yahoo! fallout

uninhibited, accessing vast quantities of sensitive data and wreaking havoc. A single hack could be forgiven as unlucky, but twice smacks of a complete unwillingness to act and take the security of its customers' sensitive data seriously."

As far as he is concerned, there is a fundamental step missing - damage limitation. "At whatever point a hacker enters a network, they must be contained, restricting the data they can access and the damage they can inflict before they are detected. This obvious step is missing from the cyber security strategies of some of the world's biggest organisations and is the reason we are seeing hacks that affect consumers on such a massive scale. However, by looking to approaches such as cryptographic segmentation to contain a threat, businesses can ensure a hacker cannot roam freely across its network, significantly limiting the impact of an attack."
EASY ACCESS

As Steven Malone, director of security management at email security firm Mimecast, is at pains to point out, email is one of the most vulnerable windows into an organisation - which makes it no surprise that 91% of cybercrime starts with an email.

"Considering the inherent weaknesses of email, it is critical that organisations take proactive measures to secure themselves from simple phishing emails right through to impersonation and weaponised attachments. Nowadays, effective malware is easily bought online, meaning that criminals with little to no computer skills are free to send infected emails. It is also vital that organisations look to train employees, as they will always remain the gatekeepers into organisations. Some alertness can go a long way, spotting giveaways in the emails so perfectly crafted they could have been sent by a colleague or close friend."
FORENSIC EVIDENCE

David Gibson, VP of strategy and market development at Varonis, believes organisations should be taking steps not only to safeguard data, but also provide forensic evidence when the worst happens.

"The first step in a data security strategy should be to instrument your environment to be able to: a) see who is accessing data, when, and how; b) profile normal behaviour; and c) alert on abuse. Step two should be to identify sensitive data and ensure that only the right people have access (ie, the principle of least privilege). Step three is to implement automated processes and human checkpoints to verify that controls put in place stay in place, so you don't backslide to an insecure state.

"Interestingly, if Yahoo hadn't instrumented their environment to detect evidence of intrusion, they may never have 'officially' discovered the recent two data breaches…. The upcoming breach notification requirements will also place a new burden on data controllers like Yahoo," Gibson adds.

Under the General Data Protection Regulation (GDPR), the IT security mantra is clear: 'always be monitoring'.
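The strategy Gibson outlines above (instrument who accesses data and when, profile normal behaviour, alert on abuse, then hold sensitive data to least privilege) as runnable detection logic. This is an added example, not code from the original article or from Varonis; the audit log lines, path layout and entitlement map are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed audit log (sample data, not from any real system): "<timestamp> <user> <action> <path>"
AUDIT_LOG = """\
2017-01-09T09:02:11 alice READ /finance/q4-forecast.xlsx
2017-01-09T09:05:40 alice READ /finance/payroll.csv
2017-01-09T10:11:02 bob READ /marketing/campaign.pptx
2017-01-10T08:55:00 alice READ /finance/q4-forecast.xlsx
2017-01-10T09:30:00 bob READ /marketing/brand.pdf
2017-01-11T03:12:00 bob READ /hr/salaries.csv
2017-01-11T03:12:05 bob READ /hr/contracts.zip
2017-01-11T03:12:09 bob READ /finance/payroll.csv
2017-01-11T03:12:20 bob READ /marketing/brand.pdf
2017-01-11T03:12:31 bob READ /marketing/campaign.pptx
2017-01-11T08:40:00 alice READ /finance/payroll.csv
"""

# Hypothetical least-privilege map (an assumption): sensitive path prefix -> users entitled to it
SENSITIVE_ACL = {"/finance/": {"alice"}, "/hr/": {"carol"}}


def parse_log(text):
    """Step one, part (a): turn raw lines into who/when/how records."""
    rows = [line.split() for line in text.splitlines()]
    return [{"ts": ts, "date": ts[:10], "user": u, "action": a, "path": p} for ts, u, a, p in rows]


def least_privilege_violations(events, acl=SENSITIVE_ACL):
    """Step two: flag any sensitive-data access by a user outside the entitled set."""
    hits = []
    for e in events:
        for prefix, allowed in acl.items():
            if e["path"].startswith(prefix) and e["user"] not in allowed:
                hits.append((e["ts"], e["user"], e["path"]))
    return hits


def abuse_alerts(events, factor=3, min_count=5):
    """Step one, parts (b) and (c): baseline each user's daily access volume, alert on outliers."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_day[e["user"]][e["date"]] += 1
    alerts = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = mean(others) if others else 0  # the user's own norm on the other days
            # Alert only when the day is both large in absolute terms and far above that norm
            if count >= min_count and count >= factor * max(baseline, 1):
                alerts.append((user, day, count, baseline))
    return alerts
```

On the constructed log, bob's 03:12 burst on 11 January trips both checks: reads under /hr/ and /finance/ he is not entitled to, and five accesses against a baseline of one per day.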
TOO LITTLE, TOO LATE

Once the breach had been unearthed, Yahoo notified potentially affected users, asking them to promptly change their passwords and adopt alternate means of account verification - but that was very much slamming the barn door shut after the horse had well and truly bolted. The first breach, remember, took place in 2014, so whatever remedial action Yahoo has recommended since the discovery of the breach in October this year is all too little, too late. The damage has already been well and truly done. Yahoo
ARE WE PASSING THE PASSWORD TEST?

New online research commissioned by credit information provider Equifax reveals that how we manage our passwords could mean we are leaving an 'open door' for fraudsters. According to the responses of over 2,000 people, more than a quarter (27%) change their online passwords less than once a year and 23% never change their passwords without being prompted. It appears the over 55s are the most lax - with 29% of them admitting to infrequently updating their passwords.

Lisa Hardstaff, identity fraud expert at Equifax, believes the fact that people now have so many passwords to remember could be a reason why they don't regularly update their passwords. "Our research revealed that nearly a third of consumers (31%) have more than five passwords. This demonstrates that people in the UK are definitely doing the right thing in ensuring that, if a fraudster accesses one of their passwords, they can't access all their other accounts by using the same password. However, good practice is to ensure that you regularly change your passwords and, worryingly, over a quarter of Brits do that less than once a year."

Lisa Hardstaff, Equifax.

Passwords can be the first barrier that online criminals face when trying to access someone's personal details, she adds. "So, understanding what makes a password strong can help keep information safe."
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security<br />