Capstone for IT Security

1. P r e p a r e d fo r : D r. T h e o O w u s u
P r e s e n t e r s
S a n t o s C a l d e r o n
B re t t C h i c ke y
D a v e D e l v a
I v e t t e D u ra n
Ve r o n i c a P e r e i ra
Capstone Experience: Security and Network Assurance - ISM4331
Target Capstone Presentation

2. Resolution
Threat Analysis &
Overview of the 2013 Target Breach Events…
What data was compromised, and why incident happened
Steps of Target’s incident response measures
Introduction of new incident response plan
Mitigate future risks and strengthen defenses
Lessons learned & consequences
Additional measures implemented
Resources to enhance security
Protection against future breaches
Key Findings

3. Step ONE
Gather all available information.
Step TWO
Carefully analyze public, peer reviewed case studies
and legal documentation.
Step THREE
Lay out Target Breach event including Attackers, Tactics,
Techniques, and Procedures.
Step FOUR
Display failures surrounding the breach i.e., technical,
compliance, policy, software, & human error issues.
Step SIX
Presentation demonstrating Vulnerability Scan and
other best practices.
Step FIVE
Develop a plan and implement recommendations.
Analysis
Research &

4. Overview
Incident
The 2013 Target breach was one of the
biggest breaches of all time.
2.
70 million – The number of records stolen that
included the name, address, email address and phone
number of Target shoppers.
3.
2.5% − The percentage drop in profits at Target during
the fourth quarter of 2013, compared with the
previous year.
1.
40 million – The number of credit and debit cards
thieves stole from Target between Nov. 27 and
Dec. 15, 2013.
4
200 million – Estimated dollar cost to credit unions
and community banks for reissuing 21.8 million cards,
about half of the total stolen in the Target breach.4.

5. 5
Initial Alert
Target
Main Target Headquarters:
Minneapolis, MN, USA
Target’s Minneapolis headquarters is
where they manage more than 1800+
Target stores around the United States and
where the main security team is located.
Fire Eye Team:
Bangalore, India
India notified Target’s
Minneapolis security team about
the infiltration, but the signs were
ignored, and Target continued
normal operations.
Digital Privacy Environment revealed
that more than half of United States
citizens had encountered fraudulent
charges on their credit cards or
notices that their sensitive
information had been compromised
(Smith, 2017).

6. 6
Send phishing Email to Fazio
Mechanical employee; installs
Citadel malware to steal credentials
Target’s Web services
HVAC vendors
(administrative system)
Exploit web app through Xmlrpc.php;
add Web shell backdoor and
execute arbitrary OS commands
AD
Active Directory
New admin access created,
access Domain Admin credentials
Bypass
firewall
Data base
PCI Compliant
FTP-enabled machine
to transfer stolen
items to attackers
Attackers’ FTP server
ATTACK ON TARGET SYSTEMS
BREAKDOWN
POS:
Black POS malware
to steal credit card
info

7. 7
Financial Impact
Target’s
Total Impact of Breach
$292,000,000.00
$18,500,000.00
Other Settlements
Cost to Mastercard
Cost to Visa
Cost to Banks Class Action Lawsuits
$19,000,000.00
$39,400,000.00
$67,000,000.00
$10,000,000.00
$138,100,000.00
Other Costs to Target

8. $1.6M
$10M
$19.5M
Neiman Marcus
8
Summary
Created and filled the position of the
CISO (Chief Information Security
Officer) with the primary task to
protect customers’ personal
information (Schuman, 2017).
The hiring of a new IT security
team to build an information
security organization that
reports to the executives.
Equipped all locations with POS
devices that accept chip-and-pin
cards (Schuman, 2017).
Acquired a new tool to collect
and analyze Neiman Marcus
systems for potential threats.
Neiman Marcus
Target
Home Depot
Financial payouts incurred by each company
as a result of their individual breaches.

