Executive Summary - Priceline
didosld
ExecutiveSummary-Priceline.docx
1
Executive Summary
Introduction
Priceline.com is an agency that aims to make traveling easier by providing online travel-related services such as finding flights, hotel stays, and car bookings. They act as an intermediary between customers and providers (Etzioni et al., 2003). Priceline.com started its roots in the business industry of online travel companies in 1997; they are a sub-part of Booking Holdings. Their main purpose in joining this industry was to attract the two unsaturated markets and come up with a way of mixing market penetration with market development by using the demand and power of the Internet. Commonly, airlines work on a regular basis, and individuals always travel. Priceline.com took this perfect opportunity by giving the hustled clients an easier way to travel with a stress-free process of online booking options. This site also provides suitable hotels in the neighborhood of the client’s desired destination.
It is an online travel company with a total of 40% share in the global travel and tourism market, according to the report of Statista (2021). According to the financial statements and account handling of yahoo finance, Priceline.com is one of the third largest public travel companies by market share.
The department that works for the informational security of Priceline.com is very reliable and secure. They make sure that their technical, administrative, and physical safeguards and databases are manufactured to block unauthorized access and maintain zero percent data error with increased efficiency (Huang et al., 2014). They also do not lead any personal information of their clients and make sure that clients' personal data is not used for any other purpose, such as digital marketing. All of this is done by collaborating with multiple departments but mainly by MIS experts and the Cyber security department. These all are comprised of one structure known as the privacy department.
The overall organization of Priceline has a vertical organizational structure where the decisions are made by the top management and descended to employees through their hierarchy. Similarly, their privacy department has a vertical organizational structure too (Huang et al., 2014).
Priceline is able to operate with only 12,700 employees worldwide. It has a high revenue margin, including a gross margin of 88.90%, an operating margin of 36.00%, and a profit margin of 27.40%, allowing Priceline to produce higher income from its sales. According to this data, each departmental unit's budget is reasonably high as they operate in an international market. The privacy department is owned by the Chief Technology Officer (CTO). CTO is a higher authority that under-looks every technological matter where technological units, systems, and management evolve and continuously change (Privacy & Cookies Policy, 2021). According to the 2021 Annual Report, the information technology budget was around $412 million, which also accounts for 3.8% of the revenue.
There are many policies on Priceline.com that secure their client's information safety. To provide confidentiality, they use another email site where clients can ask the organization to delete their data. Their integrity is based upon the stem of reliability and the great dealership to provide loyalty to their customers. To be on the specific site, they have many small sites and programs that deal with client satisfaction, such as protecting credit card transactions they use in transit and Secure Socket Layer encryption. They have provided cross-border data transactions for their customers to be saved from the establishment, exercise, and defense of legal claims (Privacy & Cookies Policy, 2021). They also record the data of their transactions to deal with any sort of legal processing. They provide their customers with marketing choices whose main purpose is to exercise client control over any marketing communication.
Priceline.com’s incident response is rather quick and strategic than long-term and planned. They have 24/7 online and offline helplines that provide canceling, exchanging, and changing guidance (Mills et al., 2002). Their customer care tools offer immediate help regarding any matter. The first step of their response policy is to inform the company about your issue; then, the second step is taken by the company that transfers the issue to the concerned department for a quick inquiry. After a detailed evaluation of the situation from every aspect, customer complaints are dealt with immense and immediate recovery plans. The incident response policy ensures the customer's satisfaction and resolves conflict efficiently.
Systematic failures are inevitable, and chances of errors are always present despite prevention. According to Priceline.com, they do not have a completely formalized or comprehensive disaster recovery plan. Any sudden interruption in their business can cause a loss of revenue and harm their reputation. However, the continuity of business cannot be threatened due to the stability of their business and the steps taken to increase the reliability and redundancy of their systems. They have plans to reduce their profit margin and serve the customers in the disaster recovery duration for business continuity (Mills et al., 2002). Indeed, these plans do not help earn more revenue, but they would earn customer loyalty and good repute among the valued customers. Priceline.com has promised to deliver excellence to ensure reliability and redundancy in the quality of their systems.
About the Web Application
Priceline has numerous web applications hosted within their website, though many of them are similar all require different inputs and provide different outputs. Without the necessary insight into the exact name of the chosen web application, we will refer to this application as “Trip Booking” as we explore the application in further detail. Trip Booking is hosted at the URL https://www.priceline.com/?tab=vacations which contains records as being hosted at four different IP addresses (151.101.194.186, 151.101.66.186, 151.101.130.186, 151.101.2.186).
