Learning Some Lessons from the Home Depot Data Breach

By Patrick McCulley |

Introduction

This column, like its predecessors, is intended for the C-level audience, or senior IT management at both startups and successful organisations. The author intends to communicate sound security concepts and strategies on a broad, easy to grasp level, focusing on their impacts to business profitability.

More Saving, Less Security

Home Depot’s slogan ‘More Saving, More Doing’ is intended to portray a budget-friendly business, delivering savings to the consumer which, in their words, allows the consumer to do more. Sadly, it seems that The Home Depot applied a flawed version of this business mindset towards its handling of security: A New York Times article by Julie Creswell and Nicole Perlroth describes a culture of security missteps, much like those of Target. Creswell and Perlroth interview a number of employees formerly with Target’s Information Security Team, who allege a corporate culture towards security which could be described as willful neglect, never mind due diligence.

According to the article, after the Target breach, Home Depot CEO Frank Blake “assembled a team to determine how to protect the company’s network from a similar attack.” Reactionism is always the wrong answer, as it accomplishes little more than to make missteps discovered during incident post-mortem all the more obvious.

Every sound security strategy relies on executive and managerial due diligence to be effective: your security will only be as thorough as the persons responsible for upholding and directing its compliance. A tale as old as the industry itself, Home Depot management allegedly dismissed security concerns, despite being warned for years by multiple information security professionals in their own employ.

When the management of any corporation undermines the ability of its skilled workers to perform their due diligence, they put the entire corporation at risk. Home Depot’s stock will doubtlessly fall, revenue will be impacted, quarterly earnings will take a hit – and its CEO may resign. Ultimately, the CEO is responsible for the health of the corporation, and this includes its security posture.

If the CEO is undermined by the lower rungs of management, a corporation’s security strategy amounts to nothing more than empty words which lack authoritative enforcement – security in name only.

Due Diligence – At Every Level, In Every Domain

Internet-centric criminals love management which ignore security warnings. They love CEOs who under-fund the IT department. They cheer their good fortune in breaching a company whose security staff are either unqualified for or lax about their duties. They cheer the CIO who has only soft skills and lacks the technical knowledge to vet security policy implementation. Why?

Individuals who display a lack of eagerness to perform due diligence will likely be lax in other areas, as will the corporation as a whole. A skilled tech worker – an information security professional – who is able to remain employed despite lack of qualifications or performance, stays employed because the management also lacks the requisite knowledge and experience to see them for what they are: ill-suited for the task at hand. This problem of skilled management and labor is self-compounding, putting the corporation at serious risk. Can you honestly tell your customers “We take security seriously” if your management can’t even spot the charlatans in their midst, or worse, undermine valuable employees?

Every level of the Information Security process must be vetted and audited, both internally and externally. This means ensuring that your employees display the appropriate skills and motivations for their positions, ensuring that your CIO displays both the soft skills to deliver compliance reports to the board and the hard skills to be able to spot employee malfeasance, and by proxy the unqualified.

Just as an effective security policy must be enforced and audited at every level of responsibility, an effective security policy must cover every effective domain – from the type and number of security mechanisms your office is equipped with, to assigning a person responsible for auditing the list of authorised remote VPN users. Every aspect of every potential entry point must be examined: oversight, whether it be from unqualified or unmotivated personnel, will ultimately contribute to a catastrophic data breach.

Worst Practices

Ultimately, corporations like Target and Home Depot can serve as learning mechanisms for the rest of us – should we choose to do so.

As noted by security researcher Brian Krebs, who first broke both the Target and Home Depot data breach stories, some security researchers suspect the same group of individuals are behind both incidents – indeed, even the missteps by the retailers fall into the same broad categories; management ignoring warnings, unqualified or malfeasant personnel a part of the equation, outdated or inappropriate antivirus software being used… the list of poor decisions seemingly made is extensive.

Unsurprisingly, both situations resulted in the same outcome: a catastrophic data breach. The CEO of Home Depot is now the owner of the largest credit card data breach in history, totalling some 56 million compromised accounts – a significant, if not large percentage of their total customer-base. According to the article by Creswell and Perlroth, Home Depot marked a number of systems as off-limits to its required quarterly security audits for Payment Card Industry compliance standards, saying that its corporate systems were separate from the Point of Sale network; ultimately, such a decision harms only the customer.

A corporation has nothing to lose from performing a security audit, especially one it thinks it doesn’t need: hubris in the age of information leads only to disaster (or worse, the Streisand Effect). Security audits performed by professional penetration testers will attempt to break into your organisation from both the outside and the inside, doing their best to access data you don’t want falling into the hands of criminals. These professionals will find – and help you fix – the holes in your security which leave you vulnerable to the ways that Target and Home Depot were apparently compromised.

Regardless of the domain in which they occur, lapses in security which result in a catastrophic data breach will ultimately bear responsibility upon senior management: the CISO, the CIO and the CEO – and in both cases, Home Depot and Target, management takes a pivotal role. Target’s former CIO Beth Jacob resigned after the data breach, yet it was not widely reported that she lacked any background in Information Technology. Similarly, management at Home Depot is described as having repeatedly ignored warnings from multiple information security professionals over a period of years – a systematic and catastrophic series of poor decisions.

If you’re the CEO, learn from the mistakes of your peers: build information security into your corporation’s culture from the ground up, starting with leadership: embrace sound security concepts, vet your personnel and espouse the importance of doing so… your corporation will follow your example.