According the International Business Times, the Metropolitan Police advised TalkTalk not to discuss their breach. (you can read the article here)
Here, in conversation on the topic , is Advent IM Directors, Julia McCarron and Mike Gillespie and Security Consultant, Chris Cope.
“This is interesting as it shows the 2 different priorities at work. For the police, the key aim is to catch the perpetrator. This often means allowing an attacker to continue so they can be monitored on the network and their activities logged and traced without causing them to suspect that they are being monitored in such a way. The Cuckoos Egg details how the Lawrence Berkeley Lab famously did just this in response to a hack of their system. However, TalkTalk have a duty of care to their customers. If personal information could be used to steal money, then they must weigh up the advice from the police, along with the potential impact of not publicising this attack on ordinary people. Its easy to see how a CEO can be caught in between trying to help the police, but also attempting to limit the damage to their customers. Ultimately it’s a difficult decision, but one that could be made easier with correct forensic planning, i.e. working out how to preserve evidence of an attack, which can be provided to the police, whilst ensuring that normal services continue and customers are warned. Making these decisions during an actual incident will only make a stressful time even more so; far better to plan ahead.”
“Totally agree … something to add…
This is a classic case of being stuck between a rock and a hard place. As Chris quite rightly says two different objectives were at play here and each had its merits. Ultimately it was a difficult decision to make but you can’t knock TalkTalk for once, as it appears to have been an informed one.
Whilst I also agree with Chris on the forensics front, experience has shown us that staff need to be aware of what to do ‘forensically’ in the event of an incident and this is often where the process falls down. Because such incidents are usually rare, the chain of evidence is often corrupted unintentionally because no-one knows what to do, or it’s no longer available due to the time lag in occurrence and detection.
Intrusion detection systems along with other technological measures will be an asset in reducing that time lag but key to success is scenario training. In the same way as we are seeing Phishing tests becoming the norm, especially in customer facing organisations like TalkTalk, is there a place for forensic readiness testing to ensure staff know what to do when a security attack occurs? Then vital evidence is at hand when hacks like this occur and the force awakens.”
“Totally agree, Chris. It’s a tough balance but the protection of the consumer should always come first in my opinion.
Forensic readiness planning is key and continues to be a weak area for many organisations – linking this with an effective communication plan is vital – and as with any plan it needs to be properly tested and exercised…….as do all aspects of cyber response…..using appropriate scenario based exercises.
All of this should be designed to drive continual improvement and to ensure our cyber response evolves to meet emerging threats.”
If you would like support for Cyber Essentials and completing your questionnaire, you can find details here.