Besides his role as Principal Security Strategist at Red Hat, Richard Morrell is a former UK Government CLAS senior advisor, co-author of the evergreen SmoothWall firewall appliance and founder and CEO of the same company. A security author and auditor, Richard is also head of social media for the Cloud Security Alliance.
At the end of last week every media outlet in the UK, ravening over a hot ‘hacking’ story from our own shores, jumped on the bandwagon to pick over the emerging Talk Talk story – without doing due diligence, and with immediate recourse to quotes from ‘security experts’. Those of us in the security field who chose not to return emails and calls to reporters watched on, aghast, as the column inches filled up with stories of stolen funds subsequent to the denial of service attack suffered by Talk Talk. Journalists from reputable media outlets ran unsubstantiated and unresearched stories, pouring more fuel on the fire.
In 2015 a front end DDoS against a public facing web-service should not lead to the exploitation and rooting of a customer provisioning platform. It’s a highly unlikely outcome: not only are the systems in question air-gapped, but often constitute discrete platforms running in entirely separate and unconnected locations.
Throughout the coverage I found myself sitting in my office, shouting at the television screen as numerous security experts, many unknown to me, were dragged hastily out of make-up to comment on the risks to customers, and to expand on the known facts.
Unfortunately there were none to be had.
The predictable claims that this was the work of ISIS-friendly tech hackers were only given credence when Talk Talk’s PR team let down Dido Harding, their CEO, by allowing her to mention on air – in five interviews – that she had had an email from a potential hacker holding data to ransom. At what point did any public relations person at Talk Talk think that was a remotely good idea to mention? Reaction to an outage or a service failure is about reputation protection, not just informing your customers and shareholders, and an own goal of this magnitude adds no value to such efforts.
PR teams are not security experts. It’s not what they do. In a situation such as unfolded last week, you allow your security teams, and any external contractors you bring in, to depict a situation that is both likely and realistic – especially if, like Talk Talk, you are a public trading company with institutional shareholders.
There were five or six occasions in the 24 hours after the incident where Talk Talk ended up damaging the brand more than the DDoS attack was able to
Harding was made to look weak by being allowed to indulge in this kind of sensationalist speculation, armed with no actual information other than an unconfirmed email – which in itself should have been set aside for a proper post-mortem process about the incident, not fed to the media wolves without further analysis.
Once you have a bearing on the root cause, and adequate time to address the problem, it’s the moment to give PR a statement that will act as your boilerplate response. PR officers are supposed to be your secret weapon; given the right process and the correct information, they can save the day. Instead the immediate aftermath of the Talk Talk DDoS attack consisted of nothing more than knee-jerk reactions and hasty, ill-conceived responses, multiplying the extent of the furore and the damage done to the company’s reputation.
There’s no implied criticism of Dido Harding here; she did a fantastic job of addressing the mainstream media as quickly as possible, despite being critically let down by her PR support network. Ultimately there were five or six occasions in the 24 hours after the incident where Talk Talk ended up damaging the brand more than the DDoS attack was able to.
Now Detica are in the loop, we can reasonably expect to see proper change controls instituted, and correct adhesion to certificate management and encryption policies; and, with those efforts, hopefully a rebuilding of faith in the brand. The Met Police will learn from this and take the experience upstream towards generating an understanding of how to react and plan for increasingly frequent events of this nature.
A denial of service attack can affect any organisation; it was Talk Talk’s turn. The correct response would have been to deal with the public properly and to react accordingly. Talk Talk left their CEO, whose role was to be the calm centre of a media storm, to negotiate that storm without any proper briefing or informed support. Talk Talk’s PR team neither understood how badly they were out of their depth nor the grave implications of addressing the issue publicly until the situation was clearer.
Neither are the British media exonerated; its hasty parade of the wrong experts only added fuel to the fire, leading to an escalation of customer calls, increased traffic to a recovering platform and public speculation that fuelled attention-seekers claiming non existent or non related financial losses.
The views expressed on this blog are Richard’s personal views and do not reflect or represent the views of his employer, Red Hat.