Trip Booker is a web application that serves end users by giving them the ability to find travel arrangements for most of the needs they have for a vacation in one convenient location. Flights, rental cars, and hotels can all be searched for a specified date range of a potential trip and all of the results are provided to the end user. For added functionality the user can also specify for multiple hotels to be used over different time spans of the overall trip, as well as one way flight accommodations for the trip.
The end user for this web application is a little hard to define in more than a broad generic group as the general public is the target user. Some of the users would be people looking to make arrangements for business trips, while others could be booking family vacations. The options are nearly endless, and the users and destinations span the breadth of the world. Really the application is aimed at everyone who might have any interest in travelling to any destination in the world.
For this web application to function correctly, five inputs are required from the user. The first of these inputs is in the form of a radio button to select the needed components for the trip (hotel, flight, car, or combinations of these). Next is a departure location and then a destination location both of which take the user input and prompts for the nearest airport to the destination name provided. An interactive calendar provides select for a departure date and return date to be input, and then a number of travels selection which is broken down to include adults, children, and a number of rooms needed. Optional inputs include an option to provide separate dates for hotels, which Priceline.com refers to as “I Only Need a Hotel For Part of My Stay.”
Upon execution of the web application by the user, first a return of hotels available for the specified parameter is displayed in the browser. The outputs can at this point be filtered down based upon available criteria such as amenities or distance from a specified location. After selection a hotel for further review, output returned is a more detailed look at the room including images, available rates, and optional add-ons, total price for the duration specified as well as an ability to select the room to be added to the booking. After booking the room, output is that of a list of available flights for the user to select an appropriate flight with prices and times for each displayed. Lastly on the return is a list of available rental cars, showing different brands and price points for the trip. After selecting the rental car, the application returns a trip overview showing all of the details from the previous inputs and outputs and an option to proceed to the checkout application for the specified trip.
The architecture of the web application is closely protected, but thanks to an agreement between Priceline and HackerOne’s bug bounty program, testing was able to be done to reveal some of the architecture. The web application servers use a CDN or content delivery network to which is provided by Forter.com. “A CDN is a network of servers linked together with the goal of delivering content as quickly, cheaply, reliably, and securely as possible.” (What is a CDN? | how do Cdns work? | cloudflare n.d.) The application sits behind a WAF or web application firewall, but through reconnaissance was unable to identify which type of WAF was in use. The servers themselves have an operating system that has eluded discovery, though targeted Nmap scans have shown them to likely be hosted on a Linux host. Behind the servers, likely on the other side of the DMZ (De-Militarized Zone) would be the databases, though the type in use has also eluded discovery but is likely some form of SQL database, from review of the GET and POST messages seen when a request is made from the application. Also of unknown origin is the authenticating server, which appears to provide authentication either through locally stored (on the authenticating server) or through FIM or Federated Identity Management. “Federated login enables users to use a single authentication ticket/token to obtain access across all the networks of the different IT systems.” (Robinson, 2019) The FIM providers in use for Priceline are Apple, Google, and Facebook.
The architecture of the web application follows a very specific flow to ensure maximum availability of the service with a high degree of security for the features. When a user visits the URL of the web application a request is sent to the Forter CDN, which then will either allow the request or prompt for a captcha challenge to reduce the impact of automated hacking tools. Once the CDN has provided access, the request is forwarded through the web application firewall to the web application server. Authentication mechanisms have been seen in multiple types for the application. Firstly, is through the use of cookies and session tokens, and the second through identity management services allowing log ins to a registered account and persistence through the session tokens. The authenticating server receives the request and upon successful authentication the session is opened between the server and the client browser. On the server side, when a properly authenticated request comes in, the server queries the database, and forwards the structured response to the client browser for parsing and display of the content.
The Priceline web applications require some very specific technologies to be able to run. Client browsers are required to be of a Safari or Chromium based build for the application to run correctly. For security technology the web application requires TLS (Transport Layer Security) version 1.2 or 1.3 to be able to operate, and versions predating this will be rejected by the application. On the server side of there is the language Next.js in use, which is built upon a Node.js infrastructure to provide uniform rendering for the web application. “Rendering the same components on the server side as on the client side (universal rendering) means that development time is reduced as we can build our React components once and Next JS takes care of everything to do with re-rendering those components in the user’s browser.” (Duncan, n.d.) Also in use is Istio-Envoy to act as proxy. “Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh.” (Architecture n.d.) To enhance the speeds of such a formidable application Varnish 1.1 is used for caching the application to be able to facilitate faster load times on the client side.
