Page 31 - Cyber Warnings December 2015
P. 31
employee makes one mistake. There are many low-tech ways to hack a system, including tricking
an employee into giving up a password through a fake email (phishing) or by phone (social
engineering).
Another recent breach sheds light on a true case of deceptive business practices. When online
dating service Ashley Madison ended up in the spotlight just a few months ago, the company’s “paid
delete” service suddenly came under intense scrutiny. By opting for this service, users paid Ashley
Madison $19 to fully delete all of their account information.
However, when user information made it into the public domain due to the breach, it suddenly
became very clear that not all of the user records were deleted. For a company that brokers in
intimately private matters like Ashley Madison, this is a very big deal indeed.
The lesson: Organizations must pay close attention to their marketing and business practices as
well as their defensive posture. A breach and subsequent press coverage will cost a company
millions of dollars but not just in the areas we typically attribute to cyber-attacks. It will open doors
that the company may have preferred to keep shut, shining a glaring light into the darkest corners of
every closet and potentially revealing some very damaging skeletons hidden within.
Lesson 2: The Uncertain Nature of “Reasonableness”
Reasonableness is a difficult concept to quantify, mainly because it is so open to interpretation.
When they are breached and ultimately end up in litigation, organizations need to prove that they
took reasonable measures to protect themselves and their customers’ information. I could go on for
pages on this topic alone, and that’s part of the problem—while an organization can argue that it
took what it believed to be reasonable measures to defend against an attack, an opposing counsel
can just as easily bring up all manner of other “reasonable” practices that the organization could
have followed. At that point, it becomes a battle of the experts.
The lesson: Many organizations prefer to handle all their security in-house. Ultimately, this puts
them behind the curve when it inevitably comes time to defend their actions after a breach.
Partnering with industry-recognized security experts can help organizations build a defensible
position upon which they can argue reasonableness when the time comes.
Lesson 3: Privileged Communications
I saved this point for last, because it raises two distinct points of concern. The Securus breach
includes a subset of telephone conversations between the inmates and their attorneys—
conservatively estimated at about 14,000 conversations—some of which are more than likely
confidential and privileged legal communications. These conversations should never have been
recorded and, in fact, Securus claimed that privileged calls were exempt from the recording and
monitoring service that they provided.
We’ve already covered the point about unfair or deceptive business practices, and from my
perspective this has every appearance of a deceptive practice. When a company says that it won’t
record calls that would violate constitutional protections, but records them anyway, the term
“deceptive business practices” is an understatement.
31 Cyber Warnings E-Magazine – December 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
