BreachExchange mailing list archives

TalkTalk's cyber-security lesson


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 4 Feb 2016 19:02:06 -0700

http://www.scmagazineuk.com/talktalks-cyber-security-lesson/article/467550/

Last October broadband provider TalkTalk was hacked for the third time in
the space of just a year. The company, which has around four million
customers in the UK, was initially unable to confirm whether the stolen
customer data was encrypted or not, fuelling public outrage and landing
them with a total bill of £35 million as a result.

Unfortunately, this attack is not an isolated incident. It follows a long
line of similar attacks that have recently affected companies as varied as
Sony, Carphone Warehouse and the infamous Ashley Madison. So what can
financial services companies learn from these attacks? Where should
companies invest in stronger security and what should they be doing to
protect their customers' data?

There is no doubt the tactics of cyber-criminals are becoming increasingly
intelligent and complex. A vast range of bespoke criminal software,
specifically designed to help hackers exploit weaknesses in cyber-security,
is available for purchase by bitcoins on the dark web in an untraceable
marketplace. This black market for exploitative software has become a
billion dollar industry. According to the Federal Reserve Bank of San
Francisco, unique strains of malware such as that sold on the dark web
reached 100 million variants in 2012, and this number is growing at an
accelerated pace.

When or if they ever get to the bottom of the TalkTalk attack, it would not
be surprising to find that the malware code they used was procured from
this dark web.

Aside from the threat of hackers obtaining malware on the dark web, there
are still gaps and vulnerabilities in companies' software systems that must
be closed. At present, the easiest way to break into someone's bank account
– for example – is to get their valid user ID and password. Social
engineering bypasses the traditional cyber-security of user IDs and
passwords – the hacker just steals valid credentials and they're in. The
consumer needs to be educated in the various scams criminals use to obtain
these credentials. The confidence scams are clever and effective and make
traditional cyber-security mechanisms useless.

Perhaps nowhere else is data security more paramount than in the financial
services industry, and FS providers need to up their game to address
threats in real-time. Currently, the FS industry has invested heavily in
securing the 'perimeter fence' of security. There is very little attention
paid to securing the business applications themselves.

It should be obvious by now that relying on perimeter security to prevent
data breaches is a seriously flawed strategy. Organisations now need to
look past the point of entry for hacking threats; criminals will always
find a way in. Just as with building security, where systems include alarm
systems and sensors both at the point of entry as well as within the
building, banks also need to focus on cyber-security within the banking
application itself.

Companies need to monitor user behaviour for inconsistencies, deploying
software sensors at critical points in the applications to detect valid
users who are not using the system as expected. Such a system learns
patterns of behaviour that are normal for users, and can detect hackers who
must probe the system to find weaknesses, thus exposing their presence
because the hacker's behaviour is not what a normal user would do. By
knowing what the cyber-criminal does when they break in, companies can
monitor for this type of activity and sound an alarm when it happens.
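The in-application "software sensor" described above, as an added example that is not part of the article or of any product it mentions: it learns a per-user baseline (which features each user normally touches, typical session length, historical error rate) from constructed history, then scores new sessions so that a session using stolen but valid credentials stands out because of what it does, not how it logged in. Event fields, action names and the thresholds are assumptions chosen for illustration.

```python
"""Behavioural sensor inside an application: learn what is normal per user,
then flag sessions whose actions look like probing (many never-seen features,
a burst of denied or not-found responses) even though the login was valid.
All events below are constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    session: str
    action: str   # application feature or endpoint used, e.g. "view_balance"
    status: int   # HTTP-style status the application returned


# Constructed history: two customers using a handful of features, all succeeding.
HISTORY = [
    Event("alice", "a1", "login", 200), Event("alice", "a1", "view_balance", 200),
    Event("alice", "a1", "view_statement", 200), Event("alice", "a1", "logout", 200),
    Event("alice", "a2", "login", 200), Event("alice", "a2", "view_balance", 200),
    Event("alice", "a2", "pay_bill", 200), Event("alice", "a2", "logout", 200),
    Event("bob", "b1", "login", 200), Event("bob", "b1", "view_balance", 200),
    Event("bob", "b1", "transfer", 200), Event("bob", "b1", "transfer", 200),
    Event("bob", "b1", "logout", 200),
]

# Constructed new sessions: a3 is alice's usual routine; a4 is someone holding
# alice's valid credentials and poking at features she has never used.
NEW_SESSIONS = {
    "a3": [Event("alice", "a3", "login", 200), Event("alice", "a3", "view_balance", 200),
           Event("alice", "a3", "pay_bill", 200), Event("alice", "a3", "logout", 200)],
    "a4": [Event("alice", "a4", "login", 200), Event("alice", "a4", "admin_users", 403),
           Event("alice", "a4", "export_all", 403), Event("alice", "a4", "api_v1_accounts", 404),
           Event("alice", "a4", "api_v2_accounts", 404), Event("alice", "a4", "transfer", 200),
           Event("alice", "a4", "change_email", 200), Event("alice", "a4", "change_phone", 200)],
}


def build_baseline(events):
    """Per user: the set of actions seen, mean events per session and error rate."""
    actions = defaultdict(set)
    per_session = defaultdict(Counter)   # user -> session id -> event count
    errors, total = Counter(), Counter()
    for e in events:
        actions[e.user].add(e.action)
        per_session[e.user][e.session] += 1
        total[e.user] += 1
        if e.status >= 400:
            errors[e.user] += 1
    baseline = {}
    for u, known in actions.items():
        lengths = per_session[u].values()
        baseline[u] = {
            "known_actions": known,
            "mean_session_len": sum(lengths) / len(lengths),
            "error_rate": errors[u] / total[u],
        }
    return baseline


def score_session(baseline, events):
    """Return (score, reasons); each heuristic adds independently so the alert explains itself."""
    if not events:
        return 0.0, []
    b = baseline.get(events[0].user)
    if b is None:
        return 1.0, ["no behavioural baseline for this user"]
    distinct = {e.action for e in events}
    novel = sorted(distinct - b["known_actions"])
    err_rate = sum(1 for e in events if e.status >= 400) / len(events)
    score, reasons = 0.0, []
    novel_frac = len(novel) / len(distinct)
    if novel_frac > 0.5:                      # mostly features this user never touched
        score += novel_frac
        reasons.append(f"{len(novel)} never-before-seen actions: {novel}")
    if err_rate > b["error_rate"] + 0.25:     # denied/not-found bursts = probing
        score += err_rate
        reasons.append(f"error rate {err_rate:.2f} vs baseline {b['error_rate']:.2f}")
    if len(events) > 2 * b["mean_session_len"]:
        score += 0.5
        reasons.append(f"session length {len(events)} vs typical {b['mean_session_len']:.1f}")
    return score, reasons


def flag_sessions(baseline, sessions, threshold=1.0):
    """Sessions whose score reaches the threshold, with the reasons an analyst would see."""
    flagged = {}
    for sid, evs in sessions.items():
        score, reasons = score_session(baseline, evs)
        if score >= threshold:
            flagged[sid] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for sid, (score, reasons) in flag_sessions(build_baseline(HISTORY), NEW_SESSIONS).items():
        print(f"ALERT session {sid} score={score:.2f}: " + "; ".join(reasons))
```

The heuristics are deliberately additive and explained, because an alarm the fraud team cannot justify to the customer gets ignored; in practice the baseline would be rebuilt nightly from the application's own audit log and the thresholds tuned against known-good traffic before anything blocks a transaction.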

Tackling the threat posed by cyber-criminals is also on the government's
agenda. It was recently announced that the UK government will be increasing
its spend on cyber-security to £1.9 billion to protect the country from
potentially devastating hacks on a national scale by terrorists – and
increased governmental spend on cyber-security is likely to impact
positively on the threat posed to UK consumers. In addition, the new EU
Data Protection Regulations will have a two year transition period for all
systems in the EU to become compliant before enforcement starts.

The new compliance requirements will include the stipulation that data
security becomes an overriding priority, with safeguards having to be
built-in to products and services from the earliest stages of development.
The pan-European regulations will enforce, among other things, that if the
regulations are broken, fines of four percent of global revenue or €100
million can be levied.

The next few years will see a major increase in cyber-defence spending
across both public and private sectors, and companies must invest wisely to
successfully protect their customers and their reputations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
