
12/11/2017
Target Corporation
SABSA Component Security Architecture
Implementation

Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise
before defeat.
~ Sun Tzu

Antony Kungu – CSOL520 Final Project


PRIMETIME TECHNOLOGIES LLC
Minneapolis MN
akungu@sandiego.edu
TARGET CORPORATION

Table of Contents
Abstract
The concept of Enterprise Security Architecture
SABSA MATRIX
The Tradesman’s/Component layer view
The Tradesman’s/Component layer Deliverables
Target Corp Business Risk Model
Security Products and Tools
Conclusion
References

CONFIDENTIAL: FOR INTERNAL USE ONLY. 1



Abstract
SABSA is a methodology for developing risk-driven enterprise information security and
information assurance architectures and for delivering security infrastructure solutions that
support critical business initiatives at Target Corporation. It is an open standard, comprising a
number of frameworks, models, methods and processes, free for use by all, with no licensing
required for end-user organizations who make use of the standard in developing and
implementing architectures and solutions.
SABSA is unique in that it fulfils ALL of the following criteria:
• It is an open standard, comprising frameworks, models, methods and processes, free for
use by all, with no licensing required for end-user organizations who make use of the
standard in developing and implementing architectures and solutions;
• The SABSA framework is not related to any IT solutions supplier and is completely
vendor-neutral;
• The SABSA framework is scalable, that is, it can be introduced in subsequent areas and
systems and implemented incrementally;
• The SABSA framework may be used in any industry sector and in any organization
whether privately or publicly owned, including commercial, industrial, government,
military or charitable organizations;
• The SABSA framework can be used for the development of architectures and solutions at
any level of granularity of scope, from a project of limited scope to an entire enterprise
architectural framework;
• SABSA education, training and certification can be obtained through any one of the
worldwide network of Accredited Education Partners (AEPs) of the SABSA Institute, by
registering for and attending the SABSA Institute courses offered through those AEPs
and by sitting the appropriate examinations also offered through the AEP network;
• SABSA may be incorporated into any appropriate computer software tool by a software
tool vendor who wishes to offer such a tool to the open market.

The concept of Enterprise Security Architecture


The concept can be applied effectively at Target Corporation and other organizations of any
type, including commercial or industrial businesses, public services, governments and their
various departments and charitable trusts. The aims of an enterprise security architecture are to
optimize all parts of the organization in a harmonious, coherent way, rather than to achieve local
optimization at business unit level. The benefits of the enterprise security architecture approach
are: improved overall organizational performance, increased competitiveness in the marketplace
and operational excellence in service and product delivery to customers. With specific reference
to risk management, the benefit is the optimization of the basket of risks (the balance between
opportunities and threats) by the diversification of risks across Target Corporation. Thus, when I
talk about ‘enterprise architecture’ or ‘enterprise security architecture’, it is with this concept of
enterprise in mind that I do so. Enterprise security architecture is a business-driven, structured
inter-relationship between the technical and procedural solutions that support the long-term
needs of the business. If the architecture is to be successful, then it must provide a rational
framework within which decisions can be made upon the selection of security solutions. The
decision criteria should be derived from a thorough understanding of the business requirements,
including:

• The need for cost reduction
• Modularity
• Scalability
• Ease of component re-use
• Operability
• Usability
• Inter-operability both internally and externally
• Integration with the enterprise IT architecture and its legacy systems

SABSA MATRIX


The Tradesman’s/Component layer view


This is the layer where Target Corporation needs to assemble a series of products from
specific vendors and a team with the integration skills to join these products together during an
implementation of the design. The component security architecture is concerned with what data
fields (data structures) are used, why the security standards apply, how the hardware and software
will be implemented, who will be subject to this, where it will be processed, and when it will take
place in terms of timings and sequencing. The ‘tradesmen’ work with a series of components that
are hardware items, software items, and interface specifications and standards. Hence this layer
of the architectural model is called the component security architecture, as it will support the
overall security architecture requirements of Target Corporation. The component security
architecture layer of the SABSA model is shown in the image below.

The diagram below shows the SABSA operation of controls and how they can enhance the
security posture of Target Corporation.


The Tradesman’s/Component layer Deliverables

The deliverables for this layer in relation to Target Corporation that I would recommend be
implemented are:

a) Updated dictionary defining the syntax rules of all data structures required by the security
architecture.
b) Framework for security standards and a list of all the security standards that are required.
c) A list with descriptions and specifications for all security products and tools.
d) A naming scheme and framework for defining identities, functions, actions and ACLs.
e) Detailed design of the security infrastructure, i.e. processes, nodes, addresses, and
protocols.
f) Detailed specification of procedural step timings and sequencing needed to implement
the control structure execution model from the layer above.

