SANS Institute Infosec Case Study Critique: The Home Depot Data Breach
After reading through and thinking about the SANS Institute InfoSec Case Study: The Home Depot Data Breach, I thought I would respond to it with my own analysis and commentary. If you have any comments, add them below.
Home Depot’s point of sale systems were compromised in 2014 by a similar exploitation method in an earlier breach at Target. The hackers stole third-party vendor credentials and used RAM scraping malware to grab credit card information. The article states that if P2P encryption was used and proper network segregation the Home Depot data breach could have been prevented.
Effectiveness of the Solution
Using a P2P solution would encrypt confidential payment card data before it is sent to memory preventing hackers from using malware to scrape unencrypted card information from RAM. Having the POS environment in its own restricted (VLAN) without access to the Home Depot corporate environment that third party vendors have access to would have also helped prevent the data breach even if third-party vendor credentials were stolen.
Drawback of the Solution
P2P encryption requires a sizable financial investment in order to get up and running. While P2P encryption can reduce the need to secure remote networks, it does not eliminate the need for security controls. If a hacker is able to gain access to the decryption key, a P2P encryption solution is rendered useless.
Segmenting networks can make routine security scans more difficult. Segmenting using a VLAN does not guarantee hackers from getting access to a particular network. Once the IP addressing scheme is known it would be fairly easy to jump over to another network once one network is compromised.
The solutions proposed in this case study should have been implemented along with other security measures at Home Depot especially after understanding the details of the Target breach. While P2P encryption and network segmentation have some shortcomings the benefits far outweigh the drawbacks.