Complex Made Simple

Why did it take 700 days to discover the Yahoo account hack?

By Eric Eifert


On Thursday, September 22, 2016, Yahoo confirmed that hackers stole the personal data associated with at least 500 million Yahoo accounts. Details including names, passwords, email addresses, phone numbers and security questions were taken from the company’s network in late 2014 by what is believed to be a state-sponsored hacking group.


The company is investigating the breach with law enforcement but currently believes that credit card or bank details were not included in the stolen data.


Yahoo has invalidated affected users’ security questions so that they can’t be used to access accounts.


Earlier this summer Yahoo announced it was investigating a data breach, but at the time thought just 200 million user accounts were affected.


Cyber Security Life-Cycle

In the immediate aftermath of this reported breach, I advise Yahoo users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they utilise the same or similar information used for their Yahoo account.


The most troubling aspect of this incident, beyond the fact that the personal details of hundreds of millions of users were compromised, is the news that the breach in fact occurred in 2014, and yet the public is only learning the details of it now. It can be presumed that Yahoo itself was unaware of the breach for many hundreds of days, which gave the malicious party access to confidential data for an extended period as it operated undetected within Yahoo’s networks.


The risk of the breach occurring, or at the very least going undetected for such a length of time, could have been limited had Yahoo followed the Cyber Security Life-Cycle, which incorporates planning, detection, protection, and recovery of digital information.


In order to adhere to the Life-Cycle, Yahoo would have needed to understand its risk profile before initiating a cyber security management and mitigation exercise. That exercise would have given it an understanding of all its digital assets, the full range of threats it may face, its vulnerabilities to those threats, and how best to protect itself from them.


Threat assessment is often best done by an experienced third party, which is likely to have a much clearer perspective of the risk landscape. Vulnerabilities may arise from a number of different areas, including technology, processes and people. Once the cyber security function of a company has a firm handle on its risk profile, it can move to take appropriate mitigation measures.


Mitigation is a three-part process encompassing visibility, intelligence and integration.


Visibility means truly understanding the configuration of a company’s network and most importantly who has access to it. It’s a simple truth that one can’t protect what one doesn’t understand; a thorough audit is vital at the start of any mitigation process. Sophisticated mapping software can certainly accelerate this process, but ultimately a comprehensive audit requires people on the ground to ask the right questions and find the location of servers and access rights.


Intelligence relates a system’s characteristics to the known threats and its vulnerabilities in relation to them; it takes the threat intelligence gathered in the risk assessment process and relates it to the specifics of the company’s system.


Integration aggregates the information found in the first two phases and displays it in a format that decision makers can readily understand, enabling them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion.
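The three steps just described, worked through on constructed data as an added example (this is not code from the article or from DarkMatter): an access inventory stands in for visibility, a per-role baseline of normal read volume stands in for intelligence, and a single summary that a decision maker can act on stands in for integration. The account names, roles, thresholds and audit log lines are all constructed for illustration.

```python
"""
Added example: a systematic review of user-store access logs that applies
the visibility / intelligence / integration steps from the article.
Every account name, role, threshold and log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Visibility: constructed inventory of accounts allowed to read the user-record store.
ACCESS_INVENTORY = {
    "svc-mail-sync": "service",
    "svc-backup": "service",
    "alice": "analyst",
}

# Intelligence: constructed baseline of reads per hour considered normal for each role.
BASELINE_READS_PER_HOUR = {
    "service": 500,
    "analyst": 50,
}


def build_sample_log() -> str:
    """Constructed audit log, one line per read: '<ISO timestamp> <account> READ user_id=<id>'."""
    lines = []
    # svc-backup: 120 reads in one hour, within its service baseline.
    for i in range(120):
        lines.append(f"2014-11-03T02:{i // 60:02d}:{i % 60:02d}Z svc-backup READ user_id={1000 + i}")
    # alice: 80 reads in one hour, above the analyst baseline of 50.
    for i in range(80):
        lines.append(f"2014-11-03T03:{i // 60:02d}:{i % 60:02d}Z alice READ user_id={2000 + i}")
    # An account that appears in the log but not in the access inventory.
    lines.append("2014-11-03T03:10:00Z unknown-acct READ user_id=3300")
    return "\n".join(lines)


def parse_log(text: str):
    """Parse log lines into (timestamp, account, user_id) tuples, skipping non-READ events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, field = line.split()
        if action != "READ":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, field.split("=", 1)[1]))
    return events


def review(events, inventory, baseline):
    """Integration step: per account, compare peak hourly reads with the role baseline
    and flag accounts that are either unknown or above their baseline."""
    reads_per_hour = defaultdict(lambda: defaultdict(int))
    distinct_records = defaultdict(set)
    for ts, account, user_id in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        reads_per_hour[account][hour] += 1
        distinct_records[account].add(user_id)

    findings = {}
    for account, buckets in reads_per_hour.items():
        role = inventory.get(account)
        peak = max(buckets.values())
        if role is None:
            flagged, reason = True, "not in access inventory"
        elif peak > baseline[role]:
            flagged, reason = True, f"{peak} reads/hour exceeds {role} baseline of {baseline[role]}"
        else:
            flagged, reason = False, "within baseline"
        findings[account] = {
            "role": role,
            "peak_reads_per_hour": peak,
            "distinct_records": len(distinct_records[account]),
            "flagged": flagged,
            "reason": reason,
        }
    return findings


def format_report(findings) -> str:
    """One line per account, flagged accounts first, for a decision maker to read."""
    rows = sorted(findings.items(), key=lambda kv: (not kv[1]["flagged"], kv[0]))
    out = ["account         role      peak/hr  records  status"]
    for account, f in rows:
        status = "FLAG " + f["reason"] if f["flagged"] else "ok"
        out.append(f"{account:<15} {str(f['role']):<9} {f['peak_reads_per_hour']:>7}  "
                   f"{f['distinct_records']:>7}  {status}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(review(parse_log(build_sample_log()), ACCESS_INVENTORY, BASELINE_READS_PER_HOUR)))
```

The baseline is deliberately the weakest part: a real one is derived from observed history per role and per time of day, and the report should be produced on a schedule rather than once, because the point of the article is that a quiet, long-running read of user records is exactly what goes unnoticed when nobody aggregates the logs.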


I recommend that companies such as Yahoo adopt a pro-active approach to cyber security in which they assume a state of breach. With that assumption, the defences and mitigation mechanisms are already in place to detect any cyber security incident as it occurs and to minimise the disruption it causes.


Eric Eifert is Senior Vice President of Managed Security Services at DarkMatter. He has built, operated, and managed Security Operations Centres in multiple geographies, including for the U.S. Department of Justice, U.S. Federal Bureau of Investigation, U.S. Department of Agriculture, and U.S. House of Representatives. Eric was also previously Programme Manager for the U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) programme.


(The views expressed in this article are the author’s own and do not necessarily reflect AMEinfo’s editorial policy)