Aside from the numbers involved making the Yahoo! Mega breach of 500 million accounts the biggest of all time, the other reason it will stick in people's minds is because of the piecemeal disclosure involved. The breach itself took place two years ago in 2014 with some news stories surfacing in August about account details being up for sale, after which all went quiet until the story that Yahoo! was “expected to confirm a breach” preceded a formal confirmation a day later in late September.
The finer details have yet to emerge but there have been allegations that a hacker called Peace informed the company back in August that he intended to sell the data on the Real Deal dark website. According to reports, this then led to the discovery of probe attack and the wider breach almost as if it was discovered by chance. So why did Yahoo! not come clean at the time?
It's unclear whether this unorthodox partial disclosure was a bid to cushion the blow to the company reputation or limit the damage to the merger with Verizon, which is now liable to come under scrutiny from the SEC. But it certainly didn't impress either the half a billion customers affected or the IT industry who were left asking why the company had failed to detect the breach in the first place and why it was then so slow to disclose.
Of course, Yahoo! is not the first casualty of the mega breach. It joins the likes of TalkTalk, Target, and Ashley Madison, etc but there are some commonalities between these; lessons which we can all learn from and as a business you don't need to be a behemoth for these to resonate. So where did these corporations who built their livelihoods off of tech go wrong?
Firstly, there's the detection process itself. Many of these organisations simply weren't aware of what was happening on the network or with their data. Talktalk initially had trouble discerning the numbers involved (it originally quoted all four million customers could be affected but this was later revised to 157,000 users) and stated it was “too early to know exactly what data has been attacked”. Better data discovery and better communication would have allowed that information to have been almost instantly accessible, damage mitigated and the user base reliably informed.
Secondly, there's an overreliance upon defence rather than action. In the case of the Yahoo! breach, there seems to have been little evidence of intelligent threat detection. This would have spotted the anomalous behaviour associated with a probe attack and escalated it for attention. In addition, monitoring dark web sites in the deep web for evidence of Yahoo! user account details and credentials would have flagged the data being sold by Peace back in August, again raising the red flag.
Thirdly, there's the matter of security practises. Ashley Madison assured its customers their data was encrypted when in reality, of the 32 million accounts compromised, 15 million user accounts were crackable (a team calling itself CynoSure Prime reportedly cracked these in 10 days). Failing to adequately salt and hash passwords is therefore a real issue but it doesn't offer complete protection. Given enough time and resource even these can be compromised which is why, in the wake of the Yahoo! breach, Yahoo! BT and Sky users have all been urged to change their passwords.
Finally, and perhaps most critically, these mega breaches demonstrate a disregard for security as an integral part of the business. From Marissa Mayer allegedly knowing about the breach in August to Ashley Madison management refusing to acknowledge the threat posed by The Impact Team's intention to publish to Dido Harding's lack of understanding of the incident response process, there's still a clear disconnect between the board and the technical teams charged with overseeing the security of this data.
And that means the security industry itself is in some way culpable for failing to join up the two. We've perpetuated an isolationism that has failed to communicate the value of this data and the threat detection and monitoring techniques available for governing its safety. We're not helping these businesses implement the digital forensics they need and because of that there's a yawning chasm between detection and disclosure. So until we can create that process, and get the board onboard with security as a business process, mega breaches will keep on happening.
Contributed by James Henry, consulting practice manager, Auriga