It has only been a few short months since Yahoo announced the largest data breach to date of, at the time, over 500 million accounts. Since then, forensics experts have been combing through scores of data and logs at Yahoo and discovered 1.5 billion accounts were compromised in 2013. Pause to let that soak in for a minute. Billion… This by far is the most staggering breach in history - not just because of its scale, but also because of the fact that it took three years to identify the threat, and was really only discovered because of the push for Yahoo to dig into the incident after the last breach (according to a post by BeyondTrust, a provider of account management and vulnerability management solutions).
Yahoo has suffered immeasurable consequences and aftershocks for its negligence, but there are lasting negative side effects for customers as well. The data that was stolen and compromised in the breach could potentially be used in future attacks. So, the whole thing sparks an even bigger question - what are we as mere mortals supposed to do in the face of such dismal odds?
Scott Carlson, technical fellow at BeyondTrust, offers a few points of insight and a few simple but prudent tips for businesses and consumers alike. “Now more than ever companies need to protect themselves when other companies are compromised,” says Carlson. “We all know users reuse passwords and we can almost guarantee that the answers to users’ internal secret questions are the same as their personal secret questions.”
Carlson goes on to explain more about why users should never reuse passwords, and how this “lazy” factor is a glaringly obvious crack in the security wall. He states that for the vast majority of users, convenience will always trump security. This is just one example, of course, but massive incidents like the Yahoo breach just underscore the importance of having a bulletproof data privacy and security strategy in place.
According to a recent survey by HyTrust, a cloud and virtual workload security provider, 28 percent of organizations do not encrypt their data in a public cloud. In addition, and perhaps even more jaw-dropping, HyTrust’s latest government cloud survey reveals that 20 percent of government agencies do not encrypt data in a public cloud environment. A breach as significant as the Yahoo hack should be a wake-up call, prompting organizations to verify that the right technology and policies are in place - in either a private or public cloud - so that critical data cannot slip into the wrong hands unnoticed.
So, what are the best practices partners need to remind their customers of in the wake of this nightmare? Here are a few pointers from our pals at BeyondTrust:
- Do not re-use passwords for work, home, banks or social media accounts. If one password is compromised (e.g. Yahoo), it can be used at other web sites to compromise your identity. Use unique passwords for everything and never the same ones for work and home.
- Avoid social media games that ask personal questions. Facebook games and posts that ask you to share what city you were born in and what your first car was are a dead ringer for common security questions. If you answer them, you are potentially sharing your security questions with everyone. These can be used to reset passwords and just generally wreak havoc.
- Turn on two-factor authentication for signing into websites from new devices. If the web service offers to send you a code via email or even text to validate a new logon, do it. While SMS texting isn’t exactly recommended by security experts, it still provides a better security layer than just a traditional username and password. Two-factor authentication is of course ideal, but this extra step can stop a hacker from re-using compromised credentials.
- Vigilance. While financial records are the obvious goal of most attacks, medical records and other sources of data can be just as valuable, as evidenced by some of the major recent healthcare attacks. Fraudulent billing and phishing attacks can result from compromised data. Keep an eye on all your financial accounts, medical records and bills, and suspicious emails.
Sort of in the same vein, we now take a dive into several statistics regarding the perception of Americans towards cyber-attacks. Following the Yahoo announcement and the news that Russian hackers allegedly aided Donald Trump in the presidential election, you’d think we’d all be scurrying around implementing every security trick and tactic in the book. Not exactly.
According to findings from a recent survey conducted by ReportLinker, Americans don’t seem particularly concerned with cyber-attacks. In fact, 55 percent of us say that we feel our data is safe from hackers. However, two-thirds of the survey participants agree that cyber-attacks are more of a threat now than they were five years ago. Wait a second…
There are certainly plenty of factors out there that are likely skewing perceptions. For example, awareness is on the rise largely because of the high-profile data breaches at well-known companies. Obviously it’s not just corporate servers that are at risk, but again, it comes back to perception. Americans may feel less vulnerable to attacks and less threatened by hackers because they think they’re too small a target - especially when stacked up against a Yahoo or Dynamic Network Services (DNS). More than a third of survey respondents believe hackers mostly target the government. Forty-six percent of 45-to-54-year-olds and 39 percent of folks 65 and older believe corporations are the primary targets for hackers.
Regardless of perception, Americans are going to need to shift their way of thinking, and quickly. Whether we like it or not, with more and more information in the cloud and the rapid expansion of the Internet of Things (IoT), privacy is becoming a heck of a lot more unsteady and uncharted. Clearly, we desperately need to do more to protect ourselves.
This poses an interesting threat to the channel as well. Stu Sjouwerman, CEO of KnowBe4, elaborates on these and other types of security challenges moving forward. “Channel partners will play a more critical role and be relied upon by many organizations to add extra layers of security to prevent [these sorts of attacks],” states Sjouwerman. “As company executives are being held accountable for security breaches, channel partners’ security chops will be given more focus as cybercrime continues to escalate. Defense-in-depth capability will become standard and used to determine which partner to do business with.”
To wrap up the week, The Information Security Forum (ISF) recently came out with their picks for the top four global security threats that businesses will face in the coming year. They are:
- The Internet of Things (IoT) Adds Unmanaged Risks
- Crime Syndicates Take a Quantum Leap
- Government and Regulators Won’t Do It For You
- The Role of the End User – the Weakest or Strongest Link in the Security Chain
Not a terribly surprising list, eh? “The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” said Steve Durbin, Managing Director of the ISF, in an article by Security Magazine. “In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target’s weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments.”
Durbin’s solution? Prepare for the unknown, but do so with an informed threat outlook. “Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high impact security events.” The ISF’s top four threats are not standalone points; they can combine to create “even greater threat profiles.” The list makes a lot of excellent points, but much of it boils down to “stop and think” behavior, which can be applied across all facets - from enterprise titans to some guy named Steve at a Starbucks in South Dakota. From the business and channel side of things in particular, “instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses is to embed positive information security behaviors that will result in habits that become part of an organization’s information security culture.”