Talk Talk Data Breach by Third Party Access

Brian Chappell

blog-bullet-holes

Talk Talk (a UK telecoms company) has announced that it has been the victim of a sustained cyber-attack which has resulted in the potential exposure of 4 million customer records (and possibly many more with past customer data as well). Responsibility for this attack has been claimed by a Russian Jihadi group, although not confirmed at this time. This is not the kind of thing that any of us want to wake up to, particularly as a past Talk Talk customer myself.

What is disturbing about this data breach is the reported method used to gain access, via a third-party organization. This has echoes of the Target attack as well as many others. When an organization sees the fallout from an intrusion such as that experienced by Target, which is incidentally still rolling on with $19m paid to MasterCard this year, that they would make sure that there wasn’t a route from necessary third-party links to sensitive data. You’d also hope they were encrypting critical data (and not storing the keys on the same system).

Let’s start by looking at network segregation. It’s not a new idea, many banks and other organizations have been using this kind of approach for years. Highly sensitive data is held in their high security network segment, sensitive data in the medium security segment and everything else in the normal security segment. The actual number of segments may be bigger or smaller but the concept remains the same. The higher the security level the harder it is to gain access, to the point that in many implementations there is no capability to initiate a connection from a lower to a higher security segment. Connections are configured only from the higher to the lower security segment effectively preventing unauthorized access.

This is an effective approach to securing that sensitive data and it doesn’t need to be difficult to implement either, even moving the sensitive data to a network segment that doesn’t have normal user or workstation access would be a good idea.

What is difficult is making sure that the secure segments are and remain secure. The biggest risks in this area are vulnerabilities, excess privilege and the use of that privilege. Effective vulnerability management is the first step in ensuring that the systems and infrastructure that make up your environment aren’t offering well-known, well publicized access points to hackers. Tools like Retina CS can help you in making sure the vulnerabilities you are tackling first are those that are well-known, with publicly available exploits. Taking this kind of approach to vulnerability management will help you avoid being drowned in lists of issues while also getting the biggest bang for your buck so to speak. Fix the things most likely to be used first, in good old Pareto terms, addressing the 20% of vulnerabilities that are 80% of the risk. Leveraging Retina CS’ Configuration Compliance capability enables you to ensure that carefully configured segmentation doesn’t get broken through changes to the environment.

Once the infrastructure is secure, solutions to allow effective privilege management are an essential next step. A wonderfully secure environment with unfettered admin access is a little like digging a moat around your castle then adding bridges everywhere. Managing admin access is a challenge, a significant challenge. Try to restrict users who have been given complete access to the environment is one problem, how that privilege can be misused when such an account is compromised is another concern entirely. Your users may be trustworthy and professional but that doesn’t prevent their accounts being misused by malicious actors. Least Privilege provides a mechanism to keep those users productive without given them unlimited access (which you then seek to restrict). PowerBroker for Windows, PowerBroker for Unix & Linux and PowerBroker for Mac all offer the capability of implementing true Least Privilege. Users are all standard users, no privilege at all. The PowerBroker tools allow you to target the applications that the users need to run, giving those specific applications specific privileges along with the capability to record what happens during those sessions. This enables you to have a situation where the default state is secure, the user is a standard user. The tools enable rather than trying to restrict (where the default state is insecure).

BeyondTrust IT Risk Management Platform (a free tool in nearly every product) monitors the activity in the tools, using advanced machine learning capability, to establish what normal activity looks like in your network rather than some ‘perfect’ lab environment. When you know what normal activity looks like then abnormal activity, even within granted rights, is easier to spot and home in on. Taking action is again focused on the areas that are most likely to improve the security of your systems. Our networks, irrespective of size, are complex and fragile environments and the right tools are essential. Tools that work well together to present a common, comprehensive picture will yield a better ROI than tools that require you to join the dots.

According to the 2015 Verizon Data Breach Investigations Report, data breaches are up 55% from last year.  The majority of data breaches are the result of well-known and entirely preventable vulnerabilities. It’s important to understand these publicized data breaches and how the learnings could apply to your environment. Don’t assume that your environment is secure, IT security is shifting sand, ever changing. Take the appropriate actions and avoid your network from being the next headline. Contact us to learn about our Privileged Account Management and Vulnerability Management solutions.

Brian Chappell

Brian has more than 20 years of senior level IT enterprise experience in a career that has spanned high-tech multi-nationals, including Amstrad plc, BBC Television and Xircom Inc. He has held technical IT roles including International Operations Manager for Cidera Inc. and Global IT Consultant for GlaxoSmithKline. Brian leads the Technical Services arm of BeyondTrust across the EMEAI & APAC regions. His role ensures the delivery of world-class technical services of BeyondTrust’s leading vulnerability management and least privilege platform, to some of the largest organisations in the world.