Page 12 - GS170101
P. 12
News
Yahoo breaches analysts said these measures are insufficient and that
analyzed nothing short of a wholesale overhaul of Yahoo's security
infrastructure will protect the company and its account
A number of security analysts believe Yahoo users from further criminal activities.
Inc.'s recently disclosed data breaches consti-
tute yet another wake-up call to the security "An outdated security technique is in use or technologies
community, which is tasked with keeping our have not been updated to the latest standards, and
payments infrastructure safe from persistent and escalat- then they're compromised when system access is
ing attacks on the part of skilled criminals. gained," Knight said. "Therefore, a formal vulnerability
management program is essential, as are application
In September 2016, Yahoo stated a security breach had development processes that make security best practices
occurred in 2014 that affected an estimated 500 million programmatic."
account holders. In December 2016, the company revealed
an earlier event in 2013 had potentially affected 1 billion Vaystikh concurred, adding, "In too many organizations,
users. The breaches are said to be the largest ever recorded. threat detection still involves chasing after alerts and
investigating them in a very limited way, detached from
"As news of the new Yahoo! breach started pouring in, the bigger picture. Even when they chase down what they
the first bit of information that really stood out is that believe to be the threat, there is no indication of where and
the breach occurred in 2013, before the breach that was how long ago the incident actually began."
reported last September, which had taken place in 2014,"
said Alex Vaystikh, Chief Technology Officer of advanced Public, private repercussions
threat detection firm SecBI. "The severity of this incident
cannot be overlooked. Not only was the intrusion itself not In addition to criticism for late disclosure of data breaches
detected in 2013, but no signs of it were discovered during and lax security measures, Yahoo is facing several lawsuits
the investigation of the 2014 breach." and a congressional investigation. The data breaches may
have also impacted the planned acquisition of Yahoo by
Alex Knight, Director of Security Product Strategy at Verizon Communications Inc. Financial analysts expect
ControlScan Inc., added, "Yahoo's reported oversights are Verizon to renegotiate its former $4.8 billion bid for
shocking to the security community as well as the general Yahoo's assets.
public because the mistakes are just so fundamental.
People are asking, 'Why was Yahoo wandering around "Litigation and other problems will stem from Yahoo's
in the dark for so long?' And they were. Reports suggest data breach, and Verizon needs to assess the potential
a failure in the basic vulnerability and threat-detection financial hit from those headaches and whether they hurt
processes that enable a business to actively identify and Yahoo's already shaky financial results," wrote Bloomberg
address security holes before hackers can exploit them." Gadfly columnist Shira Ovide. "Odds are that Verizon will
proceed with its Yahoo deal, but under the circumstances
Protecting cardholder data it is justified in seeking a [cyber-uncertainty] discount on
the toy it plucked from the remainders bin."
Early reports indicated the 2013 attack occurred outside
Yahoo's cardholder data environment, making it unlikely Verizon, a leading provider of managed security systems,
that any credit card account numbers were stolen. "The has worked with the government and private sector on
investigation indicates that the stolen information did a range of security initiatives, routinely publishing its
not include passwords in clear text, payment card data findings in a series of reports. The company's 2016 Data
or bank account information," Yahoo representatives Breach Investigations Report (DBIR) analyzed over 100,000
stated. However, hackers had access to a treasure trove incidents that occurred in 2015, including 3,141 confirmed
of personal account data, including names, physical and data breaches.
email addresses, phone numbers, date of birth, hashed
passwords and security questions and answers. The company's IT specialists recommend implementing
multilayered security schemes, including spam protection,
Investigators familiar with the 2014 breach said hackers list blocking, email header/attachment/URL analysis
manufactured web cookies to pose as legitimate account and reporting suspicious emails, to protect against
holders, which enabled them to falsify login credentials phishing scams and other forms of malicious attacks.
and access accounts without using passwords. Yahoo The DBIR advised companies to authenticate, segment
has recently tightened security in the aftermath of the and monitor all devices, apps and personnel connected
episodes, invalidating unencrypted security questions to their networks. While Yahoo reportedly has more than
and requiring users to reset their passwords. Security 1 billion users worldwide, the company has lost market
share to competing Internet service providers. A growing
chorus of experts believe the Yahoo breaches may have
precipitated a tipping point in the security community.
12
