Private Sector Case Study:

  

After reading the case study below, describe the risk that was exploited. Also explain how you think that exploit could have been avoided using proper technology and security policies.

A franchisee of a national hamburger chain in the southern United States was notified by Visa U.S.A, Inc. and the U.S. Secret Service of the theft of credit card information in August 2008. The franchisee has a chain of eight stores with annual revenue of $2 million. The chain focused on the technology of its point-of-sale (POS) system. A leading vendor that allowed for centralized financial and operating reporting provided the POS system. It used a secure high-speed Internet connection for credit card processing.

The company determined that neither the POS nor the credit card authorization connection was the source of the breach. Although the POS was infected, the source of the breach was the network. Each of the franchisee's stores provided an Internet hotspot to its customers. It was determined that this Wi-Fi hotspot was the source of the breach. Although considerable care was given to the POS and credit card authorization process, the Wi-Fi hotspot allowed access to these systems. It was determined the probable cause of the breach was malware installed on the POS system through the Wi-Fi hotspot. The malware collected the credit card information, which was later retrieved by the thief.

This was a PCI DSS framework violation. The PCI DSS framework consists of over 200 requirements that outline the proper handling of credit card information. It was clear that insufficient attention was given to the network to ensure it met PCI DSS requirements. For discussion purposes, the focus is on the network. The PCI DSS outlines other standards that may have been violated related to the hardening of the POS server itself. The following four PCI DSS network requirements appear to have been violated: network segregation, penetration testing, monitoring, and virus scanning.

PCI requires that network segments that handle credit cards be segmented. It was unclear whether there was a complete absence of segmentation or if weak segmentation had been breached. PCI DSS outlines the standards to ensure segmentation is effective. If the networks had been segmented, this breach would not have occurred.

PCI requires that all public-facing networks be penetration tested. This type of testing would have provided a second opportunity to prevent the breach. This test would have uncovered such weaknesses within a Wi-Fi hotspot that allowed the public to access back-end networks.

PCI also requires a certain level of monitoring. Given the size of the organization, monitoring might have been in the form of alerts or logs reviewed at the end of the day. Monitoring could include both network and host-based intrusion detection. Monitoring may have detected the network breach. Monitoring may also have detected the malware on the POS system. Both types of monitoring would have provided opportunities to prevent the breach.

PCI requires virus protection. It was unclear if this type of scanning was on the POS system. If it was not, that would have been a PCI DSS violation. Such scanning provides one more opportunity to detect the malware. Early detection would have prevented the breach.

The PCI DSS requirements are specific and adopt many of the best practices from other frameworks such as ISO. The approach is to prevent a breach from occurring. Early detection of a breach can prevent or minimize card losses. For example, early detection of the malware in this case study would have prevented card information from being stolen. Some malware takes time to collect the card information, which must then be retrieved. Quick reaction to a breach is an opportunity to remove the malware before any data can be retrieved.
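The case study cannot say whether segmentation was absent or merely weak, and that is a question a rule-set audit can answer. The following is an added example, not part of the case study: it walks an ordered firewall rule list and reports any guest Wi-Fi to POS traffic whose first matching rule is an allow. The subnets and both rule sets are constructed for illustration, and the model is an assumption: IPv4, rules match on source and destination only, first match wins, default deny.

```python
import ipaddress

def rect(src, dst):
    """Integer rectangle (src_lo, src_hi, dst_lo, dst_hi) for two CIDR strings."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return (int(s[0]), int(s[-1]), int(d[0]), int(d[-1]))

def intersect(a, b):
    s0, s1, d0, d1 = max(a[0], b[0]), min(a[1], b[1]), max(a[2], b[2]), min(a[3], b[3])
    return (s0, s1, d0, d1) if s0 <= s1 and d0 <= d1 else None

def subtract(a, c):
    """Pieces of rectangle a outside c, where c is intersect(a, rule)."""
    out = []
    if a[0] < c[0]: out.append((a[0], c[0] - 1, a[2], a[3]))
    if a[1] > c[1]: out.append((c[1] + 1, a[1], a[2], a[3]))
    if a[2] < c[2]: out.append((c[0], c[1], a[2], c[2] - 1))
    if a[3] > c[3]: out.append((c[0], c[1], c[3] + 1, a[3]))
    return out

def audit(rules, guest, pos):
    """List (rule_id, src_range, dst_range) where an allow rule is the first match for guest -> POS."""
    ip = lambda n: str(ipaddress.ip_address(n))
    pending, exposed = [rect(guest, pos)], []
    for rid, action, src, dst in rules:
        cut, rest = rect(src, dst), []
        for r in pending:
            hit = intersect(r, cut)
            if hit is None:
                rest.append(r)      # rule does not match this traffic
                continue
            if action == "allow":
                exposed.append((rid, f"{ip(hit[0])}-{ip(hit[1])}", f"{ip(hit[2])}-{ip(hit[3])}"))
            rest.extend(subtract(r, hit))  # matched traffic is decided; keep the remainder
        pending = rest
    return exposed  # anything still pending falls through to the implicit default deny

# Constructed sample data (hypothetical subnets and rule sets, not from the case study).
GUEST, POS = "10.20.0.0/24", "10.10.0.0/24"
WEAK = [(1, "allow", "10.10.0.0/24", "0.0.0.0/0"),    # POS out to the card processor
        (2, "deny",  "10.20.0.0/24", "10.10.0.0/28"),  # blocks only part of the POS range
        (3, "allow", "10.20.0.0/16", "10.0.0.0/8")]    # broad allow reaches the rest
SEGMENTED = [(1, "allow", "10.10.0.0/24", "0.0.0.0/0"),
             (2, "deny",  "10.20.0.0/24", "10.0.0.0/8"),   # guest to all internal: denied
             (3, "allow", "10.20.0.0/24", "0.0.0.0/0")]    # guest to Internet only

if __name__ == "__main__":
    print("weak:", audit(WEAK, GUEST, POS))
    print("segmented:", audit(SEGMENTED, GUEST, POS))
```

The weak rule set shows how a partial deny followed by a broad allow leaves most of the POS range reachable from the hotspot, which is the "weak segmentation" possibility the case study raises.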

500 words and APA format with references needed.