Security architecture at Target Corporation is driven by the following business risk factors:

• Competitive factor and Reputation
• Technology Investments and Infrastructure
• Data Security and Privacy
• Supply Chain and Third-Party vendors
• Legal, Regulatory, Global and Other External

The risk factors mentioned above lead to the business risk model for Target Corporation as
shown below. The component security architecture layer of the SABSA model corresponds to the
Target Corporation component layer, which happened to be the vulnerable network segment.
Failures in the component layer and poor vendor security and compliance auditing led to a massive
security breach that started at one of their vendors. The vendor was compromised by a phishing
attack; the attacker was able to steal admin login credentials to the Ariba vendor portal, which
gave the attacker access to the internal Target Corporation infrastructure, from where the attacker
was able to upload malware that was used to exfiltrate PII data of Target Corp customers. There
were multiple failures in the component layer of Target Corporation. My organization is
experienced and prepared to provide and deliver a well-designed component security architecture
layer that will ensure that another breach won’t happen if implemented as we will design it. I am
grateful that the senior leadership is on board with the component layer security architecture as a
whole.


Target Corp Business Risk Model


| ID | Business Driver | Business Attribute | Business requirements | High level Threat Risks | Business Impact | Potential high-level Vulnerability | High level control |
|---|---|---|---|---|---|---|---|
| 1 | Competitive and reputation | positive perceptions of Target | continue to preserve, grow, and leverage the value of Target’s reputation | Another security breach | consumer boycotts, lost sales, loss of new store and technology development opportunities. | adverse mainstream and social media publicity, governmental investigations, or litigation. | Enhance commitment to the four primary constituencies: guests, team members, shareholders, |
| 2 | Technology Investments and Infrastructure | Vetted technologies that will help us excel and recover from the 2014 breach | support our omnichannel efforts, implement improvements to our guest-facing technology, and evolve our inventory management system | Technology failure | disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence. | Implementing significant system changes increases the risk of computer system disruption. | continually make significant technology investments that will help maintain and update our existing computer systems |
| 3 | Data Security and Privacy | Compliance to data protection laws | protect the security of information about our guests, team members, and vendors | Unauthorized access | costly government enforcement actions and private litigation, and our sales and reputation could suffer. | Third party vendors being compromised and trickling down to us | Vetting all vendors and ensuring that lessons learnt in 2014 breach are implemented |
| 4 | Supply Chain and Third-Party vendors | Diversification of our supply chain | vendors to supply merchandise to our distribution centers, stores and our guests in a timely and efficient manner | Political or financial instability, trade restrictions, the outbreak of pandemics, labor unrest. | disrupt port activities and affect foreign trade beyond our control affecting our bottom line | large portion of our merchandise is sourced, directly or indirectly, from outside the United States, and political instability can affect our operations | Diversify vendor base |
| 5 | Legal, Regulatory, Global and Other External compliance | Auditing and compliance | Compliance to all rules and regulations that govern our operations | earnings are highly susceptible to the state of macroeconomic conditions and consumer | Deterioration in macroeconomic conditions or consumer confidence could negatively affect our business in many ways, including slowing sales growth. | failure to comply with federal, state, local, and international laws, or changes in these laws could increase our costs, reduce our margins, and lower our sales | U.S. consumer confidence and the health of the U.S. economy. |
Security Products and Tools


The table below shows the security tools and products that I would recommend be implemented at the
component security architecture layer of Target Corporation. These tools will help to reduce the
attack surface while mitigating most security threats by implementing component security layer
architecture.


