CSI2102- Information Security
Assignment 01 – Information Security Case Study Semester 02, 2019
Title: Information Security Assignment 1
The purpose of this assignment is to support the following unit Learning Outcomes (LO) for this unit:
LO 1: Evaluate the advantages, disadvantages, threats and vulnerabilities associated with various IT environments.
LO 2: Apply concepts, principles and techniques relating to the security of information.
LO 3: Synthesise data gathered from a variety sources.
LO 4: Identify the importance of information to organisations and society in general. LO 5: Outline the ethical and legal issues associated with information security and analyse their implications.
Task: Target Case Study
This assignment will rely on material from week 1 through 4 and additional research. In Week 2 we briefly looked at an article, Target Investigating Data Breach. Assignment 1 will extend on week 2 where you are required to further investigate the Target breach and complete the following tasks.
Note: You will need to read about the Target breach from multiple sources,do not reply on one paperalone.
Using the unit material (particularly the first four modules) and academic literature, present a small report on the Target breach.
Your report should address:
Must show the unit codeand title, assignment title, your nameand student number,due date and the title of your topic.
Table of Contents
Introduce the report, define its scope and state any assumptions. Use in- text references
Main report content
The report should address the task outlined above.
A listof end-text references formatted according to the ECU requirements usingAPA 6th format. It is recommended that Endnote is used tomanage references. Your references should ideally comprise of books, journal articles and conference papers.
This report should be between 1000 and 1500 words (excluding references and diagrams) and labelled as <lastname_firstname_StudentID_CSI2102_Assignment_1
>.docx and should be in a single file.
Your assignments must be word-processed and the diagrams be developed using graphics software (most word-processors provide this facility). The text must be no
smaller than 12pt and font Times New Roman
This report has shed light on security breach occurred in Target stores. The report has provided brief information on target breach that resulted in POS intrusion and vulnerability of vendor portals of Target. It has also provided the implication of CIA (Confidentiality, Integrity and Availability) which can be utilised to secure information in computerised environment. The latter section has discussed the protective framework of Target that worked and also identified failed protection.
The development of technological environment has increased illegal intrusion of system employed in organisations and institutions. This report has considered the data security breach occurred in Target in 2013 and breached the information of individuals that are mostly consumer and business information. It has provided a brief overview on target breach and also discussed the correlation between securing computer information and CIA (Confidentiality, Integrity and Availability) triad.
The security breach of informative data in Target was primarily conducted to acquire information of consumer data. The hacking activity focussed on acquisition of consumer information that shopped in Target store with credit and debit cards. It has been stated by Pandya & Patel (2018) that breach of retail store often regulates the business performance and also brings down the faith of consumers over business organisation. The opinion of author can be resonated with the breach in Target because information breach has compromised the POS (Point of Sale) system implied by Target. Target has been operational in United States and Canada with a total retail store of more than 1800 (target.com, 2019). The negative impact on consumer trust and interruption of social as well as business function has led management of Target to sack CEO and other employees deployed to create secured technical environment. It has been found out that Target breach has led to stealing of 41 million regular consumers (bankinfosecurity.com, 2013). The informative content that were reported to have been stolen from Target IS are three electronic card information and three digital codes along with passwords of consumers that were utilised to make transactions.
The breach on POS system of Target was organised to acquire first hand information on customer purchase and their personal information stored in computer database of Target. As per the opinion of Safa, Von Solms & Furnell (2016) breach on POS system can impose financial losses from future sales and psychological impact on consumer. The highlighting factor can be termed authentic for Target case that POS intrusion has resulted in brand popularity as they are mostly active in US and Canada.
Loss of Vendor portal confidentiality
Vendor portal is supposed to be secured by organisations to increase the trust between relationship of company with vendors and suppliers. However, breach of vendor portal could not only propagate false information but also reduced the supply chain process of Target. As per the case of data breach in Target, it exposed hackers with sensitive information such as virtualisation software details and security patches that were implied by Target to make secure communication with vendors (Radichel, 2014). Loss of specific detail has not only introduced negative impact on vendor details but also revealed information regarding the operational process in Target.
The infiltrated network of Target has empowered the attackers to take charge of administrative procedure. Soomro, Shah & Ahmed (2016) has advised that administrative privileges of any organisation need to be managed securely so as to avoid complications in business activity. This access has allowed attackers to bypass highly encrypted stage of IS security in Target.
