Ashley Madison breach

Ashley Madison self-assessments highlight security fears and failures

Internal assessments highlight core concerns for company executives

ashley madison
Credit: REUTERS/Chris Wattie

Last June, executives and business leaders at Avid Life Media (ALM) responded to an internal Q&A addressing their strengths and fears. This assessment was leaked as part of the documents released by Impact Team this week, and offers a unique insight into how their executives think.

In July, the group demanded that ALM halt operations on the Ashley Madison and Established Men websites, warning the company that failure to do so would result in the release of more than 30GB of compromised records. On Tuesday, Impact Team made good on their threat.

The questions below are from a document titled Critical Success Factors. The author of the assessment form is unknown, but the questions asked were answered by each of the company's top executives.

Spoiler alert: They think like a typical executive that's dealing with day-to-day operations at a large company. Security, while important, wasn't the top concern. The larger, operational issues were the priority. This isn't a shocking revelation. After all, security usually becomes a major factor for most organizations only after an incident has occurred.

However, there was a note in the document, with no name attached to it, that referenced an interesting set of problems the company faces. This suggests that on some levels the lack of security was understood, but based on the assessment form, there was a problem with resourcing.

"Notes: Large lack  security awareness here. Password management. Tenuous level of review on partnerships. Lack of review on security measures."

Again, the questions below are from the self-assessment form shown to Salted Hash earlier today. The answers listed were provided by the named executive. Instead of reproducing the entire form, which we're unable to do, Salted Hash has produced the answers most related to IT/InfoSec.

Will you please tell me, in whatever order they come to mind, those things that you see as critical success factors in your job at this time?

Chris Western, QA Manager, ALM: Having enough skilled people to do test effectively. Need QA specialists who love automation (technically focused), enthusiastic about quality and QA. Half of QA staff wants to move to Dev, the other half lacking technical skills to do automation. Our ability to turn asks around and execute quickly (fluid QA process).

Trevor Sykes, CTO, ALM: Protection of personal information. Because we're a private company, endear our resources to us. Risk of turnover/business continuity. Disgruntlement in teams, need to be careful. More audit capabilities might mitigate this. Traceability. Retention/Motivation/Security concern (bad internal actors). Formalize process of continuous improvement. Heroics still a big factor, codifying full SDLC.

Knowledge sharing across the organization (not doing well enough). Transparency to the business. Meaningful information (not noise) so that the business can have confidence and know what they are paying for.

Disconnects on strategic alignments at times,  opportunities are sometimes assumed to be absorbed without impact to commitments. Commitments sometimes made without discussion to the groups executing on the asks. Understanding of what is being displaced.

Noel Biderman, CEO, ALM: People. To execute on our vision, we're going to need to continue growth and talent acquisition/retention.

Keeping up with the jones.(sic) We've been really good as a company at building brand and marketing, I don't know that we've been the best at some of our technology (billing/mobile/etc). I think we need to balance this a bit, don't necessarily need to be the best but certainly keep up with the space.

We should put any and all efforts forward to defend against any security issues that can put our brand and 15 years of hard work at risk.

Amit Jethani, Director of Product Management, ALM: Smooth business process between product and technology management. As long as infidelity is taboo, we have a unique product. If it becomes acceptable/understood then our product will cease to be unique, then we'll be left with just a brand. Brand protection is very important.

Payment processors are small, and they have customer data. Fear of data leak outside our walls. No review process on security policy of our partners.

Legal action taken against us, for our team it's not a big concern. There is a risk that the products we design and techniques we use might be patented. Sometimes we may be aware of these patents, but we do not have any process in place to have situational awareness around patent issues. We try to avoid pure cloning, but it's not robust. We try to be loosely cognizant.

In what one, two or three areas would failure to perform well hurt you the most?

Amit Jethani, Director of Product Management, ALM: Smooth business process. Confidentiality and availability of sensitive data.

Trevor Sykes, CTO, ALM: Interpreting strategic objectives. If followed verbatim, we probably might have many more failures. The technology intuition that often gets rolled into the execution of business asks has been critical. These initiatives are often invisible to the business, yet have enabled our success. (eg: UTF-8, DDoS mitigation).

No official mandate on these tech initiatives, so there's friction. Implicitly expected but when competing initiatives come into play (or additional ad-hoc load). I am a single point of failure here, keep the path level and looking strategically at long term growth. Agility and good execution (seeing beyond the ask).

In what area would you hate to see something go wrong?

Trevor Sykes, CTO, ALM: Security. I would hate to see our systems hacked and/or the leak of personal information.

Noel Biderman, CEO, ALM: Data exfiltration, confidentiality of the data. An insider data breach would be very harmful. Have we done good enough a job vetting everyone, are we on top of it.

Kevin MacCall, VP Operations, ALM: Had trouble maintaining our production environment. If the cause was deemed to be actions/lack of actions on someone in operations, ball being dropped on something that we should have been responsible for. Underestimate technical impacts of changes from the business. There's a lack of security awareness across the organization.

What are your most critical goals and objectives?

Kevin MacCall, VP Operations, ALM: Security has become more critical. Everything we're doing is repeatable, automation, monitoring for visibility. Measurements of these goals subjective.

Trevor Sykes, CTO, ALM: Execute most critical impacts. Security (protecting everything we have), executing well. Process improvements on getting business asks done, increasing transparency and achieving shared understanding of how to get things done.

What are your three greatest business problems or obstacles?

Trevor Sykes, CTO, ALM: Flexibility. Hard to build 12-24 month horizon when the business needs/wants the flexibility the change their minds. Awareness of impacts of changing our minds.

Chris Western, QA Manager, ALM: Staffing. You can't build a quality QA team if they are just doing exploratory manual testing. No engagement. For some of the QA, the only reason they are here because they don't feel they can get a job somewhere else, their skill set has aged out. Fighting with the environments. Information silos.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.