BayPay Forum

How Will the Next President Approach Cybersecurity?

Category: Security News

Breach Preparedness , Breach Response , Cybersecurity

The Similarities, Differences in Clinton, Trump Platforms

Eric Chabrow (GovInfoSecurity) • October 11, 2016

Photo caption: Presidential candidates Donald Trump and Hillary Clinton.

The discussion of cybersecurity in the presidential campaign seems focused primarily on whether the Russian government is behind hacks of Democratic Party computers, which resulted in the leaks of emails that proved to embarrass Democratic nominee Hillary Clinton (see US Government Accuses Russia of Election Hacking).


In this week's town hall debate, Clinton, citing an announcement from the U.S. intelligence community, said Russian President Vladimir Putin is behind these and other attacks. But her Republican opponent, Donald Trump, suggested there was no hacking (see Clinton, Trump: Head-to-Head Over Purported Russian Hacks).


Trump also contended that Clinton, when she was secretary of state, misused personal email servers, which housed some classified materials - proving she's unqualified to be president. Clinton has repeatedly apologized for using the personal servers, saying it was a mistake.

Parallel Goals

But if you go beyond the political bickering and take a close look at the cybersecurity platforms both candidates have posted on their campaign websites, you'll see their approaches to cybersecurity are similar in some respects.

Both candidates pledge to use the latest technologies to secure the government's - and critical infrastructure's - digital assets. Clinton's campaign website says she supports expanded investment in cybersecurity technologies. Trump, through a cyber review team he'd establish, calls for the securing of IT "as modern technology permits."

Neither candidate, however, has explained how they'd come up with the billions of dollars needed to secure information systems and data.

Continuation of Obama's Agenda

Clinton's cybersecurity agenda is more detailed than Trump's, in part because she says she'd adopt the Obama administration's Cybersecurity National Action Plan, "especially the empowerment of a federal chief information security officer, the modernization of federal IT and upgrades to governmentwide cybersecurity."

Both candidates' campaign websites outline what they'd do to make government IT more secure, but neither contender provides the specifics on how they'd do it, beyond Clinton's reference to the Cybersecurity National Action Plan.

Clinton's platform provides a checklist of cybersecurity goals for government agencies: enforcing multifactor authentication; mitigating risks from known vulnerabilities; encouraging adoption of bug bounty programs; increasing use of red teams; enhancing public-private collaboration on cyber innovation and cyberthreat information sharing; and accelerating adoption of best practices, such as the National Institute of Standards and Technology's cybersecurity framework.

Fresh Start?

Trump, on the other hand, says he would first need to get a better handle on the current state of cybersecurity in government before he'd offer specific solutions. He proposes establishing a cyber review team that would be made up of the best military, civilian and private-sector cybersecurity experts to comprehensively review all of the government's cybersecurity systems and technology. The team would make recommendations for the best combination of defensive technologies tailored to specific agencies.

"The review team will also remain current on the constantly evolving new methods of attack, and will attempt to anticipate them and develop defenses as often as possible before major breaches occur," Trump said in an Oct. 3 speech. "This group of experts will set up protocols for each agency and government officials, requiring them to follow best practices."

The cyber review team is reminiscent of the wide-ranging cybersecurity review conducted in the early months of the Obama administration, led by senior White House cybersecurity adviser Melissa Hathaway, which produced a 10-point cybersecurity action plan unveiled by President Obama in May 2009.

Taking on Cybercriminals

To fight cybercrime, Trump says he'd instruct the Department of Justice to create a joint task force with federal, state and local law enforcement agencies, similar to the one DoJ created to take on the Mafia.

The Council on Foreign Relations' Alex Grigsby and David O'Connor, in a think tank blog, find comparing the fight against cybercrime to combating the Mafia interesting, saying it could bring much needed tools and expertise to local authorities often understaffed or lacking the resources to investigate complaints. "However," they write, "it is not always the case that cyber criminals are organized hierarchically like the mob, and in many cases, one individual can attract more attention than a group. Additionally, it is unclear whether the task forces would investigate traditional crime facilitated by the internet (online fraud, ransom, harassment), crimes directed at computers (hacking, denial of service) or both."

In Trump's platform, he emphasizes using cyber weapons against U.S. adversaries, something that's already been done, as with Stuxnet virus, which the United States and Israel used to sabotage Iran's nuclear program.

Warfare of the Future

In fact, Trump says he wants to develop offensive cyber capabilities as a way to conduct "crippling cyber counterattacks. This is the warfare of the future; America's dominance in this arena must be unquestioned."

But the Obama administration cautions that a hack back could have unknown consequences. Lisa Monaco, Obama's homeland security adviser, said at the Aspen Security Forum in July that "the danger of escalation and misinterpretation is such that we have to be responsible about it [cyber retaliation]."

Clinton told the American Legion National Conference in Cincinnati on Aug. 31: "As president, I will make it clear that the United States will treat cyberattacks just like any other attack. We will be ready with serious political, economic and military responses."

The Next President

So what will the cybersecurity policy of the next president look like?

Clearly, Clinton's policy will be a continuation of Obama's approach to cybersecurity.

As for Trump, based on his platform and comments, it's still unclear how much his cybersecurity policies would differ from current practices.

Both candidates, in executing their cybersecurity initiatives, would need the support of Congress. Unlike most other issues, there's been a general consensus among Democrats and Republicans on how the government should tackle cybersecurity.


Verizon's Yahoo Breach Question: What's 'Material'?

Category: Security News

Breach Response , Data Breach , Risk Management

Don't Expect World's Largest Data Breach to Derail Verizon's Yahoo Buy

Mathew J. Schwartz (euroinfosec) • October 11, 2016

Photo caption: Verizon says the sun isn't setting on its deal to acquire Yahoo. Photo: Mike Mozart (Flickr/CC)

Verizon is reportedly awaiting the full results of a digital forensic investigation into the record-setting Yahoo data breach to ascertain whether it will revise its $4.8 billion bid to buy the search firm (see Verizon Reportedly Demands $1B Yahoo Discount After Breach).


But Verizon CEO Lowell McAdam said that in this era of mega-breaches, he was "not that shocked" to learn of the hack attack against Yahoo, given the ease with which attackers operate today, The Wall Street Journal reported.


Speaking Oct. 10 at the Internet Association's Virtuous Cycle conference in Menlo Park, Calif., McAdam emphasized that proper defenses must be in place, but said it's nearly impossible to avoid getting breached (see Verizon Confirms Breach Affecting Business Customers).

"We all live in an internet world; it's not a question of if you're going to get hacked but when you are going to get hacked," McAdam said, according to the news report.

McAdam also dismissed a recent report in the New York Post that Verizon was demanding a $1 billion discount on the price for acquiring Yahoo in light of the breach, which came to light after it made its bid for the company. "That is just total speculation - we still see a real value to the asset there," McAdam said, according to CNBC. "But in fairness, we're still understanding what was going on, to define whether it's a material impact to the business or not. But the industrial logic of doing this merger still makes a lot of sense ... I'm hoping we can get through all this stuff and get to the [deal's] close."

The "material impact" phrase is telling. That's a reference to U.S. Securities and Exchange Commission guidelines that require a company's management team to "consider financial, operational and other information known to the company" to identify - and detail - "trends and uncertainties that will have, or are reasonably likely to have, a material impact on a company's liquidity, capital resources or results of operations," according to an analysis published by Harvard Law School's Forum on Corporate Governance and Financial Regulation.

McAdam added that the investigation into the Yahoo breach - and presumably what senior managers knew and when - is at least halfway done. So for full results on any potential "material impact" that the breach may have had on Yahoo's value, stay tuned.

No Titanic Turn

For any Yahoo users looking for justice over so many details having been stolen and the delay in the details coming to light, however, don't hold your breath. Just once, it might be nice if corporate America had its data breach "Titanic" moment and a firm sank after suffering a hack attack, thus offering a cautionary lesson about the perils of under-investing in cybersecurity defenses or ignoring your security team's advice, as Yahoo CEO Marissa Mayer reportedly did when it came to the company complying - as well as how it complied - last year with a secret U.S. government directive requiring it to scan emails.

But aside from some breached cybersecurity firms and cryptocurrency exchanges, data breaches have rarely been fatal, and firms typically rebound, seeing no long-term effect on their stock prices, said developer Troy Hunt, who runs the free Have I Been Pwned? breach-alert service, at the Oct. 6 ScotSoft conference in Edinburgh, Scotland.

Having a Target Moment

But that's not the full breach story. "This premise that there's no long-term impact is right, but it overlooks that there can be some very pronounced short-term effects," Hunt said.

For starters, a company's stock price may take a short-term hit, and its reputation can get dragged through the mud, as happened to Target and TalkTalk as their CEOs were respectively grilled by Congress and Parliament.

Eventually, however, the inquiries and related furor usually dies down, perhaps replaced by a new focus on yet another big data breach that's just been discovered elsewhere.

Yahoo is now having its Target moment. Of course, Yahoo's plight is more complicated - it's in the midst of negotiations on its sale to Verizon.

But using past breaches as a guide, it's unlikely that Yahoo's record-setting data breach will derail the Verizon deal, or lead to a re-evaluation of the company or its prospects that results in any appreciable "material impact."

For anyone who cares about cybersecurity and breach prevention, it's a depressing reality: To the list of life certainties that you can't do anything about - death and taxes - just add data breaches.


Vendor Security Alliance Formed to Improve Cybersecurity of Third-party Providers

Category: Security News

Business Continuity/Disaster Recovery , Cybersecurity , Governance

Malwarebytes Labs (Malwarebytes) • October 11, 2016

Nine technology companies (Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb) have recently founded the Vendor Security Alliance (VSA), an independent, non-profit coalition that aims to help member companies assess the security and privacy of the third-party providers they rely on heavily and entrust with their users' most important data. The members have also taken it upon themselves to standardize a benchmark of acceptable cybersecurity practices that vendors must comply with.

As you may recall, criminals are able to compromise the companies they are targeting by first breaking into the systems of third-party providers or subcontractors. Such was the case with the Target breach.


In a blog post, George Totev of Atlassian gives their readers a bird's eye view of how the group will be performing their duties:

We believe trust begins with transparency and accountability, and having an independent entity [to] manage this process for all its members will provide an efficient, common, and credible way of evaluating the vendors we all use. [For example] Each cloud company will be evaluated, audited, and scored based on a set of common criteria that measures cybersecurity risk, policies, procedures, privacy, vulnerability management, and data security.

Each year, VSA will create and publish a security and compliance questionnaire that companies can use to assess vendor risk against a set of predetermined criteria (note that only VSA members can have vendors independently audited). Once scored, vendors can then use their VSA rating when offering their services, effectively skipping the verification process that prospective customers would otherwise perform.

VSA will make the first questionnaire available to the public on the 1st of October 2016.

Ken Baylor, President of VSA and Head of Compliance in Uber, explains why this alliance is an industry game changer:

Companies belonging to the VSA can draw on the collective expertise across the industry, gaining trust and verification of vendors' security practices. The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months - the new VSA process cuts the process down to minutes.

It's important to mention that VSA is only one of several security groups formed to address one part (in this case, third-party security compliance and risk) of the complicated cybersecurity problem we all face.

In March of 2009, eBay and ING announced the formation of the Cloud Security Alliance to promote best practices for secure cloud computing. Then in September of 2015, AirWatch formed the Mobile Security Alliance together with 10 other companies, aiming to mitigate the growing threats in the mobile landscape.


IG: Secret Service's IT Has 'Unacceptable Vulnerabilities'

Category: Security News

Audit , Governance , Insider Threat

Rep. Chaffetz, Victim of a Secret Service Insider Breach, Describes IG Audit as 'Alarming'

Eric Chabrow (GovInfoSecurity) • October 14, 2016

Photo caption: Rep. Jason Chaffetz (left) and Secret Service Director Joseph Clancy

"Unacceptable vulnerabilities" exist in the U.S. Secret Service's information technology, leaving systems susceptible to potential unauthorized employee access, the Department of Homeland Security inspector general says.


An IG audit uncovered numerous problems with Secret Service's IT management, including inadequate system security plans; systems with expired authorities to operate; inadequate access and audit controls; noncompliance with logical access requirements; inadequate privacy protections; and over-retention of records.

The IG contends that Secret Service's IT management is ineffective because the agency has historically not given it priority. According to the audit, the Secret Service CIO's office lacks authority over all IT resources and is not effectively positioned to provide the necessary oversight. In addition, the agency gives inadequate attention to updating IT policies, and Secret Service personnel are not receiving adequate training on IT security and privacy. The IG made 11 recommendations, and the Secret Service agreed to take the recommended corrective actions.

The investigative report, made public Oct. 14, follows an earlier IG audit into Secret Service employees improperly accessing and disclosing information about Rep. Jason Chaffetz, the Utah Republican who chairs the House Oversight and Government Reform Committee, which monitors Secret Service operations.

Insider Breach Remains Possible

"Today's report reveals unacceptable vulnerabilities in Secret Service's systems," DHS Inspector General John Roth says. "While Secret Service initiated IT improvements late last year, until those changes are fully made and today's recommendations implemented, the potential for another incident like that involving Chairman Chaffetz' personal information remains."

The Secret Service is a unit within DHS.

In September 2015, the IG issued a partially redacted report that said 45 agents accessed Chaffetz' 2003 application to be a Secret Service agent - he wasn't hired - though only four of them had an "arguable legitimate need to access the data." (See IG Reopens Probe Into Secret Service Agents Spying on Chaffetz Files.) The first unauthorized query of Chaffetz' name in the Secret Service database, made by a senior Secret Service agent, occurred 18 minutes after Chaffetz convened a March 24, 2015, hearing on the Secret Service concerning allegations that two agency supervisors breached a crime scene and may have been drunk. Chaffetz was elected to Congress in 2008.

Chaffetz issued a statement characterizing the latest audit issued Oct. 14 as "alarming."

Unaccountable Leadership

"The Secret Service believes they have a core mission to protect the nation's financial infrastructure from cyber-related crimes, yet can't keep their own systems secure," Chaffetz says. "Despite past warnings, USSS is still unable to assure us their IT systems are safe. The loss or theft of law enforcement sensitive information is disastrous and jeopardizes witnesses involved in criminal cases or the identities of undercover officers, or worse. USSS's cyber-related responsibilities should be moved elsewhere. They lack the right personnel to do the job and senior leadership isn't accountable."

That lack of leadership was raised last year with the earlier audit.

A year ago, the IG's office said it reopened the investigation into the agency's IT management because Secret Service Director Joseph Clancy had a different "recollection of the events in question" than what he told the IG when interviewed on July 17, 2015. Clancy was unaware of the unauthorized access until shortly before the media published accounts of it, according to the IG report. Clancy served 27 years in the Secret Service until retiring in 2011. President Obama appointed Clancy the agency's director in February 2015.

Eliminating the Insider Risk

The new audit points out that the Secret Service must make IT a priority, including implementing an IT governance framework that addresses, at a minimum, the IT organizational and management deficiencies identified in this report. That, the IG report says, would require the Secret Service leadership to fully understand and address the potential for insider-threat risks, not only from system administrators and inadequately managed IT contractors, but also from employees and business partners.

Assistant Inspector General Sondra McCauley, writing in the report, says the Secret Service's new CIO - Kevin Nally - is aware of the severity of the issues and has begun to formulate a strategic plan to address long-standing IT deficiencies. "Time will tell how effective these efforts prove in changing the USSS culture so that a premium is placed on ensuring a holistic information security program with effective technical, operational and management controls," she says.


Akamai Warns of Account Takeovers Staged from Cameras, Routers

Category: Security News

Endpoint Security , Risk Management , Technology

IoT Hackers Scoring Hits Using a 12-Year-Old OpenSSH Vulnerability

Jeremy Kirk (jeremy_kirk) • October 14, 2016

A long-known weakness in an authentication protocol shipped in millions of routers, surveillance devices and satellite antennae is being used in attempts to compromise accounts at popular web services, according to new research from Akamai.


The research findings add to concerns that hackers increasingly are using internet of things devices to stage attacks, a situation that experts say could be difficult or in some cases impossible to fix (see How an IT Pro Kicked Hackers Off Surveillance Cameras).

Akamai, which offers content delivery network services, says the equipment is being used as relays for "credential stuffing" attacks, where breached logins and passwords are used in an attempt to take over accounts. The IoT devices effectively act as proxies, masking the IP addresses from where the attacks actually originate.

The networking vendor cautioned that the technique is not a new vulnerability or attack, but that it has seen a dramatic rise in strikes against its customers.

"While this has been reported before, the vulnerability has resurfaced with the increase of connected devices," Akamai says in a 10-page technical report. "Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation."

Although experts have warned that the increasing connectivity incorporated into devices will pose new security risks, the last couple of months have proved their predictions true. IoT devices are often poorly secured, ship with default login credentials and are never updated by manufacturers, making them more attractive targets than PCs, which are generally more secure.

In mid-September, devastating distributed denial-of-service attacks were launched that marshaled insecure devices. DDoS attacks flood online services with garbage data traffic, consuming resources and bandwidth with the goal of shutting services down (see Hacked IoT Devices Unleash Record DDoS Mayhem).

SSHowDowN

The situation described by Akamai doesn't involve DDoS attacks. The company began investigating a network video recorder that was sending suspicious traffic to its customers.

The device shipped with default passwords, which made it easy for attackers to take it over. Although users are encouraged to change default passwords, they're often left in place for as long as the device lives.

Many IoT devices ship with OpenSSH, an implementation of the Secure Shell (SSH) remote login protocol. This particular DVR wouldn't allow someone to gain access over SSH using the default credentials. But the SSH configuration does allow someone to use the device as a proxy, forwarding their attack traffic through the IoT device to another service.

This authentication bypass vulnerability, which can allow for what's called a "port bouncing attack," has been known for at least 12 years. Although some devices can be patched to eliminate the vulnerability, other IoT devices can't be fixed, writes Eric Kobrin, director of adversarial resistance at Akamai. The company nicknamed the attack SSHowDowN.

Some of the attack traffic came from routers made by Ruckus Wireless, which is now owned by Brocade Communications Systems. Ruckus issued an advisory and a patch in 2013.

"It was discovered that a malicious user could abuse the TCP tunneling feature of the SSH daemon on Ruckus devices to proxy random TCP streams," the advisory reads. "The user does not have to be authenticated to the Ruckus device for requesting and establishing such a tunnel. Once a tunnel is established, the user's TCP stream would be carried over SSH to the Ruckus device, which would forward the traffic to an IP and port of the user's choosing."
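The tunnelling behaviour described in the Ruckus advisory and in the SSHowDowN paragraphs above is governed on a stock OpenSSH daemon by a handful of sshd_config directives, and the dangerous one, AllowTcpForwarding, defaults to "yes" when the file never mentions it. The audit below is an added example for this page, not Akamai's, Ruckus's or any vendor's code. It assumes the appliance runs an unmodified OpenSSH sshd reading a standard sshd_config (first value for a keyword wins, keywords are case-insensitive, an optional "=" may separate keyword and value); both sample configurations are constructed.

```python
"""Audit an sshd_config for the directives that let the daemon relay
arbitrary TCP streams, and emit the lines that close them.

Assumption (not from the article): a stock OpenSSH sshd. Directive names
and defaults are OpenSSH's: AllowTcpForwarding (default yes),
GatewayPorts (no), PermitTunnel (no), PermitOpen (any)."""
import re

# keyword -> (default when absent, value that closes the relay path)
RELAY_SETTINGS = {
    "AllowTcpForwarding": ("yes", "no"),
    "GatewayPorts": ("no", "no"),
    "PermitTunnel": ("no", "no"),
    "PermitOpen": ("any", "none"),
}

# Constructed sample: an appliance config that says nothing about
# forwarding, so every relay setting sits at its OpenSSH default.
WEAK_CONFIG = """
# constructed sshd_config for an example DVR firmware
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart: forwarding and tunnelling closed off
# globally, so even an authenticated login cannot relay traffic.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword.lower(): value}.

    Only the global section is modelled. A Match block makes everything
    after it conditional on user/host/address, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # sshd keeps the first value seen
    return settings


def audit_relay_settings(text):
    """Return [(keyword, effective_value, recommended_value)] for each
    relay-related directive whose effective value is not the closed one.
    Absent directives are evaluated at their OpenSSH default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, safe) in RELAY_SETTINGS.items():
        effective = settings.get(key.lower(), default).lower()
        if effective != safe:
            findings.append((key, effective, safe))
    return findings


def remediation_lines(text):
    """Directives to place at the top of the file; because the first
    occurrence wins, they override anything set further down."""
    return [f"{key} {safe}" for key, _effective, safe in audit_relay_settings(text)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_relay_settings(cfg) or "no relay findings")
    print("\n".join(remediation_lines(WEAK_CONFIG)))
```

Note that the weak sample is flagged without containing a single forwarding directive: the finding comes from the defaults, which is why an appliance vendor who copied an untouched sshd_config shipped a relay. `PermitOpen none` belongs alongside `AllowTcpForwarding no` because it also constrains what a future `Match` block could re-open.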

Akamai says it has seen attack traffic coming from CCTV cameras, NVRs, digital video recorders, routers, ADSL modems and network attached storage devices.

IoT Security Standards

Compromising IoT devices offers hackers a layer of cover. The services under attack see the IP address of the hacked device in their logs, and the owner of the IoT unit invariably has no idea about the abuse.

ISPs can also detect attack traffic and alert customers whom they think may have an infected device on their network. But IoT devices, particularly older ones, may no longer be supported by manufacturers and receive no security updates. Users plug in the devices, and as long as they're functioning, forget them.

Efforts are underway to ensure that future generations of devices can't be compromised so easily. The Open Connectivity Foundation has developed a security framework that is designed to allow IoT devices to communicate securely. The group is aiming to develop standards as well as a certification program that can be used across the industry.

And there is a sense of urgency: Gartner predicts that by 2020, some 20.8 billion IoT devices will be in use, up from about 6.4 billion this year, adding to a massive pool of already insecure devices - which could cause headaches for years to come.

