The old saying "one person's problem can be another person's opportunity" could be adapted for cyber security as "one person's incident could be another person's learning opportunity". This is particularly relevant to the recent hack against various celebrities that exposed their most private photographs, including nude selfies. Many may wonder how a consumer-related security incident can have any bearing on enterprise security. However, incidents like this should be examined from a number of angles to determine how best to improve your own organization's security.
Firstly, there is the issue of staff using their own personal devices for work, otherwise known as Bring Your Own Device (BYOD). If criminals can access the online services used by celebrities to store their photographs, then it is a good bet those criminals could also access other sensitive data stored on those devices or in the cloud. Indeed, a number of people have speculated that by compromising the online accounts of some celebrities and then reading their contact lists, the criminals were able to target other celebrities. So if your staff are storing corporate data on their personal devices, and perhaps inadvertently syncing it to their personal cloud services, how confident can you be that the information is kept secure?
A common theory as to how the criminals got into the celebrity accounts is not that they exploited a weakness in the security of the online services themselves, but that they took advantage of insecure passwords. Looking at this issue from an enterprise point of view, are we able to ensure that our staff are using secure passwords? How confident can you be that users are not reusing the same password for their personal online services and for corporate systems? Many of the recent hacks of online services, such as LinkedIn, highlighted that many providers are not storing passwords securely. If your users are reusing passwords across multiple systems, how comfortable are you relying on those service providers to store securely passwords that may also unlock your systems?
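As an added illustration (not part of the original article), the following Python contrasts the unsalted SHA-1 scheme that the 2012 LinkedIn dump turned out to use with a per-user salted, deliberately slow PBKDF2 record, and shows why a weak password cracked from one provider's dump is found instantly while a salted record at least cannot be cracked with a single precomputed table. It also shows the enterprise-side control the paragraph is asking about: rejecting at set-time any password already known from breach lists. The password list, record format and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed list of passwords an attacker tries first; a real denylist would
# be the full set of passwords recovered from public breach dumps.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def weak_store(password: str) -> str:
    """Unsalted SHA-1, the scheme the 2012 LinkedIn dump exposed.

    The same password always yields the same hash, for every user on every
    site, so one precomputed table cracks all of them at once.
    """
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Look the stored hash up in a table built once and reused for all users."""
    table = {weak_store(p): p for p in candidates}
    return table.get(stored)


def strong_store(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here).

    Record layout is an assumption for this example: algo$iterations$salt$hash.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check leaks nothing about the stored hash.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_strong(record: str, candidates: Iterable[str]) -> Optional[str]:
    """No shared table is possible: the salt forces a fresh, slow derivation per
    candidate per record. A weak password is still found, just far more slowly."""
    for p in candidates:
        if strong_verify(p, record):
            return p
    return None


def is_denylisted(password: str, denylist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """Reject at set-time any password already known to attackers. Salting does
    not rescue a weak or reused password; refusing to accept it does."""
    return password in set(denylist)


if __name__ == "__main__":
    leaked = weak_store("letmein")
    print("unsalted SHA-1 cracked from a table:", crack_weak(leaked, COMMON_PASSWORDS))
    a, b = strong_store("letmein"), strong_store("letmein")
    print("same password, different records:", a != b)
    print("salted but still common, so still found:", crack_strong(a, COMMON_PASSWORDS))
    print("denylisted at set-time:", is_denylisted("letmein"))
```

The point to take from running it: the salted, slow hash protects the provider's database against bulk cracking, but the only thing that protects a user who chose "letmein" is not letting them choose it in the first place.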
Although some of the compromised cloud services offered two factor authentication (2FA) to their users, the affected celebrities had not enabled it on their accounts, so a guessed or reused password was all the attackers needed. Are there extra security features on your key systems that you could enable to make them more secure? If such features are available but not switched on, or are missing altogether, now may be the time to introduce and implement them.
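To make concrete what a second factor adds, here is an added example (not code from the original article or from any of the services mentioned) of the time-based one-time password scheme, RFC 6238 TOTP over RFC 4226 HOTP, that most consumer 2FA apps implement. Even an attacker who holds the correct password cannot produce the six-digit code without the shared secret on the user's device. The secret below is the RFC's published test key; the clock-skew tolerance of one step either side is a common choice, assumed here.

```python
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30 s steps
    since the Unix epoch, so phone and server agree without a shared state."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side to tolerate clock
    drift. Each comparison is constant-time so timing reveals nothing about
    the expected code."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key; real secrets are random
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```

A server that stores only the password hash cannot be brute-forced into an account this way: the attacker also needs a code that changes every 30 seconds and is derived from a secret that never leaves the user's device.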
Another factor in the exposure of the leaked photographs was a lack of monitoring and alerting for unusual devices accessing the compromised celebrities' accounts. A lack of monitoring, and of reacting to the alerts that are raised, has been at the heart of many security breaches, including the celebrity hack and the Target breach. Use these breaches as prime motivation to review how effective your own security monitoring is.
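The kind of monitoring the paragraph refers to is not complicated. As an added example (not from the original article), the Python below runs two detections over a handful of constructed authentication log lines: a successful login from a device and country never before seen for that account, and a success that follows a burst of failures, which is the signature of password guessing. The log format, the five-failure threshold and the ten-minute window are assumptions for the example; a real deployment would feed its own authentication logs in and route the alerts to whoever is meant to act on them.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real data): timestamp user device country result
SAMPLE_LOG = """\
2014-08-30T08:01:00Z alice iphone-A1 IE success
2014-08-30T12:15:00Z alice macbook-A2 IE success
2014-08-31T09:30:00Z bob android-B1 IE success
2014-08-31T22:40:00Z alice iphone-A1 IE success
2014-09-01T03:10:00Z bob win-x99 RU failure
2014-09-01T03:10:05Z bob win-x99 RU failure
2014-09-01T03:10:10Z bob win-x99 RU failure
2014-09-01T03:10:15Z bob win-x99 RU failure
2014-09-01T03:10:20Z bob win-x99 RU failure
2014-09-01T03:10:25Z bob win-x99 RU success
2014-09-01T10:00:00Z alice iphone-A1 IE success
"""

Alert = Tuple[str, str, datetime]   # (user, reason, time of the suspicious login)


def parse(line: str) -> Dict[str, object]:
    ts, user, device, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "device": device, "country": country, "result": result,
    }


def detect(log: str, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    seen = defaultdict(set)          # user -> {(device, country)} already trusted
    failures = defaultdict(list)     # user -> timestamps of recent failed logins
    alerts: List[Alert] = []

    for line in log.strip().splitlines():
        e = parse(line)
        user, ts = e["user"], e["ts"]

        if e["result"] == "failure":
            failures[user].append(ts)
            continue

        # Detection 1: success preceded by a burst of failures (guessing attack)
        recent = [t for t in failures[user] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append((user, f"success after {len(recent)} failures", ts))

        # Detection 2: success from a device/location never seen for this user.
        # The very first login only seeds the baseline; everything after that
        # which does not match is reported, including legitimate new devices,
        # which is why such alerts are usually confirmed with the user.
        fingerprint = (e["device"], e["country"])
        if fingerprint not in seen[user]:
            if seen[user]:
                alerts.append((user, f"new device/location {fingerprint}", ts))
            seen[user].add(fingerprint)

        failures[user].clear()       # a success closes the failure window
    return alerts


if __name__ == "__main__":
    for user, reason, when in detect(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} {user}: {reason}")
```

On the sample data this raises three alerts: alice's second device (a benign new-device notice of the kind many services send by email), and for bob both the five failures followed by a success and the unfamiliar Windows machine in a new country. Having the alerts is only half of it; the breaches cited above happened where nobody acted on them.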
The hack of the celebrity accounts is also a great opportunity to get information security on the agenda with senior management and with staff. The mainstream media stories covering the breach will ensure that people are aware of the issue and this is an opportunity to leverage that awareness and highlight some key projects needed to improve the security of your systems.
As October is National Cyber Security Awareness Month, this is also an excellent opportunity to raise awareness among staff on how to select and use secure passwords and how to use mobile devices securely.
Good practice regarding security incidents is to ensure that lessons are learned from the breach. There is no rule saying the security incident has to be one that directly affected your own systems. It is worth reviewing high profile incidents, such as the celebrity photo hack, to see how you can better protect your own organization.
CEO, BH Consulting
Brian Honan is an independent security consultant based in Dublin, Ireland, and is also the founder and head of IRISSCERT, Ireland's first CERT. He is a Spec...