Using the information below, answer the bullet points.

  • What are the risk types associated with this incident?
  • What are the primary performance characteristics of an appropriate organization-wide risk management system?
  • What could the company have done better in its approach to strategic risk management to avoid this scenario?
  • What could the company have done to better approach defining risk appetite and tolerance in this scenario?

The systems and networks of Target Corp. were breached in November and December 2013, which resulted in 40 million card numbers and 70 million personal records being stolen [9]. Multiple parties were involved in the federal investigation of the incident. The list includes the United States Secret Service, iSIGHT Partners, Dell SecureWorks, Seculert, the FBI, etc. In addition, companies like HP, McAfee and IntelCrawler provided analysis of the discovered malware, i.e., BlackPOS, and of the marketing of the stolen cards.

There are multiple theories on how the criminals initially hacked into Target, and none of them have yet been confirmed by Target Corporation. However, the primary and most well-supported theory is that the initial breach didn't actually occur inside Target [10]. Instead, it occurred in a third-party vendor, Fazio Mechanical Services, which is a heating, ventilation, and air-conditioning firm. According to this theory, we present the timeline of the incident in Fig. 1 and the steps of the plot in Fig. 2. Attackers first penetrated the Target network with compromised credentials from Fazio Mechanical. Then they probed the Target network and pinpointed weak points to exploit. Some vulnerabilities were used to gain access to the sensitive data, and others were used to build the bridge transferring data out of Target. Due to the weak segmentation between non-sensitive and sensitive networks inside Target, the attackers accessed the point of sale networks.

At some point the Fazio Mechanical Services system was compromised by what is believed to be a Citadel Trojan [11]. This Trojan was initially installed through a phishing attempt. Due to the poor security training and security system of the third party, the Trojan gave the attackers full range of power over the company's system [10]. It is not known if Fazio Mechanical Services was targeted, or if it was part of a larger phishing attack to which it just happened to fall victim. But it is certain that Fazio Mechanical had access to Target's Ariba external billing system, or the business section of the Target network.

2.1.2 Phase II: PoS Infection

Due to Target's poor segmentation of its network, all that the attackers needed in order to gain access into Target's entire system was to access its business section. From there, they gained access to other parts of the Target network, including parts of the network that contained sensitive data. Once they gained access into Target's network they started to test installing malware onto the point of sales devices. The attackers used a form of point of sales malware called BlackPOS, which is further discussed in Section.

2.1.3 Phase III: Data collection

Once BlackPOS was installed, updated and tested, the malware started to scan the memory of the point of sales to read the track information, especially card numbers, of the cards that are scanned by the card readers connected …

The card numbers were then encrypted and moved from the point of sales devices to internal repositories, which were compromised machines. During the breach the attackers took over three FTP servers on Target's internal network and carefully chose backdoor user name "Best1_user" with password "BackupU$r", which are normally created by IT management software Performance Assurance for Microsoft Servers. During peak times of the day, the malware on the point of sale devices would send credit card information in bulk to the closest FTP Server [12]. The stolen card information is then relayed to other compromised machines and finally pushed to drop sites in Miami and Brazil [13].

2.1.5 Phase V: Monetization

Sources indicate the stolen credit card information was aggregated at a server in Russia, and the attackers collected 11GB data during November and December 2013. The credit cards from the Target breach were identified on black market forums for sale [14]. At this point, it is unclear how these sellers, e.g., Rescator (nickname), are connected with the stolen card and personal information. In Section 4.3, we describe the well studied case of TJX credit card breach. It hints possible paths of peddling stolen credit cards in the black market.

2.2 Target's Security

… area networks (VLAN) [7]. Target also deployed FireEye, a well-known network security system, six months prior to the breach. FireEye provides multiple levels of security from malware d… detection system (NIDS).

However, the breach demonstrates that sensitive data in Target, e.g., credit card information and personal records, is far from secure. Target failed at detecting or preventing the breach at several points, among which we list the four most vital ones
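The signals in the exfiltration narrative above (point of sale devices sending data in bulk to internal FTP servers, logins with the "Best1_user" account, and data leaving for outside drop sites) can be expressed as detection rules. The following is an added example, not part of the original question or the cited paper; the address ranges, byte threshold, and flow-record layout are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed): address plan, threshold and record layout.
POS_NET = ipaddress.ip_network("10.20.0.0/16")   # point-of-sale segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # whole internal range
BULK_BYTES = 10_000_000                          # per PoS->server running total
WATCHED_ACCOUNTS = {"Best1_user"}                # account named in the text

# Constructed flow records: date time src dst dport bytes user
SAMPLE_FLOWS = """\
2013-12-02 11:05 10.20.4.17 10.5.1.30 21 7340032 Best1_user
2013-12-02 11:45 10.20.4.17 10.5.1.30 21 6291456 Best1_user
2013-12-02 11:50 10.20.9.2 10.30.0.5 443 20480 -
2013-12-02 14:40 10.5.1.30 203.0.113.50 21 94371840 -
2013-12-02 15:00 10.8.2.9 10.5.1.30 21 1024 backup_op
"""

def parse(line):
    date, time, src, dst, dport, nbytes, user = line.split()
    return {"ts": f"{date} {time}", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "bytes": int(nbytes), "user": None if user == "-" else user}

def detect(log_text):
    """Return (rule, timestamp, src, dst) alerts for FTP sessions."""
    alerts, totals = [], defaultdict(int)
    for line in filter(str.strip, log_text.splitlines()):
        r = parse(line)
        if r["dport"] != 21:                 # this sketch only looks at FTP
            continue
        pair = (str(r["src"]), str(r["dst"]))
        # Segmentation check: PoS devices should not reach internal FTP at all.
        if r["src"] in POS_NET and r["dst"] in INTERNAL:
            alerts.append(("pos_ftp_to_internal", r["ts"], *pair))
            before = totals[pair]
            totals[pair] += r["bytes"]
            # Alert once, when the running total crosses the threshold.
            if before < BULK_BYTES <= totals[pair]:
                alerts.append(("pos_bulk_transfer", r["ts"], *pair))
        # Software-created default account used for an FTP login.
        if r["user"] in WATCHED_ACCOUNTS:
            alerts.append(("default_account_login", r["ts"], *pair))
        # Internal host pushing data to an FTP server outside the network.
        if r["src"] in INTERNAL and r["dst"] not in INTERNAL:
            alerts.append(("ftp_to_external", r["ts"], *pair))
    return alerts
```

Calling `detect(SAMPLE_FLOWS)` returns six alerts for the constructed records; the last record, an ordinary internal FTP login from outside the PoS segment, raises none.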
