Yahoo Breach Shows Importance of User Attributes
Yahoo’s confirmed data breach of at least 500 million user accounts may be one of the largest cybersecurity breaches ever, according to CNN Money. Yahoo confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Yahoo has advised users to change their password and security questions and to review their accounts for suspicious activity.
Concerns for Yahoo Enterprise Customers
A major concern for enterprises arising from the Yahoo breach is the loss of unencrypted security questions and answers. This creates a risk for organizations that rely on the same technique (and whose users may well have chosen the same answers) to strengthen traditional credentials.
Traditional “something you know” methods of authentication are becoming irrelevant, as hackers continue to build broader dossiers of the things they know about us. The best defense is to deploy access controls that don’t rely simply on user input, and instead examine multiple user attributes – including location, device type, time, group, configuration and more – before allowing access. This type of “dynamic digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.
The Problems with Old Security Models
Current best practices recommend a laundry list of security technologies: VPNs, VLANs, NAC, Next Generation Firewalls, Privileged Access Management solutions, and so on.
But all this technology doesn’t necessarily improve security. And if you’re still using the same principles you were using ten or twenty years ago, you might have the strongest network perimeter in the world, but no ability to respond to internal or external threats.
One weakness is that once a user is authenticated at the start of a session, they’re in – until they log out again. It’s assumed that they are who they say they are, and will behave in the way they normally behave, indefinitely.
In technical terms, this might mean a user is permitted to join a VPN with firewall-provisioned access to certain servers and applications. After that initial transaction, the user’s identity is known to the network and authentication decides what the user is authorized to do. More modern, role-based access controls are better because they decide what access the user should be granted, but the use of identity is often the same – the user verifies his (or her) identity at the start of the session, but it is never checked again unless he explicitly logs out.
This means there’s almost never an opportunity to intervene when the context of a user’s connection, or behavior while logged on, demonstrates that the user is not actually who he says he is.
User Attributes Key to Improved Security
It’s easy to understand how checking user attributes can improve security. If a user authenticates from an unknown device in Russia or the Far East when he normally connects to the network from a PC in the US office, it should be fairly obvious that the risk profile has changed significantly. Meanwhile, regardless of circumstances, any attempt to open a confidential document or carry out a high-value transaction should face more scrutiny than routine types of activity. If you apply these principles to the case of credential theft, the benefits should be readily apparent.
Just as identity is not a one-time transaction, these rules should be dynamic, adjusting to changing attributes. A user might typically appear from one or two specific locations, say a guest network at a customer site and his or her own office, so his or her access rights might differ depending on what he or she is trying to access at that time, according to policy. In line with this, a low-risk document might be made available in a wide range of contexts, while a confidential one should have more restrictions placed on it.
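The contextual checks described above, as an added illustration that is not part of the original post and not any vendor's product: a small policy function scores each request against a constructed user baseline (known countries, known devices and routine hours, all assumed names) and returns allow, step-up or deny, re-evaluating every request rather than trusting the first login for the whole session.

```python
from dataclasses import dataclass
# Constructed baseline of what is "normal" for one user (assumed structure, not
# Yahoo's or any vendor's code): countries and devices seen before, routine hours.
@dataclass
class UserBaseline:
    known_countries: frozenset
    known_devices: frozenset
    work_hours: tuple = (7, 20)  # local hours in which access is routine

@dataclass
class AccessRequest:
    country: str
    device_id: str
    hour: int                 # local hour of day, 0-23
    sensitivity: str          # "low" or "confidential"
    high_value: bool = False  # e.g. a payment or a bulk export

def risk_score(req: AccessRequest, base: UserBaseline) -> int:
    """Sum context signals; higher means further from the user's normal pattern."""
    score = 0
    if req.country not in base.known_countries:
        score += 3  # unfamiliar location is the strongest single signal here
    if req.device_id not in base.known_devices:
        score += 2
    start, end = base.work_hours
    if not start <= req.hour < end:
        score += 1
    return score

def decide(req: AccessRequest, base: UserBaseline) -> str:
    """Return 'allow', 'step_up' (re-verify with a second factor) or 'deny'."""
    score = risk_score(req, base)
    if req.sensitivity == "confidential" or req.high_value:
        # Sensitive actions always get extra scrutiny; unfamiliar context on top is refused.
        return "deny" if score >= 3 else "step_up"
    return "step_up" if score >= 3 else "allow"  # routine: allow unless context drifted

def evaluate_session(requests: list, base: UserBaseline) -> list:
    """Re-evaluate every request: a session begun in a familiar context is still challenged when the context changes."""
    return [decide(r, base) for r in requests]

if __name__ == "__main__":
    base = UserBaseline(frozenset({"US"}), frozenset({"office-pc"}))
    session = [AccessRequest("US", "office-pc", 10, "low"),
               AccessRequest("US", "office-pc", 10, "confidential"),
               AccessRequest("RU", "unknown-laptop", 3, "low"),  # same password, new context
               AccessRequest("RU", "unknown-laptop", 3, "confidential")]
    for req, verdict in zip(session, evaluate_session(session, base)):
        print(req.country, req.device_id, req.sensitivity, "->", verdict)
```

The weights and thresholds are illustrative; a real deployment would tune them against observed sign-in data and feed the step-up and deny outcomes to monitoring.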
The Yahoo breach shows us that even our security questions and answers are of value to hackers. What we need is for organizations to employ fine-grained access controls that take user attributes into account, to help protect customers, employees and third parties from exposing the organization to risk.