Professional Documents
Culture Documents
Case Study - The Home Depot Data Breach of 2014 - (Essay Example), 2227 Words GradesFixer
Case Study - The Home Depot Data Breach of 2014 - (Essay Example), 2227 Words GradesFixer
Case Study - The Home Depot Data Breach of 2014 - (Essay Example), 2227 Words GradesFixer
Now Accepting Apple Pay Apple Pay is the easiest and most
Table of contents
In 2014 Home Depot was hacked using a third party vendor’s log in information. From
there the hackers infiltrated their network, and installed custom malware. Home Depot
had many issues with the lack of security and updating of systems. With some of these
implementations they could reduce the risk of experiencing an event like this occurring
again. After months of not being detected, it was released to the public that 56 million
credit card numbers were compromised. The hackers carried out a passive attack after
gaining access to the network with a third party vendors log in credentials. After gaining
information about the system, they used a known issue with the OS to elevate their user
status. From this they were able to install custom RAM scraping malware that read
customer’s cards, and from this the hackers gained the credit card numbers of 56
million customers. They also got the email of 53 million customers. This will focus on the
protection of the customer’s data and the threats and risk associated with that data.
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 1 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
Security Problems
Outdated Software
The POS terminals were running an out-of-date version of windows. The use of this
operating system made their POS terminals more vulnerable to attacks. The operating
system on the POS terminals should have been Windows Embedded 8 Industry or
Windows Embedded POS- Ready 7. If the operating system had been updated on the
POS terminals, then there would have been more security features available to use to
mitigate the risk of the present vulnerabilities. One important feature that would have
helped possibly prevented customer’s data from being seen by the threat agents would
be the use of Point-to-Point (P2P) encryption. This was not available on the operating
system that they were using at the time however. Along with the outdated operating
system, Home Depot’s anti-virus protection needed to be updated as well. The current
anti-virus software that was being used was Symantec’s Network Protection from 2007.
All the software should be a modern version, and if the POS terminals were not capable
of running it then the terminals should have been upgraded as well (might put this in
the risk mitigation part).
Lack of Monitoring
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 2 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
Lack of Monitoring
It took five months for Home Depot to realize an outsider was gaining access to
customer’s information. If there had been regular network monitoring and audits
performed, they may have noticed the intrusion and not as many customer’s
information would have been compromised. The Payment Card Industry Security
Standards Council requires that scans of the system be conducted every quarter. Along
with this, they require that a third-party security team go through the network and
perform an audit. Former employees of Home Depot’s IT personnel say that Home
Depot was not adhering to either of these conditions. One important feature that was
not enabled was their Network Threat Protection. If these audits and scans had been
carried out, they may have been able address some of the vulnerabilities and
implement strategies that could have prevented or reduced the severity of this breach.
Risk Analysis
Identification of Threats
A) Card skimmers
Card skimmers are devices made by criminals to be placed upon POS terminals look
just like the normal devices we use to conduct our purchases. The devices still make
purchases, however they read and record the cards data and store it for the thief who
installed it. The data stored is the name of the card owner, the card number, and the
expiration date (Hawkins, 2015). Card skimmers could be installed on Home Depot’s POS
terminals. Attackers Attackers are the biggest threat to Home Depot’s POS terminals
and networks. The majority of attacks are outside attacks. Attackers are carrying out
these attacks most of the time to gain customer’s information. After they gain this
information, they turn around and sell it. In the case of this breach, this was an outside
attack. The hacker gained access to a third party vendor’s account, and carried out a
passive attack to gain information about the kind of software that was being used on
POS terminals. After this, the attacker, installed malware that read customer’s data from
their cards on around 7500 of Home Depot’s POS terminals. Attacker’s are the greatest
threat.
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 3 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
Home Depot’s technological assets in this case are comprised of their POS terminals,
net- works, customer’s data, software and their network personnel. The customer’s data
is of the highest priority. In the case of Home Depot’s breach and numerous other
breaches, customers data is the target of the attackers. The security of this information
should be the first concern. The tarnishing of confidentiality can greatly affect the
public’s image of that company. If the publics opinion of a company lowers, the sales
will follow. The POS terminals, networks, software, and network personnel are all of
moderate priority. All of these assets are essential to function in the modern market.
However, without customer’s retail chains have nothing.
