Case Study: The Home Depot Data Breach of 2014

In 2014 Home Depot was hacked using a third party vendor’s log in information. From there the hackers infiltrated their network, and installed custom malware. Home Depot had many issues with the lack of security and updating of systems. With some of these implementations they could reduce the risk of experiencing an event like this occurring again. After months of not being detected, it was released to the public that 56 million credit card numbers were compromised. The hackers carried out a passive attack after gaining access to the network with a third party vendors log in credentials. After gaining information about the system, they used a known issue with the OS to elevate their user status. From this they were able to install custom RAM scraping malware that read customer’s cards, and from this the hackers gained the credit card numbers of 56 million customers. They also got the email of 53 million customers. This will focus on the protection of the customer’s data and the threats and risk associated with that data.

Security Problems

Outdated Software

The POS terminals were running an out-of-date version of windows. The use of this operating system made their POS terminals more vulnerable to attacks. The operating system on the POS terminals should have been Windows Embedded 8 Industry or Windows Embedded POS- Ready 7. If the operating system had been updated on the POS terminals, then there would have been more security features available to use to mitigate the risk of the present vulnerabilities. One important feature that would have helped possibly prevented customer’s data from being seen by the threat agents would be the use of Point-to-Point (P2P) encryption. This was not available on the operating system that they were using at the time however. Along with the outdated operating system, Home Depot’s anti-virus protection needed to be updated as well. The current anti-virus software that was being used was Symantec’s Network Protection from 2007. All the software should be a modern version, and if the POS terminals were not capable of running it then the terminals should have been upgraded as well (might put this in the risk mitigation part).

Third Party Access

The hackers would not have been able to make their way onto Home Depot’s network if they had not gained access to a third-party vendor’s log-in credentials. Easy-to-guess passwords are a prevalent problem with any sort of software that is reliant upon log-ins. After the hackers got in the system using the third-party’s credentials, they took advantage of an issue with the version of windows OS that was being used to elevate their user-status within the system. After this increase in user-status (I’m pretty sure there is a better word for this, find it), they switched to the corporate environment, and installed a custom-built malware that affected numerous POS terminals. The third party’s accessibility in this situation was a problem, as well as the lack of a strong log-in.

Lack of Monitoring

It took five months for Home Depot to realize an outsider was gaining access to customer’s information. If there had been regular network monitoring and audits performed, they may have noticed the intrusion and not as many customer’s information would have been compromised. The Payment Card Industry Security Standards Council requires that scans of the system be conducted every quarter. Along with this, they require that a third-party security team go through the network and perform an audit. Former employees of Home Depot’s IT personnel say that Home Depot was not adhering to either of these conditions. One important feature that was not enabled was their Network Threat Protection. If these audits and scans had been carried out, they may have been able address some of the vulnerabilities and implement strategies that could have prevented or reduced the severity of this breach.

Risk Analysis

Identification of Threats

A) Card skimmers

Card skimmers are devices made by criminals to be placed upon POS terminals look just like the normal devices we use to conduct our purchases. The devices still make purchases, however they read and record the cards data and store it for the thief who installed it. The data stored is the name of the card owner, the card number, and the expiration date (Hawkins, 2015). Card skimmers could be installed on Home Depot’s POS terminals. Attackers Attackers are the biggest threat to Home Depot’s POS terminals and networks. The majority of attacks are outside attacks. Attackers are carrying out these attacks most of the time to gain customer’s information. After they gain this information, they turn around and sell it. In the case of this breach, this was an outside attack. The hacker gained access to a third party vendor’s account, and carried out a passive attack to gain information about the kind of software that was being used on POS terminals. After this, the attacker, installed malware that read customer’s data from their cards on around 7500 of Home Depot’s POS terminals. Attacker’s are the greatest threat.

B) The Value of the Assets

Home Depot’s technological assets in this case are comprised of their POS terminals, net- works, customer’s data, software and their network personnel. The customer’s data is of the highest priority. In the case of Home Depot’s breach and numerous other breaches, customers data is the target of the attackers. The security of this information should be the first concern. The tarnishing of confidentiality can greatly affect the public’s image of that company. If the publics opinion of a company lowers, the sales will follow. The POS terminals, networks, software, and network personnel are all of moderate priority. All of these assets are essential to function in the modern market. However, without customer’s retail chains have nothing.

Current Control Measures

There was insufficient information available on the control measures that were in place during the time of this breach. Home Depot used Symantec’s antivirus from 2007 on their network. According to Symantec (2006), “This patent-pending technology detects camouflaged threats at all system levels, including the application, user mode, and kernel level.” The software also provided solutions towards preventing threats from taking advantages of the vulnerabilities within the version of Windows being used at the time (Symantec, 2006). There was no information as to whether Home Depot also used Norton Internet Security 2007, which would have provided additional network protection. Since the threat agents gained access using the log-in credentials of a third party vendor, Home Depot did have accessibility controls in place.

