Friday 30 October 2015

Should TalkTalk be Raising the White Flag?


Guest Blogger: Nick Prescot 
Senior Information Security Manager
So it's been a week since we all found out that there was a large data breach at TalkTalk. The initial thinking was that 4 million customers' details had been taken by cyber jihadists and that the hack was done by cyber criminals in shadowy parts of the world.

We were then serenaded by the CEO of TalkTalk, Baroness Dido Harding, who told us that she didn't know what information had been taken and that she was sending all their customers an email explaining what had happened, but couldn't tell us how a customer would know whether that email was genuine or a phishing email. The website had been taken down, and that's a good thing because the hackers wouldn't be able to get at the information.

Baroness Harding was very brave to do the rounds of the 24-hour news channels professing how 'sorry' she was, but when it came to technical answers to technical questions there was a feeling that the answers given scored the same as the Brits at Eurovision: 'nul points'. Shakespeare's Richard III famously cried, 'my kingdom for a horse'; in these times it is 'a company's reputation for a CISO'.

A week later, it turns out the attack wasn't done by cyber jihadists in a shadowy country sponsored by rogue nation states. It was done by Aaron, 15, who lives in Ballymena, Co. Antrim. He is known for his love of computer games and for living with his mother. The police raided his house with a fully armed squad and seized his computer. But was he the only perpetrator, or just a front?

Could a single desktop or laptop really be the complete infrastructure needed to mount such an attack? I hear rumours from press sources that a DDoS attack took down the website and created confusion, and then a SQL injection was used to get at the database; the rest has been played out.

So a large ISP with 4 million customers was taken down by a 15-year-old with a laptop and a broadband connection. It might even have been a TalkTalk broadband connection, but we don't know that. Some might say this is the equivalent of a kid breaking into an office by spraying the CCTV with paint, getting in through the back door and finding the financial information of the customers lying on the desk.

Security has been shown not to be a strong point in the TalkTalk attack... but it's OK, because banking details are not required by law to be encrypted, and any payment card details that were taken had the middle six digits obscured.

So compliant they may have been at the time of the breach, but the level of security is not what anyone in the industry would call 'best practice'. A SQL injection in 2015? This is not a missing patch but a coding flaw: building a query by gluing user input into the SQL string, which parameterised queries have prevented for well over a decade and which any competent web application test should have found. Unencrypted cardholder/personal/financial information? A privacy impact assessment should have been done to classify the data and decide what needed protecting.
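To make the point concrete, here is an added example (not code from the original post and not TalkTalk's code) showing the two query styles side by side against a constructed in-memory SQLite database. The table names, columns, sample customers and masked card numbers are all invented for illustration. The vulnerable lookup concatenates the caller's input into the SQL text, so a tautology payload returns every customer and a UNION payload reads a table the query was never meant to touch; the parameterised lookup treats the same payloads as an ordinary, non-matching email address.

```python
"""Added example: a SQL injection-prone customer lookup beside its
parameterised fix, run against constructed sample data in SQLite."""
import sqlite3

# Constructed sample rows (no real customers or cards). The card table stores
# only the first six and last four digits of the PAN, with the middle obscured.
CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "1980-01-01"),
    (2, "bob@example.com", "Bob Example", "1975-05-05"),
    (3, "carol@example.com", "Carol Example", "1990-09-09"),
]
CARDS = [
    (1, "412345xxxxxx1234"),
    (2, "512345xxxxxx5678"),
    (3, "412345xxxxxx9012"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, name TEXT, dob TEXT)"
    )
    conn.execute("CREATE TABLE card (customer_id INTEGER, pan_masked TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO card VALUES (?, ?)", CARDS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT id, email, name, dob FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised: the value is bound separately and can never be parsed as SQL."""
    sql = "SELECT id, email, name, dob FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology; the
# second appends a UNION that pulls rows from the card table, and the trailing
# "--" comments out the closing quote the application adds.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT customer_id, pan_masked, 'card', '' FROM card --"


def demo() -> dict:
    """Run both payloads through both lookups and report how many rows leak."""
    conn = make_db()
    return {
        "vulnerable_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union_rows": len(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_tautology_rows": len(lookup_safe(conn, TAUTOLOGY)),
        "safe_union_rows": len(lookup_safe(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The masked card rows in the UNION result mirror the point made elsewhere in this post: even an "obscured" card number, once joined to a name, address and date of birth, is useful to a fraudster, and the parameterised query is what stops the join from being made by a stranger.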

Many people have asked me how you quantify reputational loss in the event of a data breach. It's not an easy question to answer, but TalkTalk have given us a case study on which metrics can be based: the fall in their share price, a possible class action by current customers, and every customer looking to leave TalkTalk as soon as they are able to.

From a regulatory perspective this is up in the air, but the Data Protection Act (the seventh data protection principle) does say:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

So whilst this is not a specific obligation to encrypt the data, being breached by a 15-year-old with a SQL injection suggests that the appropriate measures were not in place. There is also a clause in TalkTalk's customer contract that says they will take reasonable care with personal data.

What this boils down to is the balance between compliance and security. It's clear that the security controls in place were not robust enough to withstand a real-world attack, and the response not strong enough to contain the fall in share price or to stop loyal customers walking away.

Yes, they may have been 'compliant', but it's clear that the current level of legislation and regulation does not demand the right level of security. And a cyber data breach is not a victimless crime. Think of the customers who are not tech-savvy: a social engineer calls them up already knowing their name, address and date of birth, and holding the partial card number that was exposed (TalkTalk said the middle six digits were obscured, which leaves the first six, the BIN that identifies the issuing bank, and the last four). That is enough to pose convincingly as the victim's bank and talk them into reading out the remaining digits and possibly the CVV. The bank account details were taken too, and I am sure that some direct debits will be made.

The sad truth is that replacing a payment card is a lot easier than verifying with the credit agencies that an individual's personal information is not being used in an untoward way. That's where the loss of personal information is far more damaging and long-lasting. Everyone talks about the loss of payment card information and the fines that follow... but I don't see the same for the loss of customer personal data.

This is where the EU GDPR is long overdue. Until then, the loss of reputation, with TalkTalk as the case study, will highlight what boards need to do to make their customer-facing infrastructure more resilient. Or take a leaf from Heartland Payment Systems in the US: after the massive breach they disclosed in 2009, they decided that the only way to rebuild trust was to put security into everything, and over time they have become known as a secure payment provider.

I would recommend the same to TalkTalk: put security at the heart of everything you do. But I would say that, wouldn't I! Will there be a big session of patches, or a root-and-branch review of their infrastructure? Until then, this is a webpage worth looking at...

http://www.talktalk.co.uk/secure

More about Nick...contact me



'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies that are looking to improve their cyber resilience and posture in the ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of clients' policy and governance infrastructure, combined with incorporating information assets within corporate risk registers, Nick is able to provide clients with a clear strategy so that their infosec operations and processes are aligned to industry practice.



Nick is also a seasoned incident response manager. When there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate it. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'


Friday 23 October 2015

Look Who's (Talk) Talking?


Guest Blogger: Nick Prescot 
Senior Information Security Manager
There's no doubt that this is the story of the day, and since late last night people have been asking me, 'what's happened, when did it happen, who's to blame, what do I do?' It's nice to be thought of in this instance, but I'm not in any way involved with the investigation and don't have the inside track at the moment... however, this might change!

But what does strike me is that this is a company that processes the personal data and payment data of 4 million customers and has been breached three times this year! You would have thought that once is bad enough and twice is rubbing salt into the wounds, but three times... golly, we must all be wondering what on earth was going on.

I hope that the CEO has full support of and confidence in the CISO of the business, if TalkTalk have a CISO at all. This morning I had a quick look through my LinkedIn contacts and I didn't see any sign of a definite CISO. What is also telling is that not only has the reputation of TalkTalk suffered another hit (I don't think anyone can vouch that TalkTalk is famous for its customer service) but its share price has dropped 10%. On top of this, the ICO and the Met Police are now involved in the investigation. And remember that the ICO can fine up to £500k, and that's nothing in comparison with the new EU GDPR, which may be able to fine up to 2-5% of global turnover.

So, if there is anyone in TalkTalk management reading this, I would ask the following questions:

1) Have all staff had information security awareness training?
2) Is there an incident response plan, and has it been tried and tested?
3) Do you have a security operations function that can detect and react to untoward events within your network?
4) Do you have a crisis communications plan to deal with cyber security incidents?
5) OK, you might not be able to encrypt all your data, but was there a data classification exercise to identify all personal and payment data?
6) Finally, the non-PCI DSS question: do you have a business continuity plan that deals with service continuity?

If most of the answers are no, then I can understand why there have been a number of breaches at TalkTalk, but to have three breaches and not learn from them shows a culture of not taking information security as seriously as their customers might expect.

As Oscar Wilde once commented, 'experience is simply the name we give our mistakes.' Whatever experience has been had, there is little doubt that TalkTalk is the talk of the town, and I hope the outcome of this latest breach is that other companies out there realise they need to ensure that their data is safe, secure and robustly managed!


TalkTalk Cyber Attack: Third Breach in 2015

*Breathe* TalkTalk have come under attack for the third time this year. This one, however, has well and truly twisted the knife in, with TalkTalk's share price down nearly 10% this morning already.
It's early days in terms of knowing what actually happened, but the cyber attack, which took place on Wednesday, involved a distributed denial of service (DDoS) attack. What is not clear is why this would result in the loss of data rather than just the site going down: a DDoS on its own exhausts capacity, it does not read databases. One suggestion is that the DDoS was a means of distracting TalkTalk's defence team while the criminals went about their work.

TalkTalk launched a criminal investigation on Thursday. The Metropolitan Police are investigating the attack and have said that no one has been arrested yet but enquiries are ongoing.
TalkTalk have over four million UK customers. There is a chance that some of the following customer data, not all of which was encrypted, has been accessed:
  • Names and addresses
  • Dates of birth
  • Email addresses
  • Telephone numbers
  • TalkTalk account information
  • Credit card and bank details
Cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4's Today programme that a Russian Islamist group had posted on-line to claim responsibility for the attacks.
He said hackers claiming to be a cyber-jihadi group had posted data which appeared to be TalkTalk customers' private information - although he stressed their claim was yet to be verified or investigated.
Dido Harding, chief executive of the TalkTalk group, told BBC News the authorities were investigating and she could not comment on the claims.
Cited and more on this story at BBC News
For any TalkTalk customers (or, come to that, BlinkBox customers), follow the link below from the Guardian on how to protect yourself.


Wednesday 14 October 2015

£20m Stolen from UK Bank Accounts

The UK's National Crime Agency is hunting cyber-attackers who stole more than £20m from British bank accounts.
Malware called Dridex harvested victims' online banking details so the attackers could siphon off funds.
The NCA said it was working with the FBI and other authorities to limit the malware's usefulness to criminals, and that one man had already been arrested.
One expert told the BBC the attackers had been particularly cunning to avoid being detected.
"This is very sneaky software that relied on people not being vigilant with their online banking," said Prof Alan Woodward, a cybersecurity expert who advises Europol.
"If you imagine thieves making lots of little transactions, rather than one big one, it is more likely to go unnoticed."

Cited and more information on How Dridex works at BBC News
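The "lots of little transactions" point above is worth turning into detection logic, because a control that only alerts on individually large transfers misses it by design. The following is an added example, not from the BBC report, the NCA or any bank: it runs two rules over a constructed set of outbound transfers. The account names, amounts, the per-transfer threshold, the aggregate threshold and the seven-day window are all assumptions chosen for illustration. The naive rule flags only the account with one big transfer; the sliding-window rule also catches the account that drains a similar sum in five sub-threshold payments.

```python
"""Added example: detecting a drain made as many small transfers rather than
one big one, over constructed sample data. All thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SINGLE_TXN_ALERT = 500.00    # assumed: a single transfer above this alerts
AGGREGATE_ALERT = 2000.00    # assumed: total of small transfers that should alert
WINDOW = timedelta(days=7)   # assumed look-back window for the aggregate rule
MIN_COUNT = 4                # assumed minimum number of small transfers in the window

# Constructed sample transfers: (account, ISO timestamp, amount, payee).
TRANSFERS = [
    ("acct-001", "2015-10-01T09:00:00", 1800.00, "new-payee-a"),  # one large transfer
    ("acct-002", "2015-10-01T10:00:00", 480.00, "new-payee-b"),   # five transfers, each
    ("acct-002", "2015-10-02T10:05:00", 490.00, "new-payee-b"),   # under the single-txn
    ("acct-002", "2015-10-03T10:10:00", 470.00, "new-payee-c"),   # threshold, that together
    ("acct-002", "2015-10-04T10:15:00", 495.00, "new-payee-c"),   # drain 2395.00 in 5 days
    ("acct-002", "2015-10-05T10:20:00", 460.00, "new-payee-d"),
    ("acct-003", "2015-10-01T12:00:00", 45.00, "grocer"),         # ordinary activity
    ("acct-003", "2015-10-09T12:00:00", 60.00, "grocer"),
]


def parse(rows):
    """Turn the raw tuples into (account, datetime, amount, payee)."""
    return [(acct, datetime.fromisoformat(ts), amt, payee) for acct, ts, amt, payee in rows]


def naive_alerts(rows):
    """Rule 1: flag accounts with any single transfer above SINGLE_TXN_ALERT."""
    return sorted({acct for acct, _, amt, _ in parse(rows) if amt > SINGLE_TXN_ALERT})


def aggregate_alerts(rows):
    """Rule 2: flag accounts whose sub-threshold transfers, within any WINDOW,
    number at least MIN_COUNT and sum to AGGREGATE_ALERT or more."""
    by_acct = defaultdict(list)
    for acct, ts, amt, _ in parse(rows):
        if amt <= SINGLE_TXN_ALERT:          # only the transfers rule 1 ignores
            by_acct[acct].append((ts, amt))
    flagged = []
    for acct, txns in by_acct.items():
        txns.sort()
        start, total = 0, 0.0
        for end, (ts, amt) in enumerate(txns):
            total += amt
            # Slide the window forward so it spans at most WINDOW of time.
            while ts - txns[start][0] > WINDOW:
                total -= txns[start][1]
                start += 1
            if end - start + 1 >= MIN_COUNT and total >= AGGREGATE_ALERT:
                flagged.append(acct)
                break
    return sorted(flagged)


def all_alerts(rows):
    """Union of both rules: what a reviewer would actually see."""
    return sorted(set(naive_alerts(rows)) | set(aggregate_alerts(rows)))


if __name__ == "__main__":
    print("single-transfer rule:", naive_alerts(TRANSFERS))
    print("aggregate rule:      ", aggregate_alerts(TRANSFERS))
    print("combined:            ", all_alerts(TRANSFERS))
```

The window and thresholds are where the real tuning lives: set the aggregate limit too close to the single-transfer one and ordinary customers trip it, set it too high and the attacker simply spreads the drain over more days. A production rule would also weight transfers to newly added payees, which the sample data hints at but this example deliberately leaves out.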

Friday 9 October 2015

Experian - A World of Insight...to Customer Info


OK, the title is a little in your face, but joking aside this could have serious consequences for Experian. We all (should) know that dealing with third parties can create IT security worries, but you can't get away with the 'blame game' any more. Below is taken from the BBC news website, but it would be good to know people's thoughts...

The Public Interest Research Group (PIRG) has called for a federal investigation into Experian following a major hack at the credit database firm. Experian says personal data on 15 million T-Mobile US customers was stolen in the breach. PIRG, backed by 28 other bodies, fears the hack may have extended to the rest of Experian's credit database, which holds personal information about some 200 million Americans.

"A data security breach that affected Experian's credit report files would be a terrifying and unmitigated disaster," it added.

Experian has said the business was "completely separate" from its main credit bureau business, which was "not affected".

But in a statement, PIRG's consumer programme director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Commission to investigate whether other Experian databases had been breached.

He said: "If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?...If it was subject to the same protections as the credit reporting server, doesn't this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?"

Krebs' thoughts

Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian's internal data protection policies.

In a blog, published on 8 October, he claimed to have interviewed "half a dozen security experts" who recently left Experian frustrated with its approach.

"Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm," he said.

Experian data has been breached before - such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.

Cited and more on this story at BBC News.