CSI2102 Security Breach Occurred in Target Stores Assignment 1 Answer
This report examines the security breach that occurred in Target stores. It provides brief information on the Target breach, which resulted in POS intrusion and exposed the vulnerability of Target's vendor portals. It also explains the implications of the CIA (Confidentiality, Integrity and Availability) triad, which can be used to secure information in a computerised environment. The final section discusses the parts of Target's protective framework that worked and identifies the protections that failed.
The development of the technological environment has increased illegal intrusion into systems employed in organisations and institutions. This report considers the data security breach that occurred at Target in 2013, which exposed the information of individuals, mostly consumer and business information. It provides a brief overview of the Target breach and discusses the correlation between securing computer information and the CIA (Confidentiality, Integrity and Availability) triad.
Description of the Target breach
The security breach at Target was conducted primarily to acquire consumer data. The hacking activity focussed on acquiring the information of consumers who shopped in Target stores with credit and debit cards. Pandya & Patel (2018) state that a breach of a retail store often affects business performance and also reduces consumers' faith in the business organisation. This opinion resonates with the Target breach because the breach compromised the POS (Point of Sale) system used by Target. Target operates in the United States and Canada with a total of more than 1800 retail stores (target.com, 2019). The negative impact on consumer trust and the interruption of social as well as business functions led Target's management to sack the CEO and other employees deployed to create a secured technical environment. The Target breach led to the theft of data belonging to 41 million regular consumers (bankinfosecurity.com, 2013). The information reported stolen from Target's IS comprised three items of electronic card information and three digital codes, along with the passwords consumers used to make transactions.
Threats faced by Target and depiction of threats with a mind map
The breach of Target's POS system was organised to acquire first-hand information on customer purchases and the personal information stored in Target's computer database. According to Safa, Von Solms & Furnell (2016), a breach of a POS system can impose financial losses from future sales and a psychological impact on consumers. This holds for the Target case, where the POS intrusion has affected brand popularity, as Target is mostly active in the US and Canada.
Loss of Vendor portal confidentiality
A vendor portal is supposed to be secured by an organisation to increase trust in the relationship between the company and its vendors and suppliers. However, the breach of the vendor portal could not only propagate false information but also hampered Target's supply chain process. In the Target data breach, it exposed sensitive information to the hackers, such as details of the virtualisation software and security patches that Target used to communicate securely with vendors (Radichel, 2014). The loss of these details has not only had a negative impact on vendor details but also revealed information about Target's operational processes.
The infiltrated network of Target enabled the attackers to take charge of administrative procedures. Soomro, Shah & Ahmed (2016) advise that the administrative privileges of any organisation need to be managed securely to avoid complications in business activity. This access allowed the attackers to bypass the highly encrypted stage of IS security at Target.
Mis-configuration of domain control
The unwanted activity in domain control compromised Target's ability to communicate with its stakeholders. This threat allowed the attackers to take charge of Target's central authorization procedure and also to change the endpoint services used for monitoring the business process.
Figure 1: Mind map of the threats of Target (Source: Created by author). Nodes shown: Loss of vendor portal confidentiality; Mis-configuration of domain control; Information on customer purchase; Propagation of false information; Complication in supply chain process; Administrative privileges to attackers; Bypass of highly encrypted stage; Compromised communication with stakeholders; Charge of central authorization portal.
Discussion of CIA triad
Information security for a particular system is mainly applied to achieve confidentiality, protect integrity and make information available only to authorised persons. The CIA triad helps in following the technological policy set by the governing body of a network. According to Safa et al. (2015), the CIA triad allows an operator to ensure the accuracy, availability and possession of correct information. These by-products of the CIA triad not only help in accessing information without disturbance but also help secure data held on crashed hard drives. The CIA triad consists of three key principles: Confidentiality, Integrity and Availability.
The confidentiality principle signifies that information is secured and cannot be accessed because of the protection mechanisms applied to the data. McCormac et al. (2017) consider confidentiality the crucial aspect of the CIA triad and one that is attacked by various hackers. Techniques such as an encrypted framework are applied to secure data.
The integrity principle ensures that secured data are authentic and cannot be changed from the original source. The provision of integrity results in maintaining the trust of the receiver.
The availability principle ensures that secured information can be made available to authorised individuals.
Relation of CIA triad principles with information security
Secured access to information in a computerised environment requires the confidentiality of company information so that exploitation by competing companies can be avoided. The confidentiality principle helps in understanding the methods that can be employed to secure company data. The security breach at Target relates to the confidentiality principle because the attackers mostly acquired control of administration and consumer data. Mosenia & Jha (2016) state that a confidentiality breach of consumer data does not only expose the financial transactions that took place between the company and the consumer. This information breach, together with the vulnerability in the vendor portal, not only disclosed vendor information to hackers but also resulted in a breach of the trust that consumers and suppliers placed in Target. Therefore, the security breach also had a consequential effect on the integrity of Target consumers. The loss of consumer trust has resulted not only in a decline in popularity but also in the loss of a potential consumer base. On the contrary, Tan et al. (2018) state that the relation between a breach of security and availability is needed to ensure that information remains available to consumers. Target can meet consumer demand through proper use of the availability of information.
Protections employed and identification of failure
Illegal hacking of confidential information was generally blocked by the installation of a defence in depth security mechanism. This particular system is more of a single-layered protection wall that allowed Target employees to detect minor issues of illegal activity during monetary transactions and also to control the monitoring system of cameras employed in Target. Kumar, Raj & Jelciana (2018) point out that defence in depth ensures the encryption of documents. Therefore, Target also employed an encryption algorithm for securing physical access to hardware components. Encryption of documents allowed Target to reduce the availability of information to third-party components.
The implementation of defence in depth at Target worked in identifying the source of the hacking activity that gained access to consumer data. It also resulted in better infrastructure for the management of customer data by alerting them about the breach. On the other hand, Tan et al. (2018) state that the failure of encryption often results in the illegal acquisition of a company's personal information. This viewpoint indicates that the encryption mechanism did not work at Target, as it could not maintain the CIA principles and resulted in the theft of consumer and vendor data.
Legal and ethical constraints with security breach
The legal framework provided by the National Conference of State Legislation in the United States is used as a key legal boundary for attackers and private companies to refrain from illegal intrusion into computers. The legislative department of the US has instructed private companies to employ relevant security measures that could help them avoid data breaches. As per section 21 of the Data Security and Notification Act, companies that suffer an illegal intrusion have to inform their consumers about the breach (congress.gov, 2019). One of the major ethical issues associated with the Target breach is that Target did not pay the necessary attention to its antimalware and data protection systems to protect consumer data. Target also did not follow the CIA principles to ensure a firewall against illegal access to vendor and consumer information.
The CIA triad is the most relevant aspect of an information system, as it manages the secured nature, trust and availability of information. The report concludes that Target implemented only a single-layer protection system for managing illegal intrusion by hackers. The primary motivation for hackers to acquire data through unethical means is to obtain users' personal information. These data can either be sold to third parties or manipulated to create ransomware demands.