Vulnerabilities of Systems
As stated in the Security Problems section, there were numerous problems with Home
Depot’s systems. The POS terminals are running Windows XP Embedded SP3 as their
operating system. This version of Windows is susceptible to attacks. Older versions of
operating systems may not get all the security patches and updates that the current
operating systems receive. The version of the antivirus that they were using was seven
years old at the time. The software may have supported the current POS infrastructure
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 4 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
that the stores carried, but it suffers from the same problems as older operating
systems. The POS terminals physical security can be compromised if there are open
ports. It is recommended to disconnect or physically block all ports except for one for
maintenance. Having vendors be able to have access to the same network that Home
Depot uses for its other operations, is a major security risk and vulnerability. Limiting
their accessibility and segregating different parts of their network could help in the
prevention of a hacker getting much information of their network or databases. There is
the possibility of someone installing a card skimmer on a POS terminal if they are left
around an unattended POS terminal for long enough. Home Depot’s networking
personnel stated that Home Depot did not perform monthly audits or vulnerability
scanning of the network and system. These measures need to be in place. Without
these measures, the networking personnel are unaware if the current measures that are
in place are sufficient enough or not. Constant improvement of the security of these
systems cost the company money, however, the savings from preventing a major
breach as in this case is much lower compared to the costs both financially and of the
company’s image. Their networking personnel also determined that on their Symantec
Endpoint Protection that the Network Threat Protection option was not activated. (This
measure does this and would have prevented the situation from being worse blah blah
blah).
Risk Based upon the Generic Organization Risk Context, retail is not an industry that is
as vul- nerable as some of the other fields on the spectrum. Retail is likely to be targeted
because there is a lot of people’s information going around on their network.
Customer’s credit card information is valuable. Retailer’s know they are at risk however,
and they know that they have to take more precautions than some other fields. A
combined approach risk assessment (https://gradesfixer.com/free-essay-examples/the-
importance-of-risk-management/) is the ideal assessment. The baseline would be
upgrading the operating system, an- tivirus software, firewall, and physically blocking
ports on the POS terminals. The customer’s data is typically the most sought after
information by threat agents. Therefore, the decision to protect this information the
most is good for Home Depot’s public image and for the well-being of the customer’s
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 5 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
security. Since this is so important, there needs to be even more security for this area.
There needs to be more encryption of the customers information, as well as the
separation of the customer’s information into different files. The risk of a card skimmer
being installed on a POS terminal is rather low, but the cost to implement a fix for the
problem is low as well. The best solution for this potential threat is to have proper
training of employees and let them know about the likelihood of such a situation
It may cost Home Depot money in time, but its cost outweighs what the cost of a card
skimmer could affect the company. The training just has to include not to leave POS
terminals unattended for long periods of time, and to turn off certain machines if they
are not in use. The installation of a card skimmer takes time, if a threat agent is unable
to get the time to carry out the installation, then this issue will not occur. The network
needs a monthly audit checklist. Logs of any breaches, or attempts to breach should be
noted and reported. The network should also have a penetration test done regularly.
Home Depot’s network should be separated as well. This way if one area is
compromised, the whole network is not compromised. The network needs an audit
schedule and regular penetration testing. It doesn’t matter if improvements are made if
the networking personnel are unaware if it is effective. The network needs a more up-to-
date antivirus software.
Conclusion
There was not just one single issue that was bigger than the rest. This breach is the
culmination of several security measures that were lacking in strength. Using some of
the risk mitgation straegies listed before may have cost the company money. However,
is the cost of a breach of 56 million credit card numbers, the loss of integrity and
confidentiality of customer’s data not more important? It is cheaper in the long run to
put the money down to keep systems up-to-date to prevent these breaches.
References
1. Bluefin. (2014, September 15). Home depot had started payment encryption work
before emv implementation. Retrieved February 22, 2019, from
https://www.bluefin.com/bluefin- news/home-depot-started-payment-encryption-
work-emv-implementation/.
2. Gallagher, S. (2014, September 20). Home depot ignored security warning for years,
em- ployees say. Retrieved February 22, 2019, from
https://arstechnica.com/information- technology/2014/09/home-depot-ignored-
security-warnings-for-years-employees-say/.
3. Hawkins, B. (2015, January). Case study: The home depot data breach. Sans.
Retrieved February 23, 2019, from https://www.sans.org/reading-
room/whitepapers/casestudies/case-study- home-depot-data-breach-36367.
4. Kerner, S. M. (2014, November 8). Home depot breach expands, privilege escalation
flaw to blame. eWeek. Retrieved February 22, 2019, from
https://www.eweek.com/security/home- depot-breach-expands-privilege-escalation-
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 7 of 8
Case Study: The Home Depot Data Breach Of 2014: [Essay Example], 2227 words GradesFixer 22/03/1444 AH, 4:39 PM
https://www.eweek.com/security/home- depot-breach-expands-privilege-escalation-
flaw-to-blame.
5. Stallings, W., & Brown, L. (2018). Computer security principles and practice. Pearson
Educa- tion, Inc.
6. Symantec. (2006, n.d.). Symantec’s norton antivirus 2007, norton internet security
2007 provides state-of-the-art security and performance to protect against today’s
newest threats. Symantec. Retrieved February 26, 2019.
https://gradesfixer.com/free-essay-examples/case-study-the-home-depot-data-breach-of-2014/ Page 8 of 8