A number of data breaches have been disclosed over the course of 2018, but none have been as big or had as much impact as the one disclosed on Nov. 30 by hotel chain Marriott International.
A staggering 500 million people are at risk as a result of the breach, placing it among the largest breaches of all time, behind Yahoo at 1 billion. While the investigation and full public disclosure into how the breach occurred is still ongoing, there are lots of facts already available, and some lessons for other organizations hoping to avoid the same outcome.
Marriott breach began years ago
What is known at this point is that the Starwood hotel network was breached as far back as 2014, although Marriott did not discover the breach until Sep. 8, 2018. Such advanced persistent threats are an IT security nightmare.
Marriott acquired Starwood in 2016, two years after the breach is believed to have occurred. Starwood hotel brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Although Marriott first got a signal from one of its security tools that there was an issue on Sept. 8, it wasn't until Nov. 19 that the hotel chain was able to determine that data had been stolen, as attackers had apparently encrypted the data that they were taking out of the network.
Of the 500 million customers affected by the data breach, there is varying impact. For 327 million individuals, the information stolen includes name, mailing address, phone number, email address, passport number and data of birth. Marriott has also stated that payment card data was stolen in the breach.
According to Marriott, the payment card information in its database was encrypted with a system that requires two different components in order to decrypt the payment card numbers.
"At this point, Marriott has not been able to rule out the possibility that both were taken," Marriott stated in an advisory.
Steps to reduce risk
So what steps can organizations take to reduce the risk of suffering the same fate as Marriott?
Due diligence on acquisitions
Marriott is not the first company to discover that an acquired company had already been breached. Avast software acquired software tools vendor piriform in 2016 and subsequently discovered that its software system was breached.
A primary activity for any company conducting M&A activity needs to be a cybersecurity assessment to fully understand the state of the company and its vulnerabilities. A full cybersecurity assessment must be part of any modern business acquisition.
Consider DLP tools
The fact that it took some time after the initial warning signs before the data loss was detected was a major shortcoming.
Sensitive data within an organization, including personally identifiable information (PII), payment card data and other user information, should be protected with data loss prevention (DLP) technology. With a proper DLP system in place, PII data cannot leave an organization, and access attempts will be monitored and logged.
Privileged account management
Even without DLP, database information that contains PII should only be accessible by privileged accounts, a common IT best practice.
With privileged account management (PAM) tools and technologies, access attempts are monitored and credentials for privileged accounts are more tightly controlled.
Given that payment card data was involved in the data breach, PCI-DSS (Payment Card Institute Data Security Standard) is involved. Was Starwood assessed as being PCI-DSS compliant, or was it even assessed at all recently? Those facts are not yet known.
According to Verizon, no company that has been quantitatively proven to be PCI-DSS compliant has ever been breached. Rather breaches occur when companies fall out of compliance.
A good best practice to keep organizations secure is to have active third-party penetration testing activities. It's an activity that organizations behind the Ashley Madison website now use to help keep that site, which was the victim of a massive breach itself, secure.
By actively taking an adversarial approach and benefiting from third-party resources, additional vulnerabilities can be uncovered.
Beyond having a third-party conduct penetration testing, active threat hunting tools can expedite how quickly potential and actual threats are found.
With threat hunting tools that are sometimes built into SIEM systems, data can be enriched with additional context from different sources to help correlate multiple sets of information, which is useful for finding threats.
Breach and attack simulation (BAS)
Another good IT security best practice is to use breach and attack simulation (BAS) and employee training tools. Such tools might not have found the exact flaw that led to the Starwood breach, but inevitably it's an exercise that helps harden enterprise networks and train IT security staff. By combing networks looking for flaws and simulating what could happen, responses become routine and the time an attacker might get to spend in a network can be limited.
The root cause of the Starwood data breach is currently unknown and no doubt additional details will emerge in the weeks and months ahead. One thing is certain: A breach of this size is hardly ever the result of a single flaw. Rather it's the result of a threat actor that somehow got into the network and then was able to move around laterally without being detected.
Making use of the tools and techniques listed above might not prevent an intrusion, but having defense in depth and multiple layers of cybersecurity activities might well help to reduce the dwell time and limit impact.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.