Target 2013 Data Breach

Network and Internet Security

Homework #1 Solutions


Name: Abhinav Srinivasaraghavan

Andrew ID: asriniv1

Target 2013 Data Breach

Background

“Target corporation is the second largest discount store
retailer in the United States, behind Walmart, and a component of the S&P
500 Index” [1]

How serious was the breach, both in scope and in costs?

Target made a public announcement about a major cyber-breach on 19 December 2013. It was discovered that the information of around 40 million credit and debit cards had been compromised. The card information included the card numbers, expiration dates and the Card Verification Value (CVV). In addition, the personal information of around 70 million people was breached, significantly more than the original 40 million that Target had estimated. The PII included the full names of customers and contact information such as email addresses, home addresses and telephone numbers. More than 11 GB of data was stolen as a result. It was discovered that the data exfiltration began immediately after Thanksgiving, around Black Friday on 27 November 2013, and lasted until 15 December 2013, 10 days before Christmas.

According to Target’s 2016 annual financial report, the total cost of the breach was estimated at $292 million. Target’s cyber insurance policy absorbed some of the costs, so the net cost after insurance is estimated at $202 million.

This figure included all settlements with various states, with credit unions and community banks for reissuing cards, with Visa and Mastercard, and finally the class action lawsuits brought by affected consumers. It also included one year of identity protection and credit monitoring for all Target customers. Target did not disclose the costs associated with the credit monitoring services or its own legal fees.

“The settlement costs can be summarized as follows:

– $10 million paid in a class action lawsuit to affected consumers in March 2015.

– $19 million paid to Mastercard in an April 2015 settlement.

– $67 million paid to Visa in August 2015.

– $39.4 million paid to banks and credit unions for losses and costs related to the breach, in a December 2015 settlement.

– And $18.5 million in August 2015 week’s settlement.” [2]

This data breach has been classified as one of the “largest top 10 data breaches of the 21st century by CSO Online forum.” [3]

How did the breach occur?

The adversaries took the following steps:

1. As with all cyber kill chains, it started with a reconnaissance and intelligence gathering phase. The attackers supposedly used a Google search to identify how Target interacts with its vendors. This revealed the existence of a vendor portal, along with a list of HVAC and refrigeration companies. The Microsoft website has a detailed case study that describes how Target uses Microsoft SCCM, Microsoft virtualization software and centralized name resolution to deploy security patches and updates. Target’s IT and network infrastructure, along with information on its Point of Sale (POS) systems, is available as a part of this case study.

2. Based on the information gathered in the first step, the hackers sent a phishing email containing malware to one of the refrigeration companies, Fazio Mechanical, about 2 months before the breach. Supposedly a password-stealing bot called Citadel, a derivative of the Zeus banking trojan, was installed. This bot stole the credentials to Target’s vendor portal.

3. The hackers now had access to Target’s vendor portal system using the stolen credentials.

4. The vendor system was used as a pivot, and the hackers moved laterally through the network using vulnerable systems, additional reconnaissance and other backdoors. Other network analysis tools were used to perform reconnaissance once inside the network. SQL injection was mostly used to compromise the vulnerable servers.

5. The attackers searched for additional pivot points, which are basically centralized infrastructure such as Active Directory, DNS servers and endpoint monitoring systems.

6. The pivot systems were compromised by the hackers, and malware was then installed on the POS systems. The malware was supposedly installed using the Microsoft SCCM auto-update process, thereby affecting a large number of POS systems simultaneously. The custom-made malware had the ability to avoid detection and could evade anti-virus.

7. The malware extracted the credit card information from the memory of the POS systems as cards were swiped. The resulting data was “saved to a .dll file and stored in a temporary NetBios share over ports 139,443 or 80” [4].

8. ICMP tunnels were used for communication between the compromised POS systems and the compromised pivot machine on the corporate network.

9. Customized commands were sent from the compromised pivot server over the network to the POS systems. These commands were able to bypass network access controls and remain undiscoverable by network forensic tools.

10. The hackers moved the stolen data via FTP to a group of compromised servers used as drop locations. These drop locations were in Russia, Eastern Europe, Brazil and the USA. The hackers subsequently retrieved the stolen data from these drop locations.

11. Target had deployed FireEye network monitoring, intrusion and malware detection tools. The tool alerted staff in Bangalore, India, who informed the Target IT staff in Minneapolis, USA. Unfortunately, no action was taken at the time. In addition, some system administrators had turned off key intrusion detection capabilities in the FireEye appliance.

12. The stolen credit card data was sold on the black market.
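Steps 7, 8 and 10 above describe three network behaviours that a defender could have looked for in flow or firewall logs: a card terminal writing to a NetBIOS/SMB share, large ICMP payloads from a terminal (an ICMP tunnel rather than a ping), and FTP leaving the corporate address space towards a drop server. The script below is an added example written for this essay, not code from the original report or from Target; the POS address range (10.20.0.0/16), the payment switch address, the port list, the 128-byte ICMP threshold and the flow records themselves are all constructed assumptions.

```python
"""Flag exfiltration-style flows from a POS segment (added example, constructed data).

Three defender-side checks that map to the kill chain described above:
  * a POS terminal writing to a NetBIOS/SMB file share,
  * oversized ICMP from a POS terminal (possible ICMP tunnel),
  * any internal host pushing FTP to an address outside the corporate ranges.
The address ranges, ports and thresholds are assumptions, not Target's real values.
"""
import ipaddress
from dataclasses import dataclass

# Assumed corporate layout (not Target's): POS terminals live in 10.20.0.0/16,
# and the only thing they should talk to is the payment switch at 10.10.5.20.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
FILE_SHARE_PORTS = {139, 445}      # NetBIOS session service and SMB
FTP_PORTS = {20, 21}
ICMP_PAYLOAD_LIMIT = 128           # bytes; a normal ping carries far less

# Constructed flow records in a key=value format; 203.0.113.77 is a documentation
# address standing in for an external drop server.
SAMPLE_FLOWS = """\
2013-12-02T01:12:03 proto=tcp src=10.20.3.41 dst=10.10.5.20 dport=443 bytes=1820
2013-12-02T01:12:09 proto=tcp src=10.20.3.41 dst=10.30.7.15 dport=139 bytes=5242880
2013-12-02T01:13:40 proto=icmp src=10.20.3.41 dst=10.30.7.15 dport=0 bytes=1400
2013-12-02T01:13:41 proto=icmp src=10.20.3.41 dst=10.10.5.20 dport=0 bytes=56
2013-12-02T02:05:17 proto=tcp src=10.30.7.15 dst=203.0.113.77 dport=21 bytes=73400320
2013-12-02T02:06:00 proto=tcp src=10.20.3.42 dst=10.10.5.20 dport=443 bytes=1650
"""


@dataclass(frozen=True)
class Finding:
    when: str
    rule: str
    src: str
    dst: str


def parse_flow(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict with typed port/bytes."""
    fields = line.split()
    rec = {"when": fields[0]}
    for kv in fields[1:]:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(addr):
    """True when the address falls inside one of the assumed corporate ranges."""
    return any(addr in net for net in INTERNAL_RANGES)


def analyze(log_text):
    """Apply the three checks to every record and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        from_pos = src in POS_SEGMENT

        # A card terminal has no business writing to a Windows file share.
        if from_pos and f["proto"] == "tcp" and f["dport"] in FILE_SHARE_PORTS:
            findings.append(Finding(f["when"], "pos-to-file-share", f["src"], f["dst"]))

        # Large ICMP payloads from a terminal suggest a tunnel rather than a ping.
        if from_pos and f["proto"] == "icmp" and f["bytes"] > ICMP_PAYLOAD_LIMIT:
            findings.append(Finding(f["when"], "oversized-icmp-from-pos", f["src"], f["dst"]))

        # FTP leaving the corporate ranges is the drop-location pattern.
        if f["proto"] == "tcp" and f["dport"] in FTP_PORTS and not is_internal(dst):
            findings.append(Finding(f["when"], "ftp-to-external", f["src"], f["dst"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(f"{finding.when} {finding.rule:<24} {finding.src} -> {finding.dst}")
```

Run against the constructed records, the script raises exactly three findings: the 5 MB write from terminal 10.20.3.41 to a share on 10.30.7.15, the 1400-byte ICMP packet from the same terminal, and the 70 MB FTP transfer from 10.30.7.15 to the external address. The two 443 flows to the payment switch and the 56-byte ping pass silently, which is the point: the rules key on where POS traffic goes and how big it is, not on signatures of any particular malware, so they would also have fired on the ports 443 and 80 variant of the share traffic if the file-share rule were extended to those ports for POS sources.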


How was the breach discovered?

Target’s IT personnel had missed the alerts generated by the FireEye security monitoring solution and discovered the breach only when they were contacted by the US Department of Justice.

What could/should have been done to prevent the breach from occurring?

The following measures could have been taken:

1. Removal of the publicly available Microsoft case study on Target’s IT infrastructure from the public domain. It reveals too much information that could assist hackers in the reconnaissance phase.

2. Having a proper risk management process in place to identify threat vectors and vulnerabilities across the entire IT infrastructure on a regular basis would have ensured that vulnerabilities in the POS systems were identified. Additional threat modeling could have predicted the attacks used by the hackers to pivot from vulnerable systems to the POS systems. A risk management process would also have identified the most critical assets, along with the log analysis and monitoring needed to keep them secure.

3. Implementation of a defense in depth strategy could have stopped the hackers from infiltrating the network at multiple layers.

4. Mandatory security training for vendors. This would have prevented the phishing attack from obtaining the credentials for the login portal. Additionally, more stringent security measures could have been enforced for the vendor systems interacting with Target’s vendor portal.

5. Implementation of two-factor or multi-factor authentication for login to the vendor portal.

6. Security hardening and secure configuration of devices and systems, especially the vendor portal systems, the POS systems and the vulnerable systems used as pivots. In addition, security hardening would have disabled the NetBIOS file share, which was used to exfiltrate data.

7. Regular monitoring, vulnerability scanning and patching of the vendor portal would have addressed its inherent security issues.

8. Penetration testing of critical systems would have ensured that existing vulnerabilities were resolved and fixed in a timely manner.

9. Use of administrative privileges should be restricted. Easy access to administrative privileges may have made it possible to bypass network access controls and segmentation.

10. In addition to the existing FireEye-based intrusion detection systems, installation of a Host Intrusion Detection System (HIDS) would have been useful in detecting changes in server configurations.

11. Application whitelisting, to ensure that malware could not have been installed on the POS systems.

12. Additional security training for incident monitoring and incident response staff. In addition, more qualified monitoring staff should have been hired. This would have resulted in them paying heed to the FireEye alerts that were generated.

What were the direct consequences of the breach in the first 6 months after the event?

This major data breach had financial and reputational consequences, which affected the company, its customers, banks and senior employees.

The CEO of Target, Gregg Steinhafel, and the CIO, Beth Jacob, were fired or resigned after the data breach incident. In addition, the board members were threatened with being let go. The incident also resulted in more than 140 lawsuits being filed against the company. Target was supposedly compliant with PCI-DSS; however, due to the breach, banks have sued Trustwave, Target’s PCI-DSS compliance auditors.

Banks started paying back customers all the money that was stolen from their credit or debit cards. This totaled around $200 million. The Target stock price took a severe hit in the last quarter of 2013, when profits dropped by 46% compared to the year before. Moreover, the number of customers visiting Target stores fell in early 2014, resulting in prolonged losses.

In addition, Target also promised to provide identity theft protection and credit monitoring for 1 year, free of cost, to all customers who shopped at its US stores.

A management decision was taken by Target to spend $100 million on upgrading its payment terminals to support chip-and-PIN enabled credit/debit cards.

References

Radichel, T. (2014, August 5). Case Study: Critical Controls
that Could Have Prevented Target Breach. Retrieved January 24, 2017, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

McGrath, M. (2014, January 10). Target Data Breach Spilled
Info On As Many As 70 Million Customers. Retrieved January 23, 2018, from https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#1f6785c2e795

Krebs, B. (2014, May 06). The Target Breach, By the Numbers.
Retrieved January 23, 2018, from https://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/

Lynch, V. (2017, May 26). Cost of 2013 Target Data Breach
Nears $300 Million. Retrieved January 23, 2018, from https://www.thesslstore.com/blog/2013-target-data-breach-settled/

Kassner, M. (2015, February 02). Anatomy of the Target data
breach: Missed opportunities and lessons learned. Retrieved January 24, 2018,
from http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

Citations

[1] Wikipedia. (2014). Target Corporation. Retrieved January
24, 2018, from https://en.wikipedia.org/wiki/Target_Corporation

[2] Lynch, V. (2017, May 26). Cost of 2013 Target Data
Breach Nears $300 Million. Retrieved January 23, 2018, from https://www.thesslstore.com/blog/2013-target-data-breach-settled/

[3] Armerding, T. (2017, October 11). The 16 biggest data
breaches of the 21st century. Retrieved January 24, 2018, from https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html

[4] Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved January 24, 2017, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

JP Morgan Chase 2014 Data Breach

Background

“JP Morgan is the largest bank in the US with over $2.5 trillion in assets” [1]. JP Morgan is known to be extremely particular about securing its business operations and IT assets, as it spends $250 million annually on cyber-security initiatives.

How serious was the breach, both in scope and in costs?

The data breach at JP Morgan in 2014 stands out as one of the largest data breaches in history. 83 million records of Personally Identifiable Information (PII), such as full names and contact details (phone numbers, addresses and email addresses), were stolen. Household (76 million) and small business (7 million) accounts were affected. However, JP Morgan also confirmed that PII such as social security numbers and credit card information was not stolen. Some of the exfiltrated data included customer identification data by categories such as private banking, mortgage and credit cards.

This breach resulted in a high risk of identity theft, impersonation and phishing attacks.

Though JP Morgan has not officially disclosed the cost of the attack, it is estimated at $12.782 billion ($154/record) as per a study conducted by the Ponemon Institute.

How did the breach occur?

In June 2014, the computer of one of JP Morgan’s employees was infected with malware, which resulted in the theft of the user’s login credentials. The initial entry into JP Morgan’s network occurred when the infected user connected to the network through VPN. The hackers were then able to move laterally in the network and penetrate its various layers using malicious programs. The hackers were successful at privilege escalation and managed to compromise in excess of 90 servers. Supposedly, multiple zero-day exploits were used to penetrate the network. “To avoid detection, the data was stolen over a period of several months. The stolen login credential would have been useless if it weren’t for the overlooked server that failed to receive the two-factor authentication update.” [2]

How was the breach discovered?

The only reason the breach was discovered was that one of JP Morgan’s charity websites was breached by the hackers. “Hold Security, Inc. was the one that discovered a billion stolen passwords and usernames, some of which belonged to the J.P. Morgan Chase Corporate Challenge site.” [3] This resulted in JP Morgan’s security team inspecting their own network and discovering that they too were compromised. The hackers could have exfiltrated additional sensitive data from JP Morgan’s network if Hold Security had not noticed the breached information. It is estimated that the breach started in early April 2014 and continued until June 2014, as the hackers were able to conceal their tracks by clearing log files. The relatively quick detection of the breach ensured that the incident was mitigated before any financial data could be exfiltrated.

What could/should have been done to prevent the breach from occurring?

1. Using a host-based Intrusion Prevention System (HIPS) solution. The JP Morgan breach occurred because of an infected employee machine, with compromised login credentials, connecting to the company network through a VPN. JP Morgan did not provide additional details as to how this system was infected and the credentials stolen in the first place, but it can be deduced that this was the result of the employee clicking a link in a phishing email. Deploying a host-based IPS solution could have prevented such attacks. A HIPS offers better protection, as it monitors the system on which it is deployed and offers a preventive control by blocking and quarantining activities that seem suspicious.

2. Mandatory annual security training for employees. This would prevent phishing attacks, as employees would have a higher level of awareness of general security concerns. This is a critical step, as humans are the weakest link in any organization. Security training needs to be incorporated into JP Morgan’s global security policies.

3. Implementation of application whitelisting. If application whitelisting had been implemented, the malware could not have automatically installed itself on the employee’s computer, thus preventing the breach. However, constant monitoring, fine tuning and updating are required to ensure that legitimate applications are not blocked.

4. Internal network segregation. Protecting critical assets by limiting access based on VLAN zones would have prevented the hackers from moving laterally within the network and compromising additional systems. In addition, implementation of Role Based Access Control (RBAC) would have proved effective.

5. Implementing Network Access Control (NAC). Through NAC, access to network resources by endpoint devices is restricted and subject to their compliance with security policies.

6. Having all outbound traffic pass through a proxy. Hackers usually encrypt their data exfiltration traffic so that it goes undetected by an organization’s security defenses. A proxy would have the ability to decrypt traffic and verify whether the outbound or inbound traffic is authorized.

7. Regular monitoring, vulnerability scanning and patching of the critical IT infrastructure would have addressed inherent security issues. Deployment of an incident and log monitoring and analysis tool such as a SIEM would have helped in generating alerts while the breach was underway.

8. Penetration testing of critical systems would have ensured that existing vulnerabilities were resolved and fixed in a timely manner.

9. Security hardening of device configurations for all critical systems.

10. Deployment of honeypots. Honeypots are a great way to lure an attacker and must be monitored on a regular basis for any malicious activity. By analyzing the kill chain, attack tools and traffic, JP Morgan IT staff would be able to better secure their systems against future attacks.

11. Having a proper risk management process in place to identify threat vectors and vulnerabilities across the entire IT infrastructure on a regular basis would have ensured that vulnerabilities in critical systems were identified. Additional threat modeling could have predicted the attacks used by the hackers. A risk management process would also have identified the most critical assets of the organization, enabling JP Morgan to implement stronger mechanisms to protect them.

12. Implementation of a defense in depth strategy could have prevented the hackers from moving laterally and infiltrating the network at multiple layers.

13. Implementation of multi-factor authentication for all servers would have prevented the hackers from gaining control of a vulnerable server and offered more resilience to an attack.
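The quoted root cause in the “How did the breach occur?” section (a server that never received the two-factor authentication update) and recommendation 13 above both come down to one question a defender can answer from data they already hold: for every server, do successful logins actually carry a second factor, and is every server even on the list that the MFA rollout worked from? The audit below is an added example written for this essay, not JP Morgan’s tooling; the hostnames, user names, the `key=value` authentication log format and the inventory are constructed, and the status names are my own.

```python
"""Audit which servers actually enforce a second factor (added example, constructed data).

Given an inventory of servers that are all supposed to require MFA and a set of
authentication records, report per host whether MFA is enforced, partially
enforced, never enforced, or whether the host is missing from the inventory
altogether (the 'overlooked server' case). Hostnames, users and the log format
are invented for this example and are not JP Morgan's.
"""
from collections import defaultdict

# Constructed inventory: every host listed here should require MFA on login.
SERVER_INVENTORY = {"vpn-gw-01", "app-srv-07", "legacy-srv-42", "idle-srv-99"}

# Constructed authentication records; db-srv-13 is deliberately absent from the inventory.
SAMPLE_AUTH_LOG = """\
2014-04-03T08:01:12 host=vpn-gw-01 user=jdoe result=success mfa=yes
2014-04-03T08:02:40 host=app-srv-07 user=svc-deploy result=success mfa=yes
2014-04-03T08:05:09 host=legacy-srv-42 user=jdoe result=success mfa=no
2014-04-03T08:05:31 host=legacy-srv-42 user=jdoe result=failure mfa=no
2014-04-04T22:14:55 host=legacy-srv-42 user=admin result=success mfa=no
2014-04-05T09:00:00 host=app-srv-07 user=jdoe result=success mfa=no
2014-04-05T09:30:12 host=db-srv-13 user=admin result=success mfa=no
"""

# Statuses that mean a stolen password alone would still work somewhere.
ACTION_STATUSES = {"partial", "not-enforced", "unknown-host"}


def parse_auth(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict."""
    fields = line.split()
    rec = {"when": fields[0]}
    for kv in fields[1:]:
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def audit_mfa(log_text, inventory):
    """Return {host: status} for every inventoried host plus any host seen only in the log."""
    with_mfa = defaultdict(int)
    without_mfa = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_auth(line)
        # Only successful logins show whether the second factor was actually required.
        if rec["result"] != "success":
            continue
        counter = with_mfa if rec["mfa"] == "yes" else without_mfa
        counter[rec["host"]] += 1

    report = {}
    for host in sorted(set(inventory) | set(with_mfa) | set(without_mfa)):
        if host not in inventory:
            report[host] = "unknown-host"   # the rollout never reached it because nobody knew it existed
        elif with_mfa[host] == 0 and without_mfa[host] == 0:
            report[host] = "no-logins"      # logs alone cannot tell; needs a configuration check
        elif without_mfa[host] == 0:
            report[host] = "enforced"
        elif with_mfa[host] == 0:
            report[host] = "not-enforced"
        else:
            report[host] = "partial"        # some sessions bypass MFA, e.g. a second login path
    return report


def hosts_needing_action(report):
    """Hosts where a password alone still grants access, sorted for a ticket queue."""
    return sorted(host for host, status in report.items() if status in ACTION_STATUSES)


if __name__ == "__main__":
    result = audit_mfa(SAMPLE_AUTH_LOG, SERVER_INVENTORY)
    for host, status in result.items():
        print(f"{host:<14} {status}")
    print("needs action:", ", ".join(hosts_needing_action(result)))
```

On the constructed data the audit separates four situations that a single “MFA deployed: yes” checkbox hides: vpn-gw-01 is enforced, legacy-srv-42 never challenges for a second factor, app-srv-07 has a mix (one login path enforces, another does not), and db-srv-13 appears in the logs but not in the inventory at all, which is exactly how an overlooked server stays overlooked. idle-srv-99 produced no logins, so its state has to be confirmed from configuration rather than from logs; reporting that gap explicitly is better than silently counting it as compliant.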

What were the direct consequences of the breach in the first 6 months after the event?

The financial and reputational impact of this breach was minimal. Its share price fell by only 1.3% by August 2014. JP Morgan currently spends $250 million per year on cyber-security. Following the incident, management decided to double the cyber-security spending to $500 million in 5 years and also to increase the number of security professionals to 1000.

In addition, this breach left JP Morgan’s customers at high risk of identity theft and impersonation attacks. Small business account owners were told by JP Morgan to change their account passwords immediately.

As a consequence, JP Morgan also began the process of swapping and replacing some of its enterprise applications and reworking product licensing with its technology suppliers.


References

Jeng, A. (2015, March 15). Minimizing Damage from JP
Morgan’s Data breach. Retrieved January 27, 2018, from https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822

Howden, S. (2015, December 02). What was the cost of the JP
Morgan Chase data breach? Retrieved January 27, 2018, from https://www.morganmckinley.co.jp/en/article/what-was-cost-jp-morgan-chase-data-breach

Goldstein, M., Perlroth, N., & Corkery, M. (2014, December 22). Neglected Server Provided Entry for JPMorgan Hackers. Retrieved January 27, 2018, from https://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/

Howarth, F. (2015, April 30). The Damage of a Security
Breach: Financial Institutions Face Monetary, Reputational Losses. Retrieved
January 27, 2018, from https://securityintelligence.com/the-damage-of-a-security-breach-financial-institutions-face-monetary-reputational-losses/

Silver-Greenberg, J., Goldstein, M., & Perlroth, N. (2014, October 02). JPMorgan Chase Hacking Affects 76 Million Households. Retrieved January 27, 2018, from https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

Citations

[1] Lewis, D. (2014, October 03). JP Morgan data breach
confirmed affecting at least 83 million customers. Retrieved January 27, 2018,
from https://www.csoonline.com/article/2691596/data-breach/jp-morgan-data-breach-confirmed-affecting-at-least-83-million-customers.html

[2] Jeng, A. (2015, March 15). Minimizing Damage from JP
Morgan’s Data breach. Retrieved January 27, 2018, from https://www.sans.org/reading-room/whitepapers/casestudies/minimizing-damage-jp-morgan-039-s-data-breach-35822
