The objective of this paper was to carry out a comprehensive assessment of the possible security vulnerabilities that an organization’s computer and network operating systems may have; and also to provide appropriate techniques in order to boost protection based on the findings of the said assessment. The organization, whose computer and network operating system framework would be focused on, that was chosen is Target, operator of one of the largest network of malls in the United States’ retail industry. What makes this computer and network operating system security case analysis significant is that any form of risk involving the company may also be considered as a risk that may affect the millions of people visiting the company’s vast network of brick and mortar shops, among its other services. Just like any computer and network operating system or program, there is a front end and a back end. These are terms used in software engineering that essentially divide the type and nature of processes that users can access and interact with; and even the very people who developed the said software can modify and work on. From the perspective of the end user of the company’s services (i.e. Target), for example, their employees and users would be able to make use of frontend computer and network operating systems by actually interacting with them. In a web-based service, this may include the actual website itself, including all the widgets and applets that provide additional features for the site visitors. The three different measures that the author of this paper identified were: use of Point of Service Systems, Encryption, and Tokenization.
Point of Service Systems
Relating this to Target’s case, this would include their actual electronic commerce website, the shopping cart that the customers use to calculate their online purchases, and the payment processing program that they are going to use—this is often regardless whether they are in partnership with a third party payment processing system such as PayPal or an in-house one. It is worth noting that Target caters to both and although this presents as a point of convenience for the end-users and perhaps a higher level of marketability for the company’s products and services (because that would practically enable it to reach out to customer segments who use varying payment processing systems other than the more conventional cash-based ones), this may still present itself as a possible risk factor, or even a yellow flag for the integrity of the company’s computer and network operating system. The backend part of the division of the company’s computer and network operating system, on the other hand, caters to the server and data processing-related side. Examples of typical processes involved in the back-end portion would be everything that the user cannot see and have access to such as security, service structure, and even content or in Target’s case, product management.
For this paper, the author focused on the front end portion of Target’s computer and network operating system because that is where the greatest security vulnerability lies. It is worth noting that all security measures have loopholes and Target, as a business, is not an exemption to this doctrine. In fact, the author of this paper has reason to believe that large-scale companies like Target have the tendency to magnify even the smallest security vulnerabilities just because of the fact that it would often be rewarding to be able to successfully infiltrate their computer or network operating system. Malicious entities such as cyber criminals are mainly motivated by money, or in this case, cyber theft. In order to maximize their gains from any single operation, they would most likely roll out an attack on a large company like Target, especially if they reckon that it does not have the necessary tools and standards to safeguard the data and information that passes through its systems.
A Point of Sale POS System is, at its core, a network of computers operated by one or a cluster of main computers and is linked to various checkout terminals. Naturally, an organization or business like Target would have a larger POS System than other small to medium size enterprises, and this is actually its major advantage. It improves the efficiency by which Target’s business partners such as the vendors interact with the company. The problem with companies that have a larger than usual POS System is that they are harder to monitor and the attacks can come from various checkout terminals. That may be translated to an argument that suggests that the bigger a POS System or network becomes, the more vulnerable to attacks the organization that is using it becomes. This is definitely the case for Target. Every day, millions of people’s information pass through and get processed in these POS Systems.
The inability to detect vulnerabilities and possibly successful breaches is one of the greatest security vulnerabilities in Target’s network. This can be likened to establishing a business in a cyber space where basically anything can happen. The cyber space is full of malicious entities from identity thefts to hackers. What is common among them is that they are all after the money that they can get from black hat activities, unless their main motive is to spread fear or in some cases engage in acts of terror. Target is a particularly attractive target for these malicious entities and using a security framework that disregards its ability to detect vulnerabilities and breaches that have already been made can easily be considered as one of the biggest mistakes that Target can make. This is one of the greatest disadvantages of their former network. They managed to create a network of vendors so large that they inevitable failed to secure their Point of Service systems. In the past, Target actually became prey to Point of Service-related attacks already, the most recent of which was in 2014 when millions of credit card information and some eleven gigabytes’ worth of data were stolen from their network when a group of attackers breached their systems through their vendor POS access points . The worst thing about it was that they were not even aware when the breach occurred—meaning, they failed to detect it.
