Friday, 23 September 2016
Yahoo Megabreach Industry Analysis
Today I received several interesting cyber security expert views on the Yahoo breach following my blog post yesterday - Yahoo, The Largest Data Breach in History...so far,
Broken Security Model?
Paul German, VP EMEA at Certes, a specialist in cyber security and encryption, believes the Yahoo hackers were able to steal such vast amounts of account data due to a problem with the cyber security model of 'Protect, Detect and React'. Specifically the time in detecting the protection had been overcome. In Yahoo's case this time lag appears to be months and possibly even years, which allowed the hackers plenty of time to scout around the inside network undetected and extract such huge amounts of data out. To counter this lag, Paul suggests any potential hacker access to the data should be contained, I'm guessing by cranking down on data access control. Here's his full comments below.
“The problem lies in the face that once hackers cross a company’s carefully laid out cyber defences, the network, and the treasure trove of data within it, is their oyster. Moving laterally, they are able to siphon off huge swathes of valuable information difficulty until they are detected, often months after the initial breach.
“The problem lies in the current cyber security model which takes a, ‘protect’, ‘detect’, ‘react’ approach. There is a significant lag between the protection being sidestepped and the criminal being detected. Currently this leaves a hacker free rummage through a company’s most sensitive data, wreaking havoc. There is a fundamental step missing – at whatever point a hacker enters a network they must be contained, restricting the data they can access and the damage they can inflict before they are detected.
“Most businesses now see a security breach as a ‘when’ rather than an ‘if’ situation, and it is vital that they take steps limit the damage and protect the data of thousands, if not millions of consumers.” Paul German, VP EMEA at Certes.
I think Paul raises a fair point on breach containment, but that is easier said than done in reality, as information is typically a lifeblood of business services, so needs flow and be accessible by the business systems and customers, so can be difficult to restrict within its trusted zone. I do agree Paul's view that a security breach should be regarded as a 'when' not an 'if', business should have a proven incident management plan which reflects that.
In better detecting security breaches, businesses should invest more in a combination of technology, business management processes (i.e. risk & cyber threat assessments) and staff awareness to improve breach detection capabilities. In addition investing in an external cyber threat intelligence service adds another string to the data breach detect bow, with such services able to spot when cyber criminals peddle stolen company data on the dark web. Remember it is believed Yahoo first learnt of their data breach following reports of a hacker trying to sell 200M Yahoo accounts on the dark web, which is said to have sparked their investigations.
Jamie Graves Ph.D, co- founder and CEO of Cyber Security company, ZoneFox.com, focused on the sophistication of the attack, given Yahoo's claim that it was compromised by a nation state.
A National State Attack?
“Yahoo claims that it was compromised be a nation state, which means that a hacking team with the resources of a government had penetrated their defences. This type of attack is often difficult to defend against, and a number of other well defended organisations have fallen victim to this type of attack."
“Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo 2 years to disclose. In this time, a great deal of additional harm will have occurred to the comprised accounts ranging from account hijacking through to identity theft and fraud.
“The Yahoo attack highlights the reason why good detection capabilities, aligned with laws that force this form of disclosure in a short period, such as the GDPR, are crucial to help protect personal information. Furthermore, organisations must not only have rigorous Cyber Security measures in place but also a disaster recovery plan to respond immediately to a breach if the, sometimes, inevitable occurs.” Jamie Graves Ph.D, co- founder and CEO of Cyber Security company, ZoneFox.com.
I am yet to be convinced this data theft was conducted by a nation state, and here's why. Nation state email account attacks tend to be targetted to email accounts, not entire email accounts on mass, and the fact that a large chunk of the Yahoo stolen email account data was attempted to be sold on the dark web doesn't fit the nation state MO either, but hacker(s) trying to monetise from the attack.
There have been countless occasions where companies blamed data breaches on highly cyber sophisticated attacks by teams of super hackers, for it to be later confirmed as being conducted by a schoolkid script kiddie taking advantage of 12 year SQL injection vulnerability. The TalkTalk breach PR comes to mind in this regard. I have no reason to think Yahoo's security posture is poor, but without them explaining the attack methodology and presenting evidence to back up their nation-state attack claim, and there should always be evidence if they are decent at security, I will remain highly sceptical of the nation state claim.