By Joey Campione, Managing Director of Opticca Security

Recent confirmations that millions of accounts were compromised in a data breach dating back two years are a great opportunity for us to rethink the importance of Risk Management, as well as the importance of implementing forward-thinking security controls in our businesses and our personal lives.

Yahoo Chief Information Security Officer Bob Lord confirmed in a statement on Yahoo’s Tumblr site that the company had been the victim of a hacker intrusion in late 2014 that accessed at least 500 million accounts, including user names, email addresses, telephone numbers, dates of birth, encrypted and un-encrypted passwords, and security questions and answers that may not have been protected. Although portions of the stolen data were fully encrypted, history tells us that criminals could well have the ability to decrypt and further exploit the victims’ information for financial gain.

The objective of this message is not to position products or services that could have addressed this issue better than the strategy and solutions Yahoo had implemented. I would rather focus on some underlying issues with how a very good portion of small, mid-sized, and large organizations are preparing, planning and managing their security strategies today.

“Prevention” is not the silver bullet

Traditional security measures are failing time and time again. We as a society have been completely misled into believing that prevention, or “locking people out”, will keep us safe. Much like the locks and alarms on our car doors, houses and windows, these controls serve a real purpose; however, we cannot continue to operate under the notion that if our “doors are locked” nobody can get to our valuable assets. From a business perspective we continue to implement firewall protection, endpoint security controls, malware detection and mitigation, encryption solutions, etc. For the most part, we must continue to manage and stay current with the numerous solutions available in the market; we just need to get our heads out of the sand and recognize that “prevention” alone is no longer a sufficient and sustainable information security strategy.

“We are not Yahoo, Twitter, Anthem, LinkedIn…”

The perception that you will not be targeted because your company is not globally recognized or a major corporate brand in today’s world of commerce is a very scary false sense of security. Our firm stresses the importance of awareness and of understanding the realities of the current threat landscape. If we think about this logically, the smaller, less budgeted and less sophisticated organizations need to be even warier, because they don’t have the same resources, skills, budgets and threat intelligence that the more recognizable ones most likely do. To make matters even worse, some of the largest Telcos, Financial Institutions, and Tech giants around the globe are still losing the battle with all the tools, ammunition and skill they have at their disposal.

“Believing you have found THE solution”

Business and security leaders are continuously being solicited and approached by every solution vendor under the sun. Although our firm may contribute to the overall madness we like to refer to as “The Wild, Wild, West”, it doesn’t change the fact that Information Security is an evolution, not a set-it-and-forget-it type of approach. Way too often we encounter business and security leaders who genuinely believe they have finally purchased THE solution and will be adequately protected moving forward. We recommend implementing a framework that is logical and can be supported and adopted by your team. Manage metrics and continuous improvement based on whatever performance indicators make sense for your business. In addition, in order to maximize your security investments, think about the distribution of effort between:

  • Prevention
  • Detection
  • Response

The three categories listed above should be applied to the multiple layers of the IT and corporate environment, with a significant focus on staff, training, applications, mobile devices and data. In addition, we recommend continuous management of the tools, the technology and your staff to help ensure optimal results.

Conclusion

We are all at risk, from the mom & pop shops to some of the largest, most sophisticated organizations. We need to come to terms with this as a first step. Organizations need to embrace today’s realities and make corporate security part of their DNA, across the organization and adopted by staff from all departments, to increase the likelihood of sustainable long-term success.