Lessons Learned from a Popular Hotel’s Recent Data Breach Involving Social Engineering
This week Marriott International, one of the largest hotel chains, suffered its second data breach of 2022. The breach took place in early June and was carried out by a group calling itself ‘Group with No Name’ (GNN), which used social engineering to trick one of the hotel’s employees into granting access to the hotel’s computer.
While the data breach only affected a small number of users, there are some valuable lessons to be shared about how important it is to implement new-school security awareness training across your whole organization.
“Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training,” said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4. “Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to out these types of attacks.”
Unfortunately, social engineering attacks are not going away anytime soon, and it is important that your organization does not become an easy target for attackers. Here are ten ways that you can make your organization a hard target:
- With any ransomware infection, nuke the infected machine from orbit and re-image from bare metal
- Get Secure Email Gateway and Web Gateways that cover URL filtering and make sure they are tuned correctly
- Make sure your endpoints are patched religiously, both the OS and third-party apps. Test the Flexera Personal Software Inspector on your workstation
- Make sure your endpoints and web gateway have next-gen security layers that are updated frequently (every few hours or more often), but don’t rely on them alone
- Identify users that handle sensitive information and enforce multi-factor authentication for them
- Review your internal security policies and procedures, specifically related to financial transactions to prevent CEO fraud
- Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
- Leverage new-school security awareness training, which includes frequent social engineering tests using multiple channels, not just email
- You need to have weapons-grade backups in place
- Work on your security budget to show it is increasingly based on measurable risk reduction, and try to eliminate overspending on point solutions targeted at one threat or another
Valuable educational resources such as our Social Engineering Red Flags infographic and more will teach your users to identify these types of attacks. Remember, social engineering attacks can only be successful because of one reason – USERS!