Tardy TalkTalk advertised for a new infosec officer 1 week ago

Embattled telco TalkTalk, under fire for losing four million customers' data to an apparent hack, was hiring an information security officer just seven days ago. Following TalkTalk's announcement of the data breach, which it bizarrely attributed to a Distributed Denial of Service Attack directed at its website, the company …

  1. Anonymous Coward
    Anonymous Coward

    Additional responsibilities

    12. Capable of wringing their hands convincingly

    13. Acting as scapegoat to save the hides of much better paid staff

    14. Not raising "difficult issues" that involve spending money on infosec

    1. BlartVersenwaldIII
      Holmes

      Re: Additional responsibilities

      I was going to suggest:

      15. Parrot "we have no evidence that this information is being used for criminal behaviour"

      ...but apparently TT are already receiving ransom notes.

      http://www.bbc.co.uk/news/uk-34615226

      Point 11 is also interesting, did their last infosec bod leave in the middle of an internal/external audit?

      1. Trigonoceps occipitalis

        Re: Additional responsibilities

        16. Borrow VW's two low level engineers to act as scapegoats.

  2. Oli 1

    Fabulous - i now have a handy link instead of explaining why not to go with TalkTalk.

  3. HmmmYes

    Googling for talktalk info brings me to a LinkedIn profile whose job title was 'Lead Information Security & Quality Auditor'.

    ISO9000 *and* computer security. Wow!

    He left in March 2015, which was around the time of the previous issue.

  4. HmmmYes

    I think the ICO needs to fine TalkTalk for this. About £1k per customer would do.

    1. Fraggle850

      Agree but...

      As per my post the maximum fine that the ICO can levy is apparently £500,000 (hmm, I don't suppose that could be 500k per customer record? Thought not...)

      I hope that the banks transfer the costs of any losses to customers to TalkTalk. They could certainly make the case for doing so.

      1. Anonymous Coward
        Anonymous Coward

        Re: Agree but...

        The legal precedent, if you can use it, from Massachusetts is that each customer record taken is a separate incident.

    2. Anonymous Coward
      Anonymous Coward

      £1K per customer?

      Far too light IMHO

      Serious jail time for the CEO

      Life bans for all the Directors

      etc etc

      £10K compensation for each customer

      In other words, close it down pronto.

      Then and only then will the other ISP's sit up and take notice before it is too late.

    3. Alan Brown Silver badge

      ICO paper tiger

      Not many people realise that the data protection laws leave the way open for those who have been compromised to sue in a private capacity, in addition to the ICO's (feeble) powers.

      I am surprised that class-action suits haven't been floated already.

  5. Fraggle850

    They've contacted the ICO

    So that's okay then. What exactly will the ICO do? Give them a jolly good talking to? The maximum penalty that the ICO can apply is £500,000. I'd have thought that storing banking data for 4 million people in an unencrypted format, along with other personally identifiable information would warrant the maximum penalty. In this case that amounts to 12.5p per record!

    Personally I'd consider this to be criminal negligence and would like to see someone up before the beak and facing time. Chances of this happening given that the Honourable Diana Harding is married to one of call me Dave's best mates?

    1. 0laf

      Re: They've contacted the ICO

      Yes it's a shame the new EU DP regulation isn't in force or it would have been 5% of global turnover.

    2. jonathanb Silver badge

      Re: They've contacted the ICO

      Pharmacy2u were fined £130,000 for selling customer info to fraudsters, which I would say is a more serious offence than what Talk Talk did. To be proportionate with that, the fine would probably be about £25,000. But I agree, the fines are way too low to be an effective deterrent.

  6. 0laf

    I suspect even a company as dysfunctional as TalkTalk has more than just one lowly ICO in infosec roles especially since they will be reporting to the "Head of Security".

    Head of Security may actually be in the process of changing his/her title to "Scapegoat in Chief / Top Blamehound". Much like the 'rogue' VW engineers that are being liberally coated with executive blame right now in Germany.

    If they were half decent I feel sorry for them because they've probably spent the last 6 months (or 6 years) being told to shut up whenever they pointed out a vulnerability or predicted a problem.