9. -2.5%
$20M
$6M
$27.25M
Stock Drops
After Attack
Payment to
Customers
Bank
Settlement
Monitoring
Costs
Total
Cost
$179M
Home Depot 9
• Black POS also effected Home Depot
• Home Depot’s perimeter network was accessed
after gaining third party vendor’s credentials.
• Attackers exploited a Microsoft Windows
Vulnerability to gain direct access to the POS
system..

10. Incident Response
“Attackers are always in disguise”
Identify the legal implications
Patient Privacy Rights , Disclosure of confidential information.
Loss of stored data, Physical loss of theft of portable devices.
Thumb drives, laptops, hard drives, opening case files.
Tools
Nessus Vulnerability Scan- Find vulnerabilities in your websites and
web APIs, Kali Linux tools, Industry vulnerabilities scanners. Manual
and automatic virus scanning systems, IDS-intrusion detection system.
10
Legal Implication
Security Incidents
Live Attack Tools
Over the past 10 years,
there have been 300 DATA
BREACHES involving the
theft of 100,000 OR MORE
RECORDS.
-Forbes
Signs to detect security incidents
Privileged account abuse, copied files or read. Access a system not
associated with their work, large numbers of manipulations with
personal data, old accounts become active.
Questions to Ask
Questions
When did the event the event happen, How was it discovered
How long has it been since discovery, Does it effect business
operations, was there an entry point to the attack?

11. Prepare
• Finalize team roles, prioritize assets, and
ensure open communication between
team members and the team and
stakeholders.
• Information to be gathered: baseline of
normal network activity, all users with
administrative access, what
vulnerabilities were exploited, the scope
of impact.
Report
• Who? What? Where? When? Why? How?
• Share analysis amongst teams
Identify
• Legal implications – privacy rights, disclosure
of confidential information, loss of data.
• Security incidents – privileged account
abuse, improperly accessed or copied files or
systems, data manipulation, activation of old
accounts.
CIO, Legal, Risk manager
Hire different skills sets (Networking, pen testing)
Find the best way to work with legal, HR, and Security
11
Methods
Preparation, Identification, and Reporting

12. • Strengthen infrastructure, increase staff
training, improved security requirements.
• Improve monitoring, vulnerability patching,
more proactive about anomalous behaviors.
• Submit a full incident report to all required
entities and stakeholders.
Recovery
• Shutdown and remove infected systems.
• Investigate and determine operational
status and monitor activities.
Containment
• Mitigate future threats by resetting all
user accounts, blocking IP addresses
from known threats, close ports, scan for
other vulnerabilities, and implementing
new security requirements.
Eradication
Solutions for Success
Containment, Eradication, Recovery
12

13. TSRM
Tamper Resistant
Security Module
EMV
Europay,
Mastercard, Visa
Login Attempts
Predetermined
Quantity
Secure Link
Third Party
Remote Access
Encryption & Access Control
13
Access ControlEncryption Access ControlEncryption
Action Plan

14. Yubikey
Usage
Isolating Administrator
Accounts
Continuous
Training
Storing Audit
Records
Administrator Accounts
Action Plan

15. Vendor
Penetration
Test verified
Separate
networks
For PCI
environment
15
Vendor rights
removed within
a set time frame
Chain of
Command
notification
Software Center
Configuration Manager
Do not allow
installation of
unneeded
applications
Migration to
newest version
Separate IIS site
System off the site
server
Restrict access,
implement
read/write only to
appropriate users
SCCM
Action Plan
Backdoors

16. VM Software
16
Centralized
Name Resolution
16
Each account
must have a
separate, unique
password
Separation by
sensitivity levels
AD forests will
be segmented
Private keys are
stored with
encryption
Zone data protection
through digital
signatures
Limit resources
through different
zones
Action Plan