| Logical Security strategy | Logical Security services | Physical security mechanisms | Components Types | Component Type/current tools |
|---|---|---|---|---|
| Prevention | Entity security services; Communication security services; Application and system security services; Security management services | Naming standards and procedures; Registration policy, procedure and authority system; Certificate policy, syntax, procedure, authority system, revocation list, publishing and management | Cryptographic hardware; Cryptographic software tool kits; Directory system products; Enterprise security management tools; File encryption products; Personal authentication tokens and devices; CCTV cameras | RSA hard token; RSA software token; MS Active Directory systems; ArcSight/Splunk/LogRhythm SIEM; IBM Guardium Data Encryption; BitLocker; Sophos SafeGuard; Dell Encryption Enterprise; McAfee Complete Data Protection; HPE Secure Data; Bitdefender GravityZone; Dual factor authentication |
| Containment | Entity authorization; Stored data confidentiality; Software integrity; Physical security; Environmental security; Security training and awareness | Secure premises with locks; Authorization procedures; Secure management protocols; Fire prevention, detection, quenching; Login procedure and authentication protocols; Directory system | Intrusion detection systems; Physical security alarms; Personal authentication tokens and devices; Security auditing tools; Biometric devices; Directory products; Smart cards | Cisco NIDS/IDS/NIPS; Night Vision CCTV Camera, Infrared, Analog 1000 TVL / 960H & HD 1080p; Outdoor Motion Sensor, Weatherproof PIR Motion Detector, Alarm Output; RSA hard token; Network segmentation |
| Detection and notification | Message integrity protection; Stored data integrity protection; Security monitoring; Intrusion detection; Security alarm management; Security training and awareness; Security measurement and metrics | Hashing; Message integrity checksums; Digital signatures; Alarms; Real-time monitoring systems; Intrusion signature analysis; Behavioral network traffic analysis; Management event logs; User activity logs; Training and awareness | Firewalls; Intrusion detection systems; Physical security alarms; Security auditing tools; Risk assessment tools; Network traffic monitoring; Vulnerability scanning tools; Boot protection software; Antivirus scanners; Antitheft devices; Anti-piracy tools | Symantec Endpoint protection; Cisco IDS/NIDS; Symantec HIPS; FireEye; Nessus Pro; Nexpose vulnerability scanner; ArcSight SIEM; Absolute Lojack; Physical laptop lock; Website code embedded canary token; Embedded signatures via steganography; Watermarking; Vendor security control vetting; User Access monitoring of the Ariba vendor platform |
| Event collection and event tracking | Audit trails; Security operations management; Security monitoring; Security measurement and metrics | Event logs; Reporting tools; Event log integrity protection mechanisms; Event log browsing tools; Operator authentication mechanisms | Cryptographic hardware; Cryptographic software tools; Enterprise security management tools; LAN security products | RSA hardware token; RSA software token; ArcSight SIEM; Splunk; LogRhythm; Cisco stateful packet inspection firewalls; Network Proxy servers; Symantec HIPS; Cisco IPS/NIDS/NIPS; Kali Linux platform |
| Recovery and Restoration | Incident response; Data replications and backup; Software replication and backup; Disaster recovery; Crisis management; Redundancy of hardware | Data collection and analysis; Incident assessment procedures; Response action management procedures; Data and software backups; Data restoration procedures | Uninterruptible power supply; Fault tolerant computing solution; Data back up and management systems; Enterprise security management tools; Document safes; File encryption products | APC Back-UPS Pro 1500VA UPS; Virtualization of servers; Server clustering; BitLocker encryption; Sophos SafeGuard; Dell Encryption Enterprise; McAfee Complete Data Protection; HPE Secure Data; Table top exercises on disaster recovery and response |
| Assurance | Audit trails; Security audit; Security monitoring; Security measurement and metrics | Events logs; Regular scanning with system audit tools; Independent inspection; Statistical tests; Penetration testing | LAN security products; Operating platforms; Fault tolerance computing solutions; Enterprise security management | Kali Linux platform; Third party vendors like Rapid7, WhiteHat, NetSPI; Nessus Pro; Nexpose vulnerability scanner; Rapid7 Vulnerability VM machine; Systems patching |


Conclusion
In conclusion, I can say that the component security architecture layer of the SABSA model
deals with tool protection, operational risk management tools, tool deployment, personnel
deployment, security management tools and service monitoring tools that I have recommended
to be implemented in the Target Corporation infrastructure, as shown in the security products and
tools table. This was made possible by strict adherence to all relevant component security
architecture standards. My analysis shows that all the components that I have recommended to
be implemented have compatibility, consistency and inter-operability between them. I am
grateful that the senior leadership at Target Corporation was on board with this plan, and its
implementation henceforth will enhance the security posture of Target Corporation to an
acceptable level.

References
Item 1A. Risk Factors. (2014, June 18th). Retrieved December 10th, 2017, from Target 2014 Annual
report: https://corporate.target.com/annual-reports/2014/10-k/10-K-Part-I/Item-1A-Risk-Factors
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture. Boca Raton: CRC.
Retrieved October 26th, 2017
