On Friday 23rd October 2015, it came to light that TalkTalk, the telecommunications and internet provider was subject to a significant cyber-attack.
Some facts have come to light since the disclosure of the attack:
Third time’s a charm
The latest attack was the third cyber-attack in the past 12 months. It is believe that that this attack has allowed the attacker to steal four million records. It may also have been up to ten weeks, since the cyber-attack had occurred.
DDoS as a cover
A DDoS (Distributed Denial of Service) attack was used to overwhelm the existing perimeter solutions. The large volume of traffic will overwhelm perimeter solutions such as firewalls and IDS/IPS solutions which are there to scan and protect an organisation from malicious traffic. It seems there was either no or an inappropriate/inadequate DDoS mitigation solution in place. DDoS attacks are often used as a subterfuge to mask the real nature of the attack. In this case, it looks like the attacker is flooding a website, whereas the underlying attack is to exfiltrate customer data.
It is widely believed that the attack was on the application available on the internet, and using web application testing tools, such as a form of SQL injection attack, were able to access the data.
SQL is a database application, and an SQL injection is the ability to run a query on a database. Although very useful for database administrator, it gives malicious attackers the ability to query and export a whole database. The ability to run SQL injection attacks, are typically due to bad administration practices and not properly protecting the database.
Comprehensive data on people
The customer data lost is incredibly comprehensive. The list below shows the data the attacker was able to obtain.
- Email Address
- Telephone Number(s)
- TalkTalk Account Number
- TalkTalk Password
- Bank Details
- Partial Credit Card Details
The TalkTalk data wasn't encrypted, meaning the attacker was able to read all the above information. The data was in clear text, offering no protection to the customer.
It is believed that the Police and BAE Systems are carrying out a forensic investigation on the attack, but this relies on how much of a digital footprint was left during the attack and whether it was recorded at the time.
BEFORE THE ATTACK
As an organisation handling customer information, there are many actions that would help prior to an attack:
Identification of Data
With numerous databases, server shares, cloud storage solutions and user created data; identifying important information, such as customer’s PII (Personal Identifiable Information) and financial information is paramount.
Protection of Data
Once the important information has been identified, methods of protecting the data should be used. Encryption of data, where the data is encoded using a unique key and can only be decoded with this key, makes the data useless without it.
Testing of Systems
As applications are exposed the internet, such as customer portals, these need to be tested by a third party organisation with little or no knowledge of the application. A Web Application Penetration Test could have highlighted some of the shortcomings of the web facing applications, including testing for SQL injections.
DURING THE ATTACK
When an organisation is under attack, a number of solutions could have prevented an attack similar to TalkTalk’s.
It is often said that 100% of attacks have used administrative rights. There are Privileged Access Management solutions, which will safeguard the administrative accounts, and will offer full traceability of which administrator has done what. A typical attack will either use administrative credentials they have gained, or to elevate the administrative privileges of a normal user.
Protection from DDoS
A DDoS (Distributed Denial of Service) is normally used by a malicious attacker to take a web presence offline, making a web service inaccessible. In the case of TalkTalk’s attack, it was use to cloak the underlying attack. A hybrid DDoS mitigation solution could have prevented such an attack.
There are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) which is used to detect and identify malicious activity on the network, then try to block or stop that traffic, and report back. These are available as standalone solutions or as part of a UTM (Unified Threat Management) or Next-Generation Firewall solution. Sometimes the early warning of an attack can help prevent the loss from being so great.
The data will need to be taken for a breach to have occurred, so a DLP (Data Loss Prevention) solution will monitor the vectors from which data can leave, such as web, email, USB, screenshots, printers, etc and if the monitored data leaves in an atypical fashion, it will be quarantined and administrators alerted.
AFTER THE ATTACK
After the compromise, what options are available?
Logs & Forensics
Post attack, it’s important to know what has been lost and preventing it from happening again. A SIEM (Security Information & Event Management) solution would be able to aggregate the logs from the various components of the network, and apply a level of intelligence to the data. Some will be able to carry out a forensic analysis on the logs.
Understanding the attack will allow a more effective remediation plan to be created.
What now TalkTalk?
Reading the press following the TalkTalk attack, there is no understanding to the significance of the data loss. Although there is no demand to encrypt the data, it doesn't mean that the information of your customers should not have been encrypted.
As a minimum, by pentesting the application to prevent the vulnerability, and encrypting the data so it's useless to the attacker, would have prevented TalkTalk from the media attention.
There is a call for the government to do more to prevent the cyber-attacks, but as highlighted here the technologies are available to help prevent, gain visibility or slow down the attack. The onus should not be on governments to protect the customer’s data, it should be the service provider.