For all the talking about it, the recent TalkTalk data breach has been characterised by a lack of clarity about what happened. But despite the lack of details there are still some valuable lessons that can be drawn.
On 21 October 2015 the UK telco TalkTalk suffered a “significant and sustained cyber-attack” by criminals who succeeded in stealing sensitive data from 156,959 customers.
Since then, four people have been arrested but few details have emerged about exactly what happened, even though CEO Dido Harding completed an exhaustive round of media engagements.
Harding’s attempts to clarify what happened to her customers were hampered by revisions in the numbers affected, conflicting reports of what occurred and a peculiar and unhelpful insistence that TalkTalk’s cybersecurity was “head and shoulders” above its competitors.
Protecting data from a Distributed Denial of Service Attack
We were initially left wondering how TalkTalk would have suffered data loss during a Distributed Denial of Service attack (DDoS), since a DDoS attack is a tidal wave of incoming requests that overwhelms a system making it unavailable to anyone who wants to use it.
If hacking is analogous to picking a door lock, then a DDoS attack is like boarding the door shut from the outside. It’s vandalism rather than theft and it’s not a technique that can be used for stealing data.
But it was probably a technique borrowed from criminals who work in the world of bricks and mortar.
Why DDoS is more dangerous than it seems
In April of this year, a team of bank robbers made off with 70 safety deposit boxes worth £35 million from Hatton Garden Safety Deposit Ltd. At around the same time, a nearby tube station suffered a fire that brought chaos to London and sparked a huge power cut. It later emerged that the robbers started the fire to burden the security services and reduce the chance that they would be detected in achieving their real objective.
DDoS is a similar tactic that was probably used in the TalkTalk hack. It provided a smokescreen that enabled the thieves to go about their business whilst distracting those tasked with responding to the crisis with a dashboard full of red warning lights.
Whatever happened to TalkTalk, the very fact that a DDoS could have been used to distract staff should be a prompt for all of us to ask if our reporting is up to the job.
Could your security monitoring reveal a pinpoint hack inside a DDoS attack? When everything is in the red could you still identify and prioritise what’s important? Has your team habituated any persistent errors or false positives to the point of ignoring them?
Securing the perimeter is not enough
Much of the conversation about the TalkTalk breach has centred around the subject of encryption – the company’s beleaguered CEO did not help matters by saying that customer details were not encrypted at TalkTalk – but that was OK because, as she put it, there was “No legal obligation to encrypt customer bank details.”
Industry regulation is the bare minimum of what we need to do to secure our customers. Judging by the reaction to Harding using it as a fig leaf, I’m not alone in this position.
Financial services need to offer a higher level of security to its digital banking customers
We need regulation to ensure that everyone is at a minimally acceptable level but financial services must aim higher and move faster. It is a fact of life that regulatory change will not evolve at the pace of cybersecurity threats. Regulation is literally years behind. The new EU General Data Protection Regulation (GDPR) will finally be made into law over 2 years after it was introduced. It is critical that financial services clear a higher security bar, one that is continually moving upwards. The more secure we are as an industry the more we change the cost benefit analysis that drives organised cybercriminals to our networks.
All companies should be protected against SQL injection attacks
But encryption is still not at the root-cause of this problem. Encryption certainly has its place but what is now emerging is that that the hackers succeeded in breaching TalkTalk’s defences with a SQL injection attack. A well-known vulnerability that has been around for years, and one of the basics that all companies should have be protected against.
Hackers simply enter commands written in SQL, the lingua franca of databases, into fields on the website that expect user input such as search boxes or login screens.
If the commands are not properly handled by the website then the site can be tricked into asking the database to access whatever data the hacker wants. .
Of course to gain access to the secure website, and to launch the SQL injection, the hackers must be logged in, they must be authorised users. The hackers must have in their possession a valid user id and password – and if in fact this is how TalkTalk was knocked over, this is yet another lesson for us all.
Securing the perimeter is not enough.
Financial systems need attack-aware applications
The SQL injection attack suffered by TalkTalk and its customers is yet another example of why business applications need to have information security built-in.
Financial systems cannot depend on firewalls and perimeter security alone to identify attacks. The applications need to be able to tell the difference between good user behaviour and suspicious user behaviour in real time.
Keeping your banking details safe from cybercrime
Networks understand the world in terms of packets and protocols. But applications understand business concepts like users, credit cards, customer accounts and balance transfers. Attack-aware applications can use this business knowledge to better examine what a user is up to and identify potential threats.
A user might be authorised to ask for 150,000 customer records, for example, but it’s very different from the behaviour we’d expect from a normal user. Attack-aware applications will be able to identify this abnormal behaviour and alert systems operations to the threat.
It’s time for the industry to step up to this new level of cybersecurity.