Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Searching for: marriott

 

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common demonitor: All of those organizations have now disclosed massive data breaches over a span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders: …more

MY TAKE: Identity ‘access’ and ‘governance’ tech converge to meet data protection challenges

By Byron V. Acohido

As companies make more extensive use of evermore capable – and complex — digital systems, what has remained constant is the innumerable paths left wide open for threat actors to waltz through.

Related: Applying ‘zero trust’ to managed security services.

So why hasn’t the corporate sector been more effective at locking down access for users? It’s not for lack of trying. I recently discussed this with Chris Curcio, vice-president of channel sales at Optimal IdM, a Tampa, Fla.-based supplier of identity access management (IAM) systems, which recently announced a partnership with Omada, a Copenhagen-based provider of identity governance administration (IGA) solutions.

Curcio walked me through how identity management technologies evolved over the past two decades. He pointed out how they’ve gone through a series of consolidations, including one unfolding right now. I found this historical overview to be quite instructive. It shed light on how we got to this era of companies struggling to secure highly complex networks, housed on-premises and in overlapping public and private clouds, while at the same time striving to optimize the productivity of employees and – increasingly — third-party suppliers and contractors.

Fortunately, the identity management space has attracted and inspired some of the best and brightest tech security innovators and entrepreneurs. And the encouraging news is that the best of them have, once again, begun to seek out alliances in an effort to elevate baseline protections. Here are takeaways from our fascinating discussion:

Access pain points

As this century began, and companies began assembling the early iterations of modern business networks, there was a big need for employees to log into company email systems and business applications. So along came a group of startups supplying “single sign-on” capability – a way for a user to access multiple applications with one set of credentials.

A separate set of startups soon cropped up specifically to handle the provisioning of log on accounts that gave access to multiple systems, and also the de-provisioning of those accounts when a user left the company. It wasn’t too long before the single sign-on suppliers and the provisioning vendors began to merge; most of the leaders were acquired by tech giants like Oracle, IBM, Cisco, CA Enterprises and Sun Microsystems.

Not long afterwards, in about the 2010 time frame, IAM vendors first arrived on the scene, including Optimal IdM, Centrify, Okta and CyberArk, followed by many others. These vendors all spun out of the emergence of a new set of protocols, referred to as federated standards, designed to manage and map user identities across multiple systems. The IAM vendors took single sign-on to the next level, adding multi-factor authentication and other functionalities. …more

MY TAKE: What it takes to beat cybercrime in the age of DX and IoT: personal responsibility

By Byron V. Acohido

Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.

Related:  A primer on machine-identity exposures

I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.

And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.

…more

MY TAKE: Why companies should care about 2.2 billion stolen credentials circulating in easy reach

By Byron V. Acohido

Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground.

Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.

Related: Massive Marriott breach closes out 2018

Ever wonder where the tens of millions of consumer records stolen from Marriott, Yahoo, Equifax, Dropbox, Linked In,  Target, Home Depot, Sony, Anthem, Premera Blue Cross, Uber and literally thousands of other organizations that have sustained major network breaches ends up?

This data gets collected and circulated in data bases that the thieves initially attempt to sell for big profits on the dark web, as reported by Motherboard. The work of these researchers shows how, at the end of the day, much of the stolen personal data eventually spills over into the open Internet, where it is free for the taking by  anyone with a modicum of computer skills.

Credential stuffing

The clear and present risk to the average consumer or small business owner is that his or her stolen account credentials will surface in one or more credential stuffing campaigns. This is where criminals deploy botnets to automate the injection of surreptitiously obtained usernames and password pairs until they gain fraudulent access to a targeted account. And once they do, they swiftly try to gain access to accounts on other popular services.

Reddit earlier this month acknowledged that credential stuffers locked down a “large group of accounts.” The social news aggregation site informed the victims that would need to reset their passwords to regain access, and, notably, advised them to choose strong, unique passwords. …more

GUEST ESSAY: ‘Tis the season — to take proactive measures to improve data governance

By Todd Feinman

The holiday season is upon us and the bright lights and greenery aren’t the only indicators that we’ve reached December.

Sadly, data breaches often occur at this time of year. Recently we’ve seen major news stories about breaches at Starwood Hotels and Quora.

Related podcast: The need to lock down unstructured data

Last year, at this time, it was announced that there was a significant privacy leak at eBay affecting many customers. And, it was just before the holidays in 2013 that Target announced the infamous breach impacting more than a hundred million people.

The list goes on, and with each incident everyone is always asking the same question — Could this have been prevented and how? Every large brand is acutely aware that securing its data is of foremost importance in today’s world, and that by protecting data you are protecting the brand’s equity.  That should be obvious after what we see in the news, however, it’s not always so straightforward.

According to the Poneman analyst report, The Importance of DLP in Cybersecurity Defense, many organizations still believe, “it’s probably not going to happen to me.” The first step toward fortifying one of the company’s most valuable assets — customer or employee data — is to get to know the data better. …more

Concerns rise as hotel chains disclose data breach

SEATTLE — The disclosure of consumer data breaches at certain Marriott, Hilton, Sheraton and other major hotel chains managed by White Lodging Hotels comes as Congress is getting briefed about how cybercriminals are taking advantage of flaws in systems that collect and store sensitive data.

News: White Lodging warns of breach

Senators Al Franken, Dick Durbin, and Diane Fienstein yesterday got an earful from senior executives from Target and Neiman Marcus and a full slate of industry experts.

Sterne Agee analyst Vijay Rakesh says two big takeaways from Tuesday’s sessions on Capitol Hill were:

The October 2015 timeline issued by Visa and MasterCard …more

Spear phishing wave could follow hack of e-mail marketer Epsilon

The Epsilon hack, in which potentially millions of consumers names and e-mail addresses were pilfered, is the latest in a running series of similar disclosures.

Comodo, which manages the digital certificates used to authenticate websites, such as Google, Yahoo, Skype and Windows Live, last month disclosed that intruders stole the means to create faked websites that look and behave like the real ones.

And RSA, the security division of EMC, recently disclosed that intruders gained access to the technology behind RSA security tokens, small devices that issue one-time pass codes generally used for accessing sensitive corporate accounts.

“It’s getting harder for companies to hide when they’ve had a …more