Tjx Case Study

Question 1. What are the (a) people, (b) work process and (c) technology failure points in TJX’s security that require attention and contributed toward the security breach. [20 points]

People Failure Points:

TJX did not meet 9 Payment Card Industry Data Security Standards out of a dozen requirements which covers encryption, access controls and firewalls. If these are not taken care of properly, there is an increased rate of loopholes and vulnerabilities which are advantageous to the intruders. The people here are responsible for TJX's data breach and failed to comply with the PCC DSS. The hackers had the access to the company's central networks for several months. TJX's people could not monitor the networks properly and detect the situation which indicates that the intrusion detection or prevention program has failed to work. The people who designed this program are also responsible for the breach. The intruders have set up many user accounts on the central network and gained access to several large files. The reason for this was that the people at TJX's did not have any user account internal control in place. The HR and IT department also did not detect the excess number of user accounts on the network than the actual staff. The auditors whose responsibility is to make sure that the client internal controls are working effectively also failed to detect the excess user accounts situation.

Work process Failures:

Encryption process Failure: TJX's used wireless equivalency privacy (WEP) software in order to defend its wireless networks. WEP encryption algorithm is usually more suitable for wireless networks at home but not for a company which stores information on millions of customers. The hackers also had the decryption key for the software used by the company. The encryption of all the payment cards and cheque transactions was started only after April 2004. According to PCI DSS, the data should not be retained too long. TJX's did not purge the data records of the year 2002 which were not actually encrypted and made the access even more easier to the intruders.

Processing Logs Process Failures: Logs provide the information about the files on the system - when they have been added, deleted, changed, accessed. TJX's did not have the log data which otherwise would have given better understanding of the situation.

In-store kiosk process failures: At the in-store kiosks the intruders used USB drives to hack into the network. The USB drives which had the utility program has let the hackers to gain control over the computer kiosks and turn into remote terminals which connected to the TJX's networks.

Firewall Process failures: The firewalls on the TJX's main network were not set to defend the traffic coming from the kiosks which increased the vulnerability to the networks.

No business