hsn risk assessment report


Posted on 06-May-2015


DESCRIPTION

Term Paper examining the security risk assessment of the Home Shopping Network (HSN)

TRANSCRIPT

Running head: HSN RISK ASSESSMENT REPORT

Home Shopping Network Risk Assessment Report
Belinda Edwards
University of Maryland University College
August 19, 2010

EXECUTIVE SUMMARY

A detailed risk assessment was performed on the security of the Home Shopping Network's (HSN) internet and shop-by-remote functionality. HSN established the electronic retailing industry in 1977 and is now considered the world's most widely distributed TV shopping network (Endeca, 2002). The corporation has grown into a global multichannel retailer whose live television broadcast reaches 94 million homes 24 hours a day, 7 days a week, 364 days a year, selling 50 million products annually (Endeca, 2002). HSN.com, the major subsidiary of HSN Inc. (HSNI), streams in three channels: television, the internet, and mobile (Crowell, 2010). This assessment focuses primarily on the internet channel, but discusses system vulnerabilities within both the television and mobile channels. HSN.com provides its customers with an interactive shopping experience, offering consumers video-guided shopping from its 13,000-item online video library. HSN.com has been rated a top-10 trafficked e-commerce website: #25 on the Internet Retailer Top 100, with the second-highest traffic growth behind only Amazon.com. HSN.com gets 200,000 unique users daily and 5 million page views per day (Crowell, 2010).

The HSN call center is located in St. Petersburg, FL. HSN initially used an IBM System/36. Its main order entry system was written in a 4GL code generator called the Logic and Information Network Compiler (LINC), since renamed Agile Business Suite by Unisys (Wikipedia, 2010). Since HSN currently processes approximately 44 million calls each year, HSN selected the GoldenGate solution to upgrade its CRM software. This migration also included a transition to Siebel CRM v8.0 and Oracle Database 10g. The HSN business model demands zero downtime, so system upgrades must be performed in parallel with the old system (BusinessWire, 2008).
It is assumed that the Oracle Database 10g holds a huge amount of sensitive customer data, such as usernames, passwords, PINs, and credit card information for account access. HSN also utilizes Endeca's InFront, a guided navigation and advanced search solution, to enable customers to easily navigate HSN.com's online catalog of 13,000 products. The goal of this implementation is to increase impulse purchases, thus generating additional revenue.

HSN's success and leadership in retail innovation attract hackers and career criminals who exploit system vulnerabilities to steal personally identifiable information (PII) for identity theft. As a leader in multichannel retailing, HSN is a practical target for identity theft, bank and individual fraud, security breaches, and mobile phone replication. The HSN chief information assurance officer (CIAO) has the overwhelming task of securing system and application integrity, as well as protecting the confidentiality of customer data.

This assessment focused on the system risks of the application, email, and web servers; end-user systems; mobile devices; and cable and satellite service providers. High risks and impacts have been identified on the client side (SANS, 2010). Client (or end-user) systems are especially vulnerable because customers do not fully understand the risks of delaying patch implementation (SANS, 2010). Customers, in addition to financial institutions, are susceptible to various phishing attacks that could result in the loss of valuable data, not just personally identifiable information (SANS, 2010). Data integrity could be compromised by any security breach. If a breach occurs, it could negatively affect customer trust in system availability and data confidentiality.

This evaluation offers risk mitigation recommendations for each of the identified system vulnerabilities.
The focus is on risks to valuable data, which extends beyond personally identifiable information. The aim is to secure HSN servers and customer data, partner (service provider) systems, e-commerce transactional data, and customer systems. For each service provider, it is important to (1) insist that all input received from remote sources is sanitized before it is stored in the backend database; (2) commit to appropriately layered protections to prevent and detect attacks aimed at web servers; and (3) identify vulnerable applications, define response actions in the incident response plan and/or business continuity plan, and remediate them in a timely manner (SANS, 2010).

Table of Contents

EXECUTIVE SUMMARY
INTRODUCTION
  The Purpose
  Scope of the risk assessment
RISK ASSESSMENT APPROACH
  The Participants
  The Techniques Used
  The Risk Model
    Threat Likelihood
    Impact Definitions
    Risk Level Matrix
    Description of Risk Levels
SYSTEM CHARACTERIZATION
  The Proposed HSN Network System Architecture
  Technology Components
  Users
THREAT STATEMENT
RISK ASSESSMENT RESULTS
  Observation 1: Client side software remains unpatched.
  Observation 2: Web applications are vulnerable to SQL injections.
  Observation 3: Customer identifiable data is vulnerable to phishing attacks.
  Observation 4: User data and account information could be stolen from various service provider databases.
  Observation 5: User data and account information could be stolen during mobile e-commerce transactions.
  Observation 6: E-commerce transactional data could be stolen.
  Observation 7: Shop by Remote exposes operating system procedures within the cable industry.
  Observation 8: HSN.com is subject to denial of service attacks.
  Observation 9: Power failure due to a natural disaster affects business processing.
  Observation 10: HSN.com is subject to man in the middle (MITM) attacks.
SUMMARY
REFERENCES

Figures
  Figure 1: Proposed HSN Network Architecture

Tables
  Table 1: Threat Likelihood Definitions
  Table 2: Magnitude of Impact Definitions
  Table 3: Risk Level Matrix
  Table 4: Risk Scale and Necessary Actions

INTRODUCTION

The Purpose

The purpose of this risk assessment is to identify threats and vulnerabilities applicable to the three HSN channels: television, the internet, and mobile.
The HSN.com site is the primary source of revenue generation, although there are four storefronts throughout Florida.

Scope of the risk assessment

HSN has three channels: internet, mobile, and television. The risk assessment will review vulnerabilities against all three channels. Due t