Question
Read the Target case study at the end of Chapter 10 (p. 414). Define terms such as threats, safeguards and targets. What type of threat(s) did Target face? Which specific techniques did the hackers use?
CASE STUDY 10

Hitting the Target

On December 18, 2013, Target Corporation announced that it had lost 40 million credit and debit card numbers to attackers. Less than a month later Target announced an additional 70 million customer accounts were stolen that included names, emails, addresses, phone numbers, and so on. After accounting for some overlap between the two data losses, it turns out that about 98 million customers were affected.[21] That's 31 percent of all 318 million people in the United States (including children and those without credit cards). This was one of the largest data breaches in U.S. history.

These records were stolen from point-of-sale (POS) systems at Target retail stores during the holiday shopping season (November 27 to December 15, 2013). If you were shopping at a Target during this time, it's likely your data was lost. Following is a short summary of how attackers got away with that much data.

How Did They Do It?

The attackers first used spearphishing to infect a Target third-party vendor named Fazio Mechanical Services (refrigeration and HVAC services).[22] Attackers placed a piece of malware called Citadel to gather keystrokes, login credentials, and screenshots from Fazio users.[23] The attackers then used the stolen login credentials from Fazio to access a vendor portal (server) on Target's network. The attackers escalated privileges on that server and gained access to Target's internal network.

[FIGURE 10-17: Target Data Breach. Labeled elements: Malware Writers, Phishing, Fazio Mechanical Services, Stolen Credentials, Target's Network (Vendor Server, Windows Server, POS Terminals, Extraction Server), Malware, Stolen Data, Drop Servers (Russia, Brazil, and Miami).]

Once in, the attackers compromised an internal Windows file server. From this server the attackers used malware named Trojan.POSRAM (a variant of BlackPOS) to extract information from POS terminals. BlackPOS was developed by a 17-year-old from St. Petersburg, Russia, and can be purchased from underground sites for about $2,000.[24]

The customer data was continuously sent from the POS terminals to an extraction server within Target's network. It was then funneled out of Target's network to drop servers in Russia, Brazil, and Miami. From there the data was taken and sold on the black market. (See Figure 10-17.)

The Damage

For the attackers, the "damage" was great. It's estimated that the attackers sold about 2 million credit cards for about $26.85 each for a total profit of $53.7M.[25] Not bad for a few weeks of work. Incentives for this type of criminal activity are substantial. Payoffs like these encourage even more data breaches.

Target, on the other hand, incurred much greater losses than the hacker's gains. It was forced to upgrade its payment terminals to support chip-and-PIN enabled cards (to prevent cloning cards from stolen information), which cost more than $100M. In 2015, Target lost a legal battle with banks over reimbursement of costs associated with the data breach, which could exceed $160M. It also had to pay increased insurance premiums, pay legal fees, pay for consumer credit monitoring, and pay regulatory fines.

Target faced a loss of customer confidence and a drop in its revenues (a 46 percent loss for that quarter). Analysts put the direct loss to Target as high as $450M.[26] The company lost its CIO Beth Jacob and paid its CEO Gregg Steinhafel $16M to leave.[27] And in late 2015, Target paid banks $39 million for losses related to the data breach.[28]

The data breach affected more than just Target. The amount of media coverage related to the Target data breach likely accelerated the shift from magnetic swipe cards to EMV-compliant smart cards begun in 2015. This shift will force the eventual replacement of 800 million payment cards and 14 million POS terminals at a cost of $7B.[29] The good news is that the adoption of EMV-compliant smart cards will greatly reduce the $10B in credit card fraud that occurs each year. It will also likely reduce the amount of credit card theft by hackers because stolen credit card numbers would be of little value without the physical card.

Just like car accidents, data breaches may not be viewed as important until after they occur. The data breach affected Target enough that it upgraded its infrastructure, changed internal systems, and hired a Chief Information Security Officer (CISO).[30]

Will there be a more severe data breach in the future? Probably. Are organizations ready for it? Based on past performance, we won't be ready for it until after it happens.