On November 30th, Marriott, owner of Starwood (SPG), announced a substantial breach of their loyalty program system, revealing names, email addresses, and other sensitive information. There are many articles posted regarding this breach, but here is one to start our discussion: https://www.pcworld.com/article/3324609/security/marriott-starwood-hotel-data-breach-faq.html
After reading this, or another article, what takeaways or lessons learned do you have?
- From the viewpoint of an ethical hacker: how can you learn and use (or avoid) techniques in your engagements?
- From the viewpoint of an architect or defender of systems: what lessons learned do you glean from this breach?
Duy Nguyen says
Based on the article, Marriott and SPG have released limited information. They do not even know how they were compromised. The article mentioned a good chance that exploited credentials accessed the data and duplicated encryption keys. They seem to be unclear about when it happened and the scope of the loss, but the unauthorized access dates all the way back to 2014. Based on the limited information given, there are a couple of things that we can assess, such as poor identification and authorization management on Marriott’s part. If the credentials were from past employees or exploited credentials of current employees, it was not caught for 4 years. Possible mitigation techniques could be password management policies such as a yearly review of employees’ credentials or changing passwords every 90 days. Another assumption is that Marriott did not have detection software or, if they did, it was not effective.
One possible positive point was that they did use encryption for card numbers and expiration dates.
Vince Kelly says
…great points, Duy. Yea, this one definitely hit me – I’ve been staying at their hotels for *years*. Anyway, I think your observations/mitigation suggestions are spot on. Looks like they got caught up in DNS spoofing. You’ve already made mention of this, but I think that detection is as important as, and in some cases even MORE important than, prevention – you can’t stop what you can’t see.
The other point here is that until companies/company leadership is actually held accountable for negligence like the Marriott and Equifax blunders, failures like this will be the new normal. I think most people have become so desensitized to these breaches that it doesn’t even register with them now.
Jonathan Reid Kerr says
Vince, I’ve seen a lot of articles hit on that same idea of holding leadership accountable. While I do agree that something needs to be done, I feel that there needs to be some context involved. Negligence has to be properly defined before any kind of legislation, as it may affect companies which, despite having adequate security, still suffered a breach.
Maybe something like a security standard could be included with the legislation to provide an objective level of security that a company must have. Of course, that is difficult to do as new software and techniques are developed and render older methods of security obsolete.
Dan Bilenker says
You’re right, there wasn’t a lot of information given – but from what was stated, what stood out to me is:
“it appears as though this wasn’t the usual exploit of a vulnerability. Rather, someone without the proper credentials was able to access the Marriott reservation database to make a duplicate encrypted copy of customer information, which was then presumably taken outside the system.”
So from a network defense perspective, if a vulnerability was not exploited, was Marriott doing a good job of defending their network? The only information available states that somebody “without the proper credentials was able to access…which was then presumably taken outside the system.”
So that lends credence to your assessment that the breach could have been an issue of poor identity or access management. Maybe it was an employee without the proper credentials.
Jonathan Reid Kerr says
There are a lot of things we can learn from this recent breach. The first is that there are many companies out there who do not routinely change the means of authenticating individuals for the use of their internal systems. The fact that they had access to information since 2014 highlights this issue.
There is also the fact of their response being so poor. In a similar fashion to the Equifax breach, Marriott failed to properly respond to the breach. They sent users to a newly acquired domain instead of their own site, which allowed fake sites to pop up. The response to a breach is extremely important, and I feel that many companies still do not realize the impact it has. When performing engagements, a company’s response should definitely be tested, as much as it can be, since a poor response could open them up to further attacks.
Looking at it from a security architect’s point of view, there are a few things which I see as issues, and hopefully other companies will see them as well. The biggest was the merger, which would clearly open up Marriott to attack based on the merged company, Starwood. There are many factors to look at, and they should have given extra attention to security given the vulnerability of the company. Another aspect to consider is the lack of proper detection controls. The fact that the breach remained for so long without notice is a glaring problem. Proper detection can significantly lessen the impact of a breach and goes a long way in determining the nature of the breach, how to respond, and how to prevent future attacks.
Brandan Mackowsky says
From the viewpoint of an ethical hacker, it is crucial to be vigilant and understand how to properly attack a system, even trying to use basic items such as default credentials. Clearly an access issue has been at hand for some time now, and an ethical hacker trying to log in with a predefined or potentially default account may have been able to compromise the system and gain quick access. As an architect or defender of the systems, there needs to be an access certification cycle to ensure that all accounts that are no longer needed or in use are properly decommissioned and locked. Also, it is important to ensure that the credential manager and verifier is actually functioning, making sure there is no way to bypass the system or to simply enter any user and password combination and gain access.
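A minimal access-certification pass of the kind Duy’s and Brandan’s posts call for (stale accounts, terminated owners, password age, default accounts), written as an added example for this thread and not taken from the discussion or from Marriott; the account records, the 90-day thresholds and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Account:
    user: str
    owner_status: str            # "active" or "terminated" (assumed HR feed value)
    last_login: Optional[date]   # None means the account has never logged in
    password_set: date           # date the current password was set
    is_default: bool = False     # vendor/default account that should be disabled

def review_accounts(accounts: List[Account], today: date,
                    max_idle_days: int = 90,
                    max_password_age: int = 90) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every account that fails certification."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        reasons = []
        if a.owner_status == "terminated":
            reasons.append("owner no longer employed")
        if a.last_login is None or (today - a.last_login).days > max_idle_days:
            reasons.append(f"idle beyond {max_idle_days} days")
        if (today - a.password_set).days > max_password_age:
            reasons.append(f"password older than {max_password_age} days")
        if a.is_default:
            reasons.append("default account still enabled")
        if reasons:
            findings[a.user] = reasons
    return findings

# Constructed sample directory export (hypothetical, not real data).
TODAY = date(2018, 11, 30)
SAMPLE = [
    Account("jdoe", "active", date(2018, 11, 28), date(2018, 10, 1)),
    Account("svc_reservations", "active", date(2018, 11, 29), date(2014, 6, 1)),
    Account("former_emp", "terminated", date(2014, 9, 12), date(2014, 3, 1)),
    Account("admin", "active", None, date(2016, 1, 1), is_default=True),
]

def run_sample_review() -> Dict[str, List[str]]:
    """Run the certification pass over the constructed sample."""
    return review_accounts(SAMPLE, TODAY)

if __name__ == "__main__":
    for user, reasons in run_sample_review().items():
        print(f"{user}: disable pending review ({'; '.join(reasons)})")
```

Accounts that pass the review (here only `jdoe`) are omitted from the result; everything else is a candidate for locking until an owner re-certifies it.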