12/6/2016 0 Comments
Home Depot Data Breach 2014
Recently, my graduate school program posted the question: "In September 2014, Home Depot stated that over 56 million credit cards had been compromised in a five-month cyber-attack on their payment systems...was the Home Depot incident handled correctly? Incorrectly?" (Southern New Hampshire University, 2016)
Reviewing the efficaciousness of the Home Despot Incident Response needs to be evaluated in the context of the time. Why? Monday morning quarterbacking without context threatens to overlook the serious constraints faced by any organization at the time. When criticizing the failure to respond, one must consider the institutional inputs that led to operational inertia. Without that consideration, information security leaders will diminish their trust among the those who most need their help: those organizations that have been hacked. An organization that has been breached faces many potential public relation and legal hurdles; they need some analysis that works with their current limitations to help them fix the problem.
Incidence Response begins with prevention. NIST lists five areas of prevention: Risk Assessments, Host Security, Network Security, Malware Prevention, and User Awareness and Training (Cichonski, Millar, Grance, & Scarfone, 2012).
In many discussions to date, Home Depot has been criticized for having outdated hardware, outdated operating systems, inadequate staffing, lack of planning, lack of endpoint protection, out of date operating systems. Bloombergpublished an article, which has been oft cited on this discussion board but may, in fact, be misleading.
In an article by Bank Info Security, the author points out a couple of points that are relevant. First, the Home Depot antivirus software which can assist in Malware Prevention. According to Schwartz, "Bloomberg describes the version 11 anti-virus software as being 'out of date.' But technically speaking, the anti-virus is still supported by Symantec and receives anti-virus signature updates" (Schwartz, 2014). Further, Schwartz continues to the point:
In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at antivirus vendor Sophos. "A smart attacker in a targeted environment will always bypass your anti-virus," he says, and especially if they're trying to take down a retailer the size of Home Depot. "If you're hitting something of that scale, you say, 'Oh they're running Symantec, or McAfee, or Sophos,' and the first thing the bad guy is going to do is download the software for free with a 30-day trial, write a virus that works on it, then hit it. These guys aren't stupid.(Schwartz, 2014)
From personal experience, organizations of Home Depot's size cannot roll out the latest version of anti-virus software whenever it is released. Any new software runs the risk interfering with existing software. Regression testing is needed, change control board need to sign off, rollback strategies in place to ensure thousand of POS systems don't fail at roll out of new antivirus. Also, from my experience, it is often the Security Team that causes the delay, not wanting to go on record and taking responsibility.
Home Depot may or may not have had a Risk Assessments that identified the threats the led to the data breach problems. It seems that they were partially aware of the situation.
In the year before cybercriminals penetrated payment systems of Home Depot stores in the U.S. and Canada, the retailer suffered at least two smaller hacks, according to internal company e-mails and reports. Afterward, Home Depot security contractors urged the company to strengthen its cyber defenses by activating a key, unused feature of its security software that the internal documents say would have added a layer of protection to the retail terminals where customers swipe their cards (Elgin, Riley, & Lawrence, 2014)
Home Depot being notified by contractors that Home Depot needed to strengthen it cyber defenses with specific recommendations as to where and why constitutes ipso facto threat assessment, at least partially. Home Depot not being able to act on this intelligence gives a possible indication that the Incident Response Team structure was lacking. Having two prior incidents and warnings from consultants, any existing incidence response teams didn't seem to have put a preventative in place before the next attack. Although, concerning failure to implement certain recommendations, "it’s not clear that the deactivated safeguard would have stopped it—a person familiar with the investigation says the attack did hit the stores’ registers"(Elgin, Riley, & Lawrence, 2014).
Particular criticism has surrounded Home Depot's lack of endpoint protection. Endpoint protection can assist with Network security but requires strong, experienced governance. EndPoint Security is a double-edged. From NIST:
"The volume of potential signs of incidents is typically high for example, it is not uncommon for an organization to receive thousands or even millions of intrusion detection sensor alerts per day." (Cichonski, Millar, Grance, & Scarfone, 2012)
"Deep, specialized technical knowledge and extensive experience are necessary for proper and efficient analysis of incident related data."
