What can we learn from the Marriott breach?
The recent breach of 500M guest records with some of the most sensitive information of customers now ranks as the second worst breach in computing history. With some exceptions, the Marriott chain has been able to hold onto my loyalty with their service better than banks, credit card issuers, airlines and other service oriented brands. While Marriott will pay heavily for this lapse, what can others in the hospitality industry learn from this to avoid a similar fate? Root-cause analysis details of the breach are unavailable as of the time of writing, but it is fair to speculate how such a breach could have been avoided.
Statistically, the #1 reason companies succumb to data breaches is the use of an ancient technology to authenticate humans to systems: passwords. Invented in the mid-20th century, they are hopelessly incapable of protecting anyone on the current internet – a searchable database of 1.4B cleartext passwords, collected from past breaches, exists on the dark web. While stronger authentication technology based on digital certificates has been in use for nearly a quarter of a century, the challenges with its use have prevented it from displacing passwords despite billions spent on deployments around the world.
However, the availability of a cost-effective, consumer-friendly and secure technology from the FIDO Alliance – a non-profit standards group – changes the status quo. This technology remains undeployed in the hospitality industry despite the fact that it was standardized three years ago, has dozens of suppliers available worldwide, and is strong enough to be given the “highest assurance level” for authentication by the NIST Digital Identity Guidelines of 2017. Backed by more than 200 companies worldwide, FIDO protocols have the potential to eliminate the dreaded password from the internet – but only if companies take the first step to integrate the technology into their web applications.
If strong authentication with a FIDO technology is the first line of defense, the last bastion of defense is undoubtedly encryption of sensitive data. However, merely encrypting data without paying attention to cryptographic details can be disastrous. Marriott's press release indicates that guest data was encrypted, but that the company could not rule out the possibility that the two components necessary to decrypt the stolen data were also stolen by the attackers. This indicates that Marriott did not pay attention to the first rule of secure key management: it is virtually impossible to secure cryptographic keys without purpose-built cryptographic hardware in conjunction with appropriate key-management policies and procedures. Had Marriott implemented such controls, the system might still have been breached and the attackers might still have pilfered encrypted guest data, but they would have been unable to steal the cryptographic keys needed to decrypt that data.
The practice of using key components to back up, transport and/or reassemble cryptographic keys is still in use by many companies in the banking industry. However, when implemented securely, the components are always maintained off-line, where they are never accessible except when used by a key custodian to perform a key-management operation in conjunction with a purpose-built cryptographic hardware module. That Marriott could not rule out the possibility that attackers might have stolen the key components indicates that these “ready-to-assemble” components were stored on the same system as the encrypted data – a disastrous key-management practice.
While it might seem that using strong-authentication and encryption supported by purpose-built cryptographic hardware modules might solve all data-breach problems, there is another subtlety to a cyberattack on data that is relatively unknown – this could be simply because stealing unprotected or weakly-protected sensitive data is the “low hanging fruit” for cyberattackers. However, even when strong-authentication and encryption are in use, it is possible for companies to be affected by a more insidious attack: that of surreptitious modification of data within a system leading legitimate users of the system to make erroneous business decisions.
While this might appear to be a trivial business problem in comparison to the theft of sensitive information, depending on how data is used within the company, it could lead to financial and/or reputational losses. While attacks of this category are generally unknown today, it is conceivable that, if sensitive information is weakly protected, it is only a matter of time before cyberattackers discover other ways to steal from the hospitality industry.
Forward-thinking companies in the industry that choose to protect their systems with strong-authentication and appropriate encryption controls would be well advised to go further and add data-integrity controls to their records within systems. Digital signatures are a little-used protection mechanism that can be used to preserve and verify the integrity of data within systems. As with all technological risk-mitigation measures, while it requires a little effort during the design and construction of the system, its benefits endure – sometimes for decades.
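The record-level integrity control described above can be sketched as follows. This is an added example, not code from the article or from StrongKey; the record schema, the choice of Ed25519 and all names are assumptions, and the signing key is held in memory only so the demo is self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// GuestRecord is a constructed sample row; Sig is stored beside the data.
type GuestRecord struct {
	ID          uint64
	Name, Email string
	Points      uint32
	Sig         []byte
}

// canonical builds the signed message; %q escapes each string so field
// boundaries are unambiguous, and the prefix binds the record type.
func (r GuestRecord) canonical() []byte {
	return []byte(fmt.Sprintf("guest-v1|%d|%q|%q|%d", r.ID, r.Name, r.Email, r.Points))
}

// Seal returns a copy of the record carrying a signature over its fields.
func Seal(priv ed25519.PrivateKey, r GuestRecord) GuestRecord {
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// Check reports whether the stored signature matches the current fields.
func Check(pub ed25519.PublicKey, r GuestRecord) bool {
	return ed25519.Verify(pub, r.canonical(), r.Sig)
}

// Demo verifies an untouched row, an edited row, and a row whose
// signature was copied from another row.
func Demo() (clean, edited, swapped bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a := Seal(priv, GuestRecord{ID: 1, Name: "A. Guest", Email: "a@example.test", Points: 1200})
	b := Seal(priv, GuestRecord{ID: 2, Name: "B. Guest", Email: "b@example.test", Points: 90000})
	e, s := a, a
	e.Points = 900000 // balance changed in the database without the signing key
	s.Sig = b.Sig     // genuine signature, but issued for a different row
	return Check(pub, a), Check(pub, e), Check(pub, s)
}

func main() { fmt.Println(Demo()) }
```

Verification is only as trustworthy as the public key used for it, so that key must come from somewhere an intruder with database access cannot rewrite.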
There have been breaches in the hospitality industry before - although nothing comes close to the Marriott breach. We are likely to learn more about how the breach occurred in the coming weeks, and speculate on how much Marriott is likely to spend to cover the damage caused by it. But, there is no reason for others to wait to begin the task of better protecting hospitality systems and the guests that represent the life-blood of the industry. Whatever the cost may be to improve data-defenses, it will pale in comparison to the consequences of a loss of faith.
Arshad Noor is the CTO of StrongKey, a Silicon Valley and Durham, NC based company focused on securing data through key management, strong authentication, encryption and digital signatures. He has 32 years of experience in the Information Technology sector, of which, more than 19 were devoted to designing and building key-management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, as well as authored XML-based protocols for two Technical Committees at OASIS and represents StrongKey at the FIDO Alliance. He is also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE.