Ashley Madison and Morrisons: lessons learned
When a group calling itself the Impact Team decided to release all customer records, including profiles of the 37 million users of the adultery-themed dating site Ashley Madison, they raised some very serious questions not simply about adultery, but about security for online sites and the retention of personal data.
The company’s Chief Executive, Noel Biderman, believed the breach to have been an ‘inside job’ and not the fault of the company’s inbuilt website security. Yet, as the dust settles on the debacle, some uncomfortable truths have been revealed, and not just about Ashley Madison, but about how many websites have taken and continue to take a casual attitude toward the security of personal data, including payment card details.
The Ashley Madison site was engineered and arranged like dozens of other modern websites, and by following those conventions the company could be said to have made a breach like this inevitable. An example of this is Ashley Madison’s password reset feature. It works just like dozens of other password resets: enter an email address, and if you’re on their database, they issue a link to create a new password. This is standard web practice, but that does not mean that it is secure or indeed wise.
Nor is it the only example. Similar points could be made about data retention, SQL databases or a dozen other back-end features.
For far too long, this is how web development has worked: copying features that work on other sites, giving developers a codebase to work from and users a head start in finding their way around. But these features were never built with privacy in mind. The password reset feature, for example, was fine for services like Amazon or Gmail, where privacy is rarely an issue, but for an ostensibly private service like Ashley Madison it was a disaster waiting to happen.
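The privacy problem with that reset flow is that the site’s answer differs according to whether the address is on file, so anyone who knows an email address can learn whether its owner has an account. As an added example that is not from the article, here is a minimal Python handler in that leaky form beside a version that answers identically either way; the user table, messages and in-memory outbox are constructed for illustration.

```python
# Added illustration (not from the article): two versions of the password
# reset step described above. Both take an email address; the difference is
# what the caller can learn from the reply.
import hashlib
import secrets

# Constructed sample of registered users (email -> account id).
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Stand-in for the mailer: email -> hash of the token that would be sent.
OUTBOX: dict = {}


def _issue_token(email: str) -> str:
    """Create a reset token; store only its hash so a leaked table cannot be replayed."""
    token = secrets.token_urlsafe(32)
    OUTBOX[email] = hashlib.sha256(token.encode()).hexdigest()
    return token


def reset_leaky(email: str) -> str:
    """The common pattern: the reply itself reveals whether the address is registered."""
    if email in USERS:
        _issue_token(email)
        return "A reset link has been sent to your email address."
    return "No account exists for that email address."


def reset_uniform(email: str) -> str:
    """Same function, but the reply does not depend on whether the address is on file."""
    if email in USERS:
        _issue_token(email)
    # Identical wording in both cases. Note the response body is only one
    # channel: response time and per-address rate limiting matter too, so the
    # token work should take comparable time whether or not the user exists.
    return "If that address is registered, a reset link has been sent to it."


def leaks_membership(handler) -> bool:
    """Check a handler: does its reply differ for a registered vs unregistered address?"""
    return handler("alice@example.com") != handler("nobody@example.com")
```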
As the dust settles on the whole debacle, and casting aside any moral or ethical issues about its service, from a website design point of view there were built-in errors that had made the site vulnerable from the outset. For example, the site kept users’ real names and addresses on file. While this is standard practice for many online businesses, making billing easier, it builds in a degree of risk that few users routinely comprehend.
Receiving significantly less publicity was a breach within the Morrisons supermarket organisation. Again, this was triggered by an ‘insider’ who held a grudge. The man, who worked as an internal auditor, took advantage of the easy availability of data and leaked sensitive personal data relating to almost 100,000 Morrisons supermarket staff online. The data breach is thought to have cost the Bradford-based company more than £2m to rectify.
In both the Ashley Madison and the Morrisons cases, there was no overt technical failure to blame for the breach, but there was a serious data management problem from the outset, centring on the retention of sensitive personal information.
It is too simplistic to claim that companies should simply stop storing personal data. But it is perfectly reasonable for customers to expect that data is not retained unnecessarily nor in a way that makes it vulnerable to breach. It is not just those with secrets to hide who need data security to be built into the very heart of online business.
ISO/IEC 27001:2013: an outline
Ian Armstrong briefly outlines the facts about the new ISMS standard 27001:2013
What is it?
ISO/IEC 27001:2013 is the updated information security management system (ISMS) standard, published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee ISO/IEC JTC 1/SC 27. It replaces ISO/IEC 27001:2005, which will no longer be valid after 1 October 2015.
Organisations which meet the new standard will gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.
What does it do?
ISO/IEC 27001:2013 has ten short clauses, running from the scope of the standard through planning an information security management system to risk assessment and corrective action. An additional annex (Annex A) lists the controls and their objectives. The structure mirrors that of other new management standards, such as ISO 22301 (business continuity management), which helps organisations that wish to improve their IT from different perspectives by complying with multiple standards.
How is it different to ISO/IEC 27001:2005?
The new standard puts greater emphasis on measurement and evaluation to gauge how well an organisation is performing. It also emphasises objectives, monitoring performance and metrics.
In addition, there is now a section on outsourcing in recognition of the fact that many organisations rely on third parties to provide some aspects of their IT. It also pays more attention to the organisational context of a company’s information security and the terms of risk assessment have changed. Risk assessments are now aligned with BS ISO 31000.
New controls have been introduced which reflect changes to technology that affect many organisations, for example the cloud. Controls in Annex A have also been modified to reflect changing threats, remove duplication and give a more logical grouping. Specific controls have been added around cryptography and security in supplier relationships. Yet the new standard in fact has fewer controls than its predecessor, with 114 controls divided into 14 groups compared to 133 controls in 11 groups.
Implementing ISO 27001:2013
Businesses wishing to take on the new standard will be expected to complete a Statement of Applicability which should be near completion at the time of the first audit. To make a start on an application, the key areas to focus on are:
• Establish management-approved information security objectives and assign specific security roles to key personnel;
• Agree an internal audit timetable to make sure that relevant audits are completed, and schedule risk assessments and risk treatments so that they are completed in a timely manner;
• Communicate an information security policy to everyone who needs to be aware of it, and have a communications plan which details how employees are kept up to date;
• Hold a minimum of one management review per year to establish these protocols, and ensure that minutes of that meeting are available;
• Start collecting any evidence that is required as early as possible for the relevant controls. This will include things like evidence of relevant compliance from third parties: clients, suppliers and end users.
• ISO 27001 defines a comprehensive set of controls to provide the tools to assess, and therefore reduce, the information security risk to a company’s assets.
• It offers an integrated approach to information security to assist in building a system that takes into account all of the many possible information security risks covering process, people and technology.
• It sets out the applicable controls and processes that need to be chosen to ensure that all information security risk is managed appropriately.
Ian Armstrong (PCI QSA, CISM, CRISC, PG Dip Inf Sec)
The advantages of P2PE V2
by Paul Brennecker
Merchants can enhance data protection and simplify compliance efforts by adopting version 2 of the PCI-approved Point-to-Point Encryption (P2PE) standard. Simpler to adhere to than the original version, the P2PE standard v2 not only cryptographically protects account data from the moment the merchant accepts a payment but also brings greater flexibility for integration.
The PCI Security Standards Council describes the benefits of P2PE as providing ‘the strongest encryption protection’ for businesses while also stating that PCI-listed P2PE solutions ‘reduce where and how PCI DSS requirements apply’.
For merchants, this reduction in the scope of PCI DSS requirements saves time and money in overall compliance without sacrificing security. As well as making account data unreadable by unauthorised parties, it ‘de-values’ account data so that it cannot be abused if data is stolen.
The new P2PE Self-Assessment Questionnaire now includes only 26 PCI DSS requirements, helping merchants to simplify compliance efforts. And with the recent upgrade of the P2PE standard to Version 2, the Council has made P2PE not only simpler but also more flexible. Version 2 still ensures that account data is protected but provides many more options for merchants and solution providers to work with.
For solution providers, the new flexibility of P2PE v2 is key, particularly when it comes to providing components for integration with P2PE solutions.
To ensure best adoption of the new standard, contact us.