Friday 30 October 2015

Should TalkTalk be Raising the White Flag?

Guest Blogger: Nick Prescot 
Senior Information Security Manager
So it's been a week since we all found out that there was a large data breach at TalkTalk, and the initial thinking was that 4 million customers' details had been taken by cyber jihadists and that the hack was done by cyber criminals in shadowy parts of the world.

We were then serenaded by the CEO of TalkTalk, Baroness Dido Harding, who told us that she didn't know what information had been taken and that she was sending all their customers an email explaining what had happened, but couldn't tell us how customers would know whether it was a genuine email or a phishing email. The website had been taken down, and that's a good thing because the hackers wouldn't be able to get at the information.

Baroness Harding was very brave to rally around the 24-hour news channels professing how 'sorry' she was, but when it came to technical answers to technical questions, there was a feeling that the answers given earned the same result as the Brits at Eurovision: 'nil points'. In the days of medieval chivalry, Richard III was famously quoted crying 'a kingdom for a horse'; in these times, it is 'a company reputation for a CISO'.

A week later, it turned out the attack wasn't done by cyber jihadists in a shadowy country sponsored by rogue nation states. It was done by Aaron, 15, who lives in Ballymena, Co. Antrim. He is known for his love of computer games and for living with his mother. The police raided his house with a fully armed squad and seized his computer. But was he the only perpetrator, or just a front?

Could a single desktop or laptop machine really be the complete set of infrastructure needed to mount such an attack? I hear rumours from press sources that it was a DDoS attack that took down the website and created confusion, followed by a SQL injection to get at the database; the rest has been played out in public.

So a large ISP with 4 million customers was taken down by a 15-year-old with a laptop and a broadband connection; it might even have been a TalkTalk broadband connection, but we don't know that. Some might say this is the equivalent of a kid breaking into an office by spraying the CCTV with paint, getting in through the back door and finding the customers' financial information lying on the desk.

Security has been shown not to be a strong point in the TalkTalk attack...but it's ok, because banking details are not required by law to be encrypted, and if there were any payment card details, only the middle 6 digits were held.

So compliant they may have been at the time of the breach, but the levels of security are not what anyone in the industry would call 'best practice'. An SQL injection in 2015? This should have been fixed years ago. Unencrypted cardholder, personal and financial information? A privacy impact assessment should have been done to classify the data.
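To make the SQL injection point concrete, here is an added example (not code from the original post or from TalkTalk): a customer lookup built by string concatenation beside the same lookup with a bound parameter. The customer table and its rows are constructed sample data.

```python
"""Vulnerable versus parameterised customer lookup (added example)."""
import sqlite3

# Constructed sample data standing in for an ISP customer database.
CUSTOMERS = [
    ("AC1001", "alice@example.net", "1980-01-02"),
    ("AC1002", "bob@example.net", "1975-06-30"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, email TEXT, dob TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(account: str) -> list:
    """Builds the statement by concatenation, so user input becomes SQL.

    A tautology such as ' OR '1'='1 in the account field turns the WHERE
    clause into one that matches every row, dumping the whole table."""
    conn = _connect()
    sql = ("SELECT account, email, dob FROM customers "
           "WHERE account = '" + account + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(account: str) -> list:
    """Same lookup with a bound parameter: the input is only ever data,
    so the tautology is compared literally against the account column
    and matches nothing."""
    conn = _connect()
    sql = "SELECT account, email, dob FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


if __name__ == "__main__":
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))  # every customer row
    print("safe:      ", lookup_safe(probe))        # []
```

Detection tip for defenders: the vulnerable form leaves the injected text inside the executed statement, so database query logs containing quote characters or `OR '1'='1` in a field that should hold an account number are a strong indicator; the parameterised form never produces such a statement.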

Many people have asked me how you quantify reputational loss in the event of a data breach. It's not an easy question to answer, but TalkTalk have given us a case study on which metrics can be based: a loss of value in the share price, a class action by current customers, and every customer looking to leave TalkTalk as soon as they are able to.

From a regulatory perspective, this is up in the air, but the Data Protection Act does state that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

So whilst this is not a specific obligation to encrypt the data, being attacked by a 15-year-old with an SQL injection shows that the appropriate measures may not have been in place. There is also a clause in TalkTalk's contract with its customers that says they would take reasonable care with personal data.

What this boils down to is the balance between compliance and security. It's clear that the security controls in place were not robust enough to withstand a real-world breach, and that the response was not strong enough to contain the loss of share price value or to stop previously loyal customers walking away.

Yes, they may have been 'compliant', but it's clear that the current level of legislation and regulation does not demand the right level of security. And a cyber data breach is not a victimless crime: just think of those customers who are not tech-savvy, when a social engineer calls them up armed with their personal details, dates of birth and so on. Having got the middle six digits of their payment card (the first six can be worked out from the BIN), the caller talks them out of the last four digits and possibly the CVV. With the bank account details already in hand, I am sure that some direct debits will be set up.

The sad truth is that replacing a payment card is a lot easier than validating and verifying an individual's personal information with the credit agencies and confirming that it is not being used in an untoward way. That's where the loss of personal information is far more impactful and long lasting. Everyone talks about the loss of payment card information and the fines that ensue...but I don't see the same for the loss of customer personal data.

This is where the EU GDPR is long overdue. Until then, the loss of reputation for a company, using TalkTalk as a data breach case study, will highlight what boards need to do to ensure that their customer infrastructure is more resilient. Or take a leaf from Heartland Payment Systems in the US: they had a massive breach in 2006 and then decided that the only way to rebuild trust was to put security into everything, and over time they became known as a secure payment provider.

I would recommend the same to TalkTalk...put security at the heart of everything you do, but I would say that, wouldn't I! Will there be a big round of patches, or a root-and-branch review of their infrastructure? Until then, this is a webpage that is worth looking at...

More about me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of clients' policy and governance infrastructure, combined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to clients so that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager; when there is a security and/or availability incident, Nick ensures that it is remediated as soon as possible and deploys the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'
