Home Depot by Emma Butler

SANS Institute Infosec Case Study Critique: The Home Depot Data Breach

Dave Poortvliet
Jan 30, 2018

After reading through and thinking about the SANS Institute InfoSec Case Study: The Home Depot Data Breach, I thought I would respond to it with my own analysis and commentary. If you have any comments, add them below.

Abstract

Home Depot’s point-of-sale systems were compromised in 2014 by an exploitation method similar to the one used in the earlier breach at Target. The hackers stole third-party vendor credentials and used RAM-scraping malware to grab credit card information. The article states that the Home Depot data breach could have been prevented if P2P encryption and proper network segregation had been used.

Effectiveness of the Solution

Using a P2P solution would encrypt confidential payment card data before it is sent to memory, preventing hackers from using malware to scrape unencrypted card information from RAM. Keeping the POS environment in its own restricted network segment (VLAN), without access to the Home Depot corporate environment that third-party vendors can reach, would also have helped prevent the data breach even if third-party vendor credentials were stolen.

Drawback of the Solution

P2P encryption requires a sizable financial investment to get up and running. While P2P encryption can reduce the need to secure remote networks, it does not eliminate the need for security controls. If a hacker gains access to the decryption key, a P2P encryption solution is rendered useless.

Segmenting networks can make routine security scans more difficult. Segmenting with a VLAN does not guarantee that hackers cannot get access to a particular network: once the IP addressing scheme is known, it would be fairly easy to jump over to another network after one network is compromised.

Conclusion

The solutions proposed in this case study should have been implemented along with other security measures at Home Depot, especially once the details of the Target breach were understood. While P2P encryption and network segmentation have some shortcomings, the benefits far outweigh the drawbacks.

Editor's Note: Put a WEBGAP between you and the malware with a browser isolation technology or by leveraging a remote browser service.

Dave Poortvliet

Written by

Provides technical direction and oversight of university web operations. Ensures design and development of custom web applications align with strategic goals.

secjuice™

secjuice™ is your daily shot of opinion, analysis & insight from some of the sharpest wits in cybersecurity, information security, network security and OSINT.
