How to Increase Security Awareness after the Major Yahoo Breach.
Security Awareness Advice for 2017 – after Yahoo Breaches.
Yahoo’s systems have had so many security issues recently it is hard to even keep up with them. Here is a brief timeline:
September 2016: Yahoo announces a hack of data from 500 million + accounts. Important to note that the hack took place in 2014, and Yahoo only now was able to verify it took place.
December 2016: Yahoo announces another hack of data from as many as a billion user accounts, including MD5 hashed passwords, which took place in 2013.
December 2016: Yahoo announces a Cross-Site Scripting vulnerability in Yahoo Mail that would allow an attacker to spread viruses through the accounts of unsuspecting users (now patched).
To read more about this check out these links:
While some security bloggers have been demonizing Yahoo for the attacks I think that misses some of the most important aspects of these events.
Yahoo is not the only large cloud services vendor that has had data breeches, all of the major vendors have reported breaches and it is likely many more have happened that are unreported.
The myth that consumers, and even the IT industry seem to have fallen for is that security awareness and responsibly lies entirely with the product vendor.
That is false.
While it is true you should expect cloud vendors to protect the accounts and data they store for you, it is also true that you have security responsibilities that cannot be outsourced. The extent of that responsibility lies with what kind of services you are using in the cloud, but some basic commonalities are present across the board.
We can see from case studies of these Yahoo incidents and others that although point of authentication (user login) security awareness is more important than ever, that does not protect us from successful attacks directly into a cloud vendor. We can mitigate the damage from direct cloud vendor breeches but it requires new and up-to-date awareness of information flow and security responsibilities.
While no solution can be expected to be perfect, some reasonable steps can be taken to mitigate the kind of damage seen in not only the Yahoo breaches, but also in most of the major cloud breaches over the past few years. The core concepts in any good security awareness training is all that is needed to give organizations, as well as individual users, very good protection against the damage possible from such attacks.
Unfortunately, many organizations mistakenly see end users as too difficult or expensive to train. Many firms confuse outdated security policies handed down from the mainframe days along with outdated advice like “change your passwords often” as passable security practices, not realizing such practices are worse than none. Hackers with evil intent love when employees have not been trained in basic security, but they love it even more when users have been given outdated advice, as this gives users a false sense of security and opens up opportunities for social engineering attacks.
Security Awareness training that has been made part of an organization’s culture is a powerful tool and defense against not only social engineering attacks but also against data breeches in your cloud vendors. Myth-busting common security misconceptions such as “only IT users need to be trained in security awareness”, “end-users can’t learn security practices” and “security can be outsourced to a cloud vendor” is an excellent start to forming hack resistant teams, organizations and culture.