What the Marriott International breach teaches us about social engineering – VentureBeat


Yesterday, one of the largest hotel chains in the world, Marriott International, confirmed that it suffered its second data breach of 2022. Databreaches.net broke the news after receiving an anonymous tip.

During the breach, which took place in early June, a threat actor gained access to an employee's computer and obtained approximately 20 gigabytes of data, including credit card details and confidential information about guests and workers, such as flight reservation logs.

The attackers, dubbed the Group with No Name (GNN), appear to have orchestrated a social engineering attack targeting employees working at the BWI Airport Marriott in Maryland (BWIA), and managed to trick one of them into granting access to their computer.

While the data breach affected only 400 people, it highlights some valuable lessons for CISOs and security leaders, particularly regarding the threat posed by social engineering and the havoc that poor security awareness can wreak on an organization.

The latest Marriott breach highlights that human error is one of the greatest risks to an organization's security. All it took to exfiltrate the organization's data was for the threat actor to manipulate an employee into handing over access to their device.

In the realm of cybersecurity, manipulation is one of an attacker's most effective weapons. Unlike exploits or brute-force attacks that target endpoints or IT systems, which can be patched or mitigated consistently, human beings aren't perfect, and they easily make the mistake of handing over login credentials or exploitable information.

"A primary mechanism being used by adversaries is social engineering. It's simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time," said Saryu Nayyar, CEO and founder of security operations and analytics provider Gurucul. "All it takes is one successful compromise to circumvent most preventative controls."

Social engineering scams are a type of manipulation attempt where an attacker aims to trick an employee into sharing confidential information, infecting their device with malware, or handing over their login credentials.

An example of this is a phishing scam, where an attacker sends an email trying to trick a user into clicking on a malware attachment or visiting a phishing site.

The high effectiveness of these basic manipulation attempts is one of the main reasons why the number of social engineering attacks reached 25% of total breaches in 2022, and why the human element (social engineering, errors and misuse) accounts for 82% of breaches this year.

Even employees with high security awareness aren't immune to being caught off guard, particularly when the average organization is targeted by over 700 social engineering attacks each year.

One of the simplest ways organizations can address social engineering threats is security awareness training, which teaches employees security best practices and what phishing, social engineering and other manipulation attempts look like, so that they avoid sharing valuable information with cybercriminals.

"Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training," said Roger Grimes, defense evangelist at KnowBe4. "Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to out these types of attacks."

For additional security, Nayyar recommends that organizations implement a detection program, to monitor and identify risky access controls and user behaviors to detect abnormal or deviant activity, to not only defend against external threats but also against internal threats.
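One way to operationalize the kind of user-behavior monitoring Nayyar describes, as an added example that is not part of the article or any vendor's product: each user's daily outbound data volume is compared against that user's own earlier history, and a day far above the baseline is flagged. The log lines, user names and dates below are constructed; only the 20 GB figure comes from the article.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "date user outbound_bytes", one line per user per day.
# The last jdoe line models a 20 GB exfiltration from a compromised workstation.
SAMPLE_LOG = """\
2022-06-01 jdoe 410000000
2022-06-02 jdoe 380000000
2022-06-03 jdoe 450000000
2022-06-04 jdoe 390000000
2022-06-05 jdoe 20000000000
2022-06-01 asmith 120000000
2022-06-02 asmith 150000000
2022-06-03 asmith 110000000
2022-06-04 asmith 130000000
2022-06-05 asmith 140000000
"""


def parse_log(text):
    """Return {user: [(date, outbound_bytes), ...]} in log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, nbytes = line.split()
        per_user[user].append((date, int(nbytes)))
    return per_user


def find_outliers(per_user, min_days=3, sigma=3.0, floor_bytes=1_000_000_000):
    """Flag days whose outbound volume is far above the user's own history.

    Each day is scored only against the days before it, so the anomaly
    itself never inflates the baseline it is measured against. A floor in
    absolute bytes stops very low-volume users from alerting on small,
    harmless increases. Returns (user, date, bytes, baseline_mean) tuples.
    """
    alerts = []
    for user, rows in per_user.items():
        history = []
        for date, nbytes in rows:
            if len(history) >= min_days:
                mu, sd = mean(history), pstdev(history)
                threshold = mu + sigma * max(sd, 1.0)
                if nbytes > threshold and nbytes - mu >= floor_bytes:
                    alerts.append((user, date, nbytes, round(mu)))
            history.append(nbytes)
    return alerts
```

A real deployment would feed this from proxy or EDR telemetry and pair it with identity signals (new device, unusual login time); the point here is that a single user's baseline, not a global threshold, is what separates the 20 GB day from normal traffic.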

It's important to note that detection and response is an area where many enterprises are lacking, with research showing that 36% of mid-size organizations don't have a formal incident response plan in place.

Finally, this latest data breach reveals that enterprises can't afford to gain a reputation as an easy target. If your company falls victim to a data breach, there's a high likelihood that other attackers will target you again, on the assumption that your organization has weak security controls.

"As this latest breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future. This attack does little to restore faith in Marriott's data security following the massive breach of the data of 5.2 million guests in 2020," said Jack Chapman, vice president of threat intelligence at Egress.

Given that this breach was the third of its kind that Marriott has experienced in the last four years, other organizations may now be looking at the hotel chain as a potential target.

The only way to avoid this predicament is to avoid being seen as an easy target: implementing the latest detection and response solutions and consistently investing in security awareness training that helps employees embrace security best practices and mitigate human risk.
