Question

“Marriott International announced in November 2018 that attackers had stolen data

on approximately 500 million customers. The breach initially occurred on systems

supporting Starwood hotel brands starting in 2014. The attackers remained in the

system after Marriott acquired Starwood in 2016 and were not discovered

until September 2018.”(sourced from a published report)

Referring to the case given, list and explain 2 steps that can help prevent data breach like this.

Answer 1

If you have used the site and it’s available in your country, it makes sense to take the WebWatcher access. Other tools are also available such as ‘Have I Been Pwned’.

It goes without saying that users should change passwords used for the site -and the same goes if these details are used elsewhere. In addition, watch your
bank account for any suspicious activity and be wary of emails claiming to be from Marriott: cyber criminals will often use incidents such as these to orchestrate scams and phishing emails.

​​​​​​Steps to reduce risk:

Due deligence on acquisitions:

Marriott is not the first company to discover that an acquired company had already been breached. Avast software acquired software tools vendor piriform in 2016 and subsequently discovered that its software system was breached.

A primary activity for any company conducting M&A activity needs to be a cybersecurity assessment to fully understand the state of the company and its vulnerabilities. A full cybersecurity assessment must be part of any modern business acquisition.

Consider DLP tools:
The fact that it took some time after the initial warning signs before the data loss was detected was a major shortcoming.
Sensitive data within an organization, including personally identifiable information (PII), payment card data and other user information, should be protected with data loss
prevention (DLP) technology. With a proper DLP system in place, PII data cannot leave an organization, and access attempts will be monitored and logged.

Privileged account management:
Even without DLP, database information that contains PII should only be accessible by privileged accounts, a common IT best practice.With privileged account management (PAM) tools and technologies, access attempts are monitored and credentials for privileged accounts are more tightly controlled.

PCI compliance:
Given that payment card data was involved in the data breach, PCI-DSS (Payment Card Institute Data Security Standard) is involved. Was Starwood assessed as being
PCI-DSS compliant, or was it even assessed at all recently? Those facts are not yet known.

According to Verizon, no company that has been quantitatively proven to be PCI-DSS compliant has ever been breached. Rather breaches occur when companies fall out of compliance.

Penetration testing:
A good best practice to keep organizations secure is to have active third-party penetration testing activities. It's an activity that organizations behind the Ashley Madison website now use to help keep that site, which was the victim of a massive breach itself, secure.

By actively taking an adversarial approach and benefiting from third-party resources, additional vulnerabilities can be uncovered.

Threat hunting:
Beyond having a third-party conduct penetration testing, active threat hunting tools can expedite how quickly potential and actual threats are found.

With threat hunting tools that are sometimes built into SIEM systems, data can be enriched with additional context from different sources to help correlate multiple sets of information, which is useful for finding threats.

Breach and attack simulation (BAS):
Another good IT security best practice is to use breach and attack simulation (BAS) and employee training tools. Such tools might not have found the exact flaw that led to the Starwood breach, but inevitably it's an exercise that helps harden enterprise networks and train IT security staff. By combing networks looking for flaws and simulating what could happen, responses become routine and the time an attacker might get to spend in a network can be limited.

The root cause of the Starwood data breach is currently unknown and no doubt additional details will emerge in the weeks and months ahead. One thing is certain: A breach of this size is hardly ever the result of a single flaw. Rather it's the result of a threat actor that somehow got into the network and then was able to move around laterally without being detected.

Making use of the tools and techniques listed above might not prevent an intrusion, buthaving defense in depth and multiple layers of cybersecurity activities might well help to reduce the dwell time and limit impact.