TV Interview Script from DW (2017-10-04) – live interview questions and answers (via Skype) between a news reporter and Jonathan Deveaux regarding the recently announced Yahoo data breach update of 2 billion more accounts exposed.
Reporter: Let’s get some insight now from Jonathan Deveaux – cybersecurity specialist at comForte in San Diego.
Reporter: Why do you think it has taken Yahoo so long to reveal this massive breach in cybersecurity?
Jonathan Deveaux: It’s difficult to say, when companies experience a data breach like this, they have to hire an incident response team, to do forensics and to take a deeper look at security configurations in the company to determine how hackers got in. And I think in this case when Yahoo hired that forensics team, they were going through the exercise to understand how the hackers got in and discovered that the hackers had access to more data than they originally thought. It’s difficult to say how they got in, but it’s good that they continued to do this with forensics.
Reporter: So what were the hackers looking for? Do we know that? We’ve heard that credit card details, passwords, apparently they were not compromised.
Jonathan Deveaux: Yes, that’s right it seems they weren’t after the credit card numbers or payment card details, but user IDs, passwords, names, birth dates – basically personally identifiable information; and they also got a hold of security questions and answers to user ids and passwords. It’s things like that that the hackers were after, because they can take that data and sell it on the Dark Web. And it’s here where they plan to expose it and get money for it.
Reporter: And 3 Billion accounts – staggering number there of accounts that were affected. Just walk us through – say that we have a Yahoo account… what does this breach mean for those 3 Billion users whose accounts are affected?
Jonathan Deveaux: I’m actually a Yahoo User and I’m affected by this and what it meant to me was – I received the notice from Yahoo saying “we experienced a breach – you should respond by resetting your password, and things associated.”
But we should put this in perspective – the 3 billion accounts affected were as of August 2013. At that time, even though we discovered the additional 2 billion accounts now, that’s when everybody was exposed. So most likely now in 2017, people most likely have reset their passwords, hopefully they have reset their security questions and answers, and hopefully they have checked other areas that may have suspicious activity and determined if they were fraudulent or not.
But the main thing is – I know I have reset my password – and also checked other accounts that use the Yahoo User ID as an entry point into websites – people need to take a deeper look at that.
Reporter: Let’s talk about a deeper look. We all know that we should from time to time reset our passwords and things of that nature, but I mean you’ve mentioned that some of this information is for example being sold there on the Dark Web. What else should users know now, do you think? I mean what else is just good cyber hygiene, generally speaking?
Jonathan Deveaux: One thing that is really being promoted right now from a user point of view is when you’re in your email application and responding to emails (Yahoo or other email accounts), be careful with what you click on. Typically this is where a ransomware, malware payload, or some sort of malicious activity is kept – it’s in a file that looks like it’s intended for you, maybe from a friend or from a common account, or you are expecting to receive an email, but instead it actually contains a virus or a trojan or something that tracks activity on your desktop or laptop or even mobile device.
So be careful of what you click on. #2 is try to update your passwords (more frequently) and if you’re not able to, what I like to suggest to people to do is to try to activate a 2nd form of authentication. Everyone has a user id and password to enter a website, but, if the website offers a way to receive a text that has a special code that needs to be typed in during the time you are logging onto the website, this also prevents situations where a hacker could get hold of a user ID and password only to get into an account – they still may not be able to access the account without that 2nd form of authentication.
Reporter: Some useful tips!
End of Interview
Our additional commentary…
One thing that I wish the reporter had asked about was:
What can businesses – large like Yahoo, or small like a corner coffee shop - do to improve data security and to better protect their customers from exposures of this sort?
We at comforte highly recommend that businesses do more to protect the sensitive data itself. Most businesses take a layered approach when it comes to data security. Layers typically involve 5 or so levels:
- Network or Firewall protection
- System Access and Identity Management
- Antivirus, Intrusion detection, or similar run-stop program management
- Disk or Volume/Folder level protection
- Data focused protection
We recommend that businesses continue their effort to maintain their security posture with the layered approaches, but what is most important is taking a more detailed view into data focused protection. What this means is that businesses that store sensitive data should strongly consider tokenization and encryption to render the data useless if it is exposed (either by accident or by a malicious event).
With tokenization, sensitive data elements such as credit/debit card numbers, tax IDs or social security numbers, dates of birth, first and last names, and more, are replaced, at the time the data is being written, with non-identifiable values. These non-identifiable values are created by a random generator using a secret algorithm within the tokenization engine. So, if by chance the data gets into the wrong hands, the data is meaningless since the values are no longer the original values, and are not exploitable.
Encryption is the process of encoding data with an encryption algorithm and encryption key so that access is not granted unless the encryption key is provided to decrypt it. Encryption would typically be used when sensitive data is unstructured, within a file for example.
A major value with data protection is that protection follows the data no matter where it resides. If the data is stolen and exfiltrated to a hacker’s server, or if the credentials to a cloud server where the data resides are hacked, protection with tokenization or encryption still does not reveal the sensitive data.
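The tokenization flow described above, as an added Python example (not comforte's engine or code): it assumes a vault-style design in which random, same-shaped tokens are generated at write time and the token-to-value mapping is kept apart from the stored record. `TokenVault`, `protect_record` and `SENSITIVE_FIELDS` are hypothetical names, and the record is constructed sample data.

```python
import secrets
import string

SENSITIVE_FIELDS = ("name", "birth_date", "card_number")  # assumed field names

class TokenVault:
    """In-memory stand-in for the protected mapping a tokenization engine keeps."""

    def __init__(self):
        self._to_token = {}   # original value -> token
        self._to_value = {}   # token -> original value

    def _random_like(self, value):
        # Draw every digit and letter from a CSPRNG; keep separators so the
        # token still fits the column format of the original value.
        return "".join(
            secrets.choice(string.digits) if ch.isdigit()
            else secrets.choice(string.ascii_uppercase) if ch.isalpha()
            else ch
            for ch in value)

    def tokenize(self, value):
        if value in self._to_token:               # same input, same token
            return self._to_token[value]
        if not any(ch.isdigit() or ch.isalpha() for ch in value):
            raise ValueError("value has no characters that can be replaced")
        token = self._random_like(value)
        while token in self._to_value or token == value:  # collision: redraw
            token = self._random_like(value)
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]              # only possible with the vault

def protect_record(record, vault):
    """Swap sensitive fields for tokens at write time; other fields pass through."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

# Constructed sample record (not real data).
vault = TokenVault()
record = {"user_id": "u1001", "name": "Alex Example",
          "birth_date": "1980-01-31", "card_number": "4111111111111111"}
stored = protect_record(record, vault)   # this is what an attacker would exfiltrate
print(stored)
```

A copy of `stored` taken without the vault carries only random values of the right shape; recovering the originals requires the mapping held by `vault`.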
Unfortunately, no security effort is 100% effective – hackers, attackers, and bad actors have proven themselves to be very savvy and intelligent, and have found ways around most of the layers of data security in which companies invest. Additionally, internal incidents happen where employees accidentally expose sensitive customer data. However, one of the best ways to reduce the risk of data exposure or of a data breach is to remove the sensitive data element itself – which tokenization does. And encrypting files in cases when you cannot tokenize also adds to the strength of the layered approach to data security.