IT Security Guru

Yahoo CEO Marissa Mayer waives 2016 bonus in wake of data breaches

by The Gurus
March 3, 2017
in Editor's News

In the wake of the Yahoo attack revealed late last year, in which the theft of more than 500 million user accounts dating from 2014 was discovered, Yahoo CEO Marissa Mayer has decided to waive her 2016 bonus after an investigation into the attack by the board. Yahoo’s top lawyer, Ronald S. Bell, has also resigned for his part in the mishandling of the security breaches.
Below are the thoughts of cyber security leaders on this news.
Brian Laing, VP of Business Development at Lastline:
“It’s admirable that Yahoo reallocated executive compensation towards employees to demonstrate its recognition of the seriousness of the data breach. Too often executives seem to be above it all as customers suffer. The attack itself again demonstrates the creativity and ingenuity of cyber criminals, and again, with the right technology the resulting data breach could have been minimised if not prevented. The exfiltration of customer data likely resulted in anomalous network traffic, and the spear phishing attacks against 26 Yahoo execs (who should know better) provided further clues into the attack. But signature-based security solutions would have missed both of these techniques. Monitoring behaviour, inside of files and across networks, will detect malicious intent and provide security teams with insight into how to disrupt attacks.”
Paul Calatayud, CTO at FireMon:
“Cyber security is an evolving field and most companies have a CISO or are planning to hire one. If companies feel this newly placed CISO is a great fall person, they are misunderstanding the role and where accountability falls. As a two-time CISO myself, I ended up realising that the CISO’s main function is to identify risks to the company and effectively facilitate decisions on whether or not the business shall act. The result of this dynamic is that accountability ends up at the top levels of the company and with the board of directors.
“Within Yahoo, there have been reports that Yahoo leadership limited the cyber security program by opting for the ability to perform inspection on its customers’ mailboxes / analytics. As a CISO, my role would be to advocate and educate leadership on the risks of not encrypting these mailboxes; but if leadership decides to ignore this in the end, then the overall risk posture should be clearly documented and presented to the board.
“When Yahoo’s CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired and it will be more commonplace for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organisation.”
Chris Doman, Security Engineer at AlienVault:
“We have to be careful to avoid victim blaming – all large tech companies have been victims of sophisticated attacks (e.g. https://arstechnica.co.uk/security/2015/07/meet-the-hackers-who-break-into-microsoft-and-apple-to-steal-insider-info/ and https://en.wikipedia.org/wiki/Operation_Aurora).
What is different here is that Yahoo’s response has been criticised heavily – both by its own board and by US senators. There was a multi-year delay in investigating and disclosing a number of attacks against their users.
Despite all the attacks in the news, in many organisations there has been only a slow move to prioritise cyber-risks. The very public loss of Marissa Mayer’s earnings may go some way towards making senior staff focus on the issue.
The reports of state-sponsored attackers using stolen Yahoo source code to gain access to Yahoo mail users are technically interesting. However, simple phishing techniques are more of a risk to most Yahoo mail users (e.g. http://pwc.blogs.com/cyber_security_updates/2014/12/apt28-sofacy-so-funny.html).
If you are a Yahoo mail user and wish to continue using it, the best first step in securing your account should be to enable two-factor authentication.”
Terry Ray, Chief Product Strategist at Imperva:
“It’s easy to villainize a company or an executive for having a data leak, but it’s worth noting that many companies would have been unable to prevent a forged cookie. The sad unfortunate truth about web applications is that most of them are not patched when they should be. Almost all of them have components that rarely if ever get patched, and cookie attacks don’t get the same level of attention as more common attacks like SQL injection and cross-site scripting. I don’t know what security controls Yahoo had in place protecting their web applications beyond standard coding practices, but they should have at least had a web application firewall capable of detecting cookie injection, unknown cookies and cookie tampering (forged cookies). If they didn’t have web application firewalls in place, or if they had them installed but didn’t have them actively enforcing good behaviour, this was probably due to budgetary or corporate strategic decisions made at high levels.
Cookie protections require the ability to track all cookies being used on a website, know which ones are set or applied to each individual user, and recognize when those cookies are used by someone else within a period of time or know when those cookies change without appropriate instructions to do so. This is a bit more advanced than simply looking for known bad patterns of traffic arriving at a website, which is why not all web application firewalls have effective mechanisms to prevent these attacks. They are fairly easy attacks to attempt, though not as common as those you hear more often like SQL injection and cross-site scripting.”
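The cookie protections Terry Ray describes above (knowing which cookie was issued to which user, noticing when a cookie turns up from someone else, and noticing when a value changes without instruction) can be illustrated with a small server-side check. The following is an added example, not code from the article or from Imperva: it signs session cookies with an HMAC, keeps a registry of which cookie went to which client, and classifies each presented cookie. The signing key, the client fingerprint strings and the session identifiers are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed signing key for the example; a real deployment would load it from a secret store.
SECRET = b"example-signing-key-not-for-production"


def issue_cookie(session_id: str, secret: bytes = SECRET) -> str:
    """Build a signed cookie value 'session_id.signature' (HMAC-SHA256 over the id)."""
    sig = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{sig}"


def verify_cookie(value: str, secret: bytes = SECRET):
    """Return the session id if the signature is valid, otherwise None."""
    if "." not in value:
        return None
    session_id, sig = value.rsplit(".", 1)
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return session_id


class CookieMonitor:
    """Remembers which signed cookie was issued to which client and classifies later uses.

    The client fingerprint is whatever the server can observe; here it is a constructed
    string standing in for source address plus user agent.
    """

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.issued = {}  # cookie value -> client fingerprint it was issued to

    def issue(self, client: str) -> str:
        cookie = issue_cookie(secrets.token_hex(8), self.secret)
        self.issued[cookie] = client
        return cookie

    def classify(self, cookie: str, client: str) -> str:
        """Classify a presented cookie as ok, tampered, unknown or reused."""
        if verify_cookie(cookie, self.secret) is None:
            return "tampered"  # value altered, or forged without the signing key
        if cookie not in self.issued:
            return "unknown"   # signature valid but this server never issued it
        if self.issued[cookie] != client:
            return "reused"    # issued to one client, presented by another
        return "ok"


def run_demo() -> dict:
    """Exercise the monitor with constructed requests and return each verdict."""
    monitor = CookieMonitor()
    cookie = monitor.issue("203.0.113.10|BrowserA")
    # Flip the last signature character to simulate a value changed in transit.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    # A correctly signed cookie the server never handed out: what a leaked key would allow.
    forged = issue_cookie("forged-session")
    return {
        "legit": monitor.classify(cookie, "203.0.113.10|BrowserA"),
        "other_client": monitor.classify(cookie, "198.51.100.7|BrowserB"),
        "tampered": monitor.classify(tampered, "203.0.113.10|BrowserA"),
        "forged": monitor.classify(forged, "203.0.113.10|BrowserA"),
        "garbage": monitor.classify("not-a-cookie", "203.0.113.10|BrowserA"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Signature verification alone only catches values that were altered without the key. The issued-cookie registry is what catches the two cases Ray singles out: a validly signed cookie the server never issued (the forged-cookie situation once signing material has leaked) and a genuine cookie presented by a different client than the one it was issued to. A production version would expire registry entries and key the fingerprint on whatever client attributes the site can observe reliably.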
Paul Edon, Director at Tripwire:
“This sets an interesting precedent for CEOs taking responsibility for data breaches and the impact they can have on customers’ confidence and shareholder value. It seems that cyber security has finally made it on to the board’s agenda, with data breaches increasingly impacting companies’ reputations and financial standing – in this case, potentially affecting the Verizon deal. Whether or not this is a well-orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have. Clearly, Mayer wants her customers to know that she takes protecting their data seriously – hopefully this will be proved by implementing more stringent security measures.”

Tags: Cyber Security, data breach, Marissa Mayer, Yahoo

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic