappoint. A lot of the findings have been game changing: IT security professionals are going to be less likely to bring up the cost per record in a data breach, or to talk about the dire need for mobile data security.

But regardless of how such statistics may change, good data security practice remains a constant. In other words: keep up to date with the latest trends, and understand your data.

While we did pick out our favourite parts of the Verizon DBIR, pretty much all of it is interesting and worth a read, which you can do here.

Why We Need Better Data Security Education in Schools

A middle schooler in Florida has been charged with offense against a computer system and unauthorized access (a felony charge).

What the middle schooler did sounds akin to a hacker infiltrating his school’s extremely secure network by executing a high-level brute force attack. Following that, he conducted an ideologically driven cyberattack designed to inflict trauma on his victim.

However, in reality, the kid used a weak system password to log on to a teacher’s computer. He then changed its desktop background to an image of two men kissing. He reportedly did so because he wanted to annoy the teacher, whom he didn’t like.

School of Hard Knocks

This story sparked a huge internet-wide debate over the weekend. One Reddit thread hit almost 2,000 comments, with users discussing the apparent disproportion of the charge against the crime committed.

While the computer he accessed had sensitive data like FCAT exam questions stored on it, he didn’t view or tamper with those files.

What seems to irk most people is this statement made by the town’s sheriff: “Even though some might say this is just a teenage prank, who knows what this teenager might have done.”

Based on that logic, shouldn’t every single one of us be behind bars? It’s absurd to even imagine arresting people based on the potential of what they could do, when they haven’t actually done anything.

But let’s forget about who’s right and wrong for a second and look at this story from a data security perspective.

Protecting sensitive data is the responsibility of any organization, regardless of whether you’re a bank, a retailer, or even a school.

There were huge security flaws in Paul R. Smith Middle School’s network.

For starters, the teacher used their last name as a password.

Secondly, according to the report, many students had previously gained access into the school computer systems using the same password, and the faculty members were aware of the flaw. Yet, even after multiple breaches, the passwords were not changed.

Given the amount of sensitive data in the school’s network, if a real hacker had wanted to do some real damage, the school would have been in some serious trouble.

One hacker gained access to a classroom CCTV system and proceeded to livestream himself playing disturbing music and sound effects through its speakers, perturbing a class of impressionable young teens.

A Nationwide Problem

It’s quite certain that Paul R. Smith Middle School is not the only school in America with shoddy data security practices. Going even further, it’s not a stretch to say that many organizations still have gaping vulnerabilities in their systems.

For example, this video shows how a hacker was able to break into a school’s CCTV system, where he was essentially able to spy on the students as well as play vulgar music through speakers. (Warning: NSFW audio)

Fundamentally, it was the middle school’s job to secure their systems. Ironically, it was also their job to educate their students on the importance of data security, such as what constitutes unauthorized access.

What the student did was of course wrong, but in all likelihood he did not understand the gravity of the situation. And given how he was merely slapped on the wrist for previous infractions, neither did any of the school’s regular faculty (he was reported by a substitute teacher).

And it’s not just them, either: there is an epidemic of obliviousness to the threat of data breaches all across the world.

Learning is Fun

This is why data security education is so important. There is no point setting up a million-dollar security system if an employee who doesn’t know any better lets hackers in through the front door.

Technology is growing at a rapid pace, and we’re getting more interconnected by the minute. However, unless we learn to deal with the responsibility that comes along with all of the power, we’re going to find ourselves charging more 14 year-olds with felonies.

Call to Confession: Companies Who Have Been Hacked, But Aren’t Telling

Data breaches are happening every day. Companies worldwide are losing large amounts of sensitive data to hackers, who can turn a pretty penny selling credit card numbers and healthcare information on the black market.

The problem here is, many of these companies are trying to keep their hacks out of the evening news, and this comes with major negative consequences for consumers.

When a company reports on a hack, the gears of remediation begin to turn. Associating banks will reissue credit cards to all those affected, and breach victims will be sent letters warning them to watch for any unusual activity on their accounts.

By not reporting on hacks, companies are basically denying their customers the right to defend themselves from credit card fraud.

Many companies are afraid to report hacks, because they believe that what comes next is a drop in reputation and potentially spending millions of dollars on remediation.

On the other hand, though, if they get caught not reporting a breach, it spells even more trouble. The media will drag their names through the mud and shame them publicly. And on top of the usual remediation costs, those companies will have to fork out even more moolah to cover the inevitable onslaught of lawsuits and fines.

Now, you might be thinking that you simply have to avoid getting caught, but staying off the radar isn’t as easy as you might think. Once the banks are able to determine your company was a common denominator for hack victims, a thorough investigation will be conducted, and your mismanagement will be brought to light.

“And I would have gotten away with it too, if it hadn’t been for all those meddling banks and individuals noticing unusual activity on credit card spends!”

Simply put: the best solution for everyone involved is for you to notify the authorities as soon as you discover a breach.

Somehow, unfortunately, all of this is not enough to convince many organisations to come clean once they’ve been hacked, which has led the US to introduce strict data breach notification laws, stricter than anywhere else in the world.

The US accounts for the most reported data breaches in the entire world.

Coincidence? I think not.

While many countries like Australia and Singapore have guidelines for data breach notifications, they don’t have any concrete laws making it compulsory to do so.

This makes it hard to get a read on just how bad the state of cybersecurity is in those countries. The situation might seem good on the surface, but for all we know, data breaches may be a rampant problem that needs to be addressed urgently.

Don’t Wait, Call Now

One way to think about the whole issue is that getting hacked is just one half of a problem. Many cybersecurity experts believe that all companies are at risk of getting breached, and it’s just a matter of time till yours is too.

The second half of the problem starts when you don’t report on a breach. You’re basically aiding the hackers in selling the data they steal, which will be used by other criminals to commit easy credit card fraud.

Don’t be the person who fails to report a breach. On top of the multitude of business-related reasons listed to report a breach, you owe it to your customers that they be given a head start in securing their sensitive data, before the threat of fraud comes around.