[BreachExchange] Amid Yahoo hacks, a churn of security officers

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 14:45:03 EST 2016


http://www.sfchronicle.com/business/article/Amid-Yahoo-hacks-a-churn-of-security-officers-10814525.php

When Yahoo experienced the nation’s largest hacking attack, with
information stolen from more than 1 billion user accounts in August 2013,
it lacked a permanent information security chief.

The Sunnyvale company has struggled to retain top cybersecurity executives.
Since 2012, Yahoo has had three chief information security officers — a
role responsible for guarding against hacking threats and patching
weaknesses quickly. For roughly a year, the company was searching for
someone to permanently fill the position. That’s when the record-breaking
breach occurred.

Yahoo’s churn of security executives may seem rapid, but it is only
slightly faster than what’s considered normal among large companies. The
average tenure of chief information security officers is 2.1 years,
according to the Ponemon Institute, a research firm. Often those who serve
in these roles are heavily recruited by other firms, because executives
with the right skill set are scarce. But as massive data breaches become
more frequent, concern has mounted that the lack of continuity could cause
problems.

“If you have a person leaving every year in essence, I don’t know how you
have a continuum that is safe for people,” said Pam Dixon, executive
director of the World Privacy Forum, referring to the turnover of
information security chiefs at Yahoo. “The company gets hurt and consumers
get hurt,” she said.

Since 2012, the year CEO Marissa Mayer joined the company, Yahoo has
invested more than $250 million in security initiatives, according to the
company. In the past two years it has paid $2 million in cash to security
researchers as part of a program to catch bugs in its software.

“Today’s security landscape is complex and ever-evolving, but, at Yahoo, we
have a deep understanding of the threats facing our users and continuously
strive to stay ahead of these threats to keep our users and our platforms
secure,” Yahoo said in a statement. The company declined to make Bob Lord,
Yahoo’s chief information security officer since November 2015, available
for an interview.

During Mayer’s tenure, Yahoo experienced two enormous data breaches — the
one in August 2013 that affected more than 1 billion user accounts and a
separate incident in 2014 impacting at least 500 million accounts. The
company said it still does not know what caused the August 2013 breach and
believes a state-sponsored actor was behind the 2014 hack. Security experts
say it’s possible the hacks could have happened to any company, but Yahoo
could have taken additional steps to protect users. For example, some of
the passwords taken in 2013 were hashed with unsalted MD5, which is
considered an outdated scheme because readily available software tools can
recover the original passwords from the hashes, experts said. (The company
switched to a more secure password-hashing method in summer 2013.)

“(It’s) very easy to crack,” Apostolos Giannakidis, a lead security
engineer at Waratek, which specializes in application security, said of
MD5. “Yahoo should have made the effort to upgrade their infrastructure.”
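As an added illustration of why an unsalted MD5 password hash is "very easy to crack" and what a per-user salted, iterated hash changes, here is example code written for this post. It is not Yahoo's code, and because the article does not name the scheme Yahoo moved to, PBKDF2-HMAC-SHA256 is assumed as the stand-in; the wordlist is constructed, not breach data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for a cracking dictionary; not breach data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the scheme the article says some of the
    2013 Yahoo password data used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password once. With no salt, the same table breaks
    every account whose password appears in the wordlist."""
    return {md5_hex(w): w for w in wordlist}


def crack_md5(target_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Dictionary lookup: no hashing work at all per target once the table exists."""
    return table.get(target_hex)


# Parameters for the salted, iterated replacement. The article only says Yahoo
# moved to "a more secure way"; PBKDF2-HMAC-SHA256 is an assumption made here.
PBKDF2_ITERATIONS = 100_000  # production deployments use higher counts


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh 16-byte random salt per account; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(salt: bytes, digest: bytes, wordlist) -> Tuple[Optional[str], int]:
    """Same dictionary attack against the salted hash. Returns the recovered
    password (if any) and how many full PBKDF2 evaluations it cost; the per-user
    salt means this work cannot be precomputed or shared across accounts."""
    work = 0
    for w in wordlist:
        work += 1
        if verify_pbkdf2(w, salt, digest):
            return w, work
    return None, work


def salt_effect(password: str) -> Tuple[bool, bool]:
    """Two accounts with the same password: identical under unsalted MD5,
    distinct under the salted scheme, so an attacker cannot even see that
    they share a password. Returns (md5_hashes_equal, pbkdf2_digests_equal)."""
    md5_same = md5_hex(password) == md5_hex(password)
    _, d1 = hash_pbkdf2(password)
    _, d2 = hash_pbkdf2(password)
    return md5_same, d1 == d2


def run_demo() -> Dict[str, object]:
    """Run both attacks against one constructed user password and report results."""
    table = build_md5_table(WORDLIST)
    user_password = "letmein"
    md5_hit = crack_md5(md5_hex(user_password), table)
    salt, digest = hash_pbkdf2(user_password)
    pbkdf2_hit, work = crack_pbkdf2(salt, digest, WORDLIST)
    return {
        "md5_cracked": md5_hit,          # "letmein", found by table lookup
        "pbkdf2_cracked": pbkdf2_hit,    # still "letmein": a weak password is weak
        "pbkdf2_evaluations": work,      # 4 full PBKDF2 runs for this one account
        "salt_effect": salt_effect(user_password),  # (True, False)
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the code makes is the one Giannakidis makes: the slow, salted scheme does not rescue an account whose password is in the dictionary, but it removes the precomputed-table shortcut and forces the attacker to pay the full hashing cost per guess, per account, which is what turns a billion-record dump from a lookup exercise into years of compute.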

Mayer was hired to turn the company around, with a focus on building and
revamping the company’s sites and apps to increase its users and generate
more advertising dollars. Yahoo spent more than $2.3 billion on acquiring
promising tech firms to bring new technology and talented people in to the
business. But her efforts had mixed results, and a push by activist
shareholders resulted in Yahoo planning to sell its Internet properties to
Verizon, a $4.8 billion deal that could be in jeopardy because of the two
massive data breaches — which Yahoo did not disclose or apparently even
know about when it negotiated the original deal with Verizon.

As Yahoo focused on building products, security seems to have lagged.
Yahoo’s chief information security officer in 2014 and 2015, Alex Stamos,
suggested end-to-end encryption for messages, meaning that only the people
corresponding with each other, not Yahoo, could read what was written. But
Jeff Bonforte, who oversees Mail, opposed that because “it would have hurt
Yahoo’s ability to index and search message data,” according to the New
York Times.

“I’m not particularly thrilled with building an apartment building which
has the biggest bars on every window,” Bonforte told the Times.

Yahoo says its Mail and security teams are collaborating on end-to-end
encryption.

Stamos, who is now Facebook’s chief security officer, declined through a
Facebook spokesman to be interviewed.

At many tech firms, the security team is often separate from the engineers
building products, analysts said. Sometimes security workers will make
suggestions that may slow down an app but increase protections.

“There is just a natural tension between those two, and undoubtedly Yahoo,
like a lot of groups, got caught in the middle,” said James Lee, chief
marketing officer at Waratek. “The people that are developing those apps
have security on their checklist, but they are focused on getting the app
in on time, on budget with the right features and functionality.”

Jeremiah Grossman, chief of security strategy at SentinelOne who worked at
Yahoo from 1999 to 2001, said there were times in that much earlier era
when the security team only learned of new products when the press release
came out, and it was a rush to try to fix vulnerabilities after they
launched.

“It’s like trying to change a tire when you’re going 50 miles (an hour),”
Grossman said. “It’s much easier when the car is stopped.”

Several factors play into why top cybersecurity executives move around so
much, but one of the most common issues is lack of funding for their
priorities, according to a Ponemon Institute survey of large companies’
chief information security officers.

“When you are in the middle of a financial crisis or challenge, naturally
you want to spend money on things (that) raise the top line or reduce the
bottom line,” said Michael Fey, Symantec’s chief operating officer and
president. “Cybersecurity is neither.”

The median compensation package for chief information security officers was
$308,880 in fiscal year 2015, according to executive compensation research
firm Equilar.

“For these type of people, it is less about compensation and benefits and
it’s more about the challenge,” said career counselor Nick Parham. “It’s
very frustrating for these men and women to see the problem or see a
possible fix and not gain C-level approval to fund it and fix it.”

More companies started hiring senior-level security officers seven or eight
years ago, as data breaches became more common, according to the Ponemon
Institute. But the position is still relatively new, with just 40 percent
of large companies having a fully dedicated chief information security
officer, the institute said in a 2014 presentation. That statistic has
since improved, but most companies still do not have a dedicated chief
information security officer, according to Larry Ponemon, the institute’s
founder.

By contrast, “you’re not going to find a company that doesn’t have a CFO
(chief financial officer),” Ponemon said during the 2014 presentation.

In the future, some analysts believe that more information technology
professionals will need to be trained on cybersecurity to increase the pool
of experts. Smaller firms may want to hire contractors or services
specialized in security.

Vetting candidates can be hard, since there isn’t a specific training or
certification program that cybersecurity executives need to go through. And
while security chiefs generally take the fall for data breaches, the mere
fact of a breach does not necessarily mean that the security chief — who
may be constrained by budgets or other factors — did a poor job.

“Just understanding who is great at their job and who’s not is sometimes
difficult,” Fey said.