IT Security Management: The Home Depot Data Breach
Added on 2022/12/23
AI Summary
This report analyzes the Home Depot data breach case study, covering the possibilities of the breach and its impact, and provides relevant solutions. It also discusses the information security framework for this particular case study.
Running head: IT SECURITY MANAGEMENT

IT Security Management: The Home Depot Data Breach
Name of the Student
Name of the University
Author’s Note:
Table of Contents

Part 1: Case Study Analysis
1. Introduction
2. Possibilities of the Security Breach
3. Impact of the Breach
4. Solutions or Patches
5. Policies
6. Information Security Framework
7. Conclusion

Part 2: Computer based Fraud
1. Introduction
2. Computer Fraud: Types and Impact on Organization
3. Evidence of Involvement of IT Employees
4. Few Possible Mechanisms for avoiding Fraud
5. Conclusion

References
Part 1: Case Study Analysis

Abstract

The objective of this report is to analyse the case study of the Home Depot data breach. Data breaches can be both accidental and intentional. A cybercriminal may hack an organizational database in which personal information is shared, or an employee may accidentally expose information on the Internet and so give criminals the opportunity to access vital personal details. Most data breaches involve vulnerable and overexposed unstructured data such as sensitive information and documents. Most regulatory regimes have passed data breach notification laws, which require an organization to check whether a data breach threatens its customers. Home Depot faced major issues related to the hacking of its POS systems. This report identifies the possibilities of the breach and the impact of the breach, and provides relevant solutions to these data breaches.
1. Introduction

A data breach is an incident that exposes protected and sensitive information. It can involve the theft or loss of social security numbers, personal health data, emails, passwords and bank account details (Jaferian et al., 2014). A data breach occurs through insider and privilege misuse or through physical loss or theft. Denial of service is the second significant and distinct type of data breach. The following report outlines a brief discussion of the Home Depot data breach case study. It covers the possibilities of the security breach, the impact of the breach, solutions, relevant policies and a suitable information security framework for this particular case study.

2. Possibilities of the Security Breach

On 8th September, 2014, the POS systems of Home Depot were compromised by several exploitation methods; the use of stolen third party vendor credentials and RAM scraping malware was highly instrumental in making the data breach successful. The confidential payment card information was sold online by the cyber attackers (Boyle & Panko, 2014). The first step in this process is to sell the payment cards to brokers, after which they are sold on to carders on certain phishing websites. Almost 56 million payment cards were stolen in the Home Depot data breach. The major possibility behind this particular security breach is memory scraping malware. This malware is able to read the contents of RAM on a POS terminal while the payment card data is present there in clear text. The major weakness at Home Depot that allowed this threat to occur was that the POS systems were not properly locked down, and as a result the memory scraping malware was able to steal such information (Hänsch & Benenson, 2014).
The attackers infiltrated the POS networks and then carried out the theft of the payment card data. They were able to obtain access to the vendor environment with login credentials. As soon as they got into the Home Depot network, they installed the memory scraping malware on more than 7500 self checkout POS terminals and grabbed 56 million debit and credit cards. Home Depot did not take the necessary steps to protect its point of sale systems, and hence the attackers got the opportunity to exploit such vulnerabilities and steal payment card information (Angst et al., 2017). Network segregation is yet another important weakness of this organization.
Moreover, in spite of having SEP (Symantec Endpoint Protection) installed within its environment, Home Depot had not turned on an important feature of the product, known as Network Threat Protection (Fennelly, 2016). This feature acts as a host intrusion prevention system. With the POS devices configured to keep the feature activated, it was vital to attest to the success of the feature while completing vulnerability assessments on the systems. The operating system on Home Depot's POS devices, Windows XP Embedded SP3, was not secured (Elmaghraby & Losavio, 2014). Another distinctive weakness of this organization was that it did not use P2P or point to point encryption, and thus payment data was not secured from the attacks.

3. Impact of the Breach

The impact of the breach on the POS systems of Home Depot has been extremely high. There have been numerous negative impacts of the data breach, and these are described in the following paragraphs:

i) Risk of Identity Theft: The first and foremost negative impact of this security breach was that the confidential data of the customers’ payment cards, such as credit and debit cards, was completely lost (Siponen, Mahmood & Pahnila, 2014). Due to the loss of financial data and information, the customers of Home Depot were left open to the subsequent risk of identity theft. There is a high risk of cyber criminals attempting to compromise data security. The possibility of such risks or security breaches has increased to around 66% for all types of organizations.

ii) Compromising Customers’ Data: The second important and noteworthy negative impact of the security breach is the compromise of the confidential data of the customers.
Since the payment card details of the customers were stolen by attackers who got into the POS networks, it is evident that the data breach had a major impact on the customers, and Home Depot risked losing most of its customers in the process (Rubóczki & Rajnai, 2015). Moreover, there was a high chance that the bank account details of the customers would also be stolen by the attackers, since credit and debit cards are directly linked with the bank accounts.

iii) Risk of the Employees’ Data: Another distinctive and significant negative impact of the Home Depot security breach is the risk to the employees’ data. Since the POS networks were breached by the attackers, the employees’ data were also at risk (Maglaras et al., 2018). There was a major impact on employees’ data, as the attackers used social engineering against the data security of the company and then gained unauthorized access to classified information. The CIA (confidentiality, integrity and availability) of the data was at stake, since completing customers’ payments requires bank account details to be linked with the customers’ payment cards (Van Tilborg & Jajodia, 2014). Security processes and procedures at Home Depot were not stringent for the information of either employees or customers.

iv) Missing Secure Configuration: Home Depot missed out secure configuration. It did not use P2P encryption for its data. This technology allows payment card data to be encrypted at the point of swipe and allows the data to be encrypted in memory (Shoven & Slavov, 2014). Since Home Depot did not have the hardware required for using the technology, the confidential data was lost. The major reason for this discrepancy was that it did not upgrade the operating system of the POS devices within the organization.

4. Solutions or Patches

The above mentioned impacts are extremely damaging for Home Depot and resulted in the loss of confidential payment card details. However, there are some significant solutions or patches for these issues that can reduce the impact and provide better accessibility and effectiveness in the organization (Safa, Von Solms & Furnell, 2016). The major solutions and patches are as follows:

i) Involving Point to Point Encryption: This is the first and foremost solution to the data breach that occurred within Home Depot.
They should have used the P2P or point to point encryption methodology for the existing POS devices, so that it becomes much easier for the organization to obtain high safety and security from any type of data breach. According to Soomro, Shah and Ahmed (2016), the security of debit and credit card data should have been the top priority; even with attackers infiltrating the POS systems and installing memory scraping malware on the registers, it is highly recommended that this organization implement P2P encryption in its business to prevent the attackers from stealing debit or credit card data. It would have provided encryption at the point of swiping the card and entering the 4 digit PIN code. Due to the encryption algorithm, it becomes almost impossible to detect the PIN, and hence the data is completely safe and secured (Goldstein & Frank, 2016).
ii) Involving Network Segregation: This is the second distinctive factor that was missed by Home Depot. Perimeter protection is considered one of the most important components for preventing the larger retail breaches that have taken place, and is termed extremely critical when deploying a defence in depth approach. Arachchilage and Love (2014) stated that they should have properly segregated the POS network from the remaining corporate network, and that the use of a private virtual local area network is required for such situations.

iii) Management of Third Party Vendor Credentials: Another important solution for resolving the impact of the data breach at Home Depot is successful management of third party vendor credentials (Mukundan & Sai, 2014). Various attackers were able to obtain access to a vendor specific environment that was being used by retailers and were able to pivot to every corporate network. This demonstrated the significance of having adequate controls in place, from which Home Depot would have benefitted and been secured from the breach.

5. Policies

Home Depot should implement a few policies for security breaches, so that it is able to deal with complexities and vulnerabilities to a high level. The first and most important policy to be considered is a data security policy (Safa, Von Solms & Furnell, 2016). With this policy, the organization would be able to deal with financial data, PII, and restricted and sensitive information related to customers and employees. No unauthorized or unauthenticated user would be able to access the data under any circumstance. Thus, information security would be maintained, ensuring that the scope of data is being printed effectively. A secure password should also be used, which means implementing a password policy for the organization.
A data leakage prevention policy is the next significant policy that would be extremely effective for Home Depot (Rubóczki & Rajnai, 2015). This policy is designed to make users aware of the restricted and sensitive data that they are transferring to other locations. For this case study, the information to be protected is payment card details.

6. Information Security Framework

There are some effective and efficient IT security frameworks and standards that help confidential data to remain safe and secured. This type of framework is a series of documented procedures that are used for defining policies and procedures around the implementation and ongoing management of every information security control within the enterprise environment (Elmaghraby & Losavio, 2014). The first significant IS framework is COBIT, which helps to reduce all types of technical risks in the company and has evolved recently, with the new version including alignment of IT with every strategic business objective. The second distinctive framework is the ISO 27000 series, which is effective for the certification process and is applicable to every type and size of company. It is even considered the information security equivalent of the ISO 9000 quality standards and helps in information security (Siponen, Mahmood & Pahnila, 2014). NIST is the third distinctive IS framework; it helps with any type of cyber-attack occurring in the supply chain and provides the business with new business related opportunities.

Amongst the above mentioned information security frameworks, the most suitable and effective for Home Depot would be the NIST framework. Since the POS networks of this organization were attacked and breached, it is evident that intellectual properties were affected in this process (Soomro, Shah & Ahmed, 2016). However, with the successful implementation of the NIST framework, the controlled unclassified information would have been protected and the information system would have been aligned properly in terms of compliance. Sensitive information such as social security data or credit card data is well protected with this framework.

7. Conclusion

Therefore, the conclusion can be drawn that data breaches are the unintentional or intentional release of confidential or secured information or data to an untrusted environment. Information leakage is the most common name for such a data breach.
It is a security incident in which confidential, protected and sensitive information is stolen, transmitted, copied, utilized or viewed by an unauthorized and unauthenticated user or attacker. The point of sale systems of Home Depot were compromised by exploitation methods. The case study analysis provided above has described the major possibilities of the security breach, with relevant solutions and a relevant information security framework.
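The network segregation and vendor access controls discussed under "Solutions or Patches" can be checked against observed traffic. The following is an added example, not part of the original report, that flags flows crossing the POS boundary outside an allowlist; the subnets, services and flow records are constructed assumptions.

```python
"""Audit observed flows against a POS segmentation policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan: none of these values come from the case study.
ZONES = {
    "pos": ip_network("10.20.0.0/16"),
    "corporate": ip_network("10.10.0.0/16"),
    "vendor": ip_network("10.30.5.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Allow:
    src_zone: str
    dst_zone: str
    dst_net: str  # CIDR the destination address must fall in
    dport: int


# The only traffic permitted to cross the POS boundary (hypothetical services).
ALLOWLIST = [
    Allow("pos", "external", "203.0.113.10/32", 443),  # payment gateway
    Allow("corporate", "pos", "10.20.0.5/32", 8530),   # patch distribution
]

# Constructed flow records, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "203.0.113.10", 443),  # POS -> gateway, allowed
    Flow("10.10.9.2", "10.20.0.5", 8530),     # patch server -> POS, allowed
    Flow("10.20.1.15", "10.20.1.1", 53),      # stays inside the POS zone
    Flow("10.10.4.7", "10.30.5.20", 22),      # does not touch the POS zone
    Flow("10.10.4.7", "10.20.1.15", 445),     # corporate host -> register
    Flow("10.30.5.20", "10.20.3.9", 3389),    # vendor host -> register
    Flow("10.20.3.9", "198.51.100.77", 21),   # register -> unknown external
]


def zone_of(addr: str) -> str:
    """Map an address to its zone name; anything unlisted is 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit(flows, allowlist):
    """Return (src_zone, dst_zone, flow) for each boundary crossing not allowed."""
    findings = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        # Only flows that cross into or out of the POS zone are in scope.
        if src_zone == dst_zone or "pos" not in (src_zone, dst_zone):
            continue
        permitted = any(
            rule.src_zone == src_zone
            and rule.dst_zone == dst_zone
            and rule.dport == flow.dport
            and ip_address(flow.dst) in ip_network(rule.dst_net)
            for rule in allowlist
        )
        if not permitted:
            findings.append((src_zone, dst_zone, flow))
    return findings


if __name__ == "__main__":
    for src_zone, dst_zone, flow in audit(SAMPLE_FLOWS, ALLOWLIST):
        print(f"VIOLATION {src_zone}->{dst_zone}: "
              f"{flow.src} -> {flow.dst}:{flow.dport}")
```

On the constructed records, the three reported violations are the corporate and vendor hosts reaching registers directly and a register talking to an unlisted external address.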
Part 2: Computer based Fraud

1. Introduction

Computer fraud is the activity of using a system to alter or take electronic data, or to gain unlawful use of a system or computer. Computer related activities of this kind are criminalized under federal jurisdictions (Vahdati & Yasini, 2015). There are various types of computer fraud, which include distributing hoax emails, accessing unauthorized or unauthenticated computer systems, engaging in data mining through malware or spyware, hacking into computer systems for illegal access to personal information like credit card details, and sending worms to ruin or destroy the system or computer of another party.

2. Computer Fraud: Types and Impact on Organization

There are some distinctive and noteworthy types of computer fraud, which have significant impacts on the organization. The major types of computer fraud are as follows:

i) Distributing Hoax Emails: With this type of computer fraud, the hacker distributes hoax emails to the victims, and the victims have no idea regarding their legitimacy. According to Button et al. (2014), these emails have a huge impact on organizations, since, as soon as the emails are opened, confidential data of the systems and users is stolen and cannot be recovered under any circumstance.

ii) Accessing Unauthorized Computer Systems: This is the second type of computer fraud, in which the victims access unauthorized computer systems. These victims often have no idea which computer systems are unauthorized or authorized, and they use the unauthorized computer systems, hence creating a major issue for all confidential data or information that needs to be stored effectively (Liao, Balasinorwala & Rao, 2017).

iii) Engagement of Data Mining with Malware: The third type of computer fraud is engaging in data mining with malware or spyware.
With this fraud, it becomes quite easy for the attacker to get access to the data mining process and to remain engaged with the data mining by implanting malware in the system.

iv) Illegal Accessibility of Personal Information: Illegal access to personal data or information is responsible for stealing confidential data in such a manner that when data is being stolen, it becomes absolutely impossible to involve more targeted attacks, after focusing on the specified systems. Gupta and Gupta (2015) stated that the most common example of such attacks is the cross site scripting or XSS attack, which could leverage malware on one site for running malicious code against the organization.

v) Sending Computer Viruses: The organizational data could be lost forever, with no scope for recovering it, if attackers introduce computer viruses into the systems and computers of the company (Sadaoui, Wang & Qi, 2015). Sensitive information is stolen in this process.

vi) DoS Attacks: In this type of attack, the attacker attempts to prevent anyone from getting connected to the Internet with a computer. Unwanted data is being restricted in the process, and Internet traffic is blocked from sending or receiving any type of message. It has a major impact on the organization, since it is unable to send or receive information in this process.

3. Evidence of Involvement of IT Employees

It has often been shown that IT employees are highly involved in computer fraud, and hence this is also termed an insider threat. Existing or new IT employees have insider information concerning organizational security practices, computer systems and confidential data (Button & Cross, 2017). The involvement of these employees in computer fraud can bring about issues such as theft of confidential information and even of intellectual property. They could even sabotage the computer systems completely. One of the most popular pieces of evidence of such involvement of IT employees in computer fraud is Jason Needham. He was the co-owner of HNA Engineering and was charged with violating the Computer Fraud and Abuse Act, which put him in prison for 5 years with a $250000 fine. He used to work at Allen and Hoshall before starting his own firm (Cyber Insider Threat, 2017).
During 2014 and 2016, he continuously accessed the file sharing network and email accounts on the servers of his former company to download digitally rendered engineering schematics, with over 100 PDFs of budgetary documents. He accessed the email account of a colleague at Allen and Hoshall hundreds of times to breach the data, and finally the IT staff found out about the issue and reported it to the FBI.

4. Few Possible Mechanisms for avoiding Fraud

The few possible mechanisms for avoiding computer fraud are as follows:
i) Regular Inspection on the IT Employees: According to Han and Xiao (2017), IT employees should be inspected on a regular basis, so that they do not get the scope for stealing confidential data or breaching data under any circumstance. As a result, these IT employees would be able to complete their duties efficiently, and computer fraud could be avoided without much complexity in the business.

ii) Implementing Antivirus Software: The second effective and significant mechanism for solving such issues is the implementation of antivirus software. This type of software acts as a shield against any kind of unauthenticated or unauthorized data and provides security from viruses or ransomware.

iii) Using Stronger Passwords and Encryption: This is yet another vital and noteworthy mechanism that is effective against computer fraud (Gupta & Gupta, 2015). Stronger passwords and encryption techniques turn the confidential data into an encrypted or hidden form, and hence attackers do not get an opportunity to hack the data at any cost.

5. Conclusion

Hence, the conclusion can be drawn that computer fraud can be of different types, such as phishing, viruses, DDoS attacks and social engineering attacks, that are used for obtaining access to another network. It is the use of computers, Internet devices or services for defrauding organizational resources or people. Since smart phones and devices have become extremely common in the present day, computer fraud is being used by several cyber criminals. It even includes perpetrating several common types of scams with electronic tools, like impersonating the victim to steal data or money, and even using electronic tools for promoting deals. The above literature review has described computer fraud with relevant details.
References

Angst, C. M., Block, E. S., D'arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3).

Arachchilage, N. A. G., & Love, S. (2014). Security awareness of computer users: A phishing threat avoidance perspective. Computers in Human Behavior, 38, 304-312.

Boyle, R. J., & Panko, R. R. (2014). Corporate computer security. Prentice Hall Press.

Button, M., & Cross, C. (2017). Cyber frauds, scams and their victims. Routledge.

Button, M., Nicholls, C. M., Kerr, J., & Owen, R. (2014). Online frauds: Learning from victims why they fall for these scams. Australian & New Zealand journal of criminology, 47(3), 391-408.

Cyber Insider Threat. (2017). Accessed from https://www.cdse.edu/documents/cdse/Case-Study-Cyber-Insider-Threat.pdf [Accessed on 20 September 2019].

Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of advanced research, 5(4), 491-497.

Fennelly, L. (2016). Effective physical security. Butterworth-Heinemann.

Goldstein, A., & Frank, U. (2016). Components of a multi-perspective modeling method for designing and managing IT security systems. Information Systems and e-Business Management, 14(1), 101-140.

Gupta, P. K., & Gupta, S. (2015). Corporate frauds in India–perceptions and emerging issues. Journal of Financial Crime, 22(1), 79-103.

Han, W., & Xiao, Y. (2017). A novel detector to detect colluded non-technical loss frauds in smart grid. Computer Networks, 117, 19-31.

Hänsch, N., & Benenson, Z. (2014, September). Specifying IT security awareness. In 2014 25th International Workshop on Database and Expert Systems Applications (pp. 326-330). IEEE.
Jaferian, P., Hawkey, K., Sotirakopoulos, A., Velez-Rojas, M., & Beznosov, K. (2014). Heuristics for evaluating IT security management tools. Human–Computer Interaction, 29(4), 311-350.

Liao, R., Balasinorwala, S., & Rao, H. R. (2017). Computer assisted frauds: An examination of offender and offense characteristics in relation to arrests. Information Systems Frontiers, 19(3), 443-455.

Maglaras, L. A., Kim, K. H., Janicke, H., Ferrag, M. A., Rallis, S., Fragkou, P., ... & Cruz, T. J. (2018). Cyber security of critical infrastructures. Ict Express, 4(1), 42-45.

Mukundan, N. R., & Sai, L. P. (2014). Perceived information security of internal users in Indian IT services industry. Information Technology and Management, 15(1), 1-8.

Rubóczki, E. S., & Rajnai, Z. (2015). Moving towards cloud security. Interdisciplinary Description of Complex Systems: INDECS, 13(1), 9-14.

Sadaoui, S., Wang, X., & Qi, D. (2015, June). A real-time monitoring framework for online auctions frauds. In International Conference on Industrial, Engineering and Other Applications of Applied Intelligent Systems (pp. 97-108). Springer, Cham.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & security, 56, 70-82.

Shoven, J. B., & Slavov, S. N. (2014). Does it pay to delay social security? Journal of Pension Economics & Finance, 13(2), 121-144.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), 217-224.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.

Vahdati, S., & Yasini, N. (2015). Factors affecting internet frauds in private sector: A case study in cyberspace surveillance and scam monitoring agency of Iran. Computers in Human Behavior, 51, 180-187.
Van Tilborg, H. C., & Jajodia, S. (Eds.). (2014). Encyclopedia of cryptography and security. Springer Science & Business Media.