As the details of the Yahoo data breach have come to light, the hack itself seems eerily similar to other such cyber-attacks.
Yet, while the shock of this large-scale data breach feels oddly familiar as it is by now widely accepted that no company is immune, the precise details of the Yahoo case stand out as being notable.
According to news reports, what is known is that the account information for a minimum of 500 million Yahoo users was stolen, possibly by state-sponsored hackers, in what was believed to be the largest known breach of a single company’s computer network. What’s worse is that the heist of this treasure trove of names, phone numbers, passwords, and even security questions didn’t just happen. It occurred 2 years ago and was just discovered last week in the midst of the company’s pending acquisition for $4.8 billion by Verizon.
Two years is a long time and it’s possible that accounts have been abandoned or had names and passwords changed during that period, but industry watchers point out that if the same details are used for other accounts, their security too could be compromised.
According to the 2016 Verizon Data Breach Investigations Report (DBIR) executive summary, “Cyber-criminals can break in and steal (exfiltrate) data in a matter of minutes. In 93% of cases where data was stolen, systems were compromised in minutes or less. And exfiltration happened within minutes in 28% of cases. But even where exfiltration took days, the criminals didn’t need to worry. In 83% of cases, victims didn’t find out they’d been breached for weeks or more.” The longer it takes an organization to discover a breach, the longer criminals have to find the data they’re looking for and disrupt business, which is why, the report says, detection and remediation systems and processes are needed to fight attacks and limit the possible damage.
Data Breaches: All Too Common
“At last report, Yahoo is blaming a ‘state-sponsored actor,’ which is very difficult to protect against, but it’s disturbing that a large web company with tremendous resources and technology was subject to an incident of this magnitude,” noted Unisphere Research lead analyst Joe McKendrick. “Plus, it appears management was not taking the issue seriously enough. It is reported that Yahoo's former security head had tried to get Yahoo management to act; that manager left last year to assume a similar role at Facebook. Now, Yahoo's pending acquisition by Verizon may potentially be soured.”
While the intrusion is disturbing, “it’s just another example of the state of the world we live in today,” commented business and technology advisor Michael Corey. “A world in which cyberterrorism—either state-sponsored or by some rogue individuals—is the new norm. It’s not a matter of if your personal data will get breached, assume it already has been. The real question is when you will find out about it. In the case of Yahoo, it was 2 years later. Now the bad guys have your birthday, your answers to common security questions and even the password you used.”
What Users Need to Know
Attacks motivated by espionage and carried out by state-affiliated actors are often looking for intellectual property, according to the Verizon security report.
For users with high profiles, such as enterprise executives, the use of free email services may be particularly problematic. According to Brian Stafford, CEO of Diligent, a provider of secure executive collaboration, more than 30% of U.S. board members are using a free email service provider. For example, Stafford said, Google is used by 44% of U.S. board members, AOL by 17%, Yahoo by 9%, followed by Comcast at 7% and others that are used by the remaining 23%. “This practice, especially in light of such a massive breach, rings a bell to executives and corporations to be on high alert and revisit security practices,” he noted.
Restating advice that has been issued by many, Stephen Gates, chief research intelligence analyst at NSFOCUS, observed that Yahoo users who have not changed their passwords “really need to do so now” and if users have implemented the same user name and password combination on any other online accounts, they’re at risk there as well.
Knowing that their data may have been exposed on the dark web, millions of Yahoo users now have to take steps to protect themselves. “Once this data falls into the hands of these would-be criminals, users may worryingly find themselves as the victims of identity fraud or threats of ransom,” said Peter Galvin, VP of Strategy at Thales e-Security.
More Such Attacks
There is not much optimism for the future in terms of stopping perpetrators from attempting to steal data, and so an emphasis on greater vigilance and tighter security measures is advocated by data management experts.
“Today, organizations of all sizes are taking measures to ensure a breach does not happen to them. Unfortunately, it has not stopped hackers from succeeding on a global scale. Hackers understand how to erode your defenses, consume your resources, control your systems, and eventually steal your data,” said Gates.
The ramifications of this particular event will be more attacks, observed Chase Cunningham of A10 Networks. The breach will have a domino effect with more compromises on other corporate systems where people use the same passwords and user names, but there are simple technologies such as two-factor authentication and biometrics that companies can embrace, he noted.
Cost of a Breach
A recent study found that the average cost of a data breach for companies has grown to $4 million, representing a 29% increase since 2013. According to the study, sponsored by IBM Security, companies lose $158 per compromised record.
Breaches in highly regulated industries were even more costly, with healthcare reaching $355 per record—a full $100 more than in 2013. Companies that had predefined business continuity management processes in place found and contained breaches more quickly, discovering breaches 52 days earlier and containing them 36 days faster than companies without such processes.
To avoid the financial impact and fallout that a data breach can bring about, Cunningham said, organizations need to look for “advanced security features to shield applications, users and infrastructure from attacks and uncover hidden risks. This includes inspecting network traffic, authentication of users and their devices and most importantly, education, training, awareness and reinforcement of security policies to your employees.”
“If the past 2 years have taught us anything, it’s that businesses should understand that being attacked and/or breached is a when, not an if,” added Leon Adato, head geek at SolarWinds. “Beyond how this affects each of us as individual consumers, the lessons that can be learned are bigger and broader for enterprises: If you build a service that encourages users to link other accounts, you may be vulnerable to their security gaffes. That means you should offer ways to create accounts without that external service; offer ways to un-link external accounts without losing valuable user data; and, if a breach is big enough, consider a solution to mass-disconnect accounts, either temporarily or permanently.”
Also, said Adato, “know that despite some recent eye-catching headlines, it isn’t cheaper to just take the hack than to buy good security solutions and staff. It’s a lot like buying a burial plot—it will never be cheaper to buy than right now, and it’s a sure thing you’ll need it.” The same is true for security, he noted. “The cheapest time to secure your systems is right now, which is preferably before it has gone into production, but even if it has, right now is still cheaper than later. The cost in terms of loss—lost revenue; lost court cases; lost productivity; lost opportunity, including, in this case, potential delays to an acquisition; lost customers—far outweighs most of the normal, standard, reasonable security actions you could take.”
Companies Bear Responsibility but So Do Customers
With breaches by now all too common, individuals themselves must accept some responsibility for the safety of their own information, executives point out.
“To survive in today’s cyber-terrorism world we need to do things differently. No longer can we use the same password for every account. Doing so is just begging for someone to steal your bank account,” Corey said. “Just as you have a lock on the door to your house, everyone should be using a password manager. A good one can be had for $12 a year. For this $12 a year, each and every account can have a different 16-character password randomly selected by the computer, and the password manager will even change the password for you each month. At a minimum, this has to be done. That way, if a breach occurs, they only have access to one of your accounts, not all of them.”
Repeating the old adage that it is better to be safe than sorry, Corey said, individuals should assume a breach is going to happen. “Just make sure when it does, they only have the keys to one account, not all of them.”
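The practice Corey describes (a distinct, randomly generated 16-character password per account, rotated by the manager) is what limits a single breach to a single account. The following is an added illustration, not code from the article or from any password-manager product: it generates passwords from the operating system's entropy source with Python's `secrets` module, audits a constructed credential store for the reuse that turns one leaked password into several compromised accounts, and shows how rotating the breached account's password shrinks the exposure back to one. The vault contents, account names and the `SAMPLE_VAULT` name are constructed for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet the generator draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16):
    """Return a random password of `length` characters.

    `secrets.choice` reads from the OS CSPRNG, which is the property a password
    manager depends on; the `random` module is not suitable for credentials.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimated_entropy_bits(length):
    """Upper-bound entropy of a password drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def find_reused_passwords(vault):
    """Return {password: [accounts]} for every password used by more than one account.

    This is the 'reused password' audit a manager runs: a credential leaked from
    one site only endangers other sites if it is shared with them.
    """
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def accounts_exposed_by_breach(vault, breached_account):
    """List every account (including the breached one) that shares its password."""
    leaked = vault[breached_account]
    return sorted(acct for acct, pw in vault.items() if pw == leaked)


def rotate_password(vault, account, length=16):
    """Return a copy of the vault with `account` given a fresh random password."""
    rotated = dict(vault)
    rotated[account] = generate_password(length)
    return rotated


# Constructed sample: one user who reused a single password across three services.
SAMPLE_VAULT = {
    "mail.example": "Summer2014!",
    "bank.example": "Summer2014!",
    "shop.example": "Summer2014!",
    "forum.example": "correct-horse-battery",
}


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("exposed if mail.example leaks:",
          accounts_exposed_by_breach(SAMPLE_VAULT, "mail.example"))
    fixed = rotate_password(SAMPLE_VAULT, "mail.example")
    print("exposed after rotation:",
          accounts_exposed_by_breach(fixed, "mail.example"))
    print("16-char entropy (bits): %.1f" % estimated_entropy_bits(16))
```

Before rotation, a leak of the mail account's password exposes the bank and shop accounts as well; after the mail password is replaced with a generated one, only the breached account itself is affected, which is exactly the "keys to one account" outcome the quote aims for. The entropy figure shows why 16 random characters from a 94-symbol alphabet (roughly 105 bits) is a comfortable margin against offline guessing, whereas a memorable phrase reused everywhere is not.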
And, for organizations and executives, as data breaches of this scale continue to hit the headlines, it is critical that they understand that “they must change the way they think about data protection, and broaden their mindset beyond the classic definition of what data is considered to be sensitive,” Galvin said. “It’s never been more critical for businesses to extend robust encryption policies to cover all personally identifiable information of customers so that the data is rendered unreadable and worthless to those with malicious intent.”
The bottom line, said McKendrick, is that data security needs to be elevated to the boardroom. “It is that important.”