[BreachExchange] The lessons you need to learn from the Yahoo data breach: Top four info security tips

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 26 15:19:19 EDT 2017


The data breach stories continue to roll in this year. In the last few
weeks alone we’ve seen familiar brand names including Wonga and Debenhams
in the uncomfortable glare of the media spotlight as they reveal the loss
of customer data. But in terms of repeat offending, no organisation has yet
rivalled Yahoo. First, we heard in 2014 that the private details of some
500 million customers had been compromised. Then came news that the
previous year had in fact seen the company lose the personal information of
one billion customers, the largest recorded breach in history. So when the
company announced earlier this year that hackers may have been accessing
customer accounts since 2015, a lot of eyebrows were raised. One major
breach might be considered a misfortune, but this lack of diligence around
data security simply comes across as careless.

To make sure your company doesn’t find itself in the same position as the
global communications giant, it’s important to understand what went wrong.
Below I’ve highlighted two major mistakes Yahoo made and offer some
guidelines to help you avoid becoming the next victim.

Where Yahoo went wrong

• They didn’t heed the warning signs

Yahoo’s earliest reported attack was in fact in 2010, when suspected
state-sponsored hackers penetrated customer accounts of Yahoo, Google and
others. The way in which the companies responded to this was crucial.
Google proceeded to hire additional security engineers and invest heavily
in security infrastructure. Yahoo reacted less decisively. While some
additional security measures were put in place after the attack, its
priorities were elsewhere. When current CEO Marissa Mayer took over in
mid-2012, her focus was to prioritise developing new products and updating
the features of Yahoo mail instead of investing in security. According to
the New York Times, Yahoo’s security team were often marginalised and even
referred to internally as the ‘Paranoids’. If the initial attack had been
taken sufficiently seriously, it’s likely that some or all of the
subsequent breaches might not have taken place.

• They didn’t tell anyone

A major omission by Yahoo was to not disclose the hacks immediately when it
found out about them. When it emerged that senior executives had in fact
known about the breaches, the ire from investors, and the industry as a
whole, was greatly increased. By revealing the news piecemeal, the company
gave the impression that it was either attempting to avoid presenting the
entire story, or that it was trying to soften the blow. But most of all,
the Yahoo team came off looking like headless chickens, who were left
scrambling after the breaches, without knowing what to do or how to handle
the situation. A far more co-ordinated and measured response may have
actually inspired confidence that an incident response plan was in place
and that the company was genuinely taking the situation seriously.
Organisations that have been breached but handled the situation
proportionally and professionally include Adobe, Hilton Hotels, and Home
Depot; they all communicated promptly and notified potentially affected
customers, advised of what was being done and ultimately took

How to avoid becoming the next Yahoo

There are four practical steps that I’d advise CISOs or CIOs to take to
avoid facing their own nightmare data breach scenario:

• Undertake regular ‘Red team/Blue team’ activities

Based on military principles, these exercises are core to good cyber
security practice and involve experts taking turns to attack and defend
their own IT estates. Whether you choose members of your own team or hire
in experts, the competitive nature of red team/blue team challenges makes
them an invaluable way to reveal vulnerabilities. You can then fine-tune
your event management and breach alerting to provide more in-depth defence.

• Know your estate better than the hackers

Managing and maintaining a full inventory and version controlled manifest
of your entire IT estate means that when the latest CVEs are announced,
which are detailed notifications of the latest security vulnerabilities and
exposures, you can automatically flag and assess the risk. This will
provide a meaningful and early insight into what could actually be affected
on a day-to-day basis, and enables an informed response, prioritised on
potential risk.
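The inventory-driven flagging described above, as an added example that is not part of the original post: a version-controlled manifest of hosts and installed software is matched against newly published advisories, and affected assets are returned highest risk first. The manifest, the advisories and the CVE identifiers are all constructed placeholders.

```python
"""Flag inventory entries affected by newly announced CVEs.

Added example (not from the original post): the manifest, the advisory
list and the CVE identifiers below are all constructed sample data.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so dotted numeric versions compare
    numerically rather than as strings ('2.4.9' < '2.4.10')."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    cve: str            # placeholder id, e.g. "CVE-0000-0001"
    product: str
    fixed_in: str       # first version that is no longer affected
    cvss: float         # base score, used only for prioritisation


def flag_affected(inventory, advisories):
    """Return (host, product, version, cve, cvss) rows, highest risk first.

    An asset is affected when it runs a product named in an advisory at a
    version strictly below the version the advisory says is fixed.
    """
    hits = []
    for host, product, version in inventory:
        for adv in advisories:
            if (adv.product == product
                    and parse_version(version) < parse_version(adv.fixed_in)):
                hits.append((host, product, version, adv.cve, adv.cvss))
    return sorted(hits, key=lambda row: row[4], reverse=True)


# Constructed sample manifest: (hostname, product, installed version)
INVENTORY = [
    ("web-01", "webserver", "2.4.49"),
    ("web-02", "webserver", "2.4.51"),
    ("db-01", "dbengine", "12.3"),
    ("mail-01", "mailstore", "2.3.10"),
]

# Constructed sample advisories with placeholder CVE ids
ADVISORIES = [
    Advisory("CVE-0000-0001", "webserver", "2.4.51", 9.8),
    Advisory("CVE-0000-0002", "dbengine", "12.4", 7.5),
]

if __name__ == "__main__":
    for row in flag_affected(INVENTORY, ADVISORIES):
        print(row)
```

Only dotted numeric version strings are handled; a real manifest would also need vendor-specific version schemes normalised before comparison.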

• Bring in a ‘bug bounty programme’

Once systems have reached a level of security maturity, this is the time to
bring in a ‘bug bounty programme’, whereby you offer rewards to members of
the public who identify bugs or vulnerabilities in your systems in an
agreed and controlled manner. This is a great ‘prevention rather than cure’
approach, as it gives you fresh eyes on your current capability without
employing armies of ethical hackers who capitalise on their skills in their
spare time.

• Prepare for the worst

It could happen, and you need to be ready. This means implementing incident
response plans, running dummy breaches, communications plans for press,
police, and setting the tone for any investigations or subsequent

Possibly the most important message to emerge from the Yahoo breaches is
that complacency is fatal. It takes time to put in place the systems to
protect your company and once these have been implemented you need to
monitor and review them regularly. Remember that the hackers are constantly
developing new techniques, so don’t sit back and think that the job has
been done. Taking the measures outlined above, however, will go a long way
to making your organisation less attractive as a target and will help keep
your customers – and your reputation – safe.