How Much Damage Can One Compromised Supplier Cause? Ask Trump Towers, Loews, and Hard Rock…
By: Carolyn Crandall
The Trump Hotel Collection (THC) recently reported it has suffered its third data breach in three years. It seems not even a President’s property is safe.
Trump Hotels has not revealed how many customers the breach might have impacted but shared that compromised information included cardholder names, payment card numbers, and card expiration data and security codes. In some cases, it also included guest names, email addresses, phone numbers, addresses, and other personal information.
Attackers accessed reservation information at 14 Trump properties by breaching the Sabre Corp. central reservation system. According to a THC statement, the last breach occurred on March 9, 2017.
The Trump properties were not alone in being breached. In May, Sabre revealed hackers had compromised its SynXis hotel booking management system, and at the end of June, Google instructed employees to be on the lookout for suspicious activity on their cards, because one of its travel agencies, Carlson Wagonlit Travel, was potentially exposed to the SynXis breach. Notably, Carlson Wagonlit is also said to handle more than five million transactions annually of U.S. military and government travel.
Additionally, earlier in July, the Hard Rock chain warned its customers that 11 of its properties may have been caught up in the breach. According to Hard Rock, Sabre advised them that the system breach ran from August 2016 to March 2017.
Luxury hotel chain Loews Hotels also warned its customers that a data breach may have resulted in hackers stealing financial information. They stated that the unauthorized access was ongoing for seven months between August 2016 and March 2017. They also highlighted that Sabre told Loews about the breach in June.
With increasing frequency, hackers are targeting the suppliers and partners of large organizations that they are ultimately trying to breach. All too often, they are finding vulnerabilities in these partners’ security infrastructure and are using these to compromise the larger organization and its customer data. In this environment, enterprises must expand their adaptive defense strategies to include these entities. Rik Ferguson, VP of security research at Trend Micro, puts it well, “It’s part of your due diligence to ensure that your suppliers are of the same security standard.” I would also add that it is still ultimately the organization’s responsibility to have the right security controls in place to quickly detect when partners or suppliers open new security gaps or fail to stop an attack.
As part of the settlement of the Trump Tower’s breach, the chain promised to strengthen employee training, risk assessment and testing of “key controls, systems, and procedures.” It is safe to say that in the event the chain faces a fourth breach, the financial repercussions and penalties will be dramatically more severe.
For an enterprise’s own best interest, IT and security teams need to assume that the traditional network perimeter no longer exists and that they need to extend the best practices of their organizations to their suppliers and partners. Extending best practices should not be a one-time occurrence, but an ongoing collaboration with suppliers and partners to continuously understand how well they are maintaining their defenses and through detection controls, validate the reliability of these systems. An enterprise’s security infrastructure is only as strong as the weakest link, and that can often be the infrastructure of its supplier and partner networks. The core activities these suppliers and partners should execute include:
- Employ an in-network defense-in-depth strategy that includes visibility into unauthorized scanning and reconnaissance of an attacker and into potentially unauthorized devices as they appear on the network.
- Assess vulnerabilities based on likely attack paths that a hacker would traverse through misconfigured systems or credential misuse that would permit a supplier or partner to gain access to the enterprise.
- Topographical illustrations of attack paths can provide insight for a straightforward view of how an attacker can move laterally once they have engaged with their first end-point system.
- Manage authorization. Systematically review who gains the highest level of access with a view to minimizing this through the use of aggressive expiration date policies, log monitoring, and prompt termination of unused or unauthorized credentials. Having a process to identify where orphaned credentials may exist can also be advantageous.
- Address business continuity. Because it is likely the supplier or partner will suffer a breach at some point, establish strategies for business continuity for both the supplier or partner as well as the enterprise that contain and minimize risks, while enabling all employees to continue working.
- Share information proactively. Multiple hospitality industry associations serve as a valuable resource for collaboration on identifying and remediating cyber security threats. The R-ISAC is an emerging organization modeled after the financial and healthcare services ISACs and seeks to facilitate the sharing of attack information and threats amongst its members.
- Penetration test the connections from suppliers to see what channels of risk are open and how well existing security controls detect nefarious behavior.
At Attivo, we have seen an increased interest from hospitality and retail in deception-based threat detection. Our typical uses cases include advanced threat detection, ransomware and credential theft detection. As of recent, we have seen insider, contractor, supplier, and even acquisition management all surface as projects focused on gaining visibility and early detection into threats that have been able to bypass their existing security controls. These companies have chosen to go on the offensive against their adversaries and to test the reliability and resiliency of their supplier accessible networks. They are also rolling out projects designed to set traps in wait, to catch the attacker during initial reconnaissance through to lateral movement and credential privilege escalation.
Extending defense strategies to a supplier and/or partner network undoubtedly adds a new level of complexity. To some, this may feel time intensive and out of scope of any of their security projects or budgets. It is, however, essential to put the security controls in place to ensure that suppliers don’t create security gaps and compromise an organization’s brand. In the end, as Trump Towers, Loews, and Hard Rock Properties have all seen, the final price of a breach is always borne by the brand of that organization and rarely by that of the supplier. This is not the time for a passive defense, but instead, a time to go on the offense, to, as we like to say here deceive, detect and defend against the enemy.