“Another day, another hack”: the TalkTalk breach under the microscope

Paul German

Yet another breach has hit the headlines, but are we surprised? Too many high-profile breaches have already been reported this year, and businesses are still failing to put in place security measures that not only make their systems harder to compromise but also limit the scope of a breach when one does occur. Paul German offers his thoughts on the TalkTalk episode.

Although the complete details of the TalkTalk breach are still unknown, one thing is for certain: TalkTalk cannot have had a software-defined security strategy in place, one that focuses on users and applications rather than on the network itself.

How do we know this? Had TalkTalk cryptographically segmented its systems into pre-defined and clearly understood fragments, the breach would have been confined to one segment and manageable, instead of system-wide.

The TalkTalk breach shows that merely assuming internal networks are safe and trusted is no longer acceptable. Hackers have turned trusted networks into playgrounds, moving laterally from system to system and liberally exfiltrating data.

By compromising a single user, even a contractor, attackers get past the firewall and enjoy access to essentially everything. Under a zero-trust (no-trust) security model, no network is trusted, inside or outside the perimeter, no user is fully trusted and, equally, no device is trusted.

TalkTalk needs to take note: the most secure enterprises have adopted crypto-segmentation, meaning that they encrypt all sensitive application flows, inside and outside the perimeter. Achieving this requires eliminating silos and establishing a centralised method of creating and managing both policies and keys, so that protection is end-to-end across all applications and networks.

Developing a cryptographic relationship

Building on the identity and access control technologies already widely deployed, a cryptographic relationship creates a clean, key-enforced link between each user and the data and applications that user is permitted to reach. If a breach does occur, the attacker is then limited to the information and data that the compromised user could access.

Crypto-segmentation combined with role-based access means authorised users reach applications over flows that are encrypted from server to user, with keys issued per role from the central policy system. If a user is compromised, the attacker can reach only that user's applications: lateral movement to more sensitive applications is blocked, and the breach is contained. This kind of arrangement could have stopped the TalkTalk attackers in their tracks.

Architectures need to adapt quickly to the new world of user and application mobility by ensuring that network segmentation and application isolation can be applied across all environments, irrespective of network-level controls.

User access control policies must be applied and enforced in real time, across all users and applications, both inside and outside the traditional firewalled perimeter.
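To make the crypto-segmentation and role-based access argument above concrete, here is an added illustration written for this article; it is not code from Certes Networks or TalkTalk. The users, roles, applications, sample flow data and the key-derivation scheme are invented for the demonstration, and the HMAC-based stand-in cipher is there only so the script runs on the Python standard library (a real deployment would use a standard AEAD such as AES-GCM). What it shows is that an attacker who steals one user's keys can capture every flow on the "trusted" network yet decrypt only the applications that user's role permits.

```python
"""Toy model of crypto-segmentation with role-based access (added example).

Illustration written for this article, not Certes Networks' code. Users,
roles, applications and the key scheme are invented. An HMAC-SHA256
keystream plus HMAC tag stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import secrets

# Constructed policy: which applications each role may reach.
ROLE_APPS = {
    "contractor": {"helpdesk"},
    "billing-agent": {"helpdesk", "billing"},
    "dba": {"billing", "customer-db"},
}
USER_ROLE = {"alice": "contractor", "bob": "billing-agent", "carol": "dba"}

# Constructed sample data carried by each application flow.
APP_DATA = {
    "helpdesk": b"ticket #4711: router reboot",
    "billing": b"invoice 2015-10 GBP 42.00",
    "customer-db": b"name,dob,bank-sort-code,account-number",
}

# Held only by the central policy/key manager; never handed to endpoints.
MASTER_KEY = secrets.token_bytes(32)


def segment_key(app):
    """Derive an independent per-application key from the master key."""
    return hmac.new(MASTER_KEY, b"segment:" + app.encode(), hashlib.sha256).digest()


def can_access(user, app):
    """Role-based policy check: may this user reach this application?"""
    return app in ROLE_APPS[USER_ROLE[user]]


def issue_keys(user):
    """Key distribution follows policy: a user gets keys only for permitted apps."""
    return {app: segment_key(app) for app in APP_DATA if can_access(user, app)}


def _subkeys(key):
    """Separate encryption and MAC keys derived from one segment key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC blocks (toy stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC one flow under a segment key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong segment key is rejected before any decryption."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("segment key does not match this flow")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def capture_flows():
    """Everything an attacker on the 'trusted' LAN can sniff: every app flow, encrypted."""
    return {app: encrypt(segment_key(app), data) for app, data in APP_DATA.items()}


def readable_apps(stolen_keys, flows):
    """Which captured flows can an attacker holding one user's keys actually read?"""
    readable = set()
    for app, blob in flows.items():
        for key in stolen_keys.values():
            try:
                decrypt(key, blob)
                readable.add(app)
                break
            except PermissionError:
                continue
    return readable


if __name__ == "__main__":
    flows = capture_flows()
    for user, role in USER_ROLE.items():
        print(f"{user} ({role}) compromised -> readable: {sorted(readable_apps(issue_keys(user), flows))}")
```

Running the script prints, for each compromised user, the set of applications whose flows become readable: the contractor's keys open only the helpdesk flow, while the customer database stays opaque even though its ciphertext was captured. The design point is that reachability is decided by which keys the central policy issued, not by where on the network the attacker is standing.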

The time for the industry to recognise that a fresh approach is needed is now. We must ask how many more high-profile breaches like the one TalkTalk is currently dealing with are needed before clear and decisive action is taken by the businesses most at risk.

Paul German is Vice-President (EMEA) at Certes Networks

What to do if you think you may have been affected

*Contact your bank/credit card company so that they can monitor for suspicious activity on your account(s)

*Change the passwords for your online accounts. Use three words which mean something to you but are random to others; this gives a password that is both strong and memorable. Change any password you suspect has been exposed, and never reuse the same password across different accounts

*Monitor your account for any suspicious or unexpected activity

*Beware of targeted phishing e-mails. If you receive unsolicited e-mails, never reply with your full password, login details or account details, and don't click on any links, as you could end up downloading malware

*Be wary of anyone calling and asking for personal information, bank details or passwords. If in doubt, just hang up. In the past, TalkTalk customers have complained about receiving scam calls from fraudsters pretending to be TalkTalk employees and claiming that they want to warn users about malware infections on their computer

*Watch out for signs of identity crime. Visit Experian, Equifax or Noddle to check your credit rating to make sure no-one has applied for credit in your name

*For online safety advice visit Get Safe Online and Cyber Streetwise

*If you’ve fallen victim to fraud, report it to Action Fraud and obtain a police Crime Reference Number

TalkTalk has also said that it will never:

*Ask for your bank details to process a refund. If you are ever due a refund, TalkTalk can only process it if your bank details are already registered on its systems

*Call you and ask you to download software to your computer, unless you have previously contacted TalkTalk, discussed it with them and agreed a call-back for this to take place

*Send you e-mails asking you to provide your full password. They will only ever ask for two digits from it to protect your security

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.