Yahoo Inc, which disclosed two massive data breaches last year, said on Wednesday that about 32 million user accounts were accessed by intruders in the last two years using forged cookies. Yahoo CEO Marissa Mayer has asked that her bonus worth $2m be cut over the data breaches. IT security experts from AlienVault, Imperva, Tripwire, FireMon, STEALTHbits Technologies, Inc., Lastline and Balabit commented below.
Chris Doman, Security Engineer at AlienVault:
“We have to be careful to avoid victim blaming – all large tech companies have been victims of sophisticated attacks (e.g. https://arstechnica.co.uk/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/ and https://en.wikipedia.org/wiki/Operation_Aurora).
What is different here is that Yahoo’s response has been criticised heavily – both by its own board and by US senators. There was a multi-year delay in investigating and disclosing a number of attacks against their users.
Despite all the attacks in the news, in many organisations there has been only a slow move to prioritise cyber-risks. The very public loss of Marissa Mayer’s earnings may go some way towards making senior staff focus on the issue.
The reports of state-sponsored attackers using stolen Yahoo source code to gain access to Yahoo mail users are technically interesting. However, simple phishing techniques are more of a risk to most Yahoo mail users (e.g. http://pwc.blogs.com/cyber_security_updates/2014/12/apt28-sofacy-so-funny.html).
If you are a Yahoo mail user and wish to continue using it, the best first step in securing your account should be to enable two-factor authentication.”
Terry Ray, Chief Product Strategist at Imperva:
“It’s easy to villainize a company or an executive for having a data leak, but it’s worth noting that many companies would have been unable to prevent a forged cookie. The sad unfortunate truth about web applications is that most of them are not patched when they should be. Almost all of them have components that rarely if ever get patched, and cookie attacks don’t get the same level of attention as more common attacks like SQL injection and cross-site scripting. I don’t know what security controls Yahoo had in place protecting their web applications beyond standard coding practices, but they should have at least had a web application firewall capable of detecting cookie injection, unknown cookies and cookie tampering (forged cookies). If they didn’t have web application firewalls in place, or if they had them installed but didn’t have them actively enforcing good behaviour, this was probably due to budgetary or corporate strategic decisions made at high levels.
Cookie protections require the ability to track all cookies being used on a website, know which ones are set or applied to each individual user, and recognize when those cookies are used by someone else within a period of time or when those cookies change without appropriate instructions to do so. This is a bit more advanced than simply looking for known bad patterns of traffic arriving at a website, which is why not all web application firewalls have effective mechanisms to prevent these attacks. They are fairly easy attacks to attempt, though not as common as those you hear about more often, like SQL injection and cross-site scripting.”
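The cookie checks Terry Ray describes above (tracking every cookie the server issued, who it was issued to, and whether it is later presented changed or by a different client) are sketched here as an added example; it is not Yahoo’s or Imperva’s code, and the signing key, the cookie layout and the use of a client identifier (e.g. IP plus user agent) as the binding are assumptions. The point it shows is that a server-side registry of issued cookies flags a forged cookie even when the attacker holds the signing key, because the forged cookie’s id was never issued.

```python
import hmac
import hashlib
import secrets
import time

# Assumption: a server-side signing key (constructed demo value).
SECRET = b"constructed-demo-key-do-not-reuse"


class CookieMonitor:
    """Registry of issued session cookies used to classify presented ones."""

    def __init__(self, window=3600):
        self.issued = {}        # cookie id -> {"user", "client", "expires"}
        self.window = window    # validity window in seconds

    def _sign(self, payload):
        return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, client, now=None):
        """Mint a cookie 'id:user:signature' and record who it was set for."""
        now = time.time() if now is None else now
        cid = secrets.token_hex(16)
        payload = f"{cid}:{user}"
        self.issued[cid] = {"user": user, "client": client, "expires": now + self.window}
        return f"{payload}:{self._sign(payload)}"

    def check(self, cookie, client, now=None):
        """Classify a presented cookie as valid, malformed, tampered,
        unknown (well-signed but never issued), forged, expired or replayed."""
        now = time.time() if now is None else now
        parts = cookie.split(":")
        if len(parts) != 3:
            return "malformed"
        cid, user, sig = parts
        # Edited cookies fail the signature check.
        if not hmac.compare_digest(sig, self._sign(f"{cid}:{user}")):
            return "tampered"
        rec = self.issued.get(cid)
        if rec is None:
            return "unknown"      # valid signature, but this server never issued it
        if rec["user"] != user:
            return "forged"       # issued id re-signed for another user
        if now > rec["expires"]:
            return "expired"
        if rec["client"] != client:
            return "replayed"     # same cookie presented from a different client
        return "valid"
```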
Paul Edon, Director at Tripwire:
“This sets an interesting precedent for CEOs taking responsibility for data breaches and the impact they can have on customers’ confidence and shareholder value. It seems that cyber security has finally made it on to the board’s agenda, with data breaches increasingly impacting companies’ reputations and financial standing – in this case, potentially affecting the Verizon deal. Whether or not this is a well-orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have. Clearly, Mayer wants her customers to know that she takes protecting their data seriously – hopefully this will be proved by implementing more stringent security measures.”
Paul Calatayud, Chief Technology Officer at FireMon:
“Cyber security is an evolving field and most companies have a CISO or are planning to hire one. If companies feel this newly placed CISO is a great fall person, they are misunderstanding the role and where accountability falls. As a two-time CISO myself, I ended up realizing that the CISO’s main function is to identify risks to the company and effectively facilitate decisions on whether or not the business shall act. The result of this dynamic is that accountability ends up at the top levels of the company and with the board of directors.
Within Yahoo, there have been reports of Yahoo leadership limiting the cyber security program by opting for the ability to perform inspection on its customers’ mail boxes. As a CISO, my role would be to advocate and educate leadership on the risks of not encrypting these mailboxes; but if leadership decides to ignore this in the end, then the overall risk posture should be clearly documented and presented to the board.
When Yahoo’s CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired, and it will become more commonplace for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organization.”
Brad Bussie, CISSP, Director of Product Management at STEALTHbits Technologies, Inc.:
“The Yahoo saga continues. Clear signs back in 2014 and 2015 were apparent that something was amiss with corporate security. Hindsight is 20/20, but by looking back at several actions, we can help prevent similar breaches in the future.
First and foremost, when a CISO resigns due to battles with the CEO about security policies and procedures, we need to stand up and take notice. When a CISO position is vacated, this should immediately trigger a full independent audit of policies and systems. Perhaps this simple action would help mitigate the “revolving chair” stigma the CISO job now carries with it.
Second, cyber incidents need to be disclosed to the board when they occur, not years later. Think of this scenario like change management. We don’t make changes without approval because of the potential impact a change can have on a business. The same goes for security. How can you properly handle a vulnerability or breach without all hands on deck? You can’t, and Yahoo and others have proven it.
The bottom line is we should treat the repeated breaches as valuable lessons. The media will continue to talk about how those still left at Yahoo are being disciplined and losing bonuses/equity. In my mind, this is a bit like punishing a puppy for chewing on the furniture three years after it happened; the puppy doesn’t even know why they are being disciplined anymore.”
Brian Laing, VP of Business Development at Lastline:
“It’s admirable that Yahoo reallocated executive compensation towards employees to demonstrate its recognition of the seriousness of the data breach. Too often executives seem to be above it all as customers suffer. The attack itself again demonstrates the creativity and ingenuity of cyber criminals, and again, with the right technology the resulting data breach could have been minimised if not prevented. The exfiltration of customer data likely resulted in anomalous network traffic, and the spear phishing attacks against 26 Yahoo execs (who should know better) provided further clues into the attack. But signature-based security solutions would have missed both of these techniques. Monitoring behaviour, inside of files and across networks, will detect malicious intent and provide security teams with insight into how to disrupt attacks.”
James Luby of Balabit (www.balabit.com):
“The consequences for Yahoo executives illustrate the very real stakes for business directors when it comes to cybersecurity. Cyberattacks aren’t an IT security problem; they are a business problem, and business leaders who fail to act or recognize the size of the threat are suffering the consequences. In both cases, sophisticated attacks, thought to be by state-sponsored actors, are believed to be the result of unauthorized third-party access to one of the Company’s most valuable assets, its proprietary code. Failure to protect this asset enabled hackers to learn how to forge certain cookies, facilitating the theft of account details on a massive scale. This brings into sharp relief the necessity to monitor access to critical assets, whether they are infrastructure, financial data, or intellectual property.”