Can We TalkTalk Privately?
- Created on 02 November 2015
- Written by Steve Burrows
A headline in Computing magazine reads “TalkTalk demonstrates that technology-inept CEOs are a potential liability”. TalkTalk’s £6.8M p.a. rock-star CEO Dido Harding got out there front and centre to lead the company’s PR blitz following the hack and theft of customer data - and in doing so exposed her remarkable ignorance of technology matters as the boss of a company entirely dependent on tech. TalkTalk shareholders paid the price - the company’s stock plummeted 22% from the first signs of the attack and is still significantly depressed. Despite the later news that the hack was not as bad as originally feared, at the time of writing TalkTalk shareholders have lost around £400 Million before penalties, compensation and customer desertion kick in.
What was more remarkable to many however was the admission that the stolen data was not encrypted. The IT Leaders group BCS ELITE is quoted as saying “Failure to encrypt customer data in the volumes which TalkTalk holds seems akin to securing Fort Knox with a tin padlock”.
Global technology leader Hewlett Packard recently claimed that 87% of Cyber Security spending is on firewalls - that’s perimeter defences trying to prevent intruders from entering the network. The reality is that however good the perimeter defences, someone will always find a way in if they’re sufficiently expert and determined. That wasn’t the case with the TalkTalk attack, though: they basically left the front door unlocked and some teenage vandals took advantage. If you accept that the more competent and determined professional cyber-criminal is going to find a way in, what can you do?
A “Defence in Depth” model requires that you not only secure the perimeter, but also secure each information silo / server against exfiltration as well as intrusion. Each layer of defence makes the thief’s job harder, but where there’s a will there’s a way. The final layer of defence, and probably one which most organisations should implement early, is to make the contents of your digital fortress worthless - in a word, Encryption.
Encryption works: quoting BCS ELITE again, “the difficulties encountered by GCHQ and the NSA in trying to monitor criminal and terrorist electronic communications is demonstration enough that encryption is effective in protecting data”. Governments can’t crack good encryption, and nor can cyber-criminals, so how do you do it? There are basically six layers at which encryption may be used to protect data.
Disk / device encryption - this is used to encrypt the whole of the data storage in a computer, meaning that if the computer is stolen the data is useless to the thief. Essential for laptops and mobiles, and effective against burglars but largely irrelevant to the Internet hacker who comes in through your network because the data is automatically decrypted whilst you are using it.
File encryption - this allows you to encrypt data file by file, so that a file may only be read by someone with the key or password. If a cyber-thief gets access to your computer they won’t be able to read any data, and if they stole your files it would take them many years to get into them.
Whole database encryption - this is a form of file encryption used to protect database files so that the database may read them but nobody else can. It’s weak in that anyone who can get access to the database can then read the data.
Database field encryption - this allows each individual data item in the database to be encrypted so that only the application with the key can read the data. This is much stronger and means that a hacker who has gained access to your database will find it useless unless they also have the key.
Application encryption - this is where the data is encrypted and decrypted by the application (CRM system, web portal etc.) meaning that the data is already encrypted when it reaches the database. It is the strongest form of protection for your customers’ data, but it limits database functionality - the database can’t search the encrypted data.
In practice properly protecting your customers’ data means using a combination of these techniques - disk encryption to protect against device theft, file encryption for documents and spreadsheets, database field encryption for data which the database must be able to search on, such as customer names and postcodes, and application encryption for the more sensitive stuff.
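To make the “application encryption” layer concrete, here is an added example (not code from the original article) in which the application encrypts a sensitive field before it reaches the database, leaving the searchable postcode in the clear. It assumes the third-party `cryptography` package for its Fernet authenticated encryption, an in-memory SQLite table standing in for the customer database, and a constructed sample record; the column names, the key handling and the record are illustrative assumptions. It also shows the limitation the article mentions: an equality search on the encrypted column finds nothing, and a dump of the table with the wrong key is useless.

```python
import sqlite3

# Assumed dependency (not part of the Python standard library): pip install cryptography
from cryptography.fernet import Fernet, InvalidToken

# Constructed for this example. In production the key lives in a key-management
# service or HSM, never in the database and never alongside the stored data.
KEY = Fernet.generate_key()


def create_store() -> sqlite3.Connection:
    """In-memory table standing in for the customer database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, postcode TEXT, bank_account BLOB)"
    )
    return conn


def store_customer(conn: sqlite3.Connection, key: bytes, postcode: str, bank_account: str) -> int:
    """Encrypt the sensitive field inside the application, so the database only ever sees ciphertext."""
    token = Fernet(key).encrypt(bank_account.encode())
    cur = conn.execute(
        "INSERT INTO customers (postcode, bank_account) VALUES (?, ?)", (postcode, token)
    )
    return cur.lastrowid


def read_customer(conn: sqlite3.Connection, key: bytes, customer_id: int) -> tuple:
    """Only a holder of the key can turn the stored token back into the account number."""
    postcode, token = conn.execute(
        "SELECT postcode, bank_account FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return postcode, Fernet(key).decrypt(token).decode()


def dump_table(conn: sqlite3.Connection) -> list:
    """What someone who can dump the table actually gets: the raw stored values."""
    return conn.execute("SELECT postcode, bank_account FROM customers").fetchall()


def search_by_account(conn: sqlite3.Connection, bank_account: str) -> list:
    """The database cannot search the encrypted column: ciphertext never equals the
    plaintext, and each encryption of the same value yields a different token."""
    return conn.execute(
        "SELECT id FROM customers WHERE bank_account = ?", (bank_account.encode(),)
    ).fetchall()


def search_by_postcode(conn: sqlite3.Connection, postcode: str) -> list:
    """The unencrypted, searchable field still works as a normal column."""
    return conn.execute("SELECT id FROM customers WHERE postcode = ?", (postcode,)).fetchall()


def read_with_wrong_key(conn: sqlite3.Connection, customer_id: int) -> bool:
    """Decrypting a stolen token with any key but the right one fails authentication."""
    _, token = conn.execute(
        "SELECT postcode, bank_account FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    try:
        Fernet(Fernet.generate_key()).decrypt(token)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    """Run the whole flow on one constructed customer record."""
    conn = create_store()
    cid = store_customer(conn, KEY, "SW1A 1AA", "12-34-56 12345678")
    return {
        "roundtrip": read_customer(conn, KEY, cid),
        "dump": dump_table(conn),
        "search_account": search_by_account(conn, "12-34-56 12345678"),
        "search_postcode": search_by_postcode(conn, "SW1A 1AA"),
        "wrong_key_readable": read_with_wrong_key(conn, cid),
    }


if __name__ == "__main__":
    print(demo())
```

Fernet combines AES in CBC mode with an HMAC, so a tampered or wrong-key token is rejected rather than silently decrypting to garbage; that is why the article’s “meaningless gibberish” outcome holds even if the attacker takes the whole table.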
The sixth layer is encrypting data in transit - when it is passing between computers, from the database to the application, and from the application to the viewer. Most of us are used to the latter stage: whenever we use a web address starting with “https” we are browsing securely, in that the link between us and the web server is encrypted. If someone penetrates your network they will be able to watch all the data travelling between your database and the application, so it makes sense to encrypt data in transit in-house as well as on the Internet.
None of this is complex or particularly expensive to do, although some off-the-shelf systems have not been designed to support encryption. Once done, you can be confident that, however good the hacker, the implications of a breach will be minimal - the theoretical time needed to decode modern encryption is counted in billions of years. Indeed, disclosing that you have been hacked but that everything was properly encrypted may even improve public perception.
One more point on data security: there is some data you never want to know, such as the customer’s password and identity validation responses - for example Mother’s Maiden Name, Name of First Pet etc. All you ever need to do with this data is check that the customer has supplied the correct answer. For this we can use a technique called One-Way Hashing, which is a form of irreversible encoding - you can never read the secure value, but you can always check whether the customer has provided the correct response by repeating the hash process and checking that the hashed values match. One-Way Hashing is not encryption, because the data can never be decrypted, but it is the ultimate protection for test questions such as passwords.
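The check-without-knowing flow described above, as an added example that is not part of the original article. It uses only the Python standard library: a random per-customer salt, a deliberately slow PBKDF2 hash (a plain fast hash such as bare SHA-256 is too quick to protect short answers like a pet’s name against guessing), and a constant-time comparison. The storage format string, the iteration count and the answer normalisation are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed parameter: tune to your hardware. One verification stays cheap,
# but guessing millions of candidate answers becomes expensive.
ITERATIONS = 200_000


def normalise(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively (assumption)."""
    return " ".join(answer.strip().lower().split())


def hash_secret(secret: str, salt: bytes = b"") -> str:
    """One-way: store 'pbkdf2_sha256$iterations$salt$digest'. The answer itself is never kept."""
    salt = salt or os.urandom(16)  # fresh random salt per stored answer
    digest = hashlib.pbkdf2_hmac("sha256", normalise(secret).encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Repeat the hash with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(secret).encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def enrol_and_check() -> dict:
    """Constructed walk-through: enrol one answer, then test right and wrong responses."""
    stored = hash_secret("Rex")
    return {
        "stored": stored,
        "correct": verify_secret("  rex ", stored),
        "wrong": verify_secret("Fido", stored),
        "salted_differently": hash_secret("Rex") != stored,
    }


if __name__ == "__main__":
    print(enrol_and_check())
```

Because the salt differs per record, two customers with the same first pet produce different stored values, so a thief who takes the table cannot spot shared answers or reuse one precomputed guess across every row.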
None of this would have stopped the TalkTalk hackers from stealing data, because the TalkTalk systems included a very basic flaw meaning that they were vulnerable to what is known as a SQL Injection attack, in which a hacker may instruct the database behind a website to cough up its data. SQL Injection attacks have been known about for over ten years, and any competent web developer can easily protect against them, so TalkTalk should not have been vulnerable; but as I said earlier, the determined expert hacker will find a way in. If TalkTalk had encrypted their database using the techniques I’ve described, all the hacker would have got would have been a lot of meaningless gibberish.
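To show what “easily protect against them” means in practice, here is an added example (not code from the article, and nothing to do with TalkTalk’s actual systems) of the flaw beside its fix. A lookup that pastes user input into the SQL text lets the input rewrite the query, whereas a parameterised query keeps the SQL fixed and passes the input purely as a value. The table, rows and the lookup-by-email scenario are constructed for the example, using Python’s built-in SQLite module.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed customer table standing in for the database behind a web form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "ACC-0001"), ("bob@example.com", "ACC-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """VULNERABLE: untrusted input becomes part of the SQL text, so it can change
    the query's meaning. Kept here only to contrast with the safe version."""
    sql = f"SELECT email, account_no FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """SAFE: the SQL text is constant; the driver binds the input as a value,
    so whatever the user typed is only ever compared against the column."""
    return conn.execute(
        "SELECT email, account_no FROM customers WHERE email = ?", (email,)
    ).fetchall()


def row_counts(email: str) -> tuple:
    """Run the same input through both lookups and report how many rows each returns."""
    conn = make_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_parameterised(conn, email))


if __name__ == "__main__":
    # A genuine address returns one row either way; a malformed one returns
    # every row from the vulnerable lookup and nothing from the safe one.
    print(row_counts("alice@example.com"))
    print(row_counts("x' OR '1'='1"))
```

The same principle applies to every database driver and ORM: build queries from fixed SQL plus bound parameters, and treat any code path that concatenates request data into SQL as a defect to be found in review, not an edge case to be filtered.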
In summary: you should have firewalls on your network, but you should also have firewalls on each server; your firewalls should be configured as much to prevent data extraction as to prevent intrusion; your data should be encrypted; and if you are a director you should be asking your IT provider or manager for assurance that these things are done. Nothing will protect your computers and networks from basic stupidity, software bugs, or determined expert thieves, but using proper encryption will mean you can sleep soundly knowing that if you are hacked, or your laptop is stolen, your customers’ data, your reputation, your share price and your job will be safe.