(Cichonski, Millar, Grance, & Scarfone, 2012)
If Home Depot had high turnover, retaining knowledgeable talent would have been difficult at best. Bloomberg noted, "... the security department has struggled with employee turnover and old software for about three years". Adding stress to a limited and possibly under-trained workforce could have exacerbated the problem and improperly implemented Intrusion Protection is an active staff stressor. From NIST: "Incident response work is very stressful, as are the on-call responsibilities of most team members. This combination makes it easy for incident response team members to become overly stressed. Many organizations will also struggle to find willing, available, experienced, and properly skilled people to participate, particularly in 24-hour support" (Cichonski, Millar, Grance, & Scarfone, 2012). Turning on endpoint protection, with the possibility of a large number of false positives may have done nothing to prevent the breach, and may have instead contributed to greater attrition in its ranks of security professions.
I suspect that Network and Host security were in need of improvement, but I am not in possession of network diagrams. Further, there haven't been any articles that explain what configurations were on the POS systems. I have seen a lot of speculation. One document that I am critical of Case Study: The Home Depot Data Breach by Brett Hawkins on several points I won't address. In summary, though, a careful reading of that papers reveals numerous opinions that suggest bias, and few listings of facts. Regardless, Home Depot may have had an extremely poor network and host security, but without details, I can only depend on the opinions of others. And many authors contradict each other here.
It safe to say the Home Depot needed better prevention methods. It would be hard to argue otherwise. Yet, It is not possible from this author to conclude that Home Depot was somehow negligent without more facts. Why? Doesn't the fact that Target had been compromised six months prior the initial breaching event at Home Depot imply it? No, it does not. First, for any organization of Home Depot's size, change rarely happens that quickly. In a 2015 article by Rachel Abrams: Chip Credit Cards Give Retailers Another Grievance Against Banks, it wasn't clear to retailers that new chip credits would solve issues of theft. Second, two years after the U.S White House Office of Personnel Management is now less secure than when the first breach occurred (Russell, 2016). I have not seen any indication that security is worse at Home Depot. In fact, Home Depot has moved quickly to positively address the problems that were discovered, which is documented numerous places. "Last year, Home Depot said it beefed up security introducing EMV chip-and-PIN technology in its U.S. stores along with introducing enhanced encryption in Canadian stores that takes raw payment card information and scrambles it to make it unreadable to unauthorized users" (Spring, 2016). As documented in NIST: 800-61 Computer Security Incident Handling Guide, part of incident responses is learning how to prevent the incident from happening again. Home Depot did that.
Finally, Home Depot protected their shareholders. Protecting shareholders is a legitimate goal for a business and one of many reasons to create a corporation. In that way, I think Home Depot did exceedingly well. Incident Response prepares the organization for upcoming legal challenges, and Home Depot did that as demonstrated by their legal outcome: "Home Depot wants to put this behind them as fast as possible,” said Charles Hoff, data security attorney and CEO of cybersecurity website PCI University. Hoff said, relatively speaking, Home Depot is getting off fairly modestly" (Spring, 2016)
Abrams, R. (2015, November 16). Chip Credit Cards Give Retailers Another Grievance Against Banks. Retrieved November 25, 2016, from http://www.nytimes.com/2015/11/17/business/chip-credit-cards-give-retailers-another-grievance-against-banks.html
Bucher, A. (2016, March 2). Home Depot Data Breach Class Action Settlement. Retrieved November 22, 2016, from https://topclassactions.com/lawsuit-settlements/closed-settlements/334196-home-depot-data-breach-class-action-settlement/
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). NIST: 800-61 Computer Security Incident Handling Guide. Retrieved November 24, 2016, from Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). NIST: 800-61 Computer Security Incident Handling Guide. Retrieved November 24, 2016, from http://www.bing.com/cr?IG=E4FE14A6D1FF451091A89309093D3FF3&CID=24CCAA2AC7A16539348CA3FDC6906414&rd=1&h=362W40gNTHHfKIo_VS1hgpbGy4Hr00QxMqQ8uy_DPeU&v=1&r=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf&p=DevEx,5083.1
