When a trusted and established organisation like Yahoo gets breached, the rest of us need to start worrying. The company suffered two isolated breaches, that were disclosed separately from one another but totaled an impact of almost 1.5 billion users. As a result, the tech giant’s reputation took a hit; so much so that Yahoo’s sale to Verizon is now slated to close even later in the year.
Yahoo is not the only organisation suffering the wrath of skilled and well-funded cyber attackers. According to the Australian Cyber Security Centre, there have been 1,095 cyber security incidents on systems in government agencies.
Given that it seems similar incidents are happening at an alarming rate, almost daily, the question should no longer be, “How can I avoid the breach?” but rather, “How can I protect myself and minimise the damage quickly and efficiently?”
According to the 2016 Verizon Data Breach survey, 63% of confirmed data breaches involved weak, default or stolen passwords. Although staggering, this number should come as no surprise to anyone, especially in light of these two Yahoo breaches. The company publicly stated that user account information, which may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, was exposed. What also compounds the impact of this (or any other) breach is the fact that users consistently leverage similar or even the same passwords for multiple online accounts.
In a world that could benefit from a little simplicity, end-users are logging into their Yahoo, iTunes, Facebook and even online banking accounts with the same password. Plus, with “social login” users can leverage their Yahoo account to log into other portals. While these practices might make life easier, the potential security risks associated with this kind of behavior is too high to avoid.
It’s important to bear in mind that if the hackers involved in both Yahoo breaches stole usernames and passwords, they could leverage this information with social engineering tactics to access additional, much more sensitive online identities.
This poses the question of what can we do to protect ourselves? The first and most obvious is to stop using the same and/or similar passwords for online accounts. Unfortunately, as mentioned earlier, this is a lot easier said than done when it comes to wanting simplicity. Second, users should never allow a website to save a password for access. This best practice may add a small amount of inconvenience, but truly yields significant security gains. The third practice is to incorporate two-factor authentication wherever possible.
Two-factor authentication is the practice of requiring additional assurance that a user is who they say they are when logging on. A password (the first factor) is something a user knows, while the second factor would be something a user has -- the methodology behind this practice is similar to an ATM card and a PIN code. The most common, and easiest way to implement this type of two-factor authentication is called the one-time password (OTP). With OTP, after entering a password, the resource a user is trying to access will be asked for the second factor – a random six or eight digit number that is generated by a hardware or software token in the user’s possession. The addition of the random number is the one-time password making it very difficult to hack into the account at a later date. Even if the hacker has the username and password, they cannot get in without OTP.
These precautions are not simply intended for the user, but for the enterprise, as well. Wide-scale, impactful breaches have an enormous affect not only on the reputation of the organisation but also to the bottom line. The latest breach disclosure by Yahoo is already impacting considerations made by Verizon Communications -- as the breach had materially diminished the value of Yahoo, Verizon requested a renegotiation of the terms of the contract in which they agreed to buy Yahoo for $4.8 billion, and more recently, reported that the close has been pushed to later in the year than expected.
The anatomy of a breach is simple: compromised passwords are used to gain initial access, thereafter through escalation techniques, the hacker elevates privileges until they can use administrator credentials to gain access to the sought-after sensitive data. Securing greater control over logging in (via two-factor authentication), and the increased monitoring of privileged accounts can help to mitigate risk and reduce the attack surface. Eliminating the sharing of privileged accounts, monitoring what administrators do with those credentials, and implementing a “least privilege” model where admins are only issued the rights necessary to do their job – are best practices that every security administrator must consider, nothing more, nothing less.
While there is not enough information about the Yahoo breaches to determine if two-factor authentication could have stopped the attack or if weak privileged account management was at fault, there is no question that these technologies and practices certainly have, and could help, in similar future breaches.
Last chance to register | CSO Perspectives Roadshow 2017 in a city near you...
View our amazing speaker lineup today- Don't Miss Out
- Is your organisation ready for the new data breach notification legislation?
- Consequence-Based Security Underpinned by Threat Intelligence
- Office 365 Deployment: Do you have what it takes?
- Mandatory breach notification laws crucial to new age of knowledge sharing
- CSO Perspectives – Security readiness is the key to effective response
- AusCERT 2017 - Identity is the new perimeter