In response to news that of a major Security Platform Leaking Hotel Security Logs, Including Marriott Properties, an expert with Cequence Security offers perspective.
Ameya Talwalkar, Co-founder and CPO at Cequence Security:
Leaving applications that store sensitive information open to the Internet because of policy mismanagement or misconfiguration is a growing problem as cloud adoption grows. Although it results in security breaches which cause extensive damage to customers, losses to enterprises from fraud and brand loss, this is really not a traditional security attack problem. It’s more an issue of internal security discipline. Anytime an application is deployed on public cloud infrastructure, steps need to be taken to protect it, limiting access using appropriate security tools. Elasticsearch does not have built-in security – as it is expected to be talking only to other trusted applications, and only authenticated and authorized user sessions should be allowed to access these applications. The enforcement of authenticated access is (typically) delegated to appropriate security zoning and policy configuration, which clearly has not been done in this case. One other significant commonality among these breaches – they are usually discovered after the sensitive data has been scraped completely, usually when it makes it way to the dark web. There is no real-time detection and protection against these incidents – but there needs to be.
The stolen data represents a significant trove of information for bad actors to use to attack any one of the target hotels. But taken collectively, it supplies bad actors with 2 of the 3 key requirements needed to execute an automated attack: 1) some form of user authentication/credentials, and 2) infrastructure, typically compromised servers, PCs, laptops, devices. The 3rd requirement would be a management tool like Snipr, Sentry MBA, to execute automated attacks targeting business logic abuse (account take offers/ credential stuffing, loyalty program fraud, etc.) of the hotel’s public facing web, mobile, and API-based applications can be executed.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.