Yahoo!’s latest revelation that more than one billion user accounts may have succumb to a cyber-attack in 2013 has been announced. Find below commentary on the breach.
Oliver Pinson-Roxburgh, EMEA director at Alert Logic:
“The most critical part of an incident response process is lessons learnt. Organisations need to question how far the rabbit hole goes in all cases. As things are detected during an incident, work streams should be started to question where else data resides and how can it be accessed from the systems hacked. The lessons learnt is second only to how you respond to an incident in the first place to an incident. How to respond relies on what information you have, getting pertinent information when under extreme pressure is tough when you in this position.
“It seems that in this case the investigators are still uncovering information, which again supports the fact that on average an attacker will be in 205 days or more before detection. It also supports the fact that, in many cases, organisations are unable to self-detect. An over reliance on blocking technologies and the lack of expertise, as well as the lack of focus on detection coverage across the kill chain, is often the biggest challenge for organisations. In many cases for larger organisations the challenge of getting visibility is compounded by complexity, the fact the investigation is ongoing suggests that complexity is hampering them.”
David Gibson, VP of strategy and market development at Varonis:
“The fact that this is the second Yahoo! breach that has been disclosed in the last 3 months just goes to show how deep some of these major data breaches go. Many organisations are breached just as severely as Yahoo!, but may never know as they are not actively investigating.
“Bob Lord, Yahoo!’s CISO, said that steps have been taken to secure the accounts that have been breached. I am always sceptical of statements like this. How do you know? What if the remaining accounts were breached without any evidence left behind? We don’t know what we don’t know. You almost have to concede the worst: the entirety of our data has been compromised. Perhaps more worrying is that, according to a former security engineer, Yahoo! installed a backdoor that allowed the NSA to read ALL user’s emails behind their security teams backs. The thing about backdoors is that bad guys can find them too.
“However, organisations also have a responsibility to their partners, customers and employees to protect sensitive information and disclose breach activity. Quite often breaches are confirmed, not by an organisation’s security teams, but by discovery and confirmation of leaked data on the Dark Web.
“Organisations should be taking steps to, not only safeguard data, but also provide forensic evidence when the worst happens. The first step in a data security strategy should be to instrument your environment to be able to a.) see who is accessing data, when, and how b.) profile normal behaviour, and c.) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (i.e., the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place so you don’t backslide to an insecure state.
“Interestingly, if Yahoo! hadn’t instrumented their environment to detect evidence of intrusion, they may never have “officially” discovered the recent two data breaches, which have been devastating to their brand and may have ultimately cost them their sale to Verizon.
“The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo!. Under the GDPR, the IT security mantra is “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo!.
“Passwords leaked were hashed with a VERY weak algorithm (unsalted MD5), however, if users changed their password after the last reported breach, they should be safe since this one happened in 2013. Interestingly, when I attempt to change my Yahoo! account password via 1Password using a random 32 character string, I get a vague error message. Yet it lets me use “thisismypassword”