TalkTalk is continuing to confuse experts with its latest assessment of the root cause of a high profile breach on its systems last week, which may have exposed the bank details including bank information of up to four million customers.
The under-fire telco is saying that it has become the victim of a “sequential attack” when in reality it is talking about a SQL injection attack and not a follow-up assault. Security experts from Tripwire, Imperva and MTI Technology have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Kevin Foster, Testing Services Manager at MTI Technology :
“Although reports indicate that Talk Talk reacted to the breach by shutting down their website by lunchtime, the fact that the My Account section is still not online suggests that this was the access point used to execute the attack.
“From first glance, it looks as though there was not an adequate DDoS (distributed denial of service) mitigation solution in place. DDoS attacks are often used as a ploy to mask the real nature of the attack. In this case, it looks like the attacker is flooding a website, with an underlying attack taking place to extract customer data. Given Credit Card Data is involved, Talk Talk should have been conducting tests on a regular basis, especially when major changes occur at the network, OS, server and application level, under a PCI DSS compliance regime given there’s reference to Credit Card Data in Talk Talk’s announcement.
“For Talk Talk customers, the worry will lie in just how much information was obtained by the attackers and how easy it was to bypass the company’s security defences and data encryption, so soon after the breach in February. The fact that credit protection services are being offered to customers shows that the telecoms provider is worried about what information was obtained and potentially concerned that the security measures were not adequate enough. With suspected customer credit card details having been stolen, the company is also likely to face PCI DSS fines in the millions.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Ken Westin, Senior Security Analyst at Tripwire :
“When an organization is targeted it can be difficult to identify the scope and scale of the compromise. Sophisticated attackers often leverage a number of initial attack vectors and techniques to gain access to networks and it can be difficult initially to tell which technique was successful.
Once attackers gain access to the targeted network they typically pivot and deploy different tools and techniques. Correlating these events is difficult because most organizations are essentially under attack all the time so tying specific events to one campaign or actor is daunting. A DDoS attack is a very common smokescreen to distract responders. It’s often a precursor to additional attacks that are designed to breach security controls.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Ofer Gayer, Security Researcher at Imperva :
“It seems like even tech-oriented companies with a fairly large infrastructure sometimes fail at perimeter protection 101.
One prominent cause for the successfulness of these breaches is not lack of security, rather lack of visibility.
Security visibility is probably one of the hardest things to do at scale, and attackers understand this very well.
Using these DDoS attacks as a “sucker punch” can completely blindside a company’s IT staff and render them blind regarding low-rate traffic, containing a malicious payload or data being exfiltrated. A modern day smokescreen.
With >100Gb attacks becoming a daily routine, it’s fairly obvious to anyone who has ever dealt with them that this is not something that can be handled on premise and by untrained staff.
Using a proper DDoS mitigation suite combined with a tweaked WAF gives complete clarity in this battlefield, and leaves defenders focused on what’s important instead of putting out fires.”[/su_note]
