Very few data breaches have garnered as much attention recently as the Starwood/Marriott breach in which up to 500 million records may have been accessed by an unauthorized user. It’s suspected that the encryption keys that protected personally identifiable information (PII), specifically payment card data, were also compromised.
Much has been written about what is known about the breach and what it may mean for Starwood customers. Looking at this event from a CSO/CISO perspective, it’s pretty obvious that the systems designed to prevent these types of activities were not actually in place at Starwood for at least the past four years. Additionally, Marriott was clearly not aware of any issues during the acquisition process. It seems that post-acquisition, Marriott began auditing and was able to detect the breach within days.
The role of the CSO is complex and can actually hold different job requirements across companies. In many organizations, we are the guardians of the brand at a digital level ensuring all data is protected, systems are secure and that IP stays safe. We have procedures in place to make sure that our systems are functioning accordingly, and have invested in extensive controls to ensure everything continues to work as our internal and external policies advertise.
So what happens when a company decides to acquire another company? Most acquisitions are based upon the purchase of IP or functionality that our organization deems important, or are propelled by client lists, sales, and economics. During that process (often driven by financial leadership), we must ensure security gets a seat at the table and become an advocate for due diligence surrounding digital security. But once we’re there, the challenge is how we best balance our role to facilitate the transaction while diving deep into the trenches where we may uncover issues that could potentially sink the deal.
The easiest answer is three-fold: take best practices and industry standards to see if they have been applied, review system audits, and identify security investments that have been made across the enterprise. Checkbox compliance is easy, but generally proves to be ineffective. Accepting that a company followed the rules isn’t enough to claim victory and the Starwood breach is the case study that explains why.
Do You Know Who is Accessing Your Data?
Perhaps the most concerning element about this breach is that Starwood seems to have been in the dark about what was going on. The fact that the breach is suspected to have gone on for four years without recognition is evidence that no detection was in place, and no routine reviews of access logs were being conducted. While it can be difficult to fully determine if data is being appropriately accessed, the basics still need to be a part of all due diligence activities. Is every attempt to access the data getting logged? Are the logs reviewed? If so, how often? Taking these simple steps will go a long way in establishing confidence that the data is being actively managed and secured safely. And with more robust processes and analytics that provide actionable guidance, patterns and anomalies should be easily identifiable.
Simply put, encrypting data is no longer enough and needs to be supported by key management. CSOs concentrate on the quality of the encryption and the algorithms used, but we do not pay enough attention to the keys themselves. I often hear, “we use vendor x or product y” when it comes to key management. Granted, there are great products on the market, but key management is not just a product implementation. It requires proactive review and ongoing supervision in order to succeed. Successful key management is a combination of a number of factors including products, policies, auditing, and trained experts who know what to look for.
Code signing is another area in which keys are used and, if not properly managed, introduce unnecessary risk in an M&A scenario. Think of code signing as the modern-day equivalent of holographic tags in consumer goods. It gives the consumer confidence that they are using a legitimate product that is backed by the vendor. When companies release code that is unsigned, they run the risk of someone changing the contents of the code, or worse yet, replacing the legitimate code with malware-laden code. The good news is that organizations are increasingly turning to code signing to protect their software and hardware against compromise. However, the same technology that protects the organization can also become a liability when not correctly implemented with proper controls.
In a perfect world, an organization would keep code signing certificates under lock and key – or in the IT world – in a hardware security module (HSM). Accordingly, businesses must implement policies and procedures to ensure only authorized persons or processes have access. Chances are there are code signing certificates in use throughout many organizations that are stored in the most convenient, rather than the most secure, manner.
When code signing keys are not properly managed, they run the risk of being leaked and used in nefarious ways. Code signing keys can be used to fool computers and users into installing software that seems legitimate, but is in fact malicious. Just like with encryption keys, code signing keys need management that is supported by products, policies, and regular auditing.
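The three preceding paragraphs describe what a signature on a release buys the consumer: a check that the bytes they install are the bytes the vendor produced. The following is an added example, not code from the original article or from any vendor it mentions, showing that check end to end in Go with the standard library's Ed25519. The `Artifact` type, the name-plus-payload digest, and the split between a signing side (which holds the private key and in practice would live behind an HSM) and a verifying side (which needs only the public key) are all assumptions made for the illustration. It demonstrates the two failure cases the text warns about: an artifact whose contents were altered after signing, and an artifact that was never signed at all, plus one the text implies, a signature lifted from one file and replayed onto another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is a release bundle: the bytes that ship plus a detached signature.
// This layout is an assumption for the example, not a real distribution format.
type Artifact struct {
	Name      string
	Payload   []byte
	Signature []byte // Ed25519 signature over digest(Name, Payload); empty if unsigned
}

// digest binds the artifact's name to its contents so that a signature made
// for one file cannot be replayed onto a different file with the same bytes.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" cannot collide
	h.Write(payload)
	return h.Sum(nil)
}

// SignArtifact runs on the release host that holds the private key.
// In a real pipeline the key would stay inside an HSM and only the
// digest would be sent to it; here the key is in memory for illustration.
func SignArtifact(priv ed25519.PrivateKey, name string, payload []byte) Artifact {
	return Artifact{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(name, payload)),
	}
}

// VerifyArtifact is what an installer or update client runs. It needs only
// the vendor's public key, never the private one.
func VerifyArtifact(pub ed25519.PublicKey, a Artifact) bool {
	if len(a.Signature) != ed25519.SignatureSize {
		return false // unsigned or malformed: refuse, do not guess
	}
	return ed25519.Verify(pub, digest(a.Name, a.Payload), a.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payload standing in for a real installer image.
	release := SignArtifact(priv, "installer.bin", []byte("constructed sample firmware v1.0"))
	fmt.Println("genuine release verifies:  ", VerifyArtifact(pub, release))

	// Contents altered in transit: same name, same signature, different bytes.
	tampered := release
	tampered.Payload = []byte("constructed sample firmware v1.0 plus injected bytes")
	fmt.Println("tampered release verifies: ", VerifyArtifact(pub, tampered))

	// Signature replayed from one artifact name onto another.
	replayed := SignArtifact(priv, "tool.bin", []byte("constructed sample firmware v1.0"))
	replayed.Name = "installer.bin"
	fmt.Println("replayed signature verifies:", VerifyArtifact(pub, replayed))

	// Never signed at all.
	unsigned := Artifact{Name: "installer.bin", Payload: release.Payload}
	fmt.Println("unsigned release verifies: ", VerifyArtifact(pub, unsigned))
}
```

The verifying side is deliberately tiny: everything it needs is one public key, which is why the private key can and should be kept in a hardware-backed store with access limited to the release process. Rotating or revoking that key is then a matter of distributing a new public key to verifiers, not of touching the verification code.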
One of the biggest questions coming out of the Starwood breach was why they would store all that incredibly valuable data in one place. While I fully understand the need for modern businesses to use all data available to better understand their customers, the reality is that centralizing data is a treasure trove for hackers if and when it’s breached. Common sense should lead decision makers to compartmentalize data into silos of need. For example, marketers, finance staff, and front-line managers all use different kinds of data for different purposes. If my role supports processing payments, I probably don’t need to know a customer’s bed preference or their passport number. One could argue that storing a customer’s passport number for longer than a hotel stay isn’t even something that a hospitality company should do. In any case, technologies that bring disconnected data together do exist, and their intent is to build a single view of a customer record. Personal and important data does not need to reside alongside persona or marketing data in order to work together in building a customer profile. Not housing data in a single location is an easy win in risk reduction should a breach take place.
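Two of the questions raised earlier, whether access logs are actually reviewed and whether a payments role has any business reading a passport number, can both be answered by the same routine review. The following is an added example, not code from the original article, that runs such a review in Go over a constructed audit log. The log format (timestamp, principal, role, record id, field read, source IP), the need-to-know matrix of which roles may read which fields, the business-hours window and the bulk-access threshold are all assumptions made for the illustration; a real deployment would take them from its own logging pipeline and access policy. The review flags three things: a read of a field the principal's role is not entitled to, a read outside business hours, and a principal touching more distinct customer records in a day than the threshold allows.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one line of a data-access audit log.
// The six-field layout is an assumption for this example.
type AccessEvent struct {
	When      time.Time
	Principal string
	Role      string
	RecordID  string
	Field     string
	SourceIP  string
}

// Finding is one item the reviewer should look at.
type Finding struct {
	Rule      string // "need-to-know", "off-hours" or "bulk-access"
	Principal string
	Detail    string
}

// allowedFields is the need-to-know matrix: which customer fields each
// role may read. Roles and field names are assumptions for the example;
// the point is that "payments" has no entitlement to passport_number.
var allowedFields = map[string]map[string]bool{
	"payments":  {"card_number": true, "billing_name": true},
	"marketing": {"bed_preference": true, "email": true},
	"frontdesk": {"passport_number": true, "bed_preference": true},
}

const (
	businessStartHour = 7  // UTC, inclusive
	businessEndHour   = 20 // UTC, exclusive
	bulkThreshold     = 5  // distinct records per principal per day
)

// sampleLog is a constructed audit log, not data from any real system.
const sampleLog = `2018-11-20T09:12:01Z alice payments cust-1001 card_number 10.1.4.22
2018-11-20T09:13:44Z alice payments cust-1002 card_number 10.1.4.22
2018-11-20T09:20:05Z bob marketing cust-1001 bed_preference 10.1.7.9
2018-11-20T10:02:17Z alice payments cust-1003 passport_number 10.1.4.22
2018-11-20T02:45:00Z bob marketing cust-1004 email 10.1.7.9
2018-11-20T14:00:01Z svc-export marketing cust-2001 email 10.1.9.3
2018-11-20T14:00:02Z svc-export marketing cust-2002 email 10.1.9.3
2018-11-20T14:00:03Z svc-export marketing cust-2003 email 10.1.9.3
2018-11-20T14:00:04Z svc-export marketing cust-2004 email 10.1.9.3
2018-11-20T14:00:05Z svc-export marketing cust-2005 email 10.1.9.3
2018-11-20T14:00:06Z svc-export marketing cust-2006 email 10.1.9.3`

// ParseAccessLog turns the raw log into events, rejecting malformed lines
// rather than silently skipping them (a gap in the log is itself a finding).
func ParseAccessLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		events = append(events, AccessEvent{ts, f[1], f[2], f[3], f[4], f[5]})
	}
	return events, nil
}

// ReviewAccessLog applies the three rules and returns every finding.
func ReviewAccessLog(events []AccessEvent) []Finding {
	var findings []Finding
	perDay := map[string]map[string]bool{} // principal|day -> distinct record ids
	for _, e := range events {
		if fields, known := allowedFields[e.Role]; !known || !fields[e.Field] {
			findings = append(findings, Finding{"need-to-know", e.Principal,
				fmt.Sprintf("role %q read %s of %s", e.Role, e.Field, e.RecordID)})
		}
		if h := e.When.UTC().Hour(); h < businessStartHour || h >= businessEndHour {
			findings = append(findings, Finding{"off-hours", e.Principal,
				fmt.Sprintf("read %s at %s from %s", e.RecordID, e.When.Format(time.RFC3339), e.SourceIP)})
		}
		key := e.Principal + "|" + e.When.UTC().Format("2006-01-02")
		if perDay[key] == nil {
			perDay[key] = map[string]bool{}
		}
		perDay[key][e.RecordID] = true
	}
	keys := make([]string, 0, len(perDay))
	for k := range perDay {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	for _, k := range keys {
		if n := len(perDay[k]); n > bulkThreshold {
			p := strings.SplitN(k, "|", 2)
			findings = append(findings, Finding{"bulk-access", p[0],
				fmt.Sprintf("%d distinct records on %s (threshold %d)", n, p[1], bulkThreshold)})
		}
	}
	return findings
}

// CountByRule summarises findings for a dashboard or a test.
func CountByRule(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Rule]++
	}
	return counts
}

func main() {
	events, err := ParseAccessLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range ReviewAccessLog(events) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

Run against the constructed log this reports one finding per rule: alice (payments) reading a passport number, bob reading at 02:45 UTC, and svc-export touching six records in a day. The need-to-know rule is the one that follows directly from compartmentalizing data by role; the other two are the kind of pattern that only shows up when someone actually reads the logs.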
The Safety Net of Standards and Compliance
We have all put trust in standards and compliance to be our safety net, but compliance is only as good as the cadence it honors, the parties who spend time reviewing them and the depth to which the standards go. I always consider why a standard was created and whom it’s intended to protect. All too often, the answer is the party or parties who developed the standard in the first place. Good examples are those types of standards that require encryption, but do not look at key management. Or they require certain SSL/TLS algorithms, but pay no attention to how certificates are created. There are numerous standards that serve the interests of the governing bodies, and not the companies who are expected to conform to them.
Deal or No Deal?
For many companies, fines are paid and damaged reputations become yesterday’s news. But the pain from an operational and/or business standpoint remains. How convincingly can you demonstrate commitment to investing in and rolling out a more robust security strategy? How quickly can a large enterprise really make changes or transform its approach? What’s the impact on your brand? We just partnered with the Ponemon Institute on an upcoming report and discovered that the damage to a company’s reputation from a breach – due to mismanaged keys – exceeds $16 million.
Marriott has already been named in class-action lawsuits seeking billions in damages. It’s a good bet that more suits will be filed. If you’re in the game looking for a future buyout, bad press and lawsuits can severely impact interest from potential suitors.
It’s far too soon to accurately predict what the Starwood breach will mean to the Marriott brand. However, it’s reasonable to assume there will be action taken to seek remediation for the citizens of EU countries via GDPR. This could be a penalty of at least 20 million euros, assuming the minimums apply. US lawmakers are already looking at more robust legislation that can drive required operational investments, new penalties and more, impacting a company’s bottom line. Will the longer-term result of the Starwood breach include a tighter due diligence process for M&A activities? Will the CSO take on a larger role, making digital security on par with financial due diligence? Will the valuation of a company be tied to the quality of the security applied to its data? Only time will tell. But it’s up to us in our security leadership roles to push for that inclusion. The stakes are just too high for things to stay the same.