Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study - Target.

Published byAsher Perry Modified over 6 years ago

Similar presentations

Presentation on theme: "Case Study - Target."— Presentation transcript:

1 Case Study - Target

2 Hacking through an hvac vendor
Article summary: Fazio Mechanical (HVAC vendor) had data connections with Target’s network Attackers accessed Target’s network with stolen vendor credentials (user name and password) With network access, malware was uploaded on point of sale systems Article available at

3 Case study – target breach

4 Case study – target breach
Breach Costs Numerous firings (Some Board of Directors, CEO, & CIO) Trustwave (PCI Compliance Auditor) – Sued by Target Bank Vendors more than $200 million in costs DoJ Investigations on Target Over 140 lawsuits Profits dropped 46% during 4th quarter of 2013 Customer visits down entire year of 2014 Stock down 15% after incident

5 Case study – target breach
Important Information Target had a static defense and checklists for baseline security Target passed PCI compliance audit before breach discovery Claimed a level of compliance on Critical Security Controls Network access to third party vendors Network integration with vendors

6 Missed opportunities

7 Case study – tEams Team 1 is the senior IT acquisition advisors for another major retailer. The team is the responsible for advising the Board of Directors and senior corporate leadership for IT operations. Focus on being proactive. Team 2 is the software development team for the Target Corporation. The team is the responsible for legacy and new development systems. Focus on understanding the vulnerabilities of your system. Team 3 is the senior IT Operations that owns Target’s Security Operation Center (SOC). Focus on Incident Response and Operations. Team 4 is the testing group for Target. The team is the responsible for auditing and testing. Focus on testing and auditing. Team 5 is the senior Corporate Operations group. The team is led by the Target Director of Operations and controls others on your network. Focus on operations of others on your network.

8 Questions

9 Team 1 – Being proactive Team 1: Senior Acquisition Team to the Board of Directors and Senior Company Leadership for another major commercial retailer (not Target) How would you describe Target’s situation to your Board of Directors? How could you assure senior leadership that our company is in a better situation? What would do with Target’s information to be proactive? How would you prove that you are secure enough?

10 Team 2 – understand vulnerabilities
Team 2: Target IT Programs – Legacy and New Development How would you assess current vulnerabilities of your current development projects and legacy programs? How would you do manage risk going forward? The Board of Directors and Senior Leadership want to provide assurances that the breach cannot occur again. What assurances can you provide? What would you want different in your testing and audits?

11 Team 3 – incident response
Team 3: Cybersecurity Risk Management of Incident Response How would you describe your current processes for incident response? What do you want change in your incident response plans and processes? What exercises do you want to conduct going forward? How do you plan to work with others to ensure that you can better respond and recover?

12 Team 4 – testing and auditing
Team 4: Senior Testing and Internal Audit How would you describe your current testing and auditing to your Senior Leadership? What would you like to change for testing going forward? How would you test your interactions with vendors and suppliers? What assurances can your testing provide to your leadership?

13 Team 5 – interfaces and trust
Team 5: Senior Corporate Operations Group What is the best way to manage the risk of others interfacing with our network and systems? How should you control others on your network for access and authorization? What should be required of vendors and sub-contractors to work with your systems? How do you ensure proper training and certification of sub-contractors and vendors?

Download ppt "Case Study - Target."

Similar presentations

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is.

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is.
Managed Security Monitoring. 2 ©2015 EarthLink. All rights reserved. Today’s top IT concerns — sound familiar? Source: IT Security Risks 2014: A Business.

Managed Security Monitoring. 2 ©2015 EarthLink. All rights reserved. Today’s top IT concerns — sound familiar? Source: IT Security Risks 2014: A Business.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Information Security in Real Business Yuri & The Cheeseheads.

Information Security in Real Business Yuri & The Cheeseheads.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Presenter: Nick Cavalancia Auditing Evangelist 3 Ways Auditing Needs to be a Part of Your Security Strategy Brought to You by.

Presenter: Nick Cavalancia Auditing Evangelist 3 Ways Auditing Needs to be a Part of Your Security Strategy Brought to You by.
DATE: 3/28/2014 GETTING STARTED WITH THE INTEGRITY EASY PCI PROGRAM Presenter : Integrity Payment Systems Title: Easy PCI Program.

DATE: 3/28/2014 GETTING STARTED WITH THE INTEGRITY EASY PCI PROGRAM Presenter : Integrity Payment Systems Title: Easy PCI Program.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.

© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.
Cyber Security Nevada Businesses Overview June, 2014.

Cyber Security Nevada Businesses Overview June, 2014.
INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435.

INCIDENT RESPONSE IMPLEMENTATION David Basham University of Advancing Technology Professor: Robert Chubbuck NTS435.
Dr. Bill Curtis Director, Consortium for IT Software Quality Standardize Software Quality and Productivity Measurement.

Dr. Bill Curtis Director, Consortium for IT Software Quality Standardize Software Quality and Productivity Measurement.
℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.

℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.
Pro-active Security Measures

Pro-active Security Measures
Enterprise Cybersecurity Strategy

Enterprise Cybersecurity Strategy

Similar presentations

Ads by Google