Case Study - The Home Depot Data Breach of 2014 - (Essay Example), 2227 Words GradesFixer


Case Study: The Home Depot Data Breach Of 2014
Updated 10 December, 2020


In 2014 Home Depot was hacked using a third-party vendor’s login information. From
there the hackers infiltrated the company’s network and installed custom malware. Home
Depot had many issues with weak security and out-of-date systems. By implementing some
of the measures discussed below, the company could reduce the risk of an event like this
occurring again. After months of the intrusion going undetected, it was released to the
public that 56 million credit card numbers were compromised. The hackers carried out a
passive attack after gaining access to the network with a third-party vendor’s login
credentials. After gaining information about the system, they used a known issue with
the OS to elevate their user status. From this they were able to install custom RAM
scraping malware that read customers’ cards, and from this the hackers gained the credit
card numbers of 56 million customers. They also got the email addresses of 53 million
customers. This case study focuses on the protection of the customers’ data and the
threats and risks associated with that data.


Security Problems

Outdated Software
The POS terminals were running an out-of-date version of Windows. The use of this
operating system made the POS terminals more vulnerable to attacks. The operating
system on the POS terminals should have been Windows Embedded 8 Industry or
Windows Embedded POSReady 7. If the operating system had been updated on the
POS terminals, then there would have been more security features available to
mitigate the risk of the present vulnerabilities. One important feature that could have
helped prevent customers’ data from being seen by the threat agents is Point-to-Point
(P2P) encryption. However, this was not available on the operating system that they
were using at the time. Along with the outdated operating system, Home Depot’s
anti-virus protection needed to be updated as well. The anti-virus software in use at
the time was Symantec’s Network Protection from 2007. All the software should be a
modern version, and if the POS terminals were not capable of running it then the
terminals should have been upgraded as well.

Third Party Access


The hackers would not have been able to make their way onto Home Depot’s network if
they had not gained access to a third-party vendor’s log-in credentials. Easy-to-guess
passwords are a prevalent problem with any sort of software that is reliant upon log-ins.
After the hackers got into the system using the third party’s credentials, they took
advantage of an issue with the version of the Windows OS that was being used to elevate
their user status within the system. After this privilege escalation, they switched to
the corporate environment and installed custom-built malware that affected numerous
POS terminals. The third party’s accessibility in this situation was a problem, as was
the lack of a strong log-in.

Lack of Monitoring
It took five months for Home Depot to realize an outsider was gaining access to
customers’ information. If there had been regular network monitoring and audits
performed, they may have noticed the intrusion, and fewer customers’ information
would have been compromised. The Payment Card Industry Security Standards Council
requires that scans of the system be conducted every quarter. Along with this, it
requires that a third-party security team go through the network and perform an audit.
Former members of Home Depot’s IT staff say that Home Depot was not adhering to
either of these conditions. One important feature that was not enabled was their
Network Threat Protection. If these audits and scans had been carried out, they may
have been able to address some of the vulnerabilities and implement strategies that
could have prevented or reduced the severity of this breach.

Risk Analysis
Identification of Threats
A) Card skimmers

Card skimmers are devices made by criminals to be placed upon POS terminals; they
look just like the normal devices we use to conduct our purchases. The devices still
make purchases, however they read and record the card’s data and store it for the thief
who installed it. The data stored is the name of the card owner, the card number, and
the expiration date (Hawkins, 2015). Card skimmers could be installed on Home Depot’s
POS terminals.

Attackers

Attackers are the biggest threat to Home Depot’s POS terminals and networks. The
majority of attacks are outside attacks. Attackers carry out these attacks most of the
time to gain customers’ information. After they gain this information, they turn around
and sell it. In the case of this breach, this was an outside attack. The hacker gained
access to a third-party vendor’s account, and carried out a passive attack to gain
information about the kind of software that was being used on POS terminals. After
this, the attacker installed malware that read customers’ data from their cards on
around 7500 of Home Depot’s POS terminals. Attackers are the greatest threat.


B) The Value of the Assets

Home Depot’s technological assets in this case comprise their POS terminals,
networks, customers’ data, software and their network personnel. The customers’ data
is of the highest priority. In the case of Home Depot’s breach and numerous other
breaches, customers’ data is the target of the attackers. The security of this information
should be the first concern. A loss of confidentiality can greatly affect the public’s
image of the company. If the public’s opinion of a company falls, sales will follow.
The POS terminals, networks, software, and network personnel are all of moderate
priority. All of these assets are essential to function in the modern market.
However, without customers, retail chains have nothing.

Current Control Measures


There was insufficient information available on the control measures that were in place
during the time of this breach. Home Depot used Symantec’s antivirus from 2007 on
their network. According to Symantec (2006), “This patent-pending technology detects
camouflaged threats at all system levels, including the application, user mode, and
kernel level.” The software also provided solutions towards preventing threats from
taking advantage of the vulnerabilities within the version of Windows being used at
the time (Symantec, 2006). There was no information as to whether Home Depot also
used Norton Internet Security 2007, which would have provided additional network
protection. Since the threat agents gained access using the log-in credentials of a
third-party vendor, Home Depot did have access controls in place.

Vulnerabilities of Systems
As stated in the Security Problems section, there were numerous problems with Home
Depot’s systems. The POS terminals were running Windows XP Embedded SP3 as their
operating system. This version of Windows is susceptible to attacks. Older versions of
operating systems may not get all the security patches and updates that the current
operating systems receive. The version of the antivirus that they were using was seven
years old at the time. The software may have supported the current POS infrastructure
that the stores carried, but it suffers from the same problems as older operating
systems. The POS terminals’ physical security can be compromised if there are open
ports. It is recommended to disconnect or physically block all ports except for one for
maintenance. Allowing vendors access to the same network that Home Depot uses for its
other operations is a major security risk and vulnerability. Limiting their
accessibility and segregating different parts of the network could help prevent a
hacker from getting much information about the network or databases. There is
the possibility of someone installing a card skimmer on a POS terminal if they are left
around an unattended POS terminal for long enough. Home Depot’s networking
personnel stated that Home Depot did not perform monthly audits or vulnerability
scanning of the network and system. These measures need to be in place. Without
these measures, the networking personnel are unaware of whether the current measures
that are in place are sufficient. Constant improvement of the security of these
systems costs the company money; however, that cost is much lower than the cost of a
major breach like this one, both financially and to the company’s image. Their
networking personnel also determined that the Network Threat Protection option in
their Symantec Endpoint Protection was not activated.

Risk

Based upon the Generic Organization Risk Context, retail is not an industry that is
as vulnerable as some of the other fields on the spectrum. Retail is likely to be targeted
because a lot of people’s information travels over retailers’ networks.
Customers’ credit card information is valuable. Retailers know they are at risk, however,
and they know that they have to take more precautions than some other fields. A
combined approach risk assessment
(https://gradesfixer.com/free-essay-examples/the-importance-of-risk-management/) is the
ideal assessment. The baseline would be upgrading the operating system, antivirus
software, firewall, and physically blocking ports on the POS terminals. The customers’
data is typically the information most sought after by threat agents. Therefore, the
decision to protect this information the most is good for Home Depot’s public image
and for the well-being of the customers’ security. Since this is so important, there
needs to be even more security for this area. There needs to be more encryption of the
customers’ information, as well as the separation of the customers’ information into
different files. The risk of a card skimmer being installed on a POS terminal is rather
low, but the cost to implement a fix for the problem is low as well. The best solution
for this potential threat is to have proper training of employees and let them know
about the likelihood of such a situation.

It may cost Home Depot money in time, but that cost is outweighed by what a card
skimmer could cost the company. The training just has to include not leaving POS
terminals unattended for long periods of time, and turning off certain machines if they
are not in use. The installation of a card skimmer takes time; if a threat agent is unable
to get the time to carry out the installation, then this issue will not occur. The network
needs a monthly audit checklist. Logs of any breaches, or attempts to breach, should be
noted and reported. The network should also have a penetration test done regularly.

Risk Mitigation Strategies


Luckily there are many methods of addressing the vulnerabilities that have been
identified. For the POS terminals, all ports except for one should be physically
inaccessible or disconnected from the terminal. The one port left will be used for
maintenance purposes. If there are fewer open ports, there are fewer ways for someone to
connect a device and install malicious software. Home Depot employees should also be
trained and informed as to why they should never leave a POS terminal alone for an
extended period of time. They need to be informed about card skimmers. POS terminals
that are not needed should be shut down as well. To help prevent the terminals from
being hacked and to give them some of the more advanced security measures, the
terminals’ operating system needs to be upgraded from Windows XP. The networks
need to be separated. A third-party vendor should not have access to the same network
as customer data. Third parties should be granted only the least amount of access that
they require. All third-party activity on the network should be monitored. There should
be strict password guidelines so that passwords are strong and harder to crack. The
customers’ data should also be separated into different files and encrypted. The
different regions of Home Depot’s network should be separated as well. This way, if one
area is compromised, the whole network is not compromised. The network needs an audit
schedule and regular penetration testing. It doesn’t matter if improvements are made if
the networking personnel are unaware of whether they are effective. The network also
needs more up-to-date antivirus software.
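
The vendor-access recommendations above (least access, separated networks, monitoring of all third-party activity) can be checked mechanically. The following is an added example, not part of the original essay: it flags a vendor account that authenticates outside its permitted segment or changes group membership. The account names, subnets, log format and `group_add:` action are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress

# Assumed policy: each vendor account may only reach its own network segment.
VENDOR_POLICY = {"vendor_a": [ipaddress.ip_network("10.50.0.0/24")]}

# Constructed sample events: timestamp, account, destination IP, action.
SAMPLE_EVENTS = """\
2024-01-10T02:11:05Z vendor_a 10.50.0.12 logon
2024-01-11T03:02:17Z vendor_a 10.20.4.8 logon
2024-01-11T03:05:59Z vendor_a 10.20.4.8 group_add:Administrators
2024-01-12T01:47:33Z vendor_a 10.80.1.101 logon
2024-01-12T09:00:00Z jsmith 10.20.4.8 logon
malformed line
"""


def parse_events(text):
    """Yield (timestamp, account, destination, action) for well-formed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, account, dest, action = parts
        try:
            yield ts, account, ipaddress.ip_address(dest), action
        except ValueError:
            continue  # destination is not a valid IP address


def find_violations(text, policy=VENDOR_POLICY):
    """Return (timestamp, account, destination, reason) for vendor activity to review."""
    findings = []
    for ts, account, dest, action in parse_events(text):
        allowed = policy.get(account)
        if allowed is None:
            continue  # not a vendor account; covered by other monitoring
        if not any(dest in net for net in allowed):
            findings.append((ts, account, str(dest), "outside allowed segment"))
        if action.startswith("group_add:"):
            findings.append((ts, account, str(dest), "privilege change"))
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_EVENTS):
        print(*finding)
```

A check like this is only useful if vendor accounts are distinguishable from staff accounts and the segments are actually separated, which is what the preceding paragraph recommends.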

Conclusion
There was not just one single issue that was bigger than the rest. This breach is the
culmination of several security measures that were lacking in strength. Using some of
the risk mitigation strategies listed before may have cost the company money. However,
is the cost of a breach of 56 million credit card numbers, the loss of integrity and
confidentiality of customers’ data, not more important? It is cheaper in the long run to
put the money down to keep systems up-to-date to prevent these breaches.

References
1. Bluefin. (2014, September 15). Home depot had started payment encryption work
before emv implementation. Retrieved February 22, 2019, from
https://www.bluefin.com/bluefin-news/home-depot-started-payment-encryption-work-emv-implementation/.

2. Gallagher, S. (2014, September 20). Home depot ignored security warning for years,
employees say. Retrieved February 22, 2019, from
https://arstechnica.com/information-technology/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/.

3. Hawkins, B. (2015, January). Case study: The home depot data breach. Sans.
Retrieved February 23, 2019, from
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-home-depot-data-breach-36367.

4. Kerner, S. M. (2014, November 8). Home depot breach expands, privilege escalation
flaw to blame. eWeek. Retrieved February 22, 2019, from
https://www.eweek.com/security/home-depot-breach-expands-privilege-escalation-flaw-to-blame.

5. Stallings, W., & Brown, L. (2018). Computer security principles and practice. Pearson
Education, Inc.

6. Symantec. (2006, n.d.). Symantec’s norton antivirus 2007, norton internet security
2007 provides state-of-the-art security and performance to protect against today’s
newest threats. Symantec. Retrieved February 26, 2019.
