MTSU Information Security and Risk Management Case Study


Computer Science

Middle Tennessee State University

Description

Write, individually, a short summary of each case (about one A4 page for each of the two cases), focusing on the regulatory aspects (legal areas, standards, policy and regulations) of information security.

Please address the following questions:

1. What are the threats, risks and vulnerabilities in the incidents presented in the case?

2. Identify the legal areas and, where possible, the specific rules in legislation that are relevant to the case.

3. Which lessons for management can be drawn from the case? What could have been done to prevent or reduce the risks? If relevant, identify the applicable standards and policy areas.


The cases:

1. Plachkinova, M. & Maurer, C. (2018). Teaching Case: Security Breach at Target. Journal of Information Systems Education, 29(1), 11-20.

2. Bronx Lebanon Hospital Center Data Breach:
   a. https://www.nbcnews.com/news/us-news/thousands-patient-records-leakedhospitaldata-breach-n756981
   b. https://www.hipaajournal.com/phi-of-thousands-of-patients-of-bronxlebanonhospital-center-exposed-online-8805/
   c. https://www.scmagazine.com/home/opinions/blogs/the-data-breachblog/7000affected-in-bronx-lebanon-hospital-data-breach
   d. https://www.datex.ca/blog/2017-data-breaches-the-worst-so-far

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing. The records were neither encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals. The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health histories and highly sensitive data including HIV statuses, reports of domestic violence, sexual assaults and addiction histories.
It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company. In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers. While most data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred, and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error. The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.

Bronx Lebanon Hospital Center, May 10, 2017: Thousands of HIPAA-protected medical records were exposed in a data breach due to a misconfigured Rsync backup server hosted by a third party, iHealth. At least 7,000 patients who visited the Bronx Lebanon Hospital Center in New York between 2014 and 2017 may have had extremely personal information compromised. Leaked information has been reported to include names, home addresses, religious affiliations, addiction histories, mental health and medical diagnoses, HIV statuses, and sexual assault and domestic violence reports.
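The exposure described above is a standard rsync daemon misconfiguration: a module reachable from any address, with no password and no transport encryption. As an added example (not from the articles, Kromtech or iHealth), the Python script below audits an rsyncd.conf for exactly those settings and contrasts a constructed weak configuration with a hardened one; the module name, paths and addresses are made up for illustration.

```python
"""Added example: audit an rsyncd.conf for the exposure pattern behind this leak."""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global_params, {module_name: params}).

    Keys are lower-cased; a '[name]' line starts a module; everything before the
    first module is the global section, whose values act as defaults for modules.
    """
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (modules[current] if current else global_params)[key.lower()] = value
    return global_params, modules


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_module(params):
    """Findings for one module after global defaults have been merged in."""
    findings = []
    if not params.get("auth users"):
        findings.append("no 'auth users': module is readable without any password")
    elif not params.get("secrets file"):
        findings.append("'auth users' set but no 'secrets file': authentication is misconfigured")
    if not params.get("hosts allow"):
        findings.append("no 'hosts allow': any source address, including the internet, may connect")
    if not _truthy(params.get("read only", "yes")):
        findings.append("'read only = no': clients can alter or plant files in the backup")
    if _truthy(params.get("list", "yes")):
        findings.append("'list = yes' (default): module name is shown to anyone enumerating the daemon")
    return findings


def audit(conf_text):
    """Map of module name (or '(global)') to its findings; an empty map means clean."""
    global_params, modules = parse_rsyncd_conf(conf_text)
    report = {}
    if not global_params.get("address"):
        report["(global)"] = ["no 'address': daemon binds every interface, not just the backup LAN"]
    for name, params in modules.items():
        findings = audit_module({**global_params, **params})
        if findings:
            report[name] = findings
    return report


# Constructed: the kind of configuration that turns up in a Shodan sweep of port 873.
WEAK_CONF = """
pid file = /var/run/rsyncd.pid
[patient-backups]
    path = /srv/backups/patients
    comment = nightly EHR export
    read only = no
"""

# Constructed: the same module with the controls the articles say were missing.
HARDENED_CONF = """
address = 10.20.0.5
pid file = /var/run/rsyncd.pid
[patient-backups]
    path = /srv/backups/patients
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/24
    read only = yes
    list = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Even with the hardened settings, the rsync daemon protocol on TCP 873 carries file contents in the clear, so the module should only be reachable inside a private network or the transfer should run over SSH.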
Once the breach was detected, the hospital and iHealth took immediate steps to protect the exposed data.

Medical records of at least 7,000 people compromised in a data breach involving Bronx Lebanon Hospital Center in New York disclosed patients' mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports, according to records reviewed by NBC News. Other information in the compromised records, which online security experts said spanned 2014 to 2017, included names, home addresses, addiction histories and religious affiliations.

[Figure: redacted screengrab of a leaked patient medical record from Bronx-Lebanon Hospital Center. Screengrab by MacKeeper Security Research Center, used with permission.]

Bob Diachenko, a security researcher with MacKeeper Security Research Center, told NBC News on Tuesday the leak was caused by a misconfigured Rsync backup server hosted by iHealth, a Louisville, Kentucky-based company that offers records management technology. It's unclear how long the records were exposed, but "if you visited BLHC during that period of time, your patient history was probably there," Diachenko said.

The type of medical records exposed in the data breach are protected under the Health Insurance Portability and Accountability Act (HIPAA). In its summary of the HIPAA security rule, the Department of Health and Human Services noted that "the rise in the adoption rate of these technologies [electronic health records] increases the potential security risks."

Diachenko's team discovered the leak in early May during a routine sweep of the internet using Shodan, a search engine for networked devices from webcams to databases and industrial systems.

"Just one 'addiction intake' file that researchers reviewed painted a full picture of the patient's drug use, medical history and suicidal thoughts and many other data points that the average person would never even consider," Diachenko said.

[Figure: redacted leaked patient records from Bronx Lebanon Hospital Center. MacKeeper Security Research Center, with permission.]

Bronx-Lebanon Hospital Center confirmed the breach to NBC News. "iHealth Solutions, Inc. (iHealth) confirmed to Bronx-Lebanon Hospital Center that an iHealth server containing hospital data was the target of an unauthorized hack by a third party. The hospital and its vendor, iHealth, took immediate steps to protect the data," the hospital said in a statement via email. "The hospital is cooperating fully with law enforcement agencies," it said.

iHealth told NBC News on Tuesday night that only one person had unapproved access to the data. It said it immediately took steps to identify and remediate the issue, including an internal review. "While iHealth continues to work with a leading IT security firm to validate its analysis, at this time, iHealth believes that the issue has been contained," the company said. "iHealth has no indication that any data has been used inappropriately."

Leaks from Rsync servers, which transfer and synchronize files across computer systems, are common; in February, NBC News reported that misconfigured protocols at PIP Printing exposed thousands of documents, including the medical records of National Football League players and confidential filings in a sexual harassment lawsuit at the company that publishes Hustler magazine.

In a blog post Tuesday, data security journalist Dissent Doe wrote that she was "tired of reporting" on leaks blamed on a simple protocol error in a server's firewall. "How many more nude photos of patients or ultrasound images will be exposed," Doe asked, "because of misconfigured Rsync backups?"
"It's almost as if no one is listening to any of the researchers begging entities to secure their data," Doe added, pointing to the arrest of Justin Shafer, a security researcher who was raided by the FBI after he wrote a blog post about exposed patient data leaked by a dental software company.

The difference between white hat security researchers and malicious hackers is stark. While malicious hackers could access leaked data with the intent to steal or blackmail, researchers like Diachenko scan for leaks to inform companies so they can repair them — and protect consumer and patient privacy.

Diachenko had words of advice for techies looking to ensure maximum protection for their sensitive data storage. "It's important to follow the golden rules of 'cyber hygiene': you need to continuously check (ping) your 'internal' IP from the external environment," Diachenko said. "And, of course, don't forget to put a password on a backup device."

Journal of Information Systems Education, Volume 29, Issue 1, Winter 2018

Teaching Case: Security Breach at Target
Miloslava Plachkinova and Chris Maurer

Recommended Citation: Plachkinova, M. & Maurer, C. (2018). Teaching Case: Security Breach at Target. Journal of Information Systems Education, 29(1), 11-20.
Article Link: http://jise.org/Volume29/n1/JISEv29n1p11.html

Initial Submission: 31 January 2017
Accepted: 26 October 2017
Abstract Posted Online: 12 December 2017
Published: 21 March 2018

Full terms and conditions of access and use, archived papers, submission instructions, a search tool, and much more can be found on the JISE website: http://jise.org
ISSN: 2574-3872 (Online) 1055-3096 (Print)

Teaching Case: Security Breach at Target

Miloslava Plachkinova, Department of Information and Technology Management, University of Tampa, Tampa, FL 33606, USA, mplachkinova@ut.edu
Chris Maurer, McIntire School of Commerce, University of Virginia, Charlottesville, VA 22903, USA, maurer@virginia.edu

ABSTRACT

This case study follows the security breach that affected Target at the end of 2013 and resulted in the loss of financial data for over 70 million customers. The case provides an overview of the company and describes the reasons that led to one of the biggest security breaches in history. It offers a discussion on Target’s vendor management processes and the vulnerability at Fazio Mechanical Services that was among the main causes of the breach. Further, the case introduces the incident response plan implemented by Target and discusses the aftermath of the attack. The lessons learned describe some of the steps the company took to mitigate risks in the future and to strengthen its security posture. While the breach had a significant impact on Target, the organization was able to fully recover from it and develop best practices that are now widely implemented by other retailers. The case is suitable for both undergraduate and graduate students enrolled in information security or information systems courses that discuss vendor management, security incident response, or general security program administration topics.

Keywords: Information assurance & security, Cybersecurity, Case study, Teaching case, Experiential learning & education

1. INTRODUCTION

There are numerous definitions of information security, but many of them revolve around achieving confidentiality, integrity, and availability of the information and/or systems (Anderson, 2003; Dhillon and Backhouse, 2000; Sumra, Hasbullah, and AbManan, 2015; Von Solms and Van Niekerk, 2013). These goals are important, as they provide trust and guarantee the safety of data in motion and data at rest.
Within the retail industry, information security is critical as it ensures that the organizations follow best practices and can protect the personal and financial information of the customers. As Greig, Renaud, and Flowerday (2015) point out, a focus on employee behavior is vital since an “organization’s success or failure effectively depends on the things that its employees do or fail to do” (Da Veiga and Eloff, 2010). Security culture has the potential to play a significant role in this respect (Vroom and Von Solms, 2004). A strong and effective security culture is in place when every employee performs daily tasks in a secure manner and such secure behavior is considered to be ‘the norm’ (Von Solms, 2000).

Demonstrating a strong security posture is especially important for retail companies because they rely on having positive brand recognition and gaining the customers’ trust. A security breach at a big retail company can also have a domino effect and potentially impact many other corporations in a negative way. Thus, understanding the critically important factors in building a strong security culture and following best practices is essential for any retail company.

2. MOTIVATION

The authors’ motivation to write this case study comes from the need to incorporate real world examples into the cybersecurity curriculum. While it is important for students to master terminology and have solid foundational knowledge, the authors believe they should also be able to apply the knowledge to actual organizational settings where information security issues arise. There has been a myriad of breaches affecting a wide range of companies and individuals (Home Depot, JP Morgan Chase, Ashley Madison, the Office of Personnel and Management, eBay, Sony, and Hillary Clinton), but there are relatively few case studies developed solely for use in the classroom with accompanying learning objectives and teaching notes.
Thus, the authors wanted to explore the recent security breach at Target due to the abundance of information available and the various angles from which the students can approach the topic. The structure of the presented case study is as follows: Target’s company profile, the timeline of the events, the company’s business processes before and after the breach (including vendor management and incident response), the investigation, the fallout, and lessons learned.

3. EVALUATION

After drafting the case text, it was distributed to students in an information security principles course at a medium-sized, private university in the US. Thirty-eight undergraduate students were presented with the case text and reflection questions (provided in the teaching notes). Students’ analyses of the case and reflection questions were collected as part of a graded assignment and were evaluated using rubrics to determine whether students exceeded, met, or did not meet expectations across various learning objectives. The authors also provided students with a paper survey that included several open-ended questions. The authors asked them to describe what they liked and disliked about the case, whether any additional information should be provided, whether they have any suggestions for improvement, and what sources they used when preparing their analyses.

Overall, students provided very positive feedback on the case write-up. Students expressed some concern over the discussion of vendor management processes, and therefore additional detail around the vendor management processes was added to the case. In terms of performance against learning outcomes, the average grade students received on this assignment was 94%, which exceeds expectations. More specifically, 1 student did not meet the expectations (90%). These results indicate that students were able to successfully perform the case study analysis, understand and interpret the main issues, and provide feasible and adequate solutions for improving the security practice at Target Corp. The authors evaluated the students’ writing skills, as well as their ability to support their statements with additional resources, readings, and integrate previous course content in their analysis. The authors used TurnItIn to avoid any plagiarism on the assignment, and the grading rubrics were adapted from the University’s College of Business recommended rubric for problem solving.

4. CASE SYNOPSIS

At the end of 2013, amid the holiday shopping season, Target became a victim of a security breach affecting over 70 million customers. Their personal and financial data was stolen through a vulnerability in one of Target’s vendors – Fazio Mechanical Services. The breach was first reported by the security journalist Brian Krebs, and Target’s official response came shortly after the announcement. While slightly late, the company’s incident management was still successful as they were able to regain the customers’ trust and maintain their status as a successful retailer. After the attack, Target implemented several steps to mitigate any future breaches. The company created a Cyber Fusion Center, provided free credit card monitoring for its customers, and implemented POS terminals with chip readers. These steps demonstrate Target’s efforts to improve its security and minimize the risk of other attacks in the future.

5. CASE TEXT

5.1 Company Profile

With its first store opening in Roseville, Minnesota, on May 1, 1962, Target aimed to differentiate itself by providing many features of traditional department stores but provide low prices typically associated with discount retailers.
The name Target was chosen purposefully as Stewart Widdess (Director of Publicity) states “As a marksman’s goal is to hit the center bulls-eye, the new store would do much the same in terms of retail goods, services, commitment to the community, price, value and overall experience” (Target, 2017). The company went public on October 18, 1967, (under the name “Dayton Corporation”) and began expanding across the country. Through various acquisitions and expansions into new areas of the country, Target has become the second-largest discount retailer in the United States (behind Walmart). As of February 1, 2014, Target operated 1,793 retail store locations in the United States, employed approximately 360,000 employees, and had annual revenues of $72.6 billion (Statista, 2015). Target’s slogan of “Expect more. Pay less.” embodies their corporate mission of providing great value to its customers while maintaining an exceptional shopping experience. A key component of Target’s strategy for creating an exceptional experience for both customers and employees is to always behave ethically and with integrity. Their efforts to be a responsible corporate citizen have earned various awards such as inclusion on Fortune Magazine’s “20 Most Generous Companies of the Fortune 500” and “World’s Most Admired Companies” lists (Target, 2017). While Target has worked diligently to position itself as a leading retailer in the United States with prominent charitable values, they have certainly experienced hardships throughout their long history. Notably, in 2013, they suffered a massive data breach that exposed sensitive financial information for millions of customers. While the data breach significantly affected Target’s operations, the company has recovered and has learned many valuable lessons on the importance of protecting sensitive information. 
5.2 Before the Breach

Like many corporations, Target employed a staff of dedicated security professionals to implement safeguards to protect sensitive data. As part of their ongoing security efforts, Target successfully passed a compliance audit for the Payment Card Industry Data Security Standard (PCI-DSS) in September of 2013 (Riley et al., 2014). PCI audits involve a review of critical security controls and systems configurations to verify that best practices for protecting payment card information on computer systems are maintained. Target also completed the implementation of a $1.6 million malware detection tool developed by the cybersecurity company FireEye in 2013 (Riley et al., 2014). Their security operations center, with teams of personnel in Minneapolis, Minnesota, and Bangalore, India, provided round-the-clock monitoring of cybersecurity threats on the network. While there is no method for ensuring complete protection against cybersecurity threats, Target appeared to be following industry best practices and had reasonable security controls in place.

5.3 Breach Notification and Initial Response

On November 30, 2013, security operations personnel in Bangalore, India, received a notification from their malware detection software that some potentially malicious activity was recorded on the network. The alert was shared with security personnel in Minneapolis, but no further action was taken. Another alert was raised on December 2, 2013, but again no action was taken (Riley et al., 2014). It was not until December 12, 2013, when the U.S. Department of Justice contacted Target about a possible data breach on their network, that Target began investigating the issue in earnest. The Federal Bureau of Investigation (FBI) and the Secret Service joined the investigation as well.
While no public disclosure was made at the time, the independent security researcher and blogger, Brian Krebs, posted information regarding a possible breach of the Target network on December 18, 2013. On December 19, 2013, Target issued the following public statement on the matter:

Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue. “Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.” Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.

Initially, Target denied that debit card PIN numbers had been stolen, but reports confirmed that encrypted PIN numbers had indeed been stolen (Finkle and Henry, 2013). Another update (Target, 2014) on the breach was provided by the company a month later, on January 10, 2014, outlining the fact that personal information (names, addresses, phone numbers, and email addresses) was also taken in this breach.
While there were some critiques about the fact that the company delayed its response after initially identifying the breach, Target Chairman and CEO Gregg Steinhafel defended the decision:

Sunday (Dec. 15) was really day one. That was the day we confirmed we had an issue and so our number one priority was ... making our environment safe and secure. By six o’clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk. Day two was really about initiating the investigation work and the forensic work ... that has been ongoing. Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification. (Quick, 2014)

In addition to the public response, Target sent out an email to its customers (Appendix A) on January 16, 2014, offering one year of free credit monitoring. The company provided them with information about protecting themselves and staying safe. However, the email was sent to many individuals who never had conducted business with Target, which raised speculation as to how the retailer obtained the data. One possible explanation is that perhaps the email addresses were from Amazon, a remnant from the old Amazon-Target partnership. However, when consumers asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, “The information was obtained by Target through the normal course of our business” (Quirk, 2014). Instead of retaining its customers and solidifying their trust with the offered incentives, Target opened another door for speculations on its processes for collecting and handling customer data.
5.4 The Investigation

As part of the incident response process, Target commissioned security professionals at Verizon to assist in the investigation into how the breach occurred. A detailed security audit was performed from December 21, 2013, to March 1, 2014, and served two primary purposes: 1) identify the root cause of the breach and 2) identify opportunities to improve the security of Target’s infrastructure. While the report issued by Verizon has remained confidential, various media outlets claimed to have received information stemming directly from the report. The findings presented below have not been confirmed by Target, but have been reported by several reputable security researchers and media outlets.

The initial point of entry appears to have stemmed from hijacked credentials stolen from Fazio Mechanical Services, a third party service provider. Fazio, a supplier of refrigeration devices and services, began working with Target to support the expansion of fresh food offerings across stores in the United States. As with many other vendors and suppliers of Target, Fazio was provided access to Target’s systems to handle “electronic billing, contract submission, and project management.” Fazio Mechanical did not, however, “perform remote monitoring or control of heating, cooling, or refrigeration systems for Target” (Fazio Mechanical Services, 2014). In the fall of 2013, Fazio Mechanical Services was the “victim of a sophisticated cyber-attack operation” despite stating that their “IT system and security measures are in full compliance with industry best practices” (Fazio Mechanical Services, 2014). Industry experts believe the breach involved an infection of the ‘Citadel’ malware that can be used to steal logon credentials from computer systems.
Despite a claim that Fazio was in compliance with “industry best practices,” it has been alleged that Fazio relied on the free, non-commercial version of Malwarebytes Anti-Malware software, which does not provide real-time protection. It is not clear whether Target enforced any ongoing security reviews of its vendors to ensure compliance with security best practices. While this attack did not appear to have an immediate impact on Fazio, it is likely that account credentials for accessing Target systems were stolen during the Fazio breach. Access to Target’s systems granted to Fazio would not have allowed attackers to access customer data, however, so additional vulnerabilities inside the Target network must have allowed attackers to escalate their account privileges, traverse the network, and obtain over 40 million customer card numbers.

Further investigation revealed that there were no major obstacles to accessing point of sale (POS) terminals across the entire network once inside the internal Target network. This lack of network segmentation could allow any malicious user the ability to traverse the network and attempt to access various devices ranging from point of sale terminals to mission critical back-end systems. To illustrate the lack of segmentation, the Verizon audit team supposedly accessed a cash register after they compromised a deli counter scale that was located in a different store (Krebs, 2015).

The audit team also found significant problems with enforcement of password policies. Target maintained a password policy that included industry-standard practices; however, investigators found multiple files stored on Target servers that included logon credentials for various systems.
According to Brian Krebs, the audit report revealed that

The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password. Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access. (Krebs, 2015)

The use of weak passwords was apparently rampant within the Target infrastructure, and the security investigation team was able to crack over 500,000 passwords, representing 86% of identified accounts, to various internal Target systems. Investigators also identified significant issues related to the maintenance and patching of systems. Again, Brian Krebs claims:

For example, the Verizon consultants found systems missing critical Microsoft patches, or running outdated [web server] software such as Apache, IBM WebSphere, and PHP. These services were hosted on web servers, databases, and other critical infrastructure. These services have many known vulnerabilities associated with them. In several of these instances where Verizon discovered these outdated services or unpatched systems, they were able to gain access to the affected systems without needing to know any authentication credentials. Verizon and the Target Red Team exploited several vulnerabilities on the internal network, from an unauthenticated standpoint. The consultants were able to use this initial access to compromise additional systems. Information on these additional systems eventually led to Verizon gaining full access to the network – and all sensitive data stored on network shares – through a domain administrator account. (Krebs, 2015)

Given the previously stated vulnerabilities, the attackers were able to access point of sale terminals and install malware directly on all machines across the network.
Given the timing of the alerts triggered by Target’s anti-malware software in late November and early December, it is likely that the malware was installed on the terminals at this time. The malware contained memory-scraping functionality that allowed the attackers to intercept cardholder information before it was sent for processing by a payment processor. The PCI-DSS specifically requires payment card processors to “encrypt transmission of cardholder data across open, public networks” (Security Standards Council, 2016). However, the configuration of point of sale terminals at Target did not provide the ability to immediately encrypt cardholder data upon registering a card swipe. Because of this, card data remained in plain text within the POS terminal’s memory. This data was only encrypted upon preparation for transit to external card processing systems (as required under PCI-DSS). Since the malware was installed directly on POS terminals and allowed the ability to scrape data from memory of these machines, the attackers were able to intercept unencrypted cardholder data for all card swipes registered in Target stores.

5.5 The Fallout

Target has claimed that up to 70 million individuals may have been impacted by this data breach (Target, 2015a). At the time, this was one of the top ten largest data breaches recorded (Quick et al., 2016). In the aftermath of the breach, consumer confidence in Target was impaired significantly. According to Kantar Retail, a consulting group researching consumer spending behaviors, the percentage of U.S. households shopping at Target in January 2014 was 33%. This was down from 43% for the same month the preceding year (Malcolm, 2014). In Target’s annual report filed with the SEC on March 14, 2014, the company stated:

We believe the Data Breach adversely affected our fourth quarter U.S. Segment sales. Prior to our December 19, 2013, announcement of the Data Breach, our U.S.
Segment fourth quarter comparable sales were positive, followed by meaningfully negative comparable sales results following the announcement. Comparable sales began to recover in January 2014. The collective interaction of year-overyear changes in the retail calendar (e.g., the number of Journal of Information Systems Education, Vol. 29(1) Winter 2018 days between Thanksgiving and Christmas), combined with the broad array of competitive, consumer behavioral and weather factors makes any quantification of the precise impact of the Data Breach on sales infeasible. (United States Securities and Exchange Commission, 2014) Data security is a top priority at Target, so we continue to invest heavily in top talent, as well as technology, and focus on continually evaluating and evolving our processes as the landscape changes. It’s an important part of the $1 billion Target plans to invest in technology and supply chain this year. (Target, 2015b) While it is difficult to quantify the exact impact of the breach on Target’s financials, the company experienced a 1% decrease in revenues from 2012 to 2013, and its net income decreased 34.3% in that same time period. The large impact to net income was largely attributable to the additional costs associated with investigating and remediating the security breach. The financial impacts were not limited to the few months following the breach, however. Over the course of the next two years, Target continued to incur costs related directly to the security breach. According to Target’s 10-Q and 10-K filings with the SEC, the company has incurred $291 million in cumulative expenses related to this breach. Of this, approximately $90 million was offset by insurance coverage, leaving Target with a total direct cost of just over $200 million (United States Securities and Exchange Commission, 2016). 
The breakdown of costs reported by Target for each quarter from the announcement of the breach to May 2015 is displayed in Figure 1.

Figure 1: Cumulative Costs Related to Security Breach, by Quarter

5.6 Lessons Learned

Even though Target experienced one of the biggest data breaches in history, it is still a successful business with almost 1,800 stores in North America in 2015 (Target, 2016). While the attack did impact the company, some key factors had a positive impact on Target's image. For example, customer loyalty builds over time, and even such a massive security flaw could be overlooked by the most devoted and dedicated individuals who associate themselves with the company. Some of them even perceived Target as a victim of the attackers and sympathized with the company during the hard times it was experiencing. On Target's end, the company invested heavily in improving its cybersecurity operations, and in 2015 created the first Cyber Fusion Center, which is dedicated to preventing similar attacks from happening again. Brian Cornell, chairman and CEO of the company, said:

Brad Maiorino, Target's Chief Information Security Officer, added:

"We've got teams of Cyber Security analysts working round the clock. They use a mix of human intelligence, analytics and state-of-the-art technology to detect, investigate and contain threats to our business. Much of the work they do takes place in our newly opened Cyber Fusion Center (CFC)." (Target, 2015b)

Another improvement that Target made was adding chip readers with PIN codes for customers. In fact, Target became the first major U.S. issuer to use chip and PIN credit cards in 2015 (DiGangi, 2015), even as most card issuers in the United States were issuing less secure chip and signature cards. The addition of an EMV chip makes a card more difficult and more expensive to counterfeit.
However, adding a PIN code on top of the EMV chip makes it even less likely that card information can be stolen and used to make unauthorized purchases. Last but not least, the attack impacted Target's profits and caused some top management turnover. Target's CEO at the time of the breach, Gregg Steinhafel, a 35-year employee of the company with the last 6 at the helm, resigned in May 2014. The CIO was also replaced with Bob DeRodes, an executive with a very strong background in information security. The Target board of directors was also under significant pressure. A proxy firm, Institutional Shareholder Services, had recommended that investors oust seven board members, saying the board had failed to protect the company from the data breach. The board members were nevertheless able to convince shareholders to re-elect them, although the message to them was clear that future data security breaches would be considered their responsibility (Basu, 2014). The full press release from Target regarding the managerial changes is available in Appendix B.

Although Target never directly shared any lessons learned, the examples above illustrate the company's ambition to improve its security practices and offer more protection for its customers. Taking responsibility for the breach at the highest level is still uncommon in organizations of such scale. Overall, the breach prompted many new rules and practices with regard to information security, as both retailers and customers were now aware of the consequences of such an attack.

6. CONCLUSION

While the security breach at Target impacted a single corporation, it is important to note that such breaches have now become part of our everyday lives. It is not a matter of if, but when, a breach will occur. Thus, the authors believe that the lessons learned from Target are valid and can be generalized to other organizations as well.
For instance, the breach stimulated other retailers such as Wal-Mart and Home Depot to install chip readers on their POS terminals. Such best practices show that others realize the importance of strengthening their security posture and providing better protection against individuals with malicious intent. Further, Target demonstrated that it has the capacity to recover from such serious events thanks to up-to-date disaster recovery/business continuity plans. These best practices should be followed by others who want to prepare themselves for the inevitable.

In conclusion, this case study provides an objective view of the events surrounding the 2013 Target breach and outlines both the adequate and inadequate actions taken by the corporation. The authors' goal is to increase students' knowledge of how major organizations are impacted by such attacks, what can be done to limit these breaches in the future, and how to be better prepared to respond when they happen. The case study adds value to the cybersecurity curriculum as it requires students to put into practice the knowledge they gained in the classroom and apply it to a real-world scenario. The case study reveals the complexity of the security breach and its impact on business processes and customer trust – factors that any business professional should understand before going into industry.

7. ACKNOWLEDGEMENTS

Research reported in this publication was supported by the Sykes College of Business Faculty Collaboration Grant at the University of Tampa for the 2016-2017 academic year.

8. REFERENCES

Anderson, J. M. (2003). Why We Need a New Definition of Information Security. Computers & Security, 22, 308-313.

Basu, E. (2014). Target CEO Fired – Can you be Fired if your Company is Hacked? Retrieved October 29, 2017, from https://www.forbes.com/sites/ericbasu/2014/06/15/targetceo-fired-can-you-be-fired-if-your-company-ishacked/#709e3f37c9fa.

Da Veiga, A. & Eloff, J. H. (2010). A Framework and Assessment Instrument for Information Security Culture. Computers & Security, 29, 196-207.

Dhillon, G. & Backhouse, J. (2000). Technical Opinion: Information System Security Management in the New Millennium. Communications of the ACM, 43, 125-128.

DiGangi, C. (2015). Target Becomes First Major U.S. Issuer to Use Chip & PIN Credit Cards. Retrieved January 31, 2017, from http://blog.credit.com/2015/10/target-becomesfirst-major-u-s-issuer-to-use-chip-pin-credit-cards-127551/.

Fazio Mechanical Services. (2014). Statement on Target Data Breach. Retrieved January 31, 2017, from http://faziomechanical.com/Target-Breach-Statement.pdf.

Finkle, J. & Henry, D. (2013). Exclusive: Target Hackers Stole Encrypted Bank PINs – Source. Retrieved January 31, 2017, from http://www.reuters.com/article/us-targetdatabreach-idUSBRE9BN0L220131225.

Greig, A., Renaud, K., & Flowerday, S. (2015). An Ethnographic Study to Assess the Enactment of Information Security Culture in a Retail Store. In Internet Security (WorldCIS), 2015 World Congress (pp. 61-66).

Krebs, B. (2015). Inside Target Corp., Days After 2013 Breach. Retrieved January 31, 2017, from http://krebsonsecurity.com/2015/09/inside-target-corp-daysafter-2013-breach/.

Malcolm, H. (2014). Target Sees Drop in Customer Visits after Breach. Retrieved January 31, 2017, from http://www.usatoday.com/story/money/business/2014/03/11/target-customer-traffic/6262059/.

Quick, B. (2014). Target CEO Defends 4-day Wait to Disclose Massive Data Hack. Retrieved January 31, 2017, from http://www.cnbc.com/2014/01/12/target-ceo-defends-4-daywait-to-disclose-massive-data-hack.html.

Quick, M., Hollowood, E., Miles, C., & Hampson, D. (2016). World's Biggest Data Breaches. Retrieved January 31, 2017, from http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.

Quirk, M. B. (2014). Non-Target Customers Wondering how Target got Contact Info to Send Email about Hack. Retrieved January 31, 2017, from https://consumerist.com/2014/01/17/non-target-customerswondering-how-target-got-contact-info-to-send-emailabout-hack/.

Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014). Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg Businessweek, 13.

Security Standards Council. (2016). PCI DSS Quick Reference Guide. Retrieved January 31, 2017, from https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1476207333578.

Statista. (2016). Total Number of Target Stores in North America from 2006 to 2015. Retrieved January 31, 2017, from https://www.statista.com/statistics/255965/totalnumber-of-target-stores-in-north-america/.

Sumra, I. A., Hasbullah, H. B., & AbManan, J. B. (2015). Attacks on Security Goals (Confidentiality, Integrity, Availability) in VANET: A Survey. In Vehicular Ad-Hoc Networks for Smart Cities (pp. 51-61). Springer, Singapore.

Target. (2014). Target Provides Update on Data Breach and Financial Performance. Retrieved January 31, 2017, from https://corporate.target.com/press/releases/2014/01/targetprovides-update-on-data-breach-and-financia.

Target. (2015a). Data Breach FAQ. Retrieved January 31, 2017, from https://corporate.target.com/about/shoppingexperience/payment-card-issue-FAQ.

Target. (2015b). Inside Target's Cyber Fusion Center. Retrieved January 31, 2017, from https://corporate.target.com/article/2015/07/cyber-fusioncenter.

Target. (2016). Target through the Years. Retrieved January 31, 2017, from https://corporate.target.com/about/history/Target-throughthe-years.

Target. (2017). Awards and Recognition. Retrieved January 31, 2017, from https://corporate.target.com/about/awardsrecognition.

United States Securities and Exchange Commission. (2014). FORM 10-K. Retrieved January 31, 2017, from https://www.sec.gov/Archives/edgar/data/27419/000002741914000014/tgt-20140201x10k.htm.
United States Securities and Exchange Commission. (2016). FORM 10-Q. Retrieved January 31, 2017, from http://investors.target.com/phoenix.zhtml?c=65828&p=irolSECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEwOTYwNzg0JkRTRVE9MCZTRVE9MCZTUURFU0M9U0VDVElPTl9FTlRJUkUmc3Vic2lkPTU3.

Von Solms, B. (2000). Information Security – The Third Wave? Computers & Security, 19, 615-620.

Von Solms, R. & Van Niekerk, J. (2013). From Information Security to Cyber Security. Computers & Security, 38, 97-102.

Vroom, C. & Von Solms, R. (2004). Towards Information Security Behavioural Compliance. Computers & Security, 23, 191-198.

AUTHOR BIOGRAPHIES

Miloslava Plachkinova is an Assistant Professor of Cybersecurity in the Sykes College of Business at the University of Tampa, FL. She holds a Ph.D. in Information Systems and Technology from Claremont Graduate University, CA. She is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and a Project Management Professional (PMP). Dr. Plachkinova's research focuses on information security and healthcare. She investigates how human behavior leads to data breaches, and her work in the healthcare field investigates security and privacy issues in mobile health (mHealth) and electronic health records (EHR) on the cloud. Dr. Plachkinova also has extensive industry experience working for both the private and the public sectors.

Chris Maurer is an Assistant Professor in the McIntire School of Commerce at the University of Virginia. He received his Ph.D. from the University of Georgia and was previously an Assistant Professor at the University of Tampa. His research interests include cybersecurity controls, the impact of cybersecurity breaches, enterprise systems, and IT-business alignment. His previous research has appeared in journals and conference proceedings including MIS Quarterly Executive, the International Conference on Information Systems, the Americas Conference on Information Systems, and the Hawaii International Conference on System Sciences.

APPENDIX A – Email to Target Customers

Source: https://consumermediallc.files.wordpress.com/2014/01/targetemailgrab.png, Accessed on January 31, 2017.

APPENDIX B – Target Press Release

"Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target. Effective immediately, Gregg will step down from his positions as Chairman of the Target board of directors, president and CEO. John Mulligan, Target's chief financial officer, has been appointed as interim president and chief executive officer. Roxanne S. Austin, a current member of Target's board of directors, has been appointed as interim non-executive chair of the board. Both will serve in their roles until permanent replacements are named. We have asked Gregg Steinhafel to serve in an advisory capacity during this transition and he has graciously agreed.

The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company. We believe his passion for the team and relentless focus on the guest have established Target as a leader in the retail industry. Gregg has created a culture that fosters innovation and supports the development of new ideas. Under his leadership, the company has not only enhanced its ability to execute, but has broadened its strategic horizons. He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle. Most recently, Gregg led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.

The board will continue to be actively engaged with the leadership team to drive Target's future success and will manage the transition. In addition to the appointments of the exceptional leaders noted above, we have also retained Korn Ferry to advise the board on a comprehensive CEO search. The board is confident in the future of this company and views this transition as an opportunity to drive Target's business forward and accelerate the company's transformation efforts."

Source: http://www.forbes.com/sites/clareoconnor/2014/05/05/target-ceo-gregg-steinhafel-resigns-in-wake-of-data-breachfallout/#6abeced46e61, Accessed on January 31, 2017.

Information Systems & Computing Academic Professionals

STATEMENT OF PEER REVIEW INTEGRITY

All papers published in the Journal of Information Systems Education have undergone rigorous peer review. This includes an initial editor screening and double-blind refereeing by three or more expert referees.

Copyright ©2018 by the Information Systems & Computing Academic Professionals, Inc. (ISCAP). Permission to make digital or hard copies of all or part of this journal for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial use. All copies must bear this notice and full citation. Permission from the Editor is required to post to servers, redistribute to lists, or utilize in a for-profit or commercial use. Permission requests should be sent to the Editor-in-Chief, Journal of Information Systems Education, editor@jise.org.

ISSN 2574-3872
Explanation & Answer
Hi, please see the attached paper. Have a look at it and in case of any edit, please let me know. Otherwise, it is my pleasure to have you as my buddy now and in the future. Until the next invite, bye!

Outline: Information Security

The case is an epitome of the vulnerability of data stored in information systems.

Retail stores have to ensure that they put in place proper data security measures.
Information Security
Case 1

The case is an epitome of the vulnerability of data stored in information systems. The first threat is the accessibility of HIPAA-protected data by unauthorized parties. The data was not encrypted, and anybody who looked in the right place would access it, thus endangering it (O'Hara, 2017). Institutions such as hospitals should always ensure that data is password-protected to prevent ease of access for unauthorized persons. There was also the risk of...

