Archive for the ‘Data Breach’ Category

Best Western denies the magnitude of the breach

Wednesday, August 27th, 2008

From the Phoenix Business Journal:
Best Western disputes security breach story

Best Western disputes the story, saying there was an isolated incident at a hotel in Germany.

“There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them,” said Best Western external communications director Troy Rutman.

Rutman said hotel guest information is protected by a network of firewall and protocols.

“Network of firewall and protocols” - we’ve heard that story before.

I guess that if they are indeed working with the FBI, they won’t be able to avoid the data breach notification requirements mandated by several states.

The saga continues.

Bill

More on the Best Western break in

Wednesday, August 27th, 2008

From the UK’s vnunet.com:
Hackers breach Best Western in data heist

It seems the hacker managed to insert a Trojan into the computers of a hotel and logged the user name and password of someone with sufficient security clearance to gain access to corporate servers.

Interesting, but not ingenious.

It does seem to indicate that the attack was targeted explicitly at data theft, rather than someone stumbling across a SQL injection attack vector.

How could defense-in-depth have helped here?

I guess we still need to learn a little more about how the attack progressed.

  • Did the user get remote access to the SQL server?
  • Was the website capable of retrieving this type of data if the user login credentials were sufficient?
  • Did the attacker’s trojan dial out to a remote server allowing the perpetrator to take complete remote control of the box?
  • Even if he had full remote control, was there any content filtering in place to prevent that data from traveling over the network? I guess the attacker could have encrypted the channel…

More from SecurityFocus.com:
Denial, hype cloud report of Best Western breach

“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel,” the company said in a statement released late Monday. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.”

Best Western said that it had narrowed down the number of customers affected to 10.


Reducing the risk of unauthorized information disclosure

Monday, August 25th, 2008

Motivating my thinking is yet another data breach.

This time, reported by Scotland’s Sunday Herald in an article:
Revealed: 8 million victims in the world’s biggest cyber heist

Target:
Best Western Hotels

What was lost:

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

According to Bill Brenner of SearchSecurity’s analysis of the 2007 Ponemon Institute study on data breach costs, the average cost of a data breach was roughly $200 per record.

The expected cost to Best Western: 8,000,000 records x $200/record = $1.6 billion USD.

Now, none of this is rocket science.

Research on the cost of a data breach is published regularly, and most companies can easily determine their total number of potential records.

Looking at a bedrock equation of information security:
Risk = threat x vulnerability x cost

We’ve already got the cost, and it should be assumed that an organization like Best Western should expect the threat of being attacked to be very high.

Last is the vulnerability component. The vulnerability is the loss of personally identifiable information up to and including the loss of credit card data.

While an organization like Best Western may not be able to affect the threat and cost components, they sure can do a lot on the vulnerability front.

They can do that through a number of mechanisms, both technical and non-technical (insurance and whatnot), and hence reduce the total risk.

I’ll focus on a few simple things:

1) Determine what is the most costly data to lose

For example, does an organization really need to maintain the credit card information of every patron after they have cleared their tab?

If so, should that data be encrypted?

And should access permissions be put in place that prevent bulk reads from the database account servicing the website?

How much non-credit card customer history information do you really need to use for business analysis?

If you don’t need more than 3 months of client data, then archive the rest off-disk.

The rule of thumb in this area is that if the data isn’t critical for business operation, then get rid of it, securely!
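To make point 1 concrete, here is an added example (my own illustration, not anything from Best Western or the articles quoted) that applies the two retention rules above to a constructed reservations table in sqlite3: card numbers are purged once the guest has checked out, records older than a 90-day window (my reading of “3 months”) are moved off the live table, and the only read path the website account is given is a single-row lookup by confirmation number, so there is no bulk read to steal from.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows, not real data: (confirmation, guest, card, checkout date)
SAMPLE = [
    ("A1", "Guest One", "4111111111111111", "2008-08-20"),    # checked out, card still stored
    ("A2", "Guest Two", "4222222222222222", "2008-03-01"),    # settled months ago: stale record
    ("A3", "Guest Three", "4333333333333333", "2008-09-10"),  # future stay: card still needed
]

def build_db():
    """Create the live table and an 'archive' table standing in for off-disk storage."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reservations (confirmation TEXT PRIMARY KEY, guest TEXT, card TEXT, checkout TEXT);
        CREATE TABLE archive (confirmation TEXT PRIMARY KEY, guest TEXT, checkout TEXT);
    """)
    conn.executemany("INSERT INTO reservations VALUES (?, ?, ?, ?)", SAMPLE)
    return conn

def minimize(conn, today_iso, keep_days=90):
    """Apply the retention rules and return (cards_purged, rows_archived)."""
    # Rule 1: once the tab is cleared (checkout reached), the card number has no business use.
    purged = conn.execute(
        "UPDATE reservations SET card = NULL WHERE card IS NOT NULL AND checkout <= ?",
        (today_iso,)).rowcount
    # Rule 2: anything older than the retention window leaves the live table entirely.
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=keep_days)).isoformat()
    conn.execute("INSERT INTO archive SELECT confirmation, guest, checkout "
                 "FROM reservations WHERE checkout < ?", (cutoff,))
    archived = conn.execute("DELETE FROM reservations WHERE checkout < ?", (cutoff,)).rowcount
    conn.commit()
    return purged, archived

def lookup(conn, confirmation):
    """The website's only query: one row by key, and the card column is never selected."""
    return conn.execute("SELECT guest, checkout FROM reservations WHERE confirmation = ?",
                        (confirmation,)).fetchone()

def live_card_count(conn):
    """How many card numbers remain exposed on the live table after minimization."""
    return conn.execute("SELECT COUNT(*) FROM reservations WHERE card IS NOT NULL").fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    print("purged, archived:", minimize(db, "2008-08-25"))
    print("cards still live:", live_card_count(db))
    print("lookup A3:", lookup(db, "A3"))
```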

2) Analyze insider access

Who/what, internally, has need-to-know access to the data?

How much access do they need?

Are policies, procedures and technical controls in place to prevent unauthorized access?

3) Analyze partner access

What partners have access to the data?

Exactly what data do they need?

Are they accessing the data using accounts that forbid unauthorized access to information they shouldn’t see?

What is the partner’s security policy for dealing with this information? Can you trust them?

4) Review policies, procedures, and do validation

Regular review of policies and procedures should be performed.

And most importantly, routine validation of the system should be performed.

A validation check should be both a timed and a triggered event. It should be timed regularly to ensure that it actually happens. And it should be triggered by such things as: a new partner added; a DBA is terminated; a new contractor is hired…

5) Assume the worst will happen

Because it will.

Bill