TJX: - sp09tcs401601pbj
Download
Report
Transcript TJX: - sp09tcs401601pbj
Security Analysis and Recommendations
PB’s&J Presenters & Topics
David Bihm
User Account Management
Nathan Julson
Data Classification
Firewall Architectures and Connections with Public Networks
Brandon Buckley
Reaccreditation
Ryan Passehl
Trusted Path
Protection of Security Functions
Key Incident Details
Breach of wireless network
Exploitation of existing user accounts
Implantation of data mining applications
Creation of unauthorized access accounts
Capture of confidential customer data
PCI non-compliancy
Recommendations
5.4 User Account Management
CONTROL OBJECTIVE
Management should establish procedures to ensure timely action relating to requesting,
establishing, issuing, suspending and closing user accounts. A formal approval procedure outlining
the data or system owner granting the access privileges should be included. The security of thirdparty access should be defined contractually and address administration and nondisclosure
requirements. Outsourcing arrangements should address the risks, security controls and procedures
for information systems and networks in the contract between the parties.
Recommendations:
It was obvious during our investigation that the processes in place, during the time of the breach,
were not successful with identifying the unauthorized account creation and utilization by the
perpetrators. While the possibility exists that an unauthorized account be created, it did concern us
that the accounts may have been utilized for an unexcused length of time. For this reason we
believe that TJX would benefit from the basic account management processes discussed on the next
slide.
Continued: 5.4 User Account Management
A. New user account requests must be requested by management personnel only. Proper forms must be completed and
signed prior to account creation.
B. Leave of Absence
1. When an employee requests a leave of absence, management is required to notify the Human Resources
department.
2. HR will document the dates of absence and provide notice to the systems administrator.
3. The associated accounts are disabled beginning on the date specified by HR. A separate request is required
upon the return of the employee from leave, at which time their accounts will be enabled and a new
password set.
C. Termination
1. Upon termination, management is required to notify Human Resources.
2. Human resources will process the request for termination and notify systems administrators, at which time all user
accounts associated are disabled and moved to a designated archive location until authorized for deletion.
D. Required as part of new user orientation
1. New users are provided training on required systems.
2. New users are provided a copy of the system usage and security policy. A signature is required by the employee
verifying they understand the security requirements and that misuse will result in disciplinary action; possibly
termination.
E. Reoccurring Training
1. Users will be required to attend bi-annual continued education of systems operation and policies.
2. Users will provide a signature verifying attendance.
The mere fact that evidence showed the perpetrators accessed TJX’s systems multiple times over the course of 2 years
questions whether there was a process in place, at the time of the breach, to monitor and audit access rights to systems and
resources. If such a process were in place, and adequately executed, the accounts created and utilized by the thieves should
have been identified do to the sensitive nature of the information being accessed. Our recommendation is to implement at a
minimum a quarterly internal audit of account access rights do to the high turnover and number of promotions that are
common in retail businesses. Also recommended, at least until all damage claims have ceased, is an annual audit performed
from an outside source.
5.8 Data Classification
CONTROL OBJECTIVE
Management should implement procedures to ensure that all data are classified in terms of
sensitivity by a formal and explicit decision by the data owner according to the data
classification scheme. Even data needing “no protection” should require a formal decision to
be so designated. Owners should determine disposition and sharing of data, as well as
whether and when programs and files are to be maintained, archived or deleted. Evidence of
owner approval and data disposition should be maintained. Policies should be defined to
support reclassification of information, based on changing sensitivities. The classification
scheme should include criteria for managing exchanges of information between organizations,
addressing both security and compliance with relevant legislation.
Recommendations:
TJX did not follow many of the PCI DSS requirements that a business of their size should be.
When working with so much customer data, it is imperative that the data is safely secured.
TJX needs to change the data storage and retention policies to align with the PCI DSS
requirements. Highly sensitive information needs to be classified as such and stored
accordingly. Customer data should not be kept any longer than needed and a standard
process for this data handling needs to be implemented.
5.2 Firewall Architectures and Connections with Public Networks
CONTROL OBJECTIVE
If connection to the Internet or other public networks exists, adequate firewalls should be
operative to protect against denial of services, unauthorized access to the internal resources
and control any application and infrastructure management flows in both directions.
Recommendations:
It appears that sensitive customer data was not protected as it should be from outside
intruders. Although this was not addressed sufficiently by the company previously, going
forward this may be the most important step in preventing another intrusion. TJX needs to
install the firewall software which had been previously purchased and work with that vendor
to ensure its setup and operating correctly. Proper monitoring and auditing of the firewall
must occur on a regular basis to ensure suspicious activity is detected early.
TJX was also lacking security in their wireless setup. To prevent further intrusions, it is
recommended that TJX purchase new wireless access points for all their retail stores. In
addition, they need to ensure they are setup to utilize a higher level of wireless encryption
than the WEP they were currently using. These access points should also be setup to allow
secure, remote monitoring from a central location to ensure the configuration is correct upon
inspection.
5.12 Reaccreditation
CONTROL OBJECTIVE
Management should ensure that reaccreditation of security (e.g., through “tiger teams”) is
periodically performed to update the formally approved security level and the acceptance of
residual risk.
Recommendations:
TJX should comply with the PCI DSS standards that are set in place for major companies
that handle customer credit card data. TJX should be PCI compliant in all 12 areas in
order to gain reaccreditation which can cost $150 a year to be certified. TJX also has to
take a proactive approach by implementing a secure wireless network complete with
WPA security and firewalls to protect against intruders. Proactive processes should also
be implemented by reviewing access logs to catch any unfamiliar behavior on intrusion
attempts and act on them immediately. (Vijayan, 2007)
5.16 Trusted Path
CONTROL OBJECTIVE
Organizational policy should ensure that sensitive transaction data are exchanged only over a
trusted path. Sensitive information includes security management information, sensitive
transaction data, passwords and cryptographic keys. To achieve this, trusted channels may
need to be established using encryption between users, between users and systems, and
between systems.
Recommendations:
TJX needs to first upgrade their wireless security to WPA2 security at all stores. This is
especially vital given the original break-in occurred via a wireless connection. All internal data
exchange needs to be done over secure LAN and WAN links with security at a strong level and
managed by their network infrastructure team. All work done from remote machines needs
to be done via secured VPN connection requiring login authentication. All web pages
containing customer data must use SSL to protect customer data.
5.17 Protection of Security Functions
CONTROL OBJECTIVE
Security-related hardware and software should at all times be protected against tampering
and against disclosure of secret keys to maintain their integrity. In addition, organizations
should keep a low profile about their security design, but should not base their security on the
design being secret.
Recommendations:
All software, hardware and firmware need to be updated on a regular basis across all devices
(preferably once a month). Software managing their wireless access points needs immediate
attention to be made more secure (stronger passwords) with the goal of moving to WPA2
security in the near future. Once WPA2 is implemented the software needs to be fully
secured with password information given out to very limited staff with the passwords for this
(and all passwords across all systems) being forced to change on a regular basis. All
workstations must be password protected and forced to use a login ID that can be traced to
an individual. All workstations must be locked and not easily accessible for non-approved
people.