    1. Anonymous Coward
      Anonymous Coward

      Hmm, I don't know.

      This is the perfect time to clean things up. There is a massive balls up, the share price has taken a hit - everything says "get a decent budget now" because it must be visible that the company is doing something.

      The debate about the cost of security usually happens when nothing has happened for a while, and granted, it IS possible to overspend on security (by, for instance, buying every possible toy and getting pen tests in without first getting decent processes in place).

      Whoever steps in now will have their work cut out, but also stands the best possible chance of avoiding the scapegoat game. Not so much luck later when the noise has died down and the accountants return.

      1. Mark 85
        Meh

        Clean things up... Well their email says they have taken all measures to make their website secure again. For some value of "secure" and "again" (like it was previously????). Meh.....

    2. Chris King

      How about "Blame Magnet" ?

    3. Anonymous Coward
      Anonymous Coward

      I have sat with this type of attitude in my last two jobs before and that is exactly how it works from my previous and current employer. If you find a problem, don't say a word because you simply get crapped on if you do.

      Then 6 months later, what you predicted actually happens and management says they never knew.

      Personally I always look at security with the assumption that everything is always vulnerable. You're always looking for holes and you become less complacent with security.

      Anonymous obviously...

      1. Anonymous Coward
        Anonymous Coward

        Re: if you find a problem

        "If you find a problem, don't say a word because you simply get crapped on if you do."

        Good job this management approach isn't widespread. Imagine if this attitude were prevalent in safety critical areas. Oh hang on, no need to imagine, it's been going on for the last five years, "ethics hotline" included. But over two thousand redundancies of skilled engineers, and offshoring much of the remaining work to India, should surely improve matters no end. Well, improve costs anyway. Who cares about quality.

        Toodle pip.

    4. Anonymous Coward
      Anonymous Coward

      "We don't want to hear that"

      When I pointed out the obvious vulnerabilities on our IM System I was told:

      "We don't want to hear that"

      I was accused of "being negative" and "overestimating the extent of the problem".

      We "lost" Credit card and Bank details for many thousand TfL Oyster customers. The data theft hasn't been made public.

      There is no chance that it's going to be admitted publicly because there are minuted records of the meetings in which I (and others) pointed out the vulnerabilities - heads would roll. No chance of that happening in the feather-bedded world of Government Departments!

      AC because I want to keep my post at the moment!

    5. Alan Brown Silver badge

      "Much like the 'rogue' VW engineers that are being liberally coated with executive blame right now in Germany."

      With any luck those "rogue" engineers will have kept the meeting notes and emails from top brass telling them to do it, despite objections.

      Or they could be handsomely paid off for _not_ revealing said items.

  7. Anonymous Coward
    Anonymous Coward

    Welcome to bubble economics IT. Bold! Stylistic!!

    "Just fix something up using too few people, we will worry about the important stuff later, it's gonna be allright."

  8. Doctor Syntax Silver badge

    Is this going to be one of those job interviews where they ask you "how would you deal with...?" and then use the replies to tell them what to do without actually giving anyone the job?

    OTOH I think any candidates going to interview are going to ask some fairly pointed questions of their own, ending with "what budget do you have for all this?"

  9. Your alien overlord - fear me

    Bullet points 3 & 4 - assist the Head of security & Act as expert in all matters.

    Call me old skool but the Head of Security should already be fired since he/she obviously doesn't know security and is probably some 'man manager' type rather than a techie type. I don't know them, only saying from what I've observed.

    1. Doctor Syntax Silver badge

      "Call me old skool but the Head of Security should already be fired"

      Call me even older school but the Board should accept the CEO's resignation. They may need to prompt her for it once they've accepted it.

      In VW's case Winterkorn did the honourable thing in quitting although maybe the generous package tainted this. This seems to be an exception; someone at the head of a business which gets things this wrong should quit, not make the rounds of the media giving interviews. It would ensure a culture in which things are done right, security gets precedence over marketing and customers can begin to trust the business.

  10. Anonymous Coward
    Trollface

    Easiest job in info sec now...

