Target’s Network Breach

Target’s corporate network was breached between November 27th, 2013 and December 15th, 2013, resulting in 110 million credit cards and personal records being stolen. This data breach happened during the busiest days for retailers, between the hours of 10:00am and 6:00pm. When I heard about this data breach in the news, I assumed that the attack was so sophisticated that it might have been difficult for Target to preempt it. But as I started to read articles on the breach, it became clear that although the attack used a combination of social engineering, phishing, and malware techniques, it was not a sophisticated attack.

The articles indicate that intruders obtained stolen login credentials from one of Target’s vendors. This vendor accessed information on Target’s intranet via a portal that was set up for Target’s vendors. Once the intruders were able to get into the network, they were able to access Target’s Point-Of-Sale (POS) payment systems. The intruders were able to install malware on these systems that provided them with consumer information.

From a technology perspective, a few gaps that stand out include:

  • The lack of segmentation of the network to avoid access to payment systems
  • The inability to identify data transfers to an unauthorized File Transfer Protocol (FTP) server
  • The failure to detect that intruders were testing their malware on a few POS systems before they launched a full attack
  • The deliberate ignoring of malware warnings from their internal systems
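The first two gaps above lend themselves to simple automated checks. The following is an added illustration, not code from the articles and not a description of Target's actual environment: it scans flow records for traffic that crosses network segments outside policy and for FTP transfers to destinations that are not on an approved list. The zone names, address ranges, policy, allowlist and sample records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): private ranges standing in for segments.
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "corp": ipaddress.ip_network("10.30.0.0/16"),
}
# Hypothetical policy: the only zone-to-zone flows that are permitted.
ALLOWED_ZONE_FLOWS = {("corp", "vendor_portal"), ("pos", "corp")}
# Hypothetical allowlist of approved external FTP destinations.
APPROVED_FTP_DESTS = {ipaddress.ip_address("198.51.100.10")}
FTP_PORTS = {20, 21}

# Constructed flow records, one per line: src dst dst_port bytes
SAMPLE_FLOWS = """\
10.30.4.7 10.10.0.5 443 18234
10.10.0.5 10.20.3.15 445 90211
10.20.3.15 10.30.9.2 443 5120
10.30.9.2 198.51.100.10 21 40960
10.30.9.2 203.0.113.77 21 734003200
"""

def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"  # not inside any known internal segment

def analyze(flow_text):
    """Flag cross-zone flows outside policy and FTP to unapproved hosts."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        port, nbytes = int(parts[2]), int(parts[3])
        sz, dz = zone_of(src), zone_of(dst)
        internal = "external" not in (sz, dz)
        if internal and sz != dz and (sz, dz) not in ALLOWED_ZONE_FLOWS:
            alerts.append(("SEGMENTATION", parts[0], parts[1], port, nbytes))
        if (sz != "external" and dz == "external" and port in FTP_PORTS
                and dst not in APPROVED_FTP_DESTS):
            alerts.append(("UNAPPROVED_FTP", parts[0], parts[1], port, nbytes))
    return alerts

if __name__ == "__main__":
    print(*analyze(SAMPLE_FLOWS), sep="\n")
```

On the constructed sample, the vendor-portal-to-POS connection and the large transfer to the unlisted FTP host are flagged, while the approved FTP destination and the permitted zone pairs pass.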

From a business perspective, a few gaps that stand out include:

  • The data breach was not made public until Brian Krebs (a blogger) broke the news
  • Lack of adherence to security processes and practices
  • Too much reliance on just security certifications

The following figure shows the network and the route intruders took to access Target’s POS systems.

[Figure: Intruders’ path used for Target’s breach]

From the figure, we can visualize the multiple issues with Target’s network. Although Target cannot be held accountable for vulnerabilities introduced by its vendors, it should have considered the potential for exploits originating from them. Since the underlying network was the same, it had to be secure and constantly monitored for system spikes and unusual network traffic. What is interesting about this attack is that although a large number of consumer records were stolen, it has not been reported how many corporate accounts were stolen too. Since 54% of businesses in the US are small, I am sure there have been corporate accounts that have been compromised as well.

Having looked at what happened in this case, I see security as a management issue. In Target’s case, its management failed to see beyond their corporate environment and did not see holistically how the business processes that they put in place could be their downfall. Management also failed to inform the consumer. How long would management have waited to inform the consumers? My guess is that if the story had not been leaked, Target management would have conveniently forgotten about it.

In conclusion, there are three broader issues that come to mind: (1) organizations are only as strong as their weakest link, especially when that link is the corporate network; (2) organizations typically provide credit monitoring for a year, which assumes that the intruders would only use the stolen information for a year; and (3) consumers are left to fend for themselves during and after the one-year period when their credit scores decline. In short, these data breaches have to be significantly reduced since they cause not only loss of reputation but also loss of consumer confidence in an organization’s role as the protector of our data. This is possible by not only credentialing but also repeatedly checking the various ways systems can be exploited from within and outside the organization, even if the underlying network is perceived to be secure.

References:

http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error

http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/

Target_Kill_Chain_Analysis_FINAL.pdf

http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

http://www.sba.gov/offices/headquarters/ocpl/resources/13493

5 Questions to Ask About Predictive Analytics

Predictive Analytics is a branch of data mining that uses a variety of statistical and analytical techniques to develop models that help predict future events and/or behaviors. It helps find patterns in recruitment, hiring, sales, customer attrition, optimization, business models, crime prevention and supply chain management to name a few. As we move to self-learning organizations, it is imperative that we understand the value of Business Analytics in general and Predictive Analytics in particular.

It turns out that Predictive Analytics is about Business Transformation.  But in order for this Business Transformation to take place, you have to take into account the organizational contexts in the following ways:

  1. Strategic Perspectives: Not all organizations are the same and thus what works in one organization might not work in yours. Based on the knowledge of your organization’s maturity, you have to decide if Predictive Analytics is going to be a top-down, bottom-up, cross-functional or a hybrid approach. Additionally, take into account what should be measured and for how long, but be flexible in understanding that insights might be gained from data that might initially seem unrelated.
  2. Tactical Perspectives: One of the key factors in Business Transformation is change management. You need to understand how a change would affect your organization in terms of people, processes, and technologies. You have to take into account the practical implications of this change and what kind of training is needed within your organization.
  3. Operational Perspectives: It is all about how the execution of Predictive Analytics is done within your organization. To fully integrate Predictive Analytics into your organization, you have to learn from best practices, learn the pros and cons of your technology infrastructure and determine if the necessary tools are intuitive enough for people to make use of them.

Now that you understand the different organizational perspectives, it is time to ask the following:

Today | Tomorrow
Who uses Predictive Analytics to make decisions? | Who should use Predictive Analytics to make decisions?
What happens to decisions when Predictive Analytics is used? | What would happen to decisions if Predictive Analytics were used?
Where does the data for Predictive Analytics come from? | Where should the data for Predictive Analytics come from?
When is Predictive Analytics relevant? | When should Predictive Analytics be relevant?
Why is Predictive Analytics being used? | Why should Predictive Analytics be used?

When you ask the above questions, keep in mind that the reliability of the information and how it is used within the organization is paramount. A pretty picture does not guarantee that the insights you get are correct but you can reduce decision-making errors by having people who understand what the data actually means and what it does not.

[Figure: Measurement]

 

5 Questions to Ask About Your Information

Information collection, understanding and sharing has been a worthwhile pursuit since the dawn of humanity. In the beginning, now and in the foreseeable future, this pursuit will continue, even if the “tools” change. We will continue to use the information to make short-term and long-term decisions for our groups and ourselves. But depending upon the sources of the information, we might make good decisions or we might not. It is only when the results of the decisions are evident that we will know if where we ended is where we wanted to be. Sometimes we will make quick decisions and sometimes we will take our own time to make a decision. But in all of these circumstances, we will always hope that the information sources that we used to make our decisions are credible.

In order to understand the information, we need to understand the various “flavors” of information that we receive. Let’s explore them below:

  1. Redundant Information: Think about how many times you have received the same information from two different secondary sources. In your mind, you might be thinking that since two different secondary sources are providing the same information then it must be true. But what if the primary source of the information is the same? What if nothing new has been added to the information that you received? This is the concept of Redundant Information where the primary source of the information is the same and nothing new has been added to it.
  2. Corroborated Information: Think about how many times you have received the same information from two different secondary sources and are sure that the primary sources of the information are different. In your mind, you might be thinking that since the two primary sources are different then it must be true. This is the concept of Corroborated Information where the primary sources of the information are not dependent on each other.
  3. Contradicting Information: Think about how many times you have received the same information from two different secondary sources and found out that they were saying the opposite things. This is the concept of Contradicting Information where the information that we receive does not agree with each other.
  4. Perspective-Dependent Information: Think about how many times you have received the same information from two different secondary sources and determined that there are various versions of the truth. One version might be at a high level while another version might be at a lower level. This is the concept of Perspective-Dependent Information where information that you receive has been looked at from top-down, bottom-up and horizontal perspectives.
  5. Biased Information: Let’s face it, everyone has biases at some level based on their history, culture, societal norms, politics, religion, age, experiences, interactions with others and various other factors. These biases can creep into the information that we receive from others but also influence us when we make our own decisions. This is the concept of Biased Information where even in front of mounting evidence that challenges your views, you are still holding on to your conscious and unconscious thought processes to make decisions.

Now that you understand the various flavors of the information that you receive, it is time to ask the following:

Today | Tomorrow
Who receives the information? | Who should receive information?
What happens to the information? | What would happen to the information?
Where does information come from? | Where would information come from?
When is information being shared? | When would information be shared?
Why is information collected? | Why should the information be collected?

When you ask the above questions, keep in mind that the information flavors and contexts are closely related. Even if you understand the information flavors being used but do not understand the context around them then your decisions will be skewed. On the other hand, be mindful of only looking at information that confirms your views (aka cherry-picking) since you will miss something that might have helped you better understand the world around you.

[Figure: Information Flavors]

5 Questions to Ask About Your Business Processes

The term business process is used to describe the connectivity of the various “steps” performed to achieve a certain goal. These steps are performed by information systems (e.g., calculate products sold per region), individuals (e.g., print/read reports) or a combination of both. The basis for these steps comes from policies (e.g., thou shall not eat at the computer), procedures (e.g., after you have created a report make a list of people who actually read it), governance (e.g., when information comes in or is created by the organization then who and how it should be distributed), etc. These steps can be for a particular division (e.g., finance) and/or cross-functional (e.g., financial reports used by HR to make offers to potential hires). On the other hand, these steps can be wasteful (e.g., a division is creating reports for an individual who is not with the organization anymore).

In order to understand the complexities of the business processes that are ingrained into the organization, the following questions need to be asked about your current and future business processes:

Today | Tomorrow
Who follows business processes? | Who should follow business processes?
What happens in business processes? | What should happen in business processes?
Where do business processes take place? | Where should business processes take place?
When do business processes happen? | When should business processes happen?
Why do business processes happen? | Why should business processes happen?

When you are asking the above questions across all levels of the organization, keep in mind that there is an interconnectedness among the information that you are collecting even if it is not evident at first glance. During or after the collection of this information, it is useful to create business process maps to show what happens and what would happen in the future. These maps should not be created just to be created but should be created to make intelligent decisions. These maps should be kept at a central place where people can easily have access to them and should be able to understand them without the need for an expert.

Another thing to be cognizant of is who you talk to in the organization, since depending upon who you talk to, their definition of “a business process” might be different from what you are trying to understand. Yet one more term that is used interchangeably with business process is workflow. For technical folks, this can also mean the business process that happens within an information system.

In conclusion, too often it is seen that organizations are struggling because of the ineffective communication and management mechanisms in place. By mapping the business processes, determining their qualitative and quantitative values, you will be able to see these gaps and make decisions that can prove to be beneficial to you as an individual and the organization as a whole.

[Figure: Process]

5 Questions to Ask About Your Information Supply Chain

Today’s organizations fundamentally revolve around people, processes and technologies. The underlying common thread across all of these areas is the ability to communicate and manage information. Information is used to make decisions that can be either good or bad. Based on the article Bad Decisions Arise from Faulty Information, Not Faulty Brain Circuits, we can decipher that sometimes in organizations there is so much information aka “noise” that decisions either get delayed or are made without understanding holistically how that information can affect the organization. Specifically, organizations need to understand the end-to-end flow of information through an Information Supply Chain lens and then leverage that information for competitive advantage. The concept of Information Supply Chain is derived from Supply Chain Management (SCM) that focuses on the coordinated and smooth flow of products. In the Information Supply Chain, we are interested in the coordinated and smooth flow of information within and across the organizations. In order to understand and take advantage of this Information Supply Chain, organizations need to ask the following 5 questions:

  1. Where does my information reside? (hint: it is not all documented)
  2. How is my information managed across people, processes, and technologies? (hint: look at your formal and informal information governance structures)
  3. How easily does information flow from when it is first created/consumed to how it is used to help me make decisions? (hint: think beyond information systems)
  4. What information did you have in the past that resulted in good and bad decisions? (hint: hindsight is 20/20 only if you replicate the successes and reduce failures)
  5. What are you doing right now to avoid information duplication and increase information flow? (hint: capturing lessons learned is an exercise in futility if you cannot decipher intelligence from those lessons for your next endeavor)

Another thing to think about is…if we turn back the pages of time, we will realize that organizations are not that much different than what has existed in the past. The only thing that continuously changes is technology. Technology does not mean Information Technology (IT) only but also any methodologies and tools that help you manage information more effectively and scale up quickly. A case in point is paper, which changed the direction of mankind and was once considered a “technology”.

[Figure: Information Supply Chain considerations]
