Wednesday, May 6, 2015

Security: The Backstory to Home Depot

The class action lawsuit filed against Home Depot reveals a telling backstory that made a hacker's dream come true, and it started with a new chief of IT security in 2011:

  • hired an "enforcer" manager
    • "bullying" and "abrasive" - descriptions of Jeff Mitchell, CISO (Chief Information Security Officer)
    • high attrition
      • about 50% of IT security employees left within 3 months of Mitchell's promotion to CISO in 2011
      • additional talent loss continuing to 2013
    • perceived IT security as discretionary spending
      • "We sell hammers." Matthew Carey, CIO
        • Mr. Carey focused on technological improvements in the company’s supply chain
      • "it's going to interrupt the business", Jeff Mitchell, CISO
      • cost cutting in IT security
        • loss of ability to hire top talent
        • suspension of computer asset inventorying (Symantec Control Compliance Suite)
        • suspension of regular risk analysis & reporting
      • shelving IT security projects
        • deferred POS encryption project
        • suspended the privileged account access auditing system (Cyber-Ark Software purchased but never implemented)
        • ignored the advanced intrusion detection firewall (Symantec NTP purchased but its functionality never enabled)
    • ignored IT security risks
      • ignoring (and penalizing) a whistleblower in 2011
        • both the legal and IT security departments took no action when an employee reported critical vulnerabilities in retail stores, other than to dismiss the employee
      • non-action on confidential POS vulnerability reports
        • from FBI in early 2014
        • from VISA in 2013
      • non-action on remediation recommended by 3rd party IT auditors
        • auditors / consultants flagged company software as outdated and unpatched
          • FishNet Security consulted
          • Symantec Corp consulted
      • random & incomplete internal security audits
    • computer systems "desperately out of date" - Francis Drake, CEO
      • near-EOL (end-of-life) software in production
        • the POS machines targeted by hackers ran Microsoft Windows XPe ("XP Embedded"), an OS that was 13 years old
        • the anti-virus version in use, Symantec Endpoint, was 7 years old at the time of the hack
      • routine software patching replaced with ad hoc updates
