TalkTalk has been hit by several security breaches in the last year. In December 2014, the company saw customers hit by India-based scam calls after a data breach. It happened again in February 2015, when attackers stole customer information from TalkTalk’s internal systems via a third party that had access to its network. Its customers were also affected by an attack on Carphone Warehouse systems, in which the personal information of up to 2.4m customers was obtained.

The sheer number of breaches has raised concern, with many claiming that TalkTalk hasn’t kept pace with the quick evolution of hacking techniques – nor with the set standards for data protection. This was echoed by David Emm, principal security researcher at Kaspersky Lab, who said: “What is worrying is that this is the third time TalkTalk has been compromised this year, with no apparent changes to their internal policies and security strategies.”

And according to cyber security experts, the 11 separate vulnerabilities found in the company’s website may have enticed criminals to target it. In fact, prior to the most recent hack, one of the company’s customer service representatives tweeted information that indicated the company stored customers’ login credentials in an unencrypted format. As such, TalkTalk has been accused of several security failings.

Taking this criticism on board, however, the company appointed PwC to carry out an independent investigation into whether the company could have done more to protect its customers – as well as to determine how it could be better shielded in the future.

Read more about cyber crime:
- As cyber crime soars, one SME is offering companies a new way to keep safe
- Police find clever ways to crack down on intellectual property crime
- TalkTalk CEO reveals she received ransom demand from data theft group
(1) Code any web applications
He explained that firms needed to use a secure software development lifecycle, such as those described in the OWASP Top Ten and SANS/CWE Top 25, to code any web-based applications. If applications are incorrectly coded, it is impossible to guarantee that data is secure.

(2) Test applications
Use an external penetration testing organisation to regularly test web applications and external hosts, suggested Foster. He said: “External penetration testing will highlight any flaws in the network that could potentially be used as an access point for a hacker. If any issues are flagged during testing, the organisation should address these immediately.”

(3) Protect yourself
It is crucial to use Web Application Firewalls (WAFs), Intrusion Detection and Prevention (IDP/IPS) and Data Leakage Prevention (DLP) solutions to help protect both individual computers and shared networks against external security threats.

(4) Encrypt important and sensitive information
“Any sensitive information stored in shared files or databases should be encrypted,” said Foster. “This adds an additional layer of security and often protects an organisation’s most valuable assets, such as credit card details.”

(5) Separate computer functions and access
Doing so will prevent direct access to multiple files. It also means that if one file is hacked, another is not automatically at risk.