Learning from the ICO order on the Marriott breach

Exactly a month ago, the Information Commissioner’s office in the UK, in its 91-page order, issued an 18.4 Million £ penalty to Marriott, holding it culpable for a data breach that affected 339 million customers globally.
Its detailed order provides great insight into the applicability and interpretation of the GDPR by the Supervisory Authority in the context of the breach, the circumstances that led to the breach, the gaps or shortcomings in Marriott’s security control environment that were exploited, the resulting representations made by the company against the order and the various decisions and options weighed by the ICO office, before arriving at the final penalty.
For us cyber security professionals though, the notice is a clear writing on the wall – It is no longer sufficient to have adequate security tools and processes; companies will be found to be in violation of GDPR if they are unable to demonstrate operating effectiveness of security in their environment.

How did the breach happen?
In 2014, an unknown attacker penetrated the IT network of Starwood Hotels and Resorts Worldwide Inc and on 29 July 2014, the attacker installed a web shell on an internal application server that was used by employees to request changes to the Starwood website. This enabled the attacker to gain initial remote access to the system and was later used to install remote access trojan (RAT) malware on the server, allowing the attacker to maintain administrative access on the server.
At some point, the attacker installed and executed MimiKatz on the systems to compromise user accounts by moving laterally through the network. The compromised accounts were then used to perform further reconnaissance and ultimately run commands on the Starwood reservation database.
Between 15th April 2015 and 17th May 2016, the attacker created three .dmp files on the compromised server with an intention of exfiltrating the cache of personal data outside the Starwood network.
In September 2016, Marriott acquired Starwood systems and, in the process, “inherited” the compromised systems along with the IT network assets of the hotel chain.
On 7th September 2018, the attacker ran a query to enumerate the count of records in the Guest_Master_Profile table.

How was breach discovered and contained?
The attacker’s database query triggered an alert from the database monitoring tool (Guardium) installed on the database server which was observed by the security monitoring team (Accenture) of Marriott and then notified to Mariott’s IT team on 8th September 2018.
Suspecting malicious activity, Mariott initiated its incident response plan by deploying real time endpoint monitoring and forensic tools across its 70,000 systems on 9th-10th September 2018.
The endpoint monitoring tools helped discovered previously undetected attacker activity that included unauthorised use of credentials of Accenture’s employees, the presence of the RAT tool, the CnC IP addresses used by the attacker, the use of Mimikatz, the encrypted and deleted .dmp files.
As part of the incident response, the RAT tool was contained and the attacker’s CnC IP addresses were blocked at the network.
Upon restoring and decryption, these files were found to contain sensitive personal information of guests including names, emails, date of birth, mailing addresses, gender, VIP status, passport numbers and credit card expiry numbers as well as travel information.
On October 29, 2018, the Marriott contacted US FBI and subsequently on the 22nd November 2018, the Information Commissioner office was notified of the personal data breach.
The commissioner concluded that Marriott failed to comply with its obligations under Article 5 (1) and Article (32) of the GDPR. Both these articles relate to secure processing of personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Where did Marriott go wrong?
In its order, the ICO office held Marriott responsible for four principal failures –
1. Insufficient Monitoring of Privileged Accounts – Marriott failed to detect and respond to the abuse of administrative account credentials in its Card Data Environment. Marriott’s defence of having implemented Multi Factor Authentication for CDE was not deemed to be sufficient to ensure protection.
2. Insufficient Monitoring of Databases – Marriott’s setup of security alerts on its databases was found to be deficient as it did not aggregate all the relevant logs and also did not include logging of user actions taken on the CDE systems such as creation of files and exporting of database tables from the server. If such monitoring had been in place, Marriott could have detected and blocked the database export activity from its servers in time. In particular, database activity monitoring and alerting was configured only on specific sensitive database tables that contained payment card data. This was construed as a lack of appropriate technical and organizational security to ensure appropriate level of overall security for personal data. Marriott’s argument of having adopted a “Risk based approach” to configuring security only for payment data was not deemed to be adequate or appropriate.
3. Lack of hardening or control on critical systems – Marriott was culpable of not implementing adequate server hardening on the internal application that led to administrator account compromise and further lateral movement activity. Some of the already available security mechanisms such as secure configuration, white-listing should have been employed on critical devices to prevent installation and execution of unapproved and malicious software. The order notes that while the RAT tool was installed on the systems before the acquisition of Starwood, Marriott erred in not implementing white listing on key servers after completing the acquisition.
4. Lack of encryption – While Marriott’s database software provided a facility to encrypt database table entries, Marriott applied encryption only on passport numbers and payment card data only, and not on all the personal data fields. This, according to the ICO, was an inconsistent approach adopted by Marriott, by encrypting data in a selective or arbitrary manner, without a formal risk assessment to substantiate its approach. The order also notes that a script developed by Starwood for decrypting AES – 128 bit encrypted entries in the database was also compromised, pointing to poor cryptographic key management practices.

Marriott’s claim that the Commissioner had applied a “very high standard of care” and that it was a victim of a sophisticated attacker with a multi-vector approach that bypassed the numerous protections, was not considered tenable.

What can we learn from this breach?
There is a clear case for revisiting contemporary due diligence practices, where cyber security experts can probe deeper into a target’s security practices and implementation effectiveness and thus provide better assurance and comfort for the acquiring party.
In most large M & A transactions today, IT and Cyber Security due diligence is conducted mostly over based on document reviews, interviews and declarations against spread sheet-based checklists.
Had Marriott conducted a limited compromise assessment on Starwood systems, perhaps the breach could have been detected and mitigated before the GDPR came into force, avoiding the hefty penalty.
Compliance to security standards and frameworks such as PCI DSS and ISO 27001 is not enough to demonstrate “due care” to the regulator.
Organizations need to re-look at their current security implementation coverage and effectiveness of their security tools and processes, to assess whether they are good enough to stand a high level of expert scrutiny in the event of a post breach investigation.
When it comes to the security of personal data, it is better to err on the side of caution and uniformly implement baseline controls such as hardening, white listing and encryption rather than implementing controls selectively across a subset of sensitive data by citing a “risk based approach”.
Security Monitoring and Incident Response is the last frontier and, in a sense, supposed to compensate for the failure of the preventative controls within the Defense-in-Depth paradigm. As is evident, Marriott’s over reliance on preventive controls such as multi-factor authentication and a lack of real time endpoint monitoring, privileged account monitoring and database event monitoring within the CDE environment points to a sub-optimal focus on the detection and response elements of a security strategy.
While most security assessments and penetration tests(including those for PCI DSS compliance) focus on secure configurations or vulnerabilities in servers, applications and networks, none of these assessments really evaluate whether the logging configurations for these systems and threat detection rules in the SIEM / DAM are adequate or effective in detecting and alerting on abnormal behaviour or suspicious activity.
It’s time that cyber security managers and / or auditors include breach and attack simulation assessments as part of their annual cyber security testing regimen that can help in uncovering blind spots in their security monitoring and incident response strategy.

The link to the original ICO Penalty Order on the Marriott Breach can be found here.

For the latest cyber threats and the latest hacking news please follow us on FacebookLinkedin, and Twitter.

You may be interested in reading: How to Survive the COVID Time Cyber ​​Security Threats?

The post Learning from the ICO order on the Marriott breach appeared first on SecureReading.

Více zde: ecurereading

Další články:

[display-posts posts_per_page=”15″ image_size=”thumbnail” include_excerpt=”true”]