BreachExchange mailing list archives
Do consumer data breaches matter for the enterprise?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Nov 2015 13:45:50 -0700
http://www.information-age.com/technology/security/123460535/do-consumer-data-breaches-matter-enterprise

Recently, the world was shocked by the embarrassing details released after the data breach at Ashley Madison. In addition to the site’s members being embarrassed, hackers also exposed the personal data of millions of users. This breach was ripe for the tabloids and became news for many water cooler discussions. At the same time, it provided a real-time example of how consumer breaches can and do impact corporate security and business operations (beyond the embarrassment).

The first and most obvious lesson learned from this data breach is that if you use a weak password on a consumer website, even if that site employs good encryption technology (Ashley Madison used bcrypt to hash its users’ passwords), those passwords can still be cracked and exposed. In less than a week, more than 4,000 of the Ashley Madison passwords had been cracked. Worse, 1,191 of those passwords turned out to be unique values, and the hackers are likely working to identify additional user accounts related to those email addresses.

So how does this apply to the enterprise? It illustrates that even a breach unrelated to a company can expose details that put the company at risk. Research shows that employees reuse passwords on both work and personal apps, creating an easy way for hackers to gain access to corporate apps when personal apps are breached. After the Ashley Madison breach, SailPoint did its own research around the exposed credentials, and realised that some of our customers had employee emails published. This was particularly concerning if those employees used the same password for work and personal apps, because then our customers’ systems could have been compromised by hackers. SailPoint was able to notify those organisations, which in turn forced automated password resets to be executed to mitigate their risk of exposure.
In order to ensure that consumer-facing breaches don’t have corporate effects, it’s imperative to educate employees on the importance of not reusing passwords across multiple apps. An IAM solution can provide automated password reset capabilities and help to govern password usage as part of a larger identity governance strategy.

The second lesson emphasises the importance of proper handling of personally identifiable information (PII). In Ashley Madison’s case, no information, apart from the password hashes, was encrypted. This resulted in user addresses and credit card payment information being published. Beyond the personal embarrassment, the company is now responsible for exposing all of its members to identity theft, or worse. Unlike the Target breach, in which the hackers stole the PII and did not publish it, the hackers dumped all of the data onto several well-known hacker data sharing sites. This opened the abuse vector to just about every script kiddie on the internet, vastly increasing the potential of future exposure and impact.

The takeaway here for the enterprise is to always encrypt personal data. Had Ashley Madison used encryption for all personal data, things may not have turned out as badly as they have. Whether you’re storing social security numbers, banking details or other sensitive customer information, any PII should be encrypted.

A final lesson from this breach is that every organisation needs to constantly evaluate its risk posture. Data breaches like Ashley Madison serve as an important reminder to educate employees through security awareness training and test internal response procedures in preparation for a potential data breach. Data breaches are here to stay, and enterprises must remain vigilant in how they prepare and respond, as well as how they protect their employees, data, infrastructure, and the data they manage on behalf of customers and partners.
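The first lesson describes a concrete defensive check: take the addresses published in a third-party breach dump, find the ones that belong to your own staff, and force a password reset on those accounts. The script below is an added example of that check, not code from the article or from SailPoint's product; the directory, domain list and leaked addresses are constructed sample data.

```python
"""Match addresses from a consumer-site breach dump against a corporate
directory and queue forced password resets for the accounts that appear.
Added example; all data below is constructed, not taken from any real dump."""
from dataclasses import dataclass

# Constructed sample: addresses said to appear in a breach dump (mixed case,
# stray whitespace and a duplicate, as real dumps tend to have).
LEAKED_ADDRESSES = [
    "J.Doe@Example-Corp.com",
    "alice@example-corp.com ",
    "ALICE@example-corp.com",
    "bob@personal-mail.example",
    "carol@subsidiary.example-corp.com",
]

# Constructed corporate directory: work email -> login name.
DIRECTORY = {
    "j.doe@example-corp.com": "jdoe",
    "alice@example-corp.com": "alice",
    "dave@example-corp.com": "dave",
}

# Constructed list of domains the organisation owns.
CORPORATE_DOMAINS = {"example-corp.com", "subsidiary.example-corp.com"}


def normalise(address: str) -> str:
    """Canonical form used for matching: trimmed and lower-cased."""
    return address.strip().lower()


@dataclass(frozen=True)
class ResetAction:
    login: str
    email: str
    reason: str


def exposed_accounts(leaked, directory, domains):
    """Return (reset actions, unmatched corporate addresses).

    An address is acted on once even if the dump lists it several times.
    Corporate-domain addresses with no directory entry (former staff,
    aliases, typos) are returned separately for manual review."""
    actions, unmatched, seen = [], [], set()
    for raw in leaked:
        email = normalise(raw)
        if email in seen:
            continue
        seen.add(email)
        if email.rpartition("@")[2] not in domains:
            continue  # not one of our domains: nothing to reset here
        login = directory.get(email)
        if login is None:
            unmatched.append(email)
        else:
            actions.append(ResetAction(login, email, "address present in third-party breach dump"))
    return actions, unmatched
```

The reset actions are what an IAM system would consume; the unmatched list is worth reviewing by hand, since a corporate address missing from the directory may still map to a live mailbox or alias.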
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!