J Wolfgang Goerlich's thoughts on Information Security
TJ Maxx security incident impact?

By wolfgang. 23 December 2010 17:19

An interesting conversation that I had with a friend revolved around a simple question: did TJX have a financial loss from the computer security incident in 2007?

Sales? Since the event, TJ Maxx's sales actually increased. Stock price? After a dip during the initial press fall-out, the stock price rose. Comparing it to the Dow Jones shows value being driven by the market rather than by media fall-out. When the news hit, the market responded. The stock then returned to its normal levels. Profitability? Check the annual statements from 2006 through 2010. Revenue and profit are both up, year over year, for the time period. In sum, no long-term impact was felt.

I am surprised to find little evidence supporting a business impact. It could be that TJX's growth simply outpaced the situation. Perhaps their marketing team simply did a great job in handling the crisis. Or perhaps, just perhaps, security incidents are not the business extinction event that security vendors like to suggest.

Some links:

TJX Companies Income Statement
http://ycharts.com/financials/TJX/annual_income_statement
http://finance.yahoo.com/q/is?s=TJX&annual

Google Finance -- TJX versus the DJIA
http://www.google.com/finance?chdnp=1&chdd=1&chds=1&chdv=1&chvs=maximized&chdeh=0&chfdeh=0&chdet=1295730063672&chddm=493051&chls=IntervalBasedLine&cmpto=NYSE:TJX&cmptdms=0&q=INDEXDJX:.DJI&ntsp=0

Tags:

Security

Can you capture all the packets on your network?

By wolfgang. 12 December 2010 18:52

The simple answer is yes, you can capture all the traffic on your network. I do it all day, every day, with my network monitoring servers. But it is a little more complicated than the short answer.

The first consideration is bandwidth. Let’s assume 200 client computers are attached to 50 servers. The clients are at 100 Mbps and the servers are at 1 Gbps. Quickly doing the math (200 × 100 Mbps plus 50 × 1 Gbps), you can see that the maximum bandwidth is 70 Gbps. Each packet will be mirrored (or copied) to the network monitor port. To avoid missing packets, that port would need a 70 Gbps uplink. Such an uplink exceeds the budgets of SMB IT departments.

The second consideration is storage. Let’s assume that the throughput for client computers is, on average, 5% of the available bandwidth. For servers, we will use 25%. Given 3,600 seconds in an hour, do the math, and you’ll see we need 439.5 GB an hour for clients and 5.5 TB an hour for servers. Call that an even 6 TB an hour, 142 TB a day, 1 PB a week. Such disk storage costs exceed the budgets of SMB IT departments.

Given these numbers, how do I capture the packets that travel across my network? First, I use a 10 Gbps uplink to get the mirrored traffic. There are times when the traffic overwhelms the uplink and packets are lost. Second, I keep only a few hours of packets in storage. I maintain the packet summary (time, source IP and port, destination IP and port, byte count, application details) for a few weeks. The summary is significantly smaller than the actual traffic.
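The packet summary described above can be sketched as follows. This is an added example, not code from the original post: it collapses constructed packet records into one record per conversation (time, source IP and port, destination IP and port, byte count; application details are omitted) and compares the size of the two. The 60-second idle timeout and the 48-byte record size are assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto length")

def summarize(packets, idle_timeout=60.0):
    """Collapse packets into one summary record per conversation.

    Records are keyed by (src, sport, dst, dport, proto). A silence longer
    than idle_timeout seconds closes the record and starts a new one.
    """
    active, finished = {}, []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        flow = active.get(key)
        if flow is not None and p.ts - flow["last"] > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "first": p.ts, "last": p.ts,
                                  "packets": 0, "bytes": 0}
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += p.length
    return finished + list(active.values())

def reduction_factor(packets, flows, record_bytes=48):
    """Raw captured bytes divided by summary bytes (record_bytes is assumed)."""
    return sum(p.length for p in packets) / (len(flows) * record_bytes)

def sample_packets():
    """Constructed traffic: a file transfer, one DNS query, a later transfer."""
    pkts = [Packet(1000.0 + i * 0.01, "10.0.0.21", 51515, "10.0.1.5", 445, "tcp", 1500)
            for i in range(1000)]
    pkts.append(Packet(1002.0, "10.0.0.22", 40000, "10.0.1.9", 53, "udp", 80))
    pkts += [Packet(1200.0 + i, "10.0.0.21", 51515, "10.0.1.5", 445, "tcp", 1500)
             for i in range(5)]
    return pkts

if __name__ == "__main__":
    packets = sample_packets()
    flows = summarize(packets)
    for f in flows:
        print(f["first"], f["last"], *f["key"], f["packets"], f["bytes"])
    print("reduction factor: %.0f" % reduction_factor(packets, flows))
```

The reduction is largest for bulk transfers and smallest for traffic made of many single-packet conversations, so the ratio on a real network depends on its traffic mix.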

The more complex answer is yes and no. You can log all the packets. But even for relatively small networks, the hardware required for the resulting throughput and storage will be cost-prohibitive.

In hindsight, maybe switching to NetFlows is not such a bad idea. 

Tags:

Security | Security Information Management
