TalkTalk's Cybersecurity Lesson

Uploaded on 2016-02-10 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Last October broadband provider TalkTalk was hacked for the third time in the space of just a year. The company, which has around four million customers in the UK, was initially unable to confirm whether the stolen customer data was encrypted or not, fuelling public outrage and landing them with a total bill of £35 million as a result.

This attack is not an isolated incident. It followed a long line of similar attacks that have recently affected companies as varied as Target, Sony, Carphone Warehouse and Ashley Madison. So what can financial services companies learn from these attacks? Where should companies invest in stronger security and what should they be doing to protect their customers' data?

There is no doubt the tactics of cyber-criminals are becoming increasingly intelligent and complex. A vast range of bespoke criminal software, specifically designed to help hackers exploit weaknesses in cyber-security, is available for purchase by bitcoins on the dark web in an untraceable marketplace. This black market for exploitative software has become a billion dollar industry. According to the Federal Reserve Bank of San Francisco, unique strains of malware such as that sold on the dark web reached 100 million variants in 2012, and this number is growing at an accelerated pace.

When or if they ever get to the bottom of the TalkTalk attack, it would not be surprising to find that the malware code they used was procured from this dark web.

Aside from the threat of hackers obtaining malware on the dark web, there are still gaps and vulnerabilities in companies' software systems that must be closed. At present, the easiest way to break into someone's bank account – for example – is to get their valid user ID and password. Social engineering bypasses the traditional cyber-security of user IDs and passwords – the hacker just steals valid credentials and they're in. The consumer needs to be educated in the various scams criminals use to obtain these credentials. The confidence scams are clever and effective and make traditional cyber-security mechanisms useless.

Perhaps nowhere else is data security more paramount than in the financial services industry, and FS providers need to up their game to address threats in real-time. Currently, the FS industry has invested heavily in securing the ‘perimeter fence' of security. There is very little attention paid to securing the business applications themselves.
 
It should be obvious by now that relying on perimeter security to prevent data breaches is a seriously flawed strategy. Organisations now need to look past the point of entry for hacking threats, criminals will always find a way in. Just as with building security where systems include alarm systems and sensors both at the point of entry as well as within the building, banks also need to focus on cyber-security within the banking application itself.

Companies need to monitor user behaviour for inconsistencies, deploying software sensors at critical points in the applications to detect valid users who are not using the system as expected.  Such a system learns patterns of behaviour that are normal for users, and can detect hackers who must probe the system to find weaknesses thus exposing their presence because the hacker's behaviour is not what a normal user would do.  By knowing what the cyber-criminal does when they break in, companies can monitor for this type of activity and sound an alarm when it happens.
 
Tackling the threat posed by cyber-criminals is also on the government's agenda. It was recently announced that the UK government will be increasing it’s spend on cyber-security to £1.9 billion to protect the country from potentially devastating hacks on a national scale by terrorists – and increased governmental spend on cyber-security is likely to impact positively on the threat posed to UK consumers. In addition, the new EU Data Protection Regulations will have a two-year transition period for all systems in the EU to become compliant before enforcement starts.  
 
The new compliance requirements will include the stipulation that data security becomes an overriding priority, with safeguards having to be built-in to products and services from the earliest stages of development. The pan-European regulations will enforce, among other things, that if the regulations are broken, fines of four percent of global revenue or €100 million can be levied.
 
The next few years will see a major increase in cyber-defence spending across both public and private sectors, and companies must invest wisely to successfully protect their customers and their reputations.

SC Magazine:

 

 

« Self-Driving Car Poses High Hacking Risk
EU Protects Online Data Quite Differently From The US »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

AtkinsRéalis

AtkinsRéalis

AtkinsRealis is a market-leading design, engineering and project management consultancy operating in fields ranging from infrastructure, through energy and transport to cybersecurity.

Acuity RM Group

Acuity RM Group

Acuity RM Group helps businesses worldwide effectively manage, prioritize and report on their risks to inform strategic and tactical decision-making and build long-term resilience.

IPCopper

IPCopper

IPCopper specializes in network packet capture appliances for cybersecurity, cybersurveillance and network monitoring, and encrypted data storage.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

ABL Cyber Academy

ABL Cyber Academy

ABL provide certified training courses in the field of cyber security and IT project management.

Sysorex Government Services

Sysorex Government Services

Sysorex Government Services helps customers meet their strategic missions by providing secure, optimized IT solutions that allow them to perform more efficiently and effectively.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Hack The Box

Hack The Box

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

Crosspoint Capital Partners

Crosspoint Capital Partners

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity and privacy sectors.

Data Storage Corp (DSC)

Data Storage Corp (DSC)

Data Storage Corporation is a provider of data recovery and business continuity services that help organizations protect their data, minimize downtime and recover and restore data.

JFrog

JFrog

JFrog is on a mission to enable continuous updates through Liquid Software, empowering developers to code high-quality applications that securely flow to end-users with zero downtime.

E2E Technologies

E2E Technologies

E2E Technologies are a proactive, SLA-beating, managed service provider that busts the common stereotypes surrounding IT.

Axiado

Axiado

Axiado Corporation is a security processor company redefining hardware root of trust with hardware-based security technologies, including per-system AI.

Primary Guard

Primary Guard

Primary Guard provides IT solutions and computing technologies that help minimize impact from cyber threats, improve business efficiency and maintain essential functions during or after a disaster.

BlackSignal Technologies

BlackSignal Technologies

BlackSignal Technologies provides cybersecurity, digital signal processing and electronic warfare products to help DOD and IC agency customers counter near-peer threats and security challenges.

INETCO Systems

INETCO Systems

INETCO deliver essential real-time cybersecurity, payment fraud detection, operational monitoring and analytics solutions that empower our customers to grow their businesses without interruptions.