Following the report about Sabre breach, IT security experts from Prevalent, Inc., VASCO Data Security, FireMon, Cyphort Labs and Varonis Systems commented below.
Jeff Hill, Director of Product Management at Prevalent, Inc.:
“32,000 properties use Sabre’s reservation system, so the attackers were able to penetrate a single system and potentially access 32,000 additional targets. That’s a good day’s work, but what’s more disconcerting is that this number may not encapsulate the entirety of the potential attack surface. The compromised Sabre system, according to its website, offers “seamless connectivity to over 120 property management, 7 revenue management, 7 CRM and 18 content management solutions”, yielding another 152 potential applications this single successful attack could expose to the cyber criminals. Application interconnectivity enables myriad benefits that consumers of enterprise software take for granted, but it also gives cyber criminals multiple pathways with which to exploit a single breach. This expansive, tightly-linked “data supply chain” is a reality of the modern business world, and of the information security community. Managing risk across third party vendors, fourth party vendors, and the entire data supply chain has never been more important to an organization’s overall security posture.”
Shane Stevens, Director of Omni-Channel Trust & Identity Solutions at VASCO Data Security:
“The travel industry in the last two year has been sufficiently targeted by fraudsters from every channel that this breach could unequivocally have massive data security implications. The recent expansion of security roles in travel are a good indicator that the industry knows it has glaring security concerns. The simple access and multiple factor authentication controls, securing of end-to-end profile and payment transaction data, and protection of the mobile app are just some areas that need to take priority. Outside of being very concerned about using my mobile device to access my room, I would personally tell all consumers to cease and lock away the use of all debit cards and instead use charge cards to transact in order to protect themselves, as at this point, we are just not sure what is safe anymore.”
Paul Calatayud, Chief Technology Officer at FireMon:
“The opportunity for value is easily understood in regards to a stolen credit card. What becomes the bigger challenge is how hospitality systems gain visibility and oversight in complex, and in some cases unmanaged, eco-systems. The nature of these attacks is effective due to distributed technologies in properties where they have physical access. There may be a parent company or franchise, but often, it’s the local organization operating the establishment that is deciding on how to adhere and operate that technology. More emphasis needs to be placed on validation or monitoring at a centralized level vs. simply expecting everyone to follow corporate policies or more realistically, understand the policies. Financial and defense sectors, for example, face similar challenges in regards to branches or vast supplier connections, and in these environments nothing is left to chance or interpretation. Teams are detected in assessing and monitoring these systems.”
Mounir Hahad, Ph.D., Senior Director at Cyphort Labs:
“Unfortunately for the hospitality industry, this trend for breaches will only get much worse over time. That’s because several hotel chains have one of the worst security postures in IT I have come across. I have personally walked into a hotel room and easily mapped out the entire network diagram of their infrastructure after connecting to the local LAN, including which PC was used by the finance department, which one was handling bookings and which one belonged to the hotel manager. I showed this information to the IT staff on duty at night who were happy to let me meander unsupervised in the IT equipment room with access to all their networking gear. They even let me control a logged-in Admin PC. Anyone could have installed a backdoor with ease on those systems.
This clearly shows the two threat vectors this industry has to deal with: Network based attacks and the human weak link. The need for state of the art security gear is necessary to fend off network based attacks, as is proper network design and patching policy, but proper training of the distributed IT staff in far flung locations is just as important to avoid breaches. Any of these properties could become a soft target for determined hackers.
The flip side of this coin is the risk to hotel guests themselves who could become compromised while connecting to hotel wifi access points. I have one simple recommendation: travel with your own $20 router and insist on getting a room with a wired connection where you can plug in your router. Keep all your portable devices behind your own router, which besides the added protection is a great convenience factor as your devices should auto connect to your own access point as soon as you’re plugged in.”
Michael Magrath, Director, Global Regulations & Standards at VASCO Data Security:
“Although Sabre classified the breach to its XynXis reservation system as ‘unauthorized access,’ it is quite possible that this could be yet another in a long line of breaches related to compromised login credentials. Sabre, like many other organizations, enables access to its system with only a username and static password, both something one knows, a.k.a. single factor authentication. Although convenient, password login has proven, time and again, to be unsecure. Organizations collecting and storing sensitive customer data such as date of birth, credit card information, etc. should replace static passwords with multi-factor authentication solutions to be used across all devices; PCs, tablet, phones, etc. “
Ken Spinner, VP of Field Engineering at Varonis Systems:
“It’s too easy for data to be stolen, as we’ve seen with April’s announcement surrounding the compromise of 1,200 InterContinental Hotel Group locations and the latest news that SabreCorp. is investigating a significant breach tied to a reservations system that serves more than 32,000 properties. This is the most recent attack in a string of incidents targeting payment information systems, a threat vector that continues to be an issue and highly targeted by attackers on the hunt for easy financial gain from stolen credit card info. While we don’t know the specifics of who had unauthorised access to the information and what tactics were used, we’ve seen from similar attacks that hackers gain access with co-opted credentials of someone with too much access. The attack on Hyatt earlier this year is a perfect example of hackers gaining access to payment systems by exploiting excessive employee permissions. Further shining a spotlight on the issue, in our recently released 2017 Varonis Data Risk Report, we found that overly permissive access to files and stale data expose organisations to the same issues uncovered in the 2017 Verizon Data Breach Investigations Report.
Whether the data loss is caused by an insider threat or an external attack, it’s clear organisations need to understand where their information assets are, who is using them and who is responsible for them so they can detect malicious activity before it becomes a massive loss, such as the 32,000 hotels and other lodging establishments potentially jeopardized in this case.”