My Projects
I am dealing with many different tasks and projects now as I am going through my Master's program.
Here is the analysis of the Home Depot Data Breach in 2014 as an example of such a project:
INTRODUCTION
The data breach at Home Depot happened just a few months after a similar attack on Target. In December 2013 Target disclosed that around 40 million payment cards of its customers had been compromised by hackers (Krebs, 2014).
Obviously, every company in the industry was aware of that situation, but in April 2014 a group of hackers managed to steal an even bigger number of payment card credentials from Home Depot, and the company only detected the intrusion in September 2014 (Elgin et al., 2014). So, for a period of 5 months, sensitive information such as customers' credit and debit card details and their email addresses was being constantly mined by the hackers without being detected (Banjo, 2014).
Overall, the hackers stole information about 56 million payment cards and 53 million customer email addresses (Banjo, 2014). According to Poyraz et al. (2020), this breach cost Home Depot around $340 million.
The irony of the Home Depot breach was that its executives were confident that they had taken all the necessary measures to prevent a breach similar to the one that happened at Target. In April 2014, when the hackers intruded into the company's network without being detected, Home Depot was finishing a corporate document on responding to breach incidents (Banjo, 2014).
Rosenblum (2014) claims that Home Depot complied with the Payment Card Industry Data Security Standard (PCI DSS). There is reason to doubt this, considering that its monitoring system could not detect any suspicious activity for such a long time. There was also a lack of encryption in place, which made it possible for the hackers to steal the data. Besides that, compliance might be achieved at the point in time when an assessment takes place, but it is not a static thing, and it needs to be sustained.
TECHNIQUES USED BY THE HACKERS
First, the hackers acquired the credentials of a Home Depot vendor (The Home Depot Reports Findings in Payment Data Breach Investigation, 2014). This could have been the result of a phishing attack (Winter, 2014). Those credentials allowed them to access the environment of a peripheral third-party vendor system.
After that, the attackers took advantage of a zero-day vulnerability in Microsoft's Windows operating system (Hawkins, 2015), which was most likely installed on a server, according to Rosenblum (2014). The patch for this vulnerability was issued only after the attack had happened, so it allowed the hackers to get access to the main computer network. They were also able to elevate their rights in the system (The Home Depot Reports Findings in Payment Data Breach Investigation, 2014).
From that point, the attackers were able to act in Home Depot's systems as if they were company employees with high-level permissions (Banjo, 2014). From the reference names of the self-checkout terminals in the computer system, the hackers could clearly see that they were payment terminals, which made them an easy target. The standard registers were named only by their number, so those devices avoided being hacked (Banjo, 2014).
The hackers' next step was installing memory-scraping malware on those self-checkout POS terminals (Hawkins, 2015). When a payment card was swiped through an infected terminal, its details sat in clear text in the random-access memory (RAM) of the POS device, and the malware could read those details from RAM. Once captured, the information was silently exfiltrated to the attackers' servers (Hawkins, 2015).
The malware infection went unnoticed for months, so all this time the hackers were mining customer information and payment card details (Banjo, 2014). The malware was designed to delete its own traces, which helped it remain undetected by the antivirus software. The data was exfiltrated during regular business hours, so that activity did not look suspicious to the company's IT security team (Banjo, 2014).
In September 2014 the stolen data, containing card details and emails, was put up for sale on the dark web and was bought there by cybercriminals known as carders (Hawkins, 2015).
WEAKNESSES IN HOME DEPOT'S NETWORK
Hawkins (2015) highlights the following technological weaknesses in Home Depot information security management:
- The company's technical specialists did not pay attention to an important antivirus feature called "Network Threat Protection" (Elgin et al., 2014). The company's network was regularly scanned by the antivirus solution Symantec Endpoint Protection (SEP), but the function that checks for network threats was simply not switched on. This feature could have helped to prevent the breach, but the company failed to protect itself.
- There was no point-to-point (P2P) encryption at the moment of the swipe, so the recorded payment card information was not protected. Home Depot started to implement P2P encryption after the Target breach but did not finish the process before the company itself was attacked. Without encryption, the unprotected data became a target for the hackers.
- Home Depot had an outdated operating system on its POS terminals. It was Windows XP Embedded SP3 (Hawkins, 2015), and this operating system was known for quite weak memory protection, which made it possible for hackers to use the RAM-scraping technique (Sjouwerman, 2014).
- There was no appropriate network segregation between the POS network and the company's main corporate network. If the company had had such segregation in place, it would have been much harder for the hackers to install the malware in the POS environment and to exfiltrate data from there.
- The company did not have a vulnerability management program. Monthly scans of the POS environment could have detected the gaps in this environment, and that could have helped to prevent the breach before it happened.
- There were no appropriate monitoring capabilities. Having such capabilities in place would not have let the breach remain undetected for months, as happened in Home Depot's case, and the damage could have been much smaller.
The security procedure that Home Depot lacked, according to Hawkins (2015), was proper management of third-party vendor identities and access. Vendors should be allowed only minimal access, but in Home Depot's situation the vendor's rights were enough to make it possible for the hackers to exploit the vulnerability in Microsoft Windows.
SUITABLE STANDARDS AND FRAMEWORKS TO PREVENT A BREACH
PCI DSS is an essential information security standard for the retail industry. Depending on the number of transactions per year, each merchant is obliged to follow it at a certain level. Big retailers like Home Depot certainly belong to Level One, where their information security system must be assessed by a certified specialist.
PCI DSS requires that all payment card data is encrypted both in transit and at rest. This helps to protect against unauthorized access to cardholder data. The standard also mandates that retailers use secure network controls, such as firewalls, to protect against unauthorized access and attacks. To comply with the standard, retailers must also have a plan in place to respond to security incidents, including data breaches. This aims to minimize the impact of breaches and prevent future incidents. Another requirement of the standard is that access to cardholder data is restricted to authorized personnel only. This helps prevent insider threats and unauthorized access to sensitive data.
However, merely following the standard formally, for the sake of being considered compliant with the regulations, was not enough once companies in the industry were being targeted by hackers. Since protecting the network perimeter became insufficient to provide security, businesses needed to pay more attention to detection and response. One of the extra practices that retailers could implement for detection purposes is called a "honey pot" (Rosenblum, 2014). As discussed above, in Home Depot's case the descriptive naming of devices played in favor of the hackers. This can be a way to trap them too, though, if a company creates a fake server with a name that would look attractive to hackers. Any access to this fake server is a red flag that requires proper investigation by the company's information security specialists.
Implementation of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) can also be beneficial for preventing data breaches in the retail industry in many ways. It provides a common language and a structure for organizations to understand and manage their cybersecurity risks, which can help retailers to identify and prioritize risks to their operations and systems. The three components of NIST CSF are the Core, the Implementation Tiers and the Profiles. This framework is designed to be flexible and adaptable to different organizations and sectors, so retailers can tailor the framework to meet their specific needs by choosing the appropriate Profile, and use it as a starting point for developing their own cybersecurity programs.
The Core of this framework has five functions: Identify, Protect, Detect, Respond, Recover. The emphasis of these functions is on the need for ongoing monitoring and continuous improvement of cybersecurity programs, so each company’s program should be regularly updated to keep up with new threats and risks. The framework also encourages collaboration and information sharing among organizations, which can help retailers to learn from the experiences of others and stay up to date on emerging threats and trends in the industry.
SECURITY CONTROLS TO INTRODUCE AFTER THE BREACH
Establishing a secure configuration for both software and hardware is crucial for safeguarding any environment, particularly those that handle sensitive data. According to Hawkins (2015), the following technical security controls should be introduced in Home Depot to protect it from future breaches:
- The company needs to make sure that its POS devices have a current, supported operating system. This is essential for hardening a corporate system and helps to avoid vulnerabilities related to operating systems.
- The antivirus software must be up to date and must include a Host-based Intrusion Prevention System (HIPS). That would provide an extra layer of defense against penetration of the POS network.
- POS terminals using outdated technology need to be replaced by ones using P2P encryption. They provide strong protection: payment card data cannot be stolen unless a payment card skimmer is installed on a terminal.
- POS devices need to have only the essential ports and services. All unnecessary ones must be disabled to minimize the risk, as any open port or running service, such as NetBIOS, represents a potential vulnerability that could be exploited by an attacker.
- POS registers also need software that can detect the insertion of a USB device into the register, in case someone is able to bypass the other security measures. Such events require investigation by the company's security specialists.
- Network segregation needs to be implemented. To ensure security, the POS system should operate within a separate virtual local area network (VLAN) and have limited communication with the company's primary network. Step one is to create a private VLAN for the POS network. Step two is to configure the network device responsible for the VLAN to enforce access restrictions between the POS and corporate networks. Finally, the corporate firewall should restrict all outbound Internet access from the POS network and permit connections only for essential functions. These steps would help to limit the potential for attackers to use the POS system as a gateway into the corporate network, as well as reduce the risk of data exfiltration from the POS system. Segregation also helps to protect against malware infections.
- There must be a capability to forward network or host activity to a Security Information and Event Management (SIEM) system. It is crucial to have a SIEM in place because it can collect event logs from various sources such as Windows hosts, the Domain Controller, antivirus, DNS, the firewall, and other networking devices. This provides real-time visibility into the POS environment's activity, allowing security teams to create alerts within the SIEM that notify them of any suspicious or malicious activity.
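The segregation and SIEM items above, together with the honey pot idea from the standards section, can be expressed as concrete alert rules. The following is an added example written for this page, not code from the original analysis or from Hawkins' paper: it parses a few constructed firewall connection log lines and flags three things a SIEM rule set for a segregated POS VLAN would catch: POS devices connecting anywhere other than an allow-listed destination, corporate hosts other than the designated management host reaching into the POS VLAN, and any host touching the decoy server. The subnets, addresses, port numbers, log format and decoy name are all assumptions made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed network layout (constructed for the example, not taken from the case study)
POS_VLAN = ipaddress.ip_network("10.20.0.0/24")        # private VLAN for POS terminals
CORP_NET = ipaddress.ip_network("10.10.0.0/16")        # corporate network
MGMT_JUMP_HOST = ipaddress.ip_address("10.10.1.5")     # only corporate host allowed into the POS VLAN
ALLOWED_POS_EGRESS = {                                 # "essential functions" the POS VLAN may reach
    (ipaddress.ip_address("203.0.113.10"), 443),       # payment processor (assumed)
    (ipaddress.ip_address("10.10.5.20"), 8530),        # internal patch server (assumed)
}
HONEYPOT_HOSTS = {ipaddress.ip_address("10.10.9.99")}  # decoy advertised as "POS-CARD-DB" (assumed)

# Constructed log format: "<timestamp> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)

# Constructed sample log lines; each line is one connection attempt seen by the firewall
SAMPLE_LOGS = [
    "2014-04-20T10:15:02 ALLOW 10.20.0.15:49152 -> 203.0.113.10:443 tcp 1200",   # normal: payment processor
    "2014-04-20T10:15:40 ALLOW 10.20.0.15:49153 -> 10.10.5.20:8530 tcp 800",     # normal: patch server
    "2014-04-20T11:02:11 ALLOW 10.20.0.15:49160 -> 198.51.100.7:443 tcp 540000", # POS to unknown host in business hours
    "2014-04-20T11:05:00 ALLOW 10.10.3.44:51000 -> 10.20.0.15:445 tcp 4096",     # corporate host into POS VLAN
    "2014-04-20T11:06:30 ALLOW 10.10.1.5:52000 -> 10.20.0.15:3389 tcp 2048",     # management host: permitted
    "2014-04-20T11:09:12 DENY 10.10.3.44:51010 -> 10.10.9.99:1433 tcp 60",       # someone probing the decoy
    "this line is not in the expected format",                                   # must be skipped, not crash
]


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    fields["bytes"] = int(fields["bytes"])
    return fields


def evaluate(event):
    """Apply the three rules to one parsed event; a single event can trigger several rules."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    dport = event["dport"]
    alerts = []
    # Rule 1: POS devices may only talk to other POS devices or to the allow-listed destinations.
    # This fires on ALLOW events as well, because a permitted-but-unexpected flow is exactly the
    # kind of traffic that blended into business hours in the case study.
    if src in POS_VLAN and dst not in POS_VLAN and (dst, dport) not in ALLOWED_POS_EGRESS:
        alerts.append(Alert("pos_egress_violation", event["ts"], event["src"], event["dst"], dport))
    # Rule 2: only the management host may initiate connections into the POS VLAN.
    if src in CORP_NET and dst in POS_VLAN and src != MGMT_JUMP_HOST:
        alerts.append(Alert("unexpected_access_to_pos", event["ts"], event["src"], event["dst"], dport))
    # Rule 3: nothing legitimate ever connects to the decoy, so any attempt is a red flag.
    if dst in HONEYPOT_HOSTS:
        alerts.append(Alert("honeypot_access", event["ts"], event["src"], event["dst"], dport))
    return alerts


def run_detection(lines):
    """Run the rules over raw log lines and return the alerts in log order."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable line: skipped rather than aborting the whole batch
        alerts.extend(evaluate(event))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.rule}: {alert.src} -> {alert.dst}:{alert.dport}")
```

Rule 1 deliberately alerts on allowed traffic as well as denied traffic: the firewall policy is the preventive control, while the SIEM rule is the detective control that tells the team when the policy and reality disagree. Rule 3 assumes the decoy is excluded from every legitimate process (backups, inventory scans), otherwise the alert becomes noise.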
When it comes to procedural security controls, the recommendations are these:
- A company should activate automatic updates on all POS devices and follow patch management best practices to keep them up to date with the latest patches. This is required for PCI compliance, and it helps to deal with the vulnerabilities of an operating system.
- Proper password and account policies should be set on all POS devices to ensure that they are secure and protected.
- Regular security awareness training should be provided for staff, and controls should be implemented to prevent the installation of skimmers.
- A vulnerability management program should be established, including monthly vulnerability scans of the POS environment, to identify and mitigate any security gaps before they can be exploited.
- The organization needs to have a reliable and fine-tuned system for identity and access management. All company employees and external third-party vendors need to have strong passwords that are not easy to guess. Multi-factor authentication can help to make the authentication process more secure and to limit the impact of phishing. Third-party vendors should have only the minimal access necessary to the information they need.
- The company needs to have procedures for reviewing accounts, specifically third-party vendor accounts, and to audit them regularly to detect abnormal behavior.
- The company should keep up to date with news about breaches in the industry and take action accordingly. For example, the Home Depot breach could have been prevented if the company had learned from the similar Target breach and taken action to encrypt card data at payment terminals sooner.
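The two account-related items above (minimal vendor access and regular review of vendor accounts for abnormal behaviour) are easiest to keep up when the review is a repeatable script rather than a manual exercise. The block below is an added example, not code from the original page or from any of its sources: it takes a constructed access policy for vendor accounts, a constructed directory export and a constructed authentication log, and reports accounts holding groups beyond what their contract allows, successful logins from networks the vendor has never used, and accounts that have been idle long enough that they should be disabled. Account names, group names, networks, timestamps and the 90-day idle threshold are all assumptions made up for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed access policy: what each vendor account is allowed to hold, and where it normally comes from
VENDOR_POLICY = {
    "svc-hvac-vendor": {
        "allowed_groups": {"HVAC-Portal-Users"},
        "known_networks": [ipaddress.ip_network("198.51.100.0/24")],
    },
    "svc-logistics-vendor": {
        "allowed_groups": {"Logistics-Portal-Users"},
        "known_networks": [ipaddress.ip_network("203.0.113.0/25")],
    },
}

# Constructed directory export: current group membership and last logon of each vendor account
DIRECTORY_SNAPSHOT = [
    {"account": "svc-hvac-vendor",
     "groups": {"HVAC-Portal-Users", "Domain Admins"},      # a privileged group the contract never granted
     "last_logon": "2014-04-20T09:12:00"},
    {"account": "svc-logistics-vendor",
     "groups": {"Logistics-Portal-Users"},
     "last_logon": "2013-12-02T16:40:00"},                   # untouched for months
]

# Constructed authentication log: (timestamp, account, source IP, outcome)
AUTH_EVENTS = [
    ("2014-04-18T08:05:00", "svc-hvac-vendor", "198.51.100.23", "success"),
    ("2014-04-20T02:47:00", "svc-hvac-vendor", "192.0.2.77", "success"),   # never-seen network
    ("2014-04-20T09:12:00", "svc-hvac-vendor", "198.51.100.23", "success"),
    ("2014-04-21T11:00:00", "svc-logistics-vendor", "203.0.113.40", "failure"),
]


def find_excess_privileges(snapshot, policy):
    """Accounts holding groups beyond their allowed set: (account, sorted extra groups)."""
    findings = []
    for entry in snapshot:
        allowed = policy.get(entry["account"], {}).get("allowed_groups", set())
        extra = entry["groups"] - allowed
        if extra:
            findings.append((entry["account"], sorted(extra)))
    return findings


def find_new_source_logins(events, policy):
    """Successful logins from a network the vendor has never used before: (ts, account, src)."""
    findings = []
    for ts, account, src, outcome in events:
        if outcome != "success" or account not in policy:
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in policy[account]["known_networks"]):
            findings.append((ts, account, src))
    return findings


def find_stale_accounts(snapshot, as_of, max_idle_days=90):
    """Accounts whose last logon is older than the idle threshold; candidates for disabling."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [e["account"] for e in snapshot
            if datetime.fromisoformat(e["last_logon"]) < cutoff]


def audit_vendor_accounts(snapshot, events, policy, as_of):
    """Run all three checks and return their findings together."""
    return {
        "excess_privileges": find_excess_privileges(snapshot, policy),
        "new_source_logins": find_new_source_logins(events, policy),
        "stale_accounts": find_stale_accounts(snapshot, as_of),
    }


if __name__ == "__main__":
    report = audit_vendor_accounts(DIRECTORY_SNAPSHOT, AUTH_EVENTS, VENDOR_POLICY,
                                   as_of=datetime(2014, 5, 1))
    for check, findings in report.items():
        print(f"{check}: {findings}")
```

The privilege check is the least-privilege item made testable: the contract (the policy) is the source of truth, and anything the directory shows beyond it is a finding to remove, not to document. The new-source check is intentionally simple; in a real review the known networks would be learned from a baseline period and then frozen, so that a credential used from an unfamiliar place stands out the way the vendor logon in the case study should have.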
LESSONS LEARNED
The number one lesson from the Home Depot data breach is to be proactive in ensuring a company's network security. It is not always enough just to follow the PCI standard procedures.
The second lesson is to react to news about potential threats without delay. After the attack on Target, Home Depot started a project to encrypt customers' card data, but it was not finished even by September 2014 (Banjo, 2014). If they had managed to do that fast enough, the breach could have been avoided. The situation with Target was an opportunity for other companies to learn and to prevent the same thing from happening again and again, but many of them did not take this threat seriously enough.
The third lesson is that companies with billion-dollar turnovers should not be too greedy when planning budgets for updating equipment that has shown itself to be no longer secure enough. It is hard to accept big expenses when nothing has happened yet, but, like insurance costs, this is essential in order to manage risk effectively. Magnetic stripes were known to be an outdated technology, but the cost of equipment for chip-and-PIN cards seemed too high to companies in the industry before many of them faced the costs of dealing with data breaches. Eventually Home Depot had to install that equipment anyway, and besides that had to deal with the financial and reputational losses that followed the breach (Cronan, 2014).
Other important lessons are to plan the response to incidents, to have backup infrastructure to keep the business running even when a breach happens, and to have the other components of a Business Continuity Plan in place. In Home Depot's case, they had to urgently buy a couple of dozen new iPhones and MacBooks for their executives (Banjo, 2014), so that they could be confident that at least this environment was safe.
A business needs to make sure that there are appointed teams that respond to incidents and that develop strategies and plans for avoiding them (an Incident Response Team and an Incident Management Team, respectively).
An Incident Response Plan (IRP) should be prepared in advance and should describe a set of actions: how the company identifies an incident and its type, how to contain and escalate it depending on the type, and how to find and remove the source of the problem. It is also important to cover such topics as how to notify the victims and how to follow up with them with all the necessary information and services.
When a data breach happens, companies obviously need to publicly express their attitude to the incident and its victims. Kim et al. (2017) analyze the possible response strategies of businesses, such as providing an apology or an expression of regret, denial (shifting the blame), compensation/corrective action, and others. Depending on the circumstances of the incident, a certain type of response (or a combination of them) must be chosen. For example, Home Depot addressed the needs of the victims by offering them 12 months of identity protection services as compensation, and that was found to be a good solution for restoring customer loyalty (Hoehle et al., 2021). Some customers were also given $50 gift cards as a sign of appreciation for their loyalty (Winter, 2014), which was another form of compensation.
After the incident has been eradicated and the business is back to functioning as normal, a proper analysis of the lessons learned must be done, along with a list of the necessary adjustments to make sure that the same problem will not happen to the company again.
CONCLUSION
The analysis of the Home Depot data breach in 2014 shows that even big, established companies often do not pay enough attention to security issues. When the industry hears news about other businesses being hacked, all the other companies must learn from that news and act immediately to make their information systems more secure at any cost. The costs of dealing with a breach can be very substantial, but besides that, a company will have to go through negative publicity, loss of clients, litigation, etc.
REFERENCES
Banjo, S. (2014, November 7). Home Depot Hackers Exposed 53 Million Email Addresses. WSJ. https://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282?mod=djemalertNEWS
Cronan, B. (2014, September 19). Home Depot breach hits 56 million cards. Why do hacks keep happening? The Christian Science Monitor. https://www.proquest.com/newspapers/home-depot-breach-hits-56-million-cards-why-do/docview/1564001192/se-2
Elgin, B., Riley, M., & Lawrence, D. (2014, September 18). Home Depot Hacked After Months of Security Warnings. Bloomberg. https://www.bloomberg.com/news/articles/2014-09-18/home-depot-hacked-after-months-of-security-warnings#xj4y7vzkg
Hawkins, B. (2015, October 27). Case Study: The Home Depot Data Breach. https://www.sans.org/white-papers/36367/
Hoehle, H., Wei, J., Schuetz, S., & Venkatesh, V. (2021). User compensation as a data breach recovery action: a methodological replication and investigation of generalizability based on the Home Depot breach. Internet Research, 31(3), 765–781. https://doi.org/10.1108/intr-02-2020-0105
Kim, B., Johnson, K., & Park, S. (2017). Lessons from the five data breaches: Analyzing framed crisis response strategies and crisis severity. Cogent Business & Management, 4(1), 1354525. https://doi.org/10.1080/23311975.2017.1354525
Krebs, B. (2014, May 6). The Target Breach, By the Numbers. https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
Poyraz, O. I., Canan, M., McShane, M. J., Pinto, C., & Cotter, T. S. (2020). Cyber assets at risk: monetary impact of U.S. personally identifiable information mega data breaches. Geneva Papers on Risk and Insurance-Issues and Practice, 45(4), 616–638. https://doi.org/10.1057/s41288-020-00185-4
Rosenblum, P. (2014, November 7). Lessons From Home Depot: Expect Hackers To Crack More Retailers This Holiday Season. Forbes. https://www.forbes.com/sites/paularosenblum/2014/11/06/lessons-from-home-depot-expect-hackers-to-crack-more-retailers-this-holiday-season/?sh=6b29ead68bc6
Sjouwerman, S. (2014, September). Home Depot, Target Breaches Exploited Old WinXP Flaw. https://blog.knowbe4.com/bid/396931/home-depot-target-breaches-exploited-old-winxp-flaw
The Home Depot Reports Findings In Payment Data Breach Investigation. (2014, November 6). [Press release]. https://ir.homedepot.com/news-releases/2014/11-06-2014-014517315
Winter, M. (2014, November 7). Home Depot hackers used vendor log-on to steal data, e-mails. USA Today. https://www.usatoday.com/story/money/business/2014/11/06/home-depot-hackers-stolen-data/18613167/