The Leap Frog

When it comes to safeguarding against a critical data breach, we often focus our primary efforts and investment on protecting networks from external threats.  Statistics show that 73% of data breaches are external attackers [1]. But, as this month’s issue of the Tech Grinch proves, the danger can also be lurking right under our noses.

Hotel giant Marriott International learnt this for themselves last September. In response to an internal IT security alert, they discovered an attacker had successfully maintained undetected access to their Starwood guest reservations system since 2014 [2]:

  • A reservation system containing data on up to 500 million guests across multiple Marriott group brands including W Hotels, St. Regis, Sheraton, Westin, Le Méridien and Four Points.
  • Guest data which included names, addresses, phone numbers, email addresses, passport numbers, account information, date of birth, gender, arrival and departure information and some (encrypted) payment card information.

Following a detailed cyber security investigation, Marriott discovered that the unauthorised party had copied and encrypted information and taken steps towards removing it. The aim of the attack was to target multiple components on the organisations network. The sensitivity level of this data combined with the volume of data breached and the length of the attack could pose serious GDPR-related fines for the hotel chain.

So how is such a breach possible for such a large organisation?

The technical term is “island hopping”. Island hopping (or leap frogging) is when an attacker initially gains access to one business, with the explicit aim of targeting another associated business up the chain.

For Marriott, the attacker could either have posed as an employee to physically gain access to the company’s main database, or hacked into one of their smaller hotels or affiliate businesses. Starwood operates its reservation database to independently process reservations for guests of that book their stay via an Online Travel Agency or other company that acts as an agency, broker or exchange service. So, the attacker could have infiltrated the network from any of these angles.

And once the attacker was in, they successfully moved their way through the Starwood network, accessing data across the hotel’s multiple chains whilst remaining undetected.

This may make you alarmed about your own company’s data security. So how do we better protect against these carefully engineered “insider” attacks? And how could Marriott International have prevented this hack?

A good first step is to ensure you have implemented a Cyber Essentials focussed strategy which should include gaining the NCSC-approved Cyber Essentials Plus certification. Cyber Essentials is a set of government-backed control strategies focussing on boundary firewalls and gateways, secure configuration, access control, malware protection and patch management. By evidencing that as an organisation you are Cyber Essentials Plus certified (search all UK organisations that hold the certification here) you ensure your security defences are correctly configured to be able to stand up to common cyber threats. Without implementing basic security controls, you are allowing easy access to your organisation’s data.

To further enhance your company’s security posture the NCSC (National Cyber Security Centre, a part of GCHQ) has also published the 10 Steps To Reduce Cyber Risk https://www.ncsc.gov.uk/guidance/10-steps-cyber-security  to outline cyber security best practices.

Part of implementing these best practices involves improving your security in the key areas of Incident Management and Monitoring. We would recommend deploying a Security Information and Event Management (SIEM) solution with log management tools and performing regular Penetration Tests. Both of these solutions would have assisted the Marriott hotel in identifying the vulnerability and breach:

Security Incident and Event Management

An automated SIEM solution will provide you with the valuable security information necessary to identify and prevent threats from their earliest point.  AlienVault is one of the most effective SIEM solutions for companies lacking extensive internal cyber security resources. AlienVault’s Unified Security Management platform saves your organisation time and money by providing pre-written correlation rules which detect the threats in your environment and give you overall security monitoring of your networks and endpoints which helps you to better protect your data.

Penetration Testing

Refer to Issue 1 of the Tech Grinch for more on Pen Testing: https://autodata.co.uk/the-identity-bandits/

To learn more about Cyber Essentials Plus or the 10 steps to reduce cyber risk, including SIEM solutions and Penetration Testing,  please get in touch.

Sources:
[1] 2018 Data Breach Investigations Report, Verizon.com
[2] https://www.ncsc.gov.uk/guidance/ncsc-advice-marriott-international-customers