Home Depot by Emma Butler

SANS Institute Infosec Case Study Critique: The Home Depot Data Breach

After reading through and thinking about the SANS Institute InfoSec Case Study: The Home Depot Data Breach, I thought I would respond to it with my own analysis and commentary. If you have any comments, add them below.

Abstract

Home Depot’s point-of-sale (POS) systems were compromised in 2014 by an exploitation method similar to the one used in an earlier breach at Target. The hackers stole third-party vendor credentials and used RAM-scraping malware to grab credit card information. The article states that if point-to-point (P2P) encryption and proper network segregation had been used, the Home Depot data breach could have been prevented.

Effectiveness of the Solution

Using a P2P solution would encrypt confidential payment card data before it is sent to memory, preventing hackers from using malware to scrape unencrypted card information from RAM. Having the POS environment in its own restricted VLAN, without access to the Home Depot corporate environment that third-party vendors have access to, would also have helped prevent the data breach even if third-party vendor credentials were stolen.

Drawback of the Solution

P2P encryption requires a sizable financial investment in order to get up and running. While P2P encryption can reduce the need to secure remote networks, it does not eliminate the need for security controls. If a hacker is able to gain access to the decryption key, a P2P encryption solution is rendered useless.

Segmenting networks can make routine security scans more difficult. Segmenting using a VLAN does not guarantee that hackers cannot get access to a particular network. Once one network is compromised and the IP addressing scheme is known, it would be fairly easy to jump over to another network.
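One way to check that a POS segment is actually isolated rather than just placed on its own VLAN is to audit the inter-VLAN access list for permit rules that still let the vendor-accessible network reach it. The sketch below is an added example, not taken from the case study or from Home Depot's environment; the subnets, the rule sets and the `exposed_paths` helper are constructed for illustration, and it assumes a layer-3, first-match ACL with an implicit deny.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR

def _net(cidr):
    return ipaddress.ip_network(cidr)

def _intersect(a, b):
    """CIDR blocks either nest or are disjoint: return the smaller one, or None."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def exposed_paths(rules, untrusted_zone, protected_zone):
    """List (rule_index, src, dst) for permit rules that still let part of
    untrusted_zone reach protected_zone. A permit counts as blocked only when
    one earlier deny covers it completely, so the audit errs towards reporting."""
    zone_src, zone_dst = _net(untrusted_zone), _net(protected_zone)
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        src = _intersect(_net(rule.src), zone_src)
        dst = _intersect(_net(rule.dst), zone_dst)
        if src is None or dst is None:
            continue  # rule does not touch this zone pair
        shadowed = any(
            r.action == "deny"
            and src.subnet_of(_net(r.src))
            and dst.subnet_of(_net(r.dst))
            for r in rules[:i]
        )
        if not shadowed:
            findings.append((i, str(src), str(dst)))
    return findings

# Constructed sample data: vendor-accessible corporate network and POS network.
VENDOR_ZONE, POS_ZONE = "10.20.0.0/16", "10.50.0.0/16"
# VLANs exist, but the router forwards freely between them.
FLAT_ACL = [Rule("permit", "10.0.0.0/8", "10.0.0.0/8")]
# Segmented, with one narrow exception that the audit should surface for review.
SEGMENTED_ACL = [
    Rule("permit", "10.20.5.10/32", "10.50.0.25/32"),
    Rule("deny", "10.20.0.0/16", "10.50.0.0/16"),
    Rule("permit", "10.0.0.0/8", "10.0.0.0/8"),
]

if __name__ == "__main__":
    print("flat:", exposed_paths(FLAT_ACL, VENDOR_ZONE, POS_ZONE))
    print("segmented:", exposed_paths(SEGMENTED_ACL, VENDOR_ZONE, POS_ZONE))
```

Every path the audit reports is one that stolen vendor credentials could still use, so each remaining exception needs its own justification and monitoring.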

Conclusion

The solutions proposed in this case study should have been implemented along with other security measures at Home Depot, especially after the details of the Target breach were understood. While P2P encryption and network segmentation have some shortcomings, the benefits far outweigh the drawbacks.
