BreachExchange mailing list archives

5 Lessons from the TalkTalk Hack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Nov 2015 11:58:46 -0700

http://www.databreachtoday.com/blogs/5-lessons-from-talktalk-hack-p-1967

Organizations worldwide can learn some valuable lessons from the most
recent hack attack against British telecom company TalkTalk that exposed
information on about 2.1 million customers (see TalkTalk Breach Fuels Call
for Tougher U.K. Laws).

For starters, every organization should determine whether it has proper
measures in place to avoid being breached by hackers like the four arrested
so far by British police in connection with the TalkTalk breach. Three of
the suspected attackers are age 16 or younger.

Here are five top lessons that CEOs, boards of directors and information
security professionals alike can learn from this breach:

1. Come Clean Quickly

Kudos go to TalkTalk for coming clean quickly in the wake of its Oct. 21
breach. Indeed, it's a notable change from the November 2014 breach the
company suffered, which it didn't disclose until February 2015. That breach
resulted in scammers stealing customers' account and contact details, which
they've used to successfully bilk some people out of up to £5,000 ($7,700)
each. To date, however, TalkTalk has earned no plaudits for its refusal to
compensate affected customers, arguing that they suffered no financial loss
as a direct result of the attack - as opposed to falling victim to
fraudsters. The U.K. Information Commissioner's Office, which enforces the
country's data protection laws, is continuing to investigate.

2. Eliminate Well-Known Vulnerabilities

No organization should fall victim to easily preventable SQL injection
attacks, such as the one that reportedly felled TalkTalk, which has so far
declined to comment on that attack vector, citing the ongoing police
investigation.

If reports on the nature of the attack are accurate, however, it means
TalkTalk likely didn't have proper defenses in place - securely coded Web
applications, backed by a Web application firewall - and likely didn't test
to find and eliminate these SQL injection vulnerabilities before attackers
did.

"This type of vulnerability has been around for many years, yet is still
proving to be one of the most effective ways for criminals to breach the
security of a website," Dublin-based information security consultant Brian
Honan tells me. "Companies need to ensure their Web applications are coded
in a secure manner and that they are regularly tested for potential
vulnerabilities."

3. Encrypt All PII

While TalkTalk did tokenize stored payment card numbers by removing the
middle six digits, all other customer and bank account information was
being stored in plaintext. With attackers seeking individuals' contact
information for use in scams, security experts say businesses must encrypt
every piece of personally identifiable information they store.

"The CEO for TalkTalk stated that some of the customer data was not
encrypted because there was no legal obligation to do so," says Honan,
who's also a cybersecurity adviser to the association of EU police agencies
known as Europol. "This focus on compliance can often leave companies
falling short of the goal of being secure."

4. Understand Breaches Will Be Costly

Boards of directors that fail to invest in a proper security program should
be prepared for their company's value to plummet, or even to suffer
bankruptcy, if there's a data breach.

In the wake of TalkTalk's breach, for example, U.K. legislators have been
pillorying the company's security practices, raising the question of how
long the brand name might endure. TalkTalk's stock has also become a
favorite of short sellers, who expect its value to continue to decline in
the wake of the breach, the Financial Times reports.

"The biggest driver that I have seen come out of the TalkTalk breach is the
10 percent hit in the company's share price after news of the breach
broke," Honan says. "This has a real-world impact on the company and will
make cybersecurity an urgent item for the board to address."

5. Security Requires a Cultural Change

While legislators may attempt new legal remedies for the world's data
breach epidemic, that won't magically resolve any of the challenges, Honan
says. Instead, companies must change their culture - from the top down - to
emphasize security.

"More laws will not prevent criminals from attacking websites and systems.
Nor will more laws make companies necessarily more secure, particularly if
the focus in those companies is on being compliant with laws and
regulations," he says. "What is required is a cultural change by consumers,
regulators, and governments to ensure companies take a risk-based approach
to security."

To rephrase Honan's advice: Don't just talk about security after the fact.
Instead, get serious well before your organization is breached.
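Lesson 2 above says SQL injection is "easily preventable" and that Web applications must be "coded in a secure manner" and "regularly tested". The following is an added example written for this archive page; it is not code from the article, from TalkTalk, or from any reported attack. It puts a deliberately vulnerable customer lookup beside its parameterised replacement, runs the same attacker-controlled input through both, and includes the kind of small regression probe a team could keep in its test suite. The table, the three customer rows and the probe strings are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer table; not TalkTalk's schema.
CUSTOMERS = [
    ("alice@example.com", "+44 20 7946 0000", "12345678"),
    ("bob@example.com", "+44 20 7946 0001", "23456789"),
    ("carol@example.com", "+44 20 7946 0002", "34567890"),
]

# Classic probes a scanner or pentester would try in an email lookup field.
INJECTION_PROBES = [
    "x' OR '1'='1",
    "' OR 1=1 --",
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone, account_no) VALUES (?, ?, ?)", CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so quote
    characters inside it are parsed as SQL instead of being treated as data."""
    sql = "SELECT email, phone, account_no FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """HARDENED: a parameterised query. The driver binds the value as one
    string literal; nothing inside it can change the statement's structure."""
    sql = "SELECT email, phone, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def probe_for_injection(conn, lookup):
    """Minimal regression test of the kind Honan recommends: feed each probe
    to the lookup function and report the ones that return rows. A correct
    lookup matches no customer for these strings, so any hit is a finding."""
    return [probe for probe in INJECTION_PROBES if lookup(conn, probe)]


def demo():
    """Run a legitimate lookup and an attacker-controlled lookup through both
    implementations and return the results side by side."""
    conn = make_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "alice@example.com"),
        "legit_safe": lookup_safe(conn, "alice@example.com"),
        # The vulnerable path returns every customer record for this input.
        "attack_vuln": lookup_vulnerable(conn, INJECTION_PROBES[0]),
        # The parameterised path returns nothing: no customer has that email.
        "attack_safe": lookup_safe(conn, INJECTION_PROBES[0]),
        "leaky_probes_vuln": probe_for_injection(conn, lookup_vulnerable),
        "leaky_probes_safe": probe_for_injection(conn, lookup_safe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `probe_for_injection` is that the check is cheap enough to run on every build: a lookup that returns any row for a string that matches no real customer is a bug regardless of whether a Web application firewall in front of it happens to block that particular payload.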
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
