A Practical Approach for IT Governance

Archive for September 2014

What went wrong at Target and Home Depot?


The security breach at Target, which affected 70 million customers and involved 40 million cards, was seemingly dwarfed by the breach at Home Depot.

More than two weeks after Home Depot’s cyber-attack was first discovered, the retailer said today that the payment data breach exposed 56 million credit and debit cards.

The company said the breach has been contained and the malware responsible eliminated.

The malware was custom-built to evade detection and, contrary to earlier reports, had not been seen in other breaches, the company said. Who is to blame? Target CIO Beth Jacob resigned, and it is very likely that pressure will mount on Matt Carey, CIO at Home Depot. Both have an excellent background in running IT and understanding the business, but failures of this magnitude claim many a CXO. In fact, at Target even the CEO was forced to resign. Holding the CIO solely responsible is just politics. It is critical to identify the root causes before pointing fingers.

Would good governance have saved these firms? Was it a preventable issue such as an architecture flaw? Was it over-reliance on vendors who were not qualified? Was it reliance on old-school security techniques with no emphasis on data analysis or analytics, which might have shown trends? It was clearly not a compliance issue, as both Target and Home Depot were PCI compliant and did not store raw credit card information in their databases.

In an excellent analysis of the Target debacle in CIO Magazine, the authors identified 11 steps that the attackers took:

  • Step 1: Install Malware that Steals Credentials
  • Step 2: Connect Using Stolen Credentials
  • Step 3: Exploit a Web Application Vulnerability
  • Step 4: Search Relevant Targets for Propagation
  • Step 5: Steal Access Token from Domain Admins
  • Step 6: Create a New Domain Admin Account Using the Stolen Token
  • Step 7: Propagate to Relevant Computers Using the New Admin Credentials
  • Step 8: Steal 70 Million PII. Do Not Find Credit Cards
  • Step 9: Install Malware. Steal 40 Million Credit Cards
  • Step 10: Send Stolen Data via Network Share
  • Step 11: Send Stolen Data via FTP

The common link seems to be malware, but the question is whether something could have been done about it. Even more important: who else is a target? Walmart? I hope not, since the current CIO at Home Depot came from Walmart.

Written by Subbu Murthy

September 18, 2014 at 7:47 pm

The Power Of Small Data!


While solving a tough Sudoku puzzle, I was stuck on locating a “9”. As I was gazing at a location to put it, I stumbled across an interesting puzzle (not related to Sudoku). Take any number from 11 to 99. Say 37. The flip number of 37 is 73. The difference between the two is 36, which is 4 nines added together. The number 4 comes from the difference between 3 and 7, the two digits we were juggling. The same applies to, say, 46. The flip of 46 is 64, which is 18 units apart from 46. 18 just happens to be 2 nines added together, where the 2 comes from the difference between 4 and 6. You can try this – it will work for all numbers from 11 to 99. I did some checking, and it is astonishing that in this day of Google I could not find this puzzle mentioned anywhere. A point to note: Dean Lane, who runs Office of the CIO and is a partner to my firm UGovernIT, Inc., pointed out that the resulting differences 36 and 18 also relate to 9: the digits 3+6 and 1+8 also add up to nine.
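As an added worked example (not part of the original post), here is the algebra behind the puzzle, with a check over every number from 11 to 99. It also covers the one edge case the post does not mention: palindromes such as 11 or 22, whose difference is 0.

```python
# Added example: why the two-digit "flip" puzzle works.
# Write a two-digit number as 10a + b (a = tens digit, b = units digit).
# Its flip is 10b + a, so
#     (10a + b) - (10b + a) = 9a - 9b = 9 * (a - b).
# The difference is always a multiple of 9, and the multiplier is exactly
# the gap between the two digits, as the post observes for 37 and 46.


def flip(n: int) -> int:
    """Reverse the digits of a two-digit number (37 -> 73)."""
    tens, units = divmod(n, 10)
    return 10 * units + tens


def nines_in_difference(n: int) -> int:
    """Return k such that |n - flip(n)| == 9 * k; k equals |tens - units|."""
    diff = abs(n - flip(n))
    assert diff % 9 == 0  # guaranteed by the algebra above
    return diff // 9


def digit_sum(n: int) -> int:
    return sum(int(d) for d in str(n))


def check_puzzle(lo: int = 11, hi: int = 99) -> dict:
    """Check both observations from the post over the whole range.

    Counts numbers where (1) the number of nines equals the digit gap and
    (2) the digits of the difference sum to 9.  Palindromes (11, 22, ...)
    are the edge case: their difference is 0, so (1) holds with k = 0 but
    (2) does not, since 0 has digit sum 0, not 9.
    """
    stats = {"checked": 0, "nines_match": 0, "digit_sum_nine": 0, "palindromes": 0}
    for n in range(lo, hi + 1):
        tens, units = divmod(n, 10)
        stats["checked"] += 1
        if nines_in_difference(n) == abs(tens - units):
            stats["nines_match"] += 1
        if digit_sum(abs(n - flip(n))) == 9:
            stats["digit_sum_nine"] += 1
        if tens == units:
            stats["palindromes"] += 1
    return stats


if __name__ == "__main__":
    print(nines_in_difference(37), nines_in_difference(46))  # 4 2
    print(check_puzzle())
```

For the 80 non-palindromes the difference is 9k with k from 1 to 8 (9, 18, ..., 72), all of which have digit sum 9, so Dean Lane's observation holds everywhere except the nine palindromes.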

Others may have discovered this small numerological wonder, but the message for me was very simple. There is still so much to discover even with small data. When everyone is jumping to understand Big Data, we should not forget that case studies and qualitative data analysis are also very pertinent to decision making.

Written by Subbu Murthy

September 11, 2014 at 8:32 pm

Posted in Analytics