Describe the report of news analysis on the Yahoo hack.
Data breaches are among the major threats to the security of an information system, and many security concerns can be associated with them, such as hacktivism involving the theft of data, malware introduced through these breaches, and criminal attacks that exploit stolen data. Over the years, many data breaches have caused losses to organizations and harm to people who fall victim to cybercrime; it is thus a very important area of study in the field of information security (Stewart, 2014).
The news article was about the latest security breach, in which hackers stole the personal information of over 500 million Yahoo users. It is the largest data breach since the data of 500 million Court Ventures users, including social security numbers, credit card data and bank account information, was sold to an identity theft organization in Vietnam. Although the state-sponsored attacker was not able to obtain sensitive data such as bank account or credit card information, it was a data theft that was huge in numbers and had been going on for the past 2 years without being noticed. This data breach raises a concern over the capabilities of security engineers in securing networks against cyber criminals (Wood, Nahorney, Chandrasekar, Wallace, & Haley, 2014).
The case presents a unique story: a state-sponsored agent attacked an already troubled organization that was in the process of being acquired by another organization, stole personal data but not sensitive account or financial data, and affected the largest number of users in the history of data breaches. This made it an interesting case for consideration in this report. Moreover, the incident was recent and involved a renowned organization, so the news article on the subject was taken up for exploration in this report.
One of the major causes of the security breach, as identified by Yahoo, was the use of unvalidated and unencrypted security questions and answers by Yahoo users. Challenge questions are the weakest form of authentication. Another observation by Yahoo was that the stolen passwords were hashed, the majority of them using bcrypt, and that hackers used brute force to crack these passwords. The bcrypt (Blowfish file encryption) algorithm is designed for storing passwords and is considered a very secure way to store them, which makes Yahoo's authentication system secure with a low probability of cracking. However, Yahoo itself stated that not all passwords were stored using bcrypt, which could have been a probable reason for the huge number of compromised accounts (OECD, 2008).
A research experiment on the use of word associations for security revealed that when family and friends were asked to guess the answers to users' security questions, close to 50% of them could do so successfully. When the experiment was repeated with complete strangers, it was found that the question-and-answer challenge was still not an efficient method of protection unless the answers are hashed (Stringer, 2011).
A major non-technical cause was users' choice of commonly memorable or easy passwords and their unwillingness to change passwords often for fear of forgetting them. It was found that close to 5% of Yahoo users very frequently forget their passwords. When a password is created for the first time, Yahoo imposes restrictions and compels users to create a strong password using a combination of letters, numbers and special characters. However, when the system goes through the forgotten-password flow, even easy passwords can be accepted, putting users at more risk. Further, users do not change passwords or update security questions often, which makes it easy for hackers to gain access to accounts. In the case of the Yahoo data breach, the stolen data also included several security questions and answers.
To understand the severity of the damage caused by the security breach, the breach level index methodology can be used. Under this methodology, the breach can be considered to have a breach level index of 7-8.9, as it gave significant exposure to the business, had regulatory impact as a result of a hacking attempt by a state-sponsored entity, and leaked a large amount of sensitive information. It also affected the public image of Yahoo, causing tensions between Verizon and Yahoo over the deal in which Verizon was to take over Yahoo (Stiennon, 2013).
Further, the breach is expected to bring lawsuits, in addition to the costs that would be incurred for remediation of the breach. The average cost of such remediation is $220 per stolen record, and with over 500 million records stolen, the cost of remediation would be even larger than the Verizon deal amount.
Yahoo is already losing users, traffic and revenue and is unable to stand against rivals like Google and Facebook, which is why it was decided to sell it for $4.8 billion. Moreover, this mega breach can worsen Yahoo's problems, as its users are likely to lose trust in the brand.
Further, with the credentials of so many people stolen, there is an obvious risk for users that their credentials could be misused by the hackers in various ways. The passwords and personal details obtained by accessing user accounts can be sold to third parties; this can include user names, passwords, birth dates, zip codes and email IDs. Some of the information could have been used even before people decided to take protective steps, as the breach had been going on for 2 years before Yahoo disclosed it publicly (TrustSphere, 2012).
Further potential impacts that the organization is likely to face in response to the data breach include damage to the brand, loss of customers, loss of competitive advantage in the market, loss of market share, legal action and erosion of shareholder value (E&Y, 2011).
To prevent brute force attacks, an organization should go beyond password protection policies alone and use specific detection methods such as rate limiting of login attempts, detection of logins from automated browsers and from unexpected locations, and checks against popular password data and stolen credential information.
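The detection methods listed above can be run over ordinary authentication logs. The following Python example is added here and is not part of the original report: it flags accounts with too many failed logins inside a sliding window (the basis for rate limiting), flags successful logins from a country the account has never used before, and rejects new passwords found on a popular-password or leaked-credential list. The event format, field names, thresholds, sample log lines and the blocked-password list are all assumptions constructed for this example.

```python
"""Login-abuse detection over a constructed sample of authentication events.

Added example, not part of the original report. The event format, field names,
thresholds and the sample data below are assumptions made up for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5               # failures tolerated per account inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample events: "<ISO timestamp> <user> <source country> <result>"
SAMPLE_LOG = """\
2016-09-01T10:00:01 alice US fail
2016-09-01T10:00:05 alice US fail
2016-09-01T10:00:09 alice US fail
2016-09-01T10:00:12 alice US fail
2016-09-01T10:00:15 alice US fail
2016-09-01T10:00:18 alice US fail
2016-09-01T10:01:00 bob US ok
2016-09-01T10:05:00 bob RU ok
2016-09-01T10:30:00 carol US ok
"""

# Constructed stand-in for a popular-password / leaked-credential list.
BLOCKED_PASSWORDS = {"123456", "password", "qwerty", "yahoo123"}


def parse_events(text):
    """Parse the sample format into (timestamp, user, country, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return events


def detect_bruteforce(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Accounts with more than max_failures failed logins inside a sliding window.

    A login endpoint would throttle or lock a flagged account; here it is only reported.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = set()
    for ts, user, _country, result in events:
        if result != "fail":
            continue
        window_failures = recent[user]
        window_failures.append(ts)
        while ts - window_failures[0] > window:   # drop failures outside the window
            window_failures.popleft()
        if len(window_failures) > max_failures:
            flagged.add(user)
    return flagged


def detect_new_locations(events):
    """Successful logins from a country the account has never logged in from before.

    The first login of each account establishes its baseline and is not alerted on.
    """
    seen = defaultdict(set)
    alerts = []
    for _ts, user, country, result in events:
        if result != "ok":
            continue
        if seen[user] and country not in seen[user]:
            alerts.append((user, country))
        seen[user].add(country)
    return alerts


def is_blocked_password(candidate, blocked=BLOCKED_PASSWORDS):
    """Reject a new password that appears on the popular/leaked list (case-insensitive)."""
    return candidate.casefold() in blocked


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("brute-force suspects:", detect_bruteforce(evts))
    print("new-location logins:", detect_new_locations(evts))
    print("'Password' allowed?", not is_blocked_password("Password"))
```

In the sample, `alice` exceeds the failure threshold, `bob` logs in from a second country after establishing a baseline, and the password check is case-insensitive so trivially capitalized variants of listed passwords are still refused.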
If challenge questions are used as an authentication measure, a hash of the responses may be stored instead of the plain answers. Even better would be to use multiple questions and answers such that a single hash is created by combining the responses to multiple questions (Just & Aspinall, 2009).
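The following Python example, added here and not part of the original report, shows the combined-hash scheme just described together with the slow, salted hashing the report attributes to bcrypt. Because the report discusses bcrypt but this example must run without third-party packages, it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in with an iteration count playing the role of bcrypt's cost factor. The function names, the answer-normalization rules and the sample answers are assumptions constructed for this example.

```python
"""Storing challenge-question answers as one salted, slow hash.

Added example, not from the original report. PBKDF2-HMAC-SHA256 stands in for
bcrypt; the normalization rules and sample answers are assumptions.
"""
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 200_000   # work factor, the analogue of bcrypt's cost parameter
SEPARATOR = "\x1f"     # cannot occur in a normalized answer, so joining is unambiguous


def normalize(answer):
    """Canonicalize an answer so case, spacing and punctuation differences do not
    lock the legitimate user out ("New York!" and "new york" agree)."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", text)


def _combine(answers):
    """All answers are joined before hashing, so they can only be verified together."""
    return SEPARATOR.join(normalize(a) for a in answers).encode("utf-8")


def enroll(answers, salt=None, iterations=ITERATIONS):
    """Return the stored record for a set of answers: salt, work factor and one digest.

    Hashing the answers together means someone holding the record cannot test the
    questions one at a time; every guess must be right on all of them at once.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _combine(answers), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record, answers):
    """Recompute the digest from the presented answers and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", _combine(answers), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    record = enroll(["New York", "Rex", "Lincoln High"])
    print(record)
    print(verify(record, ["new york", "REX", "lincoln-high"]))    # True
    print(verify(record, ["New York", "Rex", "Washington High"]))  # False
```

The record stores only the salt, the work factor and the digest, so a copy of the database reveals nothing about the answers themselves; the work factor is what makes offline guessing expensive, and it can be raised over time by re-enrolling users.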
The data protection principle suggests that security must be designed and organized in a way that fits the nature of the personal data being managed. It further requires establishing the right security measures and robust security policies. After a data breach has occurred, the only measure that remains is remediation; a better way is prevention of the problem, as much less can be done after a breach (Engine Yard, Inc., 2014).
A data breach can be avoided in several ways, such as by using strong authentication passwords, an appropriate granular data classification scheme, improved access control measures, assessment of traffic to identify and understand data loss vectors, compliance audits and so on. Risks can be reduced if data usage is monitored and appropriate preventive measures are taken on discovery of a potential threat to the data (Xero, 2016).
A holistic approach would be to establish a layered technological approach to data protection using various security control measures such as encryption, threat protection, data loss prevention and security compliance.
Encryption: Policy-based encryption may be used for securing personal data. The file sharing feature can have its own encryption process to prevent data from being lost or stolen in transit.
Threat Protection: Threat protection covers user endpoints, web vectors and email accounts. For this, a service provider can build the capacity to proactively detect malware such as viruses, Trojans, worms, spyware and any other suspicious files. Antivirus, firewalls and application controls can be used for protecting user accounts.
Data Loss Prevention: Whenever sensitive information is transferred through email, automatic rules established in advance can be triggered to prevent data loss. This can be done using file matching, which involves understanding the file formats, and content rules that contain data definitions which can invoke specific actions.
Security Compliance: An email service provider, or any organization providing services, may establish methods for controlling activities over the web such that policies must be adhered to while using the account, in order to ensure protection (Stringer, 2011).
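The content-rule part of data loss prevention described above (a data definition paired with an action to invoke) can be illustrated with a small rule engine for outgoing mail. The following Python example is added here and is not part of the original report: each rule is a pattern, an optional validator that confirms the data definition (a Luhn checksum for card numbers, so random digit strings do not trigger it), and an action; the most severe action among the matching rules is applied to the message. The rule set, the action names and the sample messages are assumptions constructed for this example.

```python
"""A minimal content-rule engine of the kind a DLP email gateway applies.

Added example, not from the original report. The rules, validators, action
names and sample messages are assumptions made up for this example.
"""
import re


def luhn_valid(digits):
    """Luhn checksum: filters out digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _card_validator(match_text):
    return luhn_valid(re.sub(r"\D", "", match_text))


# Data definitions -> action. Severity order: allow < quarantine < block.
RULES = [
    {"name": "ssn", "pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
     "validator": None, "action": "block"},
    {"name": "card", "pattern": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     "validator": _card_validator, "action": "block"},
    {"name": "confidential", "pattern": re.compile(r"\bconfidential\b", re.IGNORECASE),
     "validator": None, "action": "quarantine"},
]
ACTION_RANK = {"allow": 0, "quarantine": 1, "block": 2}


def scan_message(text, rules=RULES):
    """Return (action, hits) where hits lists (rule name, matched text).

    The most severe action among all matching rules wins, so one leaked card
    number blocks the mail even if the rest only warrants quarantine.
    """
    hits = []
    action = "allow"
    for rule in rules:
        for m in rule["pattern"].finditer(text):
            value = m.group(0).strip()
            if rule["validator"] is not None and not rule["validator"](value):
                continue   # pattern matched but the data definition was not satisfied
            hits.append((rule["name"], value))
            if ACTION_RANK[rule["action"]] > ACTION_RANK[action]:
                action = rule["action"]
    return action, hits


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a commonly used card test number.
    for msg in [
        "Hi, the card is 4111 1111 1111 1111, thanks",
        "Order ref 1234 5678 9012 3456 shipped",
        "Quarterly numbers attached, marked CONFIDENTIAL",
        "My SSN is 123-45-6789",
    ]:
        print(scan_message(msg))
```

The second sample message shows why the validator matters: the order reference has the shape of a card number but fails the Luhn check, so the mail is allowed rather than blocked, which keeps false positives (and the user pressure to disable the control) down.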
Human factors are also important to consider, as user behaviour can have a great impact on the security of systems, which was also the case with Yahoo (Ponemon Institute, 2012). One way would be to sufficiently educate users about security threats, risky behaviour and protection measures. Certain precautions can also be taken on the user end, such as using strong authentication passwords, varying passwords across different accounts, changing passwords often and so on.
Anderson, R. J. (1994). Liability and Computer Security: Nine Principles. CL.
E&Y. (2011). Data loss prevention: Keeping your sensitive data out of the public domain. Ernst & Young.
Engine Yard, Inc. (2014). Security, Risk, and Compliance. Engine Yard.
Just, M., & Aspinall, D. (2009). Challenging Challenge Questions. University of Edinburgh.
MYOB. (2016, September 13). Protecting your confidential information. Retrieved from MYOB: https://myob.com.au/myob/australia/myob-security-recommendations-1257829253909
OECD. (2008). Malicious Software (Malware): A Security Threat to Internet Economy. OECD.
Ponemon Institute. (2012). The Human Factor in Data Protection. Trend Micro.
Stewart, J. N. (2014). Advanced Technologies/Tactics Techniques, Procedures: Closing the Attack Window, and Thresholds for Reporting and Containment. IOS Press.
Stiennon, R. (2013). Categorizing Data Breach Severity with a Breach Level Index. IT-Harvest LLC; SafeNet, Inc.
Stringer, J. (2011). Protecting personally identifiable information: What data is at risk and what you can do about it. Sophos.
TrustSphere. (2012). Advanced Security Methods for eFraud and Messaging. TrustSphere.
Wood, P., Nahorney, B., Chandrasekar, K., Wallace, S., & Haley, K. (2014). Internet Security Threat Report. Symantec Corporation.
Xero. (2016, September 13). Your data is safe with multiple layers of security. Retrieved from Xero: https://www.xero.com/accounting-software/security/