Most CISOs like a challenge. Matthew Maglieri faced more than a challenge when he agreed to become the chief information security officer for Ruby Life Inc., parent of the Toronto-based Ashley Madison and other dating sites which in 2015 saw hackers release records of some 36 million members, plus application code and corporate email.
Even Maglieri says the company suffered a “tremendous loss of consumer trust,” and “users relied on discretion using the service, and that discretion was violated.”
When he tried recruiting security staff this year a number balked when hearing who their employer would be.
In fact, he admitted Wednesday at the monthly meeting of the Toronto Area Security Klatch (TASK), a group of infosec pros and students, that a headhunter he consulted flatly told him to decline the offer.
“Absolutely not, your personal brand is at stake,” he recalled being told.
And that’s why he said yes.
“I thought about it ‘If I don’t do this there isn’t going to be anybody fighting for the users,” he said. “I wanted to dive in and take on the challenge.”
Now the company is recovering, Maglieri says, because it is signing up 550,000 users a month. He didn’t say if the overall number of users is down from the breach, which captured headlines around the world. The Ashley Madison site claims over 56 million members have joined since 2002.
Maglieri explained over some 60 minutes how Ruby Life has tried to build a leading data privacy and information security program to regain trust.
That includes having a full-time red team for penetration testing, building a “hypersegmented network,” extensive use of multi-factor authentication on the corporate servers to limit outside access by stolen credentials, decentralized and segmented directory services for employee login, controls to prevent lateral movement through the network, advanced threat detection and an around-the-clock security operations centre run by a consulting firm.
Former federal interim privacy commissioner Chantal Bernier was hired at the end of 2016 as special privacy advisor to guide the privacy remediation program “to the next level.”
It also includes a mission statement Maglieri drafted, saying his goal is “to build a leading intelligence-led threat-based program capable of defending against the most advanced threats.”
Asked in an interview if after nine months that has been achieved, he replied, “The thing about mission statements is they’re objectives, and as a security professional [would say], it’s a journey. It’s about risk management and I think we’re doing some things we’re proud of, we’re making significant progress, and we’re continuously pushing forward.”
Attackers come up with new techniques, he added, and his team has to get better as defenders. “It’s a constant process.”
While he wants a resilient secure environment “to prevent something like this happening again,”
he admitted that as a company that runs several dating sites, we “will remain a very high profile target.”
The company wants to take privacy “to the next level,” Maglieri says. While there is no obligation for users to register with their real names or occupations he did describe the alleged occupations of users and why the company will continue to be a target, particularly for nation states looking for evidence for blackmail.
”The Ashley Madison user base spans a cross-section of society – there’s police, military, government, research, medical, corporate, education — you name it, those people are in there. These are people that could be targets, and data that could be used to target those individuals.”
As a result, he said, the company now has “zero risk tolerance” for security and privacy problems.
The revelation of the June 2015 hack by a group (or individual) calling itself The Impact Team, which justified the attack by complaining Ashley Madison charged $19 to fully remove members profile information, and that it and a companion site, Established Men, encouraged sexual cheating. The attackers demanded they be shut down, or compromising personal and corporate data would be released.
The parent company at the time, Avid Life Media, refused to comply and on Aug. 20, 2015, 20 GB of data including a significant portion of the production database was released including personal identifiable information, source code, and company emails.
Although members didn’t have to use their real names, ages or marital status to join, many did. That lead to news reports that several people had committed suicide as a result of the data leaked, and that criminals had used the published database to email people on the list and threaten them with exposure unless they paid up.
Regulators were outraged. A report by the combined privacy officers of Canada and Australia lashed the company for poor data security, concluding the company violated privacy acts of both countries.
“Although (Avid Life Media) had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security,” said the report. “Certain security safeguards in some areas were insufficient or absent at the time of the data breach.”
Among the violations: Placing a fictitious “Trusted Security Award” logo on a website “to deliberately foster a false general impression among prospective users that the organization’s information security practices had been reviewed and deemed high quality by an independent third party.”
It isn’t exactly clear how the company was breached. Maglieri didn’t offer any detail. The privacy commissioners’ report says the attacker accessed the VPN network via a proxy service that allowed it to ‘spoof’ a Toronto IP address.
As part of a compliance agreement with the two commissioners, Ruby agreed to augment its information security framework to an appropriate level. It also agreed to pay $1.6 million USD to the U.S. government and a number of states to settle charges users were deceived and for failure to protect their accounts. The full settlement is $17.5 million USD but Ruby was to pay less because it didn’t have the money.
In addition, the U.S. court ordered that every two years for the next 20 years it must undergo an independent audit on the efficacy of its security program.
Meanwhile, the mess cost CEO Noel Biderman and other executives their jobs. Avid Life was rebranded Ruby Life, and Ashley Madison’s saucy image of appearing to encourage extramarital affairs was temporarily downplayed. However, now it’s logo “Life is short, Have an affair” is prominent.
Maglieri came from the Toronto office of Mandiant, where he’d mainly been on the company’s penetration team. He said by the time he started in January the Ruby network had been redesigned, although trying to comply with the regulators and some 43 standards and compliance documents was burdensome. He reduced them to four.
More importantly, he wanted to build a resilient secure environment “to prevent something like this happening again.”
The 12-month roadmap has been built around the U.S. National Institute for Standards and Technology’s (NIST) cyber security framework – implemented in three months – and a risk management program based on Mandiant’s ‘kill chain.’ (Initial reconnaissance, initial compromise, establish a foothold, escalate privileges, internal recon including lateral movement and completing the mission).
For each, there’s a series of controls, ranging from policies and awareness training to multi-factor authentication.
The consulting firm EY has verified Ruby has created “a comprehensive information security program that is reasonably designed to protect the security of personal identifiable information.”
Privacy is said to be ensured by using the principles of Privacy By Design (PbD) throughout the organization’s data handling, including encrypting certain customer data for Ruby’s data scientists. Ultimately, he said, all data will be anonymized for the analysts.
This summer the privacy program was certified by Ryerson University’s privacy centre of excellence.
Still coming is a new platform for the websites built on a micro-services architecture with security baked in.
Asked what per cent of Ruby’s budget is spent on security, Maglieri, replied, “I don’t know, but in general we get what we want.”
“Our journey is just beginning,” he concluded. “we have to continuously improve.”
As for regaining the trust of consumers, he says “I don’t know if we’ve done any of this yet.”
