Case 6.4 C
docx
keyboard_arrow_up
School
Miami Dade College, Miami *
*We aren’t endorsed by this school
Course
MISC
Subject
Information Systems
Date
Feb 20, 2024
Type
docx
Pages
2
Uploaded by ShiniCoco
Case 6.4: Autopsy of a Data Breach: The Target Case Part 1: Sources of Risk: Analyze every source of risk: Well-meaning Employees, Malicious Employees, Targeted Attacks, Partners (Business and Technology) and Technology Components and see how they were relevant in the Target Data Breach. (2 points)
Incompetent Employees
: In this breach, access to Target's systems was obtained by attackers through a phishing email sent to an HVAC contractor, Fazio Mechanical Services. The attackers took advantage of the contractor's inadequate security protocols and lack of sufficient training to detect phishing attempts. Consequently, they were able to establish a presence within Target's network, ultimately resulting in the breach.
The failure of the contractor's staff to identify and appropriately address phishing attacks provided the attackers with an opportunity to infiltrate the system.
Rogue Employees
: Although not a prominent factor in this particular breach, rogue employees have the potential to play a role in data breaches by deliberately abusing their access privileges to pilfer or disclose sensitive data. While external actors were the primary facilitators of the Target breach, the possibility of involvement by rogue employees cannot be entirely discounted.
Hackers
: The perpetrators of the Target breach were adept hackers who capitalized on weaknesses in Target's network infrastructure. Employing malware, they infiltrated the point-of-sale (POS) systems, enabling them to extract payment card data. Their proficiency in technology and knack for pinpointing vulnerabilities enabled them to breach Target's security measures and obtain access to confidential information.
Business and Technology Partners
: The breach commenced with an assault on a third-party HVAC contractor, Fazio Mechanical Services, which held entry privileges to Target's network. This highlights how attackers can leverage the inadequate security measures of business associates to breach the primary target's systems. In this scenario, the HVAC contractor's network possessed lower security standards, serving as a vulnerable entry point into Target's systems once compromised.
Technology Components
: The breach entailed the compromise of point-of-sale (POS) systems, suggesting that
vulnerabilities or inadequate security configurations within these components were exploited. Through these systems, the attackers acquired access to customer payment data. The insecure condition of these technological components facilitated the perpetrators in executing their nefarious actions. interconnected nature of cybersecurity risks and the need for comprehensive security measures across all potential sources of risk.
Part 2: How could have Target protected itself based on the 5 sources of risk: Well-meaning Employees, Malicious Employees, Targeted Attacks, Partners (Business and Technology) and Technology Components and see how they were relevant in the Target Data Breach. (2 points)
Target, based on the 5 sources of risk, I feel, could have implemented several key measures to bolster its defenses against this and future data breaches. Firstly, comprehensive cybersecurity training for employees and contractors, including those at Fazio Mechanical Services, could have been provided to enhance awareness and knowledge of phishing attempts and proper security protocols. Secondly, robust access controls and monitoring mechanisms could have been implemented to restrict unauthorized access to systems and sensitive data, along with regular reviews of access privileges and user activity monitoring. Additionally, thorough due diligence on third-party vendors and technology partners, including security assessments and audits, would have been crucial
to ensure adherence to adequate security standards. Strengthening network infrastructure, implementing encryption technologies, and ensuring regular patch management could have further bolstered Target's security posture. Lastly, robust data protection measures, such as encryption and tokenization, would have been essential
for safeguarding sensitive customer information stored in POS systems. By adopting a comprehensive approach
to cybersecurity across all potential sources of risk, Target could have significantly mitigated its vulnerability to data breaches and better protected its customers' sensitive information.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help