As far as the ease of implementation of Point of Service-based Systems is concerned, it is far easy to create a POS-based network. What is needed is a group of networked computers; each network would basically represent a single company or a vendor that would connect to a main terminal which would be Target.
They would interact with each other swapping information such as payment details, credit card information, and other machine codes related to the type of business transactions that the network they created was meant to facilitate. In this case, it would not be hard to imagine that those machine transactions would be retail-related. The vendors would essentially interact with target, using the POS network, by providing them with their products. Target would then be the purchaser—the point of which is to sell the products that they purchased from the vendors for a profit to the consumers. This is based on the common understanding of Target’s business model as a business operating in the retail industry. However, in this case, the fact that the POS system was that easy to implement may mean that it would also be proportionally easy to infiltrate.
The truth is that POS systems can be highly flexible. They can be created based on how secured or access-free the administrator or in some cases the participants want it to be. Its security depends heavily on how many people know the exact steps to access the information of other participants within the network. Once an outsider knows or gains access to those steps (plus the necessary authentication codes), it would be fairly easy to infiltrate the system; this was actually the mistake that Target did in the past. They made public the way how they do business with their vendors through their own POS System. This was in itself a self-created vulnerability. A group of attackers used that information to target one of Target’s partners who has access to and is a part of the POS system. It is worth noting that what they targeted was the one with the most lax security measures. They basically used that partner’s access as their own gateway to steal information from Target. Today, Target still makes use of the same POS System but with a lot of changes so that the previous methods of circumvention would not work anymore.
Encryption
There are numerous types of encryption. Target makes use of these encryption methods in their internal servers. As far as advantages are concerned, they can be pretty obvious for encryption. Firstly, it enhances the ability of the organization to secure the information it stores and handles by using cryptographic codes in a way that only authorized people can directly access the protected information. This is practically the main reason why internal security frameworks exist and this is their main objective. Another advantage of encryption is that it enables hierarchization. Large organizations like Target are composed of various departments. There are clusters of information that are shared with the entire organization regardless of the department and there are those that are specific to and intended to be accessed only by certain ones. That is where the hierarchization feature comes in handy. With various types of encryption, Target can block certain departments’ access to a cluster of information so that only the ones it authorized to have access can do so.
One of the latest Encryption methods is the use of Public Key Infrastructure type of Encryption. PKI Encryption makes use of a complex system that creates, manages, and validates encryption certificates that automatically identifies individuals trying to access an encrypted network operating system. With PKI encryption, there is going to be one certificate authority whose role would be to manage the certificates that the servers would recognize. Those certificates would essentially be the basis of other members of the infrastructure in validating whether the other parties they are interacting with are authorized members and whether their traffic should be encrypted or otherwise. This prevents one of the most common vulnerabilities in network operating systems which are the man in the middle attacks. Man in the middle attacks are basically a form of interception wherein a malicious entity captures the identity of a supposed target and in the process gains access to information that should was intended to be sent to a legitimate target .
The disadvantages of encryption can be pervasive. In most cases, however, the disadvantages can only be so if the encryption measures are being excessively tight. One of the major disadvantages of encryption is that it carries the potential to make the authentication requirements of a network operating system to the point that it becomes hard even for a legitimate user to establish access. Of course, the benefit of that is that the organization can ensure that cyber-attacks would be greatly minimized if not totally eradicated. However, for an organization that is the size of Target, and considering the number of vendors and customer information it has to process every day, the encryption method that was just described may not be for them. It has the potential to cripple the company’s productivity and functionality—these two are important metrics that the company cannot trade with mere network security.
In terms of ease of access, encryption and other cryptographic-based network operating systems can require a huge amount of effort and capital. The total amount of effort and capital that an organization has to exert in order to come up with a decent and working PCI encryption-based network would greatly depend on the range of operations it aims to cover with the said encryption method. The larger the network is the more labor and capital-intensive it would be. What would require a lot of time and effort the most would be the setting up and configuration of the certificates—basically instructing the system how it would recognize the legitimacy of various users.
Considering Target’s business model, it would also be safe to assume that its in-house encryption network would require constant monitoring and active administration. This is because the list of vendors and other parties intended to access their network, for example, would most likely be dynamic (i.e. frequently changing). This means that the process cannot be left fully automated. This further adds to the cost of managing the system. However, considering the profitability of the organization’s operations, this should not come as a big concern for them because after all, it would be their reputation that is going to be at stake.
