It is now a week since the announcement that TalkTalk (no, not Talk Talk, the 80s new wave rock group) had been the subject of a targeted cyber attack that potentially exposed the personal information of up to four million TalkTalk customers. Such a Shame we don’t have all the details yet, but it’s still relatively early days, and, despite one individual (a 15-year-old from Northern Ireland) having been arrested and later released on bail, the investigations will be ongoing. Security forensics experts will be piecing together the sequence of events by retracing the attacker’s steps from the reported initial attack, and then working to determine whether threats remain in the environment or whether any other critical systems were touched in the process.
There still remain a number of open questions around the number and identity of the attackers: where they were located, whether they belonged to the same team or whether different cells or individuals were involved, and whether they are linked to any previous attacks. There is also the potential for other hackers to leverage the high level of attention in the British and global media to falsely take credit for the attack and extort TalkTalk.
Incidents such as TalkTalk spur other organizations to question their own security programs, with executive management and boards of directors wanting to know, “Could this happen to us [me!]? It's My Life, or at least my job, on the line!” and seeking measurable evidence that their organization could react successfully to, or mitigate the risk away from, such an incident.
It is not a simple task, but I can guarantee that teams across the UK and elsewhere are attempting to answer that question and to provide assurances that they are immune to, or at least capable of responding to, an attack. Unfortunately, incidents such as this can take on a life of their own and can even be seen as the culmination of what “bad” looks like for other organizations. But, in reality, the incident itself and the subset of information provided about what exactly happened do not provide a de facto “magic bullet” template for how to protect your own business.
Despite this, larger breaches tend to become legendary: how many people still talk about the TJ Maxx, PlayStation, and RSA attacks? TJ Maxx is now eight years ago, and PlayStation and RSA were four years ago. Old tactics never die, so a defence focused only on halting similar attacks may still block something, but reassessing your security technologies and governance posture needs to be a continual, or at least periodic, exercise. At the end of the day, the business of protecting your environment comes down to the cybersecurity triad of People, Process and Technology. In order to evaluate the strength of your organization’s security posture, consider asking yourself these questions:
- Do I have the right people with the right experience to deal with an unfolding incident in real time?
- Do these people know who their internal subject matter experts and stakeholders are, so they can be called on quickly as required?
- Does my team have the right level of skills to deal with such situations and, if not, are they empowered to engage third-party experts or other necessary resources as required?
- Will my team work through the situation methodically, making sure each aspect is inspected carefully and either signed off or referred for deeper inspection?
- Are my processes aligned with any new objectives and strategies of the business, such as increased focus on mobile technologies and social media?
- For transformational IT projects, such as IaaS or software-defined data center migration, do my previous processes and policies still meet the business need for discovery, response and mitigation of threats?
- Do I have the necessary controls available across the business to prevent and otherwise remediate attacks when they arise?
- If I have outsourced parts of my business, what assurances do I have for monitoring and controlling supply chain and hosting/enabled cloud platforms?
- Who has authority to enforce the mitigation path in a timely fashion, e.g. shutting down servers (if absolutely necessary) or diverting resources? (You can have the best policy or process in the world, but if no one is empowered to make the call, your incident response is hampered until someone shows up who can make the right decisions.)
- Do I have access to technology that can be used during an incident for the capture and snapshotting of affected systems/networks for offline analysis?
- Do I have systems that can churn large volumes of data in near real time, looking for patterns or indications of compromise?
- Does my (security) technology allow me to take action to mitigate events based upon that information? Meaning, if I see something malicious, can I also do something about it?
- Do my technology solutions reach into the dark corners of my organization to provide visibility and controls to the data flowing around it?
- Do my technology solutions provide me with a consolidated view of my data, including on-premise and third party platforms?
- Are my existing technology solutions able to keep pace with the IT infrastructure being employed by the business?
It is important in today’s cybercrime-afflicted world to ensure that your organization does not just “talk the talk” but also “walks the walk”, so that if (or when) an incident occurs, the business has maximum visibility and control across all of its critical systems. We surely won’t see an end anytime soon to the attacks being levied against organizations, but with the appropriate people, processes, and technologies in place, your organization can be prepared and able to respond when you are the one in the crosshairs. It’s a challenge, to be sure, but I Believe In You.
You can start to gain visibility and control of the data in your organization for free by requesting a download of vArmour DSS-V today.