Question

Yahoo! has been the target of numerous hacks over the years. According to an article by Business Insider, much of Yahoo!’s vulnerability lies in a critical misalignment between the organization’s leadership and cybersecurity governance strategy.

Discuss how Yahoo! might have realigned its leadership and governance structure to mitigate the hack that occurred in 2014.

Also, provide examples of other organizations whose leadership and governance structures either hindered their ability to respond to a hack or that aided them in successfully responding to a hack in a timely manner.

Answer 1

The attack on Yahoo in 2014 was unprecedented in size, more than triple other large attacks on sites such as eBay Inc EBAY.O, and it comes to light at a difficult time for Yahoo.

1. Adopt a cybersecurity-conscious culture. The first, important step is to instill in the organization a security culture. To do that, a number of initiatives can be implemented to involve the entire staff (including management) in a collective effort towards the safeguard of the systems and data. For example, is an environment where everyone is aware of his or her own importance for the protection of the business; is and feels accountable; is encouraged to give contributions by sharing ideas and concerns which is the best ground for the proper receiving of security policies and awareness initiatives.
2. Develop an effective security plan coordinated with decision-makers.
   A plan must be in place to clearly describe how the organization stands and is progressing towards the safeguard of systems and data. It is essential, however, to secure the buy-in of the company decision-makers; C-suite and senior leaders and board members need to be aware of the security plans and needs of the organization, and they need to approve all strategies. Executives need to have the possibility to have a say on which assets to consider the most critical to protect and how much risk the organization is willing to take when making information security decisions. This is particularly important to ensure the adequate and timely funding of any needs the business might have to secure its systems or respond to incidents.
3. Apply user training and awareness.
   Investing in cyber awareness training, the most significant activator of cybersecurity readiness is one of the best possible moves. As many cyber threats exploit the human factor, it is fitting that a company invest not only in technical safeguards but also and especially in the workforce to improve its ability to adapt and thrive in an evolving threat landscape. Educating users on cyber risks while teaching best security practices helps reduce the likelihood of staff becoming easy targets via computer phishing, hacking or malware. A good awareness program is made of different phases and approaches as mentioned in The Components of Top Security Awareness Programs and is to be tailored to the organization, its requirement, and workforce. The key is that everyone is involved in training (management included) to convey the importance awareness has for the organization, and so that everyone feels a part of the company’s cyber resilience approach. A good security awareness program not only gives info and tips on how to spot and avoid common pitfalls but also puts in perspective for employees all the restrictive measures enforced by the organization and gives importance to all the often-cumbersome policies and procedures that are released; it also requires devising and implementing activities such as a self-assessment and program evaluation for the purpose to identify cyber improvements as well as gaps and deficiencies to be addressed.

4. Don’t be afraid to outsource your cybersecurity.
   Companies that lack trained staff or don’t have premise-based IT software and tools might consider outsourcing their cybersecurity functions to third-party experts that can work with the organization to neutralize any threats or attacks in a way that also ensures regulatory compliance. It is often possible that smaller companies might not see the need to hire personnel specifically for their cybersecurity needs or they might have a small office unable to provide all the functions necessary to secure systems and data 24/7. Thus, an outsourced security program can give quick access to specialized, fully trained professionals that can fill staff gaps and ensure the protective services needed by the company. Cyber Security-as-a-Service, a cloud Managed Security Service Provider (MSSP), or a Cloud Security Operations Center (SOC) can be the best solution for defending against network attacks around-the-clock and keep up with the constant threats in cyberspace without adding personnel costs.

   Some companies see outsourcing as a risky business and fear the amount of exposure they will need to allow to the third-party company, but contacting reputable companies with a proven track record, signing explicit agreements and allowing the least possible access to systems and data as necessary for an external contracted third party to perform their function can help mitigate any risks. The same precautions can be taken when employing knowledgeable outside experts to test the systems. As well, vulnerability or security assessments can often be provided by an outside professional, such as a penetration tester, that can give a company options that an on-site security team cannot provide; penetration testing from within the premises or from outside the network perimeters, performed with or without the knowledge of the company’s own security team is capable of disclosing vulnerabilities that can help gain a deeper understanding of threat actors in order to provide the essential intelligence needed for decision-makers to take the most efficient steps towards improving cybersecurity with targeted investments.