Tokenization
In light of the recent attacks that successfully hit Target, particularly the network it uses to interact with its customers and vendors, they have decided to resort to Tokenization. Tokenization is a fairly new cyber-security method. According to Rouse (2016), “tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security” . It has been mentioned earlier that businesses like Target has to keep track and in some cases even store huge amounts of customer and other third party data to their servers for later use.
This can be classified as a form of vulnerability because those data can later on be picked up by a malicious entity who for some reason managed to infiltrate their networks. This vulnerability gets directly addressed by Tokenization. With it, the volume of data that the organization needs to keep on hand would be greatly minimized because sensitive data, instead of being presented in their raw and decipherable forms, would be replaced with unique identification symbols (i.e. tokens, hence the name tokenization). That way, only the people who know how the internal tokenization system works would be able to decipher what those unique identification symbols actually mean. Moreover, the organization would not have to be wary about storing confidential information because they would practically be unusable by any outsider who by some reason gains access to them.
One of the clear advantages of tokenization is that it greatly limits the cost and complexity of storing supposedly private information . The costs of storing huge volumes of supposedly private information can be large; it can also easily eat up a significant portion of an otherwise profitable company’s income. This is why this can come in handy for small and medium business enterprises, especially those that rely on electronic commerce transactions ; a case in point would be Target who despite its large network of traditional brick and mortar stores is now rapidly transitioning to become an e-commerce entity. Moreover, it does so in a way that does not compromise security. For companies that make use of online payment services for example (e.g. Target) their users’ transaction would still be protected because there is still a certain form of encryption (i.e. using unique unidentifiable symbols) that secures the connection.
The main disadvantage of tokenization, however, is that it only directs the attention of the attackers to another party. If before, they are turning their scopes on the companies that store the valuable information, today, with the booming popularity of tokenization, they would simply have to turn their attention on the token holders or those who have the key to interpret the unique identifiable symbols used in the traceable transactions.
Once they access to such key, they would be able to circumvent this network security measure. Additionally (and this also pertains to the ease of use part of the discussion), one of the main concerns of companies planning to resort to tokenization is the cost. Because it is a fairly new security measure, it still costs a lot. This deters companies from using it despite its great benefits. This cost comes as a result of the need for tokens to be created for each vendor or merchant and for each card account. This has to be the case because every time a transaction gets initiated by a card account holder, the information has to be tokenized and then de-tokenized in order for the transaction to be considered legitimate. This is the part of tokenization that makes it simpler, more cost effective, and at the same time (and ironically) more expensive to put up.
Conclusions
The ranking of the measures above (from best to worst: POS Systems, Encryption, Tokenization) is based on their effects on the operations, productivity, and profitability of Target. POS Systems are the most helpful because they have the largest impact on the company’s bottom line. Despite the fact that this is also were most vulnerabilities exist, the company cannot afford to replace its POS Systems because that would mean changing a huge part of the company’s systems which would not only be costly but also disruptive to the business’ operations. Encryption comes as a close second because it still serves as a gold standard in the field of cyber security. Despite its drawbacks, large organizations still enjoy handsome rates of returns in the form of customer and stakeholder assurance that their cyber-transactions with Target would be secured. And tokenization would be the last because it is still a developing technology. There may come a time when it will replace traditional encryption measures as the most preferred form of network security but considering how costly it is right now, that may still take a long time.
References
Asokan, N., Niemi, V., & Nyberg, K. (2003). Man in the Middle in Tunnelled Authentication Protocols. International Workshop on Security Protocols.
Basit, H., & Jarzabek, S. (2007). Efficient token based clone detection with flexible tokenization. Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering. ACM.
Caulderwood, K. (2014). Retail Data Breaches: What has Target Done to Protect Consumers. International Business Times, Retrieved from http://www.ibtimes.com/retail-data-breaches-what-has-target-done-protect-consumers-1684942.
Kovacs, E. (2014). Tokenization: Benefits and Challenges for Securing Transaction Data. Security Week, Retrieved from http://www.securityweek.com/tokenization-benefits-and-challenges-securing-transaction-data.
Rouse, M. (2016). Tokenization. Tech Target, Retrieved from http://searchsecurity.techtarget.com/definition/tokenization.