As TalkTalk are fined, what website security threats do we face?


With TalkTalk being presented with a £400,000 fine for poor website security, it seems like a good time to brush up on what security threats are constantly lurking within the shadows.

Let's set the scene. Acquiring customer data is the holy grail. It gives businesses a greater ability to provide bespoke communications and interactions, and leaves the company better prepared to utilise marketing automation, or even artificial intelligence, in a marketing context.

However, consumers step into the world of information giving with trepidation, because the pitfalls are highly evident throughout the media (the TalkTalk attack and PPI nuisance calls). We need to protect this data as if it were our own, so that we can build consumer confidence and even loyalty in what we are trying to achieve: for the good of the consumer, and to make their lives easier.

This article is a step-by-step guide to the threats that are out there and to security best practice for content management systems (CMS).

What type of threats are out there?

Attacks are generally aimed either at obtaining data or information, or at bringing sites and servers to a standstill.

The latter is a Distributed Denial-of-Service (DDoS) attack, which occurs when multiple systems flood the bandwidth or resources of a targeted system, typically one or more web servers.

[Image: DDoS attack illustration]

You can see some real-time map information of any DDoS attacks here.

The other type of attack aims to penetrate email accounts, websites or applications to gain restricted access. Once inside, the aim is to corrupt, mine and export as many sensitive records as possible.

Examples of both types of attack in recent times

DDoS attacks:

  • BBC
  • Irish Lottery
  • Nissan
  • Microsoft Xbox
  • Turkey

Data/cyber attacks:

  • TalkTalk
  • MoonPig
  • Ashley Madison
  • California College
  • KKK (Ku Klux Klan)

Stopping these threats within the CMS platforms

I would like to write that doing ‘x, y, z’ is the so-called ‘silver bullet’ that will stop you being a target, but I'm afraid there isn't one. What you can do is implement some best practice guidelines to minimise the chance of being a target and to limit the impact if you are targeted. In essence, you are trying to make yourself a hard enough target that attackers will pick an easier one instead. Essentially, the accusation levied against TalkTalk is that they failed to do this.

Similar to protecting your house against burglars, you are trying to do 3 things:

  1. Make it hard for the burglar to gain entry/access to your house 

  2. Make it hard for the burglar to steal anything if inside your house

  3. Put things in place so that there is a high risk that intruders will be found and held accountable.

General Good Practice

  • Training - Understand how the CMS works and know which actions can affect your security.
  • Keep your CMS system up-to-date - Applying hotfixes and security patches limits the risk of an attack.
  • Server DDoS protection - The CMS is only as secure as the server it sits on. Many systems and support networks are available to lower the risk of the server going down, with varying costs and solutions.
  • Never put passwords/usernames in emails - If an email account is hacked or compromised, the attacker also gains backdoor access to every system whose credentials it contains. We are advocates of using PwPush to share passwords, which decreases the risk if your email accounts are compromised.
  • Use ‘strong passwords’ - Don't use common passwords.
  • Never share your individual user account - It's your user account, and there should be no reason to share it. If more individuals need access, further logins should be created.
  • Individual user accounts - You need an audit trail and transparency so that you can identify what each user has done.
  • Restrict access of roles/users - Set each user's privileges to what their role actually needs, so that a compromised account can do as little damage as possible.
  • Housekeeping of user accounts - Make sure there is a process in place for when staff leave or change roles.

Know your weak points

If you think your business or website is a fortress that cannot be brought down, you are naive or just plain wrong. The right questions are how much strain the site can take before it falls over, and which actions, if carried out, would potentially put the data at risk.

It is certainly wise to conduct an audit so that you know where your areas of weakness and strength are, and have the information to allocate resources accordingly. The first step is to invest in the audit; from its report, areas can be prioritised and a business case can be made for tests that identify these weak points. Examples include external penetration testing, internal penetration testing, firewall rule review and database penetration testing, to name but a few.

Quba Real Life Experience

We have had situations in the past where some of our clients have been actively pursued by Anonymous (the international hacker collective).

One example happened a few years ago, when Gazprom was attacked because of the industry it works in and its perceived company ethics. The attack exposed a list of compromised emails and passwords. With the political situation between Ukraine and Russia intensifying at the time, this escalated the situation even further.

While Quba had no control over the hosting or the database structure of the website, we took measures within the CMS to make sure that if any emails were hacked, and any CMS accounts were then compromised, the hackers would gain as little as possible. Any backdoor intrusion into the Gazprom Energy website was minimised by restricting the CMS permission roles appropriately, so that any intentional destructive work would be minimal and manageable.
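The following is an added illustration, not code from the article, from Quba or from any real CMS. It models the account practices in the General Good Practice list (individual accounts, an audit trail, least-privilege roles, housekeeping for leavers) and the role restriction described for the Gazprom site: an editor account that is compromised can edit pages but cannot publish or create users, and an account that has been deactivated grants nothing. The roles, permissions, usernames and log format are all constructed for the example.

```python
"""Least-privilege CMS accounts with an audit trail (added illustration).

Not code from the article or from any real CMS; the roles, permissions,
usernames and log format below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role table: each role carries only the permissions it needs.
ROLE_PERMISSIONS = {
    "viewer": {"page.read"},
    "editor": {"page.read", "page.edit"},
    "publisher": {"page.read", "page.edit", "page.publish"},
    "admin": {"page.read", "page.edit", "page.publish", "user.manage"},
}


@dataclass
class User:
    username: str
    role: str
    active: bool = True


@dataclass
class CMS:
    """Individual accounts, role-based permissions and an append-only audit log."""
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, actor, action, outcome, target=None):
        # Every decision is logged against the individual account that made it.
        # A shared login would make this trail meaningless.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "outcome": outcome,
        })

    def add_user(self, actor, username, role):
        """Only an account holding user.manage may create accounts."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not self.authorise(actor, "user.manage"):
            return False
        self.users[username] = User(username, role)
        self._record(actor, "user.create", "allowed", target=username)
        return True

    def authorise(self, username, permission):
        """Allow only active accounts whose role grants the permission."""
        user = self.users.get(username)
        allowed = (user is not None and user.active
                   and permission in ROLE_PERMISSIONS[user.role])
        self._record(username, permission, "allowed" if allowed else "denied")
        return allowed

    def deactivate(self, actor, username):
        """Housekeeping for leavers: disable rather than delete, so history remains."""
        if username not in self.users or not self.authorise(actor, "user.manage"):
            return False
        self.users[username].active = False
        self._record(actor, "user.deactivate", "allowed", target=username)
        return True

    def actions_by(self, username):
        """Audit-trail view: everything one individual account did or attempted."""
        return [e for e in self.audit_log if e["actor"] == username]


def bootstrap():
    """Seed the first administrator directly; every later account goes through add_user."""
    cms = CMS()
    cms.users["alice.admin"] = User("alice.admin", "admin")
    return cms


def demo():
    """Walk through the practices on constructed accounts and return the outcomes."""
    cms = bootstrap()
    cms.add_user("alice.admin", "bob.editor", "editor")
    results = {
        # The editor role can edit but not publish, limiting what a
        # compromised editor account can do.
        "editor_edit": cms.authorise("bob.editor", "page.edit"),
        "editor_publish": cms.authorise("bob.editor", "page.publish"),
        # An editor cannot create accounts, so it cannot escalate itself.
        "editor_add_user": cms.add_user("bob.editor", "mallory", "admin"),
        # Leaver housekeeping: once deactivated, the account grants nothing.
        "deactivated": cms.deactivate("alice.admin", "bob.editor"),
        "after_leaving": cms.authorise("bob.editor", "page.read"),
    }
    # Every allowed and denied attempt by bob is in the trail under his own name.
    results["bob_trail_len"] = len(cms.actions_by("bob.editor"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that denied attempts are logged as well as allowed ones, and that leavers are deactivated rather than deleted: both keep the audit trail intact, which is the point of individual accounts in the first place.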

And finally, disproving urban myths

A common statement I receive is:

“If we change the URL of the login screen we will be safer. Isn't it true that a large reason why the open-source platform WordPress is vulnerable is due to this? You can just add /wp-admin to the URL and it opens the CMS login screen on a plate for you.”

This simply isn't the case.

You could compare this to keeping your life savings under your bed, where nobody knows or expects them to be. Does that mean they are in a safer place than money in a bank?

Security experts warn that security through obscurity is a discouraged practice, since it can encourage laxness in addressing vulnerabilities if you believe no one can find them:

“The security of a system should depend on its key, not on its design remaining obscure”

Security Engineer Ross Anderson, 2008.

In summary, we would recommend that you take the following steps to ease any security concerns you have:

  • Review your current site to illustrate your strengths and weaknesses
  • Provide recommendations that will increase security and ensure best practice is adhered to
  • Physically perform the upgrades and execute delivery.

Call: 0114 279 7779 or Email: hello@quba.co.uk to speak to a Quban

Sources: http://www.bbc.co.uk/news/business-37565367

11 Oct 2016
Chris Bainbridge