The Home Depot data breach compromised over 56 million payment cards after malware was installed on over 7,500 POS terminals. Similar to the Target breach, stolen third-party credentials were used to access Home Depot's network and install RAM scraping malware on POS systems. Home Depot could have prevented the breach by implementing point-to-point encryption, properly configuring antivirus software, upgrading outdated operating systems, and segregating the payment network.
Home Depot Data Breach Case Study
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site.
Reposting is not permitted without express written permission.
Case Study: The Home Depot Data Breach
Copyright SANS Institute
Author Retains Full Rights
Case Study: The Home Depot Data Breach | 1
Brett
Hawkins,
[email protected]
Case Study: The Home Depot Data Breach
GIAC (GSEC) Gold Certification
Author: Brett Hawkins, [email protected]
Advisor: Christopher Walker
Accepted: January 2015
Abstract
The theft of payment card information has become a common
issue in today’s society. Even after
the lessons learned from the Target data breach, Home Depot’s
Point of Sale systems were
compromised by similar exploitation methods. The use of stolen
third-party vendor credentials
and RAM scraping malware were instrumental in the success of
both data breaches. Home Depot
has taken multiple steps to recover from its data breach, one of
them being to enable the use of
EMV Chip-and-PIN payment cards. Is the use of EMV payment
cards necessary? If P2P (Point-to-Point)
encryption is used, the only method available to steal
payment card data is the
installation of a payment card skimmer. RAM scraping malware
grabbed the payment card data
in the Home Depot breach, not payment card skimmers.
However, the malware would have
never been installed on the systems if the attackers did not
possess third-party vendor credentials
and if the payment network was segregated properly from the
rest of the Home Depot network.
The implementation of P2P encryption and proper network
segregation would have prevented
the Home Depot data breach.
1. Introduction
On September 8th, 2014, Home Depot released a statement
indicating that its
payment card systems were breached. They explained that the
investigation started on
September 2nd and they were still trying to discover the actual
scope and impact of the
breach. Home Depot explained that they would be offering free
credit services to affected
customers who used their payment card as early as April of
2014 and apologized for the
data breach. They also indicated that their Incident Response
Team was following its
Incident Response plan to contain and eradicate the damage and
was working with
security firms for the investigation ("The Home Depot, Inc. -
News Release," 2014). This
is one of many retail breaches that have occurred and will
continue to occur, until
retailers become proactive in safeguarding their environments.
1.1 Making money with stolen credit cards
Payment card information is sold by cyber-criminals frequently.
In more recent retail
breaches, they have been able to steal payment card information
from millions of
customers and sell it online in what is known as the “Darknet.”
Once the cyber-criminal
has stolen the payment card information, there is a process that
takes place in order to put
the information on sale on the Darknet and for the cyber-criminals
to make money.
The first step in the process is selling the payment card
information to brokers. The
brokers buy the payment card information in bulk and sell the
information to “carders” on
carder websites (Westin, 2013).
The definition from “How ‘carders’ trade your stolen personal
info” says, “Carders
are the people who buy, sell, and trade online the credit card
data stolen from phishing
sites or from large data breaches at retail stores” (Vamosi,
2008). An example of a carder
website is Rescator shown in Figure 1 below (Lawrence, 2014).
As you can see, the site
has full search capabilities based on the type of card you are
searching for.
Figure 1 (Lawrence, 2014)
Once the carder has bought a payment card on the carder
website, they will buy a
pre-paid credit card using that stolen payment card information.
The pre-paid credit card
is used to buy gift cards at stores like Amazon or Best Buy. The
gift cards are then used
to buy items at those stores, typically electronics, which are
then resold on sites like
eBay, Craigslist, or similar sites.
After the cyber-criminal purchases the items to be resold, they
need the items
shipped to a location that cannot be traced back to them. The
items are shipped to a “re-
shipper.” These re-shippers receive the items to be sold and ship
them to the person who
bought the items posted by the cyber-criminal. This process is
difficult to track. By the
time a breach is detected and the stolen payment card has been
blocked, the cyber-
criminal has already bought the items to be resold with the gift
card (Westin, 2013). This
is a well-known process and is used frequently because it has
been proven to make a
profit for cyber-criminals.
1.2 Hasn’t this happened before?
Ever since the Target data breach was disclosed by Brian Krebs
on December 18,
2013, occurrences of similar retail data breaches have been on
the rise. Until the Home
Depot data breach, the Target breach was the largest retail
breach in U.S. history
(Bloomberg, 2014). In the Target data breach, 40 million
payment cards were stolen
(Krebs, 2014). The Home Depot data breach topped that by
having 56 million payment
cards stolen (Krebs, 2014). Some of the most notable retail data
breaches that occurred
after the Target breach are shown in Figure 2 below.
Figure 2 – Timeline of large retail data breaches after the Target
breach
These companies should have used the Target data breach as a
learning opportunity
and applied the knowledge to their own payment card systems.
The impact these data
breaches had on each of the companies was significant. After
the Target data breach, Target
posted profits that quarter which were 46 percent below
expected profits (Gertz, 2014).
That is a large impact. I remember the day of the Target breach,
looking at the Target
stock price take a significant hit. I saw the same thing when the
Home Depot breach
happened. Large retail breaches like the ones shown above in
Figure 2 have a large
impact and they will only continue to happen, unless the proper
countermeasures are in
place.
[Figure 2 timeline entries recoverable from the page: January 2014 - Neiman Marcus, Michael's; March 2014 - Sally Beauty Supply; October 2014 - retailer name not preserved]
1.3 Better ways to take card payments, because that’s what
customers want
The standard payment card in the U.S. has always used the
magnetic stripe. These
magnetic stripes are also called “magstripes”. On that magstripe
there are three tracks that
contain different data, although track 3 is hardly ever used.
Some of the data included on
the magstripe is the name of the credit card owner, credit card type
(Visa, MasterCard, etc.),
expiration date, and credit card number. The problem with these
magstripes is they are
extremely easy for the criminals to read data from. The
traditional magstripe credit card
has been under a lot of scrutiny since the large-scale retail data
breaches have started to
occur more often. There are alternative methods of accepting
payment cards. There is
even a method of accepting traditional magstripe cards that will
protect card data from
being exposed.
1.3.1 Chip-and-PIN Cards
A new type of credit card, called a chip-and-PIN card, is starting
to become more familiar in the United States.
Chip-and-PIN cards contain an embedded security chip
and a traditional magstripe. This embedded security chip
ensures that the card cannot be
duplicated, as it masks the payment data uniquely for each
transaction (CreditCardForum,
2014). The problem with this alternative is that the cards cost
significantly more to make than
traditional payment cards and most merchants do not have
systems that are capable of
accepting the new chip-and-PIN cards. However, as of October
2015, if a merchant has not
changed its systems to support chip-and-PIN cards, the
liability for a data breach
falls on the merchant, rather than the banks (Picchi, 2014).
1.3.2 Mobile Payments
Another alternative to taking payment cards is the use of
mobile payment
methods, like Apple Pay and Google Wallet. With each of these
you have a “virtual
wallet” in your smart device. This smart device could be a
phone, tablet, or even a
watch. Neither of these mobile payment systems ever
passes your credit card
number to the merchant. The problem is Apple Pay and Google
Wallet are only accepted
at a handful of places. Until more merchants adopt mobile
payments, this method of
payment will not gain any traction (Lee, 2014).
1.3.3 Point-to-Point Encryption
There is a way you can take traditional magstripe credit cards,
while still protecting
card data. This method is called point-to-point (P2P)
encryption. P2P encryption
encrypts card data at the point of swipe, all the way to the bank
for approval/denial of
the transaction. With P2P encryption, payment card data is
never exposed and is
encrypted before it reaches memory. The only risk that still
remains with P2P encryption
is if someone were to install a credit card skimmer on the actual
pin-pad. However,
proper security awareness training for staff and having proper
controls in place will
prevent skimmers from being installed. These
alternative methods were created in response to
the most common method used in the large-scale
retail breaches.
1.4 The latest way to steal credit cards
There are several methods of stealing credit cards, from
hacking an online database
of a website that stores credit card information to physically
stealing somebody’s credit
card out of their purse. No matter which method is used, the
goal is always the same:
steal payment card information for personal gain. A known
method of stealing payment
card information came to light in the discovery of the Target data
breach, although this method
did not get much attention before Target. This method continued
to be discovered in
thousands of other breaches, both large and small. The method
used “memory scraping
malware”.
1.4.1 Memory Scraping Malware
Memory scraping malware has been the key component in
stealing payment card
information in the large retail data breaches of 2014. This
malware is able to read the
contents of RAM on a POS terminal when the payment card data
is present in clear text.
The malware uses regular expressions to grab the payment card
information. Once that
data is captured, it is sent to servers owned by the attacker, or
the attacker’s associates
(Huq, 2013). This malware has been effective, as
the recent retail data
breaches have shown. It continues to be effective on POS systems
that are not properly
locked down.
2. The Home Depot Data Breach
Home Depot was one of the many victims of a retail data breach
in 2014. The
unfortunate thing is that the way the attackers infiltrated the POS
networks and the way the
attackers were able to steal the payment card data were the
same methods used in the
Target data breach. The attackers were able to gain access to
one of Home Depot’s
vendor environments by using a third-party vendor’s logon
credentials. Then they
exploited a zero-day vulnerability in Windows, which allowed
them to pivot from the
vendor-specific environment to the Home Depot corporate
environment.
Once they were in the Home Depot network, they were able
to install memory scraping
malware on over 7,500 self-checkout POS terminals (Smith,
2014). This malware was
able to grab 56 million credit and debit cards. The malware was
also able to capture 53
million email addresses (Winter, 2014). The stolen payment
cards were put up for
sale and bought by carders. The stolen email addresses were
helpful in putting together
large phishing campaigns.
2.1 Prevention & Detection
There were several countermeasures Home Depot could have
had in place to prevent
the breach from happening and to have been able to detect the
breach sooner, minimizing
the impact. Home Depot didn’t have secure configuration of the
software or hardware on
the POS terminals. There was no proof of regularly scheduled
vulnerability scanning of
the POS environment. They didn’t have proper network
segregation between the Home
Depot corporate network and the POS network. The last two
controls that were lacking
were proper monitoring capabilities and the management of
third-party vendor identities
and access.
2.1.1 What would have worked?
The secure configuration of software and hardware is vital to
securing any
environment, especially an environment dealing with sensitive
data. Home Depot did
have Symantec Endpoint Protection installed in their
environment. Symantec Endpoint
Protection (SEP) is an antivirus solution. The problem is that
they did not have an
important feature turned on in the product called “Network
Threat Protection” (Elgin,
Riley, & Lawrence, 2014). This module acts as a host intrusion
prevention system
(HIPS). Having configured POS devices with this feature
activated at my own
organization, I can attest to the success of this feature when
doing vulnerability
assessments on these systems.
Another secure configuration missing was the use of Point-to-
Point (P2P)
encryption. This allows payment card data to be encrypted at
the point of swipe and
allows the data to be encrypted in memory. To be able to use
this technology, it requires
hardware that is capable of using the technology. In Home
Depot’s case, an upgrade to
the operating system of the POS devices was also needed.
Home Depot had another software configuration that was not
secure on the POS
devices, the operating system. An operating system is the most
important software on a
device. The operating system running on the POS devices was
Windows XP Embedded
SP3 (Mick, 2014). Windows XP machines are highly vulnerable
to attacks, so the fact
that Home Depot’s POS registers were still running this
operating system meant they were just asking
to get compromised. They should have upgraded to a more
current Windows operating
system for their POS devices. Some examples of more current
Windows POS operating
systems are Windows Embedded POSReady 2009, Windows
Embedded POSReady 7,
and Windows Embedded 8 Industry (Wikipedia, 2014, p. xx). I
have successfully
upgraded POS devices in my own organization to more current
embedded operating
systems. The newer operating systems are compatible with P2P
encryption, antivirus, and
many other applications that are vital to locking down your POS
systems.
In all of the sources I have looked at regarding the Home Depot
breach, none have
mentioned Home Depot having a vulnerability management
program in place. If Home
Depot had a vulnerability management program performing
monthly vulnerability scans
of the POS environment, they could have used the results of
those scans to show
leadership the significance of the gaps in that environment and
possibly started to
mitigate the risk of that environment before the breach
occurred.
Network segregation is another big gap in this breach. I will
touch on this in more
detail later, but Home Depot should have had the POS
environment in its own restricted
virtual local area network (VLAN) and restricted access
between the POS
environment and the Home Depot corporate environment.
Another question arises from this breach. How did the attackers
steal third party
vendor credentials from Home Depot? Home Depot was not
properly managing its third
party vendor credentials and should have allowed minimal
access to that vendor account.
I will touch on this in more detail later.
Prevention is ideal, but detection is a must. Even if Home Depot
couldn’t have
prevented the attack, they still should have had monitoring
capabilities, so that it did not
take 5 months to detect an intrusion (Elgin, Riley, & Lawrence,
2014). Having the
capability to forward any network or host activity in the POS
environment to a SIEM
would have been beneficial to Home Depot and could have
allowed them to detect the
breach sooner, minimizing the impact.
2.1.2 What is working?
Because I have actual experience locking down POS
environments during my
professional career and have been successful in securing those
environments, I can tell
you first-hand what is working. A defense-in-depth approach
needs to be implemented.
First, upgrading your POS devices to a current, supported
operating system is a
must. If you are not running a current, supported operating
system, all other system
hardening you do is a waste. Second, ensure you have up-to-date
antivirus software with
HIPS capability. If an attacker penetrates your POS network,
this will add another layer
of defense in preventing the compromise of your POS devices.
Third, you need to have
automatic updates activated on the POS devices. It is vital that
you follow patch
management best practices and keep the POS devices on the
most current patches. This is
required for PCI compliance. Fourth, you need to enable P2P
encryption on the POS
devices. This requires a pin-pad that supports this technology.
The fifth thing that you will need to implement is the disabling
of all unnecessary
ports and services on the POS devices. There is no reason the
POS devices need to have
services such as NetBIOS running. Another important system
hardening configuration is
to disable the use of USB ports on the POS devices. You can do
this physically by
installing USB port blockers, or through software that blocks
the use of USB ports. In
most cases, you will need to leave just 1 USB port active for the
connectivity from the
POS register to the pin-pad device. If somebody were able to
circumvent your physical or
software-based USB protection, you need a way to notify your
security team of such an
act. Software can be installed on your POS registers that alerts
you if a USB device has
been inserted into the POS register. You also need to make sure
that proper password and
account policies are set on the POS devices. Now that all the
host-based protections are in
place, let’s talk about the networking-based countermeasures
that need to be implemented.
First, you need to segregate the POS network from your
corporate network. You can
do this by making the POS network its own private VLAN.
Second, once you have
segregated the POS network, you need to apply rules on the
networking device
responsible for the VLAN, so that you can restrict access
between your corporate
network and POS network. Third, you need to have all outbound
Internet access coming
from your POS network restricted at your corporate firewall.
Firewall rules should be in
place to only allow connections for the vital functions, such as
credit card processing and
Windows Updates. Having all of these preventive
countermeasures in place is great, but
you also need to be able to detect potentially malicious activity.
You should have a SIEM in place that is able to retrieve
Windows event logs,
Domain Controller logs, anti-virus logs, DNS logs, firewall
logs, and other networking
device logs. This will give visibility into the real-time activity
in your POS environment
and will allow you to create alarms within your SIEM to alert
your security team of any
malicious activity.
2.1.3 What will work in the future?
I would like to think that the current methods of prevention and
detection of POS
environments will work in the future. The reality is that the bad
guys find new ways to
exploit vulnerabilities every day and technology advances at a
significant rate. Credit
cards may not even exist in the future. There might be a
significant vulnerability found in
the chip-and-PIN cards down the road, which causes us to
question how to take
payments, just as the traditional magstripe card is causing
questioning now.
I think we are getting a glimpse into the future with Apple Pay
and Google Wallet.
The magnifying glass will shift from credit card security to
mobile device security. The
idea of a virtual wallet seems like it could be 5-10 years from
having a significant
adoption rate. How will mobile device manufacturers and
mobile payment software
companies react to the bad guys finding vulnerabilities in their
systems? Will they be able
to quickly release patches that fix security vulnerabilities
related to the virtual wallet? I
think it is a large change that will heavily impact the retail
landscape and will happen
sooner than people think.
2.2 Preventing Home Depot, Target, and Other Retail Breaches
I previously stated many countermeasures that Home Depot
should have had in
place, but wanted to go into detail on 3 that I thought were the
most important and could
have been applied to all retailers that experienced a breach in
the past year. The 3 main
preventive measures that should have been in place were P2P
encryption, proper network
segregation, and managing third party vendor credentials
appropriately.
2.2.1 Point to Point Encryption
The protection of credit card data is continuing to get more
attention, since these
large retail breaches have been occurring. Even after the
attackers infiltrated the POS
environments and installed the memory scraping malware on the
POS registers, 1
countermeasure could have been in place to prevent the
attackers from stealing credit
cards. That countermeasure is P2P encryption.
P2P encryption provides encryption at the point of swipe when
using your credit or
debit card. In the use case of debit cards, it even encrypts your
4-digit PIN code you
enter. All of this is done before the data reaches memory, which
prevents data from being
captured in memory. The device that is used for swiping the
credit card is injected with a
derived unique key per transaction. This is only used for the
payment card encryption and
is not the same key used for the PIN encryption when using a
debit card. Once you swipe
your card, the payment card data is encrypted inside a tamper-
resistant security module
with the payment card industry standard 3DES algorithm, using
the derived unique key
for the transaction (TSYS, 2014). That encrypted data is then
sent securely to an off-site
hardware security module owned by the POS solution provider,
where the payment card
data is decrypted (Knopp, 2013). The decrypted card data is
then encrypted again using
the bank’s encryption key(s) and sent to the bank where the data
is decrypted again. The
bank then sends the approval/denial back for the payment card.
Figure 3 below shows
the process.
Figure 3 – P2P Encryption Data Flow
As you can see this is a robust solution. It could have prevented
the attackers from
stealing card data. Home Depot actually started to implement
encryption before the
breach occurred, as it was rolled out to a quarter of their stores.
The problem was that
the breach actually began before the encryption was fully
implemented (Bluefin
News & Blog, 2014). This is 1 of the 3 main countermeasures
that should have been in
place to prevent the retail breaches.
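
The claim made in 1.4.1 and in this section can be checked from the defender's side: if P2P encryption is working, a capture of POS application memory or logs should contain no cleartext track data. The following is an added example, not code from the paper; it searches a byte buffer for ISO/IEC 7813 Track 1 and Track 2 layouts, confirms candidates with a Luhn check, and reports only masked card numbers. Both sample buffers are constructed and use the 4111111111111111 test number.

```python
import re

# ISO/IEC 7813 layouts:
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^\^\x00]{2,26}\^\d{4}\d{3}[^?\x00]{0,60}\?")
TRACK2 = re.compile(rb";(\d{12,19})=\d{4}\d{3}[^?\x00]{0,40}\?")


def luhn_ok(pan):
    """Luhn checksum: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_tracks(buf):
    """Return masked findings for every Luhn-valid track layout in buf."""
    findings = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append(
                    {"offset": m.start(), "kind": kind, "pan": mask_pan(pan)}
                )
    return sorted(findings, key=lambda f: f["offset"])


def no_cleartext_tracks(buf):
    """True when the capture shows no cleartext track data."""
    return not find_cleartext_tracks(buf)


# Constructed sample: register application buffer when the pin-pad hands over
# cleartext track data (no P2P encryption). The last record fails the Luhn check.
CLEARTEXT_DUMP = (
    b"\x00\x17POSAPP\x00swipe_buf="
    b"%B4111111111111111^DOE/JANE^25121010000000000000?"
    b"\x00\x00;4111111111111111=25121010000000000000?\x00"
    b"order_ref=;1234567890123456=9912101?\x00"
)

# Constructed sample: the same buffer when the pin-pad returns only ciphertext.
P2PE_DUMP = (
    b"\x00\x17POSAPP\x00swipe_buf="
    + bytes.fromhex("9f3a61c47b0e52d8a1f06c3394be7d15"
                    "82c9e04f6ab37715d0489ce2f15b6a3c")
    + b"\x00"
)

if __name__ == "__main__":
    for name, dump in (("cleartext", CLEARTEXT_DUMP), ("p2pe", P2PE_DUMP)):
        print(name, find_cleartext_tracks(dump))
```
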
2.2.2 Network Segregation
The protection of the perimeter is a vital component in
preventing the large retail
breaches that have occurred and is also critical when
implementing a defense-in-depth
approach. The POS network should be properly segregated from
the rest of the corporate
network. The use of private VLANs comes into play with this
type of countermeasure.
Using a networking switch, you can place the devices on the
POS network into their own
VLAN. Static IP addresses should be assigned to all POS
devices within the IP range you
specify. Once the devices are in their own VLAN, network
traffic between the corporate
environment and the POS environment should be restricted
using an Access Control List
(ACL) on the networking switch. This setup is shown below in
Figure 4.
Figure 4 – Network Segregation of Corporate and POS
Networks
The ACL should deny all traffic between the 2 environments,
except traffic needed
with necessary devices. An example of a necessary device could
be your corporate anti-
virus server, so that anti-virus definitions can be pushed to the
POS devices.
Logging should be enabled on the networking switch and
configured to forward
those logs to your SIEM, so you can see accepted and denied
connections between your
corporate network and POS network.
Network segregation also allows you to configure firewall rules
for that environment
more easily. You can set up special firewall rules for that VLAN, such
as denying all outbound
Internet access through the firewall, except for the necessary
connections. An example of
a necessary connection would be the hosts the POS devices need to
communicate with for credit
card processing. Segregation of the network is good, but the
need to restrict user access to
those trusted corporate hosts is also critical.
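
One way to use the switch and firewall logs described here and in 2.1.2, as an added example that is not part of the paper: each logged connection that crosses the POS boundary is compared against the intended policy, so that permitted flows the policy should have dropped (an ACL gap) and denied attempts both reach the security team. The log format, IP ranges, port 8014 and allowlists are constructed assumptions.

```python
import ipaddress
import re

# Assumed addressing and allowlists (constructed for this example).
POS_NET = ipaddress.ip_network("10.20.0.0/24")     # POS VLAN
CORP_NET = ipaddress.ip_network("10.10.0.0/16")    # corporate network
# Corporate hosts the switch ACL lets talk to the POS VLAN, and on which port.
CORP_PEERS = {ipaddress.ip_address("10.10.5.20"): {8014}}   # antivirus server
# Internet destinations the firewall lets the POS VLAN reach.
POS_EGRESS = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),   # card processor
    (ipaddress.ip_network("198.51.100.0/24"), 443),   # update service
]

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2014-09-02T03:14:07Z action=permit src=10.10.5.20 dst=10.20.0.15 dport=8014
2014-09-02T03:14:09Z action=permit src=10.20.0.15 dst=203.0.113.10 dport=443
2014-09-02T03:15:41Z action=deny src=10.10.44.7 dst=10.20.0.15 dport=445
2014-09-02T03:16:02Z action=permit src=10.10.44.7 dst=10.20.0.22 dport=3389
2014-09-02T03:20:30Z action=permit src=10.20.0.22 dst=192.0.2.77 dport=443
2014-09-02T03:21:00Z action=permit src=10.10.44.7 dst=10.10.5.20 dport=445
2014-09-02T03:22:18Z action=permit src=10.10.5.20 dst=10.20.0.15 dport=445
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a flow record with typed addresses."""
    fields = dict(FIELD.findall(line))
    return {
        "ts": line.split()[0],
        "action": fields["action"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def policy_allows(flow):
    """True/False for flows crossing the POS boundary, None if out of scope."""
    src_pos = flow["src"] in POS_NET
    dst_pos = flow["dst"] in POS_NET
    if src_pos == dst_pos:
        return None                     # intra-POS traffic or not POS-related
    other = flow["src"] if dst_pos else flow["dst"]
    if other in CORP_NET:
        # Default deny between the two networks, except the listed hosts/ports.
        return flow["dport"] in CORP_PEERS.get(other, set())
    if src_pos:
        # POS host reaching the Internet: only allowlisted destinations.
        return any(other in net and flow["dport"] == port
                   for net, port in POS_EGRESS)
    return False                        # Internet host reaching into the POS VLAN


def triage(log_text):
    """Return (finding, timestamp, src, dst, dport) for every policy violation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        if policy_allows(flow) is not False:
            continue
        # A permitted violation means the ACL or firewall rule set has a hole;
        # a denied one means the control held but something tried to cross.
        kind = "ACL_GAP" if flow["action"] == "permit" else "BLOCKED_ATTEMPT"
        findings.append((kind, flow["ts"], str(flow["src"]),
                         str(flow["dst"]), flow["dport"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
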
2.2.3 Managing Third Party Vendor Credentials
Poor management of third-party vendor credentials was a
common fault in the Home
Depot and Target data breaches. The attackers were able to gain
access to a vendor-
specific environment used by the retailers and were then able to
pivot to the corporate
networks. This demonstrates the importance of having sufficient
controls in place. The
principle of least privilege needs to be used. All third-party
vendors should be allowed the
minimal access needed to perform their tasks and should be
denied access to internal
resources, unless required.
An identity and access management solution should be used to
manage the identities
and access of all internal and external employees (third-party
vendors). Each external
employee should have their own account, so that there is
accountability for anything
performed on their behalf. Account review procedures should
also be in place,
specifically for third party vendor accounts. Auditing of these
third-party vendors is
critical. This will allow the detection of abnormal behavior.
Having all of these controls
in place for managing and monitoring the third party vendor
accounts, will detect any
misuse of third-party vendor credentials. This would have been
vital in detecting an
intrusion earlier in the Home Depot and Target breaches.
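
The account review and auditing steps above can be run as two checks, shown here as an added example that is not part of the paper: one over the identity inventory (one person per vendor account, reviews kept current) and one over authentication events (vendor logons outside the hosts the account was granted, and vendor accounts missing from the inventory). The account names, host names, the vnd- prefix and the 90-day review interval are constructed assumptions.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = 90     # assumed review cadence
VENDOR_PREFIX = "vnd-"        # assumed naming convention for vendor accounts

# Constructed identity inventory: who each vendor account belongs to, where it
# may log on, and when it was last reviewed.
ACCOUNTS = {
    "vnd-acme-jsmith": {
        "assigned_to": ["J. Smith"],
        "allowed_hosts": {"vendor-portal01"},
        "last_review": date(2014, 8, 1),
    },
    "vnd-coolair": {
        "assigned_to": ["A. Lee", "B. Cruz"],      # one login, two people
        "allowed_hosts": {"vendor-portal01"},
        "last_review": date(2013, 11, 15),
    },
}

# Constructed authentication events: (timestamp, account, host, result).
AUTH_EVENTS = [
    ("2014-09-02T02:11:40Z", "vnd-acme-jsmith", "vendor-portal01", "success"),
    ("2014-09-02T02:13:05Z", "vnd-acme-jsmith", "corp-fs03", "failure"),
    ("2014-09-02T02:13:09Z", "vnd-acme-jsmith", "corp-fs03", "success"),
    ("2014-09-02T02:40:12Z", "vnd-coolair", "vendor-portal01", "success"),
    ("2014-09-02T03:02:51Z", "vnd-temp01", "vendor-portal01", "success"),
    ("2014-09-02T03:05:00Z", "jdoe", "corp-fs03", "success"),   # employee
]


def review_inventory(accounts, today):
    """Flag accounts that break accountability or have missed their review."""
    findings = []
    for name in sorted(accounts):
        acct = accounts[name]
        # Each external employee should have their own account.
        if len(acct["assigned_to"]) != 1:
            findings.append(("SHARED_ACCOUNT", name, len(acct["assigned_to"])))
        age = (today - acct["last_review"]).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append(("REVIEW_OVERDUE", name, age))
    return findings


def review_logons(accounts, events):
    """Flag vendor logons that fall outside what the inventory grants."""
    findings = []
    for ts, user, host, result in events:
        if not user.startswith(VENDOR_PREFIX):
            continue                      # employee accounts are out of scope here
        acct = accounts.get(user)
        if acct is None:
            # Vendor-style account nobody is accountable for.
            findings.append(("UNMANAGED_ACCOUNT", ts, user, host, result))
        elif host not in acct["allowed_hosts"]:
            # Least privilege: failures matter too, they show the attempt.
            findings.append(("OUT_OF_SCOPE_HOST", ts, user, host, result))
    return findings


if __name__ == "__main__":
    for finding in review_inventory(ACCOUNTS, date(2014, 9, 2)):
        print(finding)
    for finding in review_logons(ACCOUNTS, AUTH_EVENTS):
        print(finding)
```
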
3. Conclusion
The key takeaway from this paper is that the Home Depot
breach could have been
prevented by taking a proactive approach. Learning how Target
was breached in
December of 2013 should have immediately prompted Home
Depot to assess their
environment and address the gaps that existed before becoming
compromised. Taking the
preventive measures that I have outlined could have prevented
the Home Depot breach
and will be able to prevent other retail data breaches in the
future. These types of retail
breaches are becoming more common. I hope that retailers will
learn lessons from
previous breaches to safeguard their environment and prevent it
from happening to them.
References
Bloomberg. (2014, May 14). Target's Data Breach: The Largest Retail Hack in U.S. History – Bloomberg. Retrieved from http://www.bloomberg.com/infographics/2014-05-14/target-data-breach.html
Bluefin News & Blog. (2014, September 15). Home Depot Had Started Payment Encryption Work Before EMV Implementation - Bluefin Payment Systems : Bluefin Payment Systems. Retrieved from https://www.bluefin.com/2014/09/15/home-depot-started-payment-encryption-work-emv-implementation/
CreditCardForum. (2014, December 2). 2014 Chip and PIN Credit Cards In The USA: Who Offers Them [Blog post]. Retrieved from http://creditcardforum.com/blog/chip-and-pin-credit-cards-usa/
Elgin, B., Riley, M., & Lawrence, D. (2014, September 18). Home Depot Hacked After Months of Security Warnings - Businessweek. Retrieved from http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open
Gertz, A. (2014, July 30). The Real Cost of a Retail Data Breach | The Art of Data Protection. Retrieved from http://data-protection.safenet-inc.com/2014/07/the-real-cost-of-a-retail-data-breach/#sthash.pw1r5hAM.dpbs
Huq, N. (2013, July 16). A look at Point of Sale RAM scraper malware and how it works | Naked Security. Retrieved from https://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/
Knopp, J. (2013). Point-to-Point Encryption: A Merchant’s Path to Cardholder Data Environment Scope Reduction | MasterCard | Security Matters. Retrieved from http://arm.mastercard.com/securitymatters/compliance/pci-dss/point-point-encryption-merchants-path-cardholder-data-environment-scope-reduction/
Krebs, B. (2014, May 14). The Target Breach, By the Numbers. Retrieved from krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
Krebs, B. (2014, September 14). Home Depot: 56M Cards Impacted, Malware Contained. Retrieved from krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/
Lawrence, D. (2014, September 4). The Amazon.com of Stolen Credit Cards Makes It All So Easy - Businessweek. Retrieved from http://www.businessweek.com/articles/2014-09-04/the-amazon-dot-com-of-stolen-credit-cards-makes-it-all-so-easy
Lee, N. (2014, October 29). Dabbling in the future of payment: A week of Apple Pay and Google Wallet. Retrieved from http://www.engadget.com/2014/10/29/week-apple-pay-google-wallet/
Mick, J. (2014, September 8). DailyTech - Appalling Negligence: Decade-Old Windows XPe Holes Led to Home Depot Hack. Retrieved from http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm
Picchi, A. (2014, September 5). Why new "chip-and-pin" cards won't protect you -- yet - CBS News. Retrieved from http://www.cbsnews.com/news/why-new-chip-and-pin-cards-wont-protect-you-yet/
Smith, M. (2014, November 10). Home Depot IT: Get hacked, blame Windows, switch execs to MacBooks | Network World. Retrieved from http://www.networkworld.com/article/2845620/microsoft-subnet/home-depot-it-get-hacked-blame-windows-switch-execs-to-macbooks.html
The Home Depot, Inc. - News Release. (2014, September 8). Retrieved from http://phx.corporate-ir.net/phoenix.zhtml?c=63646&p=irol-newsArticle&ID=1964976
TSYS. (2014). Point-to-Point Encryption (P2PE). Retrieved from http://www.tsys.com/acquiring/engage/white-papers/Point-to-Point-Encryption.cfm
Vamosi, R. (2008, September 29). How 'carders' trade your stolen personal info - CNET. Retrieved from http://www.cnet.com/news/how-carders-trade-your-stolen-personal-info/
Westin, K. (2013, December 21). Stolen Target Credit Cards and the Black Market: How the Digital Underground Works - The State of Security. Retrieved from http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
Wikipedia. (2014). Windows Embedded Industry. In Wikipedia, the free encyclopedia. Retrieved December 26, 2014, from http://en.wikipedia.org/wiki/Windows_Embedded_Industry
Winter, M. (2014, November 7). Home Depot hackers used vendor log-on to steal data, e-mails.
Appendix A
Data Breach Cost Calculator
Based on the results generated from the Symantec Data Breach Calculator (http://www.databreachcalculator.com), the average cost per data breach at Home Depot, according to its risk profile before it was breached, was $23,506,667. The average cost per compromised record was calculated at $196 as shown in the chart below.
Companies in the same industry with a similar risk profile to Home Depot have a 9.7% likelihood of experiencing a data breach in the next 12 months. One of the key factors affecting this calculation is the absence of a CISO at Home Depot. This increases the cost of a data breach significantly. You will see evidence of this in the chart below, which shows the cost per compromised record, if an organization similar to Home Depot were to be breached and did not have a CISO. If Home Depot had performed a risk-based cost-benefit analysis, it would have realized that the cost to implement the adequate controls highlighted in this case study would have been far less than the cost of a breach.
was concerned with a critique of the economic system, anti-globalism attacks what is perceived as a larger ideology of globalism that allegedly promotes free trade as well as cultural and racial mixing. From the view of the leftist anti-globalization movement, globalization was driven by the institutions that backed the Washington Consensus (such as the International Monetary Fund, the World Bank, and the US Treasury), global corporations that exploited the waning sovereignty of nation-states, and national governments that colluded with the forces of global capital, for instance by entering into international free trade agreements, such as the North American Free Trade Agreement. The targets of that earlier movement were therefore the profiteers and structures of economic globalization.
522 COLLEGE LITERATURE | 44.4 Fall 2017
This economic understanding of globalization opened up a space for alternative conceptions of globalization that could compete with the economic version. It is no coincidence, therefore, that it was also in the late 1990s and early 2000s that the academic field of American Studies turned to the transnational as an emerging paradigm. American Studies entered its transnational phase by engaging in profound soul-searching about the possibilities of altering the object of study seemingly prescribed by the field’s name (see, for instance, Janice Radway’s 1998 Presidential Address at the American Studies Association, titled “What’s in a Name?”). Although rather diverse manifestos appeared in quick succession, there emerged a consensus that sticking to the nation form was a sign of ideological backwardness, whereas transcending the nation held out the potential for progressive change. From the get-go, transnational American Studies aimed to transcend the nation on two different conceptual planes: first, on the level of methodology, where transnationalism in essence meant adopting a particular perspective; second, on the level of the object of study, where transnationalism referred to phenomena that went beyond the limits of the nation. This blending of method and object of study meant in effect that the transnational wasn’t something one could neutrally observe, describe, and chart. Rather, studying the transnational meant affirming the transnational. This is because the approval for the new method jumped over, as it were, to an approval of the phenomena studied. If, in other words, the transnational perspective of scholars was greeted as the successful overcoming of critical parochialism, then phenomena embodying the transnational were themselves to be commended. This valuation guided the choice of what was to be studied: Preferred objects included oppositional social movements that traversed national boundaries, aesthetic forms that traveled beyond the confines of the nation, and ideas that circulated in similarly unbounded ways (clearly, this list is not meant to be comprehensive). In short, transnational American Studies provided the opportunity to salvage a “globalization from below” (to use a phrase popular with the anti-globalization movement), and to favorably contrast it to both nationalism and economic globalization (or “globalization from above”).
One of the problems faced—but rarely addressed—by proponents of transnationalism emerged from this differentiation of economic and cultural globalization. Did the idea that these two forms of globalization are principally different really hold up? Didn’t both visions of globalization rely on some of the very same images: flows (of goods, people, ideas) as something natural, borders and boundaries as artificial? Wasn’t there, in fact, a deep affinity between the longing for cultural transnationalism and the ideology of economic globalization, despite the political differences that seemed to keep them both neatly separated? I have argued elsewhere that conceptually (though not politically) transnational American Studies is indeed indebted to economic globalization, and that it is nonetheless advisable to pursue the project of transnationalism, albeit in a self-reflexive manner (Voelz 2011). But rather than revisiting this debate at this point, suffice it to say that the question of transnationalism’s oppositional purity emerged from the somewhat tenuous conceptual framework shared by the anti-globalization movement and transnational Americanists: globalization, according to this framework, had an economic and a cultural aspect, which were to be seen as opposed to one another.
Johannes Voelz | CRITICAL FORUM 523
Quite some time has passed since the early 2000s. By now, academic transnationalism in American literary and cultural studies has been solidly institutionalized. Think only of the Journal of Transnational American Studies, the recent Cambridge Companion to Transnational American Literature, edited by Yogita Goyal (2017), or the founding of the “Obama Institute for Transnational American Studies” at the University of Mainz, Germany. Meanwhile, predictably, the hype that initially attended the “transnational turn” has faded rather quickly. The anti-globalization movement, on the other hand, has largely run out of steam, mostly because center-left parties across North America and Europe failed to support it; they embraced neoliberal reforms instead, a decision which has cost many of them a good share of their votes. (One could add that the movement only petered out after the demise of Occupy, or that, in fact, it has survived in places like Spain, where Podemos has managed to transform the protest against neoliberal globalization into party politics—but these are nuances that don’t change the big picture.) Along with the overall decline of anti-globalization came the rise of anti-globalism (itself a movement of transnational scope), and thus the seemingly miraculous transformation of a left-wing into a right-wing movement.
How in the world could that happen? In moving the critique of globalization across the political spectrum, anti-globalists have rejected the foundational premise of anti-globalization and academic transnationalism: they refuse to differentiate between two different kinds of globalization, be they “from below and from above,” “cultural and economic,” or simply “good and bad.” As London-based blogger Jacob Stringer has aptly summarized it on opendemocracy.net: “[Anti-]Globalisation refers to certain processes in the interests of corporate trade. [Anti-]Globalism refers to a global outlook, borders too open, a feared mingling of cultures, implied dangerous liaisons with aliens” (March 26, 2017). Anti-globalists, in other words, have tied the critique of economic globalization to xenophobia, racism, and a disdain for global elites, and have thus conceptualized economic and cultural globalization as hanging together.
Anti-globalists’ longing for cultural isolationism, it must be admitted, has rendered the economic dimension of anti-globalism strikingly toothless. It is as if they offered cultural anti-globalism as a solution to the problems caused by global capitalism: their implied economic platform seems to be limited to the call for protectionism (the economic dimension of “America First!”) and the hope for more high-paying manufacturing jobs. In Strangers in Their Own Land, sociologist Arlie Russell Hochschild (2016) has recently shown just how deeply the Tea Party members and Trump supporters she interviewed in Louisiana are invested in the free market, and how much they detest the welfare state. Their critique of economic globalization spares multinational corporations (even if these corporations, like the petrochemical companies in Louisiana, ruin the environment and cause a virtual cancer epidemic) because they are seen as the older siblings of small businesses run by local entrepreneurs. Though the anti-globalists’ mix of economic and cultural anti-globalism may be rife with logical faults and moral deficiencies, their triumph should not be simply dismissed as racist and xenophobic (though it is that, too). Instead, their rise should prompt scholars of transnationalism to reflect on the involvement of the idea of the transnational in the political struggle that divides the United States and, increasingly, other countries in which right-wing populism has taken hold. In this context, it becomes newly significant that transnational Americanists have tended to politically identify with the transnational formations they study and that they have thus, as described earlier, conflated method and object of study. As a result of this conflation, academic transnationalism has come to embody the idea of globalism targeted by the anti-globalist agenda. Economically, transnationalism encapsulates the privileged status of a global elite (here, transnationalism refers to the scholars) and culturally, it raises fears of migration, hybridity, and the demise of white hegemony (here, transnationalism refers to the phenomena studied). Seen in this light, the idea of globalism embodied by transnational American Studies becomes a tailor-made point of attack for what John Judis, in The Populist Explosion (2016), has described as the triangular scapegoating of right-wing populism. Right-wing populism is triangular in that it claims to defend “the people” against two perceived enemies: the elites (situated above) and undeserving “others” (situated below).
The challenge of anti-globalism, then, is not only that it rejects transnationalism’s starting premise of the two kinds of globalization, but, more crucially, that it brings to light the degree to which transnationalism is itself involved in the divisive struggle currently rocking the United States. This challenge, I think, can be seen as a welcome opportunity to generate a new kind of knowledge from within transnational American Studies. It calls for an approach that is more self-reflexive than the identificatory stance taken by many scholars of transnationalism so far. Rather than starting from the presumption that studying transnational formations means helping to fight the good fight, transnational American Studies could begin to chart how the transnational itself has become a currency, or capital, in the struggle for symbolic advantages in a starkly divided society.
This isn’t to devalue the study of transnational formations, but rather to come to realize that embracing and valuing the transnational is a maneuver that helps secure symbolically advantageous positions. This is the case both in the academic field of American Studies, which has long been organized around a moral economy of political engagement, and in the larger public sphere of the United States. The idea (taken from Bourdieu) is not that we consciously try to amass as much symbolic capital as possible—as if we were rational-choice actors in the field of symbolic capital—but instead that trying to carve out for ourselves a recognized position in the field of transnational American Studies is what it means to “have an investment in the game” (Bourdieu and Wacquant 1992, 98). The same goes for the other side of the divide: the embrace of anti-globalism speaks to the specific value of the ideas and principles captured by the term transnationalism in the broader political discourse of the United States. Here, too, the currency of the idea of transnationalism has a particular valuation. The fact that we may think of this value as “negative” when used by anti-globalists begins to suggest that taking stock of transnationalism as a currency helps us capture its political existence. I am suggesting, in other words, to incorporate a self-reflexive and relational sociology of the transnational into the program of transnational American literary and cultural studies.
One of the welcome ramifications of such an extension of Americanist transnationalism, it seems to me, would be to overcome the harmful dualism of nation and trans-nation. Ultimately, this dualism suggests that by turning to the transnational, we will have to learn to stop worrying about the nation-state. But Trump’s rise to power should make it apparent that American Studies needs to be able to provide explanations of what goes on inside the United States. The truly surprising suggestion to be taken away from the rise of anti-globalism is this: a self-reflexively and relationally revamped transnational American Studies may provide a necessary tool for coming to terms with the nationalist resurgence.
WORKS CITED
Bourdieu, Pierre, and Loïc Wacquant. 1992. An Invitation to Reflexive Sociology. Chicago: University of Chicago Press.
Goyal, Yogita, ed. 2017. The Cambridge Companion to Transnational American Literature. New York: Cambridge University Press.
Hochschild, Arlie Russell. 2016. Strangers in their Own Land: Anger and Mourning on the American Right. New York: The New Press.
Judis, John. 2016. The Populist Explosion: How the Great Recession Transformed American and European Politics. New York: Columbia Global Reports. Ebook.
Radway, Janice. 1999. “What’s in a Name? Presidential Address to the American Studies Association, 20 November, 1998.” American Quarterly 51.1: 1–32.
Stringer, Jacob. “Why did anti-globalisation fail and anti-globalism succeed?” Open Democracy. March 26, 2017. Opendemocracy.net. Last visited: May 28, 2017.
Voelz, Johannes. 2011. “Utopias of Transnationalism and the Neoliberal State.” In Re-Framing the Transnational Turn in American Studies, edited by Winfried Fluck, Donald E. Pease, and John Carlos Rowe. Hanover, NH: University Press of New England.
JOHANNES VOELZ is Heisenberg-Professor of American Studies, Democracy, and Aesthetics at Goethe-University Frankfurt, Germany. He is the author of Transcendental Resistance: The New Americanists and Emerson’s Challenge (UP New England, 2010) and The Poetics of Insecurity: American Fiction and the Uses of Threat (Cambridge UP, forthcoming 2017).
3
SHORTENED TITLE
Week 1 Assignment Two
Importance of Becoming a Global Citizen
Student’s Name
GEN499 General Education Capstone
Professor’s Name
Running head: SHORTENED TITLE 1
Date
Note: This assignment should be written in the correct format
per APA guidelines. Please click on the Writing Center tab at
the left-hand toolbar of the course. You will then click on the
“Writing a Paper” tab, which goes over the basics of writing an
essay. For information on how to write in-text citations in APA
format, click on the “Citing Within Your Paper” link under the
Writing Center & Library tab. This paper needs to consist of
750 – 1,000 words (excluding the title and reference page).
Start your paper with the title of this assignment:
Importance of Becoming a Global Citizen
The introduction paragraph of this paper should inform the
reader of the topic you are writing about while providing
background information and the purpose or importance of
addressing this topic of global citizenship. You should prepare
the reader by stating the concepts you are about to address
further in your paper. Typically a good introduction paragraph
is made up of 5 – 7 sentences.
Short Title of First Prompt (i.e. Distinction between
“Globalism” and “Globalization”)
After viewing the required video “Globalization at a
Crossroads”, you need to write a paragraph of 5 – 7 sentences
addressing the distinction between “globalism” and
“globalization.” It’s important to cite the video per APA
guidelines within this paragraph.
Short Title of Second Prompt
Write a paragraph (about 5 sentences) describing how being a
global citizen in the world of advanced technology can be
beneficial to your success in meeting your personal, academic,
and professional goals.
Short Title of Third Prompt
After reading the article by Reysen and Katzarska-Miller,
you need to write a paragraph of 5 – 7 sentences explaining why
there has been a disagreement between theorists about the
definition of global citizenship. Within the article, the authors
address how specific schools of thought define global
citizenship. It would be a good idea to paraphrase this
information in your own words and cite the article per APA
guidelines. Also, within this paragraph, you should provide your
own definition of global citizenship after reading what other
ideas are from the article.
Short Title of Fourth Prompt
Note: Based on the article, you need to write two paragraphs: a
paragraph on each of the two outcomes of global citizenship you
chose (intergroup empathy, valuing diversity, social justice,
environmental sustainability, intergroup helping, and the level
of responsibility to act for the betterment of this world).
Name of First Outcome Addressed (i.e. Valuing Diversity)
Within this paragraph you need to explain why this outcome is
important in becoming a global citizen. It’s a good idea to first
define the outcome in your own words and then provide a
thorough explanation on why it’s important for your own
development as a global citizen.
Name of Second Outcome Addressed (i.e. Social Justice)
Same instructions as the first paragraph above.
Short Title for Fifth Prompt
First Personal Example on (Name First Outcome)
You need to write a short paragraph describing a personal
experience that corresponds to the first outcome you
addressed in the third prompt and has assisted or resulted in
your development as a global citizen.
Second Personal Example on (Name of Second Outcome)
You need to write a short paragraph describing a personal
experience that corresponds to the second outcome you
addressed in the third prompt and has assisted or resulted in
your development as a global citizen.
Short Title of Sixth Prompt
You need to write a 5 – 7 sentence paragraph that identifies two
specific education courses and explains how each of those
courses assisted or influenced your development in becoming a
global citizen.
Conclusion
In this paragraph, you need to summarize the main points of this
assignment and include a description of why this topic is
important to address when it comes to the development of
global citizenship. Typically a good conclusion paragraph
consists of 5 – 7 sentences. Keep in mind that you should not
share new information in the conclusion paragraph. This means
that there should not be any in-text citations. You are basically
summarizing what you have written.
References
Note: References are written below in the correct format per
APA guidelines. In addition to these two required resources,
you must locate another scholarly source from the Ashford
University Library that applies to this topic and can be used to
support your perspective.
Reysen, S., & Katzarska-Miller, I. (2013). A model of global
citizenship: Antecedents and outcomes. International Journal of
Psychology, 48(5), 858-870.
doi:10.1080/00207594.2012.701749
Stucke, K. (Writer). (2009). Globalization at a crossroads
[Series episode]. In M. Stucke & Claudin, C. (Executive
Producers), Global issues. Retrieved from
https://fod.infobase.com/OnDemandEmbed.aspx?token=39350&
wID=100753&plt=FOD&loid=0&w=640&h=480&fWidth=660&
fHeight=530
and RAM scraping malware were instrumental in the success of both data breaches. Home Depot has taken multiple steps to recover from its data breach, one of them being to enable the use of EMV Chip-and-PIN payment cards. Is the use of EMV payment cards necessary? If P2P (Point-to-Point) encryption is used, the only method available to steal payment card data is the installation of a payment card skimmer. RAM scraping malware grabbed the payment card data in the Home Depot breach, not payment card skimmers. However, the malware would have never been installed on the systems if the attackers did not possess third-party vendor credentials and if the payment network was segregated properly from the rest of the Home Depot network. The implementation of P2P encryption and proper network segregation would have prevented the Home Depot data breach.
1. Introduction
On September 8th, 2014, Home Depot released a statement indicating that its payment card systems were breached. They explained that the investigation started on September 2nd and they were still trying to discover the actual scope and impact of the breach. Home Depot explained that they would be offering free credit services to affected customers who used their payment card as early as April of 2014 and apologized for the data breach. They also indicated that their Incident Response Team was following its Incident Response plan to contain and eradicate the damage and was working with security firms for the investigation ("The Home Depot, Inc. - News Release," 2014). This is one of many retail breaches that have occurred and will continue to occur, until retailers become proactive in safeguarding their environments.
1.1 Making money with stolen credit cards
Payment card information is sold by cyber-criminals frequently. In more recent retail breaches, they have been able to steal payment card information from millions of customers and sell it online in what is known as the “Darknet.” Once the cyber-criminal has stolen the payment card information, there is a process that takes place in order to put the information on sale on the Darknet and for the cyber-criminals to make money.
The first step in the process is selling the payment card information to brokers. The brokers buy the payment card information in bulk and sell the information to “carders” on carder websites (Westin, 2013).
The definition from “How ‘carders’ trade your stolen personal info” says, “Carders are the people who buy, sell, and trade online the credit card data stolen from phishing sites or from large data breaches at retail stores” (Vamosi, 2008). An example of a carder website is Rescator shown in Figure 1 below (Lawrence, 2014). As you can see, the site has full search capabilities based on the type of card you are searching for.
Figure 1 (Lawrence, 2014)
Once the carder has bought a payment card on the carder website, they will buy a pre-paid credit card using that stolen payment card information. The pre-paid credit card is used to buy gift cards at stores like Amazon or Best Buy. The gift cards are then used to buy items at those stores, typically electronics, which are then resold on sites like EBay, Craigslist, or similar sites.
After the cyber-criminal purchases the items to be resold, they need the items shipped to a location that cannot be traced back to them. The items are shipped to a “re-shipper.” These re-shippers receive the items to be sold and ship them to the person who bought the items posted by the cyber-criminal. This process is difficult to track. By the time a breach is detected and the stolen payment card has been blocked, the cyber-criminal has already bought the items to be resold with the gift card (Westin, 2013). This is a well-known process and is used frequently because it has been proven to make a profit for cyber-criminals.
1.2 Hasn’t this happened before?
Ever since the Target data breach was disclosed by Brian Krebs on December 18, 2013, occurrences of similar retail data breaches have been on the rise. Until the Home Depot data breach, the Target breach was the largest retail breach in U.S. history (Bloomberg, 2014). In the Target data breach, 40 million payment cards were stolen (Krebs, 2014). The Home Depot data breach topped that by having 56 million payment cards stolen (Krebs, 2014). Some of the most notable retail data breaches that occurred after the Target breach are shown in Figure 2 below.
Figure 2 – Timeline of large retail data breaches after the Target
breach
These companies should have used the Target data breach as a learning opportunity and applied the knowledge to their own payment card systems. The impact these data breaches had on each of the companies was significant. After the Target data breach, Target posted profits that quarter which were 46 percent below expected profits (Gertz, 2014). That is a large impact. I remember the day of the Target breach, looking at the Target stock price take a significant hit. I saw the same thing when the Home Depot breach happened. Large retail breaches like the ones shown above in Figure 2 have a large impact and they will only continue to happen, unless the proper countermeasures are in place.
October 2014 - Dairy Queen, Staples, Kmart
September 2014 - Home Depot, Jimmy John's
August 2014 - SuperValu, The UPS Store
July 2014 -
75. 1.3 Better ways to take card payments, because that’s what
customers want
The standard payment card in the U.S. has always used the
magnetic stripe. These
magnetic stripes are also called “magstripes”. On that magstripe
there are three tracks that
contain different data, although track 3 is hardly ever used.
Some of the data included on
the magstripe is the name of the credit card owner, the credit card type
(Visa, MasterCard, etc.),
the expiration date, and the credit card number. The problem with these
magstripes is that they are
extremely easy for criminals to read data from. The
traditional magstripe credit card
has been under a lot of scrutiny since the large-scale retail data
breaches started to
occur more often. There are alternative methods of accepting
payment cards. There is
even a method of accepting traditional magstripe cards that will
protect card data from
being exposed.
1.3.1 Chip-and-PIN Cards
A new type of credit card, called a chip-and-PIN card, is starting to become more familiar in
the United States. The chip-and-PIN cards contain an
embedded security chip
and a traditional magstripe. This embedded security chip
ensures that the card cannot be
duplicated, as it masks the payment data uniquely for each
transaction (CreditCardForum,
2014). The problem with this alternative is that the cards cost
significantly more to make than
traditional payment cards and most merchants do not have
systems that are capable of
accepting the new chip-and-PIN cards. However, in October of
2015, if a merchant has not
changed its systems to support chip-and-PIN cards, the
liability for a data breach will
fall on the merchant, rather than the banks (Picchi, 2014).
1.3.2 Mobile Payments
Another alternative method of taking payments is to use
mobile payment
methods, like Apple Pay and Google Wallet. With each of these
you have a “virtual
wallet” in your smart device. This smart device could be a
phone, tablet, or even a
watch. Neither of these mobile payment systems ever
passes your credit card
number to the merchant. The problem is that Apple Pay and Google
Wallet are only accepted
at a handful of places. Until more merchants adopt mobile
payments, this method of
payment will not gain any traction (Lee, 2014).
1.3.3 Point-to-Point Encryption
There is a way you can take traditional magstripe credit cards,
while still protecting
card data. This method is called point-to-point (P2P)
encryption. P2P encryption
encrypts card data at the point of swipe, all the way to the bank
for approval/denial of
the transaction. With P2P encryption, payment card data is
never exposed and is
encrypted before it reaches memory. The only risk that still
remains with P2P encryption
is that someone could install a credit card skimmer on the actual
pin-pad. However,
proper security awareness training for staff and proper
controls will
prevent skimmers from being installed. These
alternative methods were created
in response to the most common method used in the large-scale
retail breaches.
1.4 The latest way to steal credit cards
There are several methods of stealing credit cards, from
hacking an online database
of a website that stores credit card information to physically
stealing somebody’s credit
card out of their purse. No matter which method is used, the
goal is always the same:
steal payment card information for personal gain. A known
method of stealing payment
card information surfaced with the discovery of the Target data
breach, although this method
did not get much attention before Target. This method continued
to be discovered in
thousands of other breaches, both large and small. The method
used “memory scraping
malware”.
1.4.1 Memory Scraping Malware
Memory scraping malware has been the key component in
stealing payment card
information in the large retail data breaches of 2014. This
malware is able to read the
contents of RAM on a POS terminal when the payment card data
is present in clear text.
The malware uses regular expressions to grab the payment card
information. Once that
data is captured, it is sent to servers owned by the attacker, or
the attacker’s associates
(Huq, 2013). This malware has been effective, as
the recent retail data
breaches have shown. It continues to be effective on POS systems
that are not properly
locked down.
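The defender's side of this technique is a cardholder-data discovery check: scan a buffer you own (a POS application log, crash dump or capture file) for cleartext track data, and confirm that nothing turns up once P2P encryption is in place. The sketch below is an added example, not code from the paper; the track layouts follow ISO/IEC 7813, and the sample buffers, the test card number and the function names are constructed for illustration.

```python
import re

# Track layouts (ISO/IEC 7813) as they appear in a raw buffer, plus a bare PAN.
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]{0,40}\?")
TRACK2 = re.compile(rb";(\d{13,19})=\d{7}[^?]{0,40}\?")
BARE_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample: what a POS buffer looks like without P2P encryption.
# 4111111111111111 is a widely used test card number, not a real account.
POS_BUFFER_CLEARTEXT = (
    b"\x00\x17txn=8841 amt=42.17\x00"
    b";4111111111111111=25121010000000000?\x00"
    b"order 1234567890123456\n"            # 16 digits, but fails the Luhn check
    b"auth ok card=4111111111111111\n"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?\x00"
)

# Constructed stand-in for the same buffer when the pin-pad encrypts at swipe:
# the POS only ever holds opaque ciphertext bytes.
POS_BUFFER_P2PE = (
    b"\x00\x17txn=8841 amt=42.17\x00"
    + bytes.fromhex("a7f3c29e11d04b8865fe03927acd51b0e4")
)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_card_data(buf: bytes):
    """Return sorted (offset, kind, masked_pan) for cleartext card data in buf."""
    findings, claimed = [], []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", BARE_PAN)):
        for m in rx.finditer(buf):
            # Skip digit runs that sit inside a track record already examined.
            if any(s <= m.start() < e for s, e in claimed):
                continue
            claimed.append(m.span())
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append((m.start(), kind, mask(pan)))
    return sorted(findings)


if __name__ == "__main__":
    for offset, kind, masked in find_cleartext_card_data(POS_BUFFER_CLEARTEXT):
        print(f"cleartext {kind} at offset {offset}: {masked}")
    print("P2PE buffer findings:", find_cleartext_card_data(POS_BUFFER_P2PE))
```

Any finding from a production POS host means card data is reaching the register in clear text and is exposed to this class of malware.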
2. The Home Depot Data Breach
Home Depot was one of the many victims of a retail data breach
in 2014. The
unfortunate thing is that the way the attackers infiltrated the POS
networks and the way the
attackers were able to steal the payment card data were the
same methods used in the
Target data breach. The attackers were able to gain access to
one of Home Depot’s
vendor environments by using a third-party vendor’s logon
credentials. Then they
exploited a zero-day vulnerability in Windows, which allowed
them to pivot from the
vendor-specific environment to the Home Depot corporate
environment.
Once they were in the Home Depot network, they were able to
install memory scraping
malware on over 7,500 self-checkout POS terminals (Smith,
2014). This malware was
able to grab 56 million credit and debit cards. The malware was
also able to capture 53
million email addresses (Winter, 2014). The stolen payment
cards were put up for
sale and bought by carders. The stolen email addresses were
helpful in putting together
large phishing campaigns.
2.1 Prevention & Detection
There were several countermeasures Home Depot could have
had in place to prevent
the breach from happening and to detect the
breach sooner, minimizing
the impact. Home Depot didn’t have secure configuration of the
software or hardware on
the POS terminals. There was no proof of regularly scheduled
vulnerability scanning of
the POS environment. They didn’t have proper network
segregation between the Home
Depot corporate network and the POS network. The last two
controls that were lacking
were proper monitoring capabilities and the management of
third-party vendor identities
and access.
2.1.1 What would have worked?
The secure configuration of software and hardware is vital to
securing any
environment, especially an environment dealing with sensitive
data. Home Depot did
have Symantec Endpoint Protection installed in their
environment. Symantec Endpoint
Protection (SEP) is an antivirus solution. The problem is that
they did not have an
important feature turned on in the product called “Network
Threat Protection” (Elgin,
Riley, & Lawrence, 2014). This module acts as a host intrusion
prevention system
(HIPS). Having configured POS devices with this feature
activated at my own
organization, I can attest to the success of this feature when
doing vulnerability
assessments on these systems.
Another secure configuration missing was the use of Point-to-
Point (P2P)
encryption. This allows payment card data to be encrypted at
the point of swipe and
allows the data to be encrypted in memory. Using
this technology requires
hardware that is capable of supporting it. In Home
Depot’s case, an upgrade to
the operating system of the POS devices was also needed.
Home Depot had another software configuration that was not
secure on the POS
devices: the operating system. An operating system is the most
important software on a
device. The operating system running on the POS devices was
Windows XP Embedded
SP3 (Mick, 2014). Windows XP machines are highly vulnerable
to attacks, so
having Home Depot’s POS registers still running this
operating system was just asking
to get compromised. They should have upgraded to a more
current Windows operating
system for their POS devices. Some examples of more current
Windows POS operating
systems are Windows Embedded POSReady 2009, Windows
Embedded POSReady 7,
and Windows Embedded 8 Industry (Wikipedia, 2014, p. xx). I
have successfully
upgraded POS devices in my own organization to more current
embedded operating
systems. The newer operating systems are compatible with P2P
encryption, antivirus, and
many other applications that are vital to locking down your POS
systems.
In all of the sources I have looked at regarding the Home Depot
breach, none have
mentioned Home Depot having a vulnerability management
program in place. If Home
Depot had a vulnerability management program performing
monthly vulnerability scans
of the POS environment, they could have used the results of
those scans to show
leadership the significance of the gaps in that environment and
possibly started to
mitigate the risk of that environment before the breach
occurred.
Network segregation is another big gap in this breach. I will
touch on this in more
detail later, but Home Depot should have had the POS
environment in its own restricted
virtual local area network (VLAN) and restricted access
between the POS
environment and the Home Depot corporate environment.
Another question arises from this breach. How did the attackers
steal third party
vendor credentials from Home Depot? Home Depot was not
properly managing its third
party vendor credentials and should have allowed minimal
access to that vendor account.
I will touch on this in more detail later.
Prevention is ideal, but detection is a must. Even if Home Depot
couldn’t have
prevented the attack, they still should have had monitoring
capabilities, so that it did not
take 5 months to detect an intrusion (Elgin, Riley, & Lawrence,
2014). Having the
capability to forward any network or host activity in the POS
environment to a SIEM
would have been beneficial to Home Depot and could have
allowed them to detect the
breach sooner, minimizing the impact.
2.1.2 What is working?
Because I have actual experience locking down POS
environments during my
professional career and have been successful in securing those
environments, I can tell
you first-hand what is working. A defense-in-depth approach
needs to be implemented.
First, upgrading your POS devices to a current, supported
operating system is a
must. If you are not running a current, supported operating
system, all other system
hardening you do is a waste. Second, ensure you have up-to-
date antivirus software with
HIPS capability. If an attacker penetrates your POS network,
this will add another layer
of defense in preventing the compromise of your POS devices.
Third, you need to have
automatic updates activated on the POS devices. It is vital that
you follow patch
management best practices and keep the POS devices on the
most current patches. This is
required for PCI compliance. Fourth, you need to enable P2P
encryption on the POS
devices. This requires a pin-pad that supports this technology.
The fifth thing that you will need to implement is the disabling
of all unnecessary
ports and services on the POS devices. There is no reason the
POS devices need to have
services such as NetBIOS running. Another important system
hardening configuration is
to disable the use of USB ports on the POS devices. You can do
this physically by
installing USB port blockers, or through software that blocks
the use of USB ports. In
most cases, you will need to leave just 1 USB port active for the
connectivity from the
POS register to the pin-pad device. If somebody were able to
circumvent your physical or
software-based USB protection, you need a way to notify your
security team of such an
act. Software can be installed on your POS registers that alerts
you if a USB device has
been inserted into the POS register. You also need to make sure
that proper password and
account policies are set on the POS devices. Now that all the
host-based protections are in
place, let’s talk about the networking-based countermeasures
that need to be implemented.
First, you need to segregate the POS network from your
corporate network. You can
do this by making the POS network its own private VLAN.
Second, once you have
segregated the POS network, you need to apply rules on the
networking device
responsible for the VLAN, so that you can restrict access
between your corporate
network and POS network. Third, you need to have all outbound
Internet access coming
from your POS network restricted at your corporate firewall.
Firewall rules should be in
place to only allow connections for the vital functions, such as
credit card processing and
Windows Updates. Having all of these preventive
countermeasures in place is great, but
you also need to be able to detect potentially malicious activity.
You should have a SIEM in place that is able to retrieve
Windows event logs,
Domain Controller logs, anti-virus logs, DNS logs, firewall
logs, and other networking
device logs. This will give visibility into the real-time activity
in your POS environment
and will allow you to create alarms within your SIEM to alert
your security team of any
malicious activity.
2.1.3 What will work in the future?
I would like to think that the current methods of prevention and
detection of POS
environments will work in the future. The reality is that the bad
guys find new ways to
exploit vulnerabilities every day and technology advances at a
significant rate. Credit
cards may not even exist in the future. There might be a
significant vulnerability found in
the chip-and-PIN cards down the road, which causes us to
question how to take
payments, just as the traditional magstripe card is causing
questioning now.
I think we are getting a glimpse into the future with Apple Pay
and Google Wallet.
The magnifying glass will shift from credit card security to
mobile device security. The
idea of a virtual wallet seems like it could be 5-10 years from
having a significant
adoption rate. How will mobile device manufacturers and
mobile payment software
companies react to the bad guys finding vulnerabilities in their
systems? Will they be able
to quickly release patches that fix security vulnerabilities
related to the virtual wallet? I
think it is a large change that will heavily impact the retail
landscape and will happen
sooner than people think.
2.2 Preventing Home Depot, Target, and Other Retail Breaches
I previously stated many countermeasures that Home Depot
should have had in
place, but wanted to go into detail on 3 that I thought were the
most important and could
have been applied to all retailers that experienced a breach in
the past year. The 3 main
preventive measures that should have been in place were P2P
encryption, proper network
segregation, and managing third party vendor credentials
appropriately.
2.2.1 Point to Point Encryption
The protection of credit card data is continuing to get more
attention, since these
large retail breaches have been occurring. Even after the
attackers infiltrated the POS
environments and installed the memory scraping malware on the
POS registers, 1
countermeasure could have been in place to prevent the
attackers from stealing credit
cards. That countermeasure is P2P encryption.
P2P encryption provides encryption at the point of swipe when
using your credit or
debit card. In the case of debit cards, it even encrypts the
4-digit PIN code you
enter. All of this is done before the data reaches memory, which
prevents data from being
captured in memory. The device that is used for swiping the
credit card is injected with a
derived unique key per transaction. This is only used for the
payment card encryption and
is not the same key used for the PIN encryption when using a
debit card. Once you swipe
your card, the payment card data is encrypted inside a tamper-
resistant security module
with the payment card industry standard 3DES algorithm, using
the derived unique key
for the transaction (TSYS, 2014). That encrypted data is then
sent securely to an off-site
hardware security module owned by the POS solution provider,
where the payment card
data is decrypted (Knopp, 2013). The decrypted card data is
then encrypted again using
the bank’s encryption key(s) and sent to the bank where the data
is decrypted again. The
bank then sends the approval/denial back for the payment card.
Figure 3 below shows
the process.
Figure 3 – P2P Encryption Data Flow
As you can see, this is a robust solution. It could have prevented
the attackers from
stealing card data. Home Depot actually started to implement
encryption before the
breach occurred, as it was rolled out to a quarter of their stores.
The problem was that
the breach actually began before the encryption was fully
implemented (Bluefin
News & Blog, 2014). This is 1 of the 3 main countermeasures
that should have been in
place to prevent the retail breaches.
2.2.2 Network Segregation
The protection of the perimeter is a vital component in
preventing the large retail
breaches that have occurred and is also critical when
implementing a defense-in-depth
approach. The POS network should be properly segregated from
the rest of the corporate
network. Private VLANs come into play with this
type of countermeasure.
Using a networking switch, you can place the devices on the
POS network into their own
VLAN. Static IP addresses should be assigned to all POS
devices within the IP range you
specify. Once the devices are in their own VLAN, network
traffic between the corporate
environment and the POS environment should be restricted
using an Access Control List
(ACL) on the networking switch. This setup is shown below in
Figure 4.
Figure 4 – Network Segregation of Corporate and POS
Networks
The ACL should deny all traffic between the 2 environments,
except traffic needed
by necessary devices. An example of a necessary device could
be your corporate anti-
virus server, so that anti-virus definitions can be pushed to the
POS devices.
Logging should be enabled on the networking switch and
configured to forward
those logs to your SIEM, so you can see accepted and denied
connections between your
corporate network and POS network.
Network segregation also allows you to configure firewall rules
for that environment
more easily. You can set up special firewall rules for that VLAN, such
as denying all outbound
Internet access through the firewall, except for the necessary
connections. An example of
a necessary connection would be the hosts that the POS devices need to
communicate with for credit
card processing. Segregation of the network is good, but the
need to restrict user access to
those trusted corporate hosts is also critical.
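Once the switch and firewall logs described above reach the SIEM, the deny-by-default policy can be checked against what the devices actually accepted. The following is an added example, not part of the paper: it audits flow logs for the POS VLAN against an allow list, and every address, port, log format and function name in it is an assumption made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing for illustration only (not from the paper).
POS_VLAN = ipaddress.ip_network("10.20.30.0/24")

# The only flows the ACL and firewall should accept to or from the POS VLAN:
# (source network, destination network, destination port). Ports are assumed.
ALLOWED_FLOWS = [
    (ipaddress.ip_network(src), ipaddress.ip_network(dst), port)
    for src, dst, port in [
        ("10.10.5.20/32", "10.20.30.0/24", 8014),    # corporate anti-virus server
        ("10.20.30.0/24", "203.0.113.10/32", 443),   # credit card processor
        ("10.20.30.0/24", "10.10.5.30/32", 8530),    # Windows update server
    ]
]

# Constructed log lines in a simplified, hypothetical format.
SAMPLE_LOG = """
2014-09-02T03:14:07Z ACCEPT tcp 10.20.30.41:49211 -> 203.0.113.10:443
2014-09-02T03:15:00Z ACCEPT tcp 10.10.5.20:51000 -> 10.20.30.41:8014
2014-09-02T03:16:42Z ACCEPT tcp 10.10.77.15:50122 -> 10.20.30.41:445
2014-09-02T03:17:30Z ACCEPT tcp 10.20.30.41:49250 -> 198.51.100.77:80
2014-09-02T03:18:01Z ACCEPT tcp 10.10.77.15:50130 -> 10.10.5.20:443
2014-09-02T03:20:05Z DENY tcp 10.10.77.15:50140 -> 10.20.30.42:3389
2014-09-02T03:20:08Z DENY tcp 10.10.77.15:50141 -> 10.20.30.43:3389
2014-09-02T03:20:11Z DENY tcp 10.10.77.15:50142 -> 10.20.30.44:3389
"""

LOG_LINE = re.compile(
    r"(\S+) (ACCEPT|DENY) tcp ([\d.]+):\d+ -> ([\d.]+):(\d+)"
)


def is_allowed(src, dst, dport):
    """True when the flow matches one of the explicitly permitted rules."""
    return any(src in s and dst in d and dport == p for s, d, p in ALLOWED_FLOWS)


def audit_pos_flows(lines, deny_threshold=3):
    """Return (timestamp, alert, detail) tuples for flows touching the POS VLAN.

    UNEXPECTED_ACCEPT: a device accepted traffic the policy does not permit,
                       which points to a gap in the ACL or firewall rules.
    REPEATED_DENY:     one source hit the deny rule deny_threshold times.
    """
    alerts, denied = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in POS_VLAN and dst not in POS_VLAN:
            continue  # corporate-only traffic is out of scope here
        if action == "ACCEPT":
            if not is_allowed(src, dst, int(dport)):
                alerts.append((ts, "UNEXPECTED_ACCEPT", f"{src} -> {dst}:{dport}"))
        else:
            denied[src] += 1
            if denied[src] == deny_threshold:
                alerts.append((ts, "REPEATED_DENY", str(src)))
    return alerts


if __name__ == "__main__":
    for alert in audit_pos_flows(SAMPLE_LOG.splitlines()):
        print(*alert)
```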
2.2.3 Managing Third Party Vendor Credentials
Poor management of third-party vendor credentials was a
common fault in the Home
Depot and Target data breaches. The attackers were able to gain
access to a vendor-
specific environment used by the retailers and were then able to
pivot to the corporate
networks. This demonstrates the importance of having sufficient
controls in place. The
principle of least privilege needs to be applied. All third-party
vendors should be allowed the
minimal access needed to perform their tasks and should be
denied access to internal
resources, unless required.
An identity and access management solution should be used to
manage the identities
and access of all internal and external employees (third-party
vendors). Each external
employee should have their own account, so that there is
accountability for anything
performed on their behalf. Account review procedures should
also be in place,
specifically for third party vendor accounts. Auditing of these
third-party vendors is
critical. This will allow the detection of abnormal behavior.
Having all of these controls
in place for managing and monitoring the third-party vendor
accounts will detect any
misuse of third-party vendor credentials. This would have been
vital in detecting an
intrusion earlier in the Home Depot and Target breaches.
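The account review and auditing steps in this section can be run as a periodic job over the identity inventory and the logon events collected in the SIEM. This is an added example, not code from the paper; the account names, host names, record layout and the 90-day review interval are all assumptions chosen for illustration.

```python
from datetime import date, datetime

# Constructed inventory of third-party vendor accounts (hypothetical names).
VENDOR_ACCOUNTS = {
    "vnd-acme-jdoe": {
        "owner": "J. Doe (vendor)",           # one named person per account
        "allowed_hosts": {"vendor-portal01"},  # minimal access for the task
        "last_review": date(2014, 7, 15),
        "enabled": True,
    },
    "vnd-acme-shared": {
        "owner": None,                         # nobody is accountable
        "allowed_hosts": {"vendor-portal01"},
        "last_review": date(2014, 1, 10),
        "enabled": True,
    },
}

# Constructed logon events: (time, account, host logged on to).
LOGONS = [
    (datetime(2014, 9, 1, 9, 2), "vnd-acme-jdoe", "vendor-portal01"),
    (datetime(2014, 9, 1, 23, 41), "vnd-acme-shared", "vendor-portal01"),
    (datetime(2014, 9, 1, 23, 47), "vnd-acme-shared", "corp-fs02"),
    (datetime(2014, 9, 2, 0, 5), "vnd-old-temp", "vendor-portal01"),
]


def review_vendor_accounts(accounts, logons, today, max_review_age_days=90):
    """Return (account, issue, detail) findings for vendor accounts.

    Inventory checks: every enabled account has a named owner and a recent
    review. Activity checks: every logon uses a known, enabled account and
    lands only on a host that account is approved for.
    """
    findings = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue
        if acct["owner"] is None:
            findings.append((name, "NO_NAMED_OWNER", "shared or unowned account"))
        age = (today - acct["last_review"]).days
        if age > max_review_age_days:
            findings.append((name, "REVIEW_OVERDUE", f"last reviewed {age} days ago"))

    for when, name, host in logons:
        acct = accounts.get(name)
        stamp = f"{when:%Y-%m-%d %H:%M}"
        if acct is None or not acct["enabled"]:
            findings.append((name, "UNKNOWN_OR_DISABLED_ACCOUNT", f"{stamp} on {host}"))
        elif host not in acct["allowed_hosts"]:
            # A vendor account outside its approved hosts breaks least privilege.
            findings.append((name, "OUT_OF_SCOPE_LOGON", f"{stamp} on {host}"))
    return findings


if __name__ == "__main__":
    for finding in review_vendor_accounts(VENDOR_ACCOUNTS, LOGONS, date(2014, 9, 2)):
        print(*finding, sep=" | ")
```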
3. Conclusion
The key takeaway from this paper is that the Home Depot
breach could have been
prevented by taking a proactive approach. Learning how Target
was breached in
December of 2013 should have immediately prompted Home
Depot to assess their
environment and address the gaps that existed before becoming
compromised. Taking the
preventive measures that I have outlined could have prevented
the Home Depot breach
and will be able to prevent other retail data breaches in the
future. These types of retail
breaches are becoming more common. I hope that retailers will
learn lessons from
previous breaches to safeguard their environment and prevent it
from happening to them.
References
Bloomberg. (2014, May 14). Target's Data Breach: The Largest Retail Hack in U.S. History – Bloomberg. Retrieved from http://www.bloomberg.com/infographics/2014-05-14/target-data-breach.html
Bluefin News & Blog. (2014, September 15). Home Depot Had Started Payment Encryption Work Before EMV Implementation - Bluefin Payment Systems : Bluefin Payment Systems. Retrieved from https://www.bluefin.com/2014/09/15/home-depot-started-payment-encryption-work-emv-implementation/
CreditCardForum. (2014, December 2). 2014 Chip and PIN Credit Cards In The USA: Who Offers Them [Blog post]. Retrieved from http://creditcardforum.com/blog/chip-and-pin-credit-cards-usa/
Elgin, B., Riley, M., & Lawrence, D. (2014, September 18). Home Depot Hacked After Months of Security Warnings - Businessweek. Retrieved from http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open
Gertz, A. (2014, July 30). The Real Cost of a Retail Data Breach | The Art of Data Protection. Retrieved from http://data-protection.safenet-inc.com/2014/07/the-real-cost-of-a-retail-data-breach/#sthash.pw1r5hAM.dpbs
Huq, N. (2013, July 16). A look at Point of Sale RAM scraper malware and how it works | Naked Security. Retrieved from https://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/
Knopp, J. (2013). Point-to-Point Encryption: A Merchant’s Path to Cardholder Data Environment Scope Reduction | MasterCard | Security Matters. Retrieved from http://arm.mastercard.com/securitymatters/compliance/pci-dss/point-point-encryption-merchants-path-cardholder-data-environment-scope-reduction/
Krebs, B. (2014, May 14). The Target Breach, By the Numbers. Retrieved from krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
Krebs, B. (2014, September 14). Home Depot: 56M Cards Impacted, Malware Contained. Retrieved from krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/
Lawrence, D. (2014, September 4). The Amazon.com of Stolen Credit Cards Makes It All So Easy - Businessweek. Retrieved from http://www.businessweek.com/articles/2014-09-04/the-amazon-dot-com-of-stolen-credit-cards-makes-it-all-so-easy
Lee, N. (2014, October 29). Dabbling in the future of payment: A week of Apple Pay and Google Wallet. Retrieved from http://www.engadget.com/2014/10/29/week-apple-pay-google-wallet/
Mick, J. (2014, September 8). DailyTech - Appalling Negligence: Decade-Old Windows XPe Holes Led to Home Depot Hack. Retrieved from http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm
Picchi, A. (2014, September 5). Why new "chip-and-pin" cards won't protect you -- yet - CBS News. Retrieved from http://www.cbsnews.com/news/why-new-chip-and-pin-cards-wont-protect-you-yet/
Smith, M. (2014, November 10). Home Depot IT: Get hacked, blame Windows, switch execs to MacBooks | Network World. Retrieved from http://www.networkworld.com/article/2845620/microsoft-subnet/home-depot-it-get-hacked-blame-windows-switch-execs-to-macbooks.html
The Home Depot, Inc. - News Release. (2014, September 8). Retrieved from http://phx.corporate-ir.net/phoenix.zhtml?c=63646&p=irol-newsArticle&ID=1964976
TSYS. (2014). Point-to-Point Encryption (P2PE). Retrieved from http://www.tsys.com/acquiring/engage/white-papers/Point-to-Point-Encryption.cfm
Vamosi, R. (2008, September 29). How 'carders' trade your stolen personal info - CNET. Retrieved from http://www.cnet.com/news/how-carders-trade-your-stolen-personal-info/
Westin, K. (2013, December 21). Stolen Target Credit Cards and the Black Market: How the Digital Underground Works - The State of Security. Retrieved from http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
Wikipedia. (2014). Windows Embedded Industry. In Wikipedia, the free encyclopedia. Retrieved December 26, 2014, from http://en.wikipedia.org/wiki/Windows_Embedded_Industry
Winter, M. (2014, November 7). Home Depot hackers used vendor log-on to steal data, e-mails. Retrieved from http://www.usatoday.com/story/money/business/2014/11/06/home-depot-hackers-stolen-data/18613167/
Appendix A
Data Breach Cost Calculator
Based on the results generated from the Symantec Data Breach
Calculator
(http://www.databreachcalculator.com), the average cost per
data breach at Home Depot,
according to its risk profile before it was breached, was
$23,506,667. The average cost
per compromised record was calculated at $196 as shown in the
chart below.