17. 1
2
3
1
2
3
Patches are tested and department
liaisons notified before deployment.
Scheduled, planned and phased patching in stages
Routine Monthly Patching
Isolation of unpatched assets
Emergency Patching
Automatic updates not suggested in an
enterprise environment. Update by
priority, after testing and verification.
Isolate and backup with snapshots
Critical alerts indicated with different
colors and are animated or flashing.
Time limit for alerts
Adaptive Warnings
Inform directly and non-directly
involved staff.
Collaboration meeting on alerts
Team Communication
Monitor traffic on a daily schedule,
log access, notification of elevated
accounts, all FireEye and similar
alerts are prioritized.
Traffic authorized
Traffic Identified
17
Patches Alerts
Asset Identification and assessment.
Migrate Legacy Systems
Action Plan

18. 18
Recommendation
Active Directory
I created an Organization Unit (OU) called
Administrator in the Domain Control. I included
all team members' names in that OU to permit
Administrative access to Target's domain. In
addition, I created a second OU called Domain
Users and I added the User account Fazio
Vendor. Least privilege access is applied here
since this account does not have administrative
privileges.

19. 19
Active Directory
Recommendation (cont.)

20. Must be complex (capital and lowercase
letters, numerals, & special characters)
Initial Training
Refresher Training
More than eight characters
60
DAYS
Max. Password Age
6
MONTHS
If breach occurs,
password will be reset
to 30-day age.
Recommendations
20
Password Requirements
Employee Training
Best Practices
Policy

21. Policy Recommendation
Training Employees on Phishing Emails 21

22. 228
DAYS
Mean Time
to Identify
$102k
Estimated Cost
Average yearly salary for
a tier-one Analyst
83
DAYS
Mean Time
to Contain
Cost Estimates
Lifecycle Cost
$3.334 Million
22
Recommendations

23. Confidential
Information
Standards
Corporations today store their Intangible assets, intellectual property, and valuable
assets electronically. This information is collected effectively and is fundamental to
life today. One of the most important assets that a company holds is PII.
Right to Privacy
With growing technology, companies can
face data breaches with just one mishap.
Right-to-privacy is a fundamental right of
the people. The right-to-privacy is an
appropriate use of personal information.
Standards
There is no real mechanism for
enforcement. Security has no mandatory
standards for cyber ethics.
Confidential Information
A data breach occurs when there is an
unauthorized acquisition of computerized data
that compromises security, confidentiality, and
integrity of PII.
Roles and Responsibility
Selecting the proper staff and roles with
responsibilities associated with each task.
Not falling prey to a phishing attack.
Implications
Possible Ethical
23
Right to Privacy
Roles and
Responsibility

24. Desired Skills
• Vulnerability scanning (Nessus, Nmap, Acunetix, WhatsupGold)
• Virtual machine creation and maintenance
Requirements surrounding consumer payment system encryption and isolation
• System Center Configuration Manager
• User and administrator account safety and management in
multiple network environments
+
Centralized Name Resolution
implementation and
maintenance
IPS/IDS System
implementation
Advanced knowledge
surrounding antivirus and
anti-malware strategies
24
Firewall implementation
and maintenance
Detection and Safe Removal
Understanding of technical
Documentation and writing

25. 25
Vulnerability Scanner
Nessus
Essentials
$0 / yearly
Scan 16 IP addresses
High speed, in-depth
assessment
Free training and
guidance
Support via Tenable
Community
Education & Individuals
Tenable.io
249 assets
Unlimited Nessus
Scanners
Role-Based Access
Control
Enterprise Scalability
$16,994 / 2 years
Enterprise
Professional
Use anywhere
Advanced support
$5,440 / 2 years
Consultants, Pen Testers
Unlimited assessments
Configurable Reports
https://www.tenable.com/products/nessus

26. https//www.acunetix.com/ordering
50+ websites assets starts at $26,995
Target 1,898 stores in the U.S. with 44
distribution centers in the U.S.
Acunetix – Enterprise Web Security
https://www.whatsupgold.com/editions
Basic: $500
Bronze: $1,800
Silver: $2,700
Gold: $3,600
WhatsupGold
26
Tools
Acunetix WhatsupGold

27. 27
Nessus Vulnerability Scan
Nmap
Demonstration