TJ Maxx security incident impact?

An interesting conversation that I had with a friend revolved around a simple question: did TJX have a financial loss from the computer security incident in 2007?

Sales? Since the event, TJ Maxx’s sales actually increased. Stock price? After a dip during the initial press fall-out, the stock price rose. Comparing to the Dow Jones shows value being driven by the market rather than by media fall-out. When the news hit, the market responded. The stock then returned to its normal levels. Profitability? Check the annual statements from 2006 thru 2010. Revenue and profit are both up, year over year, for the time period. In sum, no long term impact was felt.

I am surprised to find little evidence supporting a business impact. It could be that TJX’s growth simply outpaced the situation. Perhaps their marketing team simply did a great job in handling the crisis. Or perhaps, just perhaps, security incidents are not the business extinction event that security vendors like to suggest.

Some links:

TJX Companies Income Statement
http://ycharts.com/financials/TJX/annual_income_statement
http://finance.yahoo.com/q/is?s=TJX&annual

Google Finance — TJX versus the DJIA
http://www.google.com/finance?chdnp=1&chdd=1&chds=1&chdv=1&chvs=maximized&chdeh=0&chfdeh=0&chdet=1295730063672&chddm=493051&chls=IntervalBasedLine&cmpto=NYSE:TJX&cmptdms=0&q=INDEXDJX:.DJI&ntsp=0

The simple answer is yes, you can capture all the traffic on your network. I do it all day, every day, with my network monitoring servers. But it is a little more complicated that the short answer.

The first consideration is bandwidth. Let’s assume 200 client computers are attached to 50 servers. The clients are at 100 Mbps and the servers are at 1 Gbps. Quickly doing the math, you can see that the maximum bandwidth is 70 Gbps. Each packet will be mirrored (or copied) to the network monitor port. To avoid missing packets, that port would need a 70 Gbps uplink. Such an uplink exceeds the budgets of SMB IT departments.

The second consideration is storage. Let’s assume that the through put for client computers is, on average, 5% of the available bandwidth. For servers, we will use 25%. Given 3,600 seconds in an hour, do the math, and you’ll see we need 439.5 GB an hour for clients and 5.5 TB an hour for servers. Call that an even 6 TB an hour, 142 TB a day, 1 PB a week. Such disk storage costs exceed the budgets of SMB IT departments.

Given these numbers, how do I capture the packets that travel across my network? First, I use a 10 Gbps uplink to get the mirrored traffic. There are times when the traffic overwhelms the uplink and packets are lost. Second, I keep only a few hours of packets in storage. I maintain the packet summary (time, source IP and port, destination IP and port, byte count, application details) for a few weeks. The summary is significantly smaller than the actual traffic.

The more complex answer is yes and no. You can log all the packets. But even for relatively small networks, the required hardware for the resulting through put and storage requirements will be cost prohibitive.

In hindsight, maybe switching to NetFlows is not such a bad idea.

Net Neutrality is the concept of end-to-end delivery without prioritization, throttling, or censorship. Tim Berners-Lee, the originator of the World Wide Web, has come out in favor of the concept. “Yes, regulation to keep the Internet open is regulation. And mostly, the Internet thrives on lack of regulation. But some basic values have to be preserved. For example, the market system depends on the rule that you can’t photocopy money. Democracy depends on freedom of speech. Freedom of connection, with any application, to any party, is the fundamental social basis of the Internet, and, now, the society based on it.”

Berners-Lee, T. (2006, June 21). Net Neutrality: This is serious.
http://dig.csail.mit.edu/breadcrumbs/node/144

There is tough rhetoric on both sides of the debate. The pro group feels that Net Neutrality is about protecting freedom and democratizing TCP/IP connectivity. The con group feels that it is unnecessary regulation that will open the Net up to further regulatory restrictions. Not surprisingly, both groups have funded research studies that support their positions. One such study (Lasar, 2010) found that the economic impact would result in reduced profitability and employment at major telecoms. The reasoning is traffic prioritization, throttling, et cetera, are service enablers. No throttle, no service, and no income.

Lasar, M. (2010, June 17). Study: net neutrality could lead to ‘devastating’ job losses.
http://arstechnica.com/tech-policy/news/2010/06/study-net-neutrality-could-lead-to-devastating-job-losses.ars

Personally, I am in favor of Net Neutrality. I do not have much trust for ISPs, nor care to have my inbound and outbound connections filtered. Freedom over financials is my vote. “Save my Internet” has a booklet that describes ways to pursuade non-IT people to that point of view. They advise: “Talk about small business owners who risk financial ruin if they cannot reach customers because their Web site is blocked or slowed down.” Another piece of advice: “Seek out the stories of grassroots campaigners who, if censored online by ISPs, would not be able connect with their constituencies, threatening their political or social struggles.”

Cleverly, E. (2010, July 28). Net Neutrality For The Win.
http://savemyinternet.com/guide/Net%20Neutrality%20For%20The%20Win-High%20Res.pdf

The debate continues.

J Wolfgang Goerlich

Do you remember the World War II poster with the slogan “loose lips sink ships”? Every errant word or a disclosure of sensitive information is a threat to an organization. Before social networking, such threats were limited to the employees’ social circle. With the advent of social networking and blogging technologies, the disclosure of sensitive information has no practical limit. Any outsider with access to the Internet can see what any insider shared. While this may not sink the ship, it certainly can cause embarrassment, a loss of competitive advantage, a scuttled deal, or a fine for insider trading.

Focus has several tips on an individual improving their security: “be discreet, be skeptical, be thoughtful, be professional, be wary, and check privacy policies.”

An update to the SANS Investigative Forensic Toolkit (SIFT) Linux distro has been released. SIFT 2.0 is built on Ubuntu and features the major Linux incident response and forensics tools. It is available as a live disc ISO and as a VMware virtual appliance. Being based on Ubuntu, SIFT also runs under Hyper-V. Click here for a complete listing of the tools included with the distro.

SIFT is available from SANS forensics website.

http://computer-forensics.sans.org/community/downloads