Marriott hit by hack but where was their log management?
December 2018 by Colin Tankard, Managing Director Digital Pathways
The hack of Marriott International Inc is the latest to be announced, and this one could be the largest breach in corporate history.
Details of some 500 million guests were accessed from the company’s reservation database at its Starwood unit. This included passport numbers, mailing and email addresses and even some credit card details.
The breach reputedly happened in 2014, which raises the question: why was no one checking the logs? Was there no log management system, were the system administrators negligent in their duty or, worse still, was the incident ignored?
A log management system collects data from servers, computers, routers, applications, databases etc. and generates information on what is happening in each system. All this diverse information is gathered together and, by looking at the trends or events happening on each system, an administrator can detect unusual behaviour, identifying a possible hack.
If these incidents go unchecked, a hacker has a free journey around the entire network, gaining access to more and more valuable resources such as personal data.
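The Python example below is added here to illustrate the kind of cross-system check a log management system makes possible; it is not part of the original article and does not describe Marriott's or Digital Pathways' systems. It flags an account whose database read volume jumps far above its own baseline on the same day it logs in from a host it has not used before. The event format, account names, host names and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not data from the incident), already normalised
# by a log collector to: (day, source system, account, field, value).
DAYS = ["2018-11-01", "2018-11-02", "2018-11-03", "2018-11-04"]
EVENTS = (
    [(d, "db", "svc_booking", "rows_read", n) for d, n in zip(DAYS, [1200, 1100, 1300, 250000])]
    + [(d, "auth", "svc_booking", "login_host", h) for d, h in zip(DAYS, ["app01", "app01", "app01", "ws-117"])]
    + [(d, "db", "dba_anna", "rows_read", n) for d, n in zip(DAYS, [40, 55, 38, 60])]
    + [(d, "auth", "dba_anna", "login_host", h) for d, h in zip(DAYS, ["lt-a", "lt-a", "lt-a", "lt-b"])]
)

def by_day(events, source, field):
    """Yield (day, account, value) for one source/field in chronological order."""
    for day, src, account, fld, value in sorted(events, key=lambda e: e[0]):
        if src == source and fld == field:
            yield day, account, value

def volume_anomalies(events, factor=10, min_history=3):
    """Days on which an account read far more rows than its own median so far."""
    history, flagged = defaultdict(list), set()
    for day, account, rows in by_day(events, "db", "rows_read"):
        past = history[account]
        if len(past) >= min_history and rows > factor * median(past):
            flagged.add((day, account))   # outliers are kept out of the baseline
        else:
            past.append(rows)
    return flagged

def new_host_logins(events):
    """Logins from a host the account has not used before (after its first)."""
    seen, flagged = defaultdict(set), {}
    for day, account, host in by_day(events, "auth", "login_host"):
        if seen[account] and host not in seen[account]:
            flagged[(day, account)] = host
        seen[account].add(host)
    return flagged

def correlate(events):
    """Alert only where both signals agree on the same account and day."""
    hosts = new_host_logins(events)
    return sorted((day, acct, hosts[(day, acct)])
                  for day, acct in volume_anomalies(events) if (day, acct) in hosts)

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", *alert)
```

Requiring both signals keeps the second account, which only changes host, out of the alert list while still surfacing the account that changes host and read volume together.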
According to Colin Tankard, Managing Director of data security company, Digital Pathways, “when a hack occurs there are usually three stages. First, the primary hacker gains access and takes what they want. Second, the way in to the network is shared by the primary hacker to their colleagues and community. They then ‘pick over the bones,’ much like a vulture does after the lions have had their fill. Finally, login details are shared openly to all hackers on various websites and then all the wannabe hackers come in to ‘have a party’ inside the network. The most damage is often done at this point.”
The second question to raise is, where were the encryption keys being stored?
According to Marriott, the data was encrypted but the encryption keys were taken, so the data could be read.
“There should always be separation of duties between administrators and security as well as encryption key storage and the systems the encryption is being used on,” says Tankard. “Any system that does not have this in place has a major flaw in its data security strategy. I always advise that encryption keys should be stored in a High Security Module (HSM) administered by the security team.
“The HSM is a server which creates encryption keys, stores them and when needed by an application, passes the encryption key for use. The key is never stored permanently in the application,” explains Tankard.
He adds, “It is also very important to change the encryption key on a regular basis; this is called key rotation.
“There is simply no cutting corners when it comes to data security, especially in today’s climate where cyber-criminals are on the increase and strident legislation, such as GDPR, is in place.
“Where personal data is being stored, robust data security systems must be in place but not only this, they must be managed in a responsible and timely way.”