In: Accounting
“Marriott International announced in November 2018 that attackers had stolen data on approximately 500 million customers. The breach initially occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.” (sourced from a published report)
Referring to the case given, list and explain 2 steps that can help prevent a data breach like this.
If you have used the site and it’s available in your country, it makes sense to take the WebWatcher access. Other tools are also available, such as ‘Have I Been Pwned’.
It goes without saying that users should change the passwords used for the site, and the same goes if these details are used elsewhere. In addition, watch your bank account for any suspicious activity and be wary of emails claiming to be from Marriott: cyber criminals will often use incidents such as these to orchestrate scams and phishing emails.
Steps to reduce risk:
Due diligence on acquisitions:
Marriott is not the first company to discover that an acquired company had already been breached. Avast Software acquired software tools vendor Piriform in 2016 and subsequently discovered that its software system was breached.
A primary activity for any company conducting M&A activity needs to be a cybersecurity assessment to fully understand the state of the acquired company and its vulnerabilities. A full cybersecurity assessment must be part of any modern business acquisition.
Consider DLP tools:
The fact that it took some time after the initial warning signs before the data loss was detected was a major shortcoming. Sensitive data within an organization, including personally identifiable information (PII), payment card data and other user information, should be protected with data loss prevention (DLP) technology. With a proper DLP system in place, PII data cannot leave an organization, and access attempts will be monitored and logged.
Privileged account management:
Even without DLP, database information that contains PII should only be accessible by privileged accounts, a common IT best practice. With privileged account management (PAM) tools and technologies, access attempts are monitored and credentials for privileged accounts are more tightly controlled.
PCI compliance:
Given that payment card data was involved in the data breach, PCI-DSS (Payment Card Industry Data Security Standard) is involved. Was Starwood assessed as being PCI-DSS compliant, or was it even assessed at all recently? Those facts are not yet known.
According to Verizon, no company that has been quantitatively proven to be PCI-DSS compliant has ever been breached. Rather, breaches occur when companies fall out of compliance.
Penetration testing:
A good best practice to keep organizations secure is to have active third-party penetration testing activities. It's an activity that the organization behind the Ashley Madison website now uses to help keep that site, which was the victim of a massive breach itself, secure.
By actively taking an adversarial approach and benefiting from third-party resources, additional vulnerabilities can be uncovered.
Threat hunting:
Beyond having a third party conduct penetration testing, active threat hunting tools can expedite how quickly potential and actual threats are found.
With threat hunting tools that are sometimes built into SIEM systems, data can be enriched with additional context from different sources to help correlate multiple sets of information, which is useful for finding threats.
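As an added illustration of the PAM and threat-hunting points above (example code written for this page, not from the original answer or any vendor tool), the script below correlates a constructed database access log with a constructed asset inventory and privileged-account list: it flags accounts touching PII data stores that are not on the privileged list and reports how long such activity went on. All hosts, accounts and log lines are assumptions made up for the example.

```python
"""Added example: a minimal threat-hunting check that enriches access-log
events with asset context and flags non-privileged access to PII stores.
Every host, account and log line here is constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory (enrichment context): which hosts hold PII.
ASSETS = {
    "db-guest-01": {"pii": True, "owner": "reservations"},
    "db-report-02": {"pii": False, "owner": "finance"},
}
# Constructed PAM allow-list: accounts permitted to access PII stores.
PRIVILEGED = {"svc_reservations", "dba_admin"}

# Constructed access log, one event per line: "<ISO time> <host> <user> <action>"
LOG = """\
2014-07-01T02:10:00 db-guest-01 dba_admin SELECT
2014-07-03T03:40:00 db-guest-01 webapp_ro SELECT
2014-07-03T03:41:00 db-guest-01 webapp_ro EXPORT
2014-07-04T09:00:00 db-report-02 webapp_ro SELECT
2018-09-08T01:15:00 db-guest-01 webapp_ro EXPORT
"""

def parse(log):
    """Yield (timestamp, host, user, action) tuples from the log text."""
    for line in log.splitlines():
        ts, host, user, action = line.split()
        yield datetime.fromisoformat(ts), host, user, action

def hunt(log, assets=ASSETS, privileged=PRIVILEGED):
    """Return findings keyed by user: PII hosts touched without privilege,
    the actions seen, the data owners to notify, first-seen time and the
    dwell time in days between the first and last suspicious event."""
    seen = defaultdict(list)
    for ts, host, user, action in parse(log):
        if assets.get(host, {}).get("pii") and user not in privileged:
            seen[user].append((ts, host, action))
    findings = {}
    for user, events in seen.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        findings[user] = {
            "hosts": sorted({h for _, h, _ in events}),
            "actions": sorted({a for _, _, a in events}),
            "owners": sorted({assets[h]["owner"] for _, h, _ in events}),
            "first_seen": first,
            "dwell_days": (last - first).days,
        }
    return findings

if __name__ == "__main__":
    for user, finding in hunt(LOG).items():
        print(user, finding)
```

The access to db-report-02 is ignored because the inventory marks it as holding no PII, which is exactly the context a bare log line lacks.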
Breach and attack simulation (BAS):
Another good IT security best practice is to use breach and attack simulation (BAS) and employee training tools. Such tools might not have found the exact flaw that led to the Starwood breach, but inevitably it's an exercise that helps harden enterprise networks and train IT security staff. By combing networks looking for flaws and simulating what could happen, responses become routine and the time an attacker might get to spend in a network can be limited.
The root cause of the Starwood data breach is currently unknown and no doubt additional details will emerge in the weeks and months ahead. One thing is certain: a breach of this size is hardly ever the result of a single flaw. Rather, it's the result of a threat actor that somehow got into the network and then was able to move around laterally without being detected.
Making use of the tools and techniques listed above might not prevent an intrusion, but having defense in depth and multiple layers of cybersecurity activities might well help to reduce the dwell time and limit the impact.