Web Application Security Mechanisms
Priceline collects lots of sensitive data from a user due to its business operations nature. Proper authentication and security are crucial for online businesses operating worldwide like Priceline since they are great targets for hackers. A successful breach would result in gaining valuable, sensitive information, which attracts hackers worldwide. Currently, Priceline keeps records of the following aspects: legal name, address, contact information, age, date of birth, gender, IP address, credit or debit card information, device information, web logs, general device locations, specific device location (with consent), and more. Priceline may also retrieve this information from other sources like third-party applications, like Google and Facebook, third party data providers, and others. The fact that this company operates online and keeps records of aspects of such sensitive nature puts high security, authentication, and data handling standards on this company and its business affiliates.
Priceline uses password authentication for users signing in their personal accounts. A password for a personal account must be at least eight characters with a number or a special character. A user is given five attempts to enter the password correctly, if a user has exceeded all attempts, the account locks automatically and can be further unlocked by verifying your identity with Priceline customer care. User`s password is linked to a personal email; therefore, user can manually reset a password for the account via email. The website also supports Single sign-on with Google, Facebook, and Apple accounts for users’ convenience.
Priceline currently works with Okta to provide users with high-standard authentication and access controls. Okta implements centralized cloud solutions for managing Priceline and their partner applications while providing user ability of SSO and admins to manage users access across all sister applications. For authentication and access control, Okta uses LDAP protocol. LDAP is a lightweight subset of the X.500 Directory Access Protocol and has been around since the early 1990s. LDAP single sign-on lets system admins set permissions to control access to the LDAP database. It can deal with password expiration, password quality validation, and account lockout after a user has too many failed attempts. An LDAP agent can authenticate users in real-time - it compares the data presented to what’s stored in the LDAP database instantly, so no sensitive user data needs to be stored in the cloud. Okta allows admins to control their own users and enable access to a joint application–without having to worry about Active Directory trusts, firewall rules, or proxies. For access control, LDAP implements RBAC methodology, which simplifies administration by assigning roles to users and then assigning permissions to those roles. The current setup allows for efficient access control, an admin can disable a user once, and that user loses access to any other sister applications supported by Okta.
Deploying Okta has contributed to a deeper understanding of employee app usage across Priceline. This helps IT make sure the apps they are supporting are those that their users need and are happy with and allows the enterprise to keep better track of licenses. For Priceline, switch to Okta decreased users` down time drastically, allowed users to better self-handled sign-in problems, improved orphan accounts monitoring, enchased security, and automated many processes. Moving forward, Priceline plans to incorporate Okta’s Threat Insight capabilities to gain deeper, actionable understanding at the device level around where its users and threats are coming from. Bolstered by the wins to date, Priceline continues to actively look for ways to further integrate Okta across the enterprise. For every upcoming project, Priceline engineers plan to integrate each one of those if possible. (Priceline | Okta, n.d.)
For any financial transactions, Priceline requires the user`s following information: full legal name, credit or debit card information including CVV code, physical address, including city, country, and zip code, personal email address, and a phone number. A user can cancel an order made on his/her name via email within 24 hours after the order was created. After every submitted order, a user gets an automatic confirmation email that includes a link to cancellation, unless a booking is a non-refundable deal. For car renting reservations, users identity is confirmed by requesting the user`s full legal name, date of birth, credit card information, and sometimes passport information for international drivers.
To receive online payments, Priceline or any other website must always be Payment Card Industry (PCI) compliant. PCI has 12 requirements, and a requirement № 8 addresses authentication issues. Here are some examples of PCI requirements: standard 8.1.1 - every user must have a unique ID before being allowed to access system components or cardholder data; standard 8.1.4 – inactive user accounts must be disabled after 90 days; standard 8.2.5 – prohibit the use of the four last known passwords. Some of the requirements listed by PCI apply to users and their authentication, while others apply to the company and its employees who have access to that sensitive information. PCI requirements might differ depending on the exposure of an employee to sensitive data. (Bartels, 2017)
To provide protection for credit card transactions while in transit, Priceline currently uses Secure Socket Layer encryption. Secure Sockets Layer (SSL) is a standard technology behind establishing an encrypted connection between a web server (host) and a web browser (client). This connection between the two makes sure that all the data passed between them remains private and intrinsic. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers. Having an SSL certificate installed is one of the 12 primary requirements set by the PCI.
