The Home Depot breach is the latest "largest ever," but it is really just another example of "you can pay me now, or you can pay me a lot more later" proving out once again as the details come out.
The root cause of the breach can be traced to Home Depot's failure to implement the first subcontrol under Critical Security Control 2:
"Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow."
Home Depot was relying primarily on anti-virus software, as required by the PCI DSS regime, but reports say even internal Home Depot security staff knew it was not sufficient. Since no AV software will recognize and stop custom attack code, the attackers were able to load and run malicious software on Home Depot's self-service registers.
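The difference between the two models is easiest to see in code. The following is an added illustration, not anything from Home Depot, PCI DSS, or a whitelisting vendor: signature AV is a denylist (anything not already known bad runs), while a narrow register whitelist is an allowlist keyed on file hash (anything not explicitly approved is blocked, custom or not). The sample "executables" are constructed byte strings, and the audit mode mirrors the usual rollout step where unknown images are logged before enforcement is switched on.

```python
"""Allowlist vs. denylist execution policy on a single-purpose register (added example)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash of an executable image; the allowlist keys on the hash, not the file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables" standing in for files on a point-of-sale register.
SAMPLES: Dict[str, bytes] = {
    "pos_register.exe": b"point-of-sale register application (constructed sample)",
    "vendor_updater.exe": b"vendor-signed updater (constructed sample)",
    "known_scraper.exe": b"memory scraper already in an AV signature database (constructed)",
    "custom_scraper.exe": b"custom-built scraper no AV vendor has ever seen (constructed)",
}

# Narrow whitelist for a special-purpose system: only the two programs the register needs.
ALLOWLIST = {
    sha256_hex(SAMPLES["pos_register.exe"]),
    sha256_hex(SAMPLES["vendor_updater.exe"]),
}

# Signature-based AV is a denylist of hashes the vendor has already seen.
AV_SIGNATURES = {sha256_hex(SAMPLES["known_scraper.exe"])}


def av_decision(image: bytes) -> str:
    """Denylist model: anything not already known bad is allowed to run."""
    return "block" if sha256_hex(image) in AV_SIGNATURES else "allow"


def allowlist_decision(image: bytes, mode: str = "enforce") -> str:
    """Allowlist model: only hashes on the list run.

    mode="audit" is the normal rollout step: unknown images are reported as
    "would-block" but not stopped, so the list can be completed (and business
    disruption measured) before enforcement is turned on.
    """
    if sha256_hex(image) in ALLOWLIST:
        return "allow"
    return "block" if mode == "enforce" else "would-block"


def compare(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Per image: (AV decision, allowlist decision in enforce mode)."""
    return {name: (av_decision(img), allowlist_decision(img)) for name, img in samples.items()}


def audit_findings(samples: Dict[str, bytes]) -> List[str]:
    """Images an audit-mode run flags; on a finished register build this should be empty."""
    return [name for name, img in samples.items() if allowlist_decision(img, "audit") == "would-block"]


if __name__ == "__main__":
    for name, (av, wl) in compare(SAMPLES).items():
        print(f"{name:20s} AV: {av:6s} whitelist: {wl}")
    print("audit-mode findings:", audit_findings(SAMPLES))
```

The last row is the whole argument: the custom scraper passes AV (no signature exists for it) and is stopped by the whitelist (its hash was never approved). Real products add code-signing and publisher rules on top of plain hashes so that vendor updates do not break the list, but the decision logic is the same.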
How Much Was at Risk?
Home Depot's investigation reported 56M card numbers were exposed. The latest Ponemon Institute Cost of a Data Breach report estimates the cost per exposed account to be roughly $200 - a predicted cost of $11.2B! That is obviously way high - the cost per account drops when tens of millions of accounts are involved.
Cyberpoint has developed an innovative tool called CyberVaR that can produce a "Value at Risk" figure after modeling an environment and vulnerabilities. The Cyberpoint tool allows existing or missing Critical Controls to be considered in the analysis.
Using publicly available information, Cyberpoint produced a CyberVaR run that shows a $246M cost of this type of incident - a more realistic $4/account breached at these large numbers. A full copy of the CyberVaR run is here.
How Much Would It Have Cost Home Depot to Avoid This Breach?
Focusing only on Critical Security Control 2 and whitelisting, I made some worst-case assumptions about what Home Depot's cost of preventing this breach would have been. Whitelisting isn't the only way it could have been prevented, but on single-purpose systems like point-of-sale registers whitelisting is actually probably the most effective and efficient approach.
- Home Depot has 2,200 stores
- Eight devices per store would require whitelisting software, rounded up to 10,000 total.
- $30/device/year cost of the whitelisting software - Signacert list pricing - $300K per year
- 1 server for every 10 stores at $5K/server - Signacert list pricing - $1M
- 2 man weeks of integration/installation effort at 2,200 stores - my estimate - $22M, the biggest cost
- Total Cost - call it $25 million, with ongoing yearly costs of under $1M/year
While whitelisting on PCs has been nearly impossible to make work on business PCs (even though it works great on the iPads and iPhones that those same business people use...), whitelisting on servers and on single-function systems or appliances has proven to cause near zero business or IT administration disruption - heck, I gave Ritz Camera a Gartner Innovation award for putting Bit9 whitelisting on in-store PC demo stations back in 2008.
$25M Is Much Less Than $246M
Now, even for an $80 billion per year company like Home Depot, $25M is a big number. In fact, it is almost as much as Home Depot spent on Google ads ($40M) in 2013. Businesses take risks - spending on advertising is betting on more sales coming in than ad dollars going out, and not spending on security is betting on an attack not happening.
However, after the Target breach became public, any rational risk assessment would have significantly raised the probability of the bad thing happening - to pretty close to 100%!