Cybersecurity experts today reacted to news that a former Yahoo engineer used his insider access to steal users’ sexual images.
Dan Tuchler, CMO with SecurityFirst:
“An internal threat from an engineer with access is one of the most difficult things to guard against, but companies like Yahoo need to do more than they are doing today. One area of exposure is doing testing on live or near-live user data, putting engineers into contact with vulnerable data. This needs to be rarely done and carefully guarded, with multiple eyes on the exercise. Another step is to limit access by job role and report any anomalies, which can be done with established technology, but it takes attention and resources to configure these controls correctly. Checks and balances exist which can limit the damage done by an insider, and enterprises need to take these steps, whether motivated by financial or regulatory reasons.”
Gerrit Lansing, Field CTO with STEALTHbits Technologies:
“This gross intrusion of the privacy of thousands of individuals illustrates again the need for enterprise to invest more in detecting and preventing abuse of privilege. Investing in privilege pays dividends – it’s essential to protecting data from both insider and external threats. It’s also past time for companies to require two-factor authentication for sensitive services; it’s clear passwords aren’t enough and opt-in approaches only work for the already security-minded.”