Priceline currently supports HTTPS certificate for its web application which means the web site itself supports SSL standard. According to SSL Checker, Priceline uses a varnish accelerator, and SSL certificate for the website was issued by GlobalSign, which is valid from October 20, 2021, to October 20, 2024. The algorithm used by Priceline is SHA-256. The SHA-256 algorithm is one flavor of SHA-2 (Secure Hash Algorithm 2), which was created by the National Security Agency in 2001 as a successor to SHA-1. SHA-256 is a patented cryptographic hash function that outputs a value that is 256 bits long. SHA-256 is used in some of the most popular authentication and encryption protocols, including SSL, TLS, IPsec, SSH, and PGP. In Unix and Linux, SHA-256 is used for secure password hashing. Some cryptocurrencies, such as Bitcoin use SHA-256 for verifying transactions. SHA-256 is one of the most secure hashing functions on the market. The US government requires its agencies to protect certain sensitive information using SHA-256. While the exact details of how SHA-256 works are classified, we know that it is built with a Merkle-Damgård structure derived from a one-way compression function itself created with the Davies-Meyer structure from a specialized block cipher. (N-Able, 2019)
Priceline uses RSA encryption with the SHA-256 algorithm. Under RSA encryption, messages are encrypted with a code called a public key, which can be shared openly. Due to some distinct mathematical properties of the RSA algorithm, once a message has been encrypted with the public key, it can only be decrypted by another key, known as the private key. Public-key encryption schemes differ from symmetric-key encryption, where both the encryption and decryption processes use the same private key. These differences make public-key encryption like RSA useful for communicating in situations where there has been no opportunity to safely distribute keys beforehand. RSA encryption is often used in combination with other encryption schemes, or for digital signatures, which can prove the authenticity and integrity of a message. (Lake, 2021)
The latest global impact produced by COVID-19 made many companies shift to a remote operational model for employees and users. Since then, Priceline had its sight on a coffee-shop model, in which users could come and go freely between offices without going through contortions to verify permissions and authorization to the corporate assets they needed to do their work. Dropkin and his team were interested in secure remote-access technology to allow for easier least privilege enforcement and simplify the process of granting access to consultants and other third-party users. Priceline is trying to catch up with the latest trends and provide employees and users with fast and efficient modern solutions. Some of the company’s future priorities are automation and cloud implementation. For those purposes, the company is planning to work with industry known secure solutions providers.
Priceline will comply with any future requirements of PCI for encryption and anonymizing a standard like CCPA for customer data protection. GDPR as one of the newest and most wide-ranging standards will affect Priceline as well. Some of the GDPR requirements include having a data protection officer and using standard contractual clauses when sharing data with non-EU-based organizations. For browser and server security Priceline will comply with any possible U.S. regulations and follow best guidelines.
Web Application Vulnerabilities and Attacks
Several attacks are possible against web applications, and Priceline is no exception. Web application vulnerabilities can sometimes be exploited when accessing a web application, but others can be found during the development process. The Priceline application used to plan, and book trips is generally vulnerable to hackers. An existing security policy and the latest version of Priceline's web application, libraries, and APIs safeguard the application. During the development process, web applications may be discovered to have hidden security vulnerabilities. Web applications must be secured against these vulnerabilities. Protecting data, employees, and customers from malicious, purposeful activity (Ahmad et al., 2021). Some of these vulnerabilities are hard to spot during development, which is why the application must undergo security testing. It is possible to analyze the potential threats and risks associated with each vulnerability using security testing of web applications.
According to Baako & Umar (2020), a few vulnerabilities can affect Priceline, including information disclosure, cross-site scripting, and cross-site request forgery, as identified by OWASP Top Ten 2021. Information disclosure occurs when a malicious user manages to access data that should not be publicly available. Web applications expose data to unauthorized users, which may result in attackers being able to obtain the users' personal information. Information disclosure vulnerabilities also refer to SQL injection (SQLi), session hijacking via cross-site scripting. Cross-site scripting (XSS) is an attack that allows a malicious user to perform actions on the targeted site, which then can be used by the attacker for their advantage. In addition, a cross-site request forgery (CSRF) attack occurs when a malicious user manages to create unauthorized requests on another user's behalf. It is possible because the application holds information that makes it easier to impersonate the targeted user's actions. A CSRF vulnerability can be even more dangerous than a simple XSS vulnerability because there may be no immediate warning giving away that an attack has been launched (Kaur et al., 2022). These vulnerabilities are dangerous risks to Priceline, as they could allow an unauthorized individual access to confidential information, including payment data and account specifics.
