It’s not surprising that some Yahoo users have decided to sue the company for negligence over a 2014 breach that was only recently discovered and announced. But before we blame Yahoo for this, we need to understand how hackers accomplish such breaches — and what all of us should be doing better to prevent such breaches.
The reality is that all of us, individuals, businesses and policy makers, have a role to play in keeping us safe, whether it be practicing better cyber safety or passing regulations that ensure the public is notified of breaches so we can respond in a timely fashion.
Hackers wage a sort of asymmetric warfare. Instead of trying to circumvent sophisticated organizational firewalls, most go after soft targets: the employees and customers of the organization. Many use simple spear phishing emails, with links that lead to spoofed login pages that harvest credentials directly, or with attachments carrying malware that opens a backdoor into the organization's network. Such attacks are enormously successful, with victimization rates approaching 30% in some studies, a sobering figure when one considers that the attacker needs just one victim. Other attacks, such as the hack of the U.K. ISP TalkTalk, exploit weaknesses in web forms (SQL injection) to reach the databases that run behind the web pages. Such access is even easier when the attacker has already obtained a website administrator's login through spear phishing.
Making all this worse, attackers using stolen credentials are hard to detect because they look like an employee making legitimate requests. Many lurk in a network for months, moving laterally in search of further weaknesses and exfiltrating data slowly to avoid detection. This is likely why it took Yahoo almost two years to discover the breach, and Yahoo is not alone: on average it takes 200 or more days to discover a breach. And although companies are spending more on firewalls and employee training, most breaches are still discovered accidentally, when an employee chances on something amiss or, as in Yahoo's case, when the hacker puts the data up for sale.
This gap also makes remediation challenging because knowledge of the breach comes long after the information has been used to victimize users. Meanwhile, organizations are reluctant to admit to breaches because of the negative media attention they receive.
And here is where Yahoo could have done more: there is speculation it may have learned of the breach in early August. If we hope to stop such breaches, we must begin by recognizing that no single company or technological “silver bullet” can prevent them. Instead, all of us must work together.
What does that mean in practice?
First, organizations that are the targets of attacks must take the lead by adopting best practices that make it harder for an attacker to enter and move within networks. This need not mean complex, expensive fixes, but simple strategies like the ones outlined by the NSA in its recently published Methodology for Adversary Obstruction. These include: ensuring that administrator accounts do not have Internet access, so that sensitive credentials cannot be stolen through spear phishing; using separate accounts and passwords for everyday users and administrators, so that a stolen user credential does not let an attacker move across the network; enforcing multi-factor authentication, so that a stolen password alone is not enough to log in (for example, a one-time code delivered to a separate device must also be entered); and “salting” (adding random data to) and hashing all stored passwords with a slow, purpose-built password hash, rather than storing them in plain or reversibly encrypted form, so that a stolen password database is expensive to crack rather than immediately usable.
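To make the last of those recommendations concrete, here is an added example (not code from the article or from the NSA document) contrasting the weak practice, an unsalted fast hash, with a per-user salt and a slow key-derivation function. It uses only the Python standard library; PBKDF2-HMAC-SHA256 is one acceptable choice among several (bcrypt, scrypt and Argon2 are others), and the wordlist and record format are constructed for illustration.

```python
"""Salted, slow password hashing versus the unsalted fast hash it replaces.

Added example, not from the article. Standard library only; the wordlist
and the record format are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "yahoo2014"]

# --- The weak practice: unsalted, fast hash ---------------------------------

def weak_store(password: str) -> str:
    """Unsalted MD5. Identical passwords give identical hashes, so one
    precomputed table cracks every user who chose the same password."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_unsalted(stored_hash: str, wordlist=WORDLIST):
    """Build the hash->word table once, then recover any number of
    stolen hashes by lookup. Returns the password or None."""
    table = {weak_store(w): w for w in wordlist}  # one-time precomputation
    return table.get(stored_hash)

# --- The recommended practice: per-user salt + slow KDF ---------------------

ITERATIONS = 100_000  # tune upward until one hash costs ~100 ms on your servers

def strong_store(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user defeats precomputed tables, and the
    iteration count makes every guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(digest)}"

def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records verify as False."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)

def crack_salted(record: str, wordlist=WORDLIST):
    """No precomputed table helps here: each candidate must be re-hashed
    against this record's own salt, paying the full iteration cost every
    time. Returns (password_or_None, number_of_hashes_computed)."""
    for i, w in enumerate(wordlist, 1):
        if verify(w, record):
            return w, i
    return None, len(wordlist)

if __name__ == "__main__":
    print("unsalted md5 of 'password1' cracked to:",
          crack_unsalted(weak_store("password1")))
    rec = strong_store("password1")
    print("salted record:", rec)
    print("verify correct:", verify("password1", rec),
          " verify wrong:", verify("password2", rec))
    print("salted crack needed", crack_salted(rec)[1], "full KDF runs")
```

Note that two calls to `strong_store` with the same password yield different records, which is exactly the property the salt buys: an attacker who cracks one user's hash learns nothing about any other user with the same password, and cannot reuse work across the stolen database.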
But it is not just up to organizations; every one of us needs to do our bit. This must start with checking whether our credentials have turned up in known breaches on sites like “Have I Been Pwned,” which index stolen credentials, and changing those logins right away. Each of us must work on developing better cyber safety: learning to recognize and handle spear phishing emails; enabling multi-factor authentication wherever it is available; using strong, unique passwords kept in a password manager; and learning to actively monitor our own devices for suspicious activity, so that a compromise of our devices cannot spread to our organization's network.
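As an added example (not from the article, and not the site's own code), the following shows how a password can be checked against a breach corpus such as Have I Been Pwned's Pwned Passwords service without ever sending the password or its full hash: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally against the returned range. The `fetch_range` callable and the range response below are constructed sample data standing in for the real HTTP call, so the block runs offline; the breach count is made up.

```python
"""k-anonymity range check for a password against a breach corpus.

Added example, not from the article. The network fetch is stubbed with
constructed data so this runs offline; the count is made up.
"""
import hashlib

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()

def split_for_range_query(password: str):
    """Return (prefix, suffix). Only the 5-character prefix leaves the
    device; the remaining 35 characters are compared locally."""
    h = sha1_upper(password)
    return h[:5], h[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (the range-response format) into a dict.
    Blank or malformed lines are skipped rather than failing the check."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 if unseen).
    fetch_range(prefix) returns the range body for that 5-char prefix."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the network call. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 returns a
# body containing its suffix; every other prefix returns an empty range.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",   # "password", made-up count
        "0000000000000000000000000000000000A:2",      # unrelated constructed entry
        "",                                           # blank line, skipped
    ]),
}

def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGES.get(prefix.upper(), "")

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "seen", breach_count(pw, fake_fetch_range), "times")
```

If the count is non-zero the password has already been exposed and should be retired everywhere it was reused; a zero only means the corpus has not seen it, not that it is strong.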
Finally, policy makers must focus on improving the breach remediation process. While most states have passed breach notification laws, policies on breach remediation remain open-ended. Simply notifying people or asking victims to change their passwords, as Yahoo just did, or providing credit monitoring as Target and others did, does little to contain the reputational damage to individuals from an information leak. Imagine the stigma if the health records of the 80 million victims of the Anthem breach were ever released. Once released, such information ends up in searchable databases, victimizing people indefinitely. Here the EU has been more proactive, with a court ruling in favor of a “right to be forgotten” online that lets EU citizens ask search engines to delist results about them. Perhaps it is time we considered this, too.