Security Analysis and Recommendations

PB’s&J Presenters & Topics
David Bihm: User Account Management
Nathan Julson: Data Classification; Firewall Architectures and Connections with Public Networks
Brandon Buckley: Reaccreditation
Ryan Passehl: Trusted Path; Protection of Security Functions

Key Incident Details
- Breach of wireless network
- Exploitation of existing user accounts
- Implantation of data mining applications
- Creation of unauthorized access accounts
- Capture of confidential customer data
- PCI non-compliance

Recommendations

5.4 User Account Management

CONTROL OBJECTIVE: Management should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending and closing user accounts. A formal approval procedure outlining the data or system owner granting the access privileges should be included. The security of third-party access should be defined contractually and address administration and nondisclosure requirements. Outsourcing arrangements should address the risks, security controls and procedures for information systems and networks in the contract between the parties.

Recommendations: It was obvious during our investigation that the processes in place at the time of the breach did not identify the unauthorized account creation and use by the perpetrators. While the possibility always exists that an unauthorized account is created, what concerned us is that the accounts may have been used for an unexcused length of time. For this reason we believe that TJX would benefit from the basic account management processes discussed on the next slide.

Continued: 5.4 User Account Management

A. New user account requests must be submitted by management personnel only. Proper forms must be completed and signed prior to account creation.

B. Leave of Absence
1. When an employee requests a leave of absence, management is required to notify the Human Resources department.
2. HR will document the dates of absence and provide notice to the systems administrator.
3. The associated accounts are disabled beginning on the date specified by HR. A separate request is required upon the return of the employee from leave, at which time their accounts will be enabled and a new password set.

C. Termination
1. Upon termination, management is required to notify Human Resources.
2. Human Resources will process the termination request and notify systems administrators, at which time all associated user accounts are disabled and moved to a designated archive location until authorized for deletion.

D. Required as part of new user orientation
1. New users are provided training on required systems.
2. New users are provided a copy of the system usage and security policy. A signature is required from the employee verifying that they understand the security requirements and that misuse will result in disciplinary action, possibly termination.

E. Recurring Training
1. Users will be required to attend bi-annual continuing education on systems operation and policies.
2. Users will provide a signature verifying attendance.

The mere fact that evidence showed the perpetrators accessed TJX’s systems multiple times over the course of 2 years raises the question of whether any process was in place, at the time of the breach, to monitor and audit access rights to systems and resources. If such a process had been in place and adequately executed, the accounts created and used by the thieves should have been identified due to the sensitive nature of the information being accessed.

Our recommendation is to implement, at a minimum, a quarterly internal audit of account access rights, due to the high turnover and number of promotions that are common in retail businesses. Also recommended, at least until all damage claims have ceased, is an annual audit performed by an outside source.
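The quarterly access-rights audit recommended above can be reduced to a mechanical check that joins the HR roster against a directory export. The following is an added example written for this page, not code from the presenters; the roster, the account list, the employee ids and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation): an HR roster keyed by
# employee id and a directory export of accounts for one hypothetical site.
HR_ROSTER = {
    "emp001": {"status": "active"},
    "emp002": {"status": "leave", "leave_start": "2024-03-01"},
    "emp003": {"status": "terminated", "end_date": "2024-02-15"},
}
ACCOUNTS = [
    {"user": "jdoe", "employee_id": "emp001", "enabled": True, "last_logon": "2024-04-20"},
    {"user": "asmith", "employee_id": "emp002", "enabled": True, "last_logon": "2024-03-10"},
    {"user": "bjones", "employee_id": "emp003", "enabled": True, "last_logon": "2024-04-01"},
    {"user": "svc_pos9", "employee_id": None, "enabled": True, "last_logon": "2024-04-25"},
    {"user": "oldtemp", "employee_id": "emp001", "enabled": True, "last_logon": "2023-11-01"},
    {"user": "retired", "employee_id": "emp003", "enabled": False, "last_logon": "2024-02-01"},
]

def audit_accounts(accounts, roster, today_iso, stale_days=90):
    """Return (user, finding) pairs for enabled accounts that violate the 5.4 rules:
    no owner on record, owner terminated or on leave, or no logon for stale_days."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to flag
        emp = roster.get(acct["employee_id"])
        if emp is None:
            # No management-approved request ties this account to a person (rule A).
            findings.append((acct["user"], "no employee owner on record"))
        elif emp["status"] == "terminated":
            # Rule C: termination must have disabled the account.
            findings.append((acct["user"], "owner terminated but account still enabled"))
        elif emp["status"] == "leave" and today_iso >= emp["leave_start"]:
            # Rule B: accounts are disabled from the leave start date HR specified.
            findings.append((acct["user"], "owner on leave but account still enabled"))
        elif today - date.fromisoformat(acct["last_logon"]) > timedelta(days=stale_days):
            # Dormant account on an active employee: a candidate for review or disablement.
            findings.append((acct["user"], f"no logon in {stale_days} days"))
    return findings

if __name__ == "__main__":
    for user, why in audit_accounts(ACCOUNTS, HR_ROSTER, "2024-05-01"):
        print(f"{user}: {why}")
```

Running the audit on the sample data flags four of the six accounts; the disabled one and the active, recently used one pass.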

5.8 Data Classification

CONTROL OBJECTIVE: Management should implement procedures to ensure that all data are classified in terms of sensitivity by a formal and explicit decision by the data owner according to the data classification scheme. Even data needing “no protection” should require a formal decision to be so designated. Owners should determine disposition and sharing of data, as well as whether and when programs and files are to be maintained, archived or deleted. Evidence of owner approval and data disposition should be maintained. Policies should be defined to support reclassification of information, based on changing sensitivities. The classification scheme should include criteria for managing exchanges of information between organizations, addressing both security and compliance with relevant legislation.

Recommendations: TJX did not follow many of the PCI DSS requirements that a business of its size should. When working with so much customer data, it is imperative that the data is securely stored. TJX needs to change its data storage and retention policies to align with the PCI DSS requirements. Highly sensitive information needs to be classified as such and stored accordingly. Customer data should not be kept any longer than needed, and a standard process for handling this data needs to be implemented.

5.2 Firewall Architectures and Connections with Public Networks

CONTROL OBJECTIVE: If connection to the Internet or other public networks exists, adequate firewalls should be operative to protect against denial of service, unauthorized access to the internal resources, and control any application and infrastructure management flows in both directions.

Recommendations: It appears that sensitive customer data was not protected from outside intruders as it should have been. Although the company did not address this sufficiently before, going forward it may be the most important step in preventing another intrusion. TJX needs to install the firewall software it had previously purchased and work with that vendor to ensure it is set up and operating correctly. Proper monitoring and auditing of the firewall must occur on a regular basis to ensure suspicious activity is detected early. TJX was also lacking security in its wireless setup. To prevent further intrusions, it is recommended that TJX purchase new wireless access points for all its retail stores. In addition, it needs to ensure they are set up to use a higher level of wireless encryption than the WEP that was in use. These access points should also be set up to allow secure remote monitoring from a central location, so that the configuration can be verified to be correct upon inspection.

5.12 Reaccreditation

CONTROL OBJECTIVE: Management should ensure that reaccreditation of security (e.g., through “tiger teams”) is periodically performed to update the formally approved security level and the acceptance of residual risk.

Recommendations: TJX should comply with the PCI DSS standards that are set in place for major companies that handle customer credit card data. TJX should be PCI compliant in all 12 areas in order to gain reaccreditation, which can cost $150 a year to be certified. TJX also has to take a proactive approach by implementing a secure wireless network complete with WPA security and firewalls to protect against intruders. Proactive processes should also be implemented by reviewing access logs to catch any unfamiliar behavior or intrusion attempts and acting on them immediately. (Vijayan, 2007)

5.16 Trusted Path

CONTROL OBJECTIVE: Organizational policy should ensure that sensitive transaction data are exchanged only over a trusted path. Sensitive information includes security management information, sensitive transaction data, passwords and cryptographic keys. To achieve this, trusted channels may need to be established using encryption between users, between users and systems, and between systems.

Recommendations: TJX needs to first upgrade its wireless security to WPA2 at all stores. This is especially vital given that the original break-in occurred via a wireless connection. All internal data exchange needs to be done over secure LAN and WAN links with strong security, managed by the network infrastructure team. All work done from remote machines needs to be done via a secured VPN connection requiring login authentication. All web pages containing customer data must use SSL to protect that data.

5.17 Protection of Security Functions

CONTROL OBJECTIVE: Security-related hardware and software should at all times be protected against tampering and against disclosure of secret keys to maintain their integrity. In addition, organizations should keep a low profile about their security design, but should not base their security on the design being secret.

Recommendations: All software, hardware and firmware need to be updated on a regular basis across all devices (preferably once a month). The software managing the wireless access points needs immediate attention to be made more secure (stronger passwords), with the goal of moving to WPA2 security in the near future. Once WPA2 is implemented, the software needs to be fully secured, with password information given out to very limited staff and the passwords for this (and all passwords across all systems) forced to change on a regular basis. All workstations must be password protected and forced to use a login ID that can be traced to an individual. All workstations must be locked and not easily accessible to non-approved people.
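Sections 5.2, 5.16 and 5.17 together ask for three things a central management console can verify on every store access point: WPA2 rather than WEP, management access limited to the central monitoring location, and firmware no older than the monthly update cycle. The following is an added example written for this page, not code from the presenters or from any vendor; the inventory export format, the store numbers, the management network range and the 30-day firmware threshold are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample export (not from the presentation): three hypothetical store
# access points as a central management console might report them.
AP_INVENTORY = [
    {"store": "0101", "ap": "ap-01", "encryption": "WEP",
     "mgmt_from": "0.0.0.0/0", "firmware_date": "2023-01-10"},
    {"store": "0102", "ap": "ap-01", "encryption": "WPA2-PSK",
     "mgmt_from": "10.200.0.0/16", "firmware_date": "2024-04-02"},
    {"store": "0103", "ap": "ap-01", "encryption": "WPA2-Enterprise",
     "mgmt_from": "0.0.0.0/0", "firmware_date": "2024-03-20"},
]

# Assumed address range of the central monitoring location (5.2 recommendation).
MGMT_NET = ipaddress.ip_network("10.200.0.0/16")

def check_ap(ap, today, max_firmware_age_days=30):
    """Return a list of findings for one access point; an empty list means compliant."""
    findings = []
    # 5.16 / 5.17: WPA2 is the required minimum; WEP and WPA both fail.
    if not ap["encryption"].startswith("WPA2"):
        findings.append(f"encryption is {ap['encryption']}, WPA2 required")
    # 5.2: the management interface must only be reachable from the central location.
    allowed = ipaddress.ip_network(ap["mgmt_from"])
    if not allowed.subnet_of(MGMT_NET):
        findings.append(f"management reachable from {allowed}, restrict to {MGMT_NET}")
    # 5.17: firmware should be refreshed on the monthly cycle.
    age = (today - date.fromisoformat(ap["firmware_date"])).days
    if age > max_firmware_age_days:
        findings.append(f"firmware {age} days old, exceeds {max_firmware_age_days}")
    return findings

def audit_inventory(inventory, today_iso):
    """Map 'store/ap' to its findings for every access point in the export."""
    today = date.fromisoformat(today_iso)
    return {f"{ap['store']}/{ap['ap']}": check_ap(ap, today) for ap in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(AP_INVENTORY, "2024-05-01").items():
        print(name, "OK" if not findings else "; ".join(findings))
```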