33% of companies within the digital supply chain expose common network services such as data storage, remote access and network administration to the internet, according to RiskRecon. In addition, organizations that expose unsafe services to the internet also exhibit more critical security findings.
The research is based on an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions. The data was analyzed in two strategic ways: the direct proportion of internet-facing hosts running unsafe services, as well as the percentage of companies that expose unsafe services somewhere across their infrastructure.
The research concludes that the impact is further heightened when vendors and business partners run unsafe, exposed services used by their digital supply chain customers.
“Blocking internet access to unsafe network services is one of the most basic security hygiene practices. The fact that one-third of companies in the digital supply chain are failing at one of the most basic cybersecurity practices should serve as a wake-up call to executives and third-party risk management teams,” said Kelly White, CEO, RiskRecon.
“We have a long way to go in hardening the infrastructure that we all depend on to safely operate our businesses and protect consumer data. Risk managers will be well served to leverage objective data to better understand and act on their third-party risk.”
Exposed unsafe network services: Key findings
- 33% of organizations expose one or more unsafe services across hosts under their control. As such, admins should either eliminate direct internet access or deploy compensating controls for when/if such services are required.
- Direct internet access to database services should be prohibited or secured. Within the top three unsafe network services, datastores, such as S3 buckets and MySQL databases are the most commonly exposed.
- Digital transformation and the shift to remote work needs to be considered. Remote access is the second most commonly exposed service; admins should consider restricting the accessibility of these services only to authorized and internal users.
- Universities are woefully exposed. With a culture that boasts open access to information and collaboration, the education sector has the greatest tendency to expose unsafe network services on non-student systems, with 51.9% of universities running unsafe services.
- Global regions lack proper security posture. Ukraine, Indonesia, Bulgaria, Mexico and Poland have the highest rates of domestically hosted systems running unsafe services.
- Beware of ElasticSearch and MongoDB. Firms that expose these services to the internet have a 4x to 5x higher rate of severe security findings than firms that do not run them on internet-facing hosts.
- Unsafe services uncover other security issues. Failing to patch software and implement web encryption are two of the most prevalent security findings associated with unsafe services.
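The two measures the study uses (the share of internet-facing hosts running an unsafe service, and the share of organisations exposing at least one anywhere) can be reproduced against a host inventory. The script below is an added example, not RiskRecon's tooling; the service list, default ports, organisations, hosts, addresses and firewall allowlists are constructed sample data, and "internet reachable" is approximated as a non-loopback bind address plus a firewall source allowlist that admits a non-private network.

```python
"""Audit a constructed host inventory for internet-exposed unsafe services.

Added example: finds datastore, remote-access and network-administration
listeners reachable from the internet and computes the two exposure rates
used in the study. Every record below is constructed sample data.
"""
import ipaddress

# Service categories the study treats as unsafe when internet-facing.
# Ports are the usual defaults and are an assumption for the sample data.
UNSAFE_SERVICES = {
    "mysql": ("datastore", 3306),
    "mongodb": ("datastore", 27017),
    "elasticsearch": ("datastore", 9200),
    "rdp": ("remote access", 3389),
    "vnc": ("remote access", 5900),
    "snmp": ("network administration", 161),
}

# (organisation, host, service, bind address, firewall source allowlist)
INVENTORY = [
    ("acme-corp", "db-01", "mysql", "0.0.0.0", ["0.0.0.0/0"]),
    ("acme-corp", "web-01", "https", "0.0.0.0", ["0.0.0.0/0"]),
    ("acme-corp", "jump-01", "rdp", "0.0.0.0", ["10.0.0.0/8"]),
    ("beta-uni", "search-01", "elasticsearch", "0.0.0.0", ["0.0.0.0/0"]),
    ("beta-uni", "lib-01", "https", "0.0.0.0", ["0.0.0.0/0"]),
    ("gamma-llc", "cache-01", "mongodb", "127.0.0.1", ["0.0.0.0/0"]),
    ("gamma-llc", "app-01", "https", "0.0.0.0", ["0.0.0.0/0"]),
]


def cidr_is_internal(cidr):
    """True for RFC1918, loopback and link-local source ranges; a /0 is
    never internal, whatever ipaddress says about its endpoints."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen > 0 and (net.is_private or net.is_loopback or net.is_link_local)


def is_internet_reachable(bind_addr, allowed_cidrs):
    """A listener is reachable when it is not bound to loopback and the
    firewall admits at least one non-internal source network."""
    if ipaddress.ip_address(bind_addr).is_loopback:
        return False
    return any(not cidr_is_internal(c) for c in allowed_cidrs)


def find_exposed_unsafe(inventory):
    """One finding per unsafe service that the internet can reach, with the
    remediation the study recommends: remove direct access or compensate."""
    findings = []
    for org, host, service, bind_addr, allowed in inventory:
        if service in UNSAFE_SERVICES and is_internet_reachable(bind_addr, allowed):
            category, port = UNSAFE_SERVICES[service]
            findings.append({
                "org": org, "host": host, "service": service,
                "category": category, "port": port,
                "remediation": "restrict source allowlist to internal ranges "
                               "or place behind VPN/bastion with MFA",
            })
    return findings


def exposure_metrics(inventory):
    """Host rate: unsafe-exposed hosts over internet-facing hosts.
    Org rate: organisations exposing at least one unsafe service."""
    facing_hosts, unsafe_hosts, orgs, exposing_orgs = set(), set(), set(), set()
    for org, host, service, bind_addr, allowed in inventory:
        orgs.add(org)
        if is_internet_reachable(bind_addr, allowed):
            facing_hosts.add((org, host))
            if service in UNSAFE_SERVICES:
                unsafe_hosts.add((org, host))
                exposing_orgs.add(org)
    return {
        "host_rate": len(unsafe_hosts) / len(facing_hosts) if facing_hosts else 0.0,
        "org_rate": len(exposing_orgs) / len(orgs) if orgs else 0.0,
    }


if __name__ == "__main__":
    for f in find_exposed_unsafe(INVENTORY):
        print(f"{f['org']}/{f['host']}: {f['service']} ({f['category']}, "
              f"tcp/{f['port']}) reachable from the internet -> {f['remediation']}")
    print(exposure_metrics(INVENTORY))
```

On the sample inventory, jump-01 (RDP allowed only from 10.0.0.0/8) and cache-01 (MongoDB bound to loopback) are not counted as exposed, which is the difference the compensating controls in the findings above are meant to make; the two rates come out to 40% of internet-facing hosts and two of three organisations.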
“This research should be welcome news to organizations struggling under the pressure to conduct exhaustive and time-consuming security assessments of their external business partners,” said Jay Jacobs, partner, Cyentia Institute.
“Similar to how medical doctors diagnose illnesses through various outward signs exhibited by their patients, third-party risk programs can perform quick, reliable diagnostics to identify underlying cybersecurity ailments.
“Not only is the presence of unsafe network services a problem in itself, but the data we examine in this report also shows that they’re a symptom of broader problems. Easy, reliable risk like this offers a rare quick win for risk assessments.”
Marriott International suffered a new data breach in mid-January 2020, which affected approximately 5.2 million guests.
What information was compromised?
According to the incident notification published on Tuesday, the attackers gained access to an application that hotels operated and franchised under Marriott’s brands use to provide services to guests, by obtaining and using the login credentials of two employees at a franchise property.
The breach was identified at the end of February 2020, and the company believes it dates back to mid-January 2020.
Contact details, loyalty account information, additional personal details (e.g., company, gender, birthday day and month), partnerships and affiliations (e.g., linked airline loyalty programs and numbers) and stay and language preferences of some 5.2 million guests have been compromised.
“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” Marriott International stated.
“Upon discovery [of the compromise], we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
Marriott International 2020 data breach: Potential consequences
The company has offered personal information monitoring services for some affected customers, has reset their Marriott Bonvoy (loyalty program) account password, and has warned them about the possibility that the compromised information may be used by criminals to “phish” additional sensitive information from them.
The phishing warning was echoed by several security experts.
“From what we know of the information exposed, this is the kind of data that provides good, raw material for cybercrime — exposed personal data is used for anything from generating phishing campaigns to targeted business email compromise,” Tyler Carbone, Chief Strategy Officer at digital risk protection provider Terbium Labs, told Help Net Security.
“Because employer affiliation is also exposed here, again, we can expect to see an uptick of attacks of this kind against the businesses whose employees’ data were compromised here. What’s been exposed here is data that enables certain kinds of attacks, as well as a list of companies those attacks can be directed toward. This illustrates exactly why it’s so important for all companies to understand and monitor for exposed data — when other companies have breaches, that exposed data makes future breaches of other companies more likely, and so on.”
Dylan Owen, senior manager for cyber services at Raytheon, added that information about travel and specifically travel patterns can be used for intelligence gathering purposes by many adversaries.
Potential consequences for Marriott International
Kelly White, CEO of RiskRecon, noted that this breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring.
“Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior,” he added.
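The anomaly White describes, one account retrieving millions of guest records, is the kind of thing user account activity monitoring is meant to surface. The detector below is an added example, not Marriott's tooling; the application log format (`timestamp account=… action=… guest=…`), the account names and the sample activity are all constructed. It counts distinct guest records retrieved per account in a sliding one-hour window and raises one alert per account the first time the count crosses a cap.

```python
"""Flag accounts that retrieve an anomalous number of distinct guest records.

Added example of user account activity monitoring. The log format and the
sample lines are constructed; the detector keys on account, action and the
guest record id and uses a sliding time window per account.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape: 2020-01-15T08:00:00 account=desk-01 action=guest_lookup guest=G1000
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) guest=(?P<guest>\S+)$"
)


def parse_line(line):
    """Return a dict with a datetime 'ts', or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bulk_lookups(lines, window=timedelta(hours=1), max_distinct=100):
    """One alert per account, raised the first time it has looked up more than
    max_distinct different guest records within any window-long span."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])          # window logic needs time order
    recent = defaultdict(deque)                   # account -> deque of (ts, guest)
    alerts, alerted = [], set()
    for ev in events:
        if ev["action"] != "guest_lookup":
            continue
        q = recent[ev["account"]]
        q.append((ev["ts"], ev["guest"]))
        while q and ev["ts"] - q[0][0] > window:  # drop lookups outside the window
            q.popleft()
        distinct = len({guest for _, guest in q})
        if distinct > max_distinct and ev["account"] not in alerted:
            alerted.add(ev["account"])
            alerts.append({
                "account": ev["account"],
                "at": ev["ts"],
                "window_start": q[0][0],
                "distinct_guests": distinct,
            })
    return alerts


def build_sample_log():
    """Constructed log: three front-desk accounts doing a lookup every 20
    minutes, plus one account pulling 300 guest records in half an hour."""
    lines = []
    start = datetime(2020, 1, 15, 8, 0, 0)
    for i in range(40):
        ts = start + timedelta(minutes=20 * i)
        for n, acct in enumerate(("desk-01", "desk-02", "desk-03")):
            lines.append(f"{ts.isoformat()} account={acct} action=guest_lookup guest=G{1000 + 3 * i + n}")
    bulk_start = datetime(2020, 1, 15, 22, 0, 0)
    for i in range(300):
        ts = bulk_start + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} account=franchise-desk-07 action=guest_lookup guest=G{5000 + i}")
    lines.append(f"{bulk_start.isoformat()} account=desk-01 action=login guest=-")
    return lines


if __name__ == "__main__":
    for a in detect_bulk_lookups(build_sample_log()):
        print(f"{a['at'].isoformat()} {a['account']}: {a['distinct_guests']} distinct "
              f"guest records since {a['window_start'].isoformat()}")
```

The cap and window are tuned per deployment; the point of the example is that the alert fires ten minutes into the bulk retrieval on the sample data, well before the account could work through a 5.2-million-record set, so dwell time is bounded by the detector rather than by a later external discovery.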
Samantha Humphries, security strategist at Exabeam, noted that if there is something positive to say about this breach notification, it’s that Marriott’s security team seems to have minimised the attacker’s dwell time to a little over a month.
“While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack. Despite this improvement – if we can call it that – whether the organisation did enough to shore up its security posture after the last breach will certainly be called into question,” she added.
As a reminder: Marriott International, which operates hotels and lodging facilities under different brands (Marriott, Starwood, Ritz-Carlton, Le Méridien, etc.), revealed in late 2018 that the Starwood network had been accessed without authorization since 2014 and that an unauthorized party had copied the contents of the Starwood guest reservation database.
In July 2019 the U.K. Information Commissioner’s Office announced its intention to fine Marriott International a little over £99 million for infringements of the GDPR, but the final decision has yet to be made.
“For Marriott, this breach will likely mean another round of expensive disclosures, and possible legal action. It will also mean an increased cost in fraud and misuse going forward, for any guests whose personal information is used to compromise Marriott itself in the future (fraudulent or erroneous reservations, upgrades, etc.),” Carbone pointed out.
“For businesses generally, we can expect this data to recirculate, creating more criminal activity against other businesses, and, in turn, other possible data breaches, if any of the exposed data here enables another attack in the future to be successful.”
RiskRecon, the world’s leading platform for easily understanding and acting on third-party cyber risk, and now a Mastercard company, announces its continued commitment to enabling the success of its customers in achieving good third-party risk outcomes, built on a foundation of great customer service and rapid technology innovation.
“We are honored to join with Mastercard in serving our rapidly growing customer base who rely on us to provide them accurate and actionable cybersecurity risk ratings and data that enable their success in managing third-party risk,” said Kelly White, CEO and co-founder, RiskRecon.
“In addition to accelerating our ability to scale our business and technology platforms, Mastercard brings very unique risk intelligence insights that will further enhance the value we deliver to our customers. We are very excited to reveal the new capabilities that we will be bringing to market in the coming months.”
“Continuous assessment of cybersecurity risk through an entirely objective vantage point is more important than ever for businesses and their CISOs worldwide,” said Simon Hunt, Executive Vice President, Cybersecurity Product Innovation, Cyber & Intelligence Solutions, Mastercard.
“Adding RiskRecon’s data-driven technology and AI to our offerings for banks and merchants changes the game in predicting and preventing breaches using unprecedented risk intelligence.”