    Any and all requests to the Board for mucho cash will be nodded through...and lightning never strikes twice, right?

    FWIW, I'd outsource info sec to China. The lads from PLA Unit 61398 can't be beaten!

  11. Anonymous Coward
    Anonymous Coward

    @olaf Not so unusual to have a single lowly tech responsible for all duties described in the TalkTalk job role. I speak from personal experience, currently in a very similar role, also in a company that is national critical infrastructure... Not best pleased with my present position; in fact I saw the TalkTalk job a couple of weeks ago as I was searching job boards. My present role is so unrealistic I even considered the TalkTalk job for a few seconds... luckily I smelled another trap.

    1. Anonymous Coward
      Anonymous Coward

      <Not so unusual to have a single lowly tech responsible for all duties described in TalkTalk job role. I speak from personal experience currently in a very similar role, also in a company that is national critical infrastructure.</i>

      Speaking for my own company, who probably qualify as critical national infrastructure, I'm also unconvinced that infosec has sufficient status and resource. A senior staff grade employee and a graduate for the UK, with the senior staffer reporting to a manager in another country. There's some good stuff been done, our web site passes the "free to web" vulnerability tests, our security staff do try and educate the wider employee base, but it's notable that several multiples more effort is put into "customer experience" than into protecting the customer data and thus protecting the company.

      One good thing about the TalkTalk debacle is that it has suddenly and dramatically (if temporarily) elevated the priority of infosec. Every fatcat in the land is seeing Ms Harding looking increasingly stressed and haggard, and hearing the news go from bad to worse.

      1. Anonymous Coward
        Anonymous Coward

        Oooh dear. That post wasn't meant to look like that. To judge by my own botched HTML, I may be qualified to join TalkTalk's infosec team.

    2. 0laf
      Facepalm

      All I can say is me too.

      Recently I was told to remove references to significant vulnerabilities from a report because they might upset the board.

      Currently studying for CISSP not because I need it to do the job but to get past the HR droids and try to get a decent salary for being ignored and sidelined.

      Infosec might be the subject du jour right now but that'll soon fade. I'd rather be paid well to be ignored than paid poorly.

  12. Anonymous Coward
    Anonymous Coward

    DDoS attack probably just a distraction

    Gets the security and IT people focussed on that whilst the data is stolen by another method. Internet version of a classic pickpocket technique.

  13. Paul 18
    Thumb Up

    BOFH "Nailed it"

  14. Androgynous Cowherd

    I reckon it's been going on for months. Each time I've tried to login to the TT website, it's been painfully slow, 404's etc...rarely reliable.

    Slack aresd cnuts

  15. Anonymous Coward
    Anonymous Coward

    I notice that at the bottom of the letter they recommend Experian as one of the people to check with. They definitely need an infosec officer.

    1. Mark 85

      Experian = cheapest

      Experian != best

  16. wheelbearing
    Go

    Odds on Dido to go?

    She should do the decent thing - third time unlucky - and go. The shareholders should demand this unless they want to see their assets plummet further and their customers data plundered wholesale yet again (of course it may be too late and they will, as did Sony, have to suffer yet more public pain).

    Dido has displayed quite incredible hubris over the last year given the repeated clear warning signs of the infosec problems at TT. If nothing else, the very obvious and well publicised examples of infosec fails at other suffering corps should have persuaded her that TT needed to pull its corporate finger out and pay much, much more than lip service to the scale of the risks involved.

    The head of an IT business that still doesn't seem to really get why IT security should be top of her to-do list when repeatedly burned should resign in favour of one who does.

    Unfortunately there is very likely a dearth of such tech savvy C level execs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Odds on Dido to go?

      The head of an IT business....

      TalkTalk aren't really an IT business, they are barely even a telecoms company. They are primarily a telecoms supplier who retail services mostly bought wholesale, and as is the current fashion they have outsourced everything they possibly can, because that way they can sack expensive UK based workers, and give the money to their obscenely over-paid, and utterly incompetent board.

    2. HmmmYes

      Re: Odds on Dido to go?

      Odds? 0% Zilch. None.

