3 Lessons for Security Professionals from the Massive Yahoo Breach
As I reported in my Inc. column this past week, hackers have stolen data from more than one billion Yahoo user accounts. This is the second breach announcement from Yahoo since the fall (both announcements concerned data that was stolen several years ago but whose theft was not discovered until much more recently), raising questions about whether Verizon will actually purchase the company as announced during the summer, or whether the communications giant will demand a hefty discount because of the breaches. Clearly one important lesson from the Yahoo breaches is simply that:
Cybersecurity failures can have serious business consequences.
In addition to that “big picture” message, here are some important lessons for security professionals:
1. Do not use challenge questions for authentication
Challenge questions are hardly an ideal form of authentication. In many cases they are nothing more than requests for extremely weak passwords, where a clue to the password is even provided to everyone. In September, after its prior breach, Yahoo noted that the firm had "invalidated unencrypted security questions and answers so they cannot be used to access an account" and recommended that impacted parties "Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account." The current breach also involved the leak of challenge answers, many of which may also have been used on websites other than Yahoo. This creates a serious risk for innocent people, and an amazing opportunity for criminals. People cannot reset their mothers’ maiden names. They cannot change their mothers’ birthdays. And they cannot retroactively change the color of their first cars, or the locations at which they first met their spouses. Once the answers to challenge questions are compromised, they are ruined, often forever. While it is true that people can memorize and use phony answers to challenge questions, doing so simply transforms the challenge question into a demand for a second password with a confusing and misleading password prompt. The bottom line: when you need to secure access to a system reachable over the Internet, use multi-factor authentication, not challenge questions. Let's hope that the Yahoo breaches serve as a catalyst for more organizations to make this transition as quickly as possible.
2. Investigate suspicious activity
The newly announced breach was not discovered by Yahoo; Yahoo was notified by law enforcement officials in the United States that they had obtained data files that appeared to be from Yahoo, which Yahoo confirmed were not only authentic but also represented leaks related to over a billion accounts. It seems incredible that a billion accounts’ worth of data was stolen without creating some sort of anomalous activity that could have been detected with proper tools. Layer security countermeasures, and look for anomalous activity by users or computers. Likewise, it may be wise to scan the dark web for sales of data that may have come from your organization; if a seller appears to have something that might be real, the matter should be considered highly suspicious and looked into. One consequence of Yahoo not detecting the pilfering of the data is that, as of this past week, neither Yahoo nor law enforcement had any idea who actually stole the data, and, given that the actual theft is believed to have taken place over three years ago, this crime is likely to remain unsolved. Could real-time detection have helped US law enforcement (such as the FBI) identify and catch the perpetrator? It is certainly possible.
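As an added example (not from the column or from Yahoo), here is the kind of simple check the advice above points at: compare each principal's hourly record-read volume against its own recent history and flag a jump of the size a mass account dump would produce. The log format, field names, and thresholds are assumptions for illustration.

```python
# Added example (not from the column): a minimal per-principal volume anomaly
# check of the kind the text recommends. Log format and thresholds are assumed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one line per hour: "timestamp principal records_read"
SAMPLE_LOG = """\
2013-08-01T01:00 svc-mailsync 1200
2013-08-01T02:00 svc-mailsync 1350
2013-08-01T03:00 svc-mailsync 1100
2013-08-01T04:00 svc-mailsync 1280
2013-08-01T05:00 svc-mailsync 1220
2013-08-01T06:00 svc-mailsync 48000000
2013-08-01T01:00 analyst-bob 40
2013-08-01T02:00 analyst-bob 55
2013-08-01T03:00 analyst-bob 38
2013-08-01T04:00 analyst-bob 61
"""

def parse_log(text):
    """Parse lines into (timestamp, principal, count) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        events.append((parts[0], parts[1], int(parts[2])))
    return events

def find_anomalies(events, min_ratio=20.0, z_threshold=4.0):
    """Return (timestamp, principal, count) for reads far above that principal's history.
    A principal is compared only with its own earlier events, so a service account that
    legitimately reads thousands of rows per hour is not flagged until its volume jumps."""
    history = defaultdict(list)
    anomalies = []
    for ts, who, count in sorted(events):  # per-principal chronological order is what matters
        past = history[who]
        if len(past) >= 3:  # need a few observations before judging
            base = mean(past)
            spread = pstdev(past) or 1.0  # avoid division by zero on a flat history
            if count >= min_ratio * base and (count - base) / spread >= z_threshold:
                anomalies.append((ts, who, count))
        past.append(count)
    return anomalies

def detect_sample():
    """Run the detector over the constructed log; only the 06:00 bulk read should be flagged."""
    return find_anomalies(parse_log(SAMPLE_LOG))
```

In practice the same comparison runs over the database or API access records themselves, with baselines kept per account and per day-of-week rather than the few hours shown here.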
3. Hostile parties want your data
As I mentioned in an article earlier this year, today's criminals are often more interested in stealing a business’s data than accessing its bank account – fraudulent transactions are often detected by banks’ anti-fraud teams, and can be reversed, but it is often difficult to detect that someone has copied data (especially since many firms do not have technology that scans for anomalous activity), and once information leaks it cannot be “unleaked.” Criminals can easily sell your data on the dark web to unscrupulous competitors, or use it to gain advantages in making equity transactions (i.e., for insider trading). Nation states and other parties may want your data for reconnaissance purposes, or to help identify good candidates for recruitment as spies. So, while you must adequately secure access to all financial systems, do not consider those to be your only highly-targeted systems; make sure you also adequately protect data.