Hilton Worldwide hack: how to reduce your supply chain security risks
Towards the end of November, Hilton Worldwide issued an official statement admitting that it had “identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems.” We don’t know, at this point in time, whether this was in any way linked to the ModPOS malware threat, which has been described by researchers as “the most sophisticated point-of-sale malware we have seen,” but it does raise the question of supply chain security risks.
What we do know, however, is that the malware which was involved in the Hilton Worldwide breach appears to have targeted point of sale (POS) terminals situated inside of franchised restaurants, gift shops and coffee bars within the impacted Hilton hotel properties. If this attack proves anything, then it proves the old adage that your strongest security measures are only as strong as the weakest link in your supply and partner chain.
The usual data had been targeted, including cardholder names, payment card numbers, security codes and expiration dates. The usual “strongly committed to protecting customers’ payment card information” and “sincerely regret any inconvenience” lines were issued.
Are we surprised that Hilton Worldwide has fallen victim in this way? Sadly no, not least because it is just the latest in a long line of hotel chains to feel the POS malware thump or the sting of a supply chain security weakness. Hotel chains are, by their nature, both high value targets and highly vulnerable; look at the facts, these are distributed organisations providing a pretty vast attack surface.
There are not only POS terminals on most every desk, in every lobby, but some of them are operated by third party vendors. The networks themselves are also high risk, considering that you have hotel usage, guest usage, vendor usage (with booking agents requiring access to hotel platforms) and so on. Sure, these should all be isolated from each and secured up the wazoo, but that doesn’t mean there aren’t vulnerabilities and people waiting to exploit them.
At the end of the day, you may well think you are pretty secure, but if your partners are not then you need to think again. Organisations of all sizes have to understand that the decisions taken by business partners can, and will, impact on the security of your data, the reputation of your brand and the strength of your security posture. The Hilton Worldwide breach seems like as good an opportunity, especially with the seasonal shopping boom about to hit, to examine the world of supply chain insecurity and POS security postures.
We spoke to Kevin Burns, head of solution architecture at Vodat International and something of a payments industry expert with work behind him in both the BT and BT Expedite payment security teams, about the Hilton Worldwide breach.
“The issue at Hilton perhaps demonstrates how even the largest organisations need to keep an eye on all of the little details especially those involving partners” Burns told IT Security Thing, continuing “in this instance it was the minor franchisees, probably very small local business that got hit.” As Burns points out, of course, in other organisations it might be the support partner that inadvertently provides back door access to the network, which can then be exploited. The service that the partner provides may be totally unrelated to the attack, but the fact that they have remote access might be enough to make them an easy target. You only have to look to the Target breach in the US for evidence of that.
James Henry, UK southern region manager with Auriga, expands upon the Target breach of two years ago, explaining that this involved “the compromise of 25 POS terminals and was found to have originated from a heating, air conditioning and ventilation (HVAC) subcontractor which was privy to certain network credentials.”
If anything highlights just how difficult it can be to secure the supply chain, then the Target breach was it.
“Supplier relationships are often built on trust and retrofitting indemnity and liability clauses in contracts can be awkward at best” warns Henry, continuing “many organisations rely on annual audits under standards such as ISO 27001 as a catch-all solution, but this can miss potential weak spots when new processes are put in place or new systems brought online. There is currently no de facto supply chain standard for security.”
And that’s really a big part of the problem, the lack of standards. Although as Kevin Burns points out “version 3.1 of PCI DSS placed more emphasis on third party supplier management and on access controls between card holder data and the rest of the IT environment and third party access,” adding “if third parties do not need access, then companies should not grant it. If partners do, then it should be restricted.”
Talking to IT Security Thing, IEEE member and head of the Centre for Security, Communications & Network Research at Plymouth University, Professor Steven Furnell, says that he is “not sure that it is so much a question of mitigating against the insecurity of business partners, as trying to ensure that these partners are required to make best efforts to ensure security compliance for themselves. Ideally as a condition establishing and maintaining the partnership.”
Professor Furnell went on to give an example within the context of PoS systems, which would involve the aforementioned PCI DSS compliance and that includes maintaining both a vulnerability management program and the timely application of security updates. “More generally,” Professor Furnell adds, “for organisations partnering outside the payment card industry, there are other standards that may be considered.”
Things such as the Cyber Essentials scheme in the UK, for example, which can be thought of as applicable to even the smallest of organisations, and used as an indication of baseline protection against common cyber-attacks.
Richard Pharro, CEO of accreditation and certification body APMG, explains that Cyber Essentials was developed by the UK government as part of a broader initiative to raise cyber security awareness and preparedness in businesses of all sizes.
