Repeat Defender: Lessons From Home Depot Data Breach

The same type of malware attack that stole the personal data of millions of Target customers last year could have been thwarted the second time around when it penetrated Home Depot’s network this year. Worse yet, many companies are still at risk of a similar breach.

Details are still emerging on the full scope and scale of the data breach, but we do know that Home Depot launched an investigation Sept. 2, immediately after the retail giant received reports from its banking partners and law enforcement that criminals may have hacked its payment data systems. “Since then, the company’s internal IT security team has been working around the clock with leading IT security firms, its banking partners, and the Secret Service to rapidly gather facts and provide information to customers,” Home Depot said in a statement.

Security experts say the type of malware attack that infiltrated the networks of Target and Home Depot could have—and should have—been prevented. “Home Depot should have learned from Target’s data breach,” says Stu Sjouwerman, CEO of the data security firm KnowBe4.

For its part, Home Depot says it had been fortifying its payment systems prior to the breach, which may have started months ago. The company previously confirmed it would roll out chip-and-PIN technology to all U.S. stores by the end of this year, well in advance of the October 2015 deadline established by the payments industry.

Chip-and-PIN cards (also called EMV cards for Europay, MasterCard, and Visa) include an embedded microchip that stores customer data, the idea being that the card must be present for a transaction to take place. For the chip-enabled cards to work, however, retailers must install checkout terminals that can process them—upgrades most retailers have not yet made.

Aside from Home Depot, Target similarly announced plans to adopt chip-and-PIN technology in all of its nearly 1,800 U.S. stores by early 2015, at a cost of $100 million. Other retailers that already have installed chip-enabled technology include Walmart and Sam’s Club.

According to the Payments Security Task Force, which represents a diverse group of U.S. electronic payment industry players, more than 575 million chip-enabled payment cards will be issued by the end of 2015 by a variety of large banks: Bank of America, Capital One, Chase, Citi, Discover, and more.

“The type of attacks criminals are using, and the techniques that they’re using, are able to circumvent a lot of the tools and capabilities that retailers have in place.”
Rob Sadowski, Director of Marketing, RSA

Despite commendable efforts made in the payment industry, however, “companies still have a long way to go,” says Dwayne Melancon, chief technology officer of TripWire. They need time to assess how to strengthen network security, acquire the tools to implement those measures, and configure everything properly. “That means they’re still vulnerable to these types of attacks,” he says. 

Meanwhile, the tactics hackers use are “getting smarter and more organized,” says Ulf Mattsson, chief technology officer at Protegrity, a provider of data-security solutions. “Software attacks are getting more sophisticated.”

What’s more, the malware itself is becoming easier to acquire and use. “You have a lot of organized crime groups sharing information in an open-source fashion,” Melancon says. Anyone who wants to take advantage of known weaknesses in a payment card system can download all manner of malware toolkits available on the black market, he says, “and use it to compromise a system and harvest cardholder data.”

TARGET’S TECH ENHANCEMENTS

Since the initial confirmation of the data breach, Target has taken significant actions to further strengthen security across the network. These actions include:

Enhancing monitoring and logging, including implementation of additional rules, alerts, centralizing log feeds and enabling additional logging capabilities;

Installation of application white-listing point-of-sale systems, including deploying to all registers, point-of-sale servers and development of white-listing rules;

Implementation of enhanced segmentation, including development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;

Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points; and

Enhanced security of accounts, including coordinated reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, expansion of password vaults, disabled multiple vendor accounts, reduced privileges for certain accounts, and developing additional training related to password rotation.
Source: Target.

Improved Security

While Home Depot continues to study how its breach happened, other companies can defend their networks in numerous ways. Data securities experts recommend the following measures:

Strong access controls. Start with consistent policies and procedures that define who should have access to what systems, Melancon says. This means being able to “validate not only the logical, but physical, access to the systems,” he says.

Take Target as an example. Cyber-criminals executed their attack by gaining access through an HVAC contractor linked remotely to the company’s computer systems for electronic billing purposes. “There really wasn’t a good business reason that type of contractor should have had access to the cardholder environment,” Melancon says.

Be more deliberate when setting access to certain accounts, to minimize the damage in the event of a data breach. “That’s a core best practice that’s overlooked by a lot of companies,” he says.

Protect the data itself. Traditionally, many companies have focused their efforts only on defending the perimeter of their network; that is no longer enough. A better way to reduce the risk of data breach is to protect cardholder data at the point of sale with encryption. “If we focus more on protecting the data at its core, our defense would be much more powerful,” Mattsson says. “We can actually protect ourselves from future attacks.”

Some companies are moving beyond encryption toward tokenization, which is essentially a more sophisticated version of encryption. The main difference: Where encryption is based on a mathematical formula, tokenization is based on a random code, or “token.”

Tokenization is arguably more secure than encryption because encryption can be broken if someone steals the cryptographic key to decode the date. In contrast, stolen tokens have no value to cyber-thieves, akin to a stolen casino chip having no value, Mattsson explains. “Those casino chips aren’t worth anything outside the casino,” he says. “Tokenization is a way to replace real data with fake data.”

Melancon cautions, however, that “tokenization is not a silver bullet. You still have to deal with physical attacks like card skimmers on ATMs or point-of-sale systems.” It’s about taking a step back and looking at the whole process systemically, keeping an eye out for potential weak points, he says.

Protect the internal network. Various breach detection software on the market has the ability to scan a company’s network for a potential breach, such as an account that shouldn’t exist or new malware that appears on a system. “A large retailer like Home Depot should have breach detection software in place,” Sjouwerman says.

Continuously monitor the network.  Companies should monitor constantly for any new accounts that might appear on their systems. Sometimes cyber-criminals are able to use their own devices to join a company’s network, and then use that as a base of operation to attack the rest of your network, Melancon says. Monitoring in real-time for any new applications that show up alerts a company if a breach occurs, he says.

Companies connected to the payment card industry can make a concerted effort to block cyber-attacks by keeping current on tactics cyber-criminals use, says Rob Sadowski, director of marketing at RSA, the security division of EMC. No two data breaches will be exactly alike, he says, but attackers will to try to use the same types of tools and techniques that have proven successful in the past—such as memory-scraping malware that captures cardholder data at the point of sale.

By now, Sadowski says, everyone knows that cyber-crime is a pervasive problem, for all companies and all industries. Above all, he says, “we need to share information, share techniques, and share knowledge” to help defend against cyber-attacks.