CSI5133 Information Security
Learning outcomes
- Analyse and synthesise information security issues in modern organisations.
- Demonstrate an understanding of the advantages, disadvantages, threats and vulnerabilities associated with various IT environments.
- Demonstrate the concepts, principles and techniques relating to the security of information.
- Evaluate the importance of information to organisations and society in general.
Critically analyse the case study provided to give an information security perspective on the issues faced by the organisation.
Follow the processes provided in the unit materials, particularly the first five modules, to present a logical and clear analysis of the case study. The case study can be found under the Reading List/Assignment 01.
Your report should include:
- An outline of the process followed to devise the case study analysis, i.e., did you follow any methodology on how to analyse a case study, and what steps did you follow to write the main body of the report? This section need not be detailed, a 2 brief outline of your analysis process.
- Identification of the personally identifiable information (PII) that is held, used, and collected by the organization.
- Discuss the CIA triad and how these principles relate to the information security breach, i.e., what was breached in relation to C.I.A
- What threats and vulnerabilities to the information exist in the case study
- What protections were in place; what worked and what failed in this particular case.
- Discuss the lessons learnt from the breach, for example, legal, financial, risk
- What did the organisation do after the breach, i.e., what happened after the fact.
- Why was this breach such an important case to learn from.
Answer:
Introduction
It was a day no organization ever dreams of, and one that stands out in the history of Target shoppers. This was the pleasant month of December 2013, when nearly 40 million credit cards were stolen. The method was hard to believe: the data was accessed on the POS system. Approximately 70 million customers were affected and around 11 GB of data was stolen. There are many different definitions of information security, but the best definition surely includes maximum confidentiality of customers' data, well-established integrity and 24x7 availability of useful information. Information security is the most important aspect of any organization and must be designed to ensure the integrity and confidentiality of all the organization's computers. The three terms (confidentiality, availability and integrity) are collectively known as the CIA triad. This triad is also known as Parkerian hexad and necessarily includes control, authenticity and utility besides the above parameters of information security. In this report, all the information security vulnerabilities will be explained in depth.
Information security
As per the definition given by Techopedia, a very popular brand in this field, information security includes risk management. There may be two types of information in an organization: the first category is sensitive information, which must remain unchanged, unaltered and untransformed, and which can be modified with permission only (Miloslava Plachkinova, 2018). In the retail industry, information security can be ensured by following the best available security practices and protecting the personal as well as financial information of all customers. It is a set of strategies used to manage data processing and the threats that can alter customers' digital information (Rouse, 2016).
Need of report
As information security is the most important module of the course curriculum, there can hardly be a better example than a real case study like this one. Every student must come to know the latest technologies of information security. Our view is that this conceptual knowledge, when it needs to be applied in a real-life scenario, can be used to address security issues in an organization.
The timeline of Target data breach (2013)
The method we followed to accomplish this project report is:
- We collected all the verified information that might be useful to explain the security breaches and corrective measures of the Target data breach in depth.
- We carried out a detailed analysis of all the security threats, vulnerability issues and malware of the Target breach (Xiaokui Shu, 2017).
- The difficult points and challenges of investigating the data breach from the legal perspective are also analyzed.
- Further in this report we provide security guidelines for organizations to improve payment system security. There are three guidelines: enforcing the integrity of the payment system, designing the alert mechanism, and segregating the network.
- We also discuss the credit card security currently used in organizations and how to spread best practices for using credit cards securely.
Most important facts of the case study
The sources are sufficient to establish the most important facts of the data breach. The key points of the case study that we consider the most critical are:
- The POS system of Target shoppers had technical issues related to virtualization, configuration, deployment of security patches and system updates.
- Passwords were breached through a bot program via Fazio Mechanical, a refrigeration vendor, due to which the malware was able to steal the credentials of customers.
- Customers' personal financial information was lost, which was very important for tracing current bank statements and other information.
- The POS machines were infected within a short span of time by applications that customized the software and disabled the virus scanner. The automated update process transferred raw commands over the network and moved data to hacked servers via FTP.
Personal Identifiable Information
Personally identifiable information is used to identify a specific individual. It can be of two types: sensitive and non-sensitive. Non-sensitive personally identifiable information can be transmitted over a network in unencrypted form, as this would not result in any harm to the individual. This information can simply be collected from sources such as public records, phone books, websites or an organization's directory (Rouse, personally-identifiable-information, 2014). Sensitive information, on the other hand, results in harm to the individual whenever it is disclosed. So it is recommended to encrypt this type of information before transmitting it. For encryption biometric information, personally identifiable financial information (Bank account and password), medical information and some other SSN (Social security number)
Threats and Vulnerabilities
The IT system and network of Target shoppers were attacked in November 2013. Around 70 million customer records and 40 million credit card numbers were stolen by the attackers (Watts, 2017). Several major parties were actively involved in the investigation of this incident, such as Dell SecureWorks, the FBI, iSIGHT Partners and the United States Secret Service. IntelCrawler was actively involved in analyzing the malware, and the marketing of all the stolen cards was done by BlackPOS.
From the above picture, we can say that the Fazio Mechanical system was drastically compromised by the Citadel Trojan. Possibly this Trojan was initially installed because of a weak security system (Jones, 2016). Network segregation was present in the network but it had many loopholes. Network segregation is the concept of placing network devices in the network whose main objective is to filter the data packets destined for a specific network. For example, if software needs to be installed on a POS, it first has to pass through the proper passage. Due to the weak network, the malware started gaining access to the target machines. Once the malware reached the target machines, it started accessing credit card information, especially card numbers.
According to one source, all the stolen credit card information was aggregated on a server situated in Russia. The total amount of stolen information was 11 GB.
Preventive Measures (Alternative Course of action)
The security measures that can be taken to ensure the security of the organization are as follows.
Do not run any system without security measures clearances (S, 2016). To implement this, network firewalls can be put in place and the network can be secured using virtual local area networks. Target shoppers had also deployed FireEye, a popular network security system which is well secured and multi-layered and is capable of detecting malware by using network intrusion detection.
The case study has shown that Target failed to secure credit card information because it did not detect and prevent the data theft at various points, such as:
- The automatically generated security warnings were not investigated because the auto-removal functionality was disabled (Gagliordi, 2015).
- The methods used to segment the network were not corrected, and the sensitive network was not isolated at all.
- Software installation at the point of sale was not strict and allowed unauthorized access for configuration and installation in very simple steps. The result was data loss.
- The third-party partners did not follow a proper access control mechanism across the various groups.
Information security can ensure that credentials are secured by using an additional layer on top of the communication channel. A proper firewall must be deployed to filter out suspicious data packets in the organization. Admin rights for system updates or application installation must be provided to a specific category of employees only. The mitigation points for any threat or vulnerability in hardware or software must be notified and banned immediately to ensure the security of the whole organization and the database server.
Risk Management
Adhering to PCI compliance alone cannot be taken as a risk management strategy. Only the details that are strictly required for payment should be considered (Sullivan, 2015). Assets and customers' details can become very crucial for risk management. Once all the threats and vulnerabilities are identified, the risk expected from each individual threat must be analyzed (Halzack, 2015). In general, the vulnerability that has the highest likelihood and is the most critical in terms of cost to the organization should get the highest priority and be fixed first.
Risk Management Matrix
Risk Management and POS system
After the data breach, a risk-management-based approach to security is applied at Target shoppers on a regular basis (Robin, 2013). All the risks are prioritized so that they can be easily traced. A threat model has been created for systems throughout the network of data centers. It covers all the pivot points that might be chosen to reach the POS system.
Defense in Depth
Defense in depth means covering the whole infrastructure with security measures: every layer of protection should be analyzed so that an attack can be stopped at every suspected point (Sean Barnum, 2005). Implementing a strong defense in depth strategy will surely ensure the security of each level. Although encryption had been used at Target shoppers as part of defense in depth, the card data was available most of the time on the POS systems. This card data could be easily accessed by hackers and attackers. One more technique that can be used to secure data is whitelisting applications. It allows only specific authorized software to run or to be installed on the POS systems. Jason Popp, the group manager, has advised that whitelisting of applications can be done through hardware as well as software. The applications that run on the POS must be digitally signed. The signing key can be embedded in a hardware security module to ensure that only authorized code is installed on the POS systems. Some additional layers of encryption can also be deployed on the POS operating system.
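The whitelisting check described above can be sketched as follows. This is an added example, not code from the case study or from Target: the file names, file contents and key are constructed, and an HMAC over the manifest stands in for the HSM-backed digital signature because the Python standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the HSM-held signing key; a real
# deployment would use an asymmetric signature so that the POS terminal holds
# only a public verification key and cannot mint its own manifests.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed "approved" binaries (name -> file contents).
APPROVED = {
    "pos_app.exe": b"constructed POS application image",
    "updater.exe": b"constructed updater image",
}

def build_manifest(binaries, key):
    """Release side: record the SHA-256 of each approved binary and tag the list."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in binaries.items()}
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def load_allowlist(manifest, key):
    """Terminal side: trust the allowlist only if its tag verifies."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest authentication failed")
    return json.loads(manifest["body"])

def may_execute(name, data, allowlist):
    """Allow a binary only if it is listed and its digest matches the listed one."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(allowlist.get(name, ""), digest)

if __name__ == "__main__":
    allowlist = load_allowlist(build_manifest(APPROVED, DEMO_KEY), DEMO_KEY)
    print(may_execute("pos_app.exe", APPROVED["pos_app.exe"], allowlist))
    print(may_execute("pos_app.exe", APPROVED["pos_app.exe"] + b"\x90", allowlist))
```

The second call shows the point of matching on content rather than name: a modified binary that keeps an approved file name is still refused.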
Critical control points
There are many critical control points in the Target shoppers case study, but here we discuss only the most important (Smith, 2018). The list is prioritized on the basis of criticality, cost to recover, likelihood, preventive measures, etc.

| Pivot point | Controlling measures |
| --- | --- |
| Reconnaissance | Provide training to raise awareness about which type of information may be shared with whom. |
| Malware installation | To resolve this, appropriate software that fulfils the security precautions should be installed on the POS. |
| Filtration of data packets and communication | Data packets must be filtered through administrative authentication only. Implement proper network boundaries to monitor the data packets travelling into or out of the organization (Kilkelly, 2017). Using maintenance and audit logs makes the analysis process very simple, so never rely on standard tools only. |
| Installation of malware on POS | Only authorized software can be installed on the POS. Regular scanning with HIDS is recommended. |
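The boundary monitoring in the table, applied to the two failures this report describes (weak segregation around the POS network and data leaving over FTP), can be expressed as a small log check. This is an added example, not tooling from the case study: the address plan, allowlists and flow records are constructed, and the record format is an assumption.

```python
import ipaddress

# Constructed address plan (assumption, not from the case study).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")        # cardholder data segment
POS_MANAGEMENT = [ipaddress.ip_network("10.30.1.0/24")]   # hosts allowed to reach POS
POS_ALLOWED = [                                           # (destination, port) POS may reach
    (ipaddress.ip_network("10.30.1.10/32"), 443),
    (ipaddress.ip_network("10.30.1.20/32"), 8530),
]
FTP_PORTS = {20, 21}

# Constructed flow records: "timestamp src dst dport bytes"
SAMPLE_FLOWS = """\
2024-01-01T10:01:07 10.20.4.17 10.30.1.10 443 5120
2024-01-01T10:02:11 10.50.9.3 10.20.4.17 445 88211
2024-01-01T10:05:40 10.20.4.17 10.40.7.7 445 402113
2024-01-01T10:30:00 10.40.7.7 203.0.113.50 21 73400320
2024-01-01T10:31:00 10.60.2.2 198.51.100.8 443 20480
"""

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def check_flow(f):
    """Return the names of the segmentation rules this flow violates."""
    alerts = []
    src_pos, dst_pos = f["src"] in POS_SEGMENT, f["dst"] in POS_SEGMENT
    if src_pos and not dst_pos and not any(
            f["dst"] in net and f["dport"] == port for net, port in POS_ALLOWED):
        alerts.append("pos-egress-not-allowlisted")
    if dst_pos and not src_pos and not any(f["src"] in net for net in POS_MANAGEMENT):
        alerts.append("inbound-to-pos-from-unapproved-host")
    if f["src"] in INTERNAL and f["dst"] not in INTERNAL and f["dport"] in FTP_PORTS:
        alerts.append("ftp-to-external")
    return alerts

def scan(text):
    """Return (timestamp, src, dst, rule) for every violated rule."""
    return [(f["ts"], str(f["src"]), str(f["dst"]), rule)
            for f in parse_flows(text) for rule in check_flow(f)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Alerts of this kind only help if someone investigates them, which is the gap the report notes in the handling of the automatically generated warnings.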
Target shoppers after breach
Various sources describe that Target shoppers was not in good condition, as they had to pay around 18.5 million dollars to around 47 states and the District of Columbia as a settlement amount to the state attorneys general (Abrams, 2017). This settlement will end after a yearlong investigation into how this whole incident happened, how the hackers were able to steal the credit card information, and what exactly the source was of the other information about 10 million people.
Of this settlement amount, New York will get 635000 dollars and California will get 1.4 million dollars.
Target agreed to implement strict digital security, which also covers the maintenance of software and the encryption and decryption of messages to secure personal information. It was decided that retailers will separate their cardholder data from the rest of the network and pay only for an independent assessment (Jayakumar, 2014).
Learning outcomes
Although this data breach was one of the biggest in history, it also showed a successful business in North America, with 1800 stores in 2015. The data breach had an adverse impact on the image of Target shoppers, but there were some positive points as well: some customers overlooked the massive security issues that had occurred in the company and still showed keen interest in associating with it. Some customers of Target shoppers perceived the company as a victim of hackers and attackers and decided to stand with it during hard times.
After the data breach, Target shoppers promised to invest a huge amount in improving their cybersecurity operations. They created the first cyber fusion center in 2015, which is strongly dedicated to preventing this type of attack.
One more noticeable improvement was adding chip readers for customers' PINs. Target shoppers became the first organization in the US to issue such cards to their customers.
Summary
Although security breaches are critical for an organization, they have now become a day-to-day problem. It is important to monitor for expected security breaches regularly. What happened to Target shoppers can happen to other organizations as well. In conclusion, this report summarizes the events of the 2013 Target breach and the actions taken by the company to resolve the data loss. The objective is to raise awareness in society of the importance of the security aspects that must be followed in today's environment.
References
Abrams, R. (2017, May 23). Target to Pay $18.5 Million to 47 States in Security Breach Settlement. Retrieved from www.nytimes.com: https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html
Gagliordi, N. (2015, November 27). /the-target-breach-two-years-later. Retrieved from www.zdnet.com: https://www.zdnet.com/article/the-target-breach-two-years-later/
Halzack, S. (2015, March 19). target-data-breach-victims-could-get-up-10000-each-from-court-settlement. Retrieved from www.washingtonpost.com/: https://www.washingtonpost.com/news/business/wp/2015/03/19/target-data-breach-victims-could-get-up-10000-each-from-court-settlement/?noredirect=on&utm_term=.4a93d65258b0
Jayakumar, J. L. (2014, January 10). target-says-70-million-customers-were-hit-by-dec-data-breach-more-than-first-reported. Retrieved from www.washingtonpost.com: https://www.washingtonpost.com/business/economy/target-says-70-million-customers-were-hit-by-dec-data-breach-more-than-first-reported/2014/01/10/0ada1026-79fe-11e3-8963-b4b654bcc9b2_story.html?utm_term=.7acd0aaa9e47
Jones, B. (2016, June 20). threat-vulnerability-risk-commonly-mixed-up-terms. Retrieved from www.threatanalysis.com: https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Kilkelly, C. (2017, May 18). the-cis-critical-controls-explained-control-7-email-and-web-browser-protection. Retrieved from blog.rapid7.com: https://blog.rapid7.com/2017/05/18/the-cis-critical-controls-explained-control-7-email-and-web-browser-protection/
Miloslava Plachkinova, C. M. (2018). Teaching Case. Journal of Information Systems Education, 12. Retrieved from https://jise.org/Volume29/n1/JISEv29n1p11.pdf
Robin, J. (2013, July 13). pos-systems-and-risk-management. Retrieved from www.armaghpos.com: https://www.armaghpos.com/pos-systems-and-risk-management/
Rouse, M. (2014, January 14). personally-identifiable-information. Retrieved from searchfinancialsecurity.techtarget.com: https://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information
Rouse, M. (2016, September 13). information security (infosec). Retrieved from techtarget.com: https://searchsecurity.techtarget.com/definition/information-security-infosec
S, A. (2016, June 24). risk-management/it-risk-management/. Retrieved from www.business.qld.gov.au: https://www.business.qld.gov.au/running-business/protecting-business/risk-management/it-risk-management/reducing
Sean Barnum, M. G. (2005, September 13). defense-in-depth. Retrieved from www.us-cert.gov: https://www.us-cert.gov/bsi/articles/knowledge/principles/defense-in-depth
Smith, T. (2018, April 3). 20-critical-security-controls-control-13-data-protection. Retrieved from www.tripwire.com: https://www.tripwire.com/state-of-security/security-data-protection/20-critical-security-controls-control-13-data-protection/
Sullivan, P. (2015, March 10). Information-security-risk-management-Understanding-the-components. Retrieved from searchsecurity.techtarget.com: https://searchsecurity.techtarget.com/tip/Information-security-risk-management-Understanding-the-components
Watts, S. (2017, June 21). security-vulnerability-vs-threat-vs-risk-whats-difference. Retrieved from www.bmc.com: https://www.bmc.com/blogs/security-vulnerability-vs-threat-vs-risk-whats-difference/
Xiaokui Shu, K. T. (2017, January 18). Breaking the Target. Target Data Breach and Lessons Learned, p. 10.