“Cyber Essentials provides a set of criteria against which organisations can measure their cyber security systems,” Pharro says, adding, “achieving the certification demonstrates to customers and partners that a business has taken basic and essential cyber security precautions.” But is that really enough?
James Henry tells IT Security Thing that, for now at least, organisations simply must steer their own supplier management policies.
“Start by listing the suppliers you do business with and classify them according to their relationship with you” he advises, continuing, “then go further back from Tier 1 to Tier 2 and beyond to ensure you have an understanding of how data is used.”
Of course, it’s also important to avoid alienating suppliers and this requires you to involve them in the process without overburdening them.
“Look at the frequency with which you assess channels of communication and data management processes,” Henry concludes, “is it monthly, quarterly or annually? No doubt Target thought any data held by an HVAC supplier would be worthless.” It was wrong.
When it comes to getting mitigation strategies right, the IT security industry is full of what if scenarios. However, Justin Harvey, chief security officer at Fidelis Cybersecurity, has some pretty clear and relevant advice if you were to ask us (and as you are reading this, we take that as a given).
“POS systems have been targeted by con artists for years and malware which strips away consumer data is only the latest in this form of attack,” Harvey insists, continuing “for this reason, Hilton Worldwide should have been hunting and profiling its POS endpoints for malware, to stop the attackers in their tracks.”
Harvey told IT Security Thing that he believes breaches such as this often occur due to “an over reliance on tactical threat intelligence, which is generated by machines and doesn’t properly investigate vulnerabilities or suspicious behaviour.
So, as the amount of data increases exponentially, the perimeter erodes and cloud usage ramps up, investment needs to be shifted to more strategic intelligence services instead.
These are, Harvey explains, “where experts analyse threats and draw conclusions about a threat group.” Only then, according to Harvey, can companies correlate trends and common traits of attacks, to inform a long-term prevention strategy.
MWR security researcher Piotr Osuch told us that one often overlooked element in such POS breaches is “insiders that are bribed, blackmailed or coerced into enabling cardholder data thefts. These have been commonly used for some time, and the combination of low wages and high staff turnover make them an attractive target for criminals.”
Osuch also reiterates that, as an entry point to the rest of the network, both POS systems and the data transmitted by them should be considered untrusted, or better still compromised, when designing network security.
“Isolating the POS systems not only helps to reduce the scope of PCI DSS compliance, but reduces the risk that they can be used to attack other systems,” Osuch explains, adding, “restricting outbound network traffic also makes it much more difficult for an attacker to exfiltrate data, and repeated trips to a compromised system are not scalable for serious criminal operations.”
Jose Diaz, director of payment strategy at Thales e-Security reveals the perhaps unsurprising fact that the accommodation industry is often cited as the sector with the highest number of POS breaches. “This can be largely attributed to the fact that most locations swipe your payment card on a simple mag-stripe reader attached to the POS System itself,” Diaz explains, “and encrypt the data using software within the POS System, rather than on a payment terminal.”
This introduces us to the crucial difference between the two: payment terminals are certified under PCI, and can encrypt the data at point of capture (the very first opportunity you have to protect it) rendering it unreadable as it flows through the merchant’s POS and IT systems to the payment processor.
“Without this protection from swipe to acquirer,” Diaz explains, “cleartext payment data is left vulnerable and open to attack.”
Yes, the migration to EMV is helping update payment acceptance systems with certified terminals that support the use of PCI P2PE for protection of sensitive data. “This, combined with the use of tokenization for payment data that merchants may need for their operation,” Diaz concludes, “can help address the ongoing breaches we continue seeing at a variety of merchants.”
But, we must repeat, is that really enough? Dominick Hume, head of product with Becrypt, doesn’t think so and has put together a checklist of some simple steps to follow when it comes to mitigating the supply chain security risks to your business for IT Security Thing readers:
- Use a security package with a pre-configured and secure operating system that enables partners to gain access to key networks, enabling them to work efficiently, that can be terminated/repudiated immediately as required.
- Implement network segmentation to protect high-value data.
- Control third party endpoints by providing a secure, dedicated terminal so that vulnerabilities from their infrastructures cannot enter your network.
- Baseline the network regularly to provide an early warning system for significant variations.
- Limit network protocols to those that are essential for operation of the business systems.
- Encrypt data at rest and data in motion so that even if the network or systems are compromised, attackers cannot gain access to any confidential or sensitive data.
- Amend existing supplier contracts to include measures to limit security risk exposure.
- Share cyber security best practices with their supply chain and encourage wider adoption.
- Insist that suppliers inform you as soon as they detect a breach so you are able to limit exposure while it is investigated.
- Conduct an impact analysis as well as a risk assessment.