3 Lessons for Security Professionals from the Massive Yahoo Breach


Joseph Steinberg

Published on December 20, 2016



As I reported in my Inc. column this past week, hackers have stolen data from more than one billion Yahoo user accounts. This is the second breach announcement from Yahoo since the Fall (both announcements were about data that was stolen several years ago, but whose theft was not discovered until more recently), raising questions about whether Verizon will actually purchase the company as originally announced during the summer, or whether the communications giant will demand a hefty discount because of the breaches. Clearly one important lesson from the Yahoo breaches is simply that:

Cybersecurity failures can have serious business consequences.

In addition to that “big picture” message, here are some important lessons for security professionals:

1. Do not use challenge questions for authentication

Challenge questions are hardly an ideal form of authentication. In many cases they are nothing more than requests for extremely weak passwords, where a clue to the password is even handed to everyone who asks. In September, after its prior breach, Yahoo noted that the firm had "invalidated unencrypted security questions and answers so they cannot be used to access an account" and recommended that impacted users "Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account." The current breach also involved the leak of challenge answers, many of which may also have been used on websites other than Yahoo. This creates a serious risk for innocent people, and an amazing opportunity for criminals. People cannot reset their mothers' maiden names. They cannot change their mothers' birthdays. And they cannot retroactively change the color of their first cars, or the locations at which they first met their spouses. Once the answers to challenge questions are compromised, they are ruined, often forever. While it is true that people can memorize and use phony answers to challenge questions, doing so simply transforms the challenge question into a demand for a second password with a confusing and misleading prompt. The bottom line: when you need to secure access to a system reachable over the Internet, use multi-factor authentication, not challenge questions. Let's hope that the Yahoo breaches serve as a catalyst for more organizations to make this transition as quickly as possible.

2. Investigate suspicious activity

The newly announced breach was not discovered by Yahoo. Yahoo was notified by law enforcement officials in the United States that they had obtained data files that appeared to be from Yahoo, which Yahoo confirmed were not only authentic but also represented leaks related to over a billion accounts. It seems incredible that a billion accounts' worth of data was stolen without creating some sort of anomalous activity that could have been detected with proper tools. Layer security countermeasures, and look for anomalous activity by users or computers. Likewise, it may be wise to scan the dark web for sales of data that may have come from your organization; if a seller appears to have something that might be real, the matter should be considered highly suspicious and looked into. One consequence of Yahoo not detecting the pilfering of the data is that, as of this past week, neither Yahoo nor law enforcement had any idea who actually stole it, and, given that the theft is believed to have taken place over three years ago, this crime is likely to remain unsolved. Could real-time detection have helped US law enforcement (such as the FBI) identify and catch the perpetrator? It is certainly possible.
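As an added illustration of the kind of anomalous-activity check this lesson calls for (my own constructed example, not Yahoo's telemetry, tooling or data), here is a minimal detector run over constructed access-log lines. It totals the user records each service account reads per day and alerts when a day's volume is both above an absolute floor and far above that actor's own median on its other days. A steady bulk job (analytics-etl) is not flagged, because high volume is its norm; a support application that suddenly reads thousands of times its usual volume is; and an actor with no history at all (svc-migrate) is flagged on its first large read, the case a single global threshold tuned to the bulk job would miss. The source addresses seen that day are attached to each alert for the analyst. The log format, actor names, addresses and thresholds are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real Yahoo data). One line per access event:
# timestamp, acting service account, action, number of user records touched,
# and the source address. The 'kernel' line is noise the parser must skip.
SAMPLE_LOG = """\
2013-08-10T09:12:01Z actor=support-app action=read_profile records=480 src=10.0.4.21
2013-08-10T01:00:00Z actor=analytics-etl action=export_users records=50000 src=10.0.9.3
2013-08-11T09:15:44Z actor=support-app action=read_profile records=512 src=10.0.4.21
2013-08-11T01:00:00Z actor=analytics-etl action=export_users records=50200 src=10.0.9.3
2013-08-12T09:02:10Z actor=support-app action=read_profile records=495 src=10.0.4.21
2013-08-12T01:00:00Z actor=analytics-etl action=export_users records=49800 src=10.0.9.3
2013-08-13T01:00:00Z actor=analytics-etl action=export_users records=50100 src=10.0.9.3
2013-08-13T02:41:37Z actor=support-app action=read_profile records=1600000 src=203.0.113.9
2013-08-13T03:05:19Z actor=svc-migrate action=export_users records=700000 src=203.0.113.9
2013-08-13 kernel: eth0 link is up
2013-08-13T09:10:02Z actor=support-app action=read_profile records=501 src=10.0.4.21
"""

LOG_LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (day, actor, records, src) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m["day"], m["actor"], int(m["records"]), m["src"]


def daily_activity(events):
    """actor -> day -> [total records read that day, set of source addresses]."""
    activity = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, actor, records, src in events:
        entry = activity[actor][day]
        entry[0] += records
        entry[1].add(src)
    return activity


def detect_bulk_access(lines, ratio=20.0, floor=10_000):
    """Return sorted (actor, day, records, baseline, sources) alerts.

    baseline is the actor's median daily total over its *other* days (0 if it
    has none, i.e. a brand-new actor). A day alerts when it reaches `floor`
    records and exceeds `ratio` times the baseline, so each actor is judged
    against its own history rather than a global constant.
    """
    alerts = []
    for actor, per_day in daily_activity(parse(lines)).items():
        for day, (records, sources) in per_day.items():
            others = [v[0] for d, v in per_day.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if records >= floor and records > ratio * baseline:
                alerts.append((actor, day, records, baseline, sorted(sources)))
    return sorted(alerts)


if __name__ == "__main__":
    for actor, day, records, baseline, sources in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT {day} {actor}: {records} records (baseline {baseline}) from {sources}")
```

Per-actor baselining is the design choice worth copying: a threshold low enough to catch a compromised support account would page on every nightly ETL run, while one high enough to tolerate the ETL would never fire on the support account. Real deployments would also baseline by hour, by destination table and by source network, and would raise the record count of a new actor's first read as its own alert class.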

3. Hostile parties want your data

As I mentioned in an article earlier this year, today's criminals are often more interested in stealing a business’s data than accessing its bank account – fraudulent transactions are often detected by banks’ anti-fraud teams, and can be reversed, but it is often difficult to detect that someone has copied data (especially since many firms do not have technology that scans for anomalous activity), and once information leaks it cannot be “unleaked.” Criminals can easily sell your data on the dark web to unscrupulous competitors, or use it to gain advantages in making equity transactions (i.e., for insider trading). Nation states and other parties may want your data for reconnaissance purposes, or to help identify good candidates for recruitment as spies. So, while you must adequately secure access to all financial systems, do not consider those to be your only highly-targeted systems; make sure you also adequately protect data.

About the Author

The author is the CEO of SecureMySocial, a renowned cyber security thought leader, and author of several books on the topic, including (ISC)2's official study guide for the CISSP-ISSMP exam. Recognized by Onalytica as one of the top cyber-security influencers in the world, he is also the inventor of several IT security technologies widely used today; his work is cited in over 100 published US patent filings. He is also one of only 28 people worldwide to hold the suite of advanced information-security certifications, CISSP, ISSAP, ISSMP, and CSSLP, indicating that he possesses a rare, robust knowledge of information security that is both broad and deep.