5. Implement a security assessment program to identify risks, threats, and vulnerabilities. This is a crucial step to assess the security posture of a company and measure objectively any progress due to the implementation of new programs, technical countermeasures, and training. Companies need to make a full assessment of current risks, threats, and vulnerabilities while addressing them through metrics against which to objectively gauge efforts. Using pre-defined scales (e.g., Low-Medium-High), a business can assess the consequences and impact of each activity or the likelihood of particular kind of cyber threat activity separately and devise how to mitigate the most significant problems first. This insight will then help determine how to handle specific circumstances using a methodology that is entirely appropriate for the company and to determine the best approaches in protecting a system against a specific threat or known weakness of an asset/resource that can be exploited by one or more attackers. An assessment, above all, helps organizations promote a risk-aware culture.
6. Employ a purpose-made cybersecurity policy. This is another essential part of any company’s security program. A good cybersecurity policy addresses several needs: it can raise awareness of the potential risks and give insight on possible vulnerabilities and how they can be corrected, so that employees can be better equipped to prevent them; it gives clear guidelines on the acceptable use of all digital assets and data in the company; it describes the goals of the procedures and embodies all the detailed actions that personnel are required to follow and that are crucial to an organization’s success; it outlines where to look for help and where to report cyber-related issues; and it, of course, defines disciplinary consequences for out-of-policy actions. A well-thought-out IT policy, then, must strike the right balance between business requirements and security needs; this will require continuously refreshing the document
   to make sure it is in line with the demands of new technologies and addresses issues that arise in the ever-changing cyber threat landscape. If the organization, due to its size or scope, believes a cyber-policy may be unnecessary, it should at least consider providing a quick review of guidelines that might be readily available for staff to follow.
7. Acquire cyber insurance for potential costly outcomes.
   Adding cyber insurance can really help safeguard a business, as it covers first-party losses and third-party claims. Such insurance will not help protect digital assets but might mitigate some of the economic effects of an incident and/or provide defense and liability coverage for any data breach cases that might result in litigation. Regulatory fines, lawsuits, damage to the reputation of the organization’s brand, recovery of data as well as hardware repairs and software protection due to cyber-related security breaches or otherwise harmful events might be covered, so companies should carefully evaluate what are the most cost-effective options for their needs (an insurance policy checklist might help with this effort). As always, a credible, reputable, industry-known cyber insurance provider should be chosen.
8. Work to achieve resilience, not to merely avoid risk. Leaders need to concentrate on the resilience of their entire organization, as risks can be mitigated but not eliminated. The first step is obviously hardening the network through monitoring tools and technical countermeasures. However, managers should pay attention to the implementation of technical and administrative controls and personally review the results of any security assessments and testing to get an understanding of where attention is needed. Working on strengthening the company’s security posture, rather than concentrating mainly on incident response, can go a long way in protecting the business and ensure its quick recovery in case of trouble.ETHICAL HACKING TRAINING – RESOURCES (INFOSEC)
9. Don’t exist in a vacuum. Many companies are used to guard themselves against their competitors but collaborating with others in their own industry when it comes to IT security could be a winning strategy. Sharing information with similar companies nationwide or even abroad can facilitate the sharing of lessons learned, the identification of trends and common warning signs. It also aids the creation of new standards and, in general, strengthen the resilience of the entire industry to attacks.
10. Always have a plan B. This entails a backup plan. Proper disaster management and business continuity plan, as well as an effective data recovery strategy, can make the difference after an incident and allow for quick come back and less financial impact. Leaders can have a role in identifying the needed recovery tempo through the preparation of a business impact analysis (BIA) created with the data gathered during assessments. The recovery time for IT resources and operations need to align with the recovery time objective identified for all business functions and processes.

Marriott/Starwood

In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.

The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.