7/23/2015 @ 9:25AM
Do you cheat on our spouse? Then chances are, you’re sweating bullets over the recent Ashley Madison hack. However, if you’re in enterprise IT, you should be as distressed as any cheater, regardless of how faithful to your other half you actually happen to be.
Here are the facts: earlier this week, an anonymous group of hackers going by the name The Impact Team hacked the adultery website Ashley Madison. The hackers stole large caches of data, including information about users who paid Ashley Madison to delete their data.
Before you turn up your nose with schadenfreude or rush out to buy flowers for your mate in a desperate but futile damage control gesture, consider the important lessons for all enterprise cybersecurity – regardless of business model.
The first lesson, of course, is one you should have already learned: not only are all organizations vulnerable to attack, but they have already been attacked. You shouldn’t be asking when an attack might occur. You should be asking how long have the hackers been inside your network and how best to mitigate further damage.
The Ashley Madison attack, however, teaches a second, equally important lesson – one that cybersecurity professionals are less likely to have learned.
Hackers are usually thieves, looking for financial gain. Sometimes they are vandals, intent on destruction. But what if they be extortionists, looking to shut down your organization entirely?
Risk Mitigation and the Extortionist Hacker
Hacks for ransom are an important risk that enterprises must plan for. If a hacker presents a ransom demand, you want to be prepared ahead of time to make the critical decision: pay or not?
As with any ransom situation throughout history, if you pay then you still don’t know if the bad guy will go along with the deal, and paying encourages further extortion attempts. However, if you don’t pay, then the chance the hackers will make good on their threat is very high.
As a result, planning for an extortion attack is never easy, as it involves a choice among thoroughly unsavory alternatives.
Mitigating the extortion risk begins with the basics of understanding the hackers’ motivation. Beyond the actual consideration of your active security measures, all risk mitigation analyses must consider two key metrics: what assets do we have that hackers might be interested in, and how difficult is it for them to get those assets?
To answer the first question, you have to get in the hackers’ minds to consider what assets the hackers might want. The answer typically involves data that have monetary value, like credit card numbers. Public sector organizations in particular must also consider whether hackers have political motivations.
The Impact Team, in contrast, doesn’t appear to be interested in financial gain or to have a political agenda. Instead, their purported motivation is moral outrage. And regardless of whether you personally feel moral outrage at an adultery-driven business, moral outrage is a hacker motivation that every organization must plan for.
The bottom line: every organization, private or public sector, is susceptible to a moral outrage-motivated hack. It doesn’t matter how benign your products, how happy your customers, or how beloved your brand might be, you must still plan for this kind of ransom attack.
The reason this consideration of a hacker’s motivation is so important is because of the nature of the ransom demand. While traditional ransoms are financial, a moral outrage ransom could be anything – including the cessation of your business altogether, as in the case of the Ashley Madison attack.
If the extortionist’s threat is so damaging that paying the ransom means shutting down your business, then paying the ransom may simply be off the table. Are you willing to suffer the effects of not paying?
With Ashley Madison, the stated result of not paying the ransom is the exposure of sensitive information. Chances are, regardless of your business model, a similar exposure will also be the extortionist’s threat should you be in a corresponding situation.
Thus we come to the third important lesson of the Ashley Madison affair: you must protect all sensitive information, regardless of whether there be an intrinsic value in such information to a potential hacker.
Organizations already know to protect personal information of customers and employees, intellectual property secrets, passwords, private keys, and the like – information that a hacker seeking financial gain would covet. But an extortionist will be seeking confidential information that simply has the power to embarrass your organization, regardless of any potential financial value.
Due to the nature of Ashley Madison’s business, customer information itself is potentially deeply embarrassing – but your organization will likely (and thankfully) vary. What’s embarrassing to you might be unexpected. As you analyze the value of your data, therefore, be sure to consider the embarrassment value of such information.
The lesson for all of us users is also crystal clear – do whatever you can to avoid putting your own potentially embarrassing information online, and furthermore, don’t let any organization store such information in their computer systems, online or not. The last thing we consumers want is to be a pawn in some hacker’s moral outrage-driven extortion attack.
Intellyx advises companies on their digital transformation initiatives and helps vendors communicate their agility stories. As of the time of writing, none of the organizations mentioned in this article are Intellyx customers. Image credit: Lisa Brewster.