Yet another breach has hit the hacking headlines, but are we surprised? Too many high-profile breaches have made the news so far this year, and businesses are still failing to put proper security measures in place, both to make their systems more difficult to hack and to limit the scope if a breach does occur. Paul German offers his thoughts on the TalkTalk episode.
Although the complete details of the TalkTalk breach are still unknown, one thing is for certain: TalkTalk must not have had a software-defined security strategy in place, focusing on users and applications rather than the network itself.
How do we know this? If TalkTalk had cryptographically segmented its security system into pre-defined and clearly understood fragments, the breach would have been more manageable instead of system-wide.
The TalkTalk breach shows that merely assuming internal networks are safe and trusted is no longer acceptable. Hackers have turned trusted networks into playgrounds, moving laterally from system to system and liberally exfiltrating data.
By compromising one user, even a contractor, hackers get past the firewall and enjoy access to essentially anything. When a no-trust security model is in place, it means that no network is trusted, inside or outside the perimeter, no user is fully trusted and, equally, no device is trusted.
TalkTalk needs to take note: the most secure enterprises have adopted crypto-segmentation, meaning that they encrypt all sensitive application flows inside and outside the perimeter. To achieve this requires eliminating silos and establishing a centralised method of creating and managing policies, as well as keying for end-to-end protection across all applications and networks.
Developing a cryptographic relationship
Building on the identity and access control technologies already widely deployed, a cryptographic relationship creates a clean and unbreakable link between each user and the data and applications that user is permitted to reach. If a breach does occur, the hacker is then limited in the information and data he or she is able to exploit.
Crypto-segmentation combined with role-based access means authorised users can access applications encrypted from server to user. If a user is compromised, hackers can access only that user’s applications. Lateral movement to more sensitive applications is blocked, and the breach is therefore contained. This kind of arrangement could have stopped the TalkTalk hackers in their tracks.
Architectures need to adapt quickly to the new world of user and application mobility by ensuring that network segmentation and application isolation can be applied across all environments, irrespective of network-level controls.
User access control policies must be applied and enforced in real time, across all users and applications, both inside and outside the traditional firewalled perimeter.
The time for the industry to recognise that a fresh approach is needed is now. We must question how many more high-profile breaches like the one TalkTalk is currently dealing with are needed before clear and concise action is taken by the businesses most at risk.
Paul German is Vice-President (EMEA) at Certes Networks
What to do if you think you may have been affected
* Contact your bank/credit card company so that they can monitor for suspicious activity on your account(s)
* Change your password for your online accounts. Use three words which mean something to you, but are random to others. This creates a password that’s strong and more memorable. You should change passwords often and never use the same one twice
* Monitor your account for any suspicious or unexpected activity
* Beware of targeted phishing e-mails. If you receive unsolicited e-mails, never reply with your full password, login details or account details. Don’t click on any links, as you could end up downloading a virus
* Be wary of anyone calling asking for personal information, bank details or passwords. If in doubt, just hang up. In the past, TalkTalk customers have complained about receiving scam calls from fraudsters pretending to be TalkTalk employees and claiming that they want to warn users about malware infections on their computer
* If you’ve fallen victim to fraud, report it to Action Fraud and obtain a police Crime Reference Number
TalkTalk has also said that it will never:
* Ask for your bank details to process a refund. If you’re ever due a refund from them, they would only be able to process this if your bank details are already registered on their systems
* Call you and ask you to download software to your computer, unless you have previously contacted TalkTalk, discussed it with them and agreed a call back for this to take place
* Send you e-mails asking you to provide your full password. They will only ever ask for two digits from it, to protect your security