Elgin, B., Riley, M., & Lawrence, D. (2014, September 14). Home Depot Hacked After Months of Security Warnings ... Retrieved November 24, 2016, from http://www.bing.com/cr?IG=537D0710BF8B4A16A9228B87AD7058D0&CID=1383FE0640FA6BB11495F7DE41CB6A90&rd=1&h=psa8wPmwCEQVIr0-M3uFp2qzd9otrbUoig8MRouzfJ8&v=1&r=http://www.bloomberg.com/news/articles/2014-09-18/home-depot-hacked-after-months-of-security-warnings&p=DevEx,5087.1
Krebs, B. (2014, March 19). Krebs on Security. Retrieved November 22, 2016, from https://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
Russell, G. (2016, November 18). Two years after super-hack of US secrets, White House agency getting worse at cyber-defense. Retrieved November 25, 2016, from http://www.foxnews.com/politics/2016/11/18/two-years-after-super-hack-us-secrets-white-house-agency-getting-worse-at-cyber-defense.html
Schwartz, M. J. (2014, September 16). Analysis: Home Depot Breach Details - BankInfoSecurity. Retrieved November 25, 2016, from http://www.bing.com/cr?IG=44329B369743426D8A47F4316E67379A&CID=31489BFD2C5865E1010492252D69648A&rd=1&h=9CvoZWd7AgflUplQv8dVuVAmol4Ekj7_ilvEdPwyZx0&v=1&r=http://www.bankinfosecurity.com/analysis-home-depot-breach-details-a-7323&p=DevEx,5082.1
Spring, T. (2016, March 18). Home Depot Agrees To $19.5 Million Settlement To End 2014 Breach Nightmare. Retrieved November 25, 2016, from https://threatpost.com/home-depot-agrees-to-19-5-million-settlement-to-end-2014-breach-nightmare/116884/
Stafford, L. (2015, October 24). Data breach still a headache for Home Depot. Retrieved November 22, 2016, from http://www.ajc.com/business/data-breach-still-headache-for-home-depot/F2iNdZvPYYS2n50eFv3HjN/
APA formatting by BibMe.org.
Laws of Identity
From time to time, I am asked; Can we change this to Ping, Dell CAM, <fill in whatever>? The answer is usually, yes. Why? Most modern Single Sign-on products adhere to Kit Cameron’s Laws of Identity. As such, there is high degree of compatibility between all true SSO. Incidentally, this is also why Accela’s product has never been SSO, they fail to implement the industry accepted Laws of Identity.
I have sent this because in seven bullet points, you have strong guidance of what makes modern identity management system and what it should be able to do. Also, please note the reference source, in my graduate program there is a definite focus on clear communications. 😀
Kit’s laws of identity are as follows:
Lacey, David. Managing the Human Factor in Information Security: How to win over staff and influence business managers. John Wiley & Sons P&T, 2009-02-17. VitalBook file.
9/14/2016 0 Comments
Security Problems with the Web
There are not many sets of ubiquitous shortcomings that affect all web users equally. Universal shortcomings that at affect all or most equally are the problems that get fixed first. If not, it may be that the security risk associated is deemed acceptable.
Further one organization may benefit from a security hole that harms another. Activities that benefit from security exceptions are not just criminal organizations. Journalists, whistle-blowers, and democratic movements benefit from security holes. The diversity of security scenarios underscores the problem of cyber security and why so many cyber security problems exist. The variety of security contexts, situations, needs, and configurations points to the most significant security concern with the web: a lack of talented, trained IT security professionals.
From Root9B Technologies CEO and former UBS Paine Webber chairman Joe Grano: “If you were to ask and answer the following question: ‘What do JPMorgan Chase, Home Depot, Target, Sony, IRS all have in common?’ It’s not that they just got hacked. It’s that despite spending $1 billion on their firewalls, they were exploited. So what it says is, as a country, we have to take a whole new level of protection.” (Wisner 2016) It is Grano's contention that the root problem is a lack of training. Again Grano, "The challenge is we have to train our CSOs and our CTOs, they’ve never been trained in cyber. They’re very, very talented people, you know, creating a network, give me a process to transact transactions – now they have to be trained in cyber."(Wisner 2016)
Many authors have proposed that ordinary users are the biggest security concern. While they are a concern, I think technical leadership is the larger issue since professional leaders are building the systems that expose ordinary people. IT too often deploys technical capabilities first, then secures them as threats are developed by opportunists looking to capitalize on the data and capabilities that may have been accidentally exposed.
