Friday, 30 November 2018

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
Image result for marriott
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

Image result for starwood
You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said for around 326 million of its guests, the personal information compromised included "some combination" of, name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was also copied, and it could not rule out the encryption keys to decrypt cardholder data had not been stolen.

The hotel giant said it would notify customers affected and offer some a fraud detecting service for a year for free, so I expect they will be making contact with myself soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website, and by the National Cyber Security Centre
. The hotel chain could face huge fines under the GDPR, and possibly a large scale class action lawsuit by their affected guests, which could cost them millions of pounds. 

What I really would like to know is why the hotel chain had retained such vast numbers of guest records post their stay. Why they held their customer's passport details and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been comprised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysts during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”

Wednesday, 7 November 2018

Complexity is the Worst Enemy of Security, Time for a New Approach with Network Security?

Bruce Schneier summed it up best in 1999 when he said "Complexity is the Worst Enemy of Security" in an essay titled A Plea for Simplicity, correctly predicting the cybersecurity problems we encounter today.

The IT industry has gone through lots of changes over the past few years, yet when it comes to cybersecurity, the mindset has remained the same. The current thinking around cybersecurity falls into the definition of insanity, with many organisations doing the same thing over and over again, expecting different results, and are then shocked when their company is the latest to hit the hacking headlines.

The current security model is broken and is currently too complex. As Paul German, CEO, Certes Networks, argues, it’s time to strip network security back and focus on the data. 

What should Organisations Really be Protecting?
Ultimately, by overcomplicating network security for far too long, the industry has failed - which won’t come as a surprise to many. We’ve all learned the lessons from the high profile data breaches such as Dixon’s Carphone and historical breaches like Ticketmaster or Target; what they succeeded in showing us was that current attempts to secure corporate networks are just not enough. And the reason for this? Quite simply, it’s because organisations are trying to protect something they no longer own. For a long time, security thinking has focused purely on the network, honing in on the insecurity of the network and trying to build up network defences to protect the data that runs over it in order to combat the challenges.

Yet, this way of thinking still leaves a problem untouched: we don’t always own the networks over which our data runs, so therefore focusing on this aspects is leaving many other doors wide open. The corporate network used to remain in the data centre, but in the digital economy present today, the corporate network spans over corporate locations worldwide, including data centres, private clouds and public clouds. Additionally, this data is not just shared with employees, but to third parties whose devices and policies cannot be easily controlled. Add legacy security measures into the mix which simply weren’t constructed to address the complexity and diversity of today’s corporate network, and it is extremely apparent why this is no longer enough.

So, what needs to change? First and foremost, the industry needs to take a step in the right direction and put data at the forefront of security strategies.

The Security Mindset Needs to Change - and It Needs to Change Now
In an attempt to keep their data and infrastructure secure, organisations have layered technology on top of technology. As a result of this, not only has the technology stack itself become far too complicated but the number of resources, operational overhead and cost needed to manage it have only contributed to the failing security mindset.

Anyone in the IT industry should be able to acknowledge that something needs to change. The good news is that the change is simple. Organisations need to start with a security overlay that covers the networks, independent of the infrastructure, rather than taking the conventional approach of building the strategy around the infrastructure. The network itself must become irrelevant, which will then encourage a natural simplicity in approach.

As well as enabling organisations to better secure their data, this approach also has economic and commercial benefits. Taking intelligence out of the network allows organisations to focus it on its core task: managing traffic. In turn, money and resources can be saved and then better invested in a true security model with data protection at its heart.

A New Era of Cybersecurity
To begin this mindset change, organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to data security, enabling a centralised orchestration of security policy. This centralised orchestration enforcing capabilities such as software-defined application access control, cryptographic segmentation, data-in-motion privacy and a software-defined perimeter, data is completely protected on its journey across any network, while hackers are restricted from moving laterally across the network once a breach has occurred. Additionally, adopting innovative approaches such as Layer 4 encryption which renders the data itself useless, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows, will further ensure the protection of the organisation’s network.

The fact is that the industry has overcomplicated network security for too long. If the industry continues to try the same methods over and over again, without making any changes, then there is no chance of progression. It’s time for organisations to start afresh and adopt a new, simple software-defined security overlay approach. 

Tuesday, 6 November 2018

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been exponentially growing in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers pushing this rapid expansion are fitness trackers, namely wristband tech and smartwatch apps which monitors our daily activity and health. But as we integrate wearables devices seamlessly into our everyday lives, what are the privacy and security risks they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch to customers in return for their fitness routines and health data, the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards provides a great incentive for consumers to improve their health, the personal data consumers are sharing in return has a tangible value for the insurance company. However, providing an insurance company with a daily data breakdown of one's health is an unacceptable tradeoff for some, regarding such a practice as an invasion of their privacy. 

As of May 2018, all EU citizen's privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required by all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information, they must also clearly explain what types of personal information they intend to collect, how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines by European Information Commissioners.

For further details about the GDPR requirements and for Wearables Software Development Security Advice, read my IBM developerWorks 3 part guidance "A developer's guide to the GDPR" and my Combating IoT Cyber Threats

Wearable personal data is also of value to hackers and criminals, for instance, your fitness routine provides a clear picture of the best times to burglarise your home. With personal consumer data potentially at stake, fitness wearable manufacturers should incorporate both default privacy and security standards into the infrastructure of the device, to help ensure personal information remains safeguarded from known and future cyber threats.  ULa global safety science company, has developed testing for cybersecurity threats and offers security verification processes to assist manufacturers in assessing security risks and helping mitigate them before the product even goes to market. If the industry takes these steps, wearable consumers will feel safe and secure as they reap the intended benefits of this new innovation, while the wearables industry will be well positioned to meet the promise of its growth projections.