Incident Handling & Response
YAHOO – UNAUTHORIZED ACCESS (DATA BREACH)
Reported By
SATHISH KUMAR
Yahoo – Unauthorized Access Data Breach
Page 1 of 11
Table of Contents
Yahoo – Unauthorized Access Data Breach (page 2)
  Incident Description (page 2)
  Indicators (page 3)
    1. Possible indicators (page 3)
    2. Probable indicators (page 3)
    3. Definite indicators (page 3)
  Incident Response Plan - During an Attack (page 4)
    1. Preparation (page 4)
    2. Detection and Analysis (page 5)
    3. Communication (page 6)
    4. Activation and Response (page 6)
    5. Containment (page 6)
  Incident Response Plan - After an Attack (page 7)
    1. Eradication / Remediation (page 7)
    2. Recovery / Resolution (page 7)
    3. After-Action Analysis (page 8)
  Incident Response Plan - Before an Attack (page 9)
    1. Preventive Measures (page 9)
    2. Preparations of the IR Team (page 9)
    3. Training the CSIRT (page 10)
    4. Selecting and Maintaining Tools (page 10)
    5. Training the Users (page 10)
    6. Testing the IR Plan (page 11)
  References (page 11)
Yahoo – Unauthorized Access Data Breach
Incident Description
Yahoo was the victim of a significant cyberattack in 2013, the largest known attack on its
computer network. Sensitive information from all three billion user accounts, including names,
birth dates, phone numbers, and passwords, was accessed by cybercriminals. In addition, the
attackers acquired backup email addresses and security questions, details that are useful for
breaking into other accounts belonging to the same user.
The cyberattack seriously hurt Yahoo's reputation and business operations. The disclosure of the
vulnerabilities nearly derailed the company's $4.48 billion (about $14 per person in the US) sale to
Verizon. Because of the security breaches, Verizon lowered its original offer by $350 million. After
the breaches were made public, Yahoo faced several shareholder lawsuits, which might
have increased Verizon's financial obligations.
In addition, the attack had a serious negative effect on the affected users. The risk of account
takeovers and email phishing was higher because many of the three billion Yahoo accounts
belonged to customers who reused their login credentials across numerous websites, products,
and services. With the information they obtained, the attackers might be able to access the
victims' bank accounts.
The incident also affected cybersecurity practice more broadly. Security experts noted that the
breach highlighted the risks of password reuse and underlined the importance of using stronger
passwords going forward. It raised concerns about nation-state hacking and cyber warfare, since
the attackers were thought to be Russian and potentially connected to the Russian government.
In summary, both Yahoo and its customers suffered significantly because of the 2013 cyberattack
on the company. The incident highlighted the importance of security and the risks of password
reuse, and it raised concerns about nation-state surveillance and cyber warfare. To protect their
operations and reputation, organizations must take proactive measures to protect their
networks and stop cyberattacks.
Indicators
1. Possible indicators – Some of the possible indicators that applied to Yahoo:
• A high percentage of failed login attempts
• An increase in phishing attacks against Yahoo customers or employees
• Suspicious email behaviour, such as a rise in the number of emails sent or received
• Unexpected changes to user accounts
• Logins from unknown locations or unrecognised network devices
• Unusual network traffic patterns
2. Probable indicators – Some of the probable indicators that applied to Yahoo:
• An increase in Yahoo's distribution of security updates or patches
• Suspicious or unusual network traffic patterns originating from multiple locations
• Many reports of suspicious behaviour from different users' accounts
• Increasing instances of phishing attacks targeting employees
3. Definite indicators – Some of the definite indicators that applied to Yahoo:
• Exposure of confidential user account information, e.g.
o Phone numbers
o Email addresses
o Dates such as birthdays
o Security questions and responses
• Damage to Yahoo's reputation and a drop in its stock price
• Evidence of state-sponsored hackers' participation in the cybercrime
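As an added example that is not part of the original report: the first two possible indicators above (a high rate of failed login attempts and logins from unknown locations) can be turned into concrete checks over authentication logs. The log lines and their field layout below are constructed for this example, and the failure threshold, time window and per-user known-location table are assumptions a team would tune against its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Yahoo data); the line format is hypothetical.
SAMPLE_LOG = """\
2013-08-14T10:00:01Z login user=alice result=OK src=198.51.100.4 geo=US
2013-08-14T10:00:05Z login user=bob result=FAIL src=203.0.113.7 geo=RU
2013-08-14T10:00:06Z login user=carol result=FAIL src=203.0.113.7 geo=RU
2013-08-14T10:00:07Z login user=dave result=FAIL src=203.0.113.7 geo=RU
2013-08-14T10:00:08Z login user=erin result=FAIL src=203.0.113.7 geo=RU
2013-08-14T10:00:09Z login user=frank result=FAIL src=203.0.113.7 geo=RU
2013-08-14T10:00:30Z login user=alice result=OK src=203.0.113.9 geo=RU
2013-08-14T10:01:00Z login user=bob result=FAIL src=198.51.100.8 geo=US
2013-08-14T10:01:10Z login user=bob result=OK src=198.51.100.8 geo=US
"""

# Assumed per-user history of locations seen during normal operation (the baseline).
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside any sliding `window`.

    A single source failing against many different accounts in seconds is the
    pattern behind the 'high percentage of failed login attempts' indicator.
    Returns {source: peak failures in one window}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def unknown_location_logins(events, known_geo):
    """Successful logins from a geo that is not in the user's known-location set."""
    hits = []
    for e in events:
        if e["result"] == "OK" and e["geo"] not in known_geo.get(e["user"], set()):
            hits.append((e["user"], e["src"], e["geo"]))
    return hits


def failure_ratio(events):
    """Share of login events that failed; compared against the normal baseline rate."""
    fails = sum(1 for e in events if e["result"] == "FAIL")
    return fails / len(events) if events else 0.0


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("failure ratio:", round(failure_ratio(evts), 2))
    print("burst sources:", failed_login_bursts(evts))
    print("unknown-location logins:", unknown_location_logins(evts, KNOWN_GEO))
```

Each check is deliberately a "possible" indicator: a burst of failures can also be a misconfigured client, and a new location can be a travelling user, so the output feeds the Detection and Analysis step rather than triggering containment on its own.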
Incident Response Plan - During an Attack
The following steps should be taken during an attack to minimize the impact of the data breach.
1. Preparation:
The objective of this phase is to prepare Yahoo to respond effectively to information
security incidents.
The required preparation categories are:
a. Team Members:
For effective preparation and management of incidents, Yahoo maintains a dedicated
incident response team. The primary role of this team is to investigate and analyze
any security breach event and take appropriate corrective action.
b. Asset Identification / Classification:
Yahoo should identify and prioritize its critical assets and data, which will help in
determining the level of response required for each asset in case of an incident.
Additionally, Yahoo should conduct regular vulnerability assessments and penetration testing
to detect any potential weaknesses in its security systems.
2. Detection and Analysis:
The detection and analysis procedure is a crucial part of the incident response plan during
an incident involving unauthorized access. This process enables the team to swiftly pinpoint
the incident's origin and extent, gauge its possible consequences, and put efficient
mitigation strategies in place.
The first step is to investigate the breach to ascertain where it happened, what information
was compromised, and how the attacker gained access to the network and compromised
systems. In general, incidents are detected from either external or internal sources.
a. External Detection: If the incident report originates from outside the organization, verify
the reporting individual's identity and affiliation before proceeding further.
b. Internal Detection: Yahoo's IT team and customers should be familiar with their
systems, so they can determine whether an event constitutes an information security incident.
The IT team reviews its systems and logs to identify deviations from normal operations.
c. Common indicators that a computer, device, or system may be compromised include:
• Alerts from monitoring tools (endpoint protection such as Defender, anti-malware, etc.).
• Unexpected accounts or permission changes.
• Unexpected running processes.
• Unexpected configuration changes to network settings, sessions, and ports.
• Altered DNS or ARP tables, or changes to the content of the hosts file.
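The host indicators above (new accounts, permission changes, unexpected processes and ports, altered hosts entries) are only recognisable as deviations if a known-good baseline exists, which is why the plan captures one in the Preparation phase and compares against it again during Recovery. As an added example that is not part of the original report or any Yahoo tooling, the checker below diffs a current host snapshot against that baseline. Both snapshots are constructed, and the snapshot layout (account names mapped to group memberships, process and port sets, a hosts map) is an assumption; a real deployment would fill it from the host's own inventory tools.

```python
# Constructed baseline snapshot, standing in for the one captured in the Preparation phase.
BASELINE = {
    "accounts": {"root": {"sudo"}, "svc-mail": set(), "alice": {"users"}},
    "processes": {"sshd", "postfix", "nginx"},
    "listening_ports": {22, 25, 443},
    "hosts": {"localhost": "127.0.0.1", "mail.example.test": "10.0.0.5"},
}

# Constructed current snapshot of the same host, with several deviations planted.
CURRENT = {
    "accounts": {"root": {"sudo"}, "svc-mail": {"sudo"}, "alice": {"users"},
                 "support2": {"sudo"}},
    "processes": {"sshd", "postfix", "nginx", "kworkerd"},
    "listening_ports": {22, 25, 443, 4444},
    "hosts": {"localhost": "127.0.0.1", "mail.example.test": "203.0.113.50"},
}


def compare_snapshots(baseline, current):
    """Return (category, description) findings for every deviation from the baseline.

    Categories map to the indicator list: account, permission, process, port, hosts.
    """
    findings = []

    # Accounts: anything created or removed since the baseline was taken.
    for user in current["accounts"].keys() - baseline["accounts"].keys():
        groups = sorted(current["accounts"][user])
        findings.append(("account", f"new account {user} groups={groups}"))
    for user in baseline["accounts"].keys() - current["accounts"].keys():
        findings.append(("account", f"account {user} removed"))

    # Permissions: an existing account that gained group membership (privilege change).
    for user in baseline["accounts"].keys() & current["accounts"].keys():
        added = current["accounts"][user] - baseline["accounts"][user]
        if added:
            findings.append(("permission", f"{user} gained groups {sorted(added)}"))

    # Processes and listening ports that were not running/open at baseline time.
    for proc in current["processes"] - baseline["processes"]:
        findings.append(("process", f"unexpected process {proc}"))
    for port in current["listening_ports"] - baseline["listening_ports"]:
        findings.append(("port", f"new listening port {port}"))

    # Hosts file: new names, or a known name now resolving elsewhere (redirection).
    for name, ip in current["hosts"].items():
        old = baseline["hosts"].get(name)
        if old is None:
            findings.append(("hosts", f"new hosts entry {name} -> {ip}"))
        elif old != ip:
            findings.append(("hosts", f"hosts entry {name} changed {old} -> {ip}"))

    return findings


def summarize(findings):
    """Count findings per indicator category, for the incident handler's report."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, message in compare_snapshots(BASELINE, CURRENT):
        print(f"[{category}] {message}")
    print(summarize(compare_snapshots(BASELINE, CURRENT)))
```

Comparing a snapshot against an identical baseline yields no findings, which is the condition the Recovery step looks for before a system is brought back online; a non-empty result is an input to analysis, since a legitimate change (a planned deployment, a new administrator) produces the same diff as a compromise.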
3. Communication:
Once a breach is confirmed, the response team should inform the logistics team, which
notifies the corresponding business units to cease work on the compromised data. The
Legal, Compliance and Risk Management teams should also be included in this notification.
4. Activation and Response:
It is mandatory to activate Yahoo's Major Risk Incident process. The purpose of this process
is to bring all required parties and teams together on the bridge call and to update
management on the expected timing and frequency of response updates.
5. Containment:
Yahoo's priority is to contain the incident. An incident is considered contained when
no additional harm can be caused and the incident handler can focus on remediation.
Containment consists of the following stages:
a. Short-term containment to stop the progress of the incident or attacker, comprising:
• Quarantine (confine the incident to the Yahoo network and keep Yahoo from spreading the
attack to anyone else).
• Isolation (cut the affected systems off so they cannot attack any other systems
within Yahoo, including servers).
• Information gathering, covering affected (or potentially affected) individuals
and systems.
b. Long-term containment, including making changes to the production system.
Incident Response Plan - After an Attack
1. Eradication / Remediation:
The next stage for the incident response team is to pinpoint the incident's underlying cause
and take corrective measures to stop a recurrence.
The necessary remedial actions are listed below:
a. Identify the incident's cause(s) and symptoms and record them.
b. Isolate the attack based on information gathered during the detection phase.
c. Determine how the attack was executed.
d. Remove vulnerabilities and artifacts (e.g., rootkits, compromised applications, drivers,
modules) left by the incident. Check whether the Disaster Recovery (DR) site is affected.
e. Perform a risk assessment, network vulnerability assessment, penetration testing and any
other assessments required by the legal team to determine whether a weakness remains that
could be targeted.
f. Restore data from backup. Also, if the DR site is not affected, perform a failover
for business continuity.
2. Recovery / Resolution:
In this stage the team takes steps to restore the affected systems and resume production
with the utmost care to prevent any recurrence of the incident. This stage also involves
critical decisions about the suitable time for restoring operations, the restoration
methods, and how long to monitor the impacted system in production to ensure it has
returned to normal.
a. Handle Incident Resolution:
Review the root cause derived from the Eradication process with the required team
members, including the Incident Response Team, HR, Legal/Risk and Compliance,
Public Relations, IT, etc. After confirmation from all these teams, proceed to the Incident
Resolution step.
b. Verify system performance and security before the system is brought back online.
c. Complete tests and compare against baseline system activity (gathered in the Preparation
phase) to ensure the system is verified before operations are restored.
d. Schedule an after-action analysis meeting with the required team (within two weeks).
e. Send detailed RCA/resolution information as the incident closure notification to the
appropriate teams.
f. Close the incident.
g. Work with the affected area/unit to identify and recommend changes to
business, operational, or functional processes to reduce the risk of incident recurrence.
3. After-Action Analysis:
Yahoo collects and shares relevant after-action analysis documentation with
stakeholders, as identified by the communication plan and strategy.
This phase is performed within two weeks of the occurrence of the incident. The actions
included in this phase are:
a. Collecting Data: Gathering information on the incident response operation is the first
step in after-action analysis. This covers information on the incident itself, on the
organization's response to it, and relevant information from affected business units.
b. Analyzing Data: The next stage is to analyze the data gathered to find the incident
response operation's strengths and flaws, by examining incident response protocols and
plans and speaking with the personnel engaged in the response.
c. Identifying Lessons Learned: Based on the analysis, the following step is to identify the
lessons from the incident response operation. This can entail recognizing both areas that
could be improved and the best practices that worked well during the operation.
d. Developing Recommendations: The next phase is to create suggestions for enhancing
the organization's incident response capabilities based on the lessons learnt. These
suggestions can involve updating security controls, adding to incident response
protocols, or providing more staff training.
e. Implementing Changes: Putting the suggested adjustments to the organization's incident
response capabilities into practice is the final step in the after-action analysis.
This may include updating incident response plans and procedures, implementing new
security controls, or providing additional training to personnel.
Incident Response Plan - Before an Attack
The Computer Security Incident Response Team (CSIRT) should develop and periodically test an
incident response plan (IRP) to ensure that it is effective before a security incident takes
place. This section discusses measures that can be implemented to prepare prior to an incident.
1. Preventive Measures
To manage the risks associated with a particular attack, the organization must implement
preventive measures. These measures include:
• Vulnerability Assessment: A vulnerability assessment must be performed on the IT
infrastructure to identify potential weaknesses that could be exploited by attackers.
• Penetration Testing: A penetration test should be conducted to identify vulnerabilities that
are not identified by a vulnerability assessment.
• Access Control: The organization should implement appropriate access controls to ensure
that only authorized personnel have access to sensitive data and systems.
• Security Awareness Training: Employees should receive regular security awareness
training to help them recognize and report security incidents.
• Security Patches: Security patches should be installed on all endpoints to fix known
vulnerabilities.
• Firewall: A firewall can be used to prevent unauthorized access to the network (hardware-
based or software-based).
• Anti-virus/Anti-malware Software: Anti-virus/anti-malware software can be installed on
all endpoints to detect and remove malicious software.
2. Preparations of the IR Team
The Incident Response (IR) team should be prepared to handle a security incident. The
following preparations are necessary:
• Define Roles and Responsibilities: The organization should define the roles and
responsibilities of the IR team members. Each member should know their role in the IR
process.
• Communication Plan: The organization should have a communication plan in place to
ensure that all stakeholders are notified of an incident promptly.
• Document IR Procedures: The organization should document the IR procedures to ensure
that the team members follow the same procedures during an incident.
3. Training the CSIRT
The Computer Security Incident Response Team (CSIRT) must be trained to deal with
incidents, and the training should include:
• Technical Training: CSIRT members should receive technical training to ensure that they
can handle the incident.
• Soft Skills Training: CSIRT members should receive soft skills training to ensure that they
can communicate effectively with stakeholders during an incident.
• Tabletop Exercises: The CSIRT should participate in tabletop exercises to simulate an
incident and identify areas that need improvement.
4. Selecting and Maintaining Tools
The organization should select and maintain the tools used by the CSIRT. The tools should be
updated regularly to ensure that they can handle the latest threats. The tools include:
• Incident Response Platform: The organization should have an incident response platform
in place to manage the incident.
• Forensic Tools: The organization should have forensic tools in place to analyze the
incident.
• Threat Intelligence: The organization should have access to threat intelligence to identify
potential threats.
5. Training the Users
Training the users is an essential part of the IR plan. The following training should be provided
to users:
• Security Awareness Training: Users should receive security awareness training to help
them recognize and report security incidents.
• Responsible Use Policy: The organization should have a responsible use policy in place
to ensure that users understand the acceptable use of the IT infrastructure.
• Incident Reporting: Users should know how to report a suspected incident and whom to
report it to.
6. Testing the IR Plan
Testing the IR plan is essential to ensure that it works as expected. The following strategies
can be used to test the IR plan:
• Desk Check: The IR team members should review the IR plan to ensure that it is accurate
and up to date.
• Structured Walk-through: The IR team members should walk through the IR plan to
identify areas that need improvement.
• Simulation: The IR team members should simulate an incident to test the IR plan.
• Parallel Testing: The IR team members should perform a parallel test to ensure that the
IR plan does not halt the operations of the business functions.
References:
• All 3 billion Yahoo Accounts Were Affected by the 2013 Attack
https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
• Users of Yahoo say all three billion accounts were hacked in 2013 data theft.
https://www.reuters.com/article/us-yahoo-cyber-idUSKCN1C82O1
• NIST SP 800-61r2, Computer Security Incident Handling Guide
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
• NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systems and
Organizations
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
• ISO/IEC 27035-1:2016, Information technology - Security techniques - Information security
incident
https://www.amnafzar.net/files/1/ISO%2027000/ISO%20IEC%2027035-1-2016.pdf
• ISO/IEC 27035-2:2016, Information technology - Security techniques - Information security
incident
https://www.amnafzar.net/files/1/ISO%2027000/ISO%20IEC%2027035-2-2016.pdf

 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 

Recently uploaded (20)

Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 

Incident handling and Response - YAHOO UNAUTHORIZED ACCESS (DATA BREACH).pdf

Incident Handling & Response
YAHOO – UNAUTHORIZED ACCESS (DATA BREACH)
Reported by: Sathish Kumar

Table of Contents
Yahoo – Unauthorized Access Data Breach
  Incident Description
  Indicators
    1. Possible indicators
    2. Probable indicators
    3. Definite indicators
  Incident Response Plan - During an Attack
    1. Preparation
    2. Detection and Analysis
    3. Communication
    4. Activation and Response
    5. Containment
  Incident Response Plan - After an Attack
    1. Eradication / Remediation
    2. Recovery / Resolution
    3. After-Action Analysis
  Incident Response Plan - Before an Attack
    1. Preventive Measures
    2. Preparation of the IR Team
    3. Training the CSIRT
    4. Selecting and Maintaining Tools
    5. Training the Users
    6. Testing the IR Plan
  References
Yahoo – Unauthorized Access Data Breach

Incident Description

Yahoo was the victim of a significant cybersecurity attack in 2013, the largest known attack on its computer network. Sensitive information from all three billion user accounts, including names, dates of birth, phone numbers and hashed passwords, was accessed by the attackers. The attackers also obtained backup email addresses and security questions and answers, details that are useful for breaking into other accounts belonging to the same users.

The attack seriously damaged Yahoo's reputation and business operations. Disclosure of the breaches nearly derailed the company's $4.83 billion sale to Verizon; Verizon cut its original offer by $350 million, to $4.48 billion. After the breaches were made public, Yahoo was subject to several shareholder lawsuits, which might have increased Verizon's financial obligations.

The attack also had a serious effect on the affected users. Because many of the three billion Yahoo accounts belonged to customers who reused their login details across numerous websites, products and services, there was a higher risk of account takeover and email phishing. The information obtained could also let the attackers reach the victims' bank accounts.

The incident also affected cybersecurity more broadly. Security experts noted that the breach highlighted the risks of password reuse and underlined the importance of using stronger, unique passwords. It raised concerns about nation-state hacking and cyber warfare, since the attackers were thought to be Russian and potentially connected to the Russian government (the intrusion that was publicly attributed to Russian state actors was Yahoo's separate 2014 breach; the 2013 breach was disclosed in 2016, and its full scope of three billion accounts in 2017).

In summary, both Yahoo and its customers suffered significantly because of the 2013 attack. It highlighted the importance of security and the risks of password reuse, and it raised concerns about nation-state cyber espionage and cyber warfare. To protect their operations and reputation, organizations must take proactive measures to protect their networks and stop cyberattacks.
Indicators

1. Possible indicators – Signals that may point to an attack of the kind Yahoo suffered:
• A high percentage of failed login attempts
• An increase in phishing attacks against Yahoo customers or employees
• Suspicious email behaviour, such as a rise in the number of emails sent or received
• Unexpected changes to user accounts
• Logins from unknown locations or unrecognised network devices
• Unusual network traffic patterns

2. Probable indicators – Signals that make an attack likely:
• An increase in Yahoo's distribution of security updates or patches
• Suspicious network traffic patterns originating from multiple locations
• Many reports of suspicious behaviour from different users' accounts
• Increasing instances of phishing attacks targeting employees

3. Definite indicators – Signals that confirm an attack has occurred:
• Exposure of confidential user account information, e.g.
  o Phone numbers
  o Email addresses
  o Dates of birth
  o Security questions and answers
• Damage to Yahoo's reputation and a drop in its stock price
• Evidence of state-sponsored hackers' involvement in the cybercrime
Incident Response Plan - During an Attack

The following steps should be taken during an attack to minimize the impact of the data breach.

1. Preparation:
The objective of this phase is to prepare Yahoo to respond effectively to information security incidents. The required preparation categories are:
a. Team Members: For effective preparation and management of incidents, Yahoo maintains a dedicated incident response team. The primary role of this team is to scrutinize and analyze any security data breach event and take appropriate corrective action.
b. Asset Identification / Classification: Yahoo should identify and prioritize its critical assets and data, which determines the level of response required for each asset in case of an incident. Additionally, it should conduct regular vulnerability assessments and penetration tests to detect potential weaknesses in its security systems.
2. Detection and Analysis:
The detection and analysis procedure is a crucial part of the incident response plan during an incident involving unauthorized access. This process enables the team to swiftly pinpoint the incident's origin and extent, gauge its possible consequences, and put efficient mitigation strategies in place. The first step is to investigate the breach to ascertain where it happened, what information was compromised, and how the attacker gained access to the network and compromised systems. In general, incidents are detected from either external or internal sources.
a. External Detection: If the report originates from outside the organization, verify the reporter's identity and affiliation before proceeding.
b. Internal Detection: Yahoo's IT team and users should be familiar with their systems so they can recognise when an event constitutes an information security incident. The IT team reviews systems and logs to identify deviations from normal operations.
c. Common indicators that a computer, device, or system may be compromised:
• Alerts from monitoring tools (Defender, anti-malware, etc.)
• Unexpected accounts or permission changes
• Unexpected running processes
• Unexpected configuration changes to the network, sessions, or ports
• Altered DNS or ARP tables, or changes to the contents of the hosts file
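As an added example (not part of the original report and not Yahoo's tooling), the Python script below turns three of the login-related signals from the Indicators section and the log review described in Internal Detection into concrete checks: a burst of failed logins against many users from one source, a successful login from a country the user has never used, and a success that follows a run of failures for the same user. The log line format, the per-user location baseline, the sample log lines and the thresholds are all constructed for this example.

```python
"""Detection logic for the login indicators above, run over constructed auth log lines.

Added example, not from the original report. The line format
"<ISO 8601 UTC timestamp> <user> <src_ip> <country> <OK|FAIL>", the baseline
and the thresholds are assumptions; a real deployment reads the provider's own logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<user>\S+) "
    r"(?P<ip>[\d.]+) (?P<cc>[A-Z]{2}) (?P<result>OK|FAIL)$"
)

# Constructed sample log: a password spray from 203.0.113.5, a brute force that
# lands on carol, and a later login for bob from a country never seen before.
SAMPLE_LOG = """\
2013-08-01T10:00:01Z alice 198.51.100.7 US OK
2013-08-01T10:00:30Z bob 198.51.100.8 US OK
2013-08-01T10:01:00Z alice 203.0.113.5 BR FAIL
2013-08-01T10:01:05Z bob 203.0.113.5 BR FAIL
2013-08-01T10:01:10Z carol 203.0.113.5 BR FAIL
2013-08-01T10:01:12Z carol 203.0.113.5 BR FAIL
2013-08-01T10:01:14Z carol 203.0.113.5 BR FAIL
2013-08-01T10:01:15Z dave 203.0.113.5 BR FAIL
2013-08-01T10:01:20Z erin 203.0.113.5 BR FAIL
2013-08-01T10:01:25Z carol 203.0.113.5 BR OK
2013-08-01T10:02:00Z frank 198.51.100.9 US FAIL
this line is malformed and is skipped, not parsed
2013-08-01T10:45:00Z alice 198.51.100.7 US OK
2013-08-01T11:00:00Z bob 192.0.2.44 DE OK
"""

# Constructed baseline: countries each user normally logs in from.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse(lines):
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def spraying_sources(events, window=timedelta(minutes=5), min_fail=5, min_users=3):
    """Source IPs with >= min_fail failures against >= min_users users inside one window.

    Returns {ip: peak failures seen in any window}. Many different users from one
    source is the signature of password spraying rather than one user mistyping.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding window over time-sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= min_fail and len({e["user"] for e in span}) >= min_users:
                hits[ip] = max(hits.get(ip, 0), len(span))
    return hits


def unknown_location_logins(events, known=KNOWN_LOCATIONS):
    """Successful logins from a country not in the user's baseline."""
    return [
        (e["user"], e["ip"], e["cc"])
        for e in events
        if e["result"] == "OK" and e["cc"] not in known.get(e["user"], set())
    ]


def success_after_failures(events, window=timedelta(minutes=10), min_fail=3):
    """A success for a user preceded by >= min_fail failures within the window."""
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    hits = []
    for e in events:
        fails = recent[e["user"]]
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)  # expire failures older than the window
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= min_fail:
            hits.append((e["user"], e["ip"], len(fails)))
            fails.clear()
    return hits


def analyse(lines, known=KNOWN_LOCATIONS):
    """Run all three checks over raw log lines and return the findings by name."""
    events = parse(lines)
    return {
        "password_spray_sources": spraying_sources(events),
        "unknown_location_logins": unknown_location_logins(events, known),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {finding}")
```

The thresholds are deliberately conservative defaults; tuning them against a week of normal logs (the baseline gathered in the Preparation phase) is what separates a usable alert from noise. The malformed line in the sample shows the parser skipping rather than failing, since a detector that crashes on one bad record is itself a gap an attacker can exploit.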
3. Communication:
Once a breach is confirmed, the response team should inform the logistics team, which notifies the corresponding business units to cease work involving the compromised data. The Legal, Compliance and Risk Management teams are notified as well.

4. Activation and Response:
Yahoo's Major Risk Incident process must be activated. Its purpose is to bring all required parties and teams together on a bridge call and to agree with management on the timing and frequency of response updates.

5. Containment:
Yahoo's priority is to contain the incident. An incident is considered contained when no additional harm can be caused and the incident handler can focus on remediation. Containment consists of two stages:
a. Short-term containment, to stop the progress of the incident or attacker. It has three parts:
• Quarantine (containing the incident within the Yahoo network and keeping Yahoo from spreading the attack to anyone else).
• Isolation (cutting the affected systems off so they cannot attack any other systems within Yahoo, including servers).
• Information gathering, including affected (or potentially affected) individuals and systems.
b. Long-term containment, including making changes to the production system.
Incident Response Plan - After an Attack

1. Eradication / Remediation:
The next stage for the incident response team is to pinpoint the incident's underlying cause and take corrective measures to stop a recurrence. The necessary remedial actions are:
a. Identify and record the incident's cause(s) and symptoms.
b. Isolate the attack based on information gathered during the detection phase.
c. Determine how the attack was executed.
d. Remove vulnerabilities and artifacts (e.g. rootkits, compromised applications, drivers, modules) left by the incident. Check whether the Disaster Recovery (DR) site is affected.
e. Perform a risk assessment, network vulnerability assessment, penetration test and any further assessments required by the legal team to determine whether a weakness remains that could be targeted.
f. Restore data from backup. If the DR site is not affected, perform a failover for business continuity.

2. Recovery / Resolution:
In this stage the team restores the affected systems and resumes production with the utmost care to prevent any recurrence of the incident. It also involves critical decisions about the suitable time to restore operations, the methods to use, and how long to monitor the impacted systems in production to ensure normality.
a. Handle Incident Resolution: Review the root cause derived from the Eradication phase with the required team members, including the Incident Response Team, HR, Legal/Risk and Compliance, Public Relations, IT, etc. Proceed to the Incident Resolution step only after confirmation from all these teams.
b. Verify system performance and security before bringing systems back online.
c. Complete tests and compare against the baseline system activity (gathered in the Preparation phase) to verify the system before operations are restored.
d. Schedule an after-action analysis meeting with the required team (within two weeks).
e. Send the detailed RCA/resolution information as the incident closure notification to the appropriate teams.
f. Close the incident.
g. Work with the affected area/unit to identify and recommend changes to business, operational, or functional processes to reduce the risk of recurrence.

3. After-Action Analysis:
Yahoo collects and shares relevant after-action analysis documentation with stakeholders, as identified in the communication plan and strategy. This phase is performed within two weeks of the incident and comprises the following actions:
a. Collecting Data: The first step is to gather information on the incident response operation, covering both the incident itself and the organization's response to it, including relevant information from affected business units.
b. Analyzing Data: The next step is to analyze the data gathered to find the strengths and flaws of the incident response operation, by examining incident response protocols and plans and interviewing the personnel engaged in the response.
c. Identifying Lessons Learned: Based on the analysis, identify the lessons from the incident response operation, recognising both areas that need development and the practices that worked well during the operation.
d. Developing Recommendations: Based on the lessons learned, create recommendations for enhancing the organization's incident response capabilities, such as updating security controls, extending incident response protocols, or training more staff.
e. Implementing Changes: The final step is to put the recommended adjustments into practice. This may include updating incident response plans and procedures, implementing new security controls, or providing additional training to personnel.
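Recovery step c compares the rebuilt system against the baseline captured in Preparation, and Eradication step d requires that attacker artifacts are gone before that happens. The Python script below is an added example (not from the original report, and not Yahoo's tooling) of that gate: it diffs a baseline snapshot of file hashes, running processes, listening ports and local accounts against a post-eradication snapshot and refuses restoration if anything deviates. Both snapshots are constructed dicts; the paths, process names, port numbers and account names are assumptions for the example, and in practice a collector on the host would produce them.

```python
"""Verify a host against its Preparation-phase baseline before returning it to production.

Added example, not from the original report or Yahoo's tooling. The snapshots are
constructed; a real collector would hash the listed files and enumerate processes,
listening ports and local accounts on the host being checked.
"""
import hashlib


def sha256_text(text):
    """Digest helper so the constructed snapshots carry real SHA-256 values."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed baseline taken from a clean build during Preparation.
BASELINE = {
    "files": {
        "/etc/hosts": sha256_text("127.0.0.1 localhost\n"),
        "/etc/crontab": sha256_text("0 3 * * * root /usr/local/bin/backup\n"),
        "/usr/sbin/sshd": sha256_text("sshd-binary-placeholder"),
    },
    "processes": {"sshd", "nginx", "cron"},
    "listen_ports": {22, 443},
    "accounts": {"root", "www-data", "svc_backup"},
}

# Constructed snapshot of the same host after an incomplete eradication: an
# altered hosts file, a dropped binary, an extra listener and an extra account,
# the kinds of artifact Eradication step d says must be removed.
AFTER_ERADICATION = {
    "files": {
        "/etc/hosts": sha256_text("127.0.0.1 localhost\n203.0.113.5 login.example.com\n"),
        "/etc/crontab": sha256_text("0 3 * * * root /usr/local/bin/backup\n"),
        "/usr/sbin/sshd": sha256_text("sshd-binary-placeholder"),
        "/tmp/.x/kworker": sha256_text("unknown-binary"),
    },
    "processes": {"sshd", "nginx", "cron", "kworker"},  # name chosen to mimic a kernel thread
    "listen_ports": {22, 443, 4444},
    "accounts": {"root", "www-data", "svc_backup", "support"},
}

INVENTORY_KEYS = ("processes", "listen_ports", "accounts")


def diff_sets(base, cur):
    """Added and removed members between two inventories, sorted for stable reports."""
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def compare(baseline, current):
    """Report every deviation from baseline; a modified file is a hash mismatch."""
    base_files, cur_files = baseline["files"], current["files"]
    findings = {
        "files": {
            "added": sorted(set(cur_files) - set(base_files)),
            "removed": sorted(set(base_files) - set(cur_files)),
            "modified": sorted(
                p for p in base_files if p in cur_files and base_files[p] != cur_files[p]
            ),
        }
    }
    for key in INVENTORY_KEYS:
        findings[key] = diff_sets(baseline[key], current[key])
    return findings


def clean_for_restore(findings):
    """True only when no section reports any deviation: the gate for Recovery step c."""
    return not any(items for section in findings.values() for items in section.values())


def report(findings):
    """Flat list of lines suitable for the RCA / incident closure notification."""
    lines = []
    for section, changes in findings.items():
        for kind, items in changes.items():
            for item in items:
                lines.append(f"{section}: {kind} {item}")
    return lines


if __name__ == "__main__":
    f = compare(BASELINE, AFTER_ERADICATION)
    print("\n".join(report(f)) or "no deviations from baseline")
    print("clean for restore:", clean_for_restore(f))
```

Two design points matter here. The comparison is symmetric: a removed file or account is reported as loudly as an added one, because eradication that deletes the wrong thing leaves the host unfit for production just as surely as one that misses an implant. And the decision is a strict all-clear rather than a score, so an unexplained deviation sends the host back to Eradication instead of being waved through under time pressure.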
Incident Response Plan - Before an Attack

The Computer Security Incident Response Team (CSIRT) should develop an IR plan and test it periodically, before a security incident takes place, to ensure that it is effective. This section describes measures that can be implemented to prepare prior to an incident.

1. Preventive Measures
To manage the risks associated with a particular attack, the organization must implement preventive measures. These measures include:
• Vulnerability Assessment: A vulnerability assessment must be performed on the IT infrastructure to identify potential weaknesses that could be exploited by attackers.
• Penetration Testing: A penetration test should be conducted to find vulnerabilities that a vulnerability assessment does not identify.
• Access Control: The organization should implement appropriate access controls to ensure that only authorized personnel have access to sensitive data and systems.
• Security Awareness Training: Employees should receive regular security awareness training to help them recognize and report security incidents.
• Security Patches: Security patches should be installed on all endpoints to fix known vulnerabilities.
• Firewall: A firewall (hardware-based or software-based) can be used to prevent unauthorized access to the network.
• Anti-virus/Anti-malware Software: Anti-virus/anti-malware software can be installed on all endpoints to detect and remove malicious software.

2. Preparation of the IR Team
The Incident Response (IR) team should be prepared to handle a security incident. The following preparations are necessary:
• Define Roles and Responsibilities: The organization should define the roles and responsibilities of the IR team members. Each member should know their role in the IR process.
• Communication Plan: The organization should have a communication plan in place to ensure that all stakeholders are notified of an incident promptly.
• Document IR Procedures: The organization should document the IR procedures to ensure that team members follow the same procedures during an incident.
3. Training the CSIRT
The Computer Security Incident Response Team (CSIRT) must be trained to deal with incidents. The training should include:
• Technical Training: CSIRT members should receive technical training to ensure that they can handle the incident.
• Soft Skills Training: CSIRT members should receive soft skills training to ensure that they can communicate effectively with stakeholders during an incident.
• Tabletop Exercises: The CSIRT should participate in tabletop exercises to simulate an incident and identify areas that need improvement.

4. Selecting and Maintaining Tools
The organization should select and maintain the tools used by the CSIRT, and update them regularly so that they can handle the latest threats. The tools include:
• Incident Response Platform: The organization should have an incident response platform in place to manage the incident.
• Forensic Tools: The organization should have forensic tools in place to analyze the incident.
• Threat Intelligence: The organization should have access to threat intelligence to identify potential threats.

5. Training the Users
Training the users is an essential part of the IR plan. The following should be provided to users:
• Security Awareness Training: Users should receive security awareness training to help them recognize and report security incidents.
• Responsible Use Policy: The organization should have a responsible use policy in place to ensure that users understand the acceptable use of the IT infrastructure.
• Incident Reporting: Users should know how to report a suspected incident and whom to report it to.
6. Testing the IR Plan
Testing the IR plan is essential to ensure that it works as expected. The following strategies can be used:
• Desk Check: The IR team members review the IR plan to ensure that it is accurate and up to date.
• Structured Walk-through: The IR team members walk through the IR plan step by step to identify areas that need improvement.
• Simulation: The IR team members simulate an incident to test the IR plan.
• Parallel Testing: The IR team members perform a parallel test to ensure that exercising the IR plan does not halt the operations of the business functions.

References:
• All 3 Billion Yahoo Accounts Were Affected by 2013 Attack. The New York Times, 3 October 2017. https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
• Yahoo says all three billion accounts hacked in 2013 data theft. Reuters, 3 October 2017. https://www.reuters.com/article/us-yahoo-cyber-idUSKCN1C82O1
• NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
• ISO/IEC 27035-1:2016, Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management. https://www.amnafzar.net/files/1/ISO%2027000/ISO%20IEC%2027035-1-2016.pdf
• ISO/IEC 27035-2:2016, Information technology - Security techniques - Information security incident management - Part 2: Guidelines to plan and prepare for incident response. https://www.amnafzar.net/files/1/ISO%2027000/ISO%20IEC%2027035-2-2016.pdf