According to an article in Ars Technica this past weekend, Home Depot has some interesting factoids in its security background.
Just to be clear, this is only one side of the story, and I suspect they are neither the best nor the worst when it comes to security – but I don’t have any insider knowledge.
First, the article says that their senior IT security architect had been fired from his previous job and that he sabotaged his former employer’s network in revenge. You might think this is hearsay, but he was indicted and pleaded guilty, which would tend to confirm those facts. He continued to work in security at Home Depot for a year after his indictment. There may be HR issues if they fired him at that point (innocent till proven guilty) but they are a big company – move him or put him on paid leave. Under those circumstances don’t leave him in that position.
Again, according to the article, Home Depot ran out-of-date AV software (from 2007) and the company did not perform network behavior monitoring to detect unusual traffic to its POS system. Assuming these facts and others in the article are true, Home Depot has a lot of explaining to do if they wind up getting sued (at least one suit has been filed and it is seeking class action status).
Maybe I don’t understand things well, but my thought is that the POS system should be sandboxed and locked down with respect to the IP addresses it can talk to. It seems to me that it should only be able to talk to its service providers, and those should come from known IPs. Support should come over a VPN as an additional layer of defense. That would reduce the likelihood that, even if the bad guys get in, they would be able to get data out.
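To make the allowlist idea concrete, here is an added example (not code from the original post) that checks flow records from a hypothetical POS segment against a fixed list of service-provider and VPN endpoints, flagging anything else and also flagging sustained volume to an unknown host, which is the kind of behavior monitoring the article says was missing. The segment, the endpoint addresses, the byte threshold and the flow records are all constructed for illustration.

```python
# Added example, not code from the original post: a flow-log check that applies
# the post's recommendation. POS hosts may only reach a known set of service-
# provider and VPN endpoints; any other egress is flagged, and sustained volume
# to an unknown host is flagged again. All addresses and flows are constructed.
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # hypothetical POS VLAN
ALLOWED_DESTINATIONS = {                               # hypothetical allowlist
    ipaddress.ip_address("203.0.113.10"): "payment processor",
    ipaddress.ip_address("203.0.113.11"): "payment processor (backup)",
    ipaddress.ip_address("10.50.255.1"): "support VPN concentrator",
}
EXFIL_BYTES = 5_000_000   # assumed threshold; tune against a real baseline

def parse_flow(line):
    """Parse one constructed 'src dst dport bytes' flow record."""
    src, dst, dport, nbytes = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)

def audit_flows(lines):
    """Return findings for POS egress that leaves the allowlist."""
    findings, unknown_bytes = [], defaultdict(int)
    for line in filter(str.strip, lines):
        src, dst, dport, nbytes = parse_flow(line)
        if src not in POS_SEGMENT:
            continue   # only egress from the POS segment is policed here
        if dst in ALLOWED_DESTINATIONS or dst in POS_SEGMENT:
            continue   # known provider, VPN, or intra-segment traffic
        findings.append(f"POLICY {src} -> {dst}:{dport} not on allowlist ({nbytes} bytes)")
        unknown_bytes[(src, dst)] += nbytes
    for (src, dst), total in unknown_bytes.items():
        if total > EXFIL_BYTES:
            findings.append(f"VOLUME {src} -> {dst} sent {total} bytes to unknown host")
    return findings

# Constructed sample: normal processor and VPN traffic, one stray DNS lookup,
# a sustained transfer to an outside address, and a non-POS host for contrast.
SAMPLE_FLOWS = """
10.50.0.21 203.0.113.10 443 18234
10.50.0.21 10.50.255.1 1194 5120
10.50.0.22 198.51.100.77 53 212
10.50.0.23 192.0.2.44 443 4000000
10.50.0.23 192.0.2.44 443 2500000
10.60.0.5 192.0.2.44 443 9000000
""".splitlines()

if __name__ == "__main__":
    print("\n".join(audit_flows(SAMPLE_FLOWS)))
```

In a real deployment the same allowlist would be enforced on the segment firewall, and this check would run over exported flow or firewall logs to catch anything that slips past it.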
Security usually shows up as a cost and not a profit center, so there is usually more to do than you can afford, but Target, Home Depot and others should be a clear message that the bad guys are out there and likely after you.
I think it is a story of pay me now or pay me later.