TalkTalk's lessons for cyber security

All companies are technology companies - and need to make security a priority with an investment to match, not an afterthought

When TalkTalk's website started going slow on the afternoon of Wednesday, 21 October, the company knew that there was a possibility that it had been targeted in yet another attack.

Yet it was another day and a half before it went public, just in time for the company to get its message out on the 10 o'clock news and for the first editions of Friday's newspapers. The IT press, which had been assured that nothing (much) was wrong when it first made contact with TalkTalk on Wednesday afternoon – after TalkTalk's users had started complaining that the website had gone down – was left to hear about it on the news.

But it wasn't a ham-fisted attempt at news management, according to a TalkTalk spokesperson. "TalkTalk began to experience latency issues on its website on Wednesday. We took the website down as soon as it was clear there was unusual activity.

"We immediately began investigating what was happening, including working with external cyber security experts. Working through the night it became clear that TalkTalk had been the victim of a cyber attack and that customer data had potentially been accessed," claimed the TalkTalk spokesperson in response to a series of questions filed by Computing.

Since Thursday evening, the company's hapless CEO Dido Harding has variously claimed that the company was subjected to an extortion attempt - for the princely sum of £80,000 in bitcoin - and that the attackers had subjected the company to a "sequential attack", by which she presumably meant "SQL injection" attack.

She even went as far as to claim that the company had been targeted by "cyber jihadis", a claim that a number of supposed jihadi groups were all too willing to play up to - until a 15-year-old boy was arrested on "suspicion of crimes under the Computer Misuse Act" just days later.

Defence in depth

Regardless of who was responsible, the attack highlights one of the first areas that web-facing organisations need to address if they are to avoid looking too tempting a target, whether to genuine attackers or to script kiddies wielding hacking tools they don't necessarily fully understand: locking down database access so that input submitted through front-end forms cannot be turned into arbitrary queries against the back-end database.

"This [SQL injection] is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, they are fairly easy to prevent with the proper safeguards in place," said Wim Remes, EMEA manager of strategic services at security services company Rapid7.
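As an added illustration of the point Remes makes (this is example code, not anything from TalkTalk or Rapid7), the following Python shows the same customer lookup written two ways: with the form input concatenated into the SQL text, and with it bound as a query parameter. The table, the customer rows and the tampered input are all constructed for the example.

```python
"""Added example: a vulnerable SQL lookup beside its parameterised fix,
run against an in-memory SQLite table with constructed sample rows."""
import sqlite3

# Constructed sample data; names and account numbers are invented.
CUSTOMERS = [
    ("alice", "ACC-0001", "alice@example.invalid"),
    ("bob", "ACC-0002", "bob@example.invalid"),
    ("carol", "ACC-0003", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, account TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Form input is spliced straight into the SQL text, so the input can
    change the structure of the query rather than just supply a value."""
    sql = "SELECT username, account FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the input as data, so it is only
    ever compared as a string and never parsed as SQL."""
    sql = "SELECT username, account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed form input that closes the quote
    print(lookup_vulnerable(db, tampered))  # every customer row comes back
    print(lookup_safe(db, tampered))        # []: no customer has that literal name
```

The vulnerable version returns the whole table for the tampered input; the parameterised version returns nothing, because the database never sees the input as SQL.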

TalkTalk has also, rightly, come under attack for admitting that sensitive customer data wasn't even encrypted - despite promises that it made earlier this year after customer information was lost in previous attacks.

Encryption isn't a panacea. Data needs to be processed, and hence accessed and decrypted, and depending on how the database is set up there are techniques an attacker can use to make it return data in decrypted form. But there are measures that make it far harder for an attacker to decrypt data held in a database. Indeed, even the IT leadership group BCS Elite was moved to issue a statement.

"It is difficult to understand why, in the context of previous cyber attacks against the company, TalkTalk has found it necessary to admit that some of their sensitive customer data was not adequately encrypted. TalkTalk was clearly a high-profile target, as are all companies holding data on large numbers of consumers, so the board and IT leadership of the company must have been aware that they were at risk," said the BCS Elite in its statement.

Indeed, only in August, Harding had claimed that the company had taken all measures necessary to protect customer data - yet this doesn't seem to have been the case.

It continued: "In modern IT systems it is easy to encrypt the data on the disks, in the database, in transit, and/or in the applications which use the data, some or all of which may be appropriate depending on the systems architecture and purpose for holding the data, meaning that nobody may read the data without the encryption key.

"Furthermore, it is equally easy to 'one-way hash' data so that while it may be used for comparison purposes, such as checking the validity of a password or security response, it may not actually be read by anyone ever. Simply, while the technological sophistication required may be beyond the resources of some small companies, there is no good reason why any large company with extensive IT resources like TalkTalk should not encrypt and protect customers' data," according to BCS Elite.
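To make the one-way hashing that BCS Elite describes concrete, here is an added example (not from the statement or from TalkTalk) of storing a password or security answer as a salted PBKDF2-HMAC-SHA256 hash that can be checked but never read back. The iteration count and the sample secrets are assumptions for illustration.

```python
"""Added example: salted one-way hashing of a password or security answer,
checked with a constant-time comparison, using only the standard library."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: a modest work factor for illustration


def hash_secret(secret: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A fresh random
    salt per record means two customers with the same answer get different
    stored values, so reading the table reveals nothing about the secrets."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak how much matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_secret("correct horse battery staple")  # constructed sample
    print(record)                                          # no plaintext inside
    print(verify_secret("correct horse battery staple", record))  # True
    print(verify_secret("wrong answer", record))                  # False
```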

Encryption, although not a perfect solution by any means, and one with its own security flaws, provides extra security in depth.

"Of course, unlike hashing, encryption does not provide perfect protection because anyone with the encryption key may read the data," says BCS Elite, "but for all practical purposes, encryption keys may also be protected so that the possibility of a hacker obtaining both the encrypted data and the encryption key is infinitesimally small - the difficulties encountered by GCHQ and the NSA in trying to monitor criminal and terrorist electronic communications are demonstration enough that encryption is effective in protecting data."

BCS Elite went on to suggest that, although it's a bit late in the day, TalkTalk will now be urgently looking at the problem of upgrading its databases and applications to ensure that all sensitive personal data is encrypted, but was mystified as to why Harding hadn't made sure it already was.

Harding herself had suggested, in a television interview, that encryption wasn't a legal requirement, but the Information Commissioner's Office (ICO) may take a different view - although the most the ICO can do is fine TalkTalk a paltry £500,000, and the penalty is unlikely even to be that large. Indeed, when online store Pharmacy2U was found to be selling customer data, it was fined only £130,000.

"As IT leaders [at BCS Elite] we cannot fathom why the TalkTalk data was not adequately encrypted: the Information Commissioner has been recommending the use of encryption to protect data for many years. With our understanding of governance we cannot fathom why the TalkTalk board had not demanded that the company encrypt personal data. Failure to encrypt customer data in the volumes which TalkTalk holds seems akin to securing Fort Knox with a tin padlock.

"The TalkTalk incident should be yet another wake-up call to company boards and IT leaders - it's time to take cyber security seriously."

Furthermore, it highlights the importance of CEOs having more than a modicum of IT and IT security knowledge.

"Once again we see a public company being attacked and customer data getting compromised," said Remes. "If information security is not on the agenda of your executive team and board, it really should be. Only by understanding how information risk influences operational risk can organisations get a full view of their risk landscape and make the right investments to prevent as much as possible, and to respond adequately to the breach that will happen eventually."

For TalkTalk, though, its lackadaisical approach to security, even in the face of almost a year of cyber attacks, has only served to make it a bigger target - and, perhaps, to draw the attention of better hackers to organisations across Britain as potential soft targets.