Cybersecurity experts on lessons learned from Marriott's latest data breach

International hotelier Marriott suffered another cyberattack, it was reported this week.

Hackers took 20 gigabytes of data, including credit card details. Up to 400 people's personal information was stolen.

CRN contacted numerous tech and cybersecurity figureheads to gauge expert opinion on the incident and what could be learned from it.

How these attacks occur

It is important to understand how attackers compromise companies' cyber assets in order to better prevent and mitigate future incidents.

Kevin Curran, an IEEE senior member and professor of cyber security at Ulster University, told CRN, "For an attacker, it takes incredible concentration to be successful; there's a lot of effort involved in staying under the radar… Cyber-criminals often target large numbers of employees through a series of attacks using tailored techniques or dynamic websites to outsmart IT teams and bypass security systems. It has an alarmingly high success rate and can be very hard to detect.

"Sophisticated malware is able to delete itself and its audit trails once the attack is done, but most malware stays on the system and is never found. Your average IT administrator would find it really hard to detect a backdoor. There are intrusion detection and prevention systems, or SIEM (real-time monitoring) software, that look for outliers and nefarious activity as such, but it's generally impossible."

Tim Sadler, CEO at Tessian, adds, "The attacks are only getting harder to spot; all it takes is for one sophisticated email to bypass defences and one distracted employee to miss the signs, or be manipulated into thinking they're communicating with a trusted connection, before it's too late."

Defending against Social Engineering

The attack on Marriott was a case of social engineering: the hackers persuaded a staff member to allow open access to their system.

Dominic Trott, UK head of strategy at Orange Cyberdefense, said, "The data breach suffered by Marriott Hotels highlights the ever-increasing issue of the insider threat, whether malicious or - as it would seem in this case - unwitting."

He adds that the threat of social engineering requires better training and awareness: "Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively.

"The need for defence-in-depth strategies that work to mitigate human error has never been more vital for businesses across all sectors, as the rise of flexi-working has resulted in work being a thing people do, rather than a place they go. Working in their own homes and other environments they're comfortable in can cause staff to lower their defences and become more susceptible to social engineering attacks, as suffered by Marriott."

Ricky Magalhaes, director of managed security services at Logicalis Jersey and Logicalis Guernsey, said it was critical to "train your staff" to build "awareness" and avert the "intimidation and trickery" of cyber criminals.

What damage can be done?

Cyberattacks have the power to shut down a business temporarily, take critical data, damage a company's reputation, and hurt its customers.

Oliver Pinson-Roxburgh, CEO at Defense.com, said: "Cyberattacks cause severe damage, both financially and reputationally, to businesses. Cyberattacks can disrupt multiple avenues of an organisation's infrastructure and operational capabilities, such as taking down websites or delivery systems.

"More worryingly for businesses, they can disrupt and damage data storage. Customers trust companies with large amounts of personal and commercial data, and cyberattacks often aim to appropriate or impair this data. This can have a significant adverse effect on a company's reputation."

Etienne Greeff, CEO at Flow Communications, says that the cost is determined by the type of attack. "If it is wormable ransomware (something that spreads automatically), as was the case with WannaCry, the effect is immediate and very apparent.

"The more dangerous type is the one where the attacker is lurking in your network, gaining information for use in some sort of extortion or follow-on attack. There is no initial disruption, as the attacker is trying to be stealthy, but huge commercial disruption later when they make their demands."

What to do after an attack

Once an attack takes place, a company's response can be critical for its profitability and future. Damage can be limited if an organisation can return to full operations with speed.

Greeff said: "Unfortunately it is not a question of 'if' [a company is attacked] but more of 'when': even cybersecurity leader FireEye got compromised.

"The critical thing is to deal with it as quickly as possible and to have full transparency. A well-rehearsed incident response and recovery plan is what makes the difference between an issue and a disaster."

Scott Nursten, CEO at ITHQ, said, "A well-prepared firm will have carried out crisis simulations, so follow the playbook… unfortunately, most firms are in a state of panic and end up making big mistakes. The key is to prepare yourself effectively. Obviously, if you're breached and not in a state to respond, engage a firm that has experience in DFIR (digital forensics and incident response)."

Ricky Magalhaes said that, in the wake of an attack, firms have three options. The first is to "phone a friend", meaning call a company with the know-how to orchestrate the response. Secondly, they can "try to fix it themselves" or, third, a company could "ask the community for assistance". But he says authorities and agencies are "overwhelmed" by the scale of cyberattacks.

Steve Moore, chief security strategist at Exabeam, said that firms should focus on managing the damage.

"Even with social engineering, there's typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next - credential theft and misuse, along with deviant behaviour.

"All organisations must be prepared and ready for a cyberattack, as they increase in volume. Defences need to stretch from cutting-edge technical systems to staff education."
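Moore's point about watching for "credential theft and misuse, along with deviant behaviour" after the initial social-engineering contact, and Curran's earlier remark about monitoring software that "looks for outliers", describe the same defensive idea: build a per-user baseline of normal authentication and alert on departures from it. The script below is an added illustration written for this page; it is not code from CRN, Exabeam or any of the experts quoted. The log format (timestamp, user, source IP, country, result), the three-day baseline window, the thresholds and the sample log lines are all constructed assumptions chosen to make the checks fire.

```python
"""Baseline-deviation checks over constructed authentication events.

Added example for this article (not CRN's, Exabeam's or any quoted expert's
code). The log layout, field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<ISO timestamp> <user> <src_ip> <country> <result>".
# Days 1-3 form the baseline; day 4 contains the behaviour we want to surface.
SAMPLE_LOGS = """\
2022-07-01T08:02:11Z alice 203.0.113.10 GB success
2022-07-01T08:05:40Z bob 198.51.100.7 GB success
2022-07-02T08:10:03Z alice 203.0.113.10 GB success
2022-07-02T09:00:00Z bob 198.51.100.7 GB success
2022-07-03T08:01:55Z alice 203.0.113.10 GB success
2022-07-04T03:14:09Z alice 192.0.2.44 RO failure
2022-07-04T03:14:21Z alice 192.0.2.44 RO failure
2022-07-04T03:14:33Z alice 192.0.2.44 RO success
2022-07-04T03:20:00Z alice 192.0.2.44 RO success
2022-07-04T08:00:00Z alice 203.0.113.10 GB success
2022-07-04T09:00:00Z bob 198.51.100.7 GB success
"""
CUTOFF = datetime(2022, 7, 4)  # events before this build the baseline (assumed)

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str  # "success" or "failure"

@dataclass
class Baseline:
    countries: Set[str]  # countries the user has successfully logged in from
    hours: Set[int]      # hours of day with at least one successful login

Alert = Tuple[datetime, str, str, str]  # (time, user, alert type, detail)

def parse_log(text: str) -> List[AuthEvent]:
    """Parse the whitespace-separated sample format into sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, ip, country, result))
    return sorted(events, key=lambda e: e.ts)

def build_baseline(events: List[AuthEvent], cutoff: datetime) -> Dict[str, Baseline]:
    """Record where and when each user normally authenticates successfully."""
    base: Dict[str, Baseline] = defaultdict(lambda: Baseline(set(), set()))
    for e in events:
        if e.ts < cutoff and e.result == "success":
            base[e.user].countries.add(e.country)
            base[e.user].hours.add(e.ts.hour)
    return base

def detect(events: List[AuthEvent], cutoff: datetime,
           fail_threshold: int = 2,
           fail_window: timedelta = timedelta(minutes=5),
           travel_window: timedelta = timedelta(hours=6)) -> List[Alert]:
    """Flag successful logins after the cutoff that deviate from the baseline."""
    baseline = build_baseline(events, cutoff)
    alerts: List[Alert] = []
    recent_failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    last_success: Dict[str, AuthEvent] = {}
    for e in events:
        if e.result == "failure":
            recent_failures[(e.user, e.src_ip)].append(e.ts)
            continue
        if e.ts >= cutoff:
            b = baseline.get(e.user)
            if b is not None:
                if e.country not in b.countries:
                    alerts.append((e.ts, e.user, "new_country", e.country))
                if e.ts.hour not in b.hours:
                    alerts.append((e.ts, e.user, "unusual_hour", str(e.ts.hour)))
            # A success shortly after repeated failures from the same source
            # is the classic signature of guessed or stolen credentials.
            fails = [t for t in recent_failures[(e.user, e.src_ip)] if e.ts - t <= fail_window]
            if len(fails) >= fail_threshold:
                alerts.append((e.ts, e.user, "success_after_failures",
                               f"{len(fails)} failures from {e.src_ip}"))
            # Two successes from different countries within a short window
            # cannot both be the legitimate user travelling.
            prev = last_success.get(e.user)
            if prev is not None and prev.country != e.country and e.ts - prev.ts <= travel_window:
                alerts.append((e.ts, e.user, "impossible_travel", f"{prev.country}->{e.country}"))
        last_success[e.user] = e
        recent_failures[(e.user, e.src_ip)].clear()
    return alerts

def run_example() -> List[Alert]:
    return detect(parse_log(SAMPLE_LOGS), CUTOFF)

if __name__ == "__main__":
    for ts, user, kind, detail in run_example():
        print(f"{ts.isoformat()} {user:6} {kind:24} {detail}")
```

In the sample, only alice's day-4 activity is flagged: a login from a country and hour never seen in her baseline, immediately after two failed attempts from the same address, followed by a login back from her usual location a few hours later. Bob's day-4 login matches his baseline and produces nothing. A real deployment would build the baseline over weeks rather than three days, widen the hour tolerance, and feed the alerts into the SIEM rather than printing them, but the shape of the check is the same.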