Cybersecurity Research Paper instructions
Select a research topic from the list below. After selecting your
topic, research the incident using news articles, magazine
articles (trade press), journal articles, and/or technical reports
from government and industry.
TJ Maxx Security breach
For a grade of A, a minimum of five authoritative sources are
required.
Your research is to be incorporated into the students' 3- to 5-page written analysis of the attack or incident. Your report is to be prepared using basic APA formatting (see below) and submitted as an MS Word attachment to the Cybersecurity Research Paper entry in your assignments folder.
This paper must be plagiarism free. I will have to turn it in
using turnitin.com!
Below is one source that should be used for this paper. I will
also send the full text pdf for the source.
Source 1
Berg, G. G., Freeman, M. S., & Schneider, K. N. (2008). Analyzing the TJ Maxx Data Security Fiasco. CPA Journal, 78(8), 34-37.
ACCOUNTING & AUDITING
auditing
Analyzing the TJ Maxx Data Security Fiasco
Lessons for Auditors
By Gary G. Berg, Michelle S. Freeman, and Kent N. Schneider
In January 2007, TJX Companies, Inc. (TJX), the parent company of retail chains such as T.J. Maxx and Marshalls, issued a press release announcing that its computer systems had been breached and that customer information had been stolen. As the investigation into the crime continued during 2007, estimates of the number of customers affected skyrocketed. Other reports indicated that at least 94 million Visa and MasterCard accounts had been compromised, with losses projected to approach $4.5 billion. As expected, Visa and MasterCard are seeking to recoup these losses from TJX. The sheer scale of the security breach should cause auditors to wonder about the implications for their professional practice.
What Went Wrong at TJX?
Investigations into the TJX case appear to indicate that the company was not in compliance with the Payment Card Industry (PCI) data security standards established in 2004 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Reports identified three major areas of vulnerability: inadequate wireless network security, improper storage of customer data, and failure to encrypt customer account data.
Inadequate wireless network security. The store where the initial breach occurred was using a wireless network that was inadequately secured. Specifically, the network was using a security protocol known as wired equivalent privacy (WEP). One problem with WEP security is that it is easy to crack. In fact, researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute. More important, WEP does not satisfy industry standards that require the use of the much stronger WPA (Wi-Fi Protected Access) protocol. After breaking into the store's network, the hackers then breached security at the corporate headquarters and obtained the customer account information stored there. According to a May 4, 2007, Wall Street Journal article, the intruders had access to the TJX records for 18 months without being detected.
Improper storage of customer data. The TJX data storage practices also appear to have violated industry standards. Reports indicate that the company was storing the full-track contents scanned from each customer's card. Moreover, customer records appear to have included the card-validation code (CVC) number and the personal identification numbers (PIN) associated with the customer cards. PCI Data Security Standard 3.2 clearly states that after payment authorization is received, a merchant is not to store sensitive data, such as the CVC, PIN, or full-track information. Exhibit 1 shows a comparison of key data items believed to have been stored by TJX, along with the relevant PCI standards.
Most likely, TJX did not retain this information with malicious intent. The company may have been using older point-of-sale (POS) software that had been designed to capture all card data and that could not be reconfigured to comply with PCI standards. This problem has been linked to credit-card security breaches at other retailers. Another possibility is that the POS software was adequate, but improperly configured.
34 AUGUST 2008 / THE CPA JOURNAL
Failure to encrypt customer data. Even if the hackers had been able to infiltrate the TJX corporate network and access the improperly stored customer records, it is likely that no harm would have resulted, had the customer data been securely encrypted. Given the large number of fraudulent transactions traced back to the TJX breach, it is obvious that either the data had not been encrypted, or the hackers stole the encryption key. In either case, industry standards were not maintained by TJX. PCI Data Security Standard 3.4 requires that at minimum, the customer's "primary account number" (i.e., the customer's card number) be "rendered unreadable." Furthermore, PCI Data Security Standards 3.5 and 3.6 require merchants to protect the encryption keys used for protecting customer data from disclosure and misuse.
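As an added illustration of the two storage rules just cited (this is example code, not from the article and not TJX's or any vendor's software), the following Python models the data items of Exhibit 1: it parses a magnetic-stripe Track 2 string, builds the post-authorization record a merchant may keep, and audits a stored record for the two failures the article describes, retained sensitive authentication data (PCI DSS 3.2) and a PAN that has not been rendered unreadable (PCI DSS 3.4). All records are constructed samples built around the well-known Visa test PAN; the masking split of first six and last four digits and the Luhn check used to recognise a raw PAN are this example's assumptions, not text from the article.

```python
"""PCI post-authorization retention check (added example, not from the article)."""
import re

# Fields that PCI DSS 3.2 says must not be kept after authorization, even
# encrypted: the "Sensitive Authentication Data" rows of Exhibit 1.
SENSITIVE_AUTH_FIELDS = ("full_track", "cvc2", "pin", "pin_block")

# Track 2 layout: start sentinel ';', PAN, '=' separator, expiry YYMM,
# 3-digit service code, issuer discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum; used to spot a raw PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into PAN, expiry, service code and discretionary data."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 string")
    return {"pan": m["pan"], "expiry": m["exp"],
            "service_code": m["svc"], "discretionary": m["disc"]}


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable for storage (PCI DSS 3.4).
    Assumption: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_post_auth_record(track2: str, cardholder_name: str) -> dict:
    """Keep only the 'Cardholder Data' rows of Exhibit 1. The full track, the
    discretionary data, CVC2 and PIN are never written to storage at all."""
    t = parse_track2(track2)
    return {
        "pan": mask_pan(t["pan"]),
        "cardholder_name": cardholder_name,
        "expiry": t["expiry"],
        "service_code": t["service_code"],
    }


def audit_stored_record(record: dict) -> list:
    """Return the PCI findings for one stored record (empty list = compliant)."""
    findings = []
    kept = [f for f in SENSITIVE_AUTH_FIELDS if record.get(f)]
    if kept:
        findings.append("PCI DSS 3.2: sensitive authentication data retained "
                        "after authorization: " + ", ".join(kept))
    pan = str(record.get("pan", ""))
    # A digit string of card length that passes Luhn is a readable PAN.
    if pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan):
        findings.append("PCI DSS 3.4: PAN stored in readable form")
    return findings


# Constructed sample swipe: the Visa test PAN with a made-up expiry
# (Dec 2029), service code 101 and discretionary data.
TRACK2_SAMPLE = ";4111111111111111=29121011234567890?"

# Constructed record shaped like the retention practice Exhibit 1 attributes to TJX.
LEGACY_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "TEST CARDHOLDER",
    "expiry": "2912",
    "service_code": "101",
    "full_track": TRACK2_SAMPLE,
    "cvc2": "123",
    "pin_block": "A1B2C3D4E5F60718",
}

# What the same swipe looks like when stored the way the standard requires.
COMPLIANT_RECORD = build_post_auth_record(TRACK2_SAMPLE, "TEST CARDHOLDER")

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_RECORD), ("compliant", COMPLIANT_RECORD)):
        print(name, audit_stored_record(rec) or ["no findings"])
```

Run against the legacy record the audit reports both findings; against the record built by `build_post_auth_record` it reports none, which is the point of the article's Exhibit 1: the compliant design does not encrypt the forbidden fields better, it never stores them.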
How the TJX Breach Affects Audit Practices
At first, the TJX fiasco appears to offer an object lesson for retailers' IT departments, rather than auditors. After all, customers' credit card numbers are not the retailer's asset to protect; rather, the sales transaction itself is what accounting internal controls have traditionally sought to secure. With the advent of Statement on Auditing Standards (SAS) 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, internal control clearly extends beyond protecting one's own assets. SAS 109 requires auditors to "audit the business, and not just the books" when evaluating the risks of a client's financial statements containing a material misstatement. Specifically, SAS 109 requires an understanding of: 1) the entity and its environment; 2) the entity's internal control environment; and 3) susceptibility of the entity's financial statements to material misstatement resulting from liabilities.
Understanding the entity and its environment. Retailers cannot continue to operate by looking after only their own assets, as seen in the TJX debacle. Customer credit and debit card information is a valued target of data thieves. Technology has made purchasing information more valuable than actual currency, because it can be used to run up huge bills for the original cardholders. These victims are left with the lengthy, painful task of restoring their good credit ratings. To protect against data theft, consumers can refrain from using debit and credit cards (an inconvenient option), or refrain from shopping at stores that suffer data breaches. In other words, it is ultimately in the best interest of retailers to follow industry standards and protect customer credit and debit card records.
Understanding the entity's internal control environment. In the digital economy, retailers must implement both physical and electronic controls. For example, stores should have physical control over the credit card scanners at checkout locations by bolting them to the counter. Otherwise, a thief could replace a retailer's scanner with an identical-looking scanner that also stores scanned customer information on a hidden
chip. Later, the thief could return to the store and switch scanners again, walking away with the customer data accumulated in the interim.
Understanding the risk of material misstatement resulting from contingent liabilities. Although customer purchasing information is not an asset of the retailer, possession of that information imposes great responsibility on the retailer, and failure to protect that information can result in huge liabilities.
EXHIBIT 1
Suspected TJX Data Retention Practice Compared with PCI Standards

Category                         Data Item                      Data Retained by TJX   PCI Retention Standards
Cardholder Data                  Primary Account Number (PAN)   Yes                    Yes
                                 Cardholder Name*               Yes                    Yes
                                 Service Code*                  Yes                    Yes
                                 Expiration Date*               Yes                    Yes
Sensitive Authentication Data†   Full Magnetic Stripe           Yes                    No
                                 CVC2/CVV2/CID                  Yes                    No
                                 PIN/PIN Block                  Yes                    No

* Must be protected if stored in conjunction with PAN.
† Sensitive authentication data must not be stored after authorization (even if encrypted).
EXHIBIT 2
Auditor's Checklist
Exposure to Contingent Liabilities from Theft of Customer Data

Question                                                                                Higher Exposure   Lower Exposure
Is there wireless access to the company's network?                                      Yes               No
Is the company's wireless network secured using WPA encryption and a strong password?   No                Yes
Does it conform to PCI standards?                                                       No                Yes
Are the company's data storage practices and security over stored customer data         No                Yes
  reasonable?
Does the company have reasonable data-retention policies and practices?                 No                Yes
Does the company retain customer data for a reasonable length of time?                  No                Yes
Are policies in place to notify customers of possible security breaches?                No                Yes
Does the company conduct background checks on employees?                                No                Yes
Does the company train employees on the importance of maintaining confidentiality       No                Yes
  of customer data?
One source of potential liability is the contracts that the retailer makes with card issuers in order for the store to accept credit and debit cards as payment for transactions. Typically, these contracts require that merchants comply with PCI Data Security Standards. Failure to comply with the standards exposes a merchant to two types of liability. First, the contract with the card issuer provides for substantial penalties if the merchant does not comply with PCI standards. Second, and more significantly, merchants are subject to "push-back" liability for damages suffered by the card issuer as a result of the merchant's data breach. These losses sustained by card issuers include not only the fraudulent charges made on the accounts of the victims of identity theft, but also the administrative costs associated with the issuance of new cards to customers whose personal information may have been compromised. For TJX, the bulk of its liability will likely result from such push-back losses sustained by issuers.
Another source of risk to retailers is the growing number of state laws regarding notification of security breaches. According to the National Conference of State Legislatures "State Security Breach Notification Laws" webpage (www.ncsl.org/programs/lis/cip/priv/breachlaws.htm), as of May 1, 2008, at least 42 states, the District of Columbia, and Puerto Rico have legislation requiring notification of security breaches involving personal information.
The New York statute (New York State General Business Law section 899-aa, subsections 2 and 3) is fairly typical. It applies to any New York businesses that own, license, or maintain computerized data containing "private information," such as an individual's Social Security number, driver's license number, or account number, along with the required access code or password needed to permit access to an individual's financial account. These businesses must notify any New York resident whose private information was acquired, or believed to have been acquired, by someone without valid authorization. If the business fails to promptly notify the affected parties, the statute authorizes damages for actual costs or losses, including "consequential financial losses" [New York State General Business Law section 899-aa, subsection 6(a)].
What Auditors Can Learn from the TJX Fiasco
When evaluating the risks associated with a retailer's business, valuable lessons can be learned from the mistakes of TJX. Although TJX is a huge organization, these risks are equally applicable to mom-and-pop operations. Exhibit 2 summarizes these lessons.
First, check to see if there is wireless access to the company network. Even if company policy prohibits wireless routers, a renegade router installed by an employee may be connected. If wireless access does exist, evaluate the type of encryption used by the router. Make sure that a method prescribed by PCI standards, such as WPA or WPA2, is in use. Under no circumstances should WEP encryption be used. In addition, evaluate the strength of the log-on password and make sure that the router doesn't broadcast its network name or service set identifier (SSID). Where practical, the authors recommend configuring the router to restrict access to specific computers, using the unique media access control (MAC) address assigned to each authorized computer.
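As an added example of how an auditor might mechanise the wireless checks just listed (this code is not from the article, TJX, or any router vendor), the following Python reviews an access point's configuration for the same points: no WEP, WPA or WPA2 in use, a strong passphrase, an SSID that is not broadcast, and a MAC allow-list. It reads the key=value format of hostapd, the open-source access-point daemon, whose `wpa`, `wpa_passphrase`, `wep_key0`, `ignore_broadcast_ssid` and `macaddr_acl` settings are real; the two configurations are constructed, and the passphrase-strength threshold (16 characters, three character classes) is this example's assumption rather than a PCI requirement.

```python
"""Review an access-point configuration against the article's wireless checklist.

Added example, not from the CPA Journal article. Parses hostapd's key=value
format; both configurations below are constructed samples.
"""

# Constructed: the kind of store network the article describes (WEP, SSID
# broadcast, any client accepted).
WEAK_AP_CONF = """\
interface=wlan0
ssid=STORE-POS
hw_mode=g
channel=6
auth_algs=1
wep_default_key=0
wep_key0=0123456789
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed: the same network after applying the article's recommendations.
HARDENED_AP_CONF = """\
interface=wlan0
ssid=STORE-POS
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Correct-Horse-Battery-Staple-2008!
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/pos-terminals.accept
"""


def parse_hostapd_conf(text: str) -> dict:
    """Turn hostapd.conf text into a dict, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_is_strong(passphrase: str) -> bool:
    """Assumed policy: at least 16 characters drawn from three character classes."""
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    return len(passphrase) >= 16 and classes >= 3


def review_wireless(conf: dict) -> list:
    """Return the checklist findings for one access point (empty = passes)."""
    findings = []
    # hostapd 'wpa' is a bit field: bit 0 = WPA, bit 1 = WPA2 (RSN).
    wpa = int(conf.get("wpa", "0"))
    uses_wep = any(k.startswith("wep_key") for k in conf)
    if uses_wep:
        findings.append("WEP keys configured; WEP can be broken in minutes "
                        "and does not meet PCI standards")
    elif wpa == 0:
        findings.append("no WPA/WPA2 configured; the network is open")
    elif not wpa & 2:
        findings.append("WPA only; prefer WPA2 (wpa=2)")
    if wpa and not passphrase_is_strong(conf.get("wpa_passphrase", "")):
        findings.append("weak or missing WPA passphrase")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    # macaddr_acl=1 means deny unless the client is in the accept list.
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("no MAC address allow-list")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP_CONF), ("hardened", HARDENED_AP_CONF)):
        print(name, review_wireless(parse_hostapd_conf(text)) or ["no findings"])
```

The review maps one finding to each "Higher Exposure" answer in the wireless rows of Exhibit 2; MAC filtering is reported as a finding because the article recommends it "where practical", so an auditor would weigh that item rather than treat it as an automatic failure.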
Second, evaluate the company's data storage practices and security for stored customer data. Ascertain that the company complies with PCI security standards and is not retaining excess data scanned from customer credit and debit cards. Under no circumstances should a merchant retain a customer's debit card PIN. Also, make sure that customer data stored by the retailer are encrypted using a strong key.
Finally, review the company's data-retention policies and practices. Make sure the merchant does not retain customer data any longer than permitted by the card issuers. Even better, do not retain data any longer than necessary to document the underlying transaction. Ensure that policies are in place to notify customers of possible security breaches and that a process is in place to implement the policies if a breach occurs.
Ultimately, the security of a company's information system relies upon the competency and honesty of its employees. Therefore, it is important to conduct background checks on employees and to train them about the possibility of security breaches and how to avoid them.
Gary G. Berg, PhD, CPA, is an associate professor of accountancy at East Tennessee State University, Johnson City, Tenn. Michelle S. Freeman, EdD, CPA (inactive), is an assistant professor of business administration at Tusculum College, Greeneville, Tenn. Kent N. Schneider, JD, CPA, is a professor of accountancy, also at East Tennessee State University, Johnson City, Tenn.