The OWASP Top Ten 2021 identified a few vulnerabilities that could affect Priceline, including information disclosure, cross-site scripting, and cross-site request forgery. The disclosure of information occurs when a malicious user gains access to data that shouldn't be open to the public. Personally Identifiable Information (PII) of users can be obtained by attackers if the data is exposed to unauthorized users via a web application. These vulnerabilities include cross-site scripting (XSS) attacks, SQL injection (SQLi), and information disclosure vulnerabilities. Attacks using cross-site scripting (XSS) allow a malicious user to perform actions on a targeted site, which can be used by the attacker for their advantage. An attacker can also perform cross-site request forgery (CSRF) by creating unauthorized requests on behalf of another user. Because the application contains information about a targeted user, it is easy to impersonate their actions. It is even more dangerous to have a CSRF vulnerability than a simple XSS vulnerability, because there may be no immediate sign of an attack (Kaur et al., 2022). These vulnerabilities are dangerous risks to Priceline, as they could allow unauthorized individual access to confidential information, including payment data and account specifics.
A web application firewall (WAF) helps in detecting and blocking malicious visitors from accessing an application. Additionally, it monitors and tracks attacks on the web application. To ensure that the Priceline application is secure and protected, a web application firewall detects both known and unknown attacks. This product is relevant to Priceline because it can help prevent malicious individuals from accessing private data or undertaking other unauthorized activities on behalf of the user. According to Akbar & Ridha (2018), WAF is vulnerable to common web application vulnerabilities such as XSS and SQL injection. Web Application Firewalls use several technologies to accomplish their goals: HTTP Authentication, Rate Limiting, Session Limiting, and Denial-of-Service (DoS) protection. WAF can use it to defend against specific threats by countering it. But a robust configuration and security rules are necessary to do so. Travel Booker's WAF implementation has been thoroughly tested and approved by its security team. As a result, a Trip book can be confident that a reliable WAF technology protects the application against cross-site scripting, SQL injection attacks, and other standard web application threats.
Content delivery networks (CDNs) are another method for protecting Priceline from malicious users. With the help of a CDN, webpages and static content are delivered to end-users with low latency. The network of servers is designed to enhance the performance of web applications, reduce the load on web servers, improve website security, and meet user expectations for performance. Furthermore, it can be used to reduce the likelihood of injection attacks against applications. It helps mitigate poor input validation by using a sanitizing mechanism to ensure that a malicious user will not abuse the input. However, it is prone to content spoofing, as it cannot spot malicious input. While CDN is a very effective security solution for helping Priceline to protect its web application, it does not act as an anti-virus or anti-malware product, and therefore, it is still possible for Priceline to be attacked by malicious users.
Okta is an authenticating service used by Priceline users. In order to eliminate passwords, it is designed to provide single sign-on (SSO) functionality. Credentials are stored in an encrypted format so that security information remains private. OKTA does not check user credentials for threats, as it uses authentication methods provided by web browsers, such as Secure Socket Layer (SSL). When a user enters a URL that contains valid credentials, it can be treated as a redirection to the Priceline login page or the Okta sign-in page. Using this method, the Trip book will have a private login mechanism that is both secure and efficient. It is vulnerable to passive and active threats. Passively, a malicious user can guess a user's password by trying different combinations of words until the correct one is identified. This threat is often referred to as brute force attacks. Phishing attacks, also known as active threats, are often used to trick users into revealing their credentials or other information such as credit card numbers and email addresses (Demertzis & Iliadis, 2019). The phishing attack may be targeted at the URL of the Priceline website, which can direct users to a malicious version of the website that mimics the legitimate version.
We need to protect Priceline from cross-site scripting, SQL injection, and brute force attacks. Because it contains sensitive information such as passwords and credit card numbers, Priceline is vulnerable to these attacks. Attacks like these can be carried out by malicious users who wish to benefit from this information. For example, an attacker could use credit card information to make a purchase online. Cross-site scripting exploits Priceline users by forcing them to click on a link that will take them to malware or another location where their private information can be compromised. SQL injection is used to insert unauthorized data into Priceline that could lead to financial loss for its users. SQL injection relies on the poor validation of input values provided by users, which makes it possible for hackers to use an injection attack to gain access to Priceline or use stolen information from the application, such as social security numbers and credit card numbers. Protection from such attacks is essential for Priceline to safeguard its users and their data.
( INTERNAL USE )
