Last week, Yahoo confirmed at least 500 million user accounts were compromised by a data breach in 2014.
The attack was the largest security breach ever disclosed to the public, revealing customers’ names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers.
The extent of the damage is still not fully known. Already some customers are closing accounts out of anger and concern for their security. And there is concern the hack could disrupt Yahoo’s pending $4.8 billion sale to Verizon. Yahoo is also in hot water over speculation that the hack was not handled correctly internally. On Monday, Sen. Mark Warner, D-Va., asked the U.S. Securities and Exchange Commission to look into whether Yahoo properly notified investors and the public about the incident.
Countless other businesses could be impacted by the data breach. As CNET pointed out, many of AT&T’s customers use Yahoo to manage their accounts.
Currently, the FBI is investigating the hack. Neither the party responsible nor the method of infiltration has been discovered to date. According to Yahoo, the hack was perpetrated by a “state-sponsored actor,” or someone acting on behalf of a government organization. The company has not yet offered any proof to support this allegation.
To many people, the accusation was puzzling.
One person who disagrees with Yahoo’s claim is cybersecurity expert Dr. Chase Cunningham (CPO USN Ret.), director of Cyber Operations at A10 Networks.
“There is a possibility that someone at Yahoo was a malicious insider, and a nation state actor,” Dr. Cunningham stated. “However, I’ve worked in intelligence for the better part of 15 years, and this does not ring like a state-sponsored attack—unless [the hack] was affiliated with Russian cybercrime or an intelligence service.”
As Dr. Cunningham pointed out, the information gleaned from this type of hack is typically of no interest to a nation-sponsored group. “Nation states are out to steal intellectual property,” he explained. “They are looking for really valuable information.”
So, if a state-sponsored actor is unlikely to be the source, then where did the hack originate? Was it someone with a hand in the Verizon deal, who wanted to disrupt the sale? Was it a rogue hacker, looking to disrupt Yahoo and uncover juicy information? Or did the attack come from a sophisticated network of cybercriminals who were looking to turn a profit?
We may never discover the true source. The Yahoo hack could have originated from any person or group, for any number of reasons.
One thing is certain: The attack was successful. And it proves that the Internet is a vast and dangerous landscape where many different actors—like military groups, enterprises, criminal organizations and independent hackers—are all vying for control.
As Dr. Cunningham put it, the Internet today is a live battlefield. When you use cyberspace, you are sharing it with all of the above-mentioned parties—many with hostile purposes for being there.
Consequently, staying safe on this cyber battlefield is a trick and a half. Last year, 80 percent of organizations were victims of cyberattacks. In fact, there’s a good chance that hackers are already inside of your network, silently collecting data and looking for an opportunity to strike.
The threat landscape, in other words, is beyond control at this point.
“It’s very much like viral biology,” explained Dr. Cunningham. “Almost everyone is a carrier of a virus of some sort, whether or not they are affected by it. All of us have organisms in our bodies which are doing things they aren’t supposed to be doing. Likewise, just about every organization that touches the Internet is going to have some kind of infection in it.”
So what, then, is a business supposed to do? Give up and let cybercriminals have a field day with their private data?
“You can’t stop all of the attacks that come your way,” Dr. Cunningham explained. “You just have to protect yourself more than the company next to you.” Simple technologies like biometric security solutions and password managers can go a long way toward accomplishing that.
“It’s not difficult to make yourself a harder target than someone else,” he said. “If you are using a password manager and two-factor authentication, for instance, you’re going to have longer passwords and varied passwords for different accounts--as well as a second factor for authentication when someone tries to access a corporate resource. If you take these steps you can basically nullify the vast majority of threats.”
Dr. Cunningham added that implementing and using these technologies is not difficult.
“It’s not rocket science,” he said. “It just requires paying attention to the technologies that are available and using them in the way they are supposed to be used. If you do these things, you will gain a powerful presence online. And hackers will find an easier target to attack.”
Dr. Cunningham also offered some practical tips for Web safety:
Hold employees accountable: Make a list of cybersecurity best practices, and then enforce them.
“Government and military intelligence agencies are known for holding people accountable for digital security,” Dr. Cunningham pointed out. “It doesn’t matter if you are a one-star general or a three-star admiral. If you are the person in charge of a system and that system gets compromised, someone will burn for it. Everyone knows this, so they work extra hard to take care of their systems. They take it very seriously.”
Dr. Cunningham feels that one of the unfortunate things about the Yahoo hack is that punishment for any one particular individual or party is unlikely.
“Five hundred million accounts were compromised,” Dr. Cunningham lamented. “Who will be accountable for this? Nobody. It’s just one of those things that will be in the news but nothing will actually change.”
Know your assets: Understanding what is happening across all areas of the network is imperative to keeping hacks from occurring. “Shadow IT” is one of the biggest threats to corporate security. IT managers need to have 100 percent visibility into resources and assets across all departments.
Train your employees: Give your employees proper cybersecurity training—and make sure it’s comprehensive enough so that employees understand what’s actually at stake. A lot of the training material that is circulating today is old and unrealistic.
“For instance, don’t simply send someone a PowerPoint presentation on why ransomware is bad,” Dr. Cunningham said. “Use phishing exercises and show what happens when you lock a computer down with ransomware.”
Remember: You can’t prevent hackers from targeting your company. But you can deter them. And if you take the proper precautions, you could avoid the mess that Yahoo is in right now.