Ashley Madison - Could Cloud Have Saved PII and the IPO? // Theo's Two Minute Tech Talk #1

My first question to customers used to be “What do you do in the event of a disaster?” I lived through Y2K, 9/11, Katrina, Sandy and the hanging chads of the 2004 election. I thought I had seen it all. However, with the very public and extremely messy cyber hacking, or “cyjacking” (1), of Ashley Madison, I feel it is necessary due diligence to ask the simple question “What are your steps to prevent a data breach?”

By now quite a few more people have heard about the Ashley Madison hacking (Wired has a great online article with a timeline, see link) and the subsequent web release of millions of their customers’ data. The company has been around since 2001, so they are not new kids on the block when it comes to controversy or making headlines. Now it is no longer the service Ashley Madison provides that makes it infamous. This former potential $200M IPO is now the name synonymous with a total violation of privacy: the release and publishing of Personally Identifiable Information (PII) (2).

Interestingly, and scarily, the folks at Ashley Madison actually went by the book to protect their customer data. Research, supported by solid online sources such as the blog Errata, breaks down some of the statistics and the encryption hacked by the perpetrators of the data leak. It appears that the security protecting the PII was BCRYPT (3). This encryption utility is in use by thousands of on-premise customers. One of BCRYPT’s many attributes is the masking of parts of credit card numbers. It, however, was not enough. With millions of customers’ data being held hostage and then maliciously released, it is patently clear that “good enough” isn’t even close to being sufficient, especially when a determined hacker can easily gain access to emails, GPS coordinates, and multiple pieces of PII that, when combined, clearly map back to a specific individual.

All that came to mind was “If cloud security guidelines had been in place, could the exposure have been significantly reduced?” I started to rattle off in my head the cloud security training I had taken. So many items, so many steps. Detect, defend, protect, and prevent…or something like that. Yes, I know that sounded ridiculous, but this is big, even bigger than the ILOVEYOU virus (if you remember that one, then you are officially “that old”!).

But seriously, both NIST (SP 800-122) and CSA (Domain 8 §2.1.2) advocate PII protection with basic steps such as:
1) Incident planning. (Don’t wing it.)
2) Segregation of duties. (Never let one group/DBA/entity hold all the keys to the PII kingdom.)
3) Prevention. Have multiple layers of security. (It looks like Ashley Madison had minimal, if even bare-bones, password protection and very little in the way of the encryption that the cloud so heavily relies on.)

The implications of a threat like this are an industry game changer. It leaves so many companies that are trying to do the right thing for themselves, and their customers, open to cyber terrorism as well as extortion. Cyber security will be a $170B business within the next few years! This is not doomsday, apocalyptic, conspiracy-theory chatter to work people up. This is the reality of 2015. The reality is that the PII of over 30M customers (give or take a few million false profiles) is now left open on the web for everyone to see and data mine. This is the reality of a $200M IPO that has failed because of cyber hacking. And the harshest reality of all is that it can, and most likely will, happen again.

Today I shy away from asking trite and worn phrases such as “What is your pain?” I now pull together all of my contacts, including Chief Security Officers, Chief Information Officers and Chief Architects along with their IT teams, to roll up our sleeves and ask “What do we do to prevent a data security breach? And how do we design systems in the cloud or on-premise to protect your businesses?”

*sighing heavily and remembering the good old days when losing my 3 1/2" floppy disk was a security risk…*

Credits/Images:
1) Header Photo: screen cap from Impact Team on Ashley Madison homepage.
2) All links reflect original authors. Any omissions are unintentional.

Glossary:
1. CyberJacking

2. PII (Personally Identifiable Information)

3. BCRYPT

Cyber Security Guidance/Regulations for Protecting Data:
1) Congressional Act to Protect Against Cyber Terrorism - Cyber Intelligence and Sharing Protection Act (CISPA)
2) NIST (National Institute of Standards and Technology) Guide to Protecting PII (see above)
3) CSA (Cloud Security Alliance) - Domain 8, Section 2.1.2 (see above)

Related Trivia and Info-Links:
1. Top Baby Names in 2001 - Ashley and Madison...
2. Amy Schumer Interviewed CEO of Ashley Madison 2 months before hacking
3. Toronto Public Transit Nixes Ashley Madison
4. Tiger Woods was offered $5M by Ashley Madison

Maya Ba Cissé, MBA

Regional Director, Business Development at Oracle NetSuite

9 years

This is great. Thanks for sharing Theo Graymccarthy

Andrew Forman

I build high performance data platforms.

9 years

Awesome...insightful and very relevant.
