Professor Mark Skilton, of Warwick Business School, Professor of Practice of Information Systems and IT consultant.

Professor Mark Skilton said: "Large scale data theft is increasingly big business for professional cyber criminals. The value of personal identity data records and account details is increasingly high as it can be used in masquerading identity to commit theft of other data; or give direct access to personal bank account money and fraudulent transactions.

"It was reported that some of the Talk Talk data was not encrypted, suggesting again that lessons have not been learnt on controlling sensitive content. This is a recurring theme of data breaches and shows a lack of strong data controls.

"Talk Talk appear to have learnt the lesson of a quick media response to manage the damage to reputation that Sony, Target and others suffered after delaying days and weeks to tell customers, which compounded the damage to their brand.

"Talk Talk have alerted banks to the theft but this is too late as it will already be on the move in the cyber-criminal community. All that can be done now is to rapidly change the 'locks' and identity management of the millions affected but that's not easy.

"For customers, if your Talk Talk username is your email address and you use that email and password combination anywhere else, change it immediately wherever you use it. And make your Talk Talk password unique to that site from now on. The attackers may still be in there.

"Check frequently for odd activity on sites where you use the same Talk Talk log-in credentials. Go back over your online bank account and check for any transactions you don't recognise."

Richard Cassidy, technical director EMEA, Alert Logic

"This represents another serious incident from a data-breach perspective at TalkTalk; unfortunately not for the first time this year. Questions have to be raised around the point of data-at-rest security and whether organisations are indeed doing all they can to assure that customer data (whether it be credit card, banking details or personally identifiable information) is as protected as it could be in the case of a serious data breach.

We cannot continue to rely on legacy security tools and techniques in the battle against the modern day cyber criminals that are targeting our organisations on a global scale. Fundamentally it is safer to assume that we will be a target of an attack (and in many cases an advanced threat) and look at the problem from the inside out. Clearly it's important to look at how we can better prevent data breaches and implement more effective tools to identify pre and post compromise activity; however CISOs, CSOs and CEOs should take the lessons learned from the countless data breaches we've seen this past while and seek to answer the question of how well prepared the organisation is in the event a data breach does occur, and how customer data can be better protected should the worst happen.

Clearly there are questions in the case of this breach, as to what mechanisms were put in place to protect the data hackers came after; perhaps too much focus was put on perimeter security and detection of threats, rather than focusing on better protecting what assets attackers would be coming after in the first place. Fundamentally organisations need to start with an intrinsic understanding of the anatomy of an attack as the first line of defence. Organisations have responsibility for protecting our data and perhaps a change is needed in legislation to compensate customers who suffer a financial loss as a result of their data being compromised; all too often we see organisations defer liability when a customer suffers a financial loss at the hands of bad actor groups who used the data they stole from a successful breach to compromise the organisation's customers. The vast majority of consumers are not IT or even security savvy, especially the older generation; it can often be incredibly hard to discern between a bogus call purporting to be your provider (using the data they've gleaned from a breach) and a legitimate call. It would be far better for organisations of the ilk of TalkTalk to offer up better information to consumers on how to identify how their data could be used in such campaigns and to take more responsibility in supporting customers who suffer a loss as a result.

Ultimately however it points to the need for organisations to really question their "data-at-rest" encryption standards and capabilities and more importantly the protection of the keys that are used to maintain encryption. If more focus was placed on the assumption that a data breach is highly likely to occur and as a result of this, how can losses be mitigated against should corporate or customer data be exfiltrated. The first answer quite evidently lies in how we encrypt the data we might lose and thus make any attempt at using that data a very tall order indeed for the bad actors to seek it."

Ryan Wilk, director, NuData Security.

"This breach potentially exposed records including incredibly personal data such as credit card numbers, name, address, date of birth and so on. Data thieves sell this information to aggregators, who cross-reference and compile full identities - called "fullz" on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person's name, causing problems for fraud victims for years down the road.

We've seen among our clients that account creation fraud attempts are on a sharp rise. Of the 500+ million account creations we analysed, more than 57% of them were flagged fraudulent and account creation fraud has risen over 100% since February of this year alone. That kind of long-term, big payout fraud can only happen with stolen customer PII.

This underscores why it's vital to switch from traditional and insecure KBA-based authentication - easily stolen, hard to replace - to user behavioral analytics (UBA) and passive biometrics. Harness the power of behavioral attributes to authenticate users in ways that are less intrusive yet more secure. We learn how legitimate users act and get a front row seat to watch thieves try and fail to game the system with their stolen data. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard."

Andy Heather, VP EMEA, HP Security - Data Security

"Immediately following any high profile cyberattack there are questions such as who, how and what - to a great extent this is immaterial. Most companies do collect significant amounts of personal information on their customers such as their addresses, identification numbers and dates of birth. If left unprotected, this information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user's behalf.

This breach highlights a need for companies to place tighter controls on how their customers' sensitive information is protected. If data is left unprotected, it's not a matter of "if" it will be compromised - it's a matter of "when". Even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.

Many leading companies already employ format-preserving encryption to protect the data itself. The TalkTalk attackers would have ended up with unusable encrypted data instead of the current outcome where an untold amount of their customers' personal information is now in the hands of cyber criminals.

The theft of financial information, credit card or account information, has a limited lifespan, until the victim changes the account details etc., but the personal information that can be obtained by accessing someone's account profile has a much broader use and can be used to commit a much wider range of fraud and identity theft, and simply cannot be changed.

The value of this personal data to the cybercriminal is much greater; for example, where the selling price for a single stolen credit card is around $1, if that card information is sold with a full identity profile that can dramatically increase up to $500. If the cyber criminals know where the real value is then surely we should all expect responsible organisations to pay appropriate attention to keeping our personal information safe.

Encryption of data is essential to protect customer data not just when it is stored but throughout its entire life cycle, wherever it is, and however it is used within an organisation; this, along with a robust security stance, is the only way to stop criminals profiting from stolen data."
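Heather's comment above rests on format-preserving encryption: the stored value keeps its shape (a 16-digit card number stays 16 digits, so existing schemas and validation keep working) but is useless to whoever exfiltrates it without the key. The following is an added educational example, not HP's product or code, and not the NIST FF1 mode a production system should use. It builds a small Feistel network over HMAC-SHA256 from the Python standard library to show the property concretely; the key, the card number and the tweak value are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the key is held in a separate
# key-management system, which is the "protection of the keys" point made
# elsewhere on this page; losing the key alongside the data defeats the scheme.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ROUNDS = 10  # even, so both halves finish in their original positions


def _round_function(key: bytes, round_no: int, tweak: bytes, half: str, out_len: int) -> int:
    """HMAC-SHA256 over (round number, tweak, one half), reduced to out_len decimal digits."""
    msg = bytes([round_no]) + tweak + b"|" + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** out_len)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map a decimal string to another decimal string of exactly the same length.

    The tweak (e.g. a record identifier) makes equal inputs in different
    records encrypt differently, which plain deterministic FPE would not.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least two digits")
    split = len(digits) // 2
    a, b = digits[:split], digits[split:]
    for i in range(ROUNDS):
        f = _round_function(key, i, tweak, b, len(a))
        # modular addition keeps the half inside its digit range (format preserved)
        a = f"{(int(a) + f) % 10 ** len(a):0{len(a)}d}"
        a, b = b, a  # swap halves for the next round
    return a + b


def fpe_decrypt(key: bytes, ciphertext: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards with modular subtraction."""
    if not ciphertext.isdigit() or len(ciphertext) < 2:
        raise ValueError("ciphertext must be a decimal string of at least two digits")
    split = len(ciphertext) // 2
    a, b = ciphertext[:split], ciphertext[split:]
    for i in reversed(range(ROUNDS)):
        a, b = b, a  # undo the swap performed at the end of round i
        f = _round_function(key, i, tweak, b, len(a))
        a = f"{(int(a) - f) % 10 ** len(a):0{len(a)}d}"
    return a + b


if __name__ == "__main__":
    card = "4111111111111111"  # constructed test number, not a real account
    protected = fpe_encrypt(DEMO_KEY, card, tweak=b"customer-record-42")
    print("stored value :", protected, "(still 16 digits, still fits the column)")
    print("with the key :", fpe_decrypt(DEMO_KEY, protected, tweak=b"customer-record-42"))
    print("wrong key    :", fpe_decrypt(b"attacker-guess", protected, tweak=b"customer-record-42"))
```

The point the demonstration makes is the one in the quote: a stolen table of such values is an "unusable" pile of digits, and the attacker's problem becomes obtaining the key rather than the database. Two caveats a practitioner would add: the output is deterministic for a given key and tweak, so the tweak must vary per record to avoid leaking equal plaintexts, and a vetted mode (NIST FF1) with an HSM-held key is what should actually ship.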

Jon French, security analyst of AppRiver

"The two major things customers need to do are keep an eye on their banking information to look for fraudulent transactions, as well as be vigilant with communications. By communications, I mean they should be suspicious of any unexpected emails or phone calls that may be asking them for additional information. If someone calling or emailing you already has information like name, address, email address, or other account information, that doesn't mean they can automatically be trusted. They may cite that data to get someone to trust them to hand over more information like a credit card or password."
Benjamin Harris, Managing Security Consultant of MWR InfoSecurity

"As always when there is a concern that payment data may have been breached, consumers should pay attention to transactions made on their debit and credit cards and report any suspected fraudulent transactions to their card issuer. Being proactive will help to limit any damage caused by exposure of credit card information, however if consumers are heavily concerned about the confidentiality of their debit or credit card, it is recommended that they contact their card issuer to provision replacement cards, thus invalidating the previous credit or debit card used.
 
"It appears that TalkTalk have been proactive in this instance, and have done the correct things by issuing a public statement and involving the relevant authorities, allowing the attack to be investigated and thus limit any further damage.

"Incident response is a necessity for most organisations. In this case, it is important that organisations are both proactive and honest about any security breaches, and that they enlist the correct help from the outset. Identifying the attack mechanism is an important step in mitigating the risk, and pre-emptive actions (such as immediately destroying an infected machine) could lose vital evidence that would be useful in identifying the actual impact.
 
"Organisations should also regularly test their incident response plans. For example, logging and monitoring systems may not be regularly inspected. Realising that a log collation server has not been working for months and has not recorded information relating to a breach can be very frustrating, and these issues can be avoided with regular inspection.
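Harris's last point, that a log collation server can silently stop recording for months, is a failure that is cheap to detect if someone actually looks. The following is an added example written for this page, not MWR's code or a tool the page describes: it reads a collated log, records the last timestamp seen per source, and reports every expected source that is missing or has been silent longer than an allowed window. The log lines, the host names, the reference time and the one-hour threshold are all constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a collated log: "<ISO timestamp> <source host> <message>".
# Note that fw01 never appears and db01 stops reporting early in the morning.
SAMPLE_LOG = """\
2015-10-23T09:00:12Z web01 nginx: GET /login 200
2015-10-23T09:00:15Z db01 mysql: connection accepted from web01
2015-10-23T09:05:40Z web01 nginx: GET /account 200
2015-10-23T11:30:02Z web01 nginx: GET /login 401
"""

# Sources the collation server is supposed to receive from (constructed inventory).
EXPECTED_SOURCES = {"web01", "db01", "fw01"}

# Reference "now" and tolerated silence, fixed so the check is reproducible.
NOW = datetime(2015, 10, 23, 12, 0, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=1)


def last_seen(log_text: str) -> dict:
    """Return {source: latest timestamp} for every source that appears in the log."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; a real pipeline would count these too
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        host = parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(log_text: str, expected: set, now: datetime, max_silence: timedelta) -> dict:
    """Return {source: reason} for expected sources that are absent or have gone quiet."""
    seen = last_seen(log_text)
    problems = {}
    for source in sorted(expected):
        if source not in seen:
            problems[source] = "never reported"
        elif now - seen[source] > max_silence:
            problems[source] = f"last seen {seen[source].isoformat()}"
    return problems


def run_check() -> dict:
    """Run the liveness check against the constructed sample with the fixed settings."""
    return silent_sources(SAMPLE_LOG, EXPECTED_SOURCES, NOW, MAX_SILENCE)


if __name__ == "__main__":
    for source, reason in run_check().items():
        print(f"ALERT: {source} is not logging ({reason})")
```

Run on a schedule against the real collation server, the same check turns "we discovered during the incident that nothing had been recorded" into an alert raised on the first missed hour. The threshold should be set per source: a firewall that normally logs every second and a batch job that runs nightly need different silence windows.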