When building a system for ensuring information security, the processes of monitoring and checking its state are as important as implementing protective measures, training personnel, and enforcing security policies. Monitoring allows the adequacy of the selected measures and means of protection to be verified and reveals vulnerabilities in the existing information system (IS).
This report is intended to draw up recommendations to protect the corporate information of the Target retail chain and to prevent critical situations in its information system. The following tasks were identified as key for a comprehensive security audit of the IS:
- Obtaining an assessment of the current level of the network infrastructure security;
- Development of recommendations to increase the level of security and eliminate identified vulnerabilities.
Data Assets and Business Process
The information system used in the Target network is a solution for managing goods distribution and internal logistics in retail outlets of any size. The main goals of a functioning information system can be summarized as the following:
- Information integration of geographically distributed stores, warehouses, and other retail facilities in order to operate within a single logistics system.
- Full control, accounting, and analysis of all types of goods movement in quantitative and cost terms, up to management in real time.
- Acceleration and improvement of the quality of customer service, increasing level of customers’ loyalty.
- An increase in labor productivity and a decrease in the number of personnel errors.
- Protection against dishonest actions of personnel.
Internal financial data, information on interaction with contractors, personal information of registered buyers, as well as those who make online purchases, represent Target’s critical information assets.
The functionality of the information system under consideration allows for the operation of a multi-format network (supermarket, hypermarket, and neighborhood store), as well as taking into account the peculiarities of other formats, in particular DIY (Do It Yourself ‑ self-service stores with an assortment of 10 thousand or more items of goods for interior, household, gardening, dishes, souvenirs, building materials, etc.). The system also supports the modern management standard for retail chains ‑ a centralized management principle with a single database (DB) server ‑ which is what makes it possible to organize the management of a network trading company most efficiently, even when the managed facilities are located in different regions.
Our estimates of the total cost of ownership of an information system built on the centralized architecture showed significantly lower values than for a distributed one, not to mention the savings on managerial personnel, increased turnover, and the overall performance of the company.
The system is deployed on a global computer network with remote access to a single database and works effectively in a client-server architecture. It uses a remote resident interface with cash registers installed in stores, which allows managing cash registers directly from the center. At the same time, the exchange of information between the system and cash registers takes place almost instantly and does not interfere with the work of the cashier.
The structure of the system allows presenting several accounting objects with different legal entities with many departments that have a single financial responsibility. All network objects use common reference information, which allows connecting a new object, for example, a newly opened store, to the general network in a matter of hours. Moreover, the system provides the consolidation of any analytical reports on any set of accounting objects.
The introduction of mobile solutions increases the efficiency of store personnel by simplifying access to the corporate database. Thanks to this, the time required to complete routine operations is reduced, the risk of errors is diminished, and the quality of data analysis is improved for more accurate planning of the outlet. Personnel get quick access to all necessary information, including the corporate database, regardless of their location, and the transfer of feedback from stores to the office is greatly simplified. Target has a solution for mobile business process management. However, mobile access enlarges the attack surface: corporate data leaves the controlled perimeter onto devices and cloud services the Company does not fully control.
Legal Requirements and Standards to Comply With
The problem of corporate information security is usually addressed in two planes. First, there are formal criteria that secure information technologies must meet; second, the practical aspect ‑ a specific set of security measures (Insurance Data Management Association, 2017). Formal criteria are subject to standardization. The best-known standard in the field of information security management has long been ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, which originated from the British standard BS 7799-1 (Susanto & Almunawar, 2018). In 2007 it was renumbered ISO/IEC 27002 without a change of content, so the text referred to below as ISO/IEC 17799 lives on as ISO/IEC 27002. The standard addresses the following issues of ensuring the information security of organizations and enterprises:
- The need to ensure information security;
- Basic concepts and definitions of information security;
- Company’s information security policy;
- Organization of IS at the enterprise;
- Classification and management of corporate information resources;
- Security issues related to personnel (human resources security).
Key fields of application of the ISO 17799 standard include the following: physical security; security administration of corporate information systems; access control; security requirements for corporate information systems during their development, operation and maintenance; and managing company business processes in terms of information security (Susanto & Almunawar, 2018).
The second part of the British standard, BS 7799-2:2002, specifies the requirements for an information security management system (ISMS) against which an organization can be audited for compliance with the code of practice in the first part; it became the basis for ISO/IEC 27001:2005. In accordance with the provisions of this standard, the procedure for auditing the security of corporate information systems is also regulated.
The results of security assessments make it possible for a company to determine the adequacy of protection for a corporate information system. The approach to information security management is currently defined by two interrelated standards: ISO/IEC 27001 and ISO/IEC 27002 (Wiggins, 2016).
The main role here is played by ISO/IEC 27001, which specifies the requirements for an information security management system; its 2005 edition structured them around the PDCA (Plan, Do, Check, Act) cycle widely used in quality management, and later editions keep the same continual-improvement logic. ISO/IEC 27002 is more of a reference: it describes a catalogue of possible information protection controls from which the organization selects the ones it needs (Alturise & Clder, 2015). It should be noted that the regulatory requirements and recommendations of national regulators use the same principles and approaches to organizing information protection activities.
Although Target uses “heavy” IT solutions that are important for the retail supply chain endpoints, cybersecurity, unfortunately, is not treated as a priority. The components of the information system are integrated quite efficiently in technical and cost terms and are resilient to ordinary faults, but they were not designed with a malicious adversary in mind. The Company does not have a clearly formulated information security policy, and as a result the mobile part of the information system is highly vulnerable.
One of the vulnerabilities was identified on the external perimeter, in the use of the information system from mobile devices. It consists of an insecure authentication method: the remote server accepts credentials transmitted unencrypted over an insecure protocol. An attacker positioned on the network path (for example, on a store's Wi-Fi network) can recover the user name and password simply by capturing the traffic.
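As an added illustration that is not part of the original report, the following Python fragment shows what such passive capture yields and the client-side rule that closes the gap: credentials are only ever sent over TLS to a known host. The request bytes, host name and credentials are constructed for the example.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample traffic: the login request a mobile client sends when the
# server still accepts HTTP Basic credentials over plain HTTP. The credentials
# are invented; the header is built exactly as a client would build it.
SAMPLE_USER, SAMPLE_PASSWORD = "store042", "Winter2019!"
CAPTURED_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: erp.example-retail.internal\r\n"
    b"Authorization: Basic "
    + base64.b64encode(f"{SAMPLE_USER}:{SAMPLE_PASSWORD}".encode())
    + b"\r\nContent-Length: 0\r\n\r\n"
)

# Hosts the hardened client is allowed to send credentials to (assumed name).
ALLOWED_HOSTS = {"erp.example-retail.internal"}


def credentials_from_capture(raw: bytes):
    """What a passive listener recovers from one captured plaintext request.

    Returns (user, password) if the request carries HTTP Basic credentials,
    otherwise None. Base64 is an encoding, not encryption, so no key is needed.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return user, password
    return None


def credential_endpoint(url: str) -> str:
    """Hardened client rule: credentials travel only over TLS and only to a known host.

    Raises ValueError for anything else, so a downgraded or spoofed endpoint
    fails closed instead of leaking the password.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}; TLS is required")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected host {parts.hostname!r}")
    return url


if __name__ == "__main__":
    print("eavesdropper sees:", credentials_from_capture(CAPTURED_REQUEST))
    for url in ("http://erp.example-retail.internal/api/login",
                "https://erp.example-retail.internal/api/login"):
        try:
            print("allowed:", credential_endpoint(url))
        except ValueError as err:
            print("blocked:", err)
```

The same capture logic applied to a traffic dump is a quick audit check: any hit means the server must be reconfigured to accept credentials only over TLS (and preferably to issue short-lived session tokens after login rather than having the password resent with every request).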
One of the earliest possible and most dangerous attacks begins when the built-in security features of the device are disabled (a process known as “jailbreaking” on Apple iOS or “rooting” on Google Android), whether by the user or by an attacker. It allows installing applications and system extensions that the security policy prohibits, and such installations may result in the deliberate or accidental introduction of malicious code onto a device that holds corporate data. These threats carry a high level of risk and can have noticeable negative implications for the Company, including a sharp loss of reputation due to data leakage.
A DNS rebinding attack, also called anti-DNS-pinning, is also possible. The server is vulnerable to a bypass of the browser's Same Origin Policy (SOP) through DNS rebinding: the attacker controls a DNS name, first resolves it to a server of their own so that the victim's browser loads a page with active content, and then re-resolves the same name (using a very short TTL) to the IP address of the vulnerable internal site. Because the SOP compares host names rather than IP addresses, the attacker's script now runs in what the browser treats as the same origin and can read responses from the internal site through the victim's browser, including sites behind firewalls or those whose only access control is network location. The standard server-side mitigation is to validate the Host header and refuse requests that do not name one of the site's own host names.
In contrast to Cross-Site Request Forgery (CSRF), a DNS rebinding attack is aimed at reading data (a confidentiality violation) rather than at performing actions in the application (an integrity violation). In conjunction with CSRF, however, DNS rebinding can give full access to the web application through the user's browser.
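The following simulation, added here and not drawn from the report or from any vendor product, plays the rebinding sequence end to end against a model of the internal application: once with the vulnerable behaviour (any Host header accepted) and once with the mitigation (Host validation). All names and addresses are constructed, and the browser is reduced to the two properties that matter for the attack: it connects to whatever IP the name resolves to, and it sends the URL's host name in the Host header.

```python
# Constructed addresses and names; nothing here is a real host.
ATTACKER_HOST = "rebind.attacker.example"         # DNS name the attacker controls
ATTACKER_IP = "203.0.113.10"                      # attacker's web server (TEST-NET-3)
INTERNAL_IP = "10.20.30.40"                       # internal web app behind the firewall
SERVED_HOSTS = {"erp.example-retail.internal"}    # names the internal app really answers to
SECRET_PAGE = "inventory and margin report"


class RebindingResolver:
    """Attacker's authoritative DNS server.

    Answers with TTL 0 so the browser re-resolves on its next request, and
    switches from the attacker's IP to the internal IP after the first answer.
    """

    def __init__(self) -> None:
        self.answers = 0

    def resolve(self, name: str) -> tuple[str, int]:
        if name != ATTACKER_HOST:
            raise LookupError(name)
        self.answers += 1
        return (ATTACKER_IP if self.answers == 1 else INTERNAL_IP), 0


def internal_app(host_header: str, path: str, *, validate_host: bool) -> tuple[int, str]:
    """The internal web app.

    Vulnerable mode trusts any Host header; hardened mode refuses requests that
    do not name one of its own host names (HTTP 421 Misdirected Request).
    """
    if validate_host and host_header not in SERVED_HOSTS:
        return 421, "Misdirected Request"
    if path == "/report":
        return 200, SECRET_PAGE
    return 200, "index"


def browser_fetch(resolver: RebindingResolver, host: str, path: str,
                  *, validate_host: bool) -> tuple[int, str]:
    """The victim's browser: resolve the name, connect to the returned IP, and send
    the URL's host name as the Host header. SOP is checked on the name, so every
    fetch to ATTACKER_HOST counts as the same origin whatever IP it reaches."""
    ip, _ttl = resolver.resolve(host)
    if ip == ATTACKER_IP:
        # Stage 1: attacker's page; its script later requests a same-origin URL.
        return 200, "<script>setTimeout(() => fetch('/report').then(exfiltrate), 60000)</script>"
    return internal_app(host, path, validate_host=validate_host)


def run_rebinding(validate_host: bool) -> tuple[int, str]:
    """Play the attack and return what the attacker's script is able to read."""
    resolver = RebindingResolver()
    status, page = browser_fetch(resolver, ATTACKER_HOST, "/", validate_host=validate_host)
    assert status == 200 and "<script>" in page          # stage 1 succeeded
    # Stage 2: the TTL-0 record has expired; the browser re-resolves and now
    # connects to the internal IP while still sending Host: rebind.attacker.example.
    return browser_fetch(resolver, ATTACKER_HOST, "/report", validate_host=validate_host)


if __name__ == "__main__":
    print("vulnerable server:", run_rebinding(validate_host=False))
    print("hardened server:  ", run_rebinding(validate_host=True))
```

Note what the mitigation does and does not rely on: the internal app never sees the rebound IP address, only the wrong host name, which is why Host validation (or serving the application on a name-based virtual host only) defeats the attack regardless of how long the victim's browser pins DNS answers.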
Among the conceptual problems, it should be noted that the IS is not certified under the ISO system, which means there is no integration of the quality management system with information security management. Thus, proper accounting, assessment, and forecasting of complex risks and losses due to IS vulnerabilities are not maintained.
Recommendations to Achieve Appropriate Level of Information System Security
Recommendations for modifying the system can be presented in the form of the following concept:
- All protective measures used should be usable by the staff who depend on them and easy to maintain; a control that obstructs work gets bypassed.
- Each user must be provided with the minimum privileges necessary to perform a specific job.
- The protection system must be autonomous: it must keep working, and fail closed, even when the components it protects are compromised or unavailable.
- Security system developers must take into account the maximum degree of hostility of the environment, that is, assume the worst intentions of attackers and their ability to circumvent any single defense mechanism.
- The presence and location of protective mechanisms should not be disclosed unnecessarily, but their effectiveness must not depend on that secrecy (Kerckhoffs's principle): assume the attacker knows the design.
At the same time, the cost of the protective system should not exceed the amount of possible damage plus the costs of its operation and maintenance. The corporate standard of information security should apply to all security zones, and all of them should be equally strong: protection has no weakest link, and its strength in each zone is proportionate to the probability and impact of a realistic threat.
It is advisable to introduce the Mobile Device Management solution, which is designed to safely integrate users’ mobile gadgets into the corporate environment, to make it safe and manageable. For example, this solution allows creating an encrypted container on the device that contains confidential information, which will not allow access to it in case of losing smartphone or tablet (ASI Solutions, 2019).
In this case, the IT security service has the additional ability to initiate the deletion of all data on the device. Moreover, the solution allows applying corporate security policies. For example, a user will not be able to connect to corporate mail if his/her device is not password protected, or will not be able to use the camera at a specific geolocation point.
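As an added example, not part of the report or of any MDM vendor's code, the following Python fragment shows how such policies are typically evaluated as a conditional-access decision before a device reaches a corporate resource, covering the rooted/jailbroken case from the threat discussion above and the lost-device wipe. Field names, thresholds and resource names are assumptions for the example, not Target's policy.

```python
from dataclasses import dataclass

# Assumed policy parameters for this example.
MIN_OS_VERSION = {"ios": (16, 0), "android": (12, 0)}
CONTAINER_ONLY_RESOURCES = {"corporate-mail", "erp-mobile"}


@dataclass(frozen=True)
class DevicePosture:
    """Constructed posture report with the fields an MDM agent typically collects."""
    device_id: str
    platform: str                  # "ios" or "android"
    os_version: tuple[int, int]
    passcode_set: bool
    storage_encrypted: bool
    rooted_or_jailbroken: bool     # built-in platform protections disabled
    managed_container: bool        # corporate data kept in the MDM-encrypted container
    corporate_owned: bool = False
    reported_lost: bool = False


def evaluate_access(posture: DevicePosture, resource: str) -> tuple[bool, list[str]]:
    """Conditional-access check run before a device may reach a corporate resource.

    Returns (allowed, reasons); every failed requirement is listed so the user
    and the helpdesk see what to fix rather than a bare denial.
    """
    reasons: list[str] = []
    if posture.reported_lost:
        reasons.append("device reported lost: access suspended pending wipe")
    if posture.rooted_or_jailbroken:
        reasons.append("built-in platform protections are disabled (rooted/jailbroken)")
    if not posture.passcode_set:
        reasons.append("no device passcode")
    if not posture.storage_encrypted:
        reasons.append("device storage is not encrypted")
    minimum = MIN_OS_VERSION.get(posture.platform)
    if minimum is None:
        reasons.append(f"unsupported platform {posture.platform!r}")
    elif posture.os_version < minimum:
        reasons.append(f"OS {posture.os_version} is below the minimum {minimum}")
    if resource in CONTAINER_ONLY_RESOURCES and not posture.managed_container:
        reasons.append(f"{resource} may only be used from the managed container")
    return (not reasons, reasons)


def wipe_command(posture: DevicePosture) -> str:
    """What the security service issues for a lost device: the whole device if it
    is company-owned, only the corporate container on a personally owned one."""
    if not posture.reported_lost:
        raise ValueError("wipe is only issued for devices reported lost or stolen")
    return "full-wipe" if posture.corporate_owned else "container-wipe"


if __name__ == "__main__":
    store_tablet = DevicePosture("tab-0421", "android", (13, 0), passcode_set=True,
                                 storage_encrypted=True, rooted_or_jailbroken=False,
                                 managed_container=True, corporate_owned=True)
    print(evaluate_access(store_tablet, "erp-mobile"))
    rooted = DevicePosture("byod-17", "android", (13, 0), passcode_set=True,
                           storage_encrypted=True, rooted_or_jailbroken=True,
                           managed_container=False)
    print(evaluate_access(rooted, "corporate-mail"))
```

The decision is re-evaluated on every access, not only at enrolment: a device that was compliant yesterday and is rooted today loses access at the next check, which is the practical meaning of "applying corporate security policies" through MDM.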
After taking these measures, it is recommended that documentation be prepared for information system certification according to the ISO standard. Today, the presence of a certificate of compliance is both an effective marketing solution and a mechanism for monitoring production processes. Since the ISO 9001 standard has long taken a leading position in the number of certificates in the world, and the ISO 27001 standard shows a tendency to increase certification of the information security management system, it is advisable to consider the possible interaction and integration of the quality management system and IS management system.
Based on the results of the analysis, the following conclusions can be drawn:
- The current management of information security of the Company has systemic problems.
- The Company does not have the basic elements of information security management: information security standards, policies and procedures, rules, and a system for monitoring compliance with them.
- The organizational and technical systems of IS require significant improvement.
- As a result, the current level of information systems protection is below the generally accepted basic level.
Organizational and technical measures must be taken as described in the Recommendations section. A conceptual recommendation is to ensure the integration of a quality management system and IS management system, which in its structure has the potential for development, transparency of management, and flexibility to any changes.
Alturise, F., & Clder, P. (2015). Overview of ISO standards and their impact on ICT and engineering practices. International Journal of Advanced Research in Computer Science & Technology, 3(4), 40-45.
ASI Solutions. (2019). Mobile device management: Are your employee’s smartphones an open door to your secure network & critical data? ASI Solutions. Web.
Insurance Data Management Association. (2017). Introduction to data management functions and tools: IDMA 201 course textbook. Basking Ridge, NJ: Technics Publications.
Susanto, H., & Almunawar, M. N. (2018). Information security management systems: A novel framework and software as a tool for compliance with information security standard. Palm Bay, FL: Apple Academic Press.
Wiggins, B. (2016). Effective document and data management: Unlocking corporate content. Abingdon-on-Thames, UK: Routledge.