Mis-configuration of domain control
The unwanted activity of domain control has compromised the business facility to communicate with stakeholders of Target. This threat has allowed attackers to take charge of Target’s central authorization procedure and also changed the endpoint services implied for monitoring the business process.
Threats of TARGET
Loss of Vendor portal confidentiality
Mis-configuration of domain control
|Information on customer purchase|
|Propagation of false information|
|Complication in supply chain process|
|Administrative privileges to attackers|
|Bypass highly encrypted stage|
|Compromised communication with stakeholders|
|charge of central authorization portal|
Figure 1: Mind map
(Source: Created by author)
The information security of a particular system is mainly applied to acquire confidentiality, protecting the integrity and make information available for only authorised person. The trinity of CIA triad helps in following the technological policy implied by the governing body of network. According to the views of Safa et al. (2015) CIA triad allows an operator to ensure accuracy, availability and possession of correct information. These by-products of CIA triad do not only help in accessing the informative content without any disturbance but also result in securing the data being occupied by crashed hard drives. The principle of CIA is also considered to be three key principles of Confidentiality, Integrity and Availability.
This principle signifies the secured nature of information that cannot be accessed due to protection mechanism implied for data. McCormac et al. (2017) has considered Confidentiality principle as the crucial aspect of CIA triad and also attacked by various hackers. Some of the techniques such as encrypted framework is implied to secure data.
Integrity principle ensures that data secured are of authentic nature and cannot be subjected to change from original source. The provision of integrity result in maintaining the trust of receiver
This principle is relevant to ensure that secured information can be made available for individuals with authorisation.
The secured access of informative content in computerised environment requires the confidentiality of company information so that exploitation from competitive companies can be avoided. It can be mentioned that confidentiality principle helps in understanding the methods that can be employed to secure company data. The security breach occurred in Target business can be relatable to confidentiality principle because it mostly acquired control of administration and consumer data. Mosenia & Jha (2016) has stated that confidentiality breach of consumer data does not only expose them to financial transaction that took place between company and consumer. This information breach along with threat of vulnerability in vendor portal has not only disclosed vendor information to hackers. It also resulted in trust breach of consumers and suppliers from Target. Therefore, breach of security also made consequential effect on integrity of Target consumers. Loss of consumer trust has not only resulted in derailment of popularity but also loss of potential consumer base. On the contrary, Tan et al. (2018) has stated that relations between breach of security and availability are required to ensure information can be available to consumers. The need to meet consumer demand can be acquired by Target through proper use of availability of information.
The protection of confidential information from illegal hacking was generally blocked by installation of defence in depth security mechanism. This particular system is more of a single layered protection wall that allowed Target employees to detect minor issues in illegal activity during monetary transaction and also control the monitoring system of cameras employed in Target. It has been pointed by Kumar, Raj & Jelciana (2018) that defence in depth ensures the encryption of documents. Therefore, it can also be mentioned that Target has also employed encryption algorithm for securing the physical access of hardware components. Encryption of documents allowed Target to reduce the availability of information to third party components.
Implementation of defence in depth content in Target has worked in identifying the source of hacking activity that acquired access to consumer data. It has also resulted in better infrastructure for management of customer data by alerting them about the breach. On the other hand, Tan et al. (2018) has stated that failure of encryption often result in illegal acquisition of personalised information of company. This viewpoint points out that encryption mechanism has not worked in Target as it could not be able maintain CIA principle and resulted in theft of consumer and vendor data.
The legal aspect provided by National Conference of State Legislation in United States is being utilised as a key legal boundary for attackers and private companies to refrain from illegal intrusion of computer. It has been noticed that legislative department of US has instructed private companies to employ relevant security measures that could help them in avoiding data breach. As per section 21 of Data Security and Notification Act, companies that are intruded by illegal activity have to inform their consumers regarding the breach (congress.gov, 2019). One of the major ethical issues that can be associated with Target breach is that they have not paid necessary attention to antimalware and data protection system to protect their consumer data. Target has not also followed CIA principle to ensure firewall against illegal access of vendor and consumer information.
CIA triad is the most relevant aspect of information system as it manages the secured nature, trust and information availability. Report has pointed to the conclusion that Target has only implemented single layer protection system for managing the illegal intrusion of hackers. The primary reason that motivates hackers to acquire information data through unethical means is to acquire personal information of user. These data can either be sold to third party or manipulated to create ransom ware demands.