What the Marriott International breach teaches us about social engineering
Yesterday, one of the largest hotel chains in the world, Marriott International, confirmed that it suffered its second data breach of 2022. Databreaches.net broke the news after receiving an anonymous tip.
During the breach, which took place in early June, a threat actor managed to gain access to an employee’s computer and obtained approximately 20 gigabytes of data including credit card details and confidential information about guests and workers, such as flight reservation logs.
The attackers, dubbed the Group with No Name (GNN), appear to have orchestrated a social engineering attack targeting employees working at the BWI Airport Marriott in Maryland (BWIA), and managed to trick one of them into granting access to their computer.
While the data breach has only affected 400 people, it highlights some valuable lessons for CISOs and security leaders, particularly regarding the threat posed by social engineering and the havoc that poor security awareness can wreak on an organization.
What the Marriott breach reveals about social engineering
The latest Marriott breach highlights that human error is one of the greatest risks to an organization’s security. All it took to exfiltrate the organization’s data was for the threat actor to manipulate an employee into handing over access to their device.
In the realm of cybersecurity, manipulation is one of an attacker’s most effective weapons. Unlike exploits or brute force attacks against endpoints or IT systems, which can be patched or mitigated consistently, human beings aren’t perfect, and they easily make the mistake of handing over login credentials or exploitable information.
“A primary mechanism being used by adversaries is social engineering. It’s simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time,” said Saryu Nayyar, CEO and founder of security operations and analytics provider Gurucul. “All it takes is one successful compromise to circumvent most preventative controls.”
Social engineering scams are a type of manipulation attempt where an attacker aims to trick an employee into sharing confidential information, infecting their device with malware, or handing over their login credentials.
An example of this is a phishing scam, where an attacker sends an email trying to trick a user into clicking on a malware attachment or visiting a phishing site.
The high effectiveness of these basic manipulation attempts is one of the main reasons why the number of social engineering attacks reached 25% of total breaches in 2022, and why the human element (social engineering, errors and misuse) accounts for 82% of breaches this year.
Even employees with high security awareness aren’t immune to being caught off guard, particularly when the average organization is targeted by over 700 social engineering attacks each year.
How organizations can respond to social engineering
One of the simplest ways organizations can address social engineering threats is with security awareness training, which teaches employees security best practices and what phishing, social engineering and other manipulation attempts look like, so they can avoid sharing any valuable information with cyber criminals.
“Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training,” said Roger Grimes, defense evangelist at KnowBe4. “Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to out these types of attacks.”
For additional security, Nayyar recommends that organizations also implement a detection program that monitors access controls and user behavior for abnormal or deviant activity, so that they can defend against internal threats as well as external ones.
It’s important to note that detection and response is an area where many enterprises are lacking, with research showing that 36% of mid-size organizations don’t have a formal incident response plan in place.
Above all: Don’t get a reputation as an easy target
Finally, this latest data breach reveals that enterprises can’t afford to gain a reputation as an easy target. If your company falls victim to a data breach, then there’s a high likelihood that other attackers will attempt to target you again, making the assumption that your organization has weak security controls.
“As this latest breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future. This attack does little to restore faith in Marriott’s data security following the massive breach of the data of 5.2 million guests in 2020,” said Jack Chapman, vice president of Threat Intelligence at Egress.
Given that this breach was the third of its kind that Marriott has experienced in the last four years, other organizations may now be looking at the hotel chain as a potential target.
The only way to avoid this predicament is to avoid being seen as an easy target — implementing the latest detection and response solutions and consistently investing in security awareness training to help employees embrace security best practices and mitigate human risk.