Yahoo cybersecurity lead Bob Lord took to the stage at TechCrunch Disrupt Monday to discuss why Yahoo’s security efforts have fallen short and what others should take away from the company’s two historic data breaches.
“If you’re familiar with that effect that Alfred Hitchcock perfected — where things look like they’re sort of telescoping out. And you can still see everything but you still have this weird parallax going on,” Lord said. “I remember feeling that when I was putting all of the different pieces together. And that’s not a great feeling.”
Yahoo disclosed in September a breach affecting 500 million user accounts originating from 2014. Just months later, in December, Yahoo announced another theft of a billion records stemming from 2013, a year prior to the previously disclosed hack.
While the Justice Department in March indicted two FSB officers and two of their associates based in Russia and Canada for the 2014 breach, one of whom was already on the FBI “most wanted” cyber list, Lord was not able to provide answers regarding how personal data was collected from a billion accounts in 2013 and said we will “potentially” never know.
“To date, we have not been able to find the source of that intrusion to understand how it happened or to understand who it was. It is likely distinct from the 2014 attack, but again there is not enough information, not enough evidence, to say anything more at this point,” Lord said.
Lord points to a limited amount of logs as one of the potential reasons it has been extremely difficult to map the infiltration, especially given the fact they were such long-term compromises.
“You really have to find ways to keep logs for a much longer period of time than you would normally do. And in fact if the average time between intrusion and detection is six months, depending on who you listen to, you’re going to need to have to double that in order to account for other factors in your investigations.”
While reports, including a damning investigative piece from New York Times, suggest Yahoo did not invest in the proper resources to prevent cybersecurity breaches, Lord is confident Yahoo’s “red team” of penetration testers (who he calls “The Paranoids”) is more than capable and has received the support they’ve needed since his tenure began in October 2015.
“I’m unaware of any CISO (Chief Information Security Officer) who says, “I have everything all the time,”’ Lord said. “For me, that contention did not resonate with what I knew the culture to be.”
While Lord maintains a defense against the New York Times report, where insider sources claim CEO Marissa Mayer denied the security team financial resources and put off proactive security defenses, he does point to a disconnect between security practitioners and the executives as an area for future improvement.
“We try to dumb things down for them and it means you engage in these transactional relationships,” Lord said. “What matters is how the business thinks about security from a strategic standpoint and how people are engaged in their daily activities. It has to be a companywide initiative across all the different layers.”
News of the two large breaches in September and December came as Verizon planned a 4.8 billion dollar purchase of Yahoo. The negotiated acquisition deal reportedly dropped by 250 million after the revelation of the breaches, according to a Bloomberg report.
“If you’ve been in this business for more than a few years you’ve had your skirmishes, so I think the question is always really can you get enough of a root cause analysis to remediate? Can you demonstrate that there are any improvements in place and that the attackers are out of the network?” Lord said when asked about Yahoo’s reputational damage.
Bloomberg’s report indicates Verizon and Yahoo will share the legal responsibilities associated with the breach, as Yahoo is the subject of several class-action lawsuits by the victims of the mail spying. Mayer said in an earnings statement in April the deal is expected to close in June.