As the Yahoo story breaks, I will continue to preach the “due-diligence” approach. These attacks occur because companies do not pay attention. D33ds claims this is a “wake-up call” – I would say to everyone, not just Yahoo.
As the story breaks we are learning more details, but lets examine three areas of “fail” on Yahoo’s part from what is speculated at this point.
- Fail 1. Encrypting Data at Rest – The credentials were reported to be found in clear text
- Fail 2. Monitoring – It is reported that over 2,000 database tables and/or column names along with 298 MySQL variables were captured. The amount of network traffic this attack would have generated should of set off the lightest of IDS rules
- Fail 3. Least privilege – D33ds was reported to have gained administrative access to the database. Clearly the concept of least privileged was not used for the application service account
As a bonus, what happened to Security as part of the Development Life-cycle – How did a SQL-based injection make it to production?
“What constitutes proper due diligence?”
The answer: Due diligence is a relative term; properly inventorying assets and assessing risk enables an organization to recognize gaps and implement controls and/or mitigation processes and polices.
Understanding the business objectives, processes, and data provide organizations with a foundation for how to build the proper controls, processes, and policies.
The basics – such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least privileged account access are still being missed today. How we implement these items is specific to our business, but is crucial to staying safe.
Located in Pennsylvania, Jason Rhykerd, CISSP, is a security professional with over 10 years of experience in assessing, analyzing, and auditing IT security risk. Jason has worked in multiple industries including healthcare, manufacturing, nuclear power generation, and government.