Image for post
Image for post

Learning from the Expedia Heist

When your IT admin is the root cause of a security breach

Ryan McGeehan
Dec 28, 2016 · 10 min read

Expedia’s security team did a good job.

Let’s first point out why this is a notable security story for Expedia, at least according to the facts drawn from the SEC legal documents.

Caveat: There’s always room for improvement

While there are some typically embarrassing vulnerability details from within the complaint, be assured that you’d likely find equally embarrassing lapses in security wherever you work as well. Comment carefully, should you someday be responding to a similar incident yourself.

An insider threat needs no beachhead.

Mitigate the risks of centralized administration.

Sysadmins, engineers, and help desks need to get large volumes of work done, and they usually wield significant levels of access to do so. This is sometimes a shared domain admin, administrative password, etc. Without getting too implementation specific, all large groups of systems runs into this problem of authorization creep and identity management.

Take advantage of a bastion environment.

It’s easier to trust high privileged network access when administrators use bastion hosts and your network enforces it. This concept is implementation agnostic, you’ll see it in Windows / Linux environments, AWS / GCE, and even some aspects with web app Single Sign On proxies.

  • Centrally logs all authentication activity to it.
  • Surrounded by network rules respecting it (SSH / RDP, etc only allowed from bastion)
  • Requires strong, multifactor authentication

Local endpoint admin access needs to be managed.

Given that Expedia sounded like a mostly Windows environment, it probably relied heavily on local admin credentials that IT administration would access endpoints when they need to get work done. So, additional work is required to ensure they’re not all using a single, local administrative password. While this risk could be mitigated quite a bit by network access control limiting remote administration to a bastion environment, defense in depth affords us shorter incident response efforts.

Protect access to passwords if forced to share them.

The Expedia insider abused his privilege and stole credentials to gain access he wasn’t supposed to have.

Did you notice we’re talking about logs again?

All of the controls we’ve talked about so far creates rich logs with lots of alert opportunities. Put them somewhere useful!

Help your HR team out with on/offboarding.

The Expedia insider was still hacking long after he resigned.

In the end, there’s always someone you trust.

No matter how much control you exert over an environment, there’s always someone you’ve trusted to protect and build it. These risks can never be totally eliminated, simply transferred to yourself or others, or a technology. At some point we all risk trusting that others won’t abuse power we’ve given them just as others will put their trust in us.


From a distance, it’s clear to me that Expedia did as well here as any security team could hope to, if an assumption is made that there’s always room for improvement. Insider threats are extremely tough to detect, generally not focused on as highly as other threats, and this one in particular did not have great opportunities for detection with direct financial loss or an impact to customers.


I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.

Starting Up Security

Guides for the growing security team

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store