Unless you’ve been living under a rock, you’ve heard that Yahoo has been in serious hot water lately. Two isolated breaches, disclosed separately from one another but totaling an impact of almost 1.5 billion users has caused a major blow to the tech giant’s reputation; so much so that Yahoo’s sale to Verizon is now slated to close even later in the year.
Given that it seems similar incidents are happening at an alarming rate, almost daily, the question should no longer be, “How can I avoid the breach?” but rather, “How can I protect myself and minimize the damage quickly and efficiently?”
According to the 2016 Verizon Data Breach survey, 63% of confirmed data breaches involved weak, default or stolen passwords. Although staggering, this number should come as no surprise to anyone, especially in light of these two Yahoo breaches. The company publicly stated that user account information, which may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, was exposed. What also compounds the impact of this (or any other) breach is the fact that users consistently leverage similar or even the same passwords for multiple online accounts. In a world that could benefit from a little simplicity, end-users are logging into their Yahoo, iTunes, Facebook and even online banking accounts with the same password. Plus, with “social login” users can leverage their Yahoo account to log into other portals. While these practices might make life easier, the potential security risk associated with this kind of behavior is too high to avoid. Just ask Yahoo!
It’s important to keep in mind that if the hackers involved in both Yahoo breaches stole usernames and passwords, they could leverage this information with social engineering tactics to access additional, much more sensitive online identities.
This poses the question of what can we do to protect ourselves? The first and most obvious is to stop using the same and/or similar passwords for online accounts. Unfortunately, as mentioned earlier, this is a lot easier said than done when it comes to wanting simplicity. Second, users should never allow a website to save a password for access. This best practice may add a small amount of inconvenience, but truly yields significant security gains. The third practice is to incorporate two-factor authentication wherever possible.
Two-factor authentication is the practice of requiring additional assurance that a user is who they say they are when logging on. A password (the first factor) is something a user knows, while the second factor would be something a user has — the methodology behind this practice is similar to an ATM card and a PIN code. The most common, and easiest to implement type of two-factor authentication is called the one-time password (OTP). With OTP, after entering a password, the resource a user is trying to access will ask for the second factor – a random six or eight digit number that is generated by a hardware or software token in the user’s possession. The addition of the random number is the one-time password making it very difficult to hack into the account at a later date. Even if the hacker has the username and password, they cannot get in without OTP.
These precautions are not simply intended for the user, but for the enterprise, as well. Wide-scale, impactful breaches have an enormous affect not only on the reputation of the organization but also to the bottom line. The latest breach disclosure by Yahoo is already impacting considerations made by Verizon Communications — as the breach had materially diminished the value of Yahoo, Verizon requested a renegotiation of the terms of the contract in which they agreed to buy Yahoo for $4.8 billion, and more recently, reported that the close has been pushed to later in the year than expected.
The anatomy of a breach is simple: compromised passwords are used to gain initial access, thereafter through escalation techniques, the hacker elevates privileges until they can use administrator credentials to gain access to the sought-after sensitive data. Securing greater control over logging in (via two-factor authentication), and the increased monitoring of privileged accounts can help to mitigate risk and reduce the attack surface. Eliminating the sharing of privileged accounts, monitoring what administrators do with those credentials, and implementing a “least privilege” model where admins are only issued the rights necessary to do their job – are best practices that every security administrator must consider, nothing more, nothing less.
While there is not enough information about the Yahoo breaches to determine if two-factor authentication could have stopped the attack or if weak privileged account management was at fault, there is no question that these technologies and practices certainly have, and could help, in similar future breaches.
I would urge organizations to look into two-factor authentication solutions and privileged account management. If you are not sure where to start you can watch this Randy Franklin Smith webinar that talks about the 9 technical requirements for doing two-factor authentication right the first time. In the meantime, Yahoo users can turn on 2 two-step verification for their accounts by following these instructions, and if you’re interested in learning whether or not your email address has been breached, you can get a quick answer from this site: https://haveibeenpwned.com/.