What the Marriott Breach Says About Security

For discussions about security.
Post Reply
Message
Author
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

What the Marriott Breach Says About Security

#1 Post by labbe5 »

https://krebsonsecurity.com/2018/12/wha ... -security/

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.


Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.


Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful: Your Starwood account number, your address, phone number, email address, passport number, dates and times of your reservations, and credit card information.

User avatar
nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13
Contact:

Re: What the Marriott Breach Says About Security

#2 Post by nosystemdthanks »

labbe5 wrote:Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.[/i]

Assuming compromise means placing very little trust or confidence in anything that comes to you via email. In the context of this Marriott/Starwood breach, for example, consider all the data points that attackers may now have to make a phishing or malware attack more likely to be successful:
very true.
[color=green]The freedom to NOT run the software, to be free to avoid vendor lock-in through appropriate modularization/encapsulation and minimized dependencies; meaning any free software can be replaced with a user’s preferred alternatives.[/color]

User avatar
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#3 Post by rufwoof »

$1000 per account details lost/stolen/passed on would be a great incentive for operations to better protect such details. Any internet facing system(s) that have access to entire databases block fashion are a failure point. Should only be permitted access/entry on a single record at a time/session basis.

Over time I've monitored the frequency of ticking 'do not share my details' has simply been ignored and the details still clearly sold on. For instance a registration with Investors Chronicle in the name of First name : Iam Surname : Chronic has generated massive amounts of junk mail addressed to Mr Iam Chronic, postal, email and phone ... despite having ticked the privacy option when initially registering. But pointless progressing those as there's no meaningful lawful reprimand for that breach. Now if there was a $1000 incentive, swathes would pursue such prizes and the issues would rapidly decline/cease as more often the cost of bankruptcy would outweigh any potential benefits.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

Post Reply