Home Depot Data Breach Probe Likely Narrowly Focused, Experts Say

The digital forensics team probing Home Depot's systems to discern whether a security lapse was the root cause of a massive dump of stolen credit card numbers are very likely focused on narrow objectives, say security experts frequently involved in such investigations.

The home improvement giant continues to remain silent about its ongoing investigation being conducted by consultants from Symantec and Fishnet Security. If the analysis uncovers evidence of a data leak, the security lapse could potentially amount to tens of millions of credit and debit card numbers, a massive scope some experts speculate is likely to eclipse the high-profile breach at retail giant Target.

Investigators will be looking narrowly at the likely source of any lapse to get it contained and closed as quickly as possible, said Tom Arnold, co-founder and principal of San Jose, Calif.-based PSC, a firm specializing in payment industry security incident investigations and compliance assessments. PSC is one of about two dozen digital forensics firms authorized by the credit card carriers to conduct independent forensics investigations through the Payment Card Industry Forensic Investigator (PFI) Program.

[Related: Symantec, FishNet Security Part Of Home Depot Probe]

"The objective of the PFI is to find out what happened, what was lost, who did it and where did it go," Arnold told CRN. "Once there are feet on the ground, you establish a plan and you begin researching and identifying evidence and the systems that may be involved."

The certified investigators are often called in once anti-fraud teams from a card brand or payment processor identify a common point of purchase. The common point is established when investigators can trace fraudulent activity from stolen cards to the locations where all the cards were last used.

Criminals in a suspected Ukrainian-based hacking forum were having success buying bundles of stolen credit cards that flooded the black market. Some hackers bragged on the forum of buying thousands of dollars in electronics with the stolen cards. The success began to wane once news of the massive dump surfaced and the source of the activity was traced to a potential Home Depot breach. Those close to the investigation said the scale of the card dump suggests the breach could span all 2,200 Home Depot stores.

NEXT: Home Depot Investigators Find Target Breach Malware On Systems

Home Depot said it retained Symantec and Fishnet to conduct an unbiased investigation for them. The investigations also sometimes require additional expertise, Arnold said, such as specialists to reverse engineer malware discovered on systems. Once completed, the forensics team will report on their findings to the retailer, the card brands, the payment processors and all the affected issuing banks.

"The classic objective is to figure out where the bleeding is and stop it and what to do going forward," Arnold said. "Objectives can be different depending on the nature of what you are dealing with, such as a physical compromise like someone plugging in a device versus malicious software or an employee who has accidentally loaded something unauthorized onto a machine."

Investigators close to the Home Depot investigation determined that some of the retailer's store registers had a variant of BlackPOS malware running on them, according to Brian Krebs, the investigative reporter who was the first to report the potential Home Depot breach. The memory-scraping malware was used in the Target breach during the 2013 holiday shopping season.

The kind of malware used in many of the attacks has been around for years and could have been detected by software designed to block executable files from running on payment terminals, said Alex Moss, a managing partner at Chicago-based security consultancy and Symantec partner, Conventus. Besides using a skimmer to record card data, malware that can steal a snapshot of system memory every 10 or 15 seconds is the only place where that card data is often unencrypted, Moss said.

Moss and other resellers that have established strong security practices will often come in after a breach to analyze the forensics report findings and help customers prioritize recommendations based on risk and budget constraints, Moss said. Additional security often crosses multiple network layers and must span one to three years.

"It's going to be very rare that company is going to be able to afford -- not just financially but operationally -- all the changes without materially impacting business operations," Moss said. "In our industry, the worst thing you can do is take something offline; you have to assess the risk they are facing and prioritize them based on the amount of available spend."

Breach investigations frequently probe small and midsize businesses and consistently involve older, outdated operating systems that are not properly patched, Arnold said. Payment systems are frequently found running on the same PCs used by employees to browse the Web or the merchant has Web access enabled on its servers. Resellers of point-of-sale systems are also targeted. Investigators sometimes find those resellers using weak and default passwords to access remote management software to service the devices.

"There's an entire litany of bad practices that can get retailers into trouble," Arnold said. "It's not just the large businesses having this problem; there's a ton of small companies having breaches and security incidents happening to them too."

PUBLISHED SEPT. 8, 2014