The Ashley Madison hack is a wake-up call not only for many individuals but for every single business, as well — many of which are still not paying enough attention to data security.
The hack, which revealed the email addresses, personal information and sexual preferences of the site’s 36 million users, is devastating on many levels. For starters, Ashley Madison — whose slogan is “Life is short. Have an affair.” — will likely be the first high-profile company ever to go out of business as a direct result of a cyberattack. After all, it’s hard to see Ashley Madison regaining the trust of its customers, much less surviving the wave of legal action that’s now building. Two Canadian law firms were the first to file, with a $578 million class-action lawsuit in late August.
On the customer end, the impact on many families has already been devastating. Site users are getting divorced, children are being teased, jobs and livelihoods are in jeopardy. Police in Toronto say they have unconfirmed reports of two people who committed suicide linked to the leak of Ashley Madison account information.
It now seems likely that the perpetrator of the hack was an insider, probably a third-party contractor. The CEO of Ashley Madison has suggested that he knows who it is. The hacker was able to get into every system and extract massive amounts of information, including the CEO’s emails, the customer database, source code to the website — everything. If indeed the culprit was a contractor, the company failed in a fundamental way to limit that person’s access to sensitive data.
To me, this hack comes down to poor privilege-management practices that granted the hacker far too much access. And it’s not just Ashley Madison. Many recent hacks can be blamed on privileged accounts that give the bad guys the proverbial keys to the kingdom via root access. In fact, Verizon’s 2015 Data Breach Investigations Report shows that the most vulnerable point in any organization is privileged identities that have root, admin or read/write access privileges to critical infrastructure, apps and data.
These privileged identities are necessary — users like database administrators and CIOs do need extensive access to computers, networks and applications — but privileged identities come with risk. Ashley Madison is just the latest and most sensational example of that risk’s enormity.
There are so many privileged accounts in large organizations that many organizations don’t even know where all of their privileged accounts reside or who has access to them. And it’s not just IT people with privileged access anymore. Nowadays, many of the regular folks in the enterprise are granted privileged access — marketing, for example. If marketing people want to update the corporate Twitter or Facebook account, they don’t call IT to do it, they just do it themselves — and the door opens wider. This is how pro-ISIS cyber vandals hijacked the social media accounts of the U.S. military.
So, how can companies protect themselves from hackers, including malicious insiders, who can wreak havoc via privileged accounts? First, they must be smart. One of the most important steps they can take is to adopt the principle of least privilege. Limit access to the minimum level necessary for normal functioning. IT should assume that networks will be breached and bad guys will get in. But when they do get in, IT can contain and minimize the damage if it has implemented the practice of least privilege.
Least privilege means giving people only the degree of privilege they absolutely need and access to the data they absolutely must have. It means auditing activity, especially on the most sensitive systems, looking for suspicious behavior, and generating alerts if something out of the ordinary is happening. It also means implementing two-factor authentication to verify that people really are who they say they are.
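To make the auditing-and-alerting half of that concrete, here is an added example, not code from this article or from any of the companies it mentions: a short Python pass that checks constructed audit-log lines for privileged accounts against a least-privilege access policy and raises alerts for out-of-scope access, privileged actions performed without a second factor, and bulk data extraction. The principals, systems, log format, one-hour window and 10,000-row threshold are assumptions made up for the illustration.

```python
"""Added example (not from the article): least-privilege policy check and
alerting over constructed privileged-account audit logs.

Every principal, system, threshold and log line here is an assumption made
up for illustration, not anything from a real environment."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Least-privilege policy (assumed): each principal gets only the systems and
# actions its job needs. Anything not listed is denied by default.
POLICY = {
    "dba-alice":         {"customer-db": {"read", "write"}},
    "vendor-contractor": {"web-src-repo": {"read", "write"}},
    "marketing-bob":     {"social-media": {"read", "write"}},
}

BULK_EXPORT_ROWS = 10_000     # assumed: rows read per user per window that counts as bulk
WINDOW = timedelta(hours=1)   # assumed sliding window for the bulk check

# Constructed audit lines: timestamp|user|system|action|rows|mfa
SAMPLE_LOG = """\
2015-07-10T01:00:00|dba-alice|customer-db|read|120|yes
2015-07-10T01:05:00|vendor-contractor|web-src-repo|read|0|yes
2015-07-10T02:10:00|vendor-contractor|customer-db|read|500000|no
2015-07-10T02:12:00|vendor-contractor|ceo-mailbox|read|3000|no
2015-07-10T02:30:00|marketing-bob|social-media|write|1|yes
2015-07-10T03:00:00|dba-alice|customer-db|read|8000|yes
2015-07-10T03:20:00|dba-alice|customer-db|read|4000|yes
"""


@dataclass
class Event:
    ts: datetime
    user: str
    system: str
    action: str
    rows: int
    mfa: bool


def parse_log(text):
    """Parse the pipe-delimited audit format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, rows, mfa = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, system,
                            action, int(rows), mfa == "yes"))
    return events


def is_permitted(user, system, action):
    """Default-deny lookup against POLICY."""
    return action in POLICY.get(user, {}).get(system, set())


def windowed_rows(entries, now):
    """Rows this user has read within WINDOW before `now`."""
    return sum(rows for ts, rows in entries if now - ts <= WINDOW)


def analyze(events):
    """Return (kind, user, system) alerts in timestamp order.

    Three checks: access outside the least-privilege policy, privileged
    activity without a second factor, and the event that pushes a user's
    rows-per-window over BULK_EXPORT_ROWS (alerted once per crossing, so an
    authorised DBA doing a large export still shows up in the audit)."""
    alerts = []
    history = defaultdict(list)  # user -> [(ts, rows)] seen so far
    for e in sorted(events, key=lambda ev: ev.ts):
        if not is_permitted(e.user, e.system, e.action):
            alerts.append(("out-of-scope", e.user, e.system))
        if not e.mfa:
            alerts.append(("no-mfa", e.user, e.system))
        before = windowed_rows(history[e.user], e.ts)
        history[e.user].append((e.ts, e.rows))
        if before <= BULK_EXPORT_ROWS < before + e.rows:
            alerts.append(("bulk-export", e.user, e.system))
    return alerts


if __name__ == "__main__":
    for kind, user, system in analyze(parse_log(SAMPLE_LOG)):
        print(f"ALERT {kind:12s} user={user} system={system}")
```

On the constructed log, the contractor's reads of the customer database and the CEO's mailbox trip all three checks, while the DBA's own large export trips only the bulk check; the policy itself stays a plain default-deny table, which is the part most worth keeping small and reviewable.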
The good news is that organizations are waking up to the threats posed by privileged user accounts. In the aftermath of breaches like Ashley Madison, there is a growing recognition that almost every cyberattack these days involves some kind of compromised credential and privilege escalation. Once a hacker or malicious insider gets their hands on a vulnerable credential, they have the means to launch a large-scale attack. By putting in place systems that can secure identities and monitor privileged access, companies can better shield themselves from cyberattacks once and for all.