As the smoke clears from the attack on Tesco Bank, what lessons can be learned? As Sarb Sembhi, director of Storm Guidance and our speaker for the day, noted, we don't yet have a full picture: "There's a lot that's known about and at the same time there's a lot that's not known about it and a lot that's not clear."
What we do know is that Tesco Bank was attacked on the weekend of 5 November and that 9000 accounts were breached, resulting in the loss of £2.5 million. Most of that was refunded to customers and things appeared largely back to normal by Tuesday.
According to some reports, based on dark web conversations, online criminal activity targeting the bank had been known about since September, and the organisation may have been exploited via a weakness in banking applications.
Tesco Bank was careful to word its response precisely. Michael Everall, an interim CISO for a variety of companies, encouraged the roundtable to "take the statement with that much salt" – indicating a cup full rather than a pinch.
According to Tesco Bank, the organisation itself wasn't actually breached and no personally identifiable information was taken. From a technical point of view that seems accurate. It was the accounts that were breached, not Tesco Bank itself, and the attackers made off with credit card numbers, which by themselves are not personally identifiable.
Sarb Sembhi, director at Storm Guidance
Guessing at the attackers' methods, the favourite theories were compromise of credit cards using the multiple-application method identified by Newcastle University researchers, or the use of credentials from other, unrelated hacks where the same passwords had been reused.
Admitting to a full breach would have been different. Controlling the message, Tesco Bank understood, is of profound importance.
TalkTalk, the room agreed, did not control the message. Stephan Freeman, CISO of Telegraph Media Group, made the point that in a breach, “you're ultimately trying to protect your reputation”. This is plainly borne out by the stock price drops: TalkTalk's was in the double digits, while Tesco's peaked at three percent.
To be fair, TalkTalk “turned it around spectacularly”, said Phil Scully, CTO of the Whitbread Group, adding that “consumer trust in their brand has lifted” (prior to recent router compromise issues).
The comparison isn't all that fair, said Nick Ioannou, head of IT at Ratcliffe Groves Partnership. To say that Tesco Bank hasn't been breached isn't quite correct, considering that not just customer data but funds were at risk here: "TalkTalk was a mobile phone provider, I don't put them in the same basket as a bank. We expect better security at a bank".
Jane Frankland, managing director at Cyber Security Capital
But maybe Tesco shouldn't be criticised for tailoring its message. If someone has reused his or her corporate credentials to sign up to a site such as Ashley Madison, was the company breached, or was the individual? These kinds of situations don't have clear answers, said Scully, asking, “When is a breach a breach?” And what does that mean when deciding what to tell your internal team and what to tell the public? There are few regulations that define a breach explicitly.
On the subject of threat intelligence and the dark web chatter, what and who should you be listening to? "Do any of you here pay attention to rumours?” asked Sembhi, and if you do, "how do you decide what influence it's going to have on your organisation?"
The fruits of the dark web and hack forums may well furnish your organisation with good information ahead of time and allow you to show that you have been collecting intelligently when it comes time to face the regulator.
There's a hell of a lot of noise out there, and it was claimed that often threat intelligence companies can serve up little more than FUD. “The US really are ahead of us,” said Everall, "threat intelligence is still arcane and some people are milking it quite frankly."
Stuart Hodgson, group IT director at the First Names Group, bemoaned the lack of good intel and said that it's fine if you're a large company with security teams dedicated to this kind of intelligence gathering, but what do you do if you're medium or small?
Nick Ioannou, head of IT at RGP
Making contacts within bleeding edge government organisations like the new National Cyber Security Centre is a good idea, said Freeman: "It's having decent contacts within those agencies that might be coming across that stuff day to day."
Intelligence sharing within the sector is a strategy approved by many, but not without its problems. Paul Watts, CISO at Network Rail, said that the minute you take commerciality into account, “that's when the problem starts”.
CEOs and CISOs are actually having to secretly share information in order to create the kind of communities that might help everyone become more secure. “We've got to get past this”, added Watts.
“It's a sackable offence. That's the risk we all take. We try and do our job but that's a breach,” said Jane Frankland, managing director of Cybersecurity Capital.
That said, forums really are taking off within the industry. “All of our suppliers are now starting to do third-party reviews,” said Chris Mann, information security and data protection officer at BNP Paribas, “but people are starting to ask what forums are you part of?"
"Infosec should not be a competitive subject", added Freeman.
Phil Scully, CTO at Whitbread Group
Unfortunately the sector is often driven by “the economics of criminality,” said Everall. In essence, you want the criminal to find your defences too overwhelming to conquer and look next door at your weaker neighbour.
In the absence of appropriate forums Freeman advocated setting up your own informal grouping among peers in your sector – as well as joining any formal groups such as CiSPs, and the newly formed NCSC which contains elements of CESG and the cyber part of CPNI.
Among other issues covered were third-party risks, with reference to both the Target breach and the credit card compromise, where, as Emma Wright, partner at Kemp Little, noted, under the EU GDPR the data processors would also potentially bear liability. She also noted that contracts with third parties will increasingly include thorough data protection assurance, with ever more complex Service Level Agreements.
Concerns about staff also came up, including the need for all employees to understand that information is an asset and is their concern, not just an issue for IT, which calls for education, greater awareness and a change in security cultures.
And among very tech savvy staff, security of devices and services including shadow IT and remote access to corporate data remained an issue, with Bruce Beadle, information security officer at AtCoreTec, noting his organisation ensured that its wireless network was separate from its internal network.
Unrelated to the discussion, overheard during pre-breakfast networking, delegates discussed the skills shortage in the sector and noted how candidates were now demanding London salaries in any location within commuting distance of London. Two disparate approaches to the issue were to target staff in the north west, or to set up a London office to locate information security staff.
Chris Mann, information security and data protection officer at BNP Paribas
Bruce Beadle, information security officer at AtCoreTec
Emma Wright, partner and technology lawyer at Kemp Little
Giles Roberts, head of information security at The Share Centre
Stuart Hodgson, group IT director at First Names Group
Michael Everall, independent CISO and virtual CISO consultant
Tony Morbin, editor at SC Media UK
Peter Wenham, SCofE at BCS
Paul Watts, CISO at Network Rail
Stephan Freeman, CISO at Telegraph Media Group