Unfolding of the recent TalkTalk data breach
Following the recent TalkTalk breach, Wim Remes, Manager of EMEA Strategic Services at Rapid7, offered several comments, including:
“Even though TalkTalk mentions that the attack happened yesterday, there are reasons to assume that the attack has lasted longer than just the past 24 hours. The data was released by the attackers yesterday, that is all we can derive from what we know now.
There is no need to speculate how the attackers got in, what they were after, and what their motivations are. Attribution, in my opinion, is a zero sum game and I am confident that TalkTalk will share that information once they have connected all the dots.
What I think is important to emphasize is TalkTalk’s very strong focus on clear communication. The CEO is the person representing the company to its stakeholders in times of distress without hiding the issues. They were breached, they are working on finding out what happened, and in the meantime here is the CEO talking clearly and without hesitation about what customers can expect from them. This is literally rule number one of incident response and one that is often forgotten once a breach happens.”
As the breach continued to unfold, Matt Pearson, Channel Director of EMEA at Centrify, also released several comments on the breach. These included:
“This is not the first time that TalkTalk has suffered a data breach, and it is yet another example of companies not taking breaches seriously. Whilst it is clear that TalkTalk have actioned their Incident Response teams well, they should have addressed their security failings equally. The question now is ‘why did the breach occur?’ The majority of breaches are usually the result of someone either stealing credentials for privileged accounts or someone using a credential internally to gain access to somewhere sensitive they shouldn’t have access to. The difficulty with a breach is that once hackers have access to the network they can jump from one system to another and gain more and more knowledge about the environment, the servers, network and user accounts, and ultimately find credentials for privileged admin accounts. Once they have access to these accounts, in most cases, if not all, they can then access the critical infrastructure housing valuable customer data.”
As the chaos of the breach came to an end, Wim Remes had several closing statements with regard to his previous comment. These included:
“As the TalkTalk breach story continues to unfold, I think there are a few key points that are worth discussing. What TalkTalk (and some news outlets) calls a “sequential attack” is actually a SQL injection attack (or SQLi as we colloquially call it). This is an attack vector that has been known for more than a decade and it is still found in web applications around the globe. While it is possible for the error that enables such an attack to slip through a well-established application security program, such errors are fairly easy to prevent with the proper safeguards in place.
Through SQL injection an attacker can request arbitrary data from the database behind the application. It would be prudent to assume that all data kept within the database is now compromised. TalkTalk also mentions seeing a DDoS attack prior to the actual breach. The tactic of inundating an application with traffic to hide the real attack going on at the same time is very common nowadays. By distracting the target, the attacker buys more time to focus on the assets they are really after. Organisations can address this by implementing multi-layer monitoring systems.
Lastly, once again we see a public company being attacked and customer data getting compromised. If information security is not on the agenda of your executive team and board, it really should be. Only by understanding how information risk influences operational risk can organisations get a full view of their risk landscape and make the right investments to prevent as much as possible, and to respond adequately to the breach that will happen eventually.”
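The comment above describes SQL injection as an old, well-understood flaw that is easy to prevent with the right safeguards. The following is an added illustration of that point, not code from the article, from TalkTalk or from either commenter: it builds a small in-memory SQLite table with constructed sample rows, places a string-concatenated customer lookup (the flaw) beside its parameterised equivalent (the safeguard), and runs both with an ordinary username and with a constructed input that alters the WHERE clause. The table layout, sample rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for "the database behind the
# application". This is not TalkTalk's schema or data.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test", "0123456789"),
    (2, "bob", "bob@example.test", "0198765432"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: user input is pasted into the SQL text itself.

    Because the input becomes part of the statement, it can change the
    query's structure instead of acting only as a value to compare.
    """
    sql = (
        "SELECT username, email, phone FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The safeguard: a parameterised query.

    The driver sends the value separately from the SQL text, so whatever
    the caller supplies is only ever compared against the column and can
    never be interpreted as SQL syntax.
    """
    sql = "SELECT username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an honest and a constructed hostile input."""
    conn = make_db()
    honest = "alice"
    # Constructed input that, when concatenated, widens the WHERE clause so
    # it matches every row: the "request arbitrary data" problem above.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Running the block shows the vulnerable lookup returning every customer row for the hostile input while the parameterised lookup returns none, which is exactly why the fix is considered cheap: the same query with a placeholder closes the hole without any input filtering. The same pattern applies to every database driver that supports bound parameters; where an ORM or query builder is in use, the equivalent safeguard is to never interpolate user-controlled strings into raw SQL fragments.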