In the wake of the Yahoo attack disclosed late last year, in which the theft of more than 500 million user accounts dating from 2014 came to light, Yahoo CEO Marissa Mayer has decided to waive her 2016 bonus following the board's investigation into the breach. Yahoo's top lawyer, Ronald S. Bell, has also resigned for his part in the mishandling of the security breaches.
Below are the thoughts of cyber security leaders on this news.
Brian Laing, VP of Business Development at Lastline:
“It’s admirable that Yahoo reallocated executive compensation towards employees to demonstrate its recognition of the seriousness of the data breach. Too often executives seem to be above it all as customers suffer. The attack itself again demonstrates the creativity and ingenuity of cyber criminals, and again, with the right technology the resulting data breach could have been minimised if not prevented. The exfiltration of customer data likely resulted in anomalous network traffic, and the spear phishing attacks against 26 Yahoo execs (who should know better) provided further clues into the attack. But signature-based security solutions would have missed both of these techniques. Monitoring behaviour, inside of files and across networks, will detect malicious intent and provide security teams with insight into how to disrupt attacks.”
Paul Calatayud, CTO at FireMon:
“Cyber security is an evolving field and most companies have a CISO or are planning to hire one. If companies feel this newly placed CISO is a great fall person, they are misunderstanding the role and where accountability falls. As a two-time CISO myself, I ended up realising that the CISO’s main function is to identify risks to the company and effectively facilitate decisions on whether or not the business shall act. The result of this dynamic is that accountability ends up at the top levels of the company and with the board of directors.
“Within Yahoo, there have been reports that Yahoo leadership limited the cyber security program by opting for the ability to perform inspection on its customers’ mailboxes / analytics. As a CISO, my role would be to advocate and educate leadership on the risks of not encrypting these mailboxes; but if leadership decides to ignore this in the end, then the overall risk posture should be clearly documented and presented to the board.
“When Yahoo’s CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired and it will become more commonplace for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organisation.”
Chris Doman, Security Engineer at AlienVault:
“We have to be careful to avoid victim blaming – all large tech companies have been victims of sophisticated attacks (e.g. https://arstechnica.co.uk/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/ and https://en.wikipedia.org/wiki/Operation_Aurora).
What is different here is that Yahoo’s response has been criticised heavily – both by its own board and by US senators. There was a multi-year delay in investigating and disclosing a number of attacks against their users.
Despite all the attacks in the news, in many organisations there has been only a slow move to prioritise cyber-risks. The very public loss of Marissa Mayer’s earnings may go some way towards making senior staff focus on the issue.
The reports of state-sponsored attackers using stolen Yahoo source code to gain access to Yahoo mail users are technically interesting. However, simple phishing techniques are more of a risk to most Yahoo mail users (e.g. http://pwc.blogs.com/cyber_security_updates/2014/12/apt28-sofacy-so-funny.html).
If you are a Yahoo mail user and wish to continue using it, the best first step in securing your account should be to enable two-factor authentication.”
Terry Ray, Chief Product Strategist at Imperva:
“It’s easy to villainize a company or an executive for having a data leak, but it’s worth noting that many companies would have been unable to prevent a forged cookie. The sad, unfortunate truth about web applications is that most of them are not patched when they should be. Almost all of them have components that rarely if ever get patched, and cookie attacks don’t get the same level of attention as more common attacks like SQL injection and cross-site scripting. I don’t know what security controls Yahoo had in place protecting their web applications beyond standard coding practices, but they should have at least had a web application firewall capable of detecting cookie injection, unknown cookies and cookie tampering (forged cookies). If they didn’t have web application firewalls in place, or if they had them installed but didn’t have them actively enforcing good behaviour, this was probably due to budgetary or corporate strategic decisions made at high levels.
Cookie protections require the ability to track all cookies being used on a website, know which ones are set or applied to each individual user, and recognise when those cookies are used by someone else within a period of time or when those cookies change without appropriate instructions to do so. This is a bit more advanced than simply looking for known bad patterns of traffic arriving at a website, which is why not all web application firewalls have effective mechanisms to prevent these attacks. They are fairly easy attacks to attempt, though not as common as those you hear about more often, like SQL injection and cross-site scripting.”
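The three cookie controls Terry Ray lists above (spotting a tampered or forged value, spotting a correctly formed cookie the server never set, and spotting a genuine cookie presented by someone other than the user it was set for) can be sketched in a few dozen lines. The Python below is an added example written for this page; it is not Yahoo's, Imperva's or any product's implementation. The signing key, the client fingerprint (IP address plus User-Agent), the session lifetime, the reuse window and the sample cookies are all constructed assumptions.

```python
"""Forged-cookie detection demo (added example, not code from Yahoo or Imperva)."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 3600        # assumed policy: seconds a session cookie stays valid
REUSE_WINDOW = 600    # assumed policy: a client switch inside this window counts as hijack


def _sign(data: str) -> str:
    """HMAC-SHA256 over the encoded payload; a changed payload no longer matches."""
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def _encode(payload: dict) -> str:
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _decode(b64: str) -> dict:
    padded = b64 + "=" * (-len(b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


class CookieMonitor:
    """Tracks every cookie the server set, which client it was set for, and when it was last seen."""

    def __init__(self) -> None:
        self.issued = {}  # session id -> {"user", "client", "last_seen"}

    def issue(self, user: str, client: str, now: float) -> str:
        payload = {"u": user, "iat": int(now), "sid": secrets.token_hex(8)}
        b64 = _encode(payload)
        self.issued[payload["sid"]] = {"user": user, "client": client, "last_seen": now}
        return f"{b64}.{_sign(b64)}"

    def check(self, cookie: str, client: str, now: float) -> str:
        # 1. Tampering: a payload that no longer matches its signature was not produced by us.
        try:
            b64, sig = cookie.rsplit(".", 1)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(sig, _sign(b64)):
            return "forged"
        try:
            payload = _decode(b64)
        except ValueError:
            return "malformed"
        # 2. Unknown cookie: correctly signed (e.g. minted with a stolen key) but never set by this server.
        rec = self.issued.get(payload.get("sid"))
        if rec is None:
            return "unknown"
        # 3. Lifetime.
        if now - payload["iat"] > MAX_AGE:
            return "expired"
        # 4. Reuse by someone else: a different client shortly after the legitimate client used it.
        if rec["client"] != client and now - rec["last_seen"] < REUSE_WINDOW:
            return "hijacked"
        rec["client"] = client
        rec["last_seen"] = now
        return "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Runs the four cases against constructed cookies and returns each verdict."""
    mon = CookieMonitor()
    alice = "198.51.100.7|Firefox"      # constructed client fingerprint
    attacker = "203.0.113.9|curl"       # constructed client fingerprint
    legit = mon.issue("alice", alice, now)
    results = {"legit": mon.check(legit, alice, now + 5)}
    # Tampered payload with the original signature kept.
    b64, sig = legit.rsplit(".", 1)
    tampered = _decode(b64)
    tampered["u"] = "bob"
    results["tampered"] = mon.check(f"{_encode(tampered)}.{sig}", alice, now + 6)
    # Correctly signed cookie the server never set (attacker holds the key, as with leaked signing code).
    minted = _encode({"u": "bob", "iat": int(now), "sid": "0123456789abcdef"})
    results["minted"] = mon.check(f"{minted}.{_sign(minted)}", attacker, now + 7)
    # Genuine cookie replayed from another client a minute after alice used it.
    results["replayed"] = mon.check(legit, attacker, now + 60)
    # Genuine cookie presented after the session lifetime.
    results["expired"] = mon.check(legit, alice, now + MAX_AGE + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The signature check alone defeats the tampered cookie, but not the minted one: an attacker who has the signing key (or the code that derives it) can produce cookies that verify perfectly, which is why the second control keeps a server-side registry of what was actually issued. The reuse check is the one most WAFs lack, because it needs per-session state rather than a pattern match on a single request.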
Paul Edon, Director at Tripwire:
“This sets an interesting precedent for CEOs taking responsibility for data breaches and the impact they can have on customers’ confidence and shareholder value. It seems that cyber security has finally made it on to the board’s agenda, with data breaches increasingly impacting companies’ reputations and financial standing – in this case, potentially affecting the Verizon deal. Whether or not this is a well-orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions, because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have. Clearly, Mayer wants her customers to know that she takes protecting their data seriously – hopefully this will be proved by implementing more stringent security measures.”