Can Mega Data Breaches be Prevented? – What ITAM Can Learn from Target and Home Depot

By Dan Ingouf & Jenny Schuchert, IAITAM

ITAK V9 I12

As consumers, we are familiar with payment interface devices such as cash registers and point of sale (POS) terminals. We take our chosen items to the check-out, and if we are one of the estimated 53 percent of consumers who use credit or debit as a form of payment, a card is swiped to complete the transaction. With receipt and car keys in hand, we leave the store with little thought to the personal information just exposed and the access to electronic funds just granted. We have trusted this process because it has worked like clockwork. As we drove away from the store, the completed transaction was of no concern until the multiple wake-up calls of 2013-2014.

What is happening with that financial and personal data? What can we learn from recent incidents so that we can do a better job as IT Asset Managers, either by reducing the risks or by supporting the repair after an incident?

What Does this Mean to the Organization?

Consumer fears used to be focused on online usage and physical credit card theft, but the recent incidents like the Target Corporation and Home Depot data breaches have broadened consumer fears to include the safe storage and use of data as the organization conducts business.

Data thieves are an Information Technology security nightmare and a career killer. The data theft at Target snatched the headlines and caused Target’s CIO Beth Jacob to resign after the data breach. After 35 years with Target, chief executive Gregg Steinhafel also lost his job because of the data breach. The turnover in senior positions was just the beginning of the projected job losses.

At first, consumers seemed to acclimate to the idea of mass corporate data theft until the size of the Target data breach (affecting approximately 40 million people) sank in. Adding to consumer concern at the wrong moment, Home Depot announced its own data breach, with the magnitude of the theft exceeding that of Target (affecting approximately 56 million people).

More fuel was added to the fire when, close to a month after its original data breach statement, Target announced that its breach numbers had been updated. The revision indicates that the breach actually affected as many as 70 million individuals (a figure that includes an overlap of name and address information), far more impact than the previous reports of 40 million had indicated.

This increase in fraudulent electronic access, and the time it seems to take to detect the problems, are exacerbating the pressure on IT.


What Happened at Home Depot?

With data encryption and many other financial and IT safeguards in place, how is it possible for such events to occur, not to mention continue for months without notice? According to an article in the New York Times, former Home Depot employees say that data was left vulnerable. Furthermore, the risks that were clear to the computer experts employed by Home Depot were regularly conveyed to corporate senior executives, stressing that the data might be easy prey for hackers. This warning is said to have been given for years before the breach.

In hindsight, piecing together the chain of events has exposed a series of security missteps in recent years. According to the article, members of Home Depot’s cybersecurity team (who spoke only on the condition of anonymity) identified the following as contributing factors to this security breach:

· Slow response to early threats and only acting belatedly with reactive measures

· Continuing use of outdated security software

· Irregular scanning of systems that held customer information

· Managers regularly dismissing stated security concerns

· Lack of security related communication between Home Depot and other retailers

· Overall complacency in matters of cyber security

· Hiring a security expert to help oversee security in 2,200 stores who was subsequently arrested, convicted and sentenced to four years in prison for deliberately disabling computers at the company where he previously worked

Home Depot brought in more security experts, but by that time, cyber criminals were deep into Home Depot’s systems. It was April 2, 2014 when Home Depot was made aware of the severity of the data breach. A new encryption system was put in place, but that only served to stop further data theft; 56 million customers’ cards were by that point already available in cyberspace.

The Target and Home Depot hackers are reported to have exploited the same vulnerabilities using similar malware to perpetrate the cybercrimes.

Where is the Stolen Data?

So what becomes of stolen card information? According to a recent article, cyber thieves take the stolen information to the cyber market. This market is not for the average internet shopper; it is a specialized market frequented by black-hat hackers. One of several known underground markets is Rescator.cc, which reportedly received two massive dumps of stolen credit card numbers on September 2, 2014, a significant portion of which came from Home Depot.

Rescator is the same site where some of the stolen credit card data from the Target data theft first appeared.

Is Your Organization at Risk?

Can data disasters such as these happen in your organization? Perhaps not on the scale of the Target and Home Depot data breaches, but even a small data breach can cause a loss of confidence leading to lost revenue and opportunity. And, whether or not we feel righteous when reading the Home Depot mistakes above, mistakes and complacency can happen in an organization of any size or type. Consider restaurants and the amount of consumer fraud that they already deal with on a daily basis. For a national chain restaurant with hundreds or thousands of locations, the IT staff or outsourcer is struggling to close the same opportunities for electronic fraud. That restaurant chain (or charity or manufacturing company, etc.) faces the same possibility of hacking seen elsewhere.

What Should We Do?

IT Asset Management is not part of the security team, but the responsibility for the organization’s data does not stop with that team. With every process, IT Asset Management is a facilitator of an understood and potentially controlled environment. So, check mark, you are helping. But is that enough? Consider the following ideas:

· Version control of security software: While it could be managed by Software Asset Management, a number of organizations separate this responsibility. If the software is managed by the security team directly, get involved and facilitate the addition of the more robust ITAM processes and automation to support their work

· Extension of hardware inventory: Hardware Asset Management has some of the best tools and processes for managing inventory. Even if there are good inventory skills elsewhere, the Hardware Asset Manager brings the added benefit of IT knowledge and experience managing the complex relationship between hardware and software

· Manage mobile devices: An internal inventory that is accurate and complete within an acceptable error rate (based on the environment) is only step one. IT Asset Managers sitting on the sidelines of the mobile access transition are allowing their organizations to make the same mistakes made with other hardware assets

· Promote contractual language to support security: Prioritize the development and propagation of risk-reducing language in contracts. While there might be the obvious language regarding liability and errors and omissions, indemnification is not a one-size-fits-all solution. Also, that language only helps after a problem has been encountered. Is there an opportunity to reduce the risk of a problem in the first place? IT Asset Management can help by questioning, suggesting, etc. based on our experiences

· Audit: Experience with audits, such as developing proactive processes, building documentation, conducting self-audits, creating a response team and meeting the vendor’s information requirements, gives IT Asset Managers an awareness of business process flaws deeper than an ocean. Apply that knowledge from a security perspective and communicate concerns
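One way an IT Asset Manager could turn the inventory and version-control ideas above into a recurring check, as an added example that is not from the article or from IAITAM: it walks a constructed inventory export and flags assets whose security agent is below a minimum version, or which hold customer data but have not been scanned within a set window, the two contributing factors cited from the Home Depot account. Hostnames, field names, versions, dates and thresholds are all assumptions.

```python
"""Inventory-driven risk check (added example, not the article's own process).
Flags assets running outdated security software, or holding customer data
without a recent scan. All records and thresholds below are constructed."""
from datetime import date

# Constructed sample export from a Hardware Asset Management tool (assumed fields).
INVENTORY = [
    {"host": "pos-0117", "role": "POS terminal", "agent_version": "4.2.1",
     "last_scan": "2014-03-20", "holds_customer_data": True},
    {"host": "pos-0452", "role": "POS terminal", "agent_version": "3.9.0",
     "last_scan": "2014-03-28", "holds_customer_data": True},
    {"host": "db-card-01", "role": "card data store", "agent_version": "4.2.1",
     "last_scan": "2013-11-02", "holds_customer_data": True},
    {"host": "kiosk-07", "role": "info kiosk", "agent_version": "3.9.0",
     "last_scan": "2013-12-15", "holds_customer_data": False},
    {"host": "hr-ws-22", "role": "workstation", "agent_version": "4.2.1",
     "last_scan": "2014-03-30", "holds_customer_data": False},
]


def parse_version(version):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def flag_at_risk_assets(inventory, min_agent_version, max_scan_age_days, as_of_iso):
    """Return {host: [reasons]} for assets matching either contributing factor:
    outdated security software, or a customer-data system whose last scan is
    older than max_scan_age_days as of the ISO date as_of_iso."""
    as_of = date.fromisoformat(as_of_iso)
    floor = parse_version(min_agent_version)
    findings = {}
    for asset in inventory:
        reasons = []
        if parse_version(asset["agent_version"]) < floor:
            reasons.append(f"security agent {asset['agent_version']} "
                           f"below minimum {min_agent_version}")
        scan_age = (as_of - date.fromisoformat(asset["last_scan"])).days
        if asset["holds_customer_data"] and scan_age > max_scan_age_days:
            reasons.append(f"holds customer data but last scanned {scan_age} days ago")
        if reasons:
            findings[asset["host"]] = reasons
    return findings


if __name__ == "__main__":
    # Report against a 4.0.0 agent floor and a 30-day scan window (assumed policy).
    for host, reasons in flag_at_risk_assets(INVENTORY, "4.0.0", 30, "2014-04-02").items():
        print(f"{host}: {'; '.join(reasons)}")
```

Run on a real export, the same function gives the ITAM team a concrete list to raise with the security team rather than a general concern.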

Be Vigilant

Employee awareness, tested plans of action for a data breach or recovery from a disaster, and building information about the organization’s use of IT in general are all aspects of the IT Asset Management program that support a secure IT environment. IT Asset Management absolutely contributes to the success of the IT security team, and we can go further by championing their concerns and sharing our expertise to make it easier to identify breaches and the problems that can lead to them. Hindsight is a terrible way to learn, so let’s use the published information about the Target and Home Depot data breaches as impetus to apply a security filter to all of the actions within the IT Asset Management program.

About Dan Ingouf

Dan Ingouf is the Content Development Specialist for IAITAM.