You’ve probably heard this already, but the Yahoo breach is back in the news, and not in a good way. The original breach involved 500 million users. Now comes news of a separate breach that involved more than a billion accounts. This breach happened in August 2013. Let that sink in a moment. If you have an account with Yahoo servers, your information has likely been floating out there for more than three years without you knowing. And there’s more, eSecurity Planet reported:
"Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password," the company stated. "Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies."
We shouldn’t be surprised by the news, Peter Nguyen, director of technical services with LightCyber, told me in an email comment. Data breaches tend to end up worse than we expected because hackers have, on average, five months to do whatever they want before they are discovered. It isn’t until the investigation is in full swing that we truly know the extent of the damage, Nguyen added:
It’s a pure reflection of the most daunting problem for security: most organizations lack the effective means of detecting an active attacker on their network. Security is geared to prevent intrusions or to identify or block an initial intrusion. Today, the reality is a motivated attacker will gain a foothold in a network. That is a certainty.
Chris Roberts of Acalvio summed up my feelings well when he told me via email that the biggest frustration looking at this from the outside with the knowledge we have is simply ‘how the heck did they miss it?’ I’ll add to that – not only how did they miss it, but how did they miss it for so long? These are questions that may never be answered, but Roberts thinks that if there is an answer out there, it should be shared so we can all learn from the mistakes that have clearly been made.
It is doubtful that a breach of this magnitude will be a one-time thing. I’ve spent the past week reading hundreds of security predictions for 2017, and none of them has me thinking that things are going to get better in cybersecurity. No, we should expect it to get worse as the criminals get smarter and our security systems and response can’t keep up. But that shouldn’t mean we give up, of course. One action that we can take, the Sophos security team told me in an email, is this:
Knowing your network baseline and being able to spot abnormal activity is crucial in detecting and preventing data loss. This is also where restricted account privilege, comprehensive auditing, network segregation and aggressive network filtering can play a role. When executed properly, the aforementioned controls should make it exceedingly difficult for an intruder to access and exfiltrate stolen data. Not only do networks need to be difficult to intrude but they also need to be resilient against exfiltration. That means organizations need both preventative controls and comprehensive monitoring.
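The Sophos advice above rests on one concrete capability: a per-host baseline of normal behavior, against which an unusual outbound transfer stands out. The script below is an added illustration of that idea, not code from the article or from Sophos. It assumes a flow log reduced to one record per host and hour giving outbound bytes (the records here are constructed), builds a mean and standard-deviation baseline for each host, and flags an hour whose volume is both several standard deviations above and a multiple of that host's norm.

```python
"""Baseline-and-deviation check for outbound transfer volume.

Added example, not code from the article or from Sophos. It assumes a
flow log with one record per (host, hour) giving bytes sent outbound,
and uses a simple per-host mean/standard-deviation baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (host, hour_index, outbound_bytes).
# Hours 0-5 are the baseline window; hour 6 is the one being checked.
BASELINE = [
    ("db01", 0, 2_000_000), ("db01", 1, 2_200_000), ("db01", 2, 1_900_000),
    ("db01", 3, 2_100_000), ("db01", 4, 2_050_000), ("db01", 5, 1_950_000),
    ("web01", 0, 50_000_000), ("web01", 1, 55_000_000), ("web01", 2, 48_000_000),
    ("web01", 3, 52_000_000), ("web01", 4, 51_000_000), ("web01", 5, 49_000_000),
]
CURRENT_HOUR = [
    ("db01", 6, 40_000_000),   # roughly 20x its norm: worth an analyst's attention
    ("web01", 6, 53_000_000),  # within its usual range for a busy web server
]


def build_baseline(records):
    """Map each host to (mean, population std dev) of its outbound bytes."""
    per_host = defaultdict(list)
    for host, _hour, nbytes in records:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def find_deviations(baseline, records, k=3.0, min_ratio=2.0):
    """Return (host, hour, bytes, reason) for hosts whose outbound volume is
    both k standard deviations above their mean AND at least min_ratio times
    the mean. The ratio floor keeps a host with a very flat baseline (tiny
    std dev) from alerting on trivial changes. A host with no baseline is
    reported too, since "never seen before" is itself abnormal."""
    alerts = []
    for host, hour, nbytes in records:
        if host not in baseline:
            alerts.append((host, hour, nbytes, "no baseline for host"))
            continue
        mu, sigma = baseline[host]
        if nbytes > mu + k * sigma and nbytes >= min_ratio * mu:
            alerts.append((host, hour, nbytes, f"{nbytes / mu:.1f}x baseline mean"))
    return alerts


if __name__ == "__main__":
    bl = build_baseline(BASELINE)
    for alert in find_deviations(bl, CURRENT_HOUR):
        print(alert)
```

The absolute numbers matter less than the comparison against each host's own history: the web server moves far more data than the database host every hour without alerting, while a one-hour jump from the database host is exactly the kind of event the "spot abnormal activity" advice is about. In practice the baseline window would be days or weeks of data, and the thresholds tuned per environment.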
One final note: this might be my favorite piece of advice on steps to take to prevent being a victim of identity theft and data theft, courtesy of Lucian Constantin at PC World:
Don’t save emails you don’t need: Because space is no longer a problem with most email services, users tend to never delete emails. While that’s extremely convenient, it’s not a very good idea, because it allows hackers to easily discover what other online accounts are tied to that address by searching for sign-up or notification emails from various online service providers.
I’m an email hoarder. My new New Year’s resolution is stop that habit and clean out my inboxes. After all, who knows when we’ll get Round Three of the Yahoo breach.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba