Matt Blackmon is vice president of customer success for the Travel, Transportation & Hospitality Practice at DataArt, a global software engineering firm. Here he provides a primer on the cybersecurity issues facing those involved in handling corporate travel data.
As business travel recovers, corporations will allow employees back on planes and they will reach back to their trusted TMC partners for travel planning and process management. When they do, TMCs must be fully prepared. Cobwebs from more than a year of meager demand need to be cleaned out and processes may need a restart — with less headcount. To mitigate security risks and avoid cybersecurity incidents, TMCs should keep in mind the following common security weaknesses and types of cyber attacks.
Ransomware
The business travel management segment of the travel industry is particularly attractive to hackers because it deals with large volumes of traveler information, transaction details and payments. A new breed of hackers, driven by financial motivations rather than activism or anarchy, is making “ransomware” commonplace. A prime example is the recent fuel crisis caused by a hack of the Colonial Pipeline on the East Coast, leading to gas shortages in several states and a ransom payment of millions of dollars. Avoiding such a catastrophe by fixing system vulnerabilities would have cost 20 to 30 times less.
Not long ago, CWT fell victim to a similar cyberattack. CWT was reportedly asked to pay approximately $4.5 million in bitcoin to the hackers who stole sensitive corporate files and then encrypted large amounts of data. CWT stopped the malware from spreading by quickly turning off thousands of infected computers. There is no official information on how the attackers managed to plant the malware — whether it was a system vulnerability or the human element.
For any company, securing a network beforehand is likely cheaper than scrambling to appease online pirates. Furthermore, since the human element, the employee, is often the weakest link in the security chain, proper training and instating strict user policies are efficient steps a company can proactively take to protect itself against such attacks.
Restricted Access
Access control issues remain the No. 1 threat to corporations, regardless of industry. Exploiting this vulnerability can give a hacker almost full control over a company’s sensitive data. How?
Usually it’s through the front gate: the login page. Unfortunately, most multi-tenant corporate travel platforms do not have strong function-level access controls. This leads to situations where malicious users can break in and obtain information about deals with preferred airlines and hotels, user details or trip itineraries and costs. This information might not seem that precious, but often the cybercriminal uses it for further attacks such as social engineering, identity theft or worse. This information can be sold to other companies which can gain a competitive advantage; this would be similar to industrial espionage.
It is therefore very important that employees and agents only get access to their own data and to the parts of the system they need to work with, at a level appropriate to their role. This is known as “data protection at rest” and reflects the segregation of duties for staff and machines.
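As an added illustration (not code from the article or from DataArt), here is what tenant-scoped and role-scoped access checks look like in a small Python model of a multi-tenant TMC platform; the tenants, users, trips and negotiated rates are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data for a multi-tenant TMC platform: two client companies
# ("tenants") whose travelers, agents, trips and negotiated rates are scoped by tenant_id.
@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str  # "traveler", "agent" or "admin"

@dataclass(frozen=True)
class Trip:
    trip_id: str
    tenant_id: str
    traveler_id: str
    cost: float

TRIPS = {
    "T1": Trip("T1", "acme", "alice", 1250.0),
    "T2": Trip("T2", "acme", "bob", 980.0),
    "T3": Trip("T3", "globex", "carol", 2100.0),
}
# Negotiated airline/hotel discounts are per-tenant and for staff eyes only.
PREFERRED_RATES = {"acme": {"AIRLINE-X": 0.12}, "globex": {"HOTEL-Y": 0.20}}

def get_trip(user: User, trip_id: str) -> Trip:
    """Object-level check: same tenant, and either the traveler's own trip or a staff role."""
    trip = TRIPS.get(trip_id)
    # One error for both "missing" and "forbidden", so other tenants' trip ids
    # cannot be enumerated by probing.
    if trip is None or trip.tenant_id != user.tenant_id:
        raise PermissionError("trip not found")
    if user.role == "traveler" and trip.traveler_id != user.user_id:
        raise PermissionError("trip not found")
    return trip

def get_preferred_rates(user: User) -> dict:
    """Function-level check: this endpoint exists only for the tenant's agents and admins."""
    if user.role not in ("agent", "admin"):
        raise PermissionError("role not permitted")
    return PREFERRED_RATES.get(user.tenant_id, {})
```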
Breaking The Password
Weak password quality controls are still a key factor in account hijacking; they give an attacker the opportunity to guess a targeted account’s login easily via brute-force attacks. The weaker the password, the easier it is to break. For example, “123qwerty” or “mypassword” are much easier to guess than “MyP455w0rd!”. For the last one, the hacker must try millions more permutations to find the right character combination. This is just one small example among numerous ways to improve password protection.
Another way to protect against unauthorized entry via a login page is to limit the number of times a user can enter an incorrect password. For example, after a third attempt the system can either lock the account or require correct completion of a captcha (meant to slow down password-guessing attempts and verify the user is a human and not a malicious script).
The “forgot password” function is a big weakness. An application should never return a user’s password via an unencrypted or public channel such as SMS, phone or personal email. The only secure solution is for the system to ask the user to reset their password; the system should never reveal it.
One can mitigate attacks of this kind by simply using secure credential management schemes and adequate secondary authentication methods. Two-factor authentication (2FA) methods have proved to be very secure; login requires a username, a password and a unique code, sent to a pre-registered smartphone, that expires in a few minutes. In these scenarios, a hacker has no time to perform a brute-force attack and guess both the password and the unique code.
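The three controls described above (lockout after repeated failures, reset by token instead of revealing the password, and a short-lived second-factor code) combined in one added Python example. It is not code from the article or from any product; the 15-minute reset validity and 5-minute code validity are assumed values, and actual delivery of the code to the phone is left out.

```python
import hashlib, hmac, os, secrets
MAX_FAILED_ATTEMPTS = 3    # lock the account on the third wrong password
RESET_TOKEN_TTL = 15 * 60  # assumed value: a reset token stays valid for 15 minutes
OTP_TTL = 5 * 60           # the one-time code "expires in a few minutes"

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
class Account:
    def __init__(self, password):
        self.salt, self.pw_hash = hash_password(password)
        self.failed_attempts, self.locked = 0, False
        self.reset_token = None  # (sha256(token), expiry): only the hash is stored
        self.otp = None          # (code, expiry)

def login(acct, password, now):
    """First factor. Returns 'locked', 'bad_password' or 'otp_required'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    # Second factor: a 6-digit code that would be sent to the registered phone.
    acct.otp = (f"{secrets.randbelow(10**6):06d}", now + OTP_TTL)
    return "otp_required"

def verify_otp(acct, code, now):
    expected, expiry = acct.otp or (None, 0)
    acct.otp = None  # single use, whether the attempt succeeds or not
    return expected is not None and now <= expiry and hmac.compare_digest(expected, code)

def start_password_reset(acct, now):
    # "Forgot password": never reveal the password; hand out a random expiring token.
    token = secrets.token_urlsafe(32)
    acct.reset_token = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL)
    return token  # delivered out of band to the registered contact channel

def complete_password_reset(acct, token, new_password, now):
    token_hash, expiry = acct.reset_token or (None, 0)
    acct.reset_token = None  # single use
    digest = hashlib.sha256(token.encode()).digest()
    if token_hash is None or now > expiry or not hmac.compare_digest(token_hash, digest):
        return False
    acct.salt, acct.pw_hash = hash_password(new_password)
    acct.failed_attempts, acct.locked = 0, False
    return True
```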
Segregation
Another critical situation is when access control issues combine with publicly available internal developer documentation. Any technical documentation about a web application has to be hidden; it should never be available on the Internet. It must be password-protected and must reject any external access attempt.
Even internal access should be restricted. Otherwise, hackers may gain access to a legitimate account and use it to elevate their privileges, find technical documentation and sensitive data, break an application or cause other damage, or even execute non-authorized activities like buying themselves airline tickets with credit cards stored in the system.
Public Wi-Fi
A hacker using public Wi-Fi can steal user data just by sitting nearby in a Starbucks, Dunkin’ Donuts, hotel lobby or other public venue. Known as “sniffing,” capturing all the data transiting a public Wi-Fi network is relatively trivial for an attacker but also easily preventable. The most obvious solution is to avoid using corporate devices on open Wi-Fi networks.
When working from home, or traveling for business, employees naturally use applications that are part of a company’s proprietary systems. It is imperative to enable multiple encryption mechanisms that encode the traffic between the device and company’s servers, thus making traffic interception useless for an attacker. However, even this protection method is not bulletproof. Hackers can access applications that use weak configurations for such encryption mechanisms, or that have known vulnerabilities, and easily decrypt the captured private data. Still, it is paramount to use the company’s VPN properly and thoughtfully for any online work; do not store important files on your device if you do not need to, or for any longer than you have to.
Attacks Via Browsers
Many licensed applications and custom software products used in corporate travel are vulnerable to well-known types of attacks, such as XSS (cross-site scripting). An attacker using this method can execute malicious commands within a victim’s browser. By doing so, the malefactor can gain access to all private data within the victim’s account, execute any activity on their behalf, use the victim’s hardware for bitcoin mining or hack another application/system by masquerading as the victim.
Here is an example illustrating the dangers of XSS: an attacker changes the structure of a TMC’s web solution by displaying a new window that asks the user to re-enter their credentials. After the password is entered into this fake login (which looks just like the real one), it is sent to the hacker, thus providing full access to the business traveler’s account.
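An added Python example (not from the article) of the output-encoding bug behind that scenario and two layers of defense: escaping the untrusted value, plus response headers that confine an injected form even if an escaping bug slips through. The trip note and session id are constructed sample values.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a free-text trip note entered by one user and shown later to
# others. It imitates the fake re-login prompt described above; it is test data only.
INJECTED_NOTE = '<div class="modal">Session expired, please <a href="#">sign in again</a></div>'

def render_note_vulnerable(note: str) -> str:
    """Concatenates untrusted text into HTML: any markup in the note becomes part of the page."""
    return "<p class='note'>" + note + "</p>"

def render_note_hardened(note: str) -> str:
    """Escapes the value for the HTML text context, so the browser displays it instead of parsing it."""
    return "<p class='note'>" + html.escape(note, quote=True) + "</p>"

def security_headers(session_id: str) -> dict:
    """Defense in depth: headers that limit the damage if an escaping bug slips through."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True     # page scripts cannot read the session cookie
    cookie["session"]["secure"] = True       # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"
    return {
        # Only same-origin scripts run, and forms may only submit to our own origin,
        # so an injected "login" form cannot deliver credentials to another host.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'",
        "Set-Cookie": cookie.output(header="").strip(),
    }
```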
SQL Injection
Applications may also be vulnerable to injection attacks including SQL injection, open-shell and XML External Entity attacks. If an attacker discovers this kind of vulnerability in an application, they can gain unrestricted access to all of the data located within the application’s database — including sensitive data for users, clients and staff, such as credit card information, personal data and so on. Sometimes, by exploiting injection vulnerabilities, the attacker can get a key to a company’s internal network, leading to more damage and significant security risks.
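The SQL injection case, as an added Python example that is not code from the article: the same lookup written with string concatenation and with a parameterised query, run against a constructed in-memory SQLite table of trips for two client companies.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample: trips for two client companies of a TMC."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trips (id INTEGER PRIMARY KEY, tenant TEXT, traveler TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO trips (tenant, traveler, card_last4) VALUES (?, ?, ?)", [
        ("acme", "alice@acme.example", "4242"),
        ("acme", "bob@acme.example", "1881"),
        ("globex", "carol@globex.example", "0005"),
    ])
    return conn

def trips_for_traveler_vulnerable(conn, tenant: str, traveler: str) -> list:
    # Untrusted input spliced into the SQL text: the input can rewrite the WHERE clause
    # and the tenant filter no longer protects the other companies' data.
    sql = f"SELECT traveler, card_last4 FROM trips WHERE tenant = '{tenant}' AND traveler = '{traveler}'"
    return conn.execute(sql).fetchall()

def trips_for_traveler_hardened(conn, tenant: str, traveler: str) -> list:
    # Parameterised query: the driver passes the values separately from the SQL text,
    # so whatever the input contains is compared as a literal and can never become SQL.
    sql = "SELECT traveler, card_last4 FROM trips WHERE tenant = ? AND traveler = ?"
    return conn.execute(sql, (tenant, traveler)).fetchall()
```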
Overdue Updates
Another important security issue observed in many TMC systems is the use of outdated versions of internal components (like web servers) or third-party software components. Exploiting already-known vulnerabilities is the easiest and cheapest way for attackers to get into systems and networks. To be safe, always keep everything updated to the latest versions, thus closing back doors for attackers.
Other Areas Prone To Attack
As TMCs move to more modern technologies and to the cloud, there are a few more areas they can secure.
Secure Software Development Lifecycle (SSDLC). Many TMCs developed and now maintain software applications in-house. Without going into the nitty-gritty technical details, the software development lifecycle must include certain procedures and activities that safeguard it. This ensures that developers code with security in mind and leave no backdoors or vulnerabilities for attackers to exploit. This actually goes beyond coding and encompasses DevOps, now DevSecOps.
Cloud Security. When it comes to cloud technology, the concept of security boils down to this: the cloud itself is very secure, but being in the cloud is not. Cloud providers do indeed protect their infrastructure but clients still must protect their applications and systems that plug into that infrastructure. This requires certified professionals, much in the way people hire licensed plumbers and electricians to connect new homes to water and electricity systems. Another way to look at it is by comparing the cloud with a country. The United States is a very secure country, with well-monitored borders; however, many citizens still lock their houses. Data and systems deployed to the cloud must be secure and properly configured by specialists.
Social Engineering Awareness. As mentioned above, the human link is still the weakest link in the security chain. The best way to strengthen that is to educate the staff and make them aware of attackers’ tactics. Security specialists can test the staff by launching mock attacks, such as phishing emails, to see how they react.
* * *
Most cybersecurity incidents are avoidable. We strongly recommend a penetration test (a.k.a. pentest) performed by an independent, trusted security vendor at least every six months, or whenever a significant change is made to the company’s tech environment.
For those TMCs that have custom-developed applications in their portfolios, we recommend comprehensive education and adherence to the rules of secure coding by their dev teams, so important business assets are kept safe (including API documentation, code-signing assets and other related artifacts).
Prevention is always better, easier and cheaper than the cure.
This is indeed scary for sure and Matt offers some excellent advice.
An area close to my heart and pleased to see this post to raise the profile of cybersecurity within the supply chain in corporate travel. Many in the business see this as something for the guys in IT/security teams rather than a business issue. Clearly IT/security do need to be over it but it is something the business needs to understand. If the leadership team of the business cares about information security it makes it a whole lot easier for the team looking after security to do their job and be motivated that what they are doing matters. If the CEO/leadership team are not following security policies then the rest of the company are not likely to follow either.
Few people will talk openly about cybersecurity/cyber maturity within their business, whether they think theirs is good or not, simply because if it is in the public domain it becomes valuable information for the bad actors to use. I would encourage people from the business to take the headlines from this post and, if they don’t know the answers already, ask internally how their company is set up to address these threats. Anything less than a convincing response should raise alarm bells.
It does no one any good seeing anyone involved in the supply chain adversely affected by a cyber attack. As Matt said, with less headcount, Covid scams and remote working now commonplace, if there was ever a time to check, it’s now, and it needn’t cost money. There are quite a few things that can be done to enhance security which are free, or included in a license you may have that needs configuring. Each company will be different and you will need someone who understands what you have as a company and what options are available. Ignoring this topic and/or having an incomplete approach to security will lead to a breach at some point.
Lastly, this is not just a work thing. Look after your personal IT as well, use password managers, two-factor authentication, etc. I am sure we all know someone who has fallen victim to a WhatsApp/Facebook scam. Will you or your company be the next one?