Vulnerabilities of Systems

As stated in the Security Problems section, there were numerous problems with Home Depot’s systems. The POS terminals are running Windows XP Embedded SP3 as their operating system. This version of Windows is susceptible to attacks. Older versions of operating systems may not get all the security patches and updates that the current operating systems receive. The version of the antivirus that they were using was seven years old at the time. The software may have supported the current POS infrastructure that the stores carried, but it suffers from the same problems as older operating systems. The POS terminals physical security can be compromised if there are open ports. It is recommended to disconnect or physically block all ports except for one for maintenance. Having vendors be able to have access to the same network that Home Depot uses for its other operations, is a major security risk and vulnerability. Limiting their accessibility and segregating different parts of their network could help in the prevention of a hacker getting much information of their network or databases. There is the possibility of someone installing a card skimmer on a POS terminal if they are left around an unattended POS terminal for long enough. Home Depot’s networking personnel stated that Home Depot did not perform monthly audits or vulnerability scanning of the network and system. These measures need to be in place. Without these measures, the networking personnel are unaware if the current measures that are in place are sufficient enough or not. Constant improvement of the security of these systems cost the company money, however, the savings from preventing a major breach as in this case is much lower compared to the costs both financially and of the company’s image. Their networking personnel also determined that on their Symantec Endpoint Protection that the Network Threat Protection option was not activated. (This measure does this and would have prevented the situation from being worse blah blah blah).

Risk Based upon the Generic Organization Risk Context, retail is not an industry that is as vul- nerable as some of the other fields on the spectrum. Retail is likely to be targeted because there is a lot of people’s information going around on their network. Customer’s credit card information is valuable. Retailer’s know they are at risk however, and they know that they have to take more precautions than some other fields. A combined approach risk assessment is the ideal assessment. The baseline would be upgrading the operating system, an- tivirus software, firewall, and physically blocking ports on the POS terminals. The customer’s data is typically the most sought after information by threat agents. Therefore, the decision to protect this information the most is good for Home Depot’s public image and for the well-being of the customer’s security. Since this is so important, there needs to be even more security for this area. There needs to be more encryption of the customers information, as well as the separation of the customer’s information into different files. The risk of a card skimmer being installed on a POS terminal is rather low, but the cost to implement a fix for the problem is low as well. The best solution for this potential threat is to have proper training of employees and let them know about the likelihood of such a situation

It may cost Home Depot money in time, but its cost outweighs what the cost of a card skimmer could affect the company. The training just has to include not to leave POS terminals unattended for long periods of time, and to turn off certain machines if they are not in use. The installation of a card skimmer takes time, if a threat agent is unable to get the time to carry out the installation, then this issue will not occur. The network needs a monthly audit checklist. Logs of any breaches, or attempts to breach should be noted and reported. The network should also have a penetration test done regularly.

Risk Mitigation Strategies

Luckily there are many methods of addressing the vulnerabilities that have been identified. For the POS terminals, all ports except for one should be physically inaccessible or disconnected from the terminal. The one terminal left will be used for maintenance purposes. If there are less open ports, there are less ways for someone to connect a device and install malicious software. Also Home Depot employees should be trained and informed as to why they should never leave a POS terminal alone for an extended period of time. They need to be informed about card skimmers. POS terminals that are not needed should be shut down as well. To help in the prevention of the terminals being hacked and that they have some of the advanced security mea- sures, the terminals operating system needs to be updated from Windows XP. The networks need to be separated. A third party vendor should not have access to the same network as customer data. Third parties should be granted only the least amount of access that they require. Monitor all third party activity on the network. Have strict password guidelines to create strong password that are harder to crack. The customer’s data should also be separated into different files and encrypted. The different regions of Home Depot’s network should be separated as well. This way if one area is compromised, the whole network is not compromised. The network needs an audit schedule and regular penetration testing. It doesn’t matter if improvements are made if the networking personnel are unaware if it is effective. The network needs a more up-to-date antivirus software.

Conclusion

There was not just one single issue that was bigger than the rest. This breach is the culmination of several security measures that were lacking in strength. Using some of the risk mitgation straegies listed before may have cost the company money. However, is the cost of a breach of 56 million credit card numbers, the loss of integrity and confidentiality of customer’s data not more important? It is cheaper in the long run to put the money down to keep systems up-to-date to prevent these breaches.

References

1. Bluefin. (2014, September 15). Home depot had started payment encryption work before emv implementation. Retrieved February 22, 2019, from https://www.bluefin.com/bluefin- news/home-depot-started-payment-encryption-work-emv-implementation/.
2. Gallagher, S. (2014, September 20). Home depot ignored security warning for years, em- ployees say. Retrieved February 22, 2019, from https://arstechnica.com/information- technology/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/.
3. Hawkins, B. (2015, January). Case study: The home depot data breach. Sans. Retrieved February 23, 2019, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study- home-depot-data-breach-36367.
4. Kerner, S. M. (2014, November 8). Home depot breach expands, privilege escalation flaw to blame. eWeek. Retrieved February 22, 2019, from https://www.eweek.com/security/home- depot-breach-expands-privilege-escalation-flaw-to-blame.
5. Stallings, W., & Brown, L. (2018). Computer security principles and practice. Pearson Educa- tion, Inc.
6. Symantec. (2006, n.d.). Symantec’s norton antivirus 2007, norton internet security 2007 provides state-of-the-art security and performance to protect against today’s newest threats. Symantec. Retrieved February 26, 2019.