Ashley Madison Not Alone at Failing to Monitor Sensitive Information Exposure
This summer’s Ashley Madison hack was one heard around the world due to the notorious nature of the business. Unfortunately, these hacks are becoming far too familiar due to botched company security and failure to properly protect and manage data in enterprise applications. These breaches do not happen simply by stealing a file or a document, but by exploiting legitimate application access to a database that contains large amounts of records. And what is unfathomable is that companies are unable to pinpoint real event information such as who was exposed to what sensitive information, when, and where.
According to the recently released Insider Threat Spotlight Report, “62 percent of security professionals say insider threats have become more frequent in the last 12 months.” Additionally, nearly half of respondents were unable to detect whether their organization experienced a breach from malicious insiders in the last year.
In the case of Ashley Madison, the company discovered the breach along with the rest of the world when the hackers, who call themselves the Impact Team, made the first data leak public on July 20. The Impact Team has since publicized that they lurked in the company’s infrastructure for years, collecting over 300 GB of sensitive data, though the actual file extraction appears to have happened during a 10-day period beginning July 1. The Impact Team said it was fairly easy to infiltrate due to lax security measures.
Joel Eriksson, CTO of Cycura, a company charged with investigating the hack, said, “There is no indication of any software vulnerability being exploited during this incident,” and suggested it may have been an insider job. However, there is a clear indication that the company was not aware that an unusual amount of data was being viewed and exfiltrated within its applications over the 10-day period. It is also apparent that Ashley Madison had no idea who extracted the files using what credentials, let alone what and how much was extracted at the time the breach was discovered.
But Ashley Madison is not alone. Much more reputable companies are just as vulnerable and just as unable to answer the who, what, where, and when questions about a breach in real time. At the end of 2014, Morgan Stanley only learned it was compromised after customers’ account information was posted online. A financial adviser was fired as a result for stealing 350,000 records of the firm’s wealth-management clients, none of whom were his own clients.
In February, Anthem Blue Cross Blue Shield was hacked, leaving approximately 80 million people’s personal information exposed. It’s suspected that the hackers got in using malware to obtain an employee’s login credentials. Had the company been notified of the unusual amount of data being accessed, which records were being accessed, and by what account, it may have been able to contain or eliminate the damage.
Current security solutions are falling short. Hackers and malicious insiders are targeting applications with legitimate privileges to steal data and commit fraud. Network security is completely blind to these types of attacks, and the Security Operations Center is often flooded with false positives that hide the real threats. Sure, there are network sniffers and application logs, but they produce terabytes of clutter, and current UBA (user behavior analytics) tools require lengthy amounts of time to learn normal user behavior, leaving the company vulnerable before actual detection is achievable.
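The kind of monitoring the preceding paragraphs argue for, as an added example that is not part of the original article: it aggregates a constructed application audit log into rows accessed per account per day and reports, with who/what/when, any account whose volume is far outside its same-day peers. The log format, account names and thresholds are assumptions; comparing against peers on the same day avoids the long learning period the article criticizes in UBA tools.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed sample application audit log (illustrative, not from any real system):
# timestamp, account, action, table, rows returned.
SAMPLE_LOG = """\
2015-07-01T09:02:11Z user=alice action=query table=customers rows=40
2015-07-01T09:15:43Z user=bob action=query table=customers rows=55
2015-07-01T10:01:09Z user=carol action=export table=customers rows=30
2015-07-01T11:47:20Z user=svc_report action=export table=customers rows=250000
2015-07-01T12:03:51Z user=svc_report action=export table=payments rows=90000
2015-07-02T09:10:00Z user=alice action=query table=customers rows=35
2015-07-02T09:30:00Z user=bob action=query table=customers rows=60
2015-07-02T10:30:00Z user=svc_report action=export table=customers rows=300
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=\S+ "
                     r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")

def parse_log(text):
    """Yield (day, user, table, rows); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"][:10], m["user"], m["table"], int(m["rows"])

def daily_totals(events):
    """Rows touched per (day, account) and the tables each pair touched."""
    totals, tables = defaultdict(int), defaultdict(set)
    for day, user, table, rows in events:
        totals[(day, user)] += rows
        tables[(day, user)].add(table)
    return totals, tables

def flag_outliers(totals, tables, k=5, floor=1000):
    """Compare each account with its peers on the same day: anything above
    median + k*MAD and above an absolute floor is reported as (when, who,
    how much, what). Peer comparison needs no multi-week learning period."""
    by_day = defaultdict(dict)
    for (day, user), rows in totals.items():
        by_day[day][user] = rows
    alerts = []
    for day, users in sorted(by_day.items()):
        values = list(users.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1
        for user, rows in users.items():
            if rows > max(floor, med + k * mad):
                alerts.append((day, user, rows, sorted(tables[(day, user)])))
    return alerts

def detect(text=SAMPLE_LOG):
    return flag_outliers(*daily_totals(parse_log(text)))
```

On the sample log, only the service account's 340,000-row day is reported; its 300-row day and every human account stay below the peer threshold.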