Individualized Assessment
Beauty is in the eye of the beholder. And so is the sensitivity of data – at least in terms of which data are worthy of security measures more rigorous than the minimum required. (Those minimum requirements might be set by statute or regulation, by contract or by established industry standard.) At AshleyMadison.com, the company apparently considered passwords and credit card numbers sensitive enough to warrant additional protection. Passwords were hashed (although not effectively; more on that below). And credit card numbers were truncated, so the database stored only the last four digits. But remarkably, given the website’s purpose, the company did not believe that its users’ names and contact information merited such additional protection. Nor did it take any extra steps to safeguard the highly personal, soul-baring content of its members’ profiles.
Every organization possesses sensitive data of some kind. But what’s highly sensitive to one company might be ho-hum to another. Would volunteers registered with Habitat for Humanity be outraged if the charity’s IT systems were breached, and their names, along with information about the types of home-building projects they prefer to work on, were released to the public? Of course there would be cause for concern over the fact of a breach, but I doubt any of those volunteers would lose sleep because they were associated publicly with a respected charitable organization. But in that same hypothetical, what if the breach revealed the names and financial status of low-income families helped by the charity? Those families certainly would expect the organization to secure that information more zealously.
Every organization should conduct its own individualized risk assessment to identify its most sensitive data and create a triage-based system for protecting information. A company can’t take every conceivable measure to protect every piece of data – principles of proportionality come into play, and risk mitigation must be balanced with cost and efficiency of business processes.
Protect-in-Place Strategies
In today’s environment, it’s not a matter of if a company experiences a data breach, it’s a matter of when. Traditional data security measures, which rely on physical infrastructure and process controls to prevent breaches, are not enough anymore. Because those measures leave organizations vulnerable to attack, other types of protection should be incorporated into a robust data security program. One such solution is a protect-in-place strategy, also referred to as a data-centric approach. Using this approach, data are masked, encrypted or tokenized, so even if hackers gain access, the information is unreadable and therefore useless.
AshleyMadison.com tried to employ a protect-in-place strategy for its password data using hashing. The company protected passwords with the bcrypt hashing algorithm at a cost factor of 12, a deliberately slow, salted scheme that makes brute-force guessing of the stored hashes expensive and impractical. However, a subset of the passwords and logins was also processed with the far weaker, fast MD5 hash before being passed through the bcrypt system. Once the stolen data were released to the web, data security experts (and some hobbyists) set out to crack the password hashes. It didn’t take long for them to crack the MD5 hashes, and once that happened, the recovered passwords essentially provided a key to unlock the bcrypt-protected records, since a known password can simply be checked against its bcrypt hash. The end result? Most of those hashed passwords have now been recovered.
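As an added illustration (example code written for this post, not anything from AshleyMadison.com or its vendors), the audit below scans constructed password-table rows for the anti-pattern just described: a fast MD5 hash stored beside a bcrypt hash, which leaves the record only as well protected as the MD5 value, plus bcrypt cost factors below a policy minimum. The column names and the minimum cost of 10 are assumptions.

```python
import hashlib
import re
# Hash-format fingerprints; the bcrypt pattern captures the two-digit cost factor.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
STRENGTH = {"md5": 0, "unknown": 1, "bcrypt": 2}  # weakest to strongest

def classify_hash(value):
    """Return (scheme, cost) for one stored hash; cost is only meaningful for bcrypt."""
    if not value:
        return ("none", None)
    m = BCRYPT_RE.match(value)
    if m:
        return ("bcrypt", int(m.group(1)))
    if MD5_RE.match(value):
        return ("md5", None)
    return ("unknown", None)

def effective_scheme(record, hash_fields=("password_hash", "legacy_hash")):
    """The weakest scheme found across the record's hash columns decides its protection."""
    schemes = [classify_hash(record.get(f)) for f in hash_fields]
    schemes = [s for s in schemes if s[0] != "none"]
    if not schemes:
        return ("none", None)
    return min(schemes, key=lambda s: STRENGTH[s[0]])

def audit(records, min_bcrypt_cost=10):
    """Flag records whose effective protection falls short of bcrypt at the policy cost."""
    findings = []
    for rec in records:
        scheme, cost = effective_scheme(rec)
        if scheme == "bcrypt" and cost >= min_bcrypt_cost:
            continue  # protected as intended
        if scheme == "bcrypt":
            reason = f"bcrypt cost {cost} is below the policy minimum of {min_bcrypt_cost}"
        elif scheme == "md5":
            reason = "fast, unsalted MD5 hash stored beside bcrypt undermines it"
        else:
            reason = f"{scheme} hash format; needs manual review"
        findings.append({"user": rec["user"], "effective": scheme, "reason": reason})
    return findings

# Constructed sample rows, not data from any real system; bcrypt bodies are format-valid filler.
FAKE_BODY = ("a1B2c3D4e5" * 6)[:53]
SAMPLE_RECORDS = [
    {"user": "alice", "password_hash": "$2a$12$" + FAKE_BODY, "legacy_hash": None},
    {"user": "bob", "password_hash": "$2a$12$" + FAKE_BODY, "legacy_hash": hashlib.md5(b"constructed").hexdigest()},
    {"user": "carol", "password_hash": "$2a$04$" + FAKE_BODY, "legacy_hash": None},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['user']}: effective={f['effective']} ({f['reason']})")
```

Run against the constructed rows, only alice passes: bob is flagged because the MD5 value beside his bcrypt hash sets the record's effective strength, and carol because her bcrypt cost is below the assumed policy minimum.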
So even a protect-in-place strategy isn’t enough if it’s not deployed correctly. A recent blog post at Ars Technica about the password cracking aptly observed, “a single misstep can undermine an otherwise flawless execution.” Companies need true experts to help design and implement data security measures, and those measures should be revisited frequently to ensure that they remain state-of-the-art. And as noted above, the efficacy of these protections must be weighed against their business cost. Not only can these tools be expensive, but they also impact business operations by slowing down the flow of data and the speed of transactions and by restricting access to information. Companies face tough choices about which data are sensitive enough to merit additional protection – and which are not.
Keep Your Promises
AshleyMadison.com faced criticism for more than just the fact of the breach. The company made promises to its users and the broader Internet community that apparently it failed to honor, resulting in a blow to its reputation – and a flurry of lawsuits.
First, there was the hubris. According to Robert Scoble, a technology evangelist currently working as the futurist at Rackspace, a representative of AshleyMadison.com reached out to him looking to set up an interview with its president and CEO, Noel Biderman (who later stepped down in the wake of the hack). The purpose of the interview? To explain how AshleyMadison.com had become “the last truly secure space on the Internet” and why “companies need to take every measure to ensure the security of their customers' data.” Oh, the irony. Here’s a look at the message to Scoble:
Published October 14, 2015.