The Colossal, Monumental Screw Up That Is Marriott Security

The Damage

From Decipher reporting:

For [173 million] affected customers, the attackers only had access to names and some address and email address data.

head-explodes.gif

For 327 million people, information compromised in the breach includes names, home addresses, phone numbers, email addresses, some passport numbers, dates of birth, and some payment card information.

…What does one even say to this?

Why did they have all this data in the first place?

Did Marriott not even have security engineers on staff?

Let’s examine at a high level a handful of defense and mitigation strategies that could have greatly improved Marriott’s response to this incident.

It’s important that these recommendations be implemented correctly. For example, an IDS that generates thousands of alerts contributes no value; that is the definition of security theater.

Intrusion Detection Systems

Any IDS worth its salt would most likely have significantly reduced the blast radius of this attack. It’s hard to say for certain when speaking in hypotheticals, but this is literally their job.

IDSs typically run as agents directly on host systems, and collate connections along with contextual information – source and destination IPs, commands executed, possible data exfiltration attempts. Alerts can be triggered on suspicious activity, either via static configuration or via machine learning. Suspicious activity includes, but is not limited to:

A successful connection for the first time from a new IP address

A series of failed attempts, followed by a successful connection

Connections from unexpected geographies

Authentication spamming

Failed commands run by authenticated users

Unexpected connections between internal services

If an IDS is in place, and is generating too many alerts, that’s worse than no IDS at all.
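To make the alert types above concrete, here is an added example (not code from the original post, and not any particular IDS product) that runs three of those rules over a handful of constructed login events: authentication spamming, a run of failures followed by a success, and a success from an address the user has never used before. The log format, thresholds and sample lines are assumptions for the example; the point is that each rule carries a threshold or a baseline, which is what keeps the alert volume low enough to be worth reading.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real Marriott logs), in a simple
# "<timestamp> <OK|FAIL> user=<name> src=<ip>" shape that a host agent might emit.
SAMPLE_LOG = """\
2018-11-30T10:00:01 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:02 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:03 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:04 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:05 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:06 FAIL user=svc-backup src=203.0.113.7
2018-11-30T10:00:09 OK user=svc-backup src=203.0.113.7
2018-11-30T10:05:00 OK user=alice src=10.0.0.5
2018-11-30T10:06:00 OK user=alice src=10.0.0.5
2018-11-30T10:07:00 OK user=alice src=198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, spam_threshold=5, spam_window=timedelta(minutes=1), fails_before_success=3):
    """Return alerts as (rule, user, ip, timestamp). The thresholds exist so that one
    mistyped password does not page anyone; tune them to the environment's baseline."""
    alerts = []
    known_ips = defaultdict(set)        # user -> IPs that have logged in successfully before
    recent_fails = defaultdict(deque)   # (user, ip) -> failure timestamps inside the window
    fails_since_ok = defaultdict(int)   # (user, ip) -> failures since the last success

    for ts, result, user, ip in events:
        key = (user, ip)
        if result == "FAIL":
            fails_since_ok[key] += 1
            window = recent_fails[key]
            window.append(ts)
            while window and ts - window[0] > spam_window:
                window.popleft()
            if len(window) == spam_threshold:  # fire once, when the threshold is crossed
                alerts.append(("auth_spam", user, ip, ts))
        else:
            if fails_since_ok[key] >= fails_before_success:
                alerts.append(("fail_then_success", user, ip, ts))
            fails_since_ok[key] = 0
            # Success from an address this user has never used. With no baseline yet
            # (the user's first ever login) we only learn, rather than alert, to limit noise.
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append(("new_source_ip", user, ip, ts))
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample input this yields exactly three alerts: the brute-force burst against svc-backup, the success that followed it, and alice's login from a new address; the six individual failures produce no alerts of their own.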

Regular Key And Certificate Rotation

A huge part of a successful information security program is change management. Keys and certs must be rotated regularly. An audit log must be kept up to date with which secrets were changed, and when. A log must also be kept of who has access to these secrets.

Manual rotation is a PITA, so automate it. Use Vault or another secret manager, and set up automatic key rotation.
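The two parts of this section, rotating on a schedule and keeping an audit trail of every change, are easy to get subtly wrong: the old key must stay usable for verification just long enough that in-flight tokens do not all break at the moment of rotation, and then it must actually be deleted. The following is an added example (not code from the original post and not Vault's API) of an HMAC signing key ring that does both; the key ids, the 30-day maximum age and the one-hour grace period are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class SigningKeyRing:
    """Rotates an HMAC signing key on a schedule, keeps retired keys verify-only for a
    grace period, deletes them afterwards, and records every change in an audit log."""

    def __init__(self, max_age: timedelta, grace: timedelta):
        self.max_age = max_age        # rotate once the current key is this old
        self.grace = grace            # retired keys may still verify for this long
        self.keys = {}                # kid -> {"key": bytes, "created": dt, "retired": dt|None}
        self.current_kid = None
        self.audit = []               # append-only: (when, who, action, kid)
        self._counter = 0

    def rotation_due(self, now: datetime) -> bool:
        if self.current_kid is None:
            return True
        return now - self.keys[self.current_kid]["created"] >= self.max_age

    def rotate(self, actor: str, now: datetime) -> str:
        if self.current_kid is not None:
            self.keys[self.current_kid]["retired"] = now
            self.audit.append((now, actor, "retire", self.current_kid))
        self._counter += 1
        kid = f"k{self._counter:03d}"
        self.keys[kid] = {"key": secrets.token_bytes(32), "created": now, "retired": None}
        self.current_kid = kid
        self.audit.append((now, actor, "create", kid))
        return kid

    def prune(self, actor: str, now: datetime) -> None:
        """Delete retired keys whose grace period has passed, so they cannot be reused."""
        for kid, rec in list(self.keys.items()):
            if rec["retired"] is not None and now - rec["retired"] > self.grace:
                del self.keys[kid]
                self.audit.append((now, actor, "delete", kid))

    def sign(self, message: bytes):
        key = self.keys[self.current_kid]["key"]
        return self.current_kid, hmac.new(key, message, hashlib.sha256).hexdigest()

    def verify(self, kid: str, message: bytes, mac: str, now: datetime) -> bool:
        rec = self.keys.get(kid)
        if rec is None:
            return False
        if rec["retired"] is not None and now - rec["retired"] > self.grace:
            return False
        expected = hmac.new(rec["key"], message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)


def demo():
    """Walk one rotation cycle; returns the facts the audit reviewer would want to check."""
    t0 = datetime(2018, 11, 30, tzinfo=timezone.utc)   # constructed timeline
    ring = SigningKeyRing(max_age=timedelta(days=30), grace=timedelta(hours=1))
    ring.rotate("rotation-job", t0)
    kid1, mac1 = ring.sign(b"session:alice")
    t1 = t0 + timedelta(days=30)
    due = ring.rotation_due(t1)
    ring.rotate("rotation-job", t1)
    still_valid = ring.verify(kid1, b"session:alice", mac1, t1 + timedelta(minutes=30))
    expired = ring.verify(kid1, b"session:alice", mac1, t1 + timedelta(hours=2))
    ring.prune("rotation-job", t1 + timedelta(hours=2))
    return due, still_valid, expired, [a[2] for a in ring.audit], ring.current_kid


if __name__ == "__main__":
    print(demo())
```

The audit trail for the cycle reads create, retire, create, delete, each entry naming the actor; in a real deployment the actor would be the identity of the rotation job, which answers the "who had access, and when" question the section raises.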

Penetration Testing

Attack yourself, before the bad guys do. Because they will attack, if they haven’t yet. Use open source tools, such as OWASP ZAP, to proactively discover exploitable services left listening on wide-open ports.

BackBox Linux is an excellent pentesting Linux distro. It comes loaded with ZAP and a host of other tools that help in analyzing an infrastructure for security vulnerabilities.

Principle Of Least Data

Don’t store payment information. Use a payment processor and integrate with their API.

Why, why, were passport numbers stored on-site?

Isolate and segregate databases behind private networks. For example, isolate PII to a database within its own private network. Configure databases with strong, unique credentials. Rotate those credentials regularly (again, automation is essential here).

Here are pieces of data which may not need to be stored on site, or at least all in the same database, accessed by the same credentials:

Mailing address

Phone numbers

Payment information

Passport details

Other PII

Anything not related to the service being provided

If any of the above data is required, it should be partitioned into a secure enclave, or stored off site with third-party integrators.
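The advice in this section, keep only the fields the service needs, move the rest into an enclave, and never hold card data yourself, can be enforced at the point where data enters the system rather than left to policy. Here is an added example (not from the original post, and not any vendor's API) that partitions an incoming booking form by per-store allowlists and rejects any field not on a list; the field names, the sample form and the stand-in payment processor client are all assumptions constructed for the example.

```python
import secrets

# Per-store allowlists. A field that is on no list is rejected outright, so a newly
# added form field cannot quietly start landing in a database. Constructed for this example.
SERVICE_FIELDS = {"reservation_id", "guest_id", "hotel", "check_in", "check_out", "email"}
ENCLAVE_FIELDS = {"guest_id", "full_name", "mailing_address", "phone",
                  "passport_number", "date_of_birth"}
NEVER_STORE = {"card_number", "card_expiry", "card_cvv"}   # only ever handed to the processor


class PaymentProcessorClient:
    """Stand-in for a third-party processor API (assumption: the real API takes the card
    details once and returns an opaque token plus the last four digits)."""

    def __init__(self):
        self.tokenized = 0

    def tokenize(self, card_number, card_expiry, card_cvv):
        self.tokenized += 1
        return "tok_" + secrets.token_hex(8), card_number[-4:]


def partition_booking(form, processor):
    """Split a raw booking form into the record the reservation service keeps and the
    record that belongs in the PII enclave; card data goes to the processor and is dropped."""
    unknown = set(form) - SERVICE_FIELDS - ENCLAVE_FIELDS - NEVER_STORE
    if unknown:
        raise ValueError(f"refusing to store unexpected fields: {sorted(unknown)}")
    service = {k: form[k] for k in SERVICE_FIELDS if k in form}
    enclave = {k: form[k] for k in ENCLAVE_FIELDS if k in form}
    if "card_number" in form:
        token, last4 = processor.tokenize(form["card_number"], form["card_expiry"], form["card_cvv"])
        service["payment_token"] = token   # enough to charge later; useless on its own if leaked
        service["card_last4"] = last4
    return service, enclave


def forbidden_fields(record):
    """Audit helper for existing tables: which never-store fields does this record carry?"""
    return sorted(set(record) & NEVER_STORE)


# Constructed input, as a booking form might arrive from the web tier (test card number).
SAMPLE_FORM = {
    "reservation_id": "R-1001", "guest_id": "G-42", "hotel": "Example Downtown",
    "check_in": "2018-12-01", "check_out": "2018-12-03", "email": "guest@example.com",
    "full_name": "Jane Doe", "mailing_address": "1 Example St", "phone": "+1-555-0100",
    "passport_number": "X1234567", "date_of_birth": "1980-01-01",
    "card_number": "4242424242424242", "card_expiry": "12/22", "card_cvv": "123",
}

if __name__ == "__main__":
    svc, enc = partition_booking(SAMPLE_FORM, PaymentProcessorClient())
    print("service record:", svc)
    print("enclave record:", enc)
```

The service record ends up holding only what a reservation needs plus a processor token; the passport number and address live solely in the enclave record, and the card number survives in neither. The `forbidden_fields` helper is the kind of check worth running over existing tables to find data that should never have been stored.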

Proactive CVE Handling

Scan build artifacts, application dependencies, and OS dependencies for known CVEs. Track progress on remediation.

Use KPIs like:

Time to discovery

Time to fix

Total number of high severity vulnerabilities at any time
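The three KPIs are simple to compute once each finding carries three dates: when the advisory was published, when your own scanning first reported it, and when the fix shipped. Here is an added example (not from the original post) that computes them over a constructed set of findings and adds the remediation-SLA breach list a practitioner would want next to them; the finding ids, dates and per-severity SLA targets are made up for the example and are not real CVEs.

```python
from datetime import date
from statistics import mean

SEVERITY_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed remediation targets

# Constructed findings (ids and dates are invented, not real CVEs). published: advisory went
# public; found: our scanner first flagged it; fixed: remediation shipped, or None if still open.
FINDINGS = [
    {"id": "EXAMPLE-0001", "severity": "high",     "published": date(2018, 10, 1),  "found": date(2018, 10, 3),  "fixed": date(2018, 10, 10)},
    {"id": "EXAMPLE-0002", "severity": "critical", "published": date(2018, 10, 5),  "found": date(2018, 10, 5),  "fixed": date(2018, 10, 6)},
    {"id": "EXAMPLE-0003", "severity": "high",     "published": date(2018, 10, 20), "found": date(2018, 10, 25), "fixed": None},
    {"id": "EXAMPLE-0004", "severity": "medium",   "published": date(2018, 11, 10), "found": date(2018, 11, 12), "fixed": date(2018, 11, 20)},
    {"id": "EXAMPLE-0005", "severity": "high",     "published": date(2018, 11, 15), "found": date(2018, 11, 25), "fixed": None},
]


def mean_time_to_discovery(findings):
    """Average days between public disclosure and our own scanner reporting it."""
    return mean((f["found"] - f["published"]).days for f in findings)


def mean_time_to_fix(findings):
    """Average days from discovery to remediation, over findings that have been fixed."""
    fixed = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"] is not None]
    return mean(fixed) if fixed else None


def is_open(finding, as_of):
    return finding["found"] <= as_of and (finding["fixed"] is None or finding["fixed"] > as_of)


def open_high_severity(findings, as_of):
    """Number of high or critical findings open on a given day (the third KPI, as a time series)."""
    return sum(1 for f in findings if f["severity"] in ("high", "critical") and is_open(f, as_of))


def sla_breaches(findings, as_of, sla=SEVERITY_SLA_DAYS):
    """Ids of open findings that have exceeded the remediation target for their severity."""
    return [f["id"] for f in findings
            if is_open(f, as_of) and (as_of - f["found"]).days > sla[f["severity"]]]


if __name__ == "__main__":
    today = date(2018, 11, 30)
    print("mean time to discovery (days):", mean_time_to_discovery(FINDINGS))
    print("mean time to fix (days):", mean_time_to_fix(FINDINGS))
    print("open high/critical:", open_high_severity(FINDINGS, today))
    print("SLA breaches:", sla_breaches(FINDINGS, today))
```

Computing the open-high-severity count as a function of a date, rather than as a single number, is what lets you plot it over time and show whether remediation is actually keeping pace with discovery.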

Zero Trust Networks

M & M security (a hardened perimeter with a soft, tasty interior) is not enough anymore. Consider any connection potentially hostile, even internal traffic. Use E2E encryption. Segregate and partition resources and authorizations.

Minimize permissions on credentials to the bare minimum, single-purpose use case. Then name those credentials after that single purpose. For example, in AWS, define specific roles (not machine users), such as: ses-mailer, s3-uploader-svc-x, s3-viewer-svc-y.
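The single-purpose roles named above can be checked mechanically. Here is an added example (not from the original post, and not an AWS tool) that expresses an over-broad shared policy and three single-purpose policies for the roles the text names as IAM policy documents, then lints them for the three things that break least privilege: wildcard actions, a resource of "*", and one identity that touches several services. The bucket names, SES identity and account id are placeholders invented for the example.

```python
import json

# Constructed policies. OVERBROAD is the catch-all a shared machine user tends to accumulate;
# the next three are single-purpose roles named after their one job, as in the text.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

S3_UPLOADER_SVC_X = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-uploads-bucket/svc-x/*",      # placeholder bucket
    }],
}

S3_VIEWER_SVC_Y = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports-bucket/svc-y/*",      # placeholder bucket
    }],
}

SES_MAILER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",  # placeholder
    }],
}

# A "machine user" that both uploads and mails: each grant is narrow, but it is two jobs.
SHARED_MACHINE_USER = {
    "Version": "2012-10-17",
    "Statement": S3_UPLOADER_SVC_X["Statement"] + SES_MAILER["Statement"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(name, policy):
    """Return a list of findings; an empty list means the policy passes the least-privilege checks."""
    findings = []
    services = set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{name}: statement {i} allows wildcard action {action!r}")
            services.add(action.split(":")[0])
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{name}: statement {i} applies to every resource ('*')")
    if len(services) > 1:
        findings.append(f"{name}: touches {len(services)} services "
                        f"({', '.join(sorted(services))}); split into single-purpose roles")
    return findings


def lint_all(policies):
    """Lint a mapping of role name -> policy; returns only the roles with findings."""
    return {name: lint_policy(name, p) for name, p in policies.items() if lint_policy(name, p)}


if __name__ == "__main__":
    roles = {"overbroad": OVERBROAD, "ses-mailer": SES_MAILER,
             "s3-uploader-svc-x": S3_UPLOADER_SVC_X, "s3-viewer-svc-y": S3_VIEWER_SVC_Y,
             "shared-machine-user": SHARED_MACHINE_USER}
    print(json.dumps(lint_all(roles), indent=2))
```

Run this in CI against the policies in your infrastructure repository and the catch-all role fails on two counts while the three named roles pass; the shared machine user fails only on the multi-service check, which is exactly the "one credential, one purpose" rule the text is asking for.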

Rant Summary

On the one hand, the level of negligence involved in allowing this to happen is utterly, mind-numbingly, staggeringly massive. There are processes, policies, and an endless list of proprietary and open source tools for monitoring, detecting, alerting, and responding to security events.

On the other hand, is anyone surprised? At all? It was only a year ago that Equifax failed to protect the personal information of over 147 million Americans. Yahoo’s hack, with all three billion accounts compromised, was disclosed just a year before that (the actual hack happened around 2013).

To summarize some of the strategies outlined above:

Prioritize CVEs and the KPIs around responding to them (outlined above).

Don’t store data that is not required. Store sensitive data in a secure enclave.

Test yourself. Use penetration testing tools to find vulnerabilities in live systems.

Use secret managers (such as Vault) for automated secret rotation, and centralized secret management.

Use an IDS, and tune it so that it provides value.

What will it take for information security to be taken seriously? Perhaps GDPR-like legislation is the future.