With the Ashley Madison security breach entering stage two (release of data) the cyber security industry has been quick to offer opinion on what has happened and how it could be avoided.
The views of a former “penetration tester” naturally caught our editorial desks’ attention.
This is what Stephen Coty, chief security evangelist at Alert Logic has to say:
“With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be.
“What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.
“People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment.
“I would commonly drop USB drives in parking lots, relying on someone to pick it up and plug it into their workstation just to see, out of curiosity, what was on the drive. 9 out of 10 times this would always grant me access into the customer’s environment.
“Now with this latest breach, we have an opportunity to use a similar tactic to show evidence of a individual’s infidelity to motivate them to give me the information that I want. Once I have this information, I can sell it on the underground to either a competitor or an overseas start-up for considerably more than I could ever get by simply blackmailing an individual.”
Should employers start locking down their internet and mail services to work functions only?
Should HR and Corporate Security policies be enforced with actual consequences?
These are all challenges that corporate security teams have been dealing with for years.
“Should we now start empowering our security teams to do their jobs efficiently? In order to do that job efficiently, companies need to invest in the people, process and technologies to build a comprehensive and effective security strategy. This also means investing in a threat research and intelligence function that will mine for lost and stolen data to understand and combat the risk that our employees introduce into our environments,” says Coty.
This is a sample of data to give you the extent of what individuals that used corporate accounts for their Ashley Madison account profiles.
Coty tried to randomly hit domains from different countries and different industries: