BLACKFOOT QUARTERLY - PAGE 3

Review the plan

Anything could happen within your business or to the external threat landscape. At its most effective, risk management takes account of such changes so that it remains aligned with your objectives. Ongoing monitoring of your BAU plan is therefore essential to managing your risk and making adjustments as necessary. We offer advice on key risk and control indicators, internal roles and responsibilities, frequencies and benchmarking to help ensure that a good risk culture becomes embedded within your organisation.

For more information

Much of the above may sound like common sense. Yet reading reports of high-level security incidents makes you realise that common sense is not always that common. So many compromises have happened as a result of one or more of these basic BAU activities not being done, not being done often enough, or not being done correctly.

To commission a Blackfoot review of your BAU processes, or to obtain a copy of our BAU best practice document with tasks and suggested frequencies mapped against various compliance standards, please contact your Blackfoot account manager.

TALKTALK CASE STUDY

UK telecoms company TalkTalk was fined a record £400,000 by the Information Commissioner's Office (ICO) in 2016 for security failings that led to a data security breach in October 2015. A litany of common failings contributed directly to the breach, which underlines the importance of being compliant and of maintaining compliance through business-as-usual (BAU) activity.

Merge and purge back office systems

In 2009 TalkTalk acquired the UK operations of Tiscali. According to the ICO, TalkTalk was not aware that Tiscali's infrastructure included webpages that were still available via the internet in 2015. These pages gave access to an underlying database that held the personal data of customers, including financial information.

Protect against SQL attacks

The ICO's monetary penalty notice to TalkTalk states that "between 15 and 21 October 2015, a cyber attack exploited vulnerabilities in three webpages. The attacker was able to probe for the vulnerabilities and perform an SQL injection attack [...] and then exfiltrate data from the database." SQL injection has been on the OWASP top ten vulnerabilities list for more than a decade, and defences exist. There is no good reason why businesses should be falling victim to this popular but preventable attack.

Patch regularly

"The database software in use was an outdated version of MySQL," the ICO's monetary penalty notice said. "The software was affected by a bug which meant that the attacker could bypass access restrictions that were in place. The bug was first publicised in 2012 when a fix was made available by the software vendor." Simply put: patch, and patch regularly.

Monitor and test networks

"On 17 July 2015, there was a successful SQL injection attack that exploited the same vulnerability within the webpages. There was a second attack between 2 and 3 September 2015," according to the ICO. TalkTalk had two early warnings that it was unaware of. Undertaking appropriate proactive monitoring reveals vulnerabilities, helping to prevent and detect security incidents and to minimise their impact.
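The following Python example is added here to illustrate two points from the TalkTalk case study on this page; it is not Blackfoot's, TalkTalk's or the ICO's code. The first half shows why "defences exist" for SQL injection: the same customer lookup written with string concatenation (the flawed pattern) and with a parameterised query (the fix), run against a constructed in-memory SQLite table standing in for a legacy customer database. The second half shows the kind of proactive monitoring that would have surfaced the July and September 2015 early warnings: a scan over constructed web-server access-log lines for requests carrying SQL syntax and the server errors they trigger. The table contents, IP addresses, paths and log lines are all made up for the example; the detection regex is a deliberately simple heuristic.

```python
"""Added example for the TalkTalk case study; not Blackfoot's or TalkTalk's code.
Part 1: the same customer lookup built by string concatenation versus with a
parameterised query, against a constructed in-memory SQLite table (MySQL client
libraries, as in the case study, provide the same placeholder mechanism).
Part 2: a scan over constructed access-log lines for injection probing, the
early warning the case study says was missed. All data here is made up."""
import re
import sqlite3
from urllib.parse import unquote


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a legacy customer table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.net", "ACC-0001"),
         (2, "bob@example.net", "ACC-0002"),
         (3, "carol@example.net", "ACC-0003")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The flawed pattern: the input is pasted into the SQL text, so quote
    characters in it become part of the query's grammar."""
    sql = f"SELECT account_no FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a placeholder keeps the input as data; the driver never lets
    it change the query structure, whatever characters it contains."""
    sql = "SELECT account_no FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Combined-log-format access lines (constructed). The first two are ordinary
# traffic; the last three show the probing the ICO notice describes: repeated
# requests to one legacy page with SQL syntax in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2015:10:01:02 +0100] "GET /legacy/account.php?id=42 HTTP/1.1" 200 1532
203.0.113.5 - - [17/Jul/2015:10:01:09 +0100] "GET /legacy/account.php?id=43 HTTP/1.1" 200 1540
198.51.100.7 - - [17/Jul/2015:10:05:11 +0100] "GET /legacy/account.php?id=42%27 HTTP/1.1" 500 0
198.51.100.7 - - [17/Jul/2015:10:05:15 +0100] "GET /legacy/account.php?id=42%20UNION%20SELECT%201 HTTP/1.1" 500 0
198.51.100.7 - - [17/Jul/2015:10:05:20 +0100] "GET /legacy/account.php?id=42%20OR%201=1 HTTP/1.1" 200 9981
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)
# Heuristic only: a quote, a comment marker, or a SQL keyword followed by
# whitespace inside the URL-decoded query string. Tune to your own application.
SQLI_RE = re.compile(r"'|--|\b(union|select|or|and)\b\s", re.IGNORECASE)


def find_injection_probes(log_text: str) -> dict:
    """Per-client count of requests carrying SQL syntax in the query string,
    and how many of those drew a 5xx from the server. Either figure above
    zero against a legacy page is the early warning worth alerting on."""
    suspects: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        query = unquote(m["path"]).partition("?")[2]
        if query and SQLI_RE.search(query):
            entry = suspects.setdefault(m["ip"], {"requests": 0, "errors": 0})
            entry["requests"] += 1
            if m["status"].startswith("5"):
                entry["errors"] += 1
    return suspects


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # textbook tautology input, used only to show the contrast
    print("vulnerable:", lookup_vulnerable(db, probe))  # every account number
    print("safe:      ", lookup_safe(db, probe))        # no rows at all
    print("probes:    ", find_injection_probes(SAMPLE_LOG))
```

The two lookups differ by one thing only: whether the e-mail address is part of the SQL text or passed as a bound parameter. The log scan is the monitoring side of the same lesson; a burst of 5xx responses from a single client against a page nobody remembers owning is exactly the signal the case study says went unnoticed twice before the October breach.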
PAGE 4 - BLACKFOOT QUARTERLY

RANSOMWARE AND DDOS ATTACKS SUPER-CHARGED

Old exploits are evolving: we provide a survival guide

Ransomware and distributed denial of service (DDoS) attacks have been around for some time. However, the nature and severity of the attacks are intensifying. We explain the background and how you can protect your employees and your business from these evolving threats.

Ransomware

It started with fake anti-virus software, file lockers and the infamous CryptoLocker of 2013, but the ransomware threat has evolved. Criminals have moved on from consumers to target businesses, local councils and hospitals with new variants of file-encrypting ransomware. They lock computers or encrypt files and demand money from victims to regain access to their devices or data.

Ransomware is typically installed when a user clicks on a malicious link, opens an e-mail attachment that installs malware, or visits an infected website and receives a so-called 'drive-by' download.

Nearly a third of UK councils fell victim to ransomware attacks in 2015, according to a Freedom of Information request. Lincolnshire County Council was offline for four days in January 2016, following an attack and a £1 million ransom demand. In California, a hospital reportedly paid a $17,000 ransom to restore its files and systems in 2016. It was hit by a ransomware attack and a demand for 9,000 Bitcoins (around $5.7 million), and suffered a downtime of five days.

The threat is sufficiently serious that the FBI issued a public service announcement on ransomware in September, and urged victims to report attacks. Meanwhile in Europe, nearly 15 countries have signed up to a public-private partnership, comprising Europol, national law enforcement and private security vendors, to fight ransomware.