The news of the data security breach at Target was delivered to the world by a blog that focuses on information security. The revelation occurred in December 2013, and it sent shockwaves across Target’s associates and customers all over the world. Target is a multinational retail chain of stores. In the United States, Target is the second largest retail store and it has close to 1,800 stores across the country. At the height of the revelations about the data security breach at Target, it became clear that thousands of customers of the big-box retailer had had their credit card data exposed.
In the Target security breach, the hackers focused on the crucial information that is stored in the magnetic strip of the credit cards. Nevertheless, it is not precisely clear for how long the Target stores remained vulnerable to the data security breach. The Target security breach mostly affected customers within the United States. As a mitigation method, Target agreed that their customers’ data had been exposed to a security breach in the busy shopping period that falls between Thanksgiving and Christmas (Stanwick 23).
Overall, it was estimated that the Target security breach affected over seventy million customers. Preliminary reports also indicated that the attackers utilized malware that was installed into the retailer’s network system. However, one of the most worrying trends in the Target security breach was that the compromised data also included customers’ PIN numbers. The Target security breach showed that even data collected through physical shopping, as opposed to online purchases, can have devastating implications. This paper explores the Target information security failure, its mechanics, and its implications for data management.
There were wild speculations about how the attack on Target was precisely carried out. For most people, physical point of sale (POS) systems appeared to be exempt from data security breaches because of their simplistic nature. However, POS systems around the world operate under a certain set of guidelines that are meant to safeguard customer data. Furthermore, the payment industry is already aware of the sensitivity of the information that is swapped through POS systems. The Target security breach proved that all data is susceptible to attacks.
Later on, investigations revealed that the individuals who were behind the Target data security breach did not rely on complicated mechanisms to carry out their mission. Investigations indicate that the hackers who stole customer data at Target purchased malware from an open website and used it to hack into Target’s systems. The hackers also took time to infiltrate and explore Target’s systems before they found a method through which they could collect customer data. This process took a few weeks, thereby raising questions as to how the retail store’s systems were not able to detect the infiltration.
The main concern throughout the information security breach touches on the functionality of the firewalls and other internet security systems at Target. It is a general assumption that any unauthorized entry into a network resource can easily be detected by firewalls and other security checks. However, further investigations reveal that the attack was unnoticeable because the attackers gained entry into the network through port 80. According to protocol, port 80 is often left unmanned for use by internet traffic. Consequently, the Target information security system did not perceive the hackers’ entry as a threat (Tipton and Choi 60). The vulnerability that was exploited by the hackers provides companies with an opportunity to seal similar loopholes.
One critical control that could have been employed in the course of the Target information security breach is security training for employees. This critical control would have combated the attackers’ reconnaissance. Target would have sensitized its employees about the dangers of sharing too much information with outsiders. It is quite likely that the attackers who gained access into the Target network disguised themselves as employees using information from genuine Target employees.
Another critical control that would have been applicable to Target’s case is malware defenses. Malware defenses would have been applicable to Target’s case because they would have eliminated the risk that comes with company-vendor interactions (Tipton and Choi 60). Controlled access is another critical control measure that would have been useful in preventing the attackers’ entry and subsequent reconnaissance into Target’s networks.
For a company that is as big as Target, boundary defenses are a critical control that would eliminate the security risk that comes with openly accessible port 80. Yet another critical control that is useful to this scenario is account monitoring and control to avoid situations where a hacker uses vendor credentials to gain access into a network. Another critical control that would have been essential in preventing hackers from exploiting vendor portals is making sure that all outside devices are secured.
These devices include laptops, smart phones, servers, and workstations. The attack would also have been prevented using controlled privileges. Controlled privileges would have prevented the hackers from using administrative powers to bypass access checks. Maintenance, analysis, and monitoring logs would have enabled administrators at Target to take note of anomalies within their network. This critical control would also have been accompanied by secure network engineering.
Another critical control that would have been useful in preventing the security breach is account monitoring and control. Account monitoring and control would have catered for the vulnerabilities that often accompany faulty domain controllers. Investigations have revealed that malware was instrumental in orchestrating the security breach at Target. Consequently, a critical control that requires administrators to make an inventory of all unauthorized and authorized software might have prevented the security breach at Target. The same problem would have been avoided by ensuring that all hardware and software had appropriate authentication measures in place.
Data protection controls would have ensured that critical credit card information was not swappable through simple software manipulation. In addition, application software security would have prevented hackers from gaining access to customer card information. Target could also have instituted data protection policies that would have alerted administrators any time data left the company in clear text. Another critical control that would have been practical to the situation is continuous vulnerability assessment and remediation.
This critical control is essential in preventing FireEye alerts from being ignored in the course of network security. Another universal critical control that could remedy the effects of a security breach that involves credit card information is data protection through chip and PIN technology (Gray and Ladig 60). Cards that use chip and PIN technology cannot be cloned and used in other locations.
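The data protection policy described above, which alerts administrators whenever card data leaves the company in clear text, can be illustrated with a short Python example. It is added here for illustration and is not part of the original case study or of any Target system; the function names and the sample egress records are constructed, and the patterns assume the standard ISO/IEC 7813 magnetic stripe track layouts.

```python
import re

# Track 2: ;PAN=YYMM + 3-digit service code + discretionary data, ending in ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")
# Track 1: %B PAN ^ cardholder name ^ YYMM + service code + discretionary data ?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 / last 4 digits so the alert does not itself leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_payload(payload: bytes) -> list:
    """Return one alert per clear-text track record found in an outbound payload."""
    text = payload.decode("latin-1")   # never fails: bytes map 1:1 to characters
    alerts = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):
                alerts.append({"track": name, "pan": mask(m.group(1)),
                               "offset": m.start()})
    return alerts

# Constructed sample egress records (destination, payload); addresses are from
# documentation ranges and 4111111111111111 is a widely used test card number.
SAMPLE_EGRESS = [
    ("203.0.113.10:80", b"batch=7\n;4111111111111111=25121010000000000000?\n"),
    ("203.0.113.10:80", b"%B4111111111111111^DOE/JANE^25121010000000000?"),
    ("198.51.100.5:80", b"order;1234567890123456=2512101?"),  # fails Luhn
    ("198.51.100.5:80", b"GET /index.html HTTP/1.1\r\n"),
]

def egress_alerts(records):
    return [(dst, a) for dst, payload in records for a in scan_payload(payload)]

if __name__ == "__main__":
    for dst, alert in egress_alerts(SAMPLE_EGRESS):
        print(dst, alert)
```

A check like this only sees traffic it can read, so it belongs at a point where outbound data is inspected before any encryption is applied.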
CIA Triad and Target Breach
Confidentiality, integrity, and availability (CIA) of data “is a model that is designed to guide policies for information security within an organization” (Kadivar 67). The three terminologies account for specific aspects of data where confidentiality limits right of entry to information, integrity provides guarantees that transmitted data can be trusted, and availability makes information available to the relevant people. The CIA of the data can be safeguarded by the controls that are listed above in a number of ways.
First, the security skills and assessment skills training help safeguard the confidentiality of data. For instance, the training would help in sensitizing Target employees against sharing too much information with outsiders. Consequently, the privacy of Target’s data is maintained when only the right people have critical information concerning data. Another critical control that can be used to safeguard the confidentiality of data is controlling access to data and making sure it is only transmitted on a ‘need to know’ basis.
For example, making too much information available to vendors can compromise its confidentiality. On the other hand, Target should monitor how much information about its network systems is available to the public. From this knowledge, the company can update its systems accordingly.
The integrity of information can be safeguarded using various critical controls. First, boundary defense can be used to ensure vendors and their affiliates do not tamper with information without supervision. Second, malware defense controls ensure that vendors are required to institute commercial security precautions before accessing the parent network. Vendor portals were instrumental in orchestrating the network attack on Target because they were largely unrestricted at the time. The attackers used these portals to install malware that compromised the integrity of information that was handled across the network. It is also critical to ensure that vendors take their staff through training on data handling. This critical control also ensures the integrity of data in a network system.
Availability of data in a network can be ensured through ‘misconfigured’ systems in the form of hardware and software. The critical measure that can guarantee the availability of data to the relevant people is “ensuring secure configurations for hardware and software on mobile devices, laptops, workstations, and servers” (Kadivar 30). This critical control eliminates weaknesses that might allow unauthorized access to network resources. Another critical control that might be useful in ensuring the availability of data is account monitoring and control. Monitoring accounts ensures that profiles are monitored to determine if their behaviors and patterns are normal to the network. Consequently, data should only be available to the right people and at the right times.
Recommendations to Target
The attack on Target revealed that hackers have the capacity to infiltrate data from complex and large retail establishments. My advice to Target is that the company should ensure that the complexity of the retailer’s network is simplified through adequate protocols. Consequently, vulnerable entry points into the network should be few and restrictive. Furthermore, Target should not rely on ‘standard’ network security measures to secure its data.
For instance, the hackers used open market standard malware to infiltrate Target’s data resources. Target is a multinational company that has the capacity to institute ‘non-vendor’ network-security measures. Another recommendation for Target is that the company should be in the habit of hiring outside professionals to assess its network vulnerabilities. For example, experts were aware of software that could be used to collect credit card data but none of Target’s employees were aware of it.
Gray, Dahli, and Jessica Ladig. “The Implementation of EMV Chip Card Technology to Improve Cyber Security Accelerates in the US Following Target Corporation’s Data Breach.” International Journal of Business Administration 6.2 (2015): 60-61. Print.
Kadivar, Mehdi. Entity Relationship Diagram Approach to Defining Cyber-attacks, Mississippi: Carleton University, 2015. Print.
Stanwick, Peter. “A Security Breach at Target: A Different Type of BullsEye.” International Journal of Business and Social Science 5.12 (2014): 23-25. Print.
Tipton, Stephen, and Young Choi. “The Target Security Breach: A Case Study.” International Journal of Business Administration 6.2 (2014): 59-60. Print.