The Colossal, Monumental Screw Up That Is Marriott Security


From Decipher reporting:

For [173 million] affected customers, the attackers only had access to names and some address and email address data.


For 327 million people, information compromised in the breach includes names, home addresses, phone numbers, email addresses, some passport numbers, dates of birth, and some payment card information.

…What does one even say to this?

Why did they have all this data in the first place?

Did Marriott not even have security engineers on staff?

Let’s examine just a handful of defense and mitigation strategies that could have greatly improved Marriott’s response to this incident.

Intrusion Detection Systems

Any IDS worth its salt would most likely have significantly reduced the blast radius of this attack. It’s hard to say for certain when speaking in hypotheticals, but this is literally their job.

IDSs typically run as agents directly on host systems and collate connections along with contextual information – source and destination IPs, commands executed, possible data exfiltration attempts. Alerts can trigger on suspicious activity, either via configuration or machine learning. Suspicious activity includes, but is not limited to:

  • A successful connection for the first time from a new IP address
  • A series of failed attempts, followed by a successful connection
  • Connections from unexpected geographies
  • Authentication spamming
  • Failed commands run by authenticated users
  • Unexpected connections between internal services
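
Two of the signals listed above (a series of failed attempts followed by a success, and a first successful connection from a new IP address) expressed as detection logic over sshd-style authentication logs. This is an added example, not code from the original post; the log lines are constructed, and the `detect` function, its failure threshold and the baseline of known IPs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd log format (documentation IP ranges).
SAMPLE_LOG = """\
Nov 30 10:00:01 web1 sshd[811]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Nov 30 10:02:10 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Nov 30 10:02:12 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 40002 ssh2
Nov 30 10:02:15 web1 sshd[812]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Nov 30 10:02:19 web1 sshd[812]: Failed password for admin from 203.0.113.9 port 40004 ssh2
Nov 30 10:02:25 web1 sshd[812]: Accepted password for admin from 203.0.113.9 port 40005 ssh2
Nov 30 10:05:00 web1 sshd[813]: Accepted publickey for deploy from 192.0.2.44 port 50200 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect(log_text, known_ips, fail_threshold=3):
    """Return alerts as (rule, user, ip) tuples, in log order.

    known_ips: baseline of {user: set of IPs seen on earlier successful logins}.
    """
    alerts = []
    seen = {u: set(ips) for u, ips in known_ips.items()}  # copy the baseline
    failures = defaultdict(int)  # failures per source IP since its last success
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        # Successful login: check both rules, then reset the failure streak.
        if failures[ip] >= fail_threshold:
            alerts.append(("failures_then_success", user, ip))
        if ip not in seen.setdefault(user, set()):
            alerts.append(("first_login_from_new_ip", user, ip))
            seen[user].add(ip)
        failures[ip] = 0
    return alerts

if __name__ == "__main__":
    baseline = {"deploy": {"198.51.100.7"}, "admin": {"198.51.100.7"}}
    for alert in detect(SAMPLE_LOG, baseline):
        print(alert)
```
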

Regular Key And Certificate Rotation

A huge part of successful information security programs is change management. Keys and certs must be in regular rotation. An audit log must be kept up to date with what secrets were changed, and when. A log must also be kept for who has access to these secrets.

Penetration Testing

Attack yourself, before the bad guys do. Because they will attack, if they haven’t yet. Use open source tools, such as OWASP ZAP, in order to proactively discover exploitable runtimes left on wide open ports.

Principle Of Least Data

Don’t store payment information. Use a payment processor and integrate with their API.

Why, why, were passport numbers stored on-site?

Isolate and segregate databases behind private networks. Configure them with strong, unique credentials. Rotate those credentials regularly.

CVE Tracking

Scan build artifacts, application dependencies, and OS dependencies for known CVEs. Track progress on remediation. Use KPIs like time to discovery, time to fix, and total number of high severity vulnerabilities.

Zero Trust Networks

M&M security (a hard perimeter around a soft interior) is not enough anymore. Consider any connection potentially hostile, even internal traffic. Use E2E encryption. Segregate and partition resources and authorizations. Minimize permissions on credentials to the bare minimum: single-purpose use cases.

On the one hand, the level of negligence required for this to have happened is utterly, mind-numbingly, staggeringly massive. There are processes, policies, and an endless list of proprietary and open source tools for monitoring, detecting, alerting, and responding to security events.

On the other hand, is anyone surprised? At all? It was only a year ago that Equifax failed to protect the personal information of over 147 million Americans. Yahoo’s hack, with all three billion accounts compromised, was disclosed just a year before that (the actual hack happened around 2013).

What will it take for information security to be taken seriously? Perhaps GDPR is the future.

Written on November 30, 2018