Security researchers have discovered an unsecured database that exposed the security logs – and therefore potential cyber security weaknesses – of major hotels managed by the Pyramid Hotel Group.
Pyramid Hotel Group manages hotels in the US, Hawaii, the Caribbean, Ireland, and the UK, including Marriott, Sheraton and Hilton properties.
The unsecured server allowed unrestricted access to security audit logs generated by an open-source intrusion detection system. This exposed information about the hotels' operating systems, security policies, internal networks and application logs, as well as sensitive employee data. In total, 85.4 GB of security audit logs were exposed.
Any would-be attacker with access to the database could have monitored the hotels' networks, gathered valuable information about administrators and other users, and built an attack path targeting the weakest links in the security chain.
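To make concrete what an attacker gains from logs like these, the following added example (not code from the original report, and not taken from the exposed database) parses a handful of constructed IDS-style JSON alerts and builds the kind of reconnaissance profile described above: a host and OS inventory, the internal subnets in use, the user accounts seen, which accounts are being brute-forced, and which source addresses successfully log in as privileged users. The field layout (`agent`, `os`, `rule`, `data`) is an assumed generic schema, not that of any particular product.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample alerts (hypothetical hosts, users and addresses).
# The last line is deliberately corrupt to show that the parser skips it.
SAMPLE_ALERTS = """
{"timestamp":"2019-05-20T09:12:01Z","agent":{"name":"HTL-FD-01","ip":"10.20.4.15"},"os":{"name":"Windows Server 2012 R2"},"rule":{"level":5,"description":"Logon failure - unknown user or bad password"},"data":{"srcip":"10.20.4.77","dstuser":"frontdesk"}}
{"timestamp":"2019-05-20T09:12:05Z","agent":{"name":"HTL-FD-01","ip":"10.20.4.15"},"os":{"name":"Windows Server 2012 R2"},"rule":{"level":5,"description":"Logon failure - unknown user or bad password"},"data":{"srcip":"10.20.4.77","dstuser":"frontdesk"}}
{"timestamp":"2019-05-20T09:15:40Z","agent":{"name":"HTL-FD-01","ip":"10.20.4.15"},"os":{"name":"Windows Server 2012 R2"},"rule":{"level":3,"description":"Windows logon success"},"data":{"srcip":"10.20.4.77","dstuser":"frontdesk"}}
{"timestamp":"2019-05-20T10:02:11Z","agent":{"name":"HTL-DB-02","ip":"10.20.9.8"},"os":{"name":"Ubuntu 16.04.6 LTS"},"rule":{"level":3,"description":"sshd: authentication success"},"data":{"srcip":"10.20.1.5","dstuser":"root"}}
{"timestamp":"2019-05-20T10:03:00Z","agent":{"name":"HTL-DB-02","ip":"10.20.9.8"},"os":{"name":"Ubuntu 16.04.6 LTS"},"rule":{"level":7,"description":"Integrity checksum changed."},"data":{"file":"/etc/ssh/sshd_config"}}
{"timestamp":"2019-05-20T10:10:19Z","agent":{"name":"HTL-PMS-01","ip":"10.20.2.30"},"os":{"name":"Windows Server 2008 R2"},"rule":{"level":3,"description":"Windows logon success"},"data":{"srcip":"10.20.1.5","dstuser":"domainadmin"}}
not valid json - a corrupted line that a real log store would also contain
"""


def build_recon_profile(raw: str) -> dict:
    """Aggregate newline-delimited JSON alerts into an attacker's-eye profile."""
    hosts = {}            # agent name -> {"ip": ..., "os": ...}
    users = set()         # every account name that appears in an alert
    failed = Counter()    # (host, user) -> number of failed logons
    admin_sources = set() # source IPs that successfully logged in as a privileged user
    skipped = 0

    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue

        agent = alert.get("agent", {})
        name = agent.get("name")
        if name:
            hosts[name] = {"ip": agent.get("ip"),
                           "os": alert.get("os", {}).get("name")}

        data = alert.get("data", {})
        desc = alert.get("rule", {}).get("description", "").lower()
        user = data.get("dstuser") or data.get("srcuser")
        if user:
            users.add(user)
            if "failure" in desc:
                failed[(name, user)] += 1
            # Assumed heuristic for "privileged": root or any name containing "admin".
            if "success" in desc and (user == "root" or "admin" in user):
                admin_sources.add(data.get("srcip"))

    # Derive the /24s the agents sit in; this is the internal addressing an attacker learns.
    subnets = {str(ipaddress.ip_network(f"{h['ip']}/24", strict=False))
               for h in hosts.values() if h["ip"]}

    return {
        "hosts": hosts,
        "users": sorted(users),
        "internal_subnets": sorted(subnets),
        # Accounts with repeated failures are live brute-force targets (threshold assumed).
        "brute_force_targets": [(h, u, n) for (h, u), n in failed.items() if n >= 2],
        "admin_workstations": sorted(s for s in admin_sources if s),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(build_recon_profile(SAMPLE_ALERTS))
```

Even this small sample gives up three servers with exact OS versions, three internal subnets, a domain administrator account, the workstation it logs in from, and a front-desk account that someone is already guessing passwords for. That is why audit logs belong behind authentication and off the public Internet.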
The researchers uncovered the issue on 27 May 2019 while using port scanners to map areas of the Internet. Access to the database was closed shortly after Pyramid was made aware of the incident.
The NCSC recommends that organisations take care to keep security-sensitive logs private.
Organisations still struggle to manage vulnerability patching
Almost 27% of organisations globally have suffered a breach as a result of vulnerabilities that have remained unpatched, according to Tripwire’s 2019 Vulnerability Management Survey.
59% of organisations surveyed said they could detect new hardware and software on their network within hours, with some saying it would take mere minutes. Worryingly, 21% said it would take days, 7% said weeks, and 11% could not detect new devices at all.
Meanwhile, 88% of organisations say that they run vulnerability scans, although the frequency varies: 39% run scans weekly, but 22% run them quarterly or less often.
The survey found that most organisations aim to fix vulnerabilities within 30 days of discovery, and most recognise the need to prioritise vulnerabilities more effectively.
All modern software contains vulnerabilities: either software defects that require patches to remedy, or configuration issues that require administrative action to resolve. The NCSC has published guidance to help organisations assess and prioritise vulnerabilities.
Microsoft drop password expiration policies
Microsoft has changed its recommended security settings so that users will no longer be required to change their passwords periodically.
This update, which you can read about in Microsoft's blog post, strengthens the argument that regularly changing passwords is bad for security. Authored by Microsoft consultant Aaron Margosis, the post describes periodic password expiration as an "ancient and obsolete mitigation of very low value".
Microsoft quietly removed the password expiration requirement recently, arguing that expiry only ever helps once a password has already been stolen, and that this risk is better addressed by using stronger passwords and additional measures such as two-factor authentication.
The NCSC fully supports the move away from asking users to change passwords periodically. Users wanting to improve their own security should focus on using strong, separate passwords for each account and enabling two-factor authentication. We also understand that keeping track of many passwords across an ever-growing number of online accounts can be difficult, and we recommend using a password manager to help.