Information Security Management 2

MIS403 Information Security Management

Home Exam

Subject name: Information Security Management

Subject code: MIS403-1

Responsible course manager: Rania El-Gazzar

Candidate numbers: 6023, 6034, 6010


Participation sheet!
Mandatory part

Question 1 (6010)
Question 2 (6010)
Question 3 (6010)
Question 4 (6010)

Question 5 (6023)
Question 6 (6023)
Question 7 (6023)

Question 8 (6034)
Question 9 (6034)
Question 10 (6034)

Optional part
Question 1 (6010)
Question 2 (6010)

1. How was the attack on Target perpetrated? Can you identify its main phases?

The massive data breach at Target succeeded because the company failed to segregate its
internal network from that of its third-party vendor Fazio Mechanical Services, a provider of
refrigeration services to Target. Initially, the hackers used social engineering techniques: they
targeted the Fazio Mechanical Services systems with a phishing email and tricked one of the
Fazio employees into downloading the malicious package known as Citadel.
The malware aimed to extract Fazio Mechanical Services' credentials, which the attackers
then used to gain unauthorized access to Target's internal network and systems.
Furthermore, the attackers also exploited common vulnerabilities in third-party vendors and
in Target's security systems. Based on the given case study, we have identified the
following main phases of the data breach (Pigni et al., 2018).

Phase 1: Reconnaissance
At first glance, it is unclear how the attackers performed reconnaissance to obtain useful
information such as the identity of a third-party vendor like Fazio Mechanical Services. Still,
the hackers used Google searches to find a wealth of information about Target's suppliers and
third-party service providers and about how the company interacted with them, including how
payments were made. During this phase, the hackers found that Fazio Mechanical Services was
linked to Target's contract management, project management and electronic billing systems.
They also found that the company's third-party services were not using two-factor
authentication when making transactions with Target.

Phase 2: Exploitation of third-party vendor services

The case study (Pigni et al., 2018) shows that the attackers used social engineering
techniques, targeted one of the employees with a phishing link, and got them to download a
malicious file called Citadel. This malicious program harvested the service provider's
confidential information, which the attackers then used to gain initial access to Target's
internal network and systems. The attackers also exploited Target's lack of network
segregation, which would have been necessary to protect the point of sale (POS) servers from
being exploited. Due to the negligence of the security team, the attackers further propagated
the malware into the internal network and onto the company's main servers, which caused
further damage to the confidential information stored there.

Phase 3: Escalating the attack through the vendor's portal access

The vendor portal was connected to Target's contract management, project management and
electronic billing systems. The hackers used the Fazio portal to gain access to Target's internal
network by uploading malware to the web application in a way that appeared legitimate.

Phase 4: Post-exploitation

Once they had gained unauthorized access to the company's internal network, they started to
gather useful information such as network diagrams, login credentials, etc. Initially, they failed
to harvest credit card information, so they installed the malicious program "Kaptoxa" to
scrape each unencrypted card.

Phase 5: Data transfer

On November 30, the attackers successfully installed the malware on all POS systems and
transferred the harvested information to an internal server. Over the next four days, the
attackers began moving the data to another server that was authorized to pass through the
firewall of the internal network. That server was located outside the U.S., i.e. in Russia.

2. Which weaknesses in Target's security did the hackers exploit?

Target's data breach happened because the hackers exploited several weaknesses in the
company. Some of the flaws the attackers targeted:
1. The first weakness the attackers used, one found today in more than 80% of cyber-attacks,
was social engineering. The attackers targeted the human weakness of one of the
employees of Fazio, a third-party supplier of Target, by sending a phishing email
containing a malicious link, which let them download a malicious file that started
damaging the internal network and servers of the third-party vendor.

2. A major weakness was that the company exposed sensitive information on the internet,
such as supplier and vendor names being publicly available. Attackers discovered this
information during the reconnaissance phase and then put it to use. One piece of public
information that the attackers turned into a weakness was the identity of its third-party
mechanical service provider, Fazio Mechanical Services, a provider of refrigeration
services to Target. Fazio used free malware detection/antimalware programs on its
systems, which failed to detect the Citadel malware the attackers aimed at Fazio
Mechanical Services' internal network and IT systems. This means that if they had used a
commercial antimalware package, they would have been able to detect the malware
installed by the attacker. The attackers were able to harvest Fazio's login credentials,
which were later used to initiate the attack.

3. Another weakness the hackers exploited was that Fazio Mechanical Services was not
following PCI compliance, having not implemented two-factor authentication for
transactions. The research shows that the attackers used either brute-force or dictionary
attacks to harvest the login information required for the transaction process; the absence
of two-factor authentication made the attackers' job easy, and they were able to gain
access to the main servers of the third-party vendor, which were later used to escalate the
attack on Target.

4. PCI compliance requirements state that companies must segregate their payment servers
from the rest of the network. Target did not fulfil this requirement, as its point of sale
(POS) and other servers related to payments and transactions were not segregated from
the company's internal network or from its vendors. Fazio Mechanical Services' payment
servers were linked to Target's contract management, project management and electronic
billing systems. The attackers used the compromised servers of the third-party vendor and
then propagated the malware within Target's internal network.

5. Another major weakness was that Target's security team misinterpreted the attack and
ignored the prompt to delete the malware, even though two security programs had flagged
it as an alarming situation. One of the expensive security packages, FireEye, had been
installed at a cost of $1.6 million; it detected the malware and reminded Target's security
team to delete it, but the security team, located in Minneapolis, ignored the warning.

6. Target also did not maintain a whitelist or blacklist to allow or block programs such as
malware on its devices and servers. The attackers exploited this weakness and used
authorized privileges to install malware on Target's devices and servers.

7. The company had no security policy for monitoring the creation of new accounts. The
attackers created accounts that appeared authorized, which were later used to escalate the
cyber-attack.
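Weakness 5 above comes down to a triage failure: the console raised the alarm, but nobody acted on it. The following Python is an added example (it is not part of the case study or of this exam answer) of the two checks a security team would want automated so that such an alert cannot simply sit there. The alert lines, their format, the four-hour SLA and the "three hosts in two hours" threshold are all constructed for this example and do not come from any real product or from Target.

```python
"""Triage of security-console alerts (added example, not from the case study).

Escalates high-severity alerts that sit unacknowledged past an SLA and flags a
signature that fires on several hosts in a short window, i.e. a spreading
infection rather than a one-off detection. The alert lines below are
constructed for this example and do not come from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <severity> <signature> <host> <status>"
SAMPLE_ALERTS = """\
2021-03-01T02:14:00Z high   malware.binary   pos-host-17   unacknowledged
2021-03-01T02:20:00Z high   malware.binary   pos-host-22   unacknowledged
2021-03-01T03:05:00Z high   malware.binary   pos-host-40   unacknowledged
2021-03-01T04:00:00Z low    policy.violation ws-103        acknowledged
2021-03-01T05:30:00Z medium suspicious.login vendor-portal acknowledged
2021-03-01T07:45:00Z high   malware.binary   pos-host-51   unacknowledged
"""


def parse_time(stamp: str) -> datetime:
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_alerts(text: str) -> list:
    """Turn the whitespace-separated sample format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, severity, signature, host, status = line.split()
        alerts.append({"time": parse_time(stamp), "severity": severity,
                       "signature": signature, "host": host, "status": status})
    return alerts


def overdue_alerts(alerts: list, now: datetime,
                   sla: timedelta = timedelta(hours=4)) -> list:
    """High-severity alerts nobody has acknowledged within the SLA: these must be
    escalated to someone with authority to act, not left sitting in the console."""
    return [a for a in alerts
            if a["severity"] == "high"
            and a["status"] != "acknowledged"
            and now - a["time"] > sla]


def spreading_signatures(alerts: list, min_hosts: int = 3,
                         window: timedelta = timedelta(hours=2)) -> dict:
    """Signatures seen on at least `min_hosts` distinct hosts inside `window`.
    One hit may be a false positive; the same hit on several POS hosts in a
    short time is an infection in progress. Returns {signature: sorted hosts}."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a["signature"]].append(a)
    spreading = {}
    for sig, hits in by_sig.items():
        hits.sort(key=lambda a: a["time"])
        for i, first in enumerate(hits):
            hosts = {h["host"] for h in hits[i:] if h["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                spreading[sig] = sorted(hosts)
                break
    return spreading


def triage(text: str, now_iso: str) -> dict:
    """Run both checks over a batch of alert lines as of the given time."""
    alerts = parse_alerts(text)
    now = parse_time(now_iso)
    return {"overdue": sorted(a["host"] for a in overdue_alerts(alerts, now)),
            "spreading": spreading_signatures(alerts)}


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, "2021-03-01T08:00:00Z"))
```

Run as of 08:00 on the constructed day, the three early POS alerts are both overdue and recognised as one spreading signature, while the alert from 07:45 is still inside the SLA; the point is that the escalation decision is made by the rule, not by whether an analyst happens to look at the console.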

3. Would you consider the Target data breach an information system failure? Why/why
not?

I consider the Target data breach both an information system failure and a human failure. The
breach counts as an information system failure because:
The antimalware program installed at Fazio Mechanical Services was unable to detect the
malware deployed by the attackers, which is a major information system failure. Here we can
also consider this a failure of the third-party vendor's IT team, because they were using the
free version of the antimalware program instead of the commercial version, which ultimately
let the attackers execute the attack.

Another piece of evidence that this breach was an information system failure is that the
servers used by Fazio Mechanical Services were vulnerable to brute-force and dictionary
attacks, which let the attackers extract sensitive credentials that were later used in the data
breach.

Another reason to attribute the breach to information system failure is the fact that the
third-party vendor's servers were connected to some of Target's critical systems and servers.
The company failed to segregate its internal network, which the attackers later exploited to
propagate the malware within it. Target's point of sale (POS) systems were connected to the
rest of the information systems, and the hackers' main goal was to gain unauthorized access
to sensitive information located on Target's servers.

The credit card data and other personal information of the customers were left unencrypted,
which let the attackers use Kaptoxa malware on the internal servers of the company. This is
considered a serious information system failure because unencrypted data can lead to serious
damage to information systems as well as to the entire organization in terms of money and
reputation.

The firewall and anti-virus programs of Target failed to detect and block the malicious
program, as the attackers were able to successfully install it on all the company's POS systems
and servers. The failure of the firewall and antimalware packages also let the attackers install
malware on the company's internal network, which further escalated the damage.

Another piece of evidence that the breach was due to information system failure is that the
web servers and directories were not configured to maintain a whitelist or blacklist to allow
or block programs such as malware on Target's devices and servers. The attackers exploited
this weakness and used authorized privileges to install malware on Target's devices and
servers.

Though I consider the Target data breach an information system failure, I also consider social
engineering the main reason behind the breach. It seems that the third-party vendor's
employees were not aware of phishing and other social engineering attacks. The attackers
targeted the human weakness of one of the employees of Fazio, a third-party supplier of
Target, by sending a phishing email containing a malicious link, which let them download a
malicious file that started damaging the internal network and servers of the third-party
vendor.

4. Whom do you believe is to blame for the incident? Why?

The case study (Pigni et al., 2018) shows that no single individual can be blamed for the
entire incident; instead, it was caused by the carelessness of many individuals. From the
research, I believe that the following personnel share the blame for Target's data breach.
Employees of Fazio Mechanical Services:
The incident was initiated when a phishing email was sent to the employees of the third-party
vendor. It contained a link that one of the service provider's employees visited, downloading
the malware. The malware first infected the employee's system and then propagated to the
service provider's internal network and servers. This means that the third-party vendor's
employees were not well trained about social engineering attacks, and the attackers used them
as the first target of the incident.

IT Department of Fazio Mechanical Services:

I also believe that the IT department of the third-party service provider is responsible for the
incident, because they left a number of weaknesses in their information systems and internal
network. First, they installed a free anti-malware package on their information systems
instead of a commercial package, and it was unable to detect the malware. Secondly, they
were not following PCI compliance, having not implemented two-factor authentication for
transactions, which paved the way for the attackers to obtain useful information, i.e. the
login credentials of the servers, which the attackers then used to attack Target's internal
network and servers.
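The two-factor authentication the case says Fazio lacked (also weakness 3 in question 2) is worth seeing in working form, because it shows why harvested credentials alone stop being enough. The following Python is an added example, not code from the case study or from either company: it implements a vendor-portal login that requires a password and a time-based one-time password (TOTP, RFC 6238) and locks the account after repeated failures, which is what blunts the brute-force and dictionary attacks the case mentions. The account class, the lockout threshold of five attempts, the PBKDF2 work factor and the sample user are assumptions made for this example; the one-time-password arithmetic follows the RFC, and the test secret below is the RFC's published test vector, not a real key.

```python
"""Two-factor login for a vendor portal: password plus a time-based one-time
password (TOTP, RFC 6238). Added example, not code from the case study.

The account store, lockout threshold and the way the two factors are combined
are assumptions made for this example; the TOTP arithmetic follows the RFC."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000   # assumed work factor for the password hash
MAX_FAILED = 5            # assumed lockout threshold against brute-force/dictionary attempts


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1 and dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(key, unix_time // step, digits)


def totp_matches(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), comparing
    every candidate so timing does not reveal which one matched."""
    counter = unix_time // 30
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + drift), submitted)
    return bool(ok)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class VendorAccount:
    """One vendor-portal user: salted password hash, shared TOTP secret, failure counter."""

    def __init__(self, username: str, password: str, totp_key: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_key = totp_key
        self.failed_attempts = 0


def login(account: VendorAccount, password: str, code: str, unix_time: int):
    """Returns (success, reason). Both factors are always evaluated and the same
    failure message is returned either way, so a stolen password on its own
    yields neither access nor confirmation that the password was right."""
    if account.failed_attempts >= MAX_FAILED:
        return False, "locked"
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
    otp_ok = totp_matches(account.totp_key, code, unix_time)
    if pw_ok and otp_ok:
        account.failed_attempts = 0
        return True, "ok"
    account.failed_attempts += 1
    return False, "invalid credentials"


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    acct = VendorAccount("vendor-user", "correct horse battery", key)
    print(login(acct, "correct horse battery", totp(key, 59), 59))   # (True, 'ok')
    print(login(acct, "correct horse battery", "000000", 59))
```

A password harvested by malware such as Citadel satisfies only the first check; without the shared secret the second fails, and five failed guesses lock the account before a dictionary attack can get anywhere.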

The auditors of PCI SSC:

The case study (Pigni et al., 2018) showed that the PCI auditors gave Target's internal
network a clean sheet regarding network segregation even though it was inadequate, and this
weakness was later exploited by the attackers to propagate the malware through the internal
network and ultimately to Target's POS servers.

The IT department of Target:

Target's IT team showed significant negligence on the following occasions:
1. Target's IT team misinterpreted the attack and ignored the prompt to delete the malware,
even though two security programs had flagged it as an alarming situation. One of the
expensive security packages, FireEye, had been installed at a cost of $1.6 million; it
detected the malware and reminded Target's security team to delete it, but the security
team, located in Minneapolis, ignored the warning. If action had been taken before the
execution of the malware, Target would have been able to contain the damage it caused.

2. The company's IT team was negligent in securing the internal network through network
segmentation. The team did not pay attention to segregating the point of sale (POS) systems
from the internal network, which gave the attackers the opportunity to target Target's POS
servers, and they were able to install the malware on the POS and other servers. The team
had also unintentionally exposed critical information about its suppliers on the internet,
which contributed to the data breach.

3. Target's IT department also failed to maintain a whitelist or blacklist to allow or block
programs such as malware on its devices and servers. The attackers exploited this weakness
and used authorized privileges to install malware on Target's devices and servers.

4. The IT team also failed to maintain a monitoring system for the creation of new accounts.
The attackers created accounts that appeared authorized, which were later used to escalate
the cyber-attack.

5. How did Target manage the situation when the breach was detected? Do you consider
their reaction appropriate? Why/why not?

When Target found out in mid-December that criminals had forced their way into its systems
and gained access to guest credit and debit card information, together with guest details such
as names, phone numbers, e-mail addresses, etc., it created complete confusion and frustration.
The breach extended to almost all Target locations throughout the country and affected many
people. Shortly after the breach, Target managed to notify its customers.

Target had to describe what had happened, how it happened and how small the risk to the
customer was. Furthermore, it advised customers on how to protect themselves and what kind
of measures they should take, such as being careful with e-mails and with fake people
claiming to be someone you know who ask for money, etc.

I think Target handled the data breach very well, considering it could have been a lot worse.
Target managed to issue secure chip-and-PIN cards after the data breach. Target had to come
up with a new plan that involved improving monitoring and logging, adding rules and
enabling additional logging functionality. It had to install application whitelisting on the
points of sale. Restrictions on supplier access and many other improvement measures had to
be implemented.
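Application whitelisting, mentioned here as one of Target's corrective measures and listed as a missing control in questions 2 and 4, is easy to state and worth seeing in working form. The following Python is an added example, not code from the case study or from Target: it models a default-deny execution policy for a POS host, where a program may run only if the SHA-256 of its content is on the approved list. The "executables" are constructed byte strings rather than real binaries, and the policy object, file names and the recorded denial log are assumptions of this example; a real deployment would enforce the same rule in the operating system (Windows AppLocker is one such mechanism) rather than in a Python script.

```python
"""Application allowlisting for a POS host (added example, not the case study's
own code). Execution is default-deny: a binary runs only if the SHA-256 of its
content is on the approved list, so a renamed or tampered file is refused and
the attempt is recorded for the security team. The sample "executables" are
constructed byte strings, not real binaries."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Default-deny execution policy keyed on file content, never on file name."""

    def __init__(self):
        self.approved = {}     # sha256 hex -> description of the approved image
        self.denied_log = []   # (file name, sha256 hex) of blocked attempts

    def approve(self, description: str, image: bytes) -> None:
        self.approved[sha256_hex(image)] = description

    def may_execute(self, file_name: str, image: bytes) -> bool:
        digest = sha256_hex(image)
        if digest in self.approved:
            return True
        self.denied_log.append((file_name, digest))   # feed this to alerting
        return False


# Constructed sample images (the "MZ" prefix only mimics a PE header for readability).
POS_APP = b"MZ\x90\x00 constructed sample: point-of-sale application v1.0"
PRINTER_DRIVER = b"MZ\x90\x00 constructed sample: receipt printer driver"
UNKNOWN_TOOL = b"MZ\x90\x00 constructed sample: binary nobody approved"
TAMPERED_POS_APP = POS_APP.replace(b"v1.0", b"v1.1")   # same file name, changed content


def build_pos_policy() -> Allowlist:
    """The two images the POS host is supposed to run, and nothing else."""
    policy = Allowlist()
    policy.approve("POS application 1.0", POS_APP)
    policy.approve("Receipt printer driver", PRINTER_DRIVER)
    return policy


def evaluate_host(policy: Allowlist) -> list:
    """Simulate four execution requests on the host; returns (file name, allowed)."""
    requests = [
        ("pos_app.exe", POS_APP),             # approved image under its usual name
        ("printer.sys", PRINTER_DRIVER),      # approved image
        ("pos_app.exe", TAMPERED_POS_APP),    # right name, wrong content: denied
        ("update_helper.exe", UNKNOWN_TOOL),  # never approved: denied
    ]
    return [(name, policy.may_execute(name, image)) for name, image in requests]


if __name__ == "__main__":
    policy = build_pos_policy()
    for name, allowed in evaluate_host(policy):
        print(f"{name:20} {'allowed' if allowed else 'DENIED'}")
    print("blocked attempts:", policy.denied_log)
```

Because the decision is made on the hash of the file's content, an attacker who can write a file to the POS host still cannot run it, and the denial log gives the security team a concrete event to act on rather than a silent failure.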

We must remember that there was a threat not only to security, but also to Target's customers.
This data breach left customers with no faith in Target's security. The customers were worried
that their data would be leaked, and therefore they were skeptical about buying from Target.
How Target has coped and used appropriate measures to keep customers' information safe
after everything that happened, I find impressive.

Another measure described in the case was that the former managing director of the company
had to resign from his position after the breach. Furthermore, Target appointed a new Chief
Information Officer and gave details of improving its security with a 100 million dollar
investment. The new boss's tasks included upgrading insecure points of sale and deploying
chip-and-PIN-enabled payment technology. Measures to improve network segmentation,
extensive log analysis and, not least, stricter access control were also made the task of the
new boss.

Data breaches are expensive and can bring businesses to the ground, not least their customers. I
think it made sense to make sure customers understood the threat while meeting their needs
and budgets. I think it is important for the CEO of Target to immerse himself in the legislation
that protects his customers in the best possible way. As leaders, the new managers should
familiarize themselves with the law; that way it is easier to understand how data breaches
affect their employees, while also considering that the managers at Target are obliged to
comply with the laws of several states in the world if customers are located in those states. It
is important to have lawyers on staff who understand the ins and outs of data breach
notification laws and at the same time keep up to date with new changes in the legislation.

6. Do you believe it was the CEO’s responsibility to inform customers about the data
breach? Why/why not? What would you have done?

I believe it was the CEO's responsibility to inform the customers about the data breach that
took place. Considering that the CEO is responsible for implementing existing plans and
guidelines, it is also part of the job to improve the relationship between the company and the
customers. Informing customers creates trust and reputation for the company. Considering
that it was personal information that was leaked, it is important that the CEO takes
responsibility for it, because it is his job to have employees who secure this information in the
best possible way.

“It is a ‘direction-giving document’ for defining acceptable behavior for employees when
using an organization's information assets.” (Karlsson et al., 2017)

This, then, means the guidelines for being able to protect information security. Having the
ability to protect customers' information means that they decide the fate of employees and the
business. The fact that the CEO took responsibility for informing the customers shows that
customers are important to Target; they can always choose to buy from stores other than
Target, but chose Target for a reason. Customers are the core of all businesses, and it would
not have been possible to sell a product or service without them. It is the customers who
decide whether companies go out of business if they are not financially profitable.

As CEO, I would do much the same as Target's CEO, and more. When you take on
responsibility as a CEO, you have responsibility for the business, the employees and the
customers. My job as a manager is to have customer relationships that are long-lasting.
Especially when the business is going through tough times, it is important to have the
customers on Target's side. I would have made the customers feel secure even though the
business had lost a lot of money, and informed them that even though there is a decline for
Target now, it is not the end. Furthermore, I would have informed them how important they
are to Target and what their role is. I would have worked very hard to earn the customers'
loyalty, and started an effective loyalty program in which I work to give more for the money.
That way, as CEO, I would do my best to increase turnover. I would have worked more on
getting discounts, advertised, and brought in new products and services for those customers
who chose to stand by us through the data breach.

I would have given customers more room to give feedback and made room for improvement.
I would have asked them whether the business delivers products and services up to
expectations. My job would be to focus on getting to know current customers better and, at
the same time, to work well with new ones.

Ultimately, there is no easy way to deal with data breaches, as long as the CEO takes care of
it, acknowledges the problem and contacts all the parties the problem concerns. I personally
would have tried my best to create a good risk-based vulnerability remediation solution that
continuously monitors threats and assesses vulnerabilities.

7. What lessons should a CEO and CIO learn from Target?

I think that the data breach that occurred should not only be something for the CEO and CIO
of Target to learn from, but for everyone who runs a company and carries these titles. I think
the CEO and CIO have probably learned from this data breach that they must react better to
malware infections, which is the area in which Target's managers fell short. A company's
response to malware attacks has a lot to say in minimizing the attack and how it affects its
customers and the company.

Through the case, it emerged that Target really missed several internal alerts, and it did not
discover the breach until it was contacted by the Ministry of Justice. It was actually its
monitoring software (FireEye) that notified Target employees in Bangalore, India, who in turn
notified employees in Minneapolis, but the result was that no action was taken.

This shows that even though Target spent a large sum on security technology, including
adopting encryption, unfortunately its data was exposed in memory, where it was unencrypted.
Target can learn from this by strengthening its security technology and, not least, adopting a
multi-layered security strategy that could have prevented this data breach, or at least
mitigated the harmful effects it had on both Target and its customers.

This is a lesson they can take with them so that they can avoid the same in the future. I think
business owners have really learned a lesson after this major data breach. They should invest
in staff and their abilities while providing proper training in detecting phishing scams and
using cyber security protections. Each such activity indicates a possible cyber attack that
requires investigation, but many security analysts lack the tools and human resources to do
this effectively, and it has been found that a third of all reported cyber incidents go under
investigation (Hassanien & Elhoseny, 2019).

I think that the next time a warning appears, it should be prioritized and reacted to quickly,
based on written cyber security preparedness plans that everyone can easily access. It is
important to have networks that are properly segmented to isolate problems, and incoming
and outgoing traffic must always be identified and at the same time monitored and validated
for authorization.

It is necessary to have strong passwords that are updated regularly to protect points of sale
and other sensitive hardware. Of course, it is not always easy to protect companies against
cyber-attacks, but one can take a multifaceted approach to protect the data as well as possible
at all stages of network activity. It will be important to further improve awareness of all
possible data breaches and to take action very early.

The faster you react to an outbreak, the better. I think it is a lesson Target's CEO has learned
and will benefit from in the future. CEOs have learned that a rapid response to breaches is
crucial to facilitate the response and to ensure legal obligations are met after a data breach.

8. Assume you are the information security manager for Target. Argue for what you
would suggest Target should do next?

Due to globalization, information security has become an essential part of any organization,
and the information security manager has become a key role in any business. The main
obligation of information security managers is to ensure security policies and make decisions
about them based on confidentiality, integrity and availability (Haqaf & Koyncu, 2018). After
the data breach occurred at Target, several steps were taken to recover, such as apologizing to
customers, restricting vendor access and improving payment card security. If I were the
security manager, I would suggest some further steps, drawing on different concepts from the
course.

As an information security manager, my first recommendation would be to ensure strong
Payment Card Industry (PCI) policies for protecting card information. Target did not have
sufficient security before the incident happened, but after the breach it took the initiative to
start a payment card service with chip and PIN. As per the case, Target was using a separate
network for storing this sensitive card information. However, this separate network was
insufficient and needed further building up, as the Payment Card Industry said during its
audit. Consequently, I would make this isolated network more secure by applying different
security policies.

Apart from this, I would suggest making their POS (point of sale) terminals more reliable.
They need to protect the unencrypted payment card data that goes through the POS terminal
from malware (pcidssguide.com, 2021). It is known that unencrypted data leaves the system
unprotected, and payment cards contain precious information about customers. So I would use
an encryption method to protect the POS system from hacking. In this system, when a
customer swipes a card for payment, the POS terminal would convert the valuable payment
data into encrypted form so that hackers could not identify it. This means that encryption lets
the POS terminal transfer Target's consumers' data in encoded form, so that hackers are
unable to read the original data.

Furthermore, Target's internal network is essential to improve in order to secure the whole
system, especially against disguised or unauthorized files that contain malware and can
damage the system, even via a web application on the network. According to the case,
scraping is a dangerous technique for copying data from anywhere, such as a website, a
personal computer or any network. So as a security manager, I would make strong policies for
securing the whole network (Karlsson et al., 2017). It is not guaranteed that these policies
would secure the data, but security managers play a vital role in making the policies
successful. So it is in the hands of the officers who deal with the policies and set priorities
when disaster occurs. In other words, it can be said that precise use of policies emerges when
qualified officers handle them.

Another thing I would take into consideration is whether a third party is using strong security
protection or not, because a vulnerable third-party network can evidently make Target's
network insecure and perhaps bring it closer to another breach. So if they are not using
security protection, I would suggest that they ensure it before working further with them.
Apart from this, supplier names need to be kept confidential to safeguard the security system,
which both parties need to confirm in their information systems.

Furthermore, I would recommend implementing a security culture in the organization, since
an organizational culture of information security awareness can mitigate risks and enhance
security knowledge (Wiley et al., 2020).

Apart from this, I would advise several training sessions for security officers, to give them a
better understanding of risk management skills (Haqaf & Koyncu, 2018), of cost-benefit
analysis, and of how to prioritize between information security practices and work practices.

As a manager of information security, I would propose including a prevention and response
paradigm (Baskerville et al., 2014). When the incident happened at Target, the company did
not have any required response method to recover from the situation, nor did it have enough
prevention methods. So I would establish a prevention and response strategy and balance the
two for tackling future incidents.

To conclude, it can be said that deploying different security policies and systems might not
completely prevent malware or other malicious software from affecting Target's network, but
it would decrease the rate of hacking, which would be my main objective as an information
security manager.

9. Which topics, concepts, and/or frameworks from the course can you relate the case
to? Explain their relation.

Information security management is a crucial sector for business organizations, as it protects
information from threats and risks. Since the case describes a data breach that happened at a
store, I can relate several concepts and themes from my course to this store incident and its
management. Some of them are discussed here, together with the relation between them.

Topic 1: One of the concepts of my course is unrealistic optimism (Rhee et al., 2012), which
can be related to the case. This happens when information security managers are not aware of
their own risk perception. They want to secure the system, but their perception of the threat is
not good enough. They need to understand their own weakness in order to perceive the whole
risk situation. As an example, driving a car at high speed is dangerous. The driver knows this,
yet perceives that they will manage the car anyway and be safe, which is unrealistic optimism.
In information security, a manager who goes through this phase is not conscious of the
vulnerability in their own perception. In some cases they believe that they are at less risk than
other business partners, which is called optimistic bias; it can have a negative effect on their
management system and cause them to fail to manage information security risk. Moreover,
when security officers' perception of risk is like that, different data breaches can occur easily.

I can relate this case study to the case story precisely. In the case story, they did not perceive
the risk of hacking, but concentrated on the profit of their business. The information security
officers and managers knew the risk of malware but felt that they could keep their system
away from a data breach. As a result, they did not put strong protection in place to secure the
whole system, and were affected by the breach easily.

Topic 2: Organizational culture is essential for creating information security awareness of
security risk. Normally, culture creates human manners, and organizational culture creates
human manners towards security awareness for mitigating risk (Wiley et al., 2020). So it is
required to include a security culture in any organization for securing data, and to analyze the
relations between organizational culture, security culture and information security awareness.

This framework is not directly related to the case, but it is required for Target to create
information security awareness in the organization by deploying a security culture. The
relationship I have found is that a lack of security culture is a great reason behind these data
breaches happening at Target.

Topic 3: Another theme concerns the ten security mistakes that need to be prioritized to
ensure the security of information (Solms & Solms, 2004). One of them is failing to treat
information protection as a business issue: security officers take it as a technical issue. In
most cases, information managers think that security is a technical matter and that they do not
need to think about it much when increasing the profit of an organization, which is a great
mistake according to this case. Another aspect is a security plan that is based on risks that are
known and identified. This is really mandatory when making a security plan, because known
risks must be mitigated for proper security.
If we relate this to the case, both of these two deadly sins were committed by Target's
information security department. They need to avoid them and ensure proper management of
risk and technical issues in the future.

Topic 4: Incidents are a common phenomenon in information security management. To control this, prevention and response strategies are used in a balanced way to make security policies effective (Baskerville et al., 2014). Prevention paradigms are applied before incidents happen and response paradigms immediately after they happen. Balance between the two makes a stable security environment for an organization. The authors show three organizations, two with an imbalance and one with a balanced relationship between the prevention and response models.

I can relate this to the case study, where the store did not take any strong prevention model to ensure the security of its network. They did not even take proper steps to respond to the incident, because they were believed not to have any disaster recovery plan. As a response plan, they could have informed customers immediately and carried out post-incident activities for quick recovery.

Topic 5: Risk management is an essential part of balancing operational and economic cost to generate a good amount of profit. There are three steps to achieve this: risk assessment, risk mitigation and evaluation (Stoneburner et al., 2002). Risk assessment is done by assessing the risk precisely, identifying the hazards to the organization; risk mitigation is done by deciding what needs to be avoided and what needs to be reduced, and then acting according to the economic situation of the organization. Cost-benefit analysis is an important topic here for adding new controls to the risk management of security systems: it analyzes cost and benefit and supports the decision (Stoneburner et al., 2002).

If we try to relate this concept to the case, I can say that the security officers of Target were not aware of risk management before the data breach. After the disaster happened, they appointed a Chief Risk and Compliance Officer to manage risk for future protection from threats.

To conclude, it can be said that some topics of our course are related to data breach incidents, and some frameworks are required to implement the security management system of Target. They have deployed a few after the incident, and a few concepts are still necessary to add for their future protection from threats.

10. Discuss whether the reactions and attitudes of Target customers were taken into
consideration and assured.

When incidents happen in any organization, customer reaction is the first priority to observe and handle for customer satisfaction, and numerous strategies are followed in business to overcome the occurrence.

According to the case, when the data breach happened at Target, they did not immediately inform customers about the incident, and the story came to light when a reporter wrote about it in his blog. After that, Target announced the data breach on the 19th of December, three days after the incident, and apologized to their customers about it in January. However, it was too late to inform valuable consumers about their inconvenience. Because they did not have any response plan for disasters, they were not able to cope with this. So there should be a balance between prevention and response to any incident that takes place in an organization (Baskerville et al., 2014). Target had a few steps to prevent incidents, although those were not adequate to halt a disaster, but did not have any response model for recovery after the breach. As a consequence, they did not bother to inform customers about it immediately and made customers really disappointed.

Apart from this, the breach was already active in Target's network from November 27, but they did not realize it due to lack of proper security. This means that they did not give priority to the security of customers' sensitive data. However, such data should get the highest priority in security policies (Karlsson et al., 2017). Apart from this, they never disclosed that they did not have adequate support to protect customer information. As a consequence, several damages were done to customers: their financial and personal data were compromised, different charges were applied by banks, and access to their funds was troubled. This made customers frustrated, and Target apologized by assuring them that it would take care of this and settle the financial matters as well. As a result, they updated their website about the incident and how consumers could properly manage the situation. They changed some security systems for better protection. One of them was strengthening the security of the login method and vendor access, which is crucial for them because hackers had made their way into the Target network through a third-party vendor network. To make this successful, they introduced a whitelist method which gives particular entities access to their network and denies all others. They also introduced PIN-enabled payment card systems for better protection. Their plan for the future is to add a MasterCard, which would be a great achievement for all customers of Target.

Finally, according to the case, when the situation became worse, consumers, banks and payment card companies took legal action and filed cases in court about this. Various lawsuits were filed describing the suffering caused by this incident. To resolve those, Target was required to pay a substantial portion of the fines. Some of them were settled by Target and some remained unsettled for a few years. It can be said that the security officers of Target thought they had minimized company cost by not adding a strong security system to avoid a breach, but in the end they had to pay a large amount to recover, together with customers' despondency. This situation arises when organizations have insufficient knowledge of cost-benefit analysis (Stoneburner et al., 2002).

From the above discussion, it can be said that customers' reactions to the data breach at Target were very strong, and Target almost lost consumers' trust, which is one of the main ingredients of success in business.

Optional 1:
If you are asked to conduct a risk management process for Target to better prepare for
similar incidents in the future, how would you conduct such a process?

The risk management process allows companies like Target to identify, analyze, and respond to potential risks that they may face. The risk management process will let Target mitigate the risk of similar incidents in the future. To prevent such incidents, I would conduct the risk management process in the following manner:

Identifying the risks:

This will be the first step in my risk management process for Target, in which I will identify the risks by understanding the threats, vulnerabilities and consequences to the information systems and the overall business strategy of Target. Identifying risks will let Target know about the threats, both internal and external, that may harm its business assets and let attackers gain unauthorized access to Target's information systems (Lucid Content Team, 2019). In risk identification, once the threats are identified, the next step will be to find vulnerabilities in information systems, internal networks etc., so that attackers are not able to exploit these vulnerabilities against the internal network and information systems of the company.

Assessing the risks: This will be my second step in the risk management process, and it is considered one of the most important in terms of security across the organization. Assessing risk will allow Target's IT team to understand Target's level of risk. To assess the risks, I will start by identifying all the assets Target owns. Secondly, I will try to identify all the threats and vulnerabilities associated with each asset. Next, I will address all the vulnerabilities by recommending different control measures. Then I will perform an impact analysis of the threats and estimate the likelihood of every single threat. This can be done by using a risk assessment matrix, which assigns a likelihood and impact rating to each risk.

Prioritizing the risks:

Once risks are assessed, the next step will be to prioritize the risks analyzed in the prior step. This will be done using the likelihood and potential impact of each risk. Risks that have a high likelihood and high impact should be given the highest priority, followed by risks with a high likelihood and low impact, and so on (Horvath, 2022).

Developing a risk mitigation and response plan:

Once risks have been prioritized, the next step will be to develop a risk mitigation and response plan, with strategies to mitigate the risks associated with Target's assets. This will include implementing preventive measures to avoid the risk, transferring the risk to another party, accepting the risk, or mitigating the potential impact of the risk.

Implementing risk mitigation strategies:

This will be the final step in the risk management process for Target, consisting of implementing the strategies developed earlier to minimize the effect of risks that might affect the information assets and other business assets. In this final step we will implement and monitor those strategies in order to measure their effectiveness. This can involve setting up systems and processes to track the status of each response strategy and making any necessary adjustments to ensure that they are effective.
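As an added example of the five steps above (it is not part of the exam answer and not any Target document), the Python below builds a constructed risk register, scores it with a likelihood/impact matrix, orders it as the text prescribes (likelihood first, then impact), and picks a response strategy with a cost-benefit check on each proposed control. The rating scale, loss figures, control costs and the decision rule are all assumptions.

```python
# Constructed example: a risk register scored, prioritized and given a response plan.
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}  # assumed three-level rating scale

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str       # "low" | "medium" | "high"
    impact: str           # "low" | "medium" | "high"
    expected_loss: float  # assumed annual loss if the risk materialises
    control: str          # proposed preventive measure
    control_cost: float   # assumed annual cost of that control
    residual_loss: float  # assumed annual loss once the control is in place

def matrix_score(risk: Risk) -> int:
    """Step 2 (assessing): risk assessment matrix, likelihood rating x impact rating (1..9)."""
    return RATING[risk.likelihood] * RATING[risk.impact]

def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 3 (prioritizing), in the order the text gives: likelihood first, then impact."""
    return sorted(register, key=lambda r: (RATING[r.likelihood], RATING[r.impact]), reverse=True)

def control_is_worthwhile(risk: Risk) -> bool:
    """Cost-benefit check: adopt the control only if the loss it removes exceeds its cost."""
    return (risk.expected_loss - risk.residual_loss) > risk.control_cost

def response_strategy(risk: Risk) -> str:
    """Step 4 (mitigation and response plan). Assumed rule: mitigate when the control pays
    for itself, otherwise transfer high-impact risks (e.g. insurance) and accept the rest."""
    if control_is_worthwhile(risk):
        return "mitigate"
    return "transfer" if risk.impact == "high" else "accept"

def build_plan(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Steps 1 to 4 end to end: (asset, matrix score, strategy) in priority order."""
    return [(r.asset, matrix_score(r), response_strategy(r)) for r in prioritize(register)]

REGISTER = [  # constructed from the case: vendor access, POS systems, staff awareness
    Risk("Vendor remote-access portal", "Vendor credentials stolen by phishing",
         "No segregation between vendor access and the internal network", "high", "high",
         5_000_000, "Allowlist vendor access on a separate network segment", 400_000, 500_000),
    Risk("POS systems", "Malware installed on POS hosts", "Unapproved software can run on POS",
         "medium", "high", 3_000_000, "Application allowlisting on POS", 250_000, 300_000),
    Risk("Employee workstations", "Phishing email", "Little security awareness training",
         "high", "low", 200_000, "Regular awareness training", 50_000, 80_000),
    Risk("Internal wiki", "Accidental deletion", "Infrequent backups",
         "low", "low", 20_000, "Nightly backups", 30_000, 2_000),
]

if __name__ == "__main__":
    for asset, score, strategy in build_plan(REGISTER):
        print(f"score {score}  {strategy:9}  {asset}")
```

Note that the text's ordering puts a high-likelihood, low-impact risk ahead of a medium-likelihood, high-impact one even though the matrix score says otherwise; the output makes that trade-off visible.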

Optional 2:
If you were asked to draft an information security policy for Target, what would you
include in that policy?

Information security policy for Target:

Introduction: Target believes in the confidentiality, integrity and availability of the information it holds and processes in its daily business operations. Failing to secure customers', suppliers' and employees' information can cause both financial and reputational damage to Target. This information security policy sets out Target's approach to the security of information assets and provides guidelines for the security of information assets, POS systems, servers and other critical data (Exabeam, 2022).

Objectives: The objectives of this policy are: to provide a framework to secure all the information assets of Target, and to make sure every stakeholder is aware of and complies with the country's cybersecurity laws and regulations.

Scope: The scope of this policy covers all staff, third-party suppliers, service providers and any other vendor that interacts with the information systems or the data in any way.

Policy:
Information security principles:
· Information should be categorized according to its confidentiality, integrity and availability requirements.
· All users will handle the information appropriately.
· The IT team will be responsible for making sure that information is secure and available to all legitimate users, and access to information will only be given on a least-privilege basis.
· All sensitive information, including credit card details, needs to be protected from unauthorized access.
· All suppliers and third-party vendors will abide by the security policy of Target or otherwise be able to demonstrate corporate security policies providing equivalent assurance.

Data support and operations:

All data that is stored and processed must be protected as per PCI and NIST compliance standards and regulations. Data will be backed up at regular intervals and stored in encrypted form. All data that passes over the internet will be protected by the industry's best security protocols.

Security awareness:
Regular training sessions will be arranged for Target's employees to make sure that everyone is involved in the cybersecurity of the company and to avoid any social engineering attacks in the future.
Incident handling:
If the staff of the company find any suspicious activity, they are responsible for reporting such incidents immediately to the IT department of Target.
Responsibilities, rights, and duties of personnel:
Employees will be appointed to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.
References

Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. https://www-sciencedirect-com.ezproxy1.usn.no/science/article/pii/S0378720613001171

Exabeam. (2022, November 17). The 12 elements of an information security policy. Retrieved December 9, 2022, from https://www.exabeam.com/explainers/information-security/the-12-elements-of-an-information-security-policy/

Haqaf, H., & Koyuncu, M. (2018). Understanding key skills for information security managers. https://www-sciencedirect-com.ezproxy2.usn.no/science/article/pii/S0268401218302251

Hassanien, A. E., & Elhoseny, M. (2019). Cybersecurity and Secure Information Systems: Challenges and Solutions in Smart Environments.

Horvath, I. (2022, August 17). Five steps of risk management process: Effective risk management process. Invensis Learning Blog. Retrieved December 9, 2022, from https://www.invensislearning.com/blog/risk-management-process-steps/

Karlsson, F., Hedström, K., & Goldkuhl, G. (2017). Practice-based discourse analysis of information security policies. Computers & Security, 67, 267-279. https://www-sciencedirect-com.ezproxy1.usn.no/science/article/pii/S0167404816301833

Lucid Content Team. (2019, October 9). 5 steps to any effective risk management process. Lucidchart. Retrieved December 9, 2022, from https://www.lucidchart.com/blog/risk-management-process

pcidssguide.com. (2021). Point of sale POS security issues. https://www.pcidssguide.com/point-of-sale-pos-security-issues/

Pigni, F., Bartosiak, M., Piccoli, G., & Ives, B. (2018). Targeting Target with a 100 million dollar data breach. Journal of Information Technology Teaching Cases, 8(1), 9–23. https://doi.org/10.1057/s41266-017-0028-0

Rhee, H.-S., Ryu, Y. U., & Kim, C.-T. (2012). Unrealistic optimism on information security management. https://www-sciencedirect-com.ezproxy2.usn.no/science/article/pii/S0167404811001441

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems.

von Solms, B., & von Solms, R. (2004). The 10 deadly sins of information security management. https://www-sciencedirect-com.ezproxy2.usn.no/science/article/pii/S0167404804001221

Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining the relationship between culture and information security awareness. https://www-sciencedirect-com.ezproxy2.usn.no/science/article/pii/S0167404819301841
