Yahoo Information Security

Transcription

Yahoo Information Security

“We are Paranoid.”

“We protect consumer, customer and corporate data. We use our place on the Internet to fight for our users and for the targeted, abused and vulnerable.”

Sean Zadig
CISO - Yahoo

Information security standards and policies

Policy
Yahoo has a comprehensively documented Information Security Policy which incorporates the entirety of the Yahoo enterprise and features risk assessment, hardened configurations, vulnerability remediation, and incident response controls.

Policy framework
A comprehensive approach to information security is essential to protect the interests of Yahoo, as well as the interests of its affiliates, subsidiaries, customers, and vendors. Cybersecurity risks are ever-present and growing in sophistication, so preparation to meet these challenges must be measured against stringent requirements. It is for that reason that Yahoo has mapped its Information Security Policy to the Cybersecurity Framework of the National Institute of Standards and Technology (NIST CSF).

Standards
The various policy domains are supported by multiple standards. These standard documents outline specific requirements, called “controls,” to be met by each business unit operating under the Yahoo corporate umbrella. Ensuring that each business unit meets these mandatory controls creates a uniform approach to information security across the entire Yahoo enterprise. Security standards and controls are administered by the Yahoo Paranoids team, who serve as subject matter experts and provide a central authority for standard implementation. When each business unit implements standards in a uniform manner, the Yahoo enterprise as a whole is more secure against sophisticated cybersecurity threats.

Controls
The specific, mandatory security requirements outlined in each standard are called controls. The controls in each Yahoo standard come from a library of security requirements within an overall Yahoo “Unified Control Framework” (UCF) that is specifically formulated to both implement security best practices at a granular level, and align with the NIST categorization of security standards. Business units are expected to view the security controls of each standard as mandatory, and implement them with the guidance of Yahoo’s Paranoids.

Procedures
Documented procedures are used to guide and standardize implementation of the controls listed in each standard. Just as standards and controls must be uniformly adopted across the Yahoo enterprise, the procedures supporting them are implemented the same way across the business units. These procedures have two levels of granularity: Standard Operating Procedures (SOPs) and Runbooks.

Standard operating procedures (SOPs)
Standard operating procedures are step-by-step workflows for security processes. Each workflow incorporates both generic tasks (e.g. “peer review”) as well as more detailed sub-steps (e.g. “distribute to peer business sponsors via email”), along with an official process flow diagram. It is generic enough to be applied at each business unit for the same information-security oriented task. Such procedural documents are key to effective management of a security control in diverse business unit environments.

Runbooks
Runbooks are the most granular approach to procedures supporting information security standards and controls. They are position, team, or business-unit specific instructions meant to convey the greatest detail possible. Ideally, a brand-new, untrained employee could follow the steps of a runbook and accomplish its end goal.

Paranoids review
The Paranoids act as the stewards of policy and standard documentation that is to be applied across the Yahoo enterprise, subsidiaries, and its affiliates. Each document is reviewed at least once annually for updates and changes due to new requirements. They also store the documentation and ensure it is properly applied, in coordination with business units and subject matter experts.

Compliance
A key advantage of the Yahoo enterprise policy and standards documentation approach is that documents can be brought into alignment both internally and with external regulations or expectations. While the overarching policy framework is intentionally aligned with NIST, various controls and procedures account for the treatment of particularly sensitive or regulated data and its storage or processing. For example, GDPR or HIPAA protections are embodied where appropriate, and provide proof of fully integrated compliance with these important regulatory regimes. Furthermore, contractual obligations, including PCI DSS and Standard Contractual Clauses (SCCs), can be addressed through proper documentation.

Guidelines
Documented guidelines are aspirational best practices for information security controls and procedures. Over time, as expert Yahoo employees have engaged with this framework of security measures, they have developed improvements to mandatory controls and procedures. These improvements may strengthen the security profile of their team, ease control adoption, or address gaps in formal protection mechanisms. Yahoo has compiled these suggestions and built “best practices” documents that are not mandatory for adherence but may help each business unit to be as secure as possible.

Personnel security

Personnel security
Yahoo’s Personnel Security Plan aims to protect and defend the organization’s infrastructure by controlling access to secure assets, and supporting a guiding security strategy.

Personnel security overview
An effective personnel security strategy is one of the cornerstones of an organization’s cybersecurity posture. It dictates how exactly the organization handles employees, determines access to secure (physical and digital) assets, and ensures the responsible handling of third party vendors and contingent workers. Yahoo has a detailed personnel security plan that addresses risks across many disciplines throughout the organization and is dedicated to maintaining a safe and secure environment for all parties involved.

Protecting both physical and access security is a crucial part of Yahoo’s guiding enterprise security plan. The personnel security plan is periodically reviewed by both internal security teams as well as external auditors to minimize gaps in coverage. The plan details a global background check program, specific access paradigms, the principle of least privilege, and physical and environmental security.

Personnel security measures
Yahoo’s Personnel Security controls support Yahoo’s guiding security strategy by ensuring the right people have appropriate levels of authorization to access the right assets.

Access control
Specific mechanisms are in place to handle access for all employees and third parties. Any Yahoo service provider that handles sensitive data or systems is contractually bound to adhere to the same policies as full time employees. In addition, policy states that any remote support/troubleshoot access must be strictly monitored and requires approval for the specific role. Security roles and responsibilities for contractors are outlined in Yahoo’s Information Security Policy, which is reviewed on an annual basis. Access follows the principles of need to know, least privilege, and role based access control (RBAC) via an automated process to limit or remove access based upon internal user roles.

The principle of least privilege states that users are limited to the bare minimum permissions they need to perform their work. Under the principle of least privilege, users are granted permission to read, write or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary.

Background checks
Yahoo is committed to maintaining a safe and secure environment for its employees, contingent workers, visitors, and members. Background checks help Yahoo determine employment eligibility, protect workplace security and safety, and support compliance efforts. They also assist Yahoo in protecting our property and assets. Background checks are mandatory for individuals employed or engaged by Yahoo’s operations to work or to provide services as employees, interns, agents, officers, Board members or contingent workers in our physical environment, in our network, or with our information. The Policy applies to individuals at any level of the organization, and to all Yahoo business entities and wholly owned subsidiaries. Background checks comply with local laws and regulations.

Physical and environmental security
Yahoo’s personnel security plan covers both physical and environmental security. Each Yahoo location is a part of the multiple safety processes and procedures that protect its employees. All Yahoo locations require badge-only access for entry. In addition, most locations have front desk reception with 24/7 security monitoring to detect a number of risks such as fire, intrusion, or any other physical and environmental emergencies.

Data Centers have a similar policy when it comes to physical security. Yahoo uses the practices outlined in NIST SP 800-53 to support its Data Center Physical and Environmental Protection policies. Dedicated operations teams monitor the physical locations as well as the overall environmental controls on a regular basis to maintain the overall health of the Yahoo infrastructure.

Yahoo data centers use multiple layers of security, including both physical and electronic access controls. Cameras monitor the space internally to document any unauthorized or attempted unauthorized access into any datacenter physical location. In the event of an outage or unplanned event, all security mechanisms must remain in place, including the use of redundancy in the system for protected equipment.
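The access control section above describes access that is derived from internal user roles, granted on a need-to-know and least-privilege basis, and limited or removed automatically when a role changes. The following is an added illustration of that model, not Yahoo's code or any Yahoo system: the role names, resources, users and audit-line format are constructed for the example. Access is never attached to a user directly, only to roles, so default deny and automatic revocation fall out of the data model rather than being special cases.

```python
"""Least-privilege, role-based access control (RBAC) checker.

Added illustration, not Yahoo's code. Role names, resources, users and the
audit trail format are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Role -> resource -> actions the role may perform. Anything absent is denied:
# default deny is how least privilege is expressed in the policy itself.
ROLE_GRANTS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "developer": {
        "app-repo": frozenset({"read", "write"}),
        "ci-runner": frozenset({"execute"}),
    },
    "support-engineer": {
        "ticket-db": frozenset({"read"}),
    },
    "payroll-analyst": {
        "payroll-db": frozenset({"read", "write"}),
    },
}


@dataclass
class Directory:
    """Stand-in for the identity source of truth: user -> current roles.

    Access is never granted to users directly; it is derived from roles, so
    a role change automatically limits or removes what the user can reach.
    """
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_GRANTS:
            raise ValueError(f"unknown role: {role}")
        self.roles.setdefault(user, set()).add(role)
        self.audit_log.append(f"grant role {role} -> {user}")

    def change_roles(self, user: str, new_roles: Set[str]) -> Set[str]:
        """Replace the user's roles; return resources whose access was lost."""
        unknown = set(new_roles) - set(ROLE_GRANTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        before = effective_permissions(self, user)
        self.roles[user] = set(new_roles)
        after = effective_permissions(self, user)
        lost = {r for r, acts in before.items() if acts - after.get(r, set())}
        for resource in sorted(lost):
            self.audit_log.append(f"revoke access {resource} <- {user}")
        return lost

    def offboard(self, user: str) -> Set[str]:
        """Leaving the company is just a role change to 'no roles'."""
        return self.change_roles(user, set())


def effective_permissions(directory: Directory, user: str) -> Dict[str, Set[str]]:
    """Union of grants over the user's roles; an unknown user has none."""
    perms: Dict[str, Set[str]] = {}
    for role in directory.roles.get(user, set()):
        for resource, actions in ROLE_GRANTS[role].items():
            perms.setdefault(resource, set()).update(actions)
    return perms


def is_allowed(directory: Directory, user: str, resource: str, action: str) -> bool:
    """Default deny: only an explicit grant reachable through a role allows."""
    return action in effective_permissions(directory, user).get(resource, set())


if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "developer")
    print(is_allowed(d, "alice", "app-repo", "write"))    # True
    print(is_allowed(d, "alice", "payroll-db", "read"))   # False: not in her role
    # Automated limit/remove on role change: alice moves to support.
    print(sorted(d.change_roles("alice", {"support-engineer"})))  # ['app-repo', 'ci-runner']
    print(is_allowed(d, "alice", "app-repo", "write"))    # False now
    print(d.audit_log)
```

The revocation list returned by `change_roles` is the hook a real deployment would use to drive de-provisioning in downstream systems; the audit log is what a reviewer of the annual policy cycle would sample to confirm that role changes actually removed access.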

Risk management

Risk management
Yahoo has a robust risk management strategy that focuses on all aspects of the Yahoo enterprise, ranging from security bugs in software to supply chain & supplier risks.

Risk management overview
Information security is paramount at Yahoo. There are inherent security risks that accompany any IT infrastructure - Yahoo is no exception. Cybersecurity risks grow year after year as attackers and threats become more and more sophisticated. All cybersecurity decisions at Yahoo are driven from a thorough understanding of the organization’s assets, vulnerabilities, threats, data, and network systems. Risk management at Yahoo involves constantly refining the organization’s risk tolerance strategy, formally assessing security risks both internally and via third party auditors, tracking risks using robust ticket management and threat intelligence platforms, and analyzing risks posed by third party vendors and suppliers.

Risk policy
Yahoo has a guiding risk management framework in place which defines how employees and systems should act in order to secure Yahoo and its consumers. Yahoo’s formal risk management strategies and risk assessments are used to evaluate how well Yahoo’s existing controls and policies protect customers and employees and shield the enterprise from risk. Many inputs impact risk decisions at Yahoo, including regulatory requirements, contractual obligations, business drivers, and threat events. Yahoo frames and classifies risks based on these inputs in order to properly manage risk in the enterprise and formally evaluate its current risk levels.

Formal risk assessments
Formal risk assessments are measures taken to evaluate the universe of risk at Yahoo. They are extensive operations that assess what potentially could go wrong, the likelihood of risk events occurring, and the impact to the firm writ large if the event were to happen. They also provide direction on what gaps exist in current controls and how/to what extent these should be alleviated. Yahoo follows industry standard risk assessment procedures with general guidance from NIST 800-30. The risk assessment process at Yahoo includes the following elements:

System characterization
The first step to any formal risk assessment at Yahoo is to fully characterize Yahoo’s infrastructure (people, processes, and technology). To initialize any assessment, analysts on teams across Yahoo’s platform and security teams collaborate to provide information regarding asset details, configurations, system diagrams, interface information, processes, personnel lists, network schemas, etc. about the items in scope in order to ensure that the risk assessment is thorough.

Risk identification
Internal or external security and risk assessment experts across teams walk through systems in order to identify potential threat vectors. For example, Yahoo’s Bug Bounty program and Vulnerability Management team are dedicated to identifying technical vulnerabilities on Yahoo’s infrastructure. Other teams across Yahoo’s Paranoids play large roles; for example, a network security expert might note that one network segment is particularly vulnerable to a DDoS attack due to a gap in a process, or a product security expert at Yahoo might note that a group of encryption keys is vulnerable because there is no separation of duties mechanism in place. Outside of the Paranoids organization, risks also arise from M&A activity, PCI assessments, and third party security reports. All these threats are compiled into securely protected documentation with specific metrics such as number of users on the platform, value of data impacted, etc., in order to conduct impact analyses and prioritization.

Impact analysis
After threats have been identified and the systems in scope characterized, the impact analysis determines the scope of potential damage that the threat event would cause if it occurs. Some questions to consider when looking at a threat event would be:

Which information systems and processes are impacted by the threat event? How critical are they to business operations?
What are the interdependencies of these impacted systems and processes?
What is the required uptime/maximum downtime for each of these systems?

Probability calculation
The likelihood assessment stage of the risk analysis process is critical. A threat event with an extremely high impact can have relatively low risk to the organization if the likelihood of it occurring is close to zero.

Controls examination
Yahoo utilizes industry standard procedures in order to answer two key questions regarding existing mitigating controls:

Are there any gaps in current control coverage?
Are the currently in-place controls sufficient to defend against attack?

Yahoo utilizes both in-house teams and third-party experts to periodically reexamine Yahoo’s suite of defensive controls. Maturity models are used to measure Yahoo’s existing controls against industry standard Cybersecurity Frameworks such as NIST. Controls ranging from technical network controls (such as firewall configurations) to administrative controls (such as a remote VPN policy) are reviewed in each risk assessment.

Scoring and prioritization
The final step of the risk assessment process is the scoring and prioritization phase. Prioritization is based on a variety of risk inputs collected during the previous assessment stages, most notably exposure, impact, and likelihood. This allows analysts to easily run reports and provide executive level visibility into security risks across Yahoo’s enterprise.

Risk tracking, reporting and treatment
Yahoo takes the final outputs from each stage of risk assessments and uses them to track various risks across the enterprise. Analysts across Yahoo’s many teams create reports that flow up into executive-level dashboards to provide holistic views of risk across the firm.

Security bugs
Yahoo’s Security Bugs (or, SBugs) program is a robust solution for tracking and treating technical security issues across the enterprise. Yahoo has dozens of teams dedicated to hunting down SBugs across Yahoo’s software platforms and meticulously tracking them. Yahoo’s Risk Management team has trained analysts dedicated to conducting statistical analysis across tracked security bugs in order to inform the enterprise’s strategic initiatives. These analysts create executive level reports that inform business owners and leadership about the most pressing technical risks the organization is currently facing, timelines for risk remediation, and which groups in the enterprise own the most risk. Yahoo’s Paranoids work with the business owners to provide guidance on remediating the issues.
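The assessment stages above (system characterization, impact analysis with its interdependency question, probability calculation, and scoring from exposure, impact and likelihood) can be carried through on a small constructed register. The code below is an added worked example and not Yahoo's scoring method: the systems, their criticality ratings, the dependency graph, the threat events and the score bands are all constructed for illustration. It shows the document's point that a very high-impact event with near-zero likelihood ranks low, and that impact must follow dependencies, since a hit on a shared authentication service reaches everything that cannot run without it.

```python
"""Worked risk scoring and prioritization in the NIST SP 800-30 style.

Added illustration, not Yahoo's method. Systems, criticality values, the
dependency graph, threat events and score bands are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# System characterization: criticality 1 (low) .. 5 (mission critical), and
# for each consumer the provider systems it cannot operate without.
CRITICALITY: Dict[str, int] = {
    "mail-frontend": 5,
    "auth-service": 5,
    "ad-pipeline": 3,
    "internal-wiki": 1,
    "billing-db": 4,
}
DEPENDS_ON: Dict[str, Set[str]] = {
    "mail-frontend": {"auth-service"},
    "billing-db": {"auth-service"},
    "ad-pipeline": set(),
    "internal-wiki": set(),
    "auth-service": set(),
}


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    systems: Tuple[str, ...]  # systems the event hits directly
    likelihood: float         # probability over the assessment period, 0..1
    exposure: float           # 0..1, how much of the asset an attacker can reach


def blast_radius(systems) -> Set[str]:
    """Directly hit systems plus everything that transitively depends on them."""
    hit = set(systems)
    changed = True
    while changed:
        changed = False
        for consumer, providers in DEPENDS_ON.items():
            if consumer not in hit and providers & hit:
                hit.add(consumer)
                changed = True
    return hit


def impact(systems) -> int:
    """Impact is the highest criticality found anywhere in the blast radius."""
    return max(CRITICALITY[s] for s in blast_radius(systems))


def score(event: ThreatEvent) -> float:
    """Risk = impact x likelihood x exposure, on a 0..5 scale."""
    return impact(event.systems) * event.likelihood * event.exposure


def band(s: float) -> str:
    """Treatment tier; thresholds are constructed for the example."""
    if s >= 2.5:
        return "critical"
    if s >= 1.5:
        return "high"
    if s >= 0.5:
        return "medium"
    return "low"


def prioritize(events) -> List[Tuple[str, float, str]]:
    """Rank events by score, highest first, with their treatment tier."""
    ranked = sorted(events, key=score, reverse=True)
    return [(e.name, round(score(e), 2), band(score(e))) for e in ranked]


# Constructed register. Likelihood/exposure use binary-exact fractions so the
# arithmetic is reproducible; the last event is the high-impact, near-zero
# likelihood case from the text.
SAMPLE_EVENTS = (
    ThreatEvent("auth-service credential stuffing", ("auth-service",), 0.5, 1.0),
    ThreatEvent("ad-pipeline unpatched library", ("ad-pipeline",), 0.75, 0.75),
    ThreatEvent("internal-wiki stored XSS", ("internal-wiki",), 1.0, 0.75),
    ThreatEvent("billing-db insider export", ("billing-db",), 0.125, 0.5),
    ThreatEvent("regional data center loss", ("mail-frontend", "auth-service"), 0.01, 1.0),
)

if __name__ == "__main__":
    for name, s, tier in prioritize(SAMPLE_EVENTS):
        print(f"{tier:8s} {s:5.2f}  {name}")
```

Because `impact` walks the dependency graph, the authentication event scores against criticality 5 even though only one system is listed, which is exactly the interdependency question the impact analysis asks; the data center loss event has the same impact but lands in the lowest band once likelihood is applied.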

Vulnerability management

Vulnerability management
Yahoo has a dedicated team focused on ensuring that vulnerabilities in the company’s infrastructure are identified, tracked, and remediated within the standards set by Yahoo’s guiding Information Security Policy.

Vulnerability management overview
In information security, a vulnerability is a weakness which can be exploited by a malicious actor or adversary. Vulnerabilities arise from a multitude of causes, such as misconfigured systems, design flaws, and bugs in code. Yahoo’s Paranoids have a dedicated group for handling vulnerabilities in the infrastructure - the Paranoid Vulnerability Management team. This team utilizes automated scans and internal research to detect, track, and perform remediation of vulnerabilities on Yahoo’s systems. Vulnerability scans are performed regularly and are then tracked to remediation. Once a vulnerability is detected, the team assigns a ticket to the team responsible for the system with timelines for resolution. Categorization and SLAs are determined by the Paranoids Risk team.

Scanning
A key responsibility of the Paranoid Vulnerability Management team is to continuously scan systems in order to proactively identify vulnerabilities, misconfigurations, and flaws, and then ticket findings for remediation according to SLAs determined by Yahoo’s guiding information security risk frameworks. Several types of vulnerability scans and assessments are employed in order to align with the enterprise’s guiding Information Security Policy and SLAs.

Perimeter scanning
Yahoo conducts periodic perimeter scans across its external network infrastructure to continually assess the most exposed assets on the infrastructure for both vulnerabilities and misconfigurations.

Internal scanning
In addition to perimeter scans, Yahoo also conducts a variety of internal scans. Internal scans examine assets in the internal networks, in data centers, and public clouds for vulnerabilities and misconfigurations. They consist largely of discovery scans and unauthenticated network scans.

Agent-based scanning
Yahoo also conducts agent-based scanning. Yahoo uses an agent-based scanning regimen to give high-fidelity authenticated scan information at the host level. This will sometimes provide additional context about a potential vulnerability or misconfiguration that would not normally arise from a basic perimeter or internal unauthenticated network scan.

The results of all scans are reported directly to the Vulnerability Management team in real time.

Maintenance requirements
Yahoo policy states that IT systems and software/firmware must operate at the highest supported release, which actively minimizes the number of known vulnerabilities due to system misconfigurations. Yahoo strives to ensure that installed software/firmware versions are updated, upgraded and patched promptly when a known vulnerability is involved.

Newly disclosed vulnerabilities
The Paranoids employ a layered approach to identifying vulnerabilities on Yahoo’s infrastructure. One facet of this layered approach is Yahoo’s “Newly Disclosed Vulnerability Response.” Yahoo’s Paranoids have a detailed playbook that walks step-by-step through the identification and response to vulnerabilities that have not yet been identified on Yahoo’s infrastructure (these are called New Vulnerabilities, or zero days). The playbook gives specifics for monitoring and identification, and drives the process through to remediation and mitigation of the newly discovered vulnerabilities.

Yahoo’s Newly Disclosed Vulnerability Response process is cross-disciplinary within Yahoo’s Paranoids, including participants from security management, Yahoo’s Incident Response team, and Yahoo’s Security Bugs team. This provides the needed flexibility to the Paranoids to work together to quickly identify, analyze, triage, and understand the impacts of never-before-seen vulnerabilities.

Network administration and change control

Secure network administration
Yahoo’s Network Operations organization uses state of the art tools to ensure that all enterprise systems operate seamlessly and securely.

Overview
Network security is one of the most critical stage gates in securing Yahoo’s data and services. Yahoo’s network is the perimeter that encircles the enterprise’s valuable data and assets. Yahoo’s Network Operations organization and Yahoo’s Paranoids are dedicated to the enterprise’s network security. They are responsible for ensuring that no violations of Yahoo’s Information Security Policy and guiding strategy are deployed onto the network. These teams are staffed with engineers who work with various Yahoo business units to not only remediate any existing network incidents, but also assist in hardening system and network infrastructure. Secure network administration at Yahoo considers a wide breadth of functions such as: utilizing industry standard network hardening mechanisms, ensuring that the network is standardized, making sure that changes to the network are well-defined and approved prior to deployment, conducting rigorous network risk assessments, and managing the implementation of preventative mechanisms and controls for emergency operations.

Defending the perimeter
Yahoo’s network engineers and engineers across their Paranoids teams have implemented a variety of industry standard controls in order to harden the network perimeter. Yahoo’s network and system environments are logically separated in order to ensure the isolation and protection of sensitive data. This defined separation allows Yahoo to strategically place network tools such as firewalls, intrusion detection systems, and intrusion prevention systems across the infrastructure at critical choke points. Yahoo has teams of trained experts dedicated to both monitoring the configurations on network defense systems and reviewing the logs coming from them to ensure that all threats to the network are thoroughly tracked and negated. Yahoo’s information security compliance teams maintain rigorous sets of policies, standards, and procedures that all network perimeter operations abide by. These policies and procedures define, for example, how administrators at Yahoo configure the vast array of firewalls on the infrastructure up to secure, effective levels.

Network standardization
Network standardization is one of the key philosophies that guides Yahoo’s network security strategy. Network standardization eliminates one-off cases on systems and ensures that all Yahoo systems, including those from any of Yahoo’s legacy infrastructures, can cooperate seamlessly. To achieve this high level of standardization, Yahoo uses a “zero-trust” paradigm in provisioning new network devices. This means that when new network devices are added, it is assumed that untrusted or trusted actors could be attempting to use them - this is a guiding principle that leads to total standardization and rigorous authentication of access to devices. Besides minimizing network resource usage, keeping network hardware and software standardized also allows a more streamlined approach to network monitoring and defense implementation. With full standardization, communication across personnel and infrastructure becomes simpler, and network security incidents become easier to manage.

Secure change control
Change is inherent to any organization, but many do not realize that change management is, above all, a security issue. Each change to an organization’s systems, whether the addition, removal, or modification of existing policies and systems, can introduce new risks.

Network change control
Yahoo’s Network Operations organization values effective change management. Network policy changes are carefully reviewed in order to prevent the creation of violations on Yahoo’s networks. All policy changes to the network must undergo request and approval processes. The Yahoo Paranoids team has change approval oversight; the Paranoids work closely with business units to ensure that they not only adhere to the guiding information security strategy, but they understand it as well. Yahoo’s Network Operations organization provides expert support to the Paranoids organization in order to validate that both the business units’ and Paranoids’ operations remain in compliance with network security requirements. Yahoo typically manages major network policy changes using a thorough change management request (CMR) process.

Systems change control
Yahoo’s Change Management policy aims to reduce risk and service disruption caused by changes across the organization. Consolidation efforts in large organizations such as Yahoo can be extremely complex and challenging. Change Management drives the adoption of best practices and secure process improvement for the enterprise. Change Management Processes provide guidance and procedures for implementing proposed changes as well as a means to manage change approvals.

Cryptographic architecture
Yahoo’s cryptographic architecture provides a framework for how to manage encryption processes within the Yahoo network environment. Encryption is one of the foundations of cybersecurity. It is the process used to protect and encode the transmission of secure data across communication channels within and across a network infrastructure. A cryptographic architecture is a wide-ranging framework. It describes the mathematical algorithms, protocols, access mechanisms, and encryption key characteristics used to successfully execute encryption on or across a network. Yahoo’s team of cryptography experts have engineered a mathematically sound, proprietary cryptographic framework that protects against unauthorized access to Yahoo’s most sensitive systems.

Network risk evaluations
Members outside of the Network Operations organization such as Yahoo’s Vulnerability Management team (and others in Yahoo’s Paranoids) provide independent assessments and evaluations to ensure the highest rigor in internal network risk analysis. Yahoo regularly runs scheduled, automated vulnerability scans against all publicly facing systems to ensure that all systems are hardened to secure levels. Yahoo does not share specific infrastructure details or vulnerability information outside of authorized personnel. The results and reporting documentation from risk and vulnerability assessments are stored securely. These internal network risk evaluations are conducted separately from annual, formal third party risk assessments that evaluate how effectively Yahoo’s security mechanisms align with the enterprise strategy.

Secure software development

Software security
Secure software development at Yahoo ensures that applications are developed with security as a priority. Yahoo utilizes a secure product development methodology to help developers integrate security into the creation of applications. Yahoo’s industry standard secure product development practices attempt to address security issues before they manifest in production systems. These mechanisms drive security assurance activities methodically throughout the product’s lifecycle.

Yahoo developers work with in-house security experts, called the Paranoids, to review security requirements, implement architecture and design reviews, conduct code reviews, employ threat modeling, utilize web application security testing, conduct penetration testing, and practice secure by design methodologies to help bring Yahoo’s projects and applications to a secure baseline. Yahoo’s information security experts regularly present at conferences nationally, and developers are trained in-house in the implementation of secure development methodologies.

Secure by design
Software developers on Yahoo teams implement security into their software following a “Build Security In” paradigm. Security experts within Yahoo’s Paranoids engage with developers to conduct security plan reviews, requirements reviews, architecture reviews, automated and manual code reviews, and remediation validation throughout development. These mechanisms strive to ensure that the technical security controls implemented in an application support Yahoo’s guiding security strategy.

Planning and requirements
Yahoo’s Information Security Policy provides high level information security requirements that teams strive to integrate into project requirements and analysis activities. Developers work with security experts to leverage assurance gates at the outset of project design to help the team understand risks during periodic checkpoints. Yahoo’s development teams utilize software security plans to identify and baseline integrated security activities in order to achieve the appropriate level of product development security assurance against Yahoo’s business objectives. Further, the team advises on patterns and antipatterns, secure feature development, and proper security testing/QA.

Design
Paranoids at Yahoo provide specialized expertise and guidance to developers in order to help ensure secure application design. Development projects at Yahoo use threat modeling in order to support the deployment of layered defenses.

Implementation
Paranoids provide security training such as OWASP based Web Application Security, Secure DevOps, Secure Development in Java, and other relevant role-based instructor-led training to developers. These trainings are periodically refreshed in order to stay abreast of the newest secure code industry standards.

Yahoo developers are trained in safe coding processes such as conducting frequent code analyses that can be integrated into developer build and deploy DevOps pipelines and only using development tools that pass Yahoo security
