Steve Armstrong, certified instructor, SANS
Steve Armstrong, certified instructor, SANS

The TalkTalk breach was a classic online web attack with a high noise element (the DDoS attack) coupled with a stealth attack (the SQL Injection), which is nothing new, and therefore pretty disappointing from an industry perspective. But it has brought encryption into the spotlight due to the CEO being uncertain as to whether or not the data was encrypted. This in turn leads to a discussion about the costs associated with encryption versus those associated with a breach.

Website penetration tests aren't just for major updates

Let's start by explaining a little bit more about why this breach is so disappointing. The SQL Injection attacks associated with this breach are a core test that is part of every web application penetration professional's tool kit; heck for some it is 60 percent of their tool kit. So it is disappointing that the breach appears to be as a result of this vector.

The problem with a lot of high volume public websites is that the owners seek high levels of user functionality and usability resulting in frequent updates to the website's underlying code. Unfortunately, the security auditing and testing of such websites is complex and time-consuming (read expensive), therefore many organisations only get web penetration tests at major releases.  This means an application could be 99.99 percent secure with just one tiny parameter vulnerable to injection attacks for the whole system can be compromised.  Therefore, a single minor update by a junior developer can render an entire website and its underlying servers exploitable.  

Encryption is complicated and expensive

More servers: The disincentives for encryption are cost and complexity. Encrypting data requires extra CPU cycles which reduces the number of users a server can handle. To maintain user capacity when encryption is enabled, the number of servers needs to be increased, which is a direct cost. 

More people: This complexity slows down the day-to-day administrative work as staff need to be sure that the service will remain up whilst they conduct routine operations on all aspects of the infrastructure; this delay usually requires a counter balanced increase in staff head count and thus adds more cost.

The hard and soft costs associated with breaches

Regardless of the fines from the ICO or the potential future fines due to the new EU regulations, there is a host of other significant costs arising from breaches. There are direct costs such as the investigation, planning and implementation of the mitigation, new hardware and upgrades to existing systems as well as the indirect reputational costs.

Investigation: The investigation costs on large and complex systems can be significant as most of the IT support staff are focused on validating that systems have not been breached or gathering evidence for the internal and police investigation. These costs can increase if external specialist incident response organisations are employed.

Management: Management time will be spent on planning and organising the mitigation activities (rebuilding and securing the servers) as well as briefing the board, law enforcement and generating the right press message and customer communications.

Mitigation: Mitigation activities will include re-engineering the security barriers, detection and website to detect and prevent such attacks in future which often results in new or upgraded hardware. This sort of very public breach is also debilitating to normal productivity as staff discuss the breach, cyber-security in general and how it may affect the business. Let's not forget that TalkTalk staff are probably TalkTalk customers so for them it could be a worrying time.  

Reputation: Commercially speaking, the impact to the reputation of TalkTalk is significant with many users concerned about their personal information. However, there are two things in TalkTalks favour; one - they should be more secure than before and therefore there is an argument they are a better company to do business with and secondly - while customer data has been lost and cannot be recovered, some users will not leave TalkTalk because they can't actually be bothered or they stay for the first reason, that TalkTalk should now be more secure.

A long-term solution to this kind of breach

Let's finish by offering some practical advice for right now and the future. To address this in the short term, organisations should get their sites tested more frequently. However, a better long-term solution is to teach the developers how to code securely. Sadly, our universities and academies are still teaching poor security practices and few even cover software security attacks and mitigations, neither of which are actually difficult, underlined by the arrest of a 15-year old in Northern Ireland. So while getting kids to code in school appears great, there's a massive security exploit storm looming on the horizon until we start teaching them how to code securely.

Contributed by Steve Armstrong, certified instructor, SANS