TalkTalk warns customers about personal data breach

4 November 2015

When Warwick Ashford’s report about the TalkTalk data breach popped up in my mailbox on 23 October, I was busy with holiday preparations, so I only skimmed the report. On Saturday morning at the airport I read the report in peace and searched for more information.

UK phone and broadband provider TalkTalk was hacked. The company announced the attack on 21 October on their website. In the worst case, attackers may have accessed the data of 4 million customers.

What surprised me was that this was the second attack this year.

But what really concerns me is the proposed solution:

“Encryption is the only way for organisations to get control and be in a position to mitigate and ultimately accept risk,” said panellist Frank Weisel, regional sales manager at Vormetric in Germany.

Data encryption as an isolated protection measure is just irrelevant in this and many other cases, because once the attackers have managed to get onto the victim’s network they are authorized users. And authorized users have access to the data and the encryption keys.

Whether the initial attack is performed via SQL or command injection, an unpatched server or a phishing attack is of no interest. Only the result counts.

Alan Solomon took the same line some days later in his post “TalkTalk was hacked. But it’s silly to ask if the data was encrypted”.

In my opinion the basic problem comes from the inherently weak user authentication technology. It became clear to me again when I collected my rental car at Funchal airport.

Although the desk operator had my reservation details on his screen, I had to authenticate myself with my passport and a valid driver’s license to get the car key. When it comes to safety, Two Factor Authentication (TFA) is taken for granted.

From my point of view it’s time to secure the access to business critical company data with a second authentication factor: for all employees who have a stake in the data, for every session, and, of course, in addition to encryption, patching, secure application development, etc.

This will hinder attackers massively in getting access to a company’s secrets.
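The argument above in code form, as an added example that is not part of the original post: a hypothetical key broker that releases the data-encryption key only to a session that has passed its own TOTP check (RFC 6238), so a session opened with a stolen password alone gets no key. `KeyBroker`, its method names and the sample secret in the comments are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226, HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class KeyBroker:
    """Hypothetical service holding the data-encryption key."""

    def __init__(self, data_key: bytes, totp_secrets: dict):
        self._data_key = data_key
        self._totp_secrets = totp_secrets  # user -> shared TOTP secret
        self._sessions = {}                # session id -> state
        self._last_counter = {}            # user -> last accepted time step

    def open_session(self, session_id: str, user: str) -> None:
        # Assumption: the first factor was checked upstream. A phished
        # password passes that check, so it grants no key access by itself.
        self._sessions[session_id] = {"user": user, "second_factor": False}

    def verify_second_factor(self, session_id, code, now=None) -> bool:
        session = self._sessions[session_id]
        user = session["user"]
        current = int(time.time() if now is None else now) // STEP
        for counter in (current - 1, current, current + 1):  # clock drift
            if counter <= self._last_counter.get(user, -1):
                continue  # this time step was already used: reject replays
            expected = totp(self._totp_secrets[user], counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter[user] = counter
                session["second_factor"] = True  # bound to this session only
                return True
        return False

    def get_data_key(self, session_id: str) -> bytes:
        session = self._sessions.get(session_id)
        if session is None or not session["second_factor"]:
            raise PermissionError("second factor required for this session")
        return self._data_key
```

Because the second-factor flag lives on the session and each time step is accepted only once per user, a code observed in one session cannot be reused to unlock a second one.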

Have a good day.