A Practical Approach for IT Governance

What went wrong at Target and Home Depot?


Security breach at Target which affected 70 million customers involving 40 million cards was seemingly dwarfed by the breach at Home Depot.

More than two weeks after Home Depot’s cyber-attack was first discovered, the retailer said today that the payment data breach exposed 56 million credit and debit cards.

The company said the breach has been contained and the malware responsible eliminated.

The malware was custom-built to evade detection and, contrary to earlier reports, had not been seen in other breaches, the company said. Who is to blame? Target CIO Beth Jacob resigned, and it is very likely that pressure will mount on Matt Carey, CIO at Home Depot. Both have an excellent background in running IT and understanding the business, but failures of this magnitude claim many a CXO. In fact, at Target even the CEO was forced to resign. Holding the CIO solely responsible is just politics. It is critical to identify the root causes before pointing fingers.

Would good governance have saved these firms? Was it a preventable issue such as an architecture flaw? Was it over-reliance on vendors who were not qualified? Was it reliance on old-school security techniques, with no emphasis on data analysis or analytics that might have shown trends? It was clearly not a compliance issue, as both Target and Home Depot were PCI compliant and do not store raw credit card information in the database.

In an excellent analysis of the Target debacle in CIO Magazine, the authors identified 11 steps that the attackers took:

  • Step 1: Install Malware that Steals Credentials
  • Step 2: Connect Using Stolen Credentials
  • Step 3: Exploit a Web Application Vulnerability
  • Step 4: Search Relevant Targets for Propagation
  • Step 5: Steal Access Token from Domain Admins
  • Step 6: Create a New Domain Admin Account Using the Stolen Token
  • Step 7: Propagate to Relevant Computers Using the New Admin Credentials
  • Step 8: Steal 70 Million PII. Do Not Find Credit Cards
  • Step 9: Install Malware. Steal 40 Million Credit Cards
  • Step 10: Send Stolen Data via Network Share
  • Step 11: Send Stolen Data via FTP

The common link seems to be malware, but the question is: could something have been done about it? Even more important, who else are the targets? Walmart? I hope not, for the current CIO at Home Depot came from Walmart.
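Steps 5 to 7 above are where basic log analytics could have surfaced a trend: a freshly created account landing in Domain Admins within minutes. The Python below is an added example, not code from this post or from either retailer; it correlates constructed, simplified audit records (the Windows event IDs 4720 and 4728 are real, while the account and actor names, timestamps and CSV layout are made up) and flags accounts that are elevated within a short window of being created.

```python
"""Added example: correlate account creation with privileged-group membership.
Sample records are constructed; they are not Target or Home Depot logs."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit records (time, Windows event id, actor, target, group).
# 4720 = user account created, 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = """\
time,event_id,actor,target,group
2014-09-01 02:10:11,4720,svc_backup,new_admin01,
2014-09-01 02:11:40,4728,svc_backup,new_admin01,Domain Admins
2014-09-01 09:30:00,4720,helpdesk1,jsmith,
2014-09-02 14:05:00,4728,it_admin,jsmith,Domain Admins
2014-09-01 03:00:00,4728,svc_backup,tsmith,Remote Desktop Users
"""


def flag_fast_privileged_accounts(csv_text, window=timedelta(hours=1),
                                  privileged_groups=("Domain Admins",)):
    """Return (account, actor, minutes) for each account that was created (4720)
    and added to a privileged group (4728) within `window`. Legitimate onboarding
    normally goes through change control and takes longer, so a short gap is
    worth a review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Audit feeds are rarely in order, so sort by timestamp before correlating.
    rows.sort(key=lambda r: datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"))
    created = {}   # account -> (creation time, creating actor)
    hits = []
    for row in rows:
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event_id"] == "4720":
            created[row["target"]] = (ts, row["actor"])
        elif row["event_id"] == "4728" and row["group"] in privileged_groups:
            if row["target"] in created:
                gap = ts - created[row["target"]][0]
                if timedelta(0) <= gap <= window:
                    hits.append((row["target"], row["actor"],
                                 int(gap.total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for account, actor, minutes in flag_fast_privileged_accounts(SAMPLE_EVENTS):
        print(f"REVIEW: {account} elevated by {actor} {minutes} min after creation")
```

The default one-hour window is an assumption; tune it to the organisation's normal provisioning lead time so routine onboarding does not drown the alert.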

Written by Subbu Murthy

September 18, 2014 at 7:47 pm
