Don’t look now!


18 October 2016

Paul Hearns

What’s worse than discovering a data breach? Someone telling you that you’ve been breached!

What’s worse than even that? Well, how about being the victim of the largest data breach in history?

Yahoo has confirmed that a 2014 data breach saw some 500 million user details stolen. These details are thought to have included names, email addresses, telephone numbers, and hashed passwords, Yahoo said.

The bombshell came as various commentators, including well known security bloggers, touted rumours of an imminent announcement ahead of Yahoo’s official confirmation.

However, after looking past the initial shock of sheer volume of data stolen, what emerges is even worse.

Touted booty
Yahoo began an investigation after it became aware of a hacker calling himself peace_of_mind touting a cache of some 200 million Yahoo user details on the black market. On investigation, it appeared to have been a haul from a hack in 2012. But the investigation revealed that a hack in late 2014 had yielded the 500 million user records.

One can only imagine what that discovery conversation was like. To suspect that you were hit for 200 million records, only to discover a more recent breach that is more than double must surely have been quite the report to make!

While some may be incredulous that these two breaches, which may yet be entirely unconnected, occurred at all, the pattern is, unfortunately, all too familiar.

The Verizon Data Breach reports have, year on year, built a picture of how breaches are discovered, by whom and, critically, how long they take to execute and discover.

The results are sobering to say the least.

In the 2016 report, covering incidents in 2015, 84% of breaches took mere days from initial probe to compromise, while many were measured in minutes. However, of those incidents, only 22% had a time to discovery that was measurable in days, and the trend for both metrics is worrying too. The former is rising sharply; the latter is rising only slowly.

Though the metric is not stated in the same way, in the 2015 report referring to 2014 incidents, the median number of days hackers were in a system before discovery was 205. This was down from 243 in 2012 and 229 in 2013.

In terms of discovery agents for 2015, law enforcement was the most common, at 40%, followed by third parties (35%) and fraud detection systems at around 15%. Internal discovery ranked at just 10%! So, well done Yahoo for beating the odds there.

In terms of vectors for ingress, hackers are still targeting servers (38%), but this is falling significantly. The major upward trends are in user device hacking (35%) and person hacking (22%).

The clear implication for all of this is that hackers are not only finding ways in to get at data, they are spending significant amounts of time there, are more than likely only found out after the fact and more often than not, are not found out at all by the victim.

As we are documenting in our feature this month on adaptive security, old ideas of security are simply not commensurate with the current capabilities of hackers.

Hackers, once inside a system, seem to be able to roam about freely and unfettered, gathering data like mushrooms in a field.

As was the case in the Target breach, proper network segregation would prevent such freebooting, denying access to the crown jewels. The days of allowing all network traffic, back and forth between all areas is long gone. Segregation and the notion of only what is needed is an absolute must. Also, internal firewalls, not just network configuration, are needed to enforce this.

East-west traffic monitoring is a necessity, not just north-south. Monitoring traffic between network segments gives admins the ability to track anomalous or malicious traffic within the network. Whether it is a compromised machine trying to infect others, or a payload trying to exfiltrate your critical data, the fact remains: if it isn’t being monitored, it isn’t being mitigated.

But the monitoring is not the same as might have been used in the past. This is not simple SNMP or heartbeat tracking. New solutions are emerging to listen and learn to develop a reference framework for “normal”. Once this is established, anything anomalous, unusual or suspicious can be easily identified, tracked and stopped before it can do damage.
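As an added illustration of the approach described above (not code from the article or any product it mentions), the following Python sketch learns a baseline of “normal” east-west traffic between internal segments from a constructed set of flow records and then flags two things: a flow on a segment/port path never seen before (a possible lateral move) and a flow on a known path whose volume is far above the learned profile (a possible exfiltration). Segment names, ports and byte counts are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_segment, dst_segment, dst_port, bytes_out).
# A learning window of "normal" east-west traffic between internal segments.
BASELINE_FLOWS = [
    ("web", "app", 8080, 12_000), ("web", "app", 8080, 15_000),
    ("web", "app", 8080, 11_500), ("app", "db", 5432, 40_000),
    ("app", "db", 5432, 38_000), ("app", "db", 5432, 42_000),
    ("ops", "app", 22, 3_000), ("ops", "app", 22, 2_500),
]

# Later traffic to evaluate against that baseline (also constructed).
NEW_FLOWS = [
    ("web", "app", 8080, 13_000),   # normal
    ("web", "db", 5432, 9_000),     # web tier talking straight to db: unseen path
    ("app", "db", 5432, 41_000),    # normal
    ("app", "db", 5432, 900_000),   # known path, but roughly 20x the usual volume
    ("db", "web", 445, 5_000),      # db reaching back to web over SMB: unseen path
]

def build_baseline(flows):
    """Learn which (src, dst, port) paths are normal and their byte-volume profile."""
    sizes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        sizes[(src, dst, port)].append(nbytes)
    return {path: (mean(v), pstdev(v)) for path, v in sizes.items()}

def detect_anomalies(baseline, flows, zscore_limit=3.0):
    """Flag flows on unseen paths (lateral movement) or with outsized volume (exfil)."""
    alerts = []
    for src, dst, port, nbytes in flows:
        path = (src, dst, port)
        if path not in baseline:
            alerts.append((path, "unseen east-west path"))
            continue
        avg, sd = baseline[path]
        # Floor the spread at 10% of the mean so a very steady path is not over-sensitive.
        limit = avg + zscore_limit * max(sd, avg * 0.1)
        if nbytes > limit:
            alerts.append((path, f"volume {nbytes} exceeds baseline ({avg:.0f} +/- {sd:.0f})"))
    return alerts

if __name__ == "__main__":
    for path, why in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(path, why)
```

In practice the baseline would be fed from flow logs (NetFlow, VPC flow logs, internal firewall logs) and re-learned continuously; the point here is that unseen paths are as interesting as volume spikes.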

In fact, there is also an interesting new product from a company called Terbium Labs. Its MatchLight product creates hashes or fingerprints of your critical data and then scans the Web for data that creates similar hashes to determine if your crown jewels have been half-inched (pinched) and touted on the Internet. While this may be a stable door and bolted horse situation, it still gives organisations an important leg up to know if data has been lifted, rather than wait for that call from law enforcement or a customer to tell you the terrible news.
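To make the fingerprinting idea concrete, here is an added Python example (my own illustration, not MatchLight’s method or code) that builds keyed one-way fingerprints of a constructed list of watched records and checks a constructed sample of paste text against them. The simplification assumed here is exact matching of normalised values rather than the similarity matching the product description implies; the record list, dump text and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: records an organisation wants to watch for (here, customer e-mails).
CRITICAL_RECORDS = ["Alice@Example.com", "bob@example.com ", "carol@example.org"]

# Constructed sample of text found in a public paste (not real data).
FOUND_DUMP = """
leaked accounts:
alice@example.com:hunter2
dave@nowhere.test:password
BOB@example.com:letmein
"""

# Constructed key. In practice a secret held only by the data owner, so that
# fingerprints handed to a scanning service cannot be reversed by guessing.
FINGERPRINT_KEY = b"example-only-secret"

def normalise(value):
    """Canonicalise a value so trivial case/whitespace differences still match."""
    return value.strip().lower()

def fingerprint(value, key=FINGERPRINT_KEY):
    """Keyed one-way fingerprint of a normalised record (HMAC-SHA256)."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()

def build_fingerprints(records):
    return {fingerprint(r) for r in records}

def scan_dump(fingerprints, dump_text, key=FINGERPRINT_KEY):
    """Return the watched fingerprints that appear in the dump.
    Only hashes are compared, so the scanner never needs the plaintext records."""
    hits = set()
    for line in dump_text.splitlines():
        for token in line.replace(":", " ").replace(",", " ").split():
            fp = fingerprint(token, key)
            if fp in fingerprints:
                hits.add(fp)
    return hits

def leak_ratio(records, dump_text):
    """Fraction of watched records found in the dump (0.0 to 1.0)."""
    fps = build_fingerprints(records)
    return len(scan_dump(fps, dump_text)) / len(fps)

if __name__ == "__main__":
    print(f"{leak_ratio(CRITICAL_RECORDS, FOUND_DUMP):.0%} of watched records found")
```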

Going back to the Yahoo situation, this breach could have serious implications. Not only has the share price taken a bit of hammering, from a $44.71 peak in early September, to a current low of $42.23, there are also fears that the proposed Verizon bid of $4.8 billion (€4.28 billion) for its core internet business could be stalled by the revelation.

Financial outlet Fortune has speculated that Verizon could cite irreparable damage to the brand as a means of getting out of the agreement to buy the Yahoo business. At the very least, Verizon could use the disclosure to renegotiate elements of the deal, including the price. There is also speculation that Yahoo knew about the breach for some time before it informed Verizon, despite the agreement being in place.

The lessons from all of this are clear. Know what your major risks are for your sector, company size and market. Know your vulnerabilities in terms of your systems, platforms and usages. Have the appropriate systems in place to properly segregate and monitor network traffic. Protect against the most likely threats and be at least aware of the others, but know that the hackers will get in if they really want to. But most of all, be prepared for what happens afterward, as even the biggest and best can be hit, hacked and hung out to dry, even at the most inopportune times.