Professional security staff is not ready to handle the threats that are evolving, while at the same time they are increasing the available attack surface! From MacAfee: "Over time, what we call perimeter inversion or outside-in happens: Applications and devices that were once directed primarily to the corporate network and data center are now directed primarily to the Internet and cloud, with the data center hosting limited processing and storage only for core intellectual property." (mcafee.com et al. 2016)
McAfee also points out that cyber-threats are advancing. Nation states and organized crime are advancing the threat by bringing sophistication by having the resources to develop sophisticated threats (mcafee.com et al. 2016). It is against this backdrop that new security professional finds themselves requiring a multitude of skills to combat a diverse, sophisticated cyber-threat landscape. Here are a few of the web threats McAfee identifies for 2016:
Cloud computing. Most tend to worry about the security of the cloud provider itself. However few tend to think about the resources it gives to the cyber attacker. From McAffee: "Cloud computing will also provide tremendous resources to criminals in the form of computing and storage capacity, plus the ability to appear and disappear at the click of a mouse. Law enforcement organizations will find it challenging to shut down an entire cloud service provider for the behavior of its criminal clients..." (mcafee.com et al. 2016)
Digital exhaust. Digital exhaust is the data we give away purposefully. Most don't realize the cumulative amount of data leaked by companies, their employees or private users that are harvested without even breaking into to a secured system. A criminal will combine public information with data from comprised or snooped-on systems to collect identities to sell them. (mcafee.com et al. 2016)
Payment systems. Payment systems seem to be an area where the benefits appear to outweigh potential risk, and the risk appears to be acceptable. Credit companies have endured a system fraught with security holes. Credit companies have allowed technology to remain relatively static, not advancing to meet the threat. From McAfee: "We see little innovation in attack methods associated with debit and credit cards. Most attacks approach payment card theft in the same way they have for the past 10 years, by attacking payment mechanisms or the databases containing card data. Once they have obtained the card data, they sell it as quickly as possible and pocket the profit." (mcafee.com et al. 2016). In short, it seems to this author, that credit companies have to this point deemed credit card theft losses to be acceptable since they have not moved to address them seriously as an industry.
The are numerous threats to the web. If we want to consider just a few resources. From Symantec we can see a number of current threats:
Until the need for trained security professionals is recognized, organizations and governments will not invest in developing this talent. The US federal government has started to recognize the size of the need, but companies are still behind in this issue. Once the problem is more clearly identified, consortiums can be developed to work together on how to develop this needed talent.
Mcafee.com, Antoniewicz, B., Bee, C., Campbell, T., Davis, G., Dooley, C., . . . Macaulay, T. (2016). McAfee Labs 2016 Threats Predictions. Retrieved September 7, 2016, from http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
Jacobs, Stuart (2015-12-01). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (IEEE Press Series on Information and Communication Networks Security) (Kindle Locations 7895-7897). Wiley. Kindle Edition.
Owasp.org. (2013, June 23). Top 10 2013-A5-Security Misconfiguration. Retrieved September 08, 2016, from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
Owasp.org. (2015, February 3). Top 10 2013-A2-Broken Authentication and Session Management. Retrieved September 08, 2016, from https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
Symantec.com. (2016). 2016 Internet Security Threat Report. Retrieved September 08, 2016, from https://www.symantec.com/security-center/threat-report
Wisner, M. (2016, September 7). America's Businesses Losing the Battle Against Hackers | Fox Business. Retrieved September 07, 2016, from http://www.foxbusiness.com/features/2016/09/07/americas-businesses-losing-battle-against-hackers.html
Robert Fischer is an Enterprise Cloud Architect working on a Masters Degree in Cyber Security. These posts are adapted from his graduate work. Anne Fischer edits these posts for this blog.