One of the biggest stories of the past few weeks is the recent breach of affair-oriented dating site Ashley Madison. Hackers released the personal information of more than 37 million users, which has led to embarrassment, blackmail, and government investigations.
Regardless of the moral position of a company like this, this kind of breach is an unprecedented disaster for any organization hosting sensitive information. Its entire business was built on the notion of secrecy; in the eyes of the public, it has failed miserably in that regard.
Other than not having signed up for the site in the first place, there was little for Ashley Madison’s end users to do to protect their information. This was beyond their control. The base expectation for online businesses and ecommerce sites that require private customer information is that this information is kept secure and that privacy is maintained.
Data is the currency of the digital age, and any kind of data is valuable. As much as you can point to Ashley Madison as a target, it can happen to anyone, anywhere, anytime. Consider that most attacks today are initiated through botnets (networks of hacked and compromised computers) that systematically scan a broad range of sites. This method allows hackers to concentrate on the sites that show vulnerabilities. These botnets look for weaknesses in the code, the application stack, or the infrastructure. Basic and advanced attacks alike can be traced back to sloppy coding, missing patches, and similar weaknesses.
Attacks exploiting human behavior, known as social engineering, are not as sophisticated, but are just as prevalent and dangerous. A prime example is the cross-site scripting breach eBay suffered in 2014. eBay users trying to access the site were taken to a “spoofed” (or fake) login page, where they were prompted to hand over login credentials. Of course, with a user’s eBay login, hackers had access to a devastating range of private information including credit card, address, and PayPal details. The promise of a large “inheritance” from foreign dignitaries is another version of these email scams. The sad truth is that these scam emails continue to be sent because they work on unsuspecting people who do not have their guard up.
In the world of retail, a worrisome trend emerged in 2013 and 2014 with a string of hacks hitting some of the largest retailers including Home Depot, Staples and Target, attacking their point-of-sale systems with malware. These attacks allowed hackers to collect credit card numbers and secret pin security codes belonging to millions of shoppers.
A hacker’s goal is to get as much data as possible; sometimes, hackers can hack an organization for months on end without detection. Hackers rely on the notion that online businesses will typically have fewer resources to take on a full security portfolio, thus turning those businesses into prime targets.
Thankfully, advice and information regarding the security of coding is plentiful. A bit of research and remediation can make significant improvement in site security. To understand how to protect yourself, you have to understand the attackers, how they’re doing it, and what you can do about it.
Attackers come in all shapes and sizes: everyone from script kiddies, to politically motivated organizations, to foreign intelligence agencies, to competitors, to people with malicious intent. Several nations and nation-states are believed to have the capability of launching massive, sophisticated cyber intrusions. Each has one reason or another to attack a site. They go after the soft points in the chain of security:
- Software and code
- The human factor
- Process
- Exposed information
What can be done to mitigate threats on these levels?
- Software and code security concerns are best addressed through vigilance, process, and testing. An otherwise hardened application or site can be taken down in seconds by forgetting something as simple as escaping user input before it reaches the database.
- The human factor is next in line; keep an eye out for social engineering efforts that dupe people into giving up credentials, making changes to an account, or introducing malicious software onto computers or into applications. Organizations need to bake fool-proof authentication into their support and sales processes. The other soft underbelly that is most overlooked is the inside threat: employees maliciously leaking sensitive data and information. By some reports, as much as 60 percent of data breaches originated in some fashion inside the castle walls.
- Process refers to the need to review software features and their interactions with other business systems; overlooking this step presents an easy target for hackers to exploit. This includes things like changing system defaults, using advanced protection like two-factor authentication, and regularly auditing security-related processes and procedures for all systems.
- Exposed information stems from the careless exposure of sensitive information, such as a critical password on a sticky note or dumping old software backups without properly destroying the data.
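The "forgot to escape the database input" failure from the first point above, shown as an added example (not code from the article): a login lookup built by string concatenation beside the parameterized form that treats the same input purely as data. The in-memory SQLite table and the sample input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table; not data from any real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_unsafe(conn, name):
    # The unescaped case: the caller's string is pasted straight into the SQL,
    # so a quote character in the input changes the meaning of the statement.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the driver passes the value separately from the
    # statement text, so it is always a literal and never part of the SQL.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Constructed sample input containing a quote and an always-true clause.
SAMPLE_INPUT = "nobody' OR '1'='1"
```

With the unsafe lookup the sample input returns every row in the table; with the parameterized lookup it matches nothing, because no user is literally named that.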
A Focus on Software: What can a business do about security?
Not all businesses handle the secret lives of the public, personal details, and account histories. However, they all have a responsibility to secure private data.
An organization should:
- Conduct regular assessments of its sites, and of any known flaws that need fixing or ongoing management. It is very easy to lose sight of everything that’s been added to a website. Track everything!
- Implement a secure process that validates code as it is revised and implemented. Change control, revision control, and roles-based access are all important principles to become familiar with.
- Utilize outside resources and expertise when required to conduct security reviews. Penetration testing and code review are valuable in helping validate a site (and its environment) and discover flaws.
- Integrate security principles in the development of new site code. Within the lifecycle of site code development, make sure to integrate testing, updating, and tracking.
- Broaden its routine security spectrum to big data, messaging and financial applications. All points of presence should be in scope of security review, whether it is an application, database stack, or clustering software.
- Ensure that its content management systems (CMS) like WordPress or Joomla are up to date. CMS applications consist of content, database, account systems, and plugins. They all need the same scrutiny, and all require vigilance.
- Ensure that effective security infrastructure is in place. The most familiar of security constructs include firewall, intrusion detection systems, auditing, anti-malware, and more.
The fundamentals of secure sites live in the code. There is a constant stream of vulnerabilities, cross-site scripting, directory traversal attacks, and more that can be traced back to code flaws and implementation. A security process should be followed, and a validating security scan should be performed from the initial baseline onward, every time a change is made to any code on a page. One valuable tool for scanning for vulnerabilities is the Acunetix Web Vulnerability Scanner. In addition, installing a rootkit checker, like RKHunter or chkrootkit, can help discover signs that a server has already been compromised. Also, it’s worth noting that the underlying libraries and engines that drive websites should be regularly updated in a sandbox (non-production) environment wherever possible, then scanned, and only then brought into production.
Big Data and Applications
The modern web page is technically an application; however, applications on the web have moved far beyond simple pages with the advent of big data, messaging, financial systems, and more. Web application hacks can take down the underpinnings of an online database system, intercept keys and data, and gain command over an entire infrastructure. Losing the ability to use data can be just as bad as losing the data. Data is often the lifeblood of a business.
Part of Ashley Madison’s password database was hashed with the bcrypt algorithm, which has thus far protected this portion of the information well. The passwords protected within are a potential goldmine for hackers due to the fact that we tend to re-use passwords on other accounts. An important lesson can be learned here: sensitive data should be as secure as possible and tiered into levels of protection. Encryption typically adds some computational and transactional overhead, so having a custom environment that can support this at scale is a good principle to hold. Locking down access to critical systems using IPSec VPNs adds another layer of security.
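What "protected well" means for a stolen password table, as an added example that is not the article's code: each password gets its own random salt and a deliberately slow key-derivation function, the stored record carries its own parameters, and verification compares in constant time. The standard library has no bcrypt, so this uses PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt the article mentions; the iteration count and record format are this example's own choices.

```python
import hashlib
import hmac
import os

# Work factor for newly created hashes; raise it as hardware gets faster.
# Example policy, not a value from the article.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iterations."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when a record was made under a weaker policy than the current one,
    so it can be upgraded at the next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS
```

Because every record states its own parameters, the work factor can be raised over time without invalidating existing accounts.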
The challenge of protection from outside threats is significant. At the same time, businesses must also be vigilant in mitigating internal threats. In the case of Ashley Madison, there have been indications that the data leak may have originated internally. The data is voluminous with a wide scope, which suggests centralized, privileged access. A business can protect against the loss of data by implementing two-factor authentication, roles-based access control, auditing, and data exfiltration prevention tools. By controlling data at the source, risks can be greatly reduced and damage can be quickly assessed.
The journey toward adopting two-factor authentication into tools, applications, and websites has increased in recent years. A recent mandate was set in the European Union in response to data breaches, which puts two-factor authentication at the center of security for all corporations. Two-factor authentication combines tokens (something you have) with passwords (something you know) for enhanced authentication. As industry continues to explore two-factor authentication on the web, it faces questions of expense, complexity, and impact.
The benefits, however, far outweigh the risks, and adoption rates are skyrocketing. Look no further than banking websites, social media sites, and other industry leaders that now require a phone number for account logins and recovery. While two-factor authentication likely would not have prevented the Ashley Madison breach, it can prevent the interception of administrative tools, which have overarching access to everything.
Too Good to Be True?
If things appear on the surface too good to be true, they probably are. This Ashley Madison breach is a stark reminder of that. Hackers prey on gullible people to steal their data. In a way, Ashley Madison showed us how gullible people are in giving up their credentials online. Just look at the numbers behind Ashley Madison: only 5.5 million of the site’s 37 million registered users were women, but only 1,492 of those women actually checked their messages – meaning those other 5 million female accounts weren’t legitimate but in fact were fake accounts! That left 31 million men vying for less than 1,500 women – a pipe dream at best and a scam at worst.
Content Management Systems
Content Management Systems (CMS) have revolutionized web publishing in many ways by making it easy to deliver updated information to an audience. It’s important to note that the technologies that make up these systems – which include WordPress, Joomla, Drupal, and others – depend on underlying code and technologies. The introduction of plugins, themes, editing systems, and photos can also bring unwanted vulnerabilities into the big picture. The principles of reviewing, testing, and monitoring the code that goes into these elements are as critical here as they are anywhere else on any page. Keeping things up to date is a great principle to have, but stay aware of what each piece does, and make sure to constantly validate the secured state of your website.
Defense in Depth
A hardened application is a good first step, but things don’t end there. Firewalls and hardened network systems are familiar to many, yet as infrastructures and applications become increasingly complex, the evolution of security infrastructure must also keep pace. It’s critical to build security into every layer of your environment, not just to lock your front door. There is a constant barrage of new security products emerging at any given time, which is great; however, security isn’t defined by new products alone. Some of the largest data breaches ever took place in data centers with cutting-edge products. The question then is: What happened?
In case after case, the security industry is quick to point out that constant strategy, reporting, and process are the unsung heroes of the security ecosystem. You will find that flashy security appliances can’t do the job alone; it’s how security products are utilized that makes all the difference.
It is lapses in security like Ashley Madison’s breach that remind us that our information is never truly safe. Everything that’s stored digitally is ripe for the taking. No company is 100% bulletproof, as we’ve seen in breach after breach, but creating and following smart security measures, and maintaining a constantly aware security posture in your organization and in the organizations you depend on, will go a long way toward protecting your data – and your brand.