      I would not use the word hubris.

      More total ignorance, clueless but, hey, the salary cheques still keep arriving.

  17. This post has been deleted by its author

  18. Fihart

    Not just confusion marketing. Confusion.

    Listening to Talk Talk's boss on Radio 4 this morning she sounded shaken, and appeared more so in later TV interviews.

    There seems a perverse kind of justice here -- I've wasted hours trying to tie down the actual cost of selecting various ISPs due to the confusing and incomplete pricing displayed in ads and on websites. Talk Talk's current offer seems terrific value (e.g. free internet for 12 months) but averages out over an 18 month contract at about the same as competitors, once you add in charges for "phone packages". Can't quite see why I'd pay for the ability to use a phone line when it has to be there anyway, while also being charged for calls.

    I'm almost inclined to call their sales people while this debacle unfolds on the assumption that they won't be too busy and may be begging to do a deal, any deal.

  19. Captain DaFt

    Well, it's all better now, innit?

    After all, They've emailed their clients an Official response!

    Good grief, what more do you expect them to do?

    (Post may contain traces of sarcasm)

  20. Commswonk

    Am I the only person who thinks...

    ...that the problem is more deep seated than poor infosec?

    To quote from the original article: "Earlier today TalkTalk's chief executive, Dido Harding, apologised for the company's lax security practices."

    Looking at the list of "Primary Responsibilities" I would argue that there is a complete lack of clarity on exactly who is responsible for what. Anybody courageous (or daft) enough to apply for this job will find him/herself saddled with a list of responsibilities, while at the same time having to answer to a Head of Security, who, it must be said, has clearly failed in his (or her) job so far.

    Any upward reference based on a clear assessment of what actions are required is going to hit a brick wall because a more senior person agreeing with those proposals is tacitly admitting that whatever is recommended ought to have been done long ago.

    I also find myself wondering exactly who has "Ensure compliance with the Data Protection Act" in his or her job description.

    IMHO the published Job Description shows woolly thinking on the part of TalkTalk's very own Catbert, and it may be indicative of a wider failure to make sure that the various jobs to be done are correctly allocated to people of the right standard in the right order of seniority.

    I suspect that potential applicants will be putting a stop on their submissions immediately, and breathing a sigh of relief at getting a timely warning of what they would be saddled with if they had actually succeeded.

  21. cantankerous swineherd

    Wikipedia is interesting on the subject of The Baroness Harding of Winscombe: PPE (wouldn't you just know) alongside call me Dave, McKinsey, paid 8 million in 2014, on the court of the BoE, and so it goes on.

  22. Joe Montana

    Deep rooted problems...

    Most companies have severe security problems, most corporate networks are horrendously insecure and basically an accident waiting to happen.

    Yet companies do nothing about it, they bury their heads in the sand... They assume that because they have not yet become the subject of a high profile breach that they must be secure. Even when they do hire competent infosec people, those people are usually completely hamstrung.

    The quote on yesterday's article was great:

    "Complacency is the biggest enemy of security, just because things 'have always been done a certain way' doesn't mean it remains the most effective way. "

    Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it", they assume they are secure because they haven't been (that they're aware of) hacked yet but the reality is that they've just been lucky and/or aren't worth targeting.

    1. Anonymous Coward
      Anonymous Coward

      Re: Deep rooted problems...

      Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it"

      Well, there is always "something more important to do" and "we can't afford to slow down now" and "we can't say no this customer, stop wasting your time on security".

      This is why companies should be governed by a board of people who have risen up through the ranks on merit, not by a charismatic and dynamic "leader" who starts Barbarossa operations on a whim.

      1. Anonymous Coward
        Anonymous Coward

        Re: Deep rooted problems...

        This is why companies should be governed by a board of people who have risen up through the ranks on merit, not by a charismatic and dynamic "leader" who starts Barbarossa operations on a whim.

        Will you change that view if the charismatic leader offers you the chance to strut around in a cool-as-fuck Hugo Boss uniform?

  23. N2

    Big deal

    You simply can't change a history of institutional carelessness in a week; a year maybe.
