Profile picture
Jeremiah Grossman @jeremiahg
, 6 tweets, 2 min read Read on Twitter
1. Breach disclosed on a Friday.
2. The data about 500m people DOES NOT belong to their guests, but to Marriott. They have every right to allow it be compromised.
3. Breach unlikely to be costly, and affect stock price.
4. Other hotel chains should consider incident response.
It’s hard to tell if the Marriott breach contained cardholder information, but if so, PCI-DSS needs to take there fair share of the heat... and the QSA for that matter.
An intruder was silently running around Marriott’s system for 4 years. 4 YEARS. Imagine the amount of work necessary to get security back to a known good state and confident that you did so. Might take another 4 years in any system that large.
I’d bet that Marriott has a cyber-insurance policy that’ll cover a lot of their costs. If anyone happens to have any details, please share.
When a breach goes undetected for so long, especially on a large corp with a massive network, it’s highly unlikely there was just one intruder.
And where was @briankrebs all these years!? I mean cmon, he’s supposed to be our best IDS after all right!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jeremiah Grossman
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @jeremiahg see all

Profile picture
I’ve spent last year creating asset inventories of the world's largest organizations (via Bit Discovery). It’s absolutely crazy to see just how many assets they have connected to the Internet — many have hundreds of thousands.

You can’t secure what you don’t know you own.
As it turns out, creating an inventory of internet-connected assets for an organization is easily the hardest engineering challenge I’ve ever worked on in my career.
An organization’s internet-connected devices may exist on many different IP-ranges, domain names, hosted services, labelled under a variety of brands or departments, managed by subsidiaries and partners, and may come and go without warning. (Very hard problem)
Read 4 tweets
Profile picture
1/ Years ago I worked on a data analysis project. The project was designed to predict the particular type and number of vulnerabilities likely to be identified (or not) in a given website when security tested.
2/ The results were fascinating. With only knowing WHEN a website was first deployed on the Web and the programming language in use, it was possible to predict the type and quanitity of vulnerabilities present with a very high degree of accuracy.
3/ Other factors such as industry, organizational size, regulatory obligations, software development processes, and so on mattered very little statistically.
Read 7 tweets

Related threads

Profile picture
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets
Profile picture
Why does Twitter deliberately target Right-wing accounts for Shadow-banning and why it will sooner rather than later completely back-fire and why they are ultimately going to destroy the Left and what a great day that will be. Thread. 1/15
It is no surprise Twitter targets accounts for “wrong think” or as we on the #Right like to call it “free-think” this is because of two events which are now totally and utterly inextricably linked, #Brexit and #Trump and the Establishment have been rocked to the core. 2/15
Neither of which were supposed to happen & yet they did now the Establishment is determined never to allow it to happen again or even at all, the reason for them happening was nothing to do with social media, but was to do with people knocking on doors and persuading others. 3/15
Read 15 tweets
Profile picture
"RIGHT NOW"
June 24, 2018
Tehran, Iran
Protests against the regime of mullahs!
Iranians ask shopkeepers to close their shop and join the protesters.
They chant" "Close your shop"
#IranProtests
"RIGHT NOW"
June 24, 2018
Tehran, Iran
Protests against the regime of mullahs!
Iranians chant:
"Let the Syria go, Think of us"
" We cannot afford to buy one dollar for 100,000 Rials"
"Enough is enough! We can't tolerate this anymore!"
#IranProtests
3- Update
June 25, 2018
Tehran, Iran
Protests against the regime of mullahs!
Iranians chant:
"We don't tolerate mullahs and their regime anymore."
#IranProtests
Read 49 tweets
Profile picture
.@ChuckGrassley @realDonaldTrump @POTUS

IMO: we need MUCH TOUGHER laws on illegal-drug financing, manufacturing & whole-sale level distribution along with RICO enforcement. Retail level distribution & use consequences MUST BE DEFINITIVE and EQUITABLE in application across US.
.@ChuckGrassley @realDonaldTrump @POTUS

DEFINITIVE and EQUITABLE means that you can not throw the poor, the black, & other minorities in JAIL and the rich-white-kid gets help thanks to lawyers & parents.

Statistics suggest Lady Justice is NOT blind; that's a problem.
.@ChuckGrassley @realDonaldTrump @POTUS

Illegal-Drugs are harmful & deadly (like alcohol & cigarettes); some limited medical or recreational use.

Re-classify drugs as: NO-Medical-Approval-Drugs (NOMAD) for ATF sale (COMPETE, TAX, REGISTER, TRACK, EDUCATE, CONTROL & REDUCE USE).
Read 7 tweets
Profile picture
People seem to want an "honest conversation" about the NHS. So let's have an honest conversation about some basic economics of the model of healthcare in the UK:
1. Pricing healthcare at the point of use at zero means demand will exceed supply. Period. Services have to be rationed, via queuing.
2. Absent price mechanisms, resources get allocated by planning and projected demands. When demands differ from projections, you get acute shortages and severe queuing.
Read 16 tweets
Profile picture
People need to consider one thing when thinking about Session/Cannabis regs: #HIVITES are all over the legal weed industry. They may be laundering money for child sex trafficking and other illegal activity through that industry. This is a FACT. (1)
While it may be very difficult for prosecutors to get convictions on the trafficking/laundering charges, allowing federal prosecutors to charge them with cannabis violations could potentially disrupt the flow of $$$ and Children to the #Hivite cults in these areas. (2)
I am fully in support of 100% legal cannabis with an added clause that patients should have a right to grow it themselves. But I can see value in today's decision by @jeffsessions to combat the #Hivite cabal by freeing prosecutors to charge bad actors with weed related crimes (3)
Read 14 tweets

Trending hashtags

#MachineLearning #Bannon #Eurasian #Data #Barrett #McAdams #Syria #Meyssan #HBOC #Garcia #zufferingzuckotash #Flynn #homophobia #Bausman #Norton #data #Italy #botnets #transphobic #Transform #Ciswits #fascist #black #cis #Campo

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!