Yahoo Breach Shows Importance of User Attributes

October 14, 2016

Yahoo’s confirmed data breach of at least 500 million user accounts may be one of the largest cybersecurity breaches ever, according to CNN Money. Yahoo confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

Yahoo has advised users to change their password and security questions and to review their accounts for suspicious activity.

Concerns for Yahoo Enterprise Customers

A large concern for enterprises around the Yahoo hack is the loss of unencrypted security questions and answers. This creates a risk for organizations that rely on the same technique (and therefore potentially on the same answers, reused by their users) to strengthen traditional credentials.

Traditional “something you know” methods of authentication are becoming irrelevant, as hackers continue to build broader dossiers of the things they know about us. The best defense is to deploy access controls that don’t rely simply on user input, and instead examine multiple user attributes – including location, device type, time, group, configuration and more – before allowing access. This type of “dynamic digital identity” makes it much harder for a hacker to take advantage of the type of information lost by Yahoo.

The Problems with Old Security Models

Current best practices recommend a laundry list of security technologies: VPNs, VLANs, NAC, Next Generation Firewalls, Privileged Access Management solutions, and so on.

But all this technology doesn’t necessarily improve security. And if you’re still using the same principles you were using ten or twenty years ago, you might have the strongest network perimeter in the world, but no ability to respond to internal or external threats.

One weakness is that once a user is authenticated at the start of a session, they’re in – until they log out again. It’s assumed that they are who they say they are, and will behave in the way they normally behave, indefinitely.

In technical terms, this might mean a user is permitted to join a VPN with firewall-provisioned access to certain servers and applications. After that initial transaction, the user’s identity is known to the network, and that authenticated identity determines what the user is authorized to do. More modern, role-based access controls are better because they decide what access the user should be granted, but the use of identity is often the same – the user verifies their identity at the start of the session, and it is never checked again unless they explicitly log out.

This means there’s almost never an opportunity to intervene when the context of a user’s connection, or their behavior while logged on, demonstrates that the user is not actually who they claim to be.

User Attributes Key to Improved Security

It’s easy to understand how checking user attributes can improve security. If a user authenticates from an unknown device in Russia or the Far East when he is normally connected to the network from a PC in the US office, it should be fairly obvious that the risk profile has changed significantly. Meanwhile, regardless of circumstances, any attempt to open a confidential document or carry out a high-value transaction should face more scrutiny than routine activity. Apply these principles to the case of credential theft and the benefits are readily apparent: a stolen password (or a stolen security answer) no longer satisfies the policy on its own.

Just as identity is not a one-time transaction, these rules should be dynamic and adjust to changing attributes. A user might typically appear from one or two specific locations, one at a customer site on a guest network and the other in their office, and their access rights might differ between the two, depending on what they are trying to access at that time and on what policy allows. In line with this, a low-risk document might be made available in a wide range of contexts, but a confidential one should have more restrictions placed on it.
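The policy logic described in the two paragraphs above, as an added illustration rather than code from the original post or from Cryptzone: each request (not only the login) is scored against the user’s normal device, location and working hours, the sensitivity of the resource and whether the action is a high-value transaction, and the result is allow, step-up (re-prompt for a second factor) or deny. The sensitivity labels, required groups, weights and thresholds are assumed values for the example.

```python
from dataclasses import dataclass

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3}  # hypothetical labels
REQUIRED_GROUP = {"confidential": "finance"}                   # hypothetical policy
STEP_UP_AT, DENY_AT = 3, 6                                     # hypothetical thresholds

@dataclass(frozen=True)
class Baseline:
    """What the policy engine knows about a user's normal context."""
    known_devices: frozenset
    usual_countries: frozenset
    working_hours: tuple = (7, 20)  # local hours, half-open [start, end)

@dataclass(frozen=True)
class Request:
    """Attributes collected for every access attempt, not only at login."""
    device_id: str
    country: str
    hour: int
    groups: frozenset
    resource_label: str
    high_value: bool = False

def risk_score(req, baseline):
    """Sum the weights of every context deviation plus the resource's value."""
    start, end = baseline.working_hours
    checks = [
        (req.device_id not in baseline.known_devices, 2, "unknown device"),
        (req.country not in baseline.usual_countries, 2, "unusual location"),
        (not start <= req.hour < end, 1, "outside working hours"),
        (req.high_value, 3, "high-value transaction"),
    ]
    # An unlabelled resource is treated as confidential (fail closed).
    score, reasons = SENSITIVITY.get(req.resource_label, 3), []
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    return score, reasons

def decide(req, baseline):
    """Return ('allow' | 'step-up' | 'deny', reasons); called on every request."""
    needed = REQUIRED_GROUP.get(req.resource_label)
    if needed and needed not in req.groups:
        return "deny", ["not in group " + needed]  # authorization, independent of risk
    score, reasons = risk_score(req, baseline)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= STEP_UP_AT:
        return "step-up", reasons  # e.g. re-prompt for a second factor
    return "allow", reasons
```

Because `decide` runs per request, the same session can move from allow to step-up or deny the moment its attributes change, which is the gap in the log-in-once model the previous section describes.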

The Yahoo breach shows us that even our security questions and answers are of value to hackers. What we need is for organizations to employ fine-grained access controls that take user attributes into account, to help protect customers, employees and third parties from exposing the organization to risk.

Leo Taddeo
Chief Security Officer
www.cryptzone.com

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
