Bringing Sexy Back to Security. OK, maybe not back; maybe making security sexy for the first time is more appropriate. Thanks to the recent Ashley Madison hack, folks are actually equating sex and security more than ever. Thank goodness for that, because security really needs to be viewed in a better light, even if it is a red light.
Cue someone singing Roxanne.
Full details haven’t been exposed as to how Impact Team were able to crack into Ashley Madison’s network so easily and PWN them harder than a teenage Modern Warfare team playing against a group of kindergarteners. What was explained was that once they were in, there was no internal security; everything was easily exposed. Evidently, once inside, the hackers could VPN to every server in the environment with the username root and the password Pass1234. That’s the kind of password an idiot would have on their luggage.
If the importance of this last bit doesn’t immediately jump out at you: the problem isn’t that the breach happened, because breaches happen far too often. It’s that people suck at security. People are the biggest vulnerability in any environment.
I have had so many conversations with folks about security policies and whether they actually make organizations more secure. Odds are no; the policies most likely do not secure the environment. Instead, the policies act as guardrails for users. This helps curb behavior and drives users in the direction the company wants them to go. It’s like herding cats.
The same people who argue against ridiculous policies, and believe me I have been privy to some really bad security policies, say that what we really need is better training for the employees. Here is where I call BS, SUPER DUPER MAJOR BS. How many of you have to do quarterly or annual training? How many of you then actually do it, versus hitting play on some video recording and going to lunch? Hell, I have been guilty of that when the training doesn’t actually apply to me but I have to do it anyway. Training doesn’t help if a breach actually happens or there are regulatory violations that result in fines; “Oh, but we trained our people” doesn’t really get you out of the fines.
So how, then, does anyone operate securely? Is it just a matter of replacing the humans with robots?
Look, I am not trying to stand on a soapbox and say that I have the answers. What I am saying is that security is about risk management. You manage risk in three ways: accept it, mitigate it, or avoid it. Accepting risk means you understand there is an issue, but since nothing can be done you take the risk anyway because the reward outweighs the potential problems. Mitigation means you take as many precautions as possible to eliminate the risk; it’s not foolproof and there will still be breaches, but you do your due diligence to protect yourself. Avoidance is a matter of assessing the risk, determining that the reward doesn’t outweigh the risk, and thus moving away from it.
The Ashley Madison hack is hilarious in its irony, because not only was the very business itself a giant risk (cheating on your spouse), but it appears little to no risk assessment was done, either of the regulatory controls around PII or of the infrastructure for that matter. Step away from the business issues and the lack of security awareness, over to the user side, and you see thousands of government employees signed up for the service with their government email addresses. Hello, McFly! What were they thinking? How about a little OpSec, given that there are free email services all over the interwebs? These people just accepted the risk and pressed on.
Despite all of this stupidity, the search for sex led these poor ignorant souls to a poorly managed, risk-accepting service, for what should have been a risk-averse user population. Hopefully now the sexiness of how this could have been avoided can be applied, and more companies and users can understand why security and risk management matter so much.