1. Identify five major themes (with a focus on the breach’s cause and effect) that can help to refine the threat elements further and give a better perspective on the Target breach.
2. Discuss why, despite substantial investments made in the past, Target still suffers security weaknesses.
3. Choose one particular discipline relevant to the breach, based on your field of study at CGU (such as Psychology, Sociology, Economics, Management, Political Science, Mathematics, Education, Philosophy, History, Anthropology, Law, Health, Religion and Culture, Science and Technology). In your particular discipline, define a specific research question that will enable you to produce more understanding about the Target breach.
The field of study is computer information systems.
Case Study Target Questions
Hackers from various unknown locations commenced a phishing campaign against Fazio Mechanical Services, the ventilation and external heating provider for Target (Srinivasan et al. 2). After the attack, the information and data about the vendor of the company were made available to the public. Once a Fazio employee opened the email, the hackers were able to steal the relevant passwords to disseminate the aforementioned information.
Fazio's primary tool for detecting malware was ‘Malwarebytes Anti-Malware’, which had been prohibited for business use (Srinivasan et al. 2). Target did not scrutinize the security arrangements of the vendor.
Payment Card Industry (PCI)
Target identified several vulnerabilities in the cash registers and the card payment systems but failed to investigate them. Furthermore, hackers used the stolen credentials to gain access to the company's network for electronic billing, submission of contracts, and project management (Srinivasan et al. 2). The above intrusion could have been prevented with the PCI requiring two-factor authentication, including a password and a verification code.
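The password-plus-verification-code control described above can be shown in a few lines. This is an added example, not part of the original essay or the cited case: it uses standard time-based one-time codes (RFC 6238), and the account name, password and `login` function are hypothetical sample values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each verification code stays valid

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // STEP), digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed vendor-portal account; every value here is sample data.
ACCOUNTS = {
    "hvac-vendor": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("Summer2013!", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
        "last_counter": -1,  # highest time step already accepted
    }
}

def login(user: str, password: str, code: str, now: float) -> bool:
    """Grant access only when BOTH the password and a fresh code verify."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"])
    current = int(now // STEP)
    matched = None
    for counter in (current, current - 1):  # tolerate one step of clock drift
        expected = hotp(acct["totp_secret"], counter).encode()
        if counter > acct["last_counter"] and hmac.compare_digest(expected, code.encode()):
            matched = counter
            break
    if pw_ok and matched is not None:
        acct["last_counter"] = matched  # an accepted code cannot be replayed
        return True
    return False
```

A stolen password submitted without the current code is rejected, and so is a code that has already been accepted once.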
Point-of-Sale (POS) Systems, Citadel, and the RAM scrapers
The malware incorporated by various hackers was designed to steal the customer data for Target at the POS (Srinivasan et al. 3). Citadel and the RAM scrapers were used to copy the card information of the customers while in the POS storage system of the company.
Flaws in Network Design
The network design of the company allowed hackers to scour through the firm’s internal network and update various malware for subsequent attacks (Srinivasan et al. 3). According to security reports, the attackers initially installed three modifications of the malware, which was further updated twice.
An investigation by the Senate indicated that the security team at the company had identified various vulnerabilities in the POS system. Moreover, the team had requested a review of the network from top management (Srinivasan et al. 3). According to one of the previous employees, the firm updated the payment portals, which limited the time that the security personnel had to identify flaws within the system. Notwithstanding, the Senate investigation found that the analysts’ request was ignored while Target prepared for an impending Black Friday. The above employee elaborated that the vast amount of warnings received by the retailer made it hard to identify the issue to be prioritized. Furthermore, the company has a big cybersecurity team, which identifies the threats weekly. Also, Target did not comply with PCI 2.0 when the breach occurred, since the attack went unnoticed for up to 18 days (Srinivasan et al. 7). The company should have elaborated on the requirements to vendors such as Fazio on close monitoring of the integrity of their files.
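File-integrity monitoring of the kind recommended above compares a directory against a trusted baseline of hashes. The following is an added example, not taken from the essay or its sources; the file names and contents are constructed, and the scenario mirrors the pattern described earlier of software being installed and then updated twice.

```python
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            sha = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            digests[os.path.relpath(path, root)] = sha.hexdigest()
    return digests

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }

def write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo() -> list:
    """Constructed scenario: an unknown file appears, then is updated twice."""
    reports = []
    with tempfile.TemporaryDirectory() as root:
        write(root, "pos.exe", b"register software")   # constructed file names
        write(root, "settings.ini", b"store=0001")
        baseline = snapshot(root)
        for payload in (b"unknown v1", b"unknown v2", b"unknown v3"):
            write(root, "svc-helper.dll", payload)
            current = snapshot(root)
            reports.append(compare(baseline, current))
            baseline = current  # re-baseline only after the alert is reviewed
    return reports

if __name__ == "__main__":
    for number, report in enumerate(demo(), 1):
        print(f"scan {number}: {report}")
```

Each of the three scans raises a finding: the first reports a new file, and the next two report that the same file changed.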
The breach at Target is a watershed circumstance in the regulation of cybersecurity. Awareness of the employees’ behavior in the company demonstrated the extent to which corporations allow workers to circumvent various technological architectures, which exposes the systems of the firm to breaches (Manworren et al. 4). Congress considered various data breach and cybersecurity laws. Such considerations by Congress, both procedural and structural, are necessary for the assessment of the current framework of cybersecurity. Nonetheless, the absence of federal laws and regulations allowed various corporations to pass massive amounts of money in expenses associated with data loss on to several credit companies, consumers, and insurance firms. The Target attack is a warning to courts and regulators about the role that organizations play in allowing a vast loss of data. Kim et al. elaborate that the absence of federal regulations requires corporations operating within several states to comply with the respective laws in the individual regions, making compliance inefficient (2).
Kim, Bokyung et al. “Lessons From The Five Data Breaches: Analyzing Framed Crisis Response Strategies And Crisis Severity”. Cogent Business & Management, vol 4, no. 1, 2017, pp. 1-16. Informa UK Limited, doi:10.1080/23311975.2017.1354525. Accessed 12 Feb 2020.
Manworren, Nathan et al. “Why You Should Care About The Target Data Breach”. Business Horizons, vol 59, no. 3, 2016, pp. 1-10. Elsevier BV, doi:10.1016/j.bushor.2016.01.002. Accessed 12 Feb 2020.
Srinivasan, Suraj et al. “Cyber Breach At Target”. Harvard Business School, 2019, pp. 1-32. Accessed 12 Feb 2020.