Assignment 2

Question 1

The data breach that occurred at TJX is considered the largest in history because it affected more than 46 million customers across six countries. In addition to the millions of dollars paid in fines to the respective parties, the incident ruined the company's reputation and forced a re-evaluation of network security systems worldwide. Cashiers at the corporation failed to identify the bogus credit card holders because they did not insist on other forms of identification such as driving licenses. In particular, they did not insist on using the photograph on the license as proof of ownership during purchases at the various stores. Their assumption that the bearers of the cards were the rightful owners facilitated the illegal transfer of data and cost the business dearly through the issuance of merchandise to illegitimate consumers. In addition, network analysts at TJX were complacent about detecting malicious software in their databases, which allowed content to be transmitted out of those databases from multiple points (Ciampa, 2008). In fact, it was shocking that such computer worms were left undetected for more than 18 months.

Similarly, employees at different stores were lax in their handling of returned goods. They paid no attention to the fact that some 451,000 customers returned items without the relevant receipts and were given cash. While these customers claimed to have noticed defects in the goods, the workers did not follow the firm's policy of insisting on the accompanying receipts. Instead, they casually accepted the items and either exchanged them for pricier ones or handed back cash. In doing so, they were duped into processing transactions for purchases that had never taken place, because the attackers had supplied the minimal card details needed to appear authorized. Structural failures within the TJX networks were likewise exposed. Its encryption was weak because the decryption tool and the decryption key were not stored securely, and the certificate server sat in an exposed location that gave intruders easy access to it. Moreover, the shared-key cryptography in use was not backed by a firewall or any secondary verification mechanism that would have restricted access to personnel with the right type of clearance. Such a loophole left the systems open to penetration. Additionally, the company erred in using the Data Encryption Standard, which has a small 56-bit key, even though it was a global chain handling large volumes of transactions (Delta & Matsuura, 2009). The wireless networks were also not shielded from unauthorized entry, given their signal reach and minimal protection requirements.

Question 2

The firm should regularly create a backup system to replace the existing one so that infected files are eliminated. Furthermore, it should install antivirus software with both on-demand and on-access scanning so that computer worms are detected early and threats mitigated before further damage is done. To prevent the infection of hard drives and servers, the boot order in the CMOS settings also needs to be changed so that machines boot from the C drive. Additionally, the web browser should be configured not to run programs automatically, since doing so makes it susceptible to attack. The company should also adopt the Advanced Encryption Standard, whose stronger protective features form a defense against external intrusion. The IT systems should likewise be configured to require multiple access keys known only internally, so that outsiders cannot compromise information using fraudulently obtained identities.

The above measures can be implemented in the short term. Payment Card Industry (PCI) security standards will also have to be adopted immediately to prevent a repeat of the above breaches. However, TJX also needs to switch to the Wi-Fi Access Protocol, which has superior qualities. In addition, IT technicians will have to conduct regular log analysis to determine the source and destination of data moving within their networks. This tactic helps in ascertaining the authenticity of information, especially information from third parties. Similarly, TJX needs to outsource the storage of sensitive personal data about clients and workers to prevent hackers from duplicating it. Having this content, especially the details stored in a card's magnetic stripe, held by a secure entity makes it difficult for counterfeit cards to be produced. Regardless of the large investment that may be needed, the firm could design a payment system that requires a PIN for every transaction, thereby limiting access to such data to its legitimate owners. Moreover, retention of customer data for long periods will have to be scrapped, as this exposure leads to more breaches. Changes at the point-of-sale departments in its outlets will also have to be made to reflect the new policies, and workers trained afresh in malware detection. The latter would be a company-wide exercise to inform the workforce about possible hacking techniques so that they can apply early-detection techniques, which may save the firm a great deal of time and money from potential compromises.
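As an added illustration of the log-analysis measure described above (this is example code written for this page, not material from the essay, from the cited sources, or from TJX), the following Python script parses a handful of constructed firewall log lines and flags outbound traffic that a cardholder environment should not produce: connections from POS or database subnets to external addresses, such connections made outside business hours, and unusually large outbound volumes to a single external destination. The log format, the zone subnets, the volume threshold and every address are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not real TJX data). The key=value
# layout is an assumed export format; field names are illustrative. The
# "external" addresses deliberately come from documentation ranges.
SAMPLE_LOG = """\
2007-01-15T09:02:11 fw01 conn src=10.10.5.21 dst=10.20.0.5 proto=tcp dport=1433 bytes_out=2048
2007-01-15T09:02:13 fw01 conn src=10.10.5.22 dst=10.20.0.5 proto=tcp dport=1433 bytes_out=1980
2007-01-15T12:30:40 fw01 conn src=10.30.1.8 dst=203.0.113.10 proto=tcp dport=443 bytes_out=51200
2007-01-15T02:14:05 fw01 conn src=10.20.0.5 dst=198.51.100.7 proto=tcp dport=443 bytes_out=48213000
2007-01-15T02:19:41 fw01 conn src=10.20.0.5 dst=198.51.100.7 proto=tcp dport=443 bytes_out=39770000
2007-01-15T10:11:02 fw01 conn src=10.10.5.21 dst=192.0.2.44 proto=tcp dport=80 bytes_out=300
"""

# Assumed network zones: POS terminals, the cardholder database, office PCs.
ZONES = {
    "pos": ipaddress.ip_network("10.10.0.0/16"),
    "cardholder-db": ipaddress.ip_network("10.20.0.0/16"),
    "office": ipaddress.ip_network("10.30.0.0/16"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
NO_EGRESS_ZONES = {"pos", "cardholder-db"}       # must never reach the internet
VOLUME_THRESHOLD = 50 * 1024 * 1024              # bytes per (src, dst); assumed
BUSINESS_HOURS = range(7, 22)                    # local hours; assumed

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def zone_of(addr):
    """Name the zone an address belongs to; outside the corporate range is external."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown-internal" if addr in INTERNAL else "external"


def analyze(log_text):
    """Return a sorted list of (rule, src, dst, detail) findings."""
    findings = set()
    volume = defaultdict(int)  # total bytes out per (src, dst)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
        key = (str(rec["src"]), str(rec["dst"]))
        volume[key] += rec["bytes"]
        if src_zone in NO_EGRESS_ZONES and dst_zone == "external":
            findings.add(("egress-from-restricted-zone", key[0], key[1], src_zone))
            if rec["ts"].hour not in BUSINESS_HOURS:
                findings.add(("off-hours-egress", key[0], key[1], rec["ts"].isoformat()))
    # Volume is judged on the aggregate, so many small transfers are still caught.
    for (src, dst), total in volume.items():
        if zone_of(ipaddress.ip_address(dst)) == "external" and total > VOLUME_THRESHOLD:
            findings.add(("high-volume-egress", src, dst, f"{total} bytes"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script reports the database host's night-time transfers to an external address under all three rules, and the POS terminal's daytime external connection under the egress rule only; the office PC's web traffic produces no finding because office workstations are permitted to reach the internet.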

Question 3

When a security breach occurs at a large multinational company, people tend to blame it for not putting adequate safeguards in place against the attack. Sometimes they are justified and sometimes they are not. In this incident, TJX was responsible for the hacking mishap because of the lazy work ethic of its software analysts and its reluctance to conduct log analysis within its systems (Ciampa, 2008). It is possible that it relied on assumptions of safety in order to avoid the high audit fees that a forensic probe of its global operations would have incurred. Additionally, the cashiers could not be bothered to demand stricter identification at all times, since they wanted to boost sales figures and thus their commissions. In doing so, they jeopardized the integrity of the systems and compromised the details and cash reserves of the company's clients. Moreover, the company's failure to adhere to the PCI standards envisioned by all stakeholders reflects a lack of commitment to incurring the expense of securing the data under its care. In fact, the attackers noticed these loopholes and capitalized on them, thereby succeeding in their mission.

Thus, an organization's inability to streamline communication channels with its affiliates forms the basis of such errors. For example, it was established that the initial breach occurred at a Minnesota store. Had elaborate feedback mechanisms been in place, this problem could have been detected and dealt with as an isolated incident before it deteriorated. Likewise, inconsistent supervision of subordinates results in a lax work ethic, which is detrimental to a company. Poor oversight by supervisors makes junior workers behave erratically. In the above case study, there is minimal indication that managers followed up to establish the circumstances under which consumers returned goods without receipts (Delta & Matsuura, 2009). Consequently, management needs to schedule regular meetings with its field managers to review weekly challenges and discuss upcoming forecasts. At such forums, branch managers need to give an account of the activities of their departments and provide proof that vital aspects of the firm's operations are functioning. This devolved system of governance ensures that accountability is entrenched in the institution and that problems are noticed early enough to be resolved. The leadership should also make budgetary provisions for unpredictable outcomes that may pose a risk to the existence of the corporation. For example, a miscellaneous fund should have been available at TJX to cover the rigorous auditing process that was launched. Having such schemes facilitates the upgrade of existing systems as new technologies develop, thereby bringing the business's culture in line with the current, safer environment.

Question 4

In the aftermath of the attack, it would be justifiable to be concerned about the whereabouts of people's finances (Ciampa, 2008). Since the credit and debit cardholders had money in their accounts, it is possible that the hackers could have gained access to these funds and depleted them. In particular, these could be the only savings of most of the victims, so losing them would plunge them into poverty. Similarly, the invasion of privacy through the theft of personal details could lead to more serious online crimes. In fact, the intruders could assume the stolen identities and use them to conduct other suspicious activities against innocent civilians. Furthermore, these details could be anonymously posted online, whereupon criminals could use them to track the victims' locations with the aim of stealing property or causing bodily harm. As such, this breach raises the level of insecurity within communities. Moreover, the attackers could open new social media accounts or compromise existing ones to post scandalous content that could damage a person's life, marriage, or career prospects. The global reach of the internet would be disastrous to organizations and to the victims' reputations, and may result in psychological illnesses that take a long time to recover from.

As a way of limiting the damage from such attacks, people should immediately contact their local banks, seek to change their account details, and authorize a block on card payments. Money could then only be withdrawn by presenting oneself in person at a bank branch, which would give the card company enough time to repair its systems by putting more protective measures in place. Victims should also change their passwords for all electronic communication platforms such as email, in order to bar the intruders from gaining further access to such services. At the same time, they need to alert their correspondents to be wary of malicious content about them purporting to originate from the real owners. Companies, for their part, need to make press releases urging members of the public to contact them through the official emergency communication channels provided. Such actions would derail the hackers' intentions while salvaging a few assets.

Question 5

PCI-DSS is an effective tool for protecting cardholder data because it outlines a series of measures that enhance the safety of such content. For instance, it directs companies to install robust firewalls to prevent their systems from coming into contact with malicious data. Similarly, it prohibits the use of vendor-supplied default passwords and personal identification numbers (PINs), because they are known to more than one party. It also makes specialized firewalls for wireless Local Area Networks available, thereby making eavesdropping difficult. Digital encryption of customer data is another feature of this standard that ensures maiden names, dates of birth, phone numbers and social security numbers are hidden from public view and accessible only to authorized personnel (Delta & Matsuura, 2009). Likewise, it is compatible with common anti-spyware programs, which facilitate the discovery of bugs and aid in their elimination. It also stipulates that unnecessary customer information should not be given to businesses, nor should it be physically exposed, to ensure that it is only available through a secure network. The monitoring and regular testing of networks is another feature that seeks to reduce vulnerability to such incidents. Moreover, by mandating that corporations implement an information security policy and issuing penalties for even slight non-compliance, PCI-DSS has fostered a robust software regimen that helps the e-commerce industry carry out legitimate transactions.

However, to improve on its effectiveness, firms need to reduce the amount of data stored in their systems, as this limits the amount of content that can be breached. It also minimizes the routes that potential hackers could use. Similarly, it is advisable to categorize the different kinds of information into compartments and assign them to different networks in order to prevent infiltration from spreading between them. This would significantly reduce the workload of auditing sessions, since the scoping exercises will focus on specific aspects of the business. Scoping involves mapping cardholder data flows across the various systems, thereby offering insight into the business as well as clearly identifying weak spots (Ciampa, 2008). Furthermore, compliance should be an ongoing process rather than a periodic initiative, so as to keep track of system changes and developments in the marketplace. This would reduce the cost of maintenance while making data protection sustainable within the firm. Investment in the latest computer infrastructure is also recommended, as this improves coordination among different networks and thereby streamlines compliance.
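The compartmentalisation and scoping idea above can be made concrete with a small model. The Python below is an added example for this page (not code from the essay, the cited sources, or any PCI-DSS tooling); the hostnames, zones and firewall policies are constructed. It records which hosts store, process or transmit cardholder data (CHD), expresses the firewall policy as allowed zone-to-zone pairs, and derives the audit scope under a simplified reading of the PCI-DSS "connected-to" rule: a host is in scope if it handles CHD or if the policy lets it open connections to, or accept them from, a host that does. Comparing a flat policy with a segmented one shows how segmentation shrinks the scope, and a single over-broad rule shows how easily unrelated systems get pulled back in.

```python
# Constructed inventory for an illustrative retailer (not TJX's real environment).
# Each host records its network zone and whether it handles cardholder data (CHD).
SYSTEMS = {
    "pos-01":      {"zone": "pos",        "handles_chd": True},
    "pos-02":      {"zone": "pos",        "handles_chd": True},
    "store-wifi":  {"zone": "store-wifi", "handles_chd": False},
    "payment-app": {"zone": "cde",        "handles_chd": True},
    "payment-db":  {"zone": "cde",        "handles_chd": True},
    "hr-db":       {"zone": "corp",       "handles_chd": False},
    "mail-server": {"zone": "corp",       "handles_chd": False},
    "office-pc":   {"zone": "corp",       "handles_chd": False},
}
ZONES = sorted({s["zone"] for s in SYSTEMS.values()})

# Firewall policy as a set of (src_zone, dst_zone) pairs allowed to connect.
# A flat network permits every pair; the segmented policy permits only the
# flows the payment process needs. Both are assumed for the example.
FLAT_POLICY = {(a, b) for a in ZONES for b in ZONES}
SEGMENTED_POLICY = {
    ("pos", "pos"), ("pos", "cde"), ("cde", "cde"),
    ("corp", "corp"), ("store-wifi", "corp"),
}


def allowed(src, dst, policy):
    """True if the policy lets host src open connections to host dst."""
    return (SYSTEMS[src]["zone"], SYSTEMS[dst]["zone"]) in policy


def chd_hosts():
    """Hosts that store, process or transmit cardholder data."""
    return {h for h, s in SYSTEMS.items() if s["handles_chd"]}


def scope_flows(policy):
    """Map each CHD host to the non-CHD hosts that can reach it or be reached from it.

    These are exactly the flows a segmentation review should question, since each
    one drags a non-payment system into the audit scope."""
    cde = chd_hosts()
    flows = {}
    for chd_host in sorted(cde):
        for other in sorted(SYSTEMS):
            if other in cde:
                continue
            if allowed(other, chd_host, policy) or allowed(chd_host, other, policy):
                flows.setdefault(chd_host, []).append(other)
    return flows


def in_scope(policy):
    """Simplified PCI-DSS scoping rule (assumption: only direct connectivity counts,
    hosts reachable solely through an intermediary are not added)."""
    scope = set(chd_hosts())
    for others in scope_flows(policy).values():
        scope.update(others)
    return sorted(scope)


if __name__ == "__main__":
    # One over-broad rule (corp admins allowed into the CDE) undoes most of the
    # benefit of segmentation.
    leaky = SEGMENTED_POLICY | {("corp", "cde")}
    for name, policy in [("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY), ("leaky", leaky)]:
        print(f"{name:10s} in scope: {len(in_scope(policy))} of {len(SYSTEMS)} -> {in_scope(policy)}")
```

The flow map is the useful artefact for an assessor: under the leaky policy it lists, per payment host, the HR database, mail server and office PC as connected systems, which is the kind of weak spot the essay says data-flow mapping is meant to surface.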

References

Ciampa, D. (2008). Security+ guide to network security fundamentals. Clifton Park, NY: Delmar Learning.

Delta, B., & Matsuura, H. (2009). Law of the Internet. New York: Aspen Law & Business.
