4 ways your company can avoid Yahoo-level stupidity in enterprise security

Yahoo recently confirmed a leak of one billion accounts, adding to its growing list of security woes. Here are four actions your company can take to prevent a similar debacle.


Yahoo has officially solidified its position as one of the worst protectors of user data in recent history. On Wednesday, Yahoo revealed in a press release that data from more than one billion user accounts had been stolen in 2013.

This is a separate breach from the one disclosed in September, when it was announced that 500 million accounts had been compromised. So, if you're keeping count, two incidents have put 1.5 billion Yahoo users at risk.


According to the release, criminals likely stole names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers in the newest hack. However, Yahoo said that bank card information wasn't leaked.

While Yahoo said that it is working with forensic experts and taking steps to secure user accounts, the news of this latest breach could be the nail in Yahoo's coffin. The fact that 1.5 billion accounts have been at risk for years is beyond problematic, and evidence enough that Yahoo isn't doing enough to protect its users.

If you're an IT leader, don't let your company be as stupid as Yahoo with your security. Here are four lessons you can learn from the incident.

1. Make security your brand

The first key lesson to learn from Yahoo's breach, said Forrester analyst Jeff Pollard, is that the way your organization handles security and security incidents is now a major part of your brand and reputation.

"Yahoo is now synonymous with the term 'mega-breach,' dethroning prior record holders from 2014 and 2015," Pollard said. "From an executive leadership standpoint, this is part of their legacy as well. Marissa Mayer is the CEO that presided over losing 1.5 billion records containing user information. Yahoo leadership is now the CISO's cautionary tale as what happens when you ignore your security team."

2. Understand your encryption

A big part of remaining secure is understanding what steps you have taken to protect your organization in the first place, and making sure you're using the best tools and services available to you. According to Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, Yahoo wasn't.

Yahoo was primarily using MD5, which Bocek described as "a cryptographic hashing function that can be reversed with brute force attacks. MD5 also suffers from many serious, well documented vulnerabilities." Yahoo also used self-issued certificates with long expiration dates, which Bocek said are "symptoms of weak cryptographic control."

3. Know where your data is

In Yahoo's first announcement, it mentioned that the affected data had been protected with bcrypt. But the latest announcement mentioned MD5, which Pollard said shows that Yahoo migrated how it encrypted its data.

"This serves as a reminder that there is always residual data somewhere, on some systems. That toxic unknown data places your users, employees, and customers at risk," Pollard said. "We all imagine that this information was downloaded in bulk from a live production database, but all we know is that it was obtained, not how it was retrieved or where it resided."
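The MD5-to-bcrypt migration that sections 2 and 3 describe, as an added example (not Yahoo's or the article's code) of how a defender inventories residual legacy hashes and upgrades each one on the next successful login, the only moment the plaintext is available. It assumes a dict-of-rows user store and swaps bcrypt for PBKDF2-HMAC from Python's standard library so it runs offline.

```python
import hashlib
import hmac
import os
import re

# Unsalted MD5 digests are 32 lowercase hex characters; rows in this shape are
# the residual legacy data the article warns about.
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumption: bcrypt is replaced by PBKDF2-HMAC-SHA256 from the standard library
# so the example runs offline; the migration logic is identical.
PBKDF2_ITERATIONS = 200_000

def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow hash in a self-describing 'algo$iters$salt$dk' form."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_slow(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def is_legacy(stored: str) -> bool:
    return bool(LEGACY_MD5_RE.match(stored))

def audit_residual_legacy(users: dict) -> list:
    """Inventory step: which accounts still depend on the weak hash?"""
    return sorted(u for u, h in users.items() if is_legacy(h))

def login(users: dict, username: str, password: str) -> bool:
    """Verify a login and, if the row is still MD5, re-hash it on the spot."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, stored):
            return False
        users[username] = slow_hash(password)  # upgrade while the plaintext is in hand
        return True
    return verify_slow(password, stored)

def sample_store() -> dict:
    """Constructed sample data: one un-migrated MD5 row and one already-upgraded row."""
    return {
        "alice": hashlib.md5(b"correct horse").hexdigest(),
        "bob": slow_hash("battery staple"),
    }
```

Run the audit before and after a migration window: accounts that never log in keep their MD5 rows forever, and those are the ones to force-reset or retire.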

4. Anticipate the consequences

Currently, many companies don't seem to take their security seriously simply because they don't have to. According to Columbia Business School professor Shiva Rajgopal and Harvard Business School professor Suraj Srinivasan, investors only have to pay a pittance relative to the actual cost of a breach.

However, while the burden of responsibility on major companies isn't great currently, there are advocates who want to increase the cybersecurity liability of affected companies. And if a court case is brought, your company could lose big. Ashley Madison, for example, recently paid nearly $1.7 million to settle its case with the FTC over its data breach. Additionally, New York attorney general Eric T. Schneiderman has officially issued a statement regarding the Yahoo breach and begun to examine the circumstances of the breach.
