POSTINGS FROM THE TEAM
Read the latest postings from our Uniguest team
It is probably no surprise that cyberattacks often happen when you least expect them or when you are most vulnerable. In what sounds like a movie plot, attackers went after data at a North American casino through an internet-connected fish tank, according to a report released by the cybersecurity firm Darktrace. The tank's sensors were connected to a PC that regulated its temperature, food, and cleanliness, and a device nobody thought of as a computer gave the attackers a foothold on the network.
Any organization that holds sensitive digital information needs a well-secured environment that protects that information from cyber threats. Breaches are not 100 percent preventable; there are, however, steps you can take to reduce the risk and the resulting liability. The systems you deploy must be ready for anyone who attempts to steal your data.
A hotel that does not make guest-facing security a priority leaves itself exposed to breaches that will be costly in both the short and the long run. The best approach is to identify what you need to protect, then build several layers of defense around it as quickly as possible, so that no single missed detail gives an attacker everything.
Some may think their property is ready for an attack until one happens. How can you test that theory before it is tested for you? A viable and simple way is a penetration test.
A penetration test, also called a pen test or ethical hacking, is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. A pen test is also a required step in establishing PCI DSS compliance: Requirement 11 calls for penetration testing at least annually and after any significant change to the environment.
There are generally five stages to a properly conducted pen test:
- Planning and defining the scope of the test
- Reconnaissance, scanning, and assessment
- Gaining access
- Maintaining access and attempting exfiltration
- Analysis and reporting of the findings
Once you have the analysis, prioritize the findings by risk and mitigate the vulnerabilities quickly, starting with the critical ones. A pen test should be conducted at least every year and after any major change to the environment; given how fast attackers move, it belongs in your regular risk assessment cycle.
The reality is that your property is going to provide more access to guests and connect more IoT devices over time, so trying to reduce the technology is not a competitive option. I meet with a lot of clients who feel they can self-manage their property devices. Doing it yourself when it comes to security only lasts so long.
Doing it yourself often means taking privileges away from your guests and limiting what they can do at your hotel. You want them to be able to enjoy your hotel as if they were at home or at their own workplace.
Breaches do not happen because you grant guests access and amenities; they happen when attackers take advantage of the fine details that were missed. Encrypting data, segmenting the network so guest and IoT devices cannot reach back-office systems, eliminating PII you do not need to hold, and continuously monitoring what enters and leaves your networks are key examples of those details.
Cyber attackers are continually evolving and finding new ways to get what they want. For any cybersecurity program to last, it must mature continually, or it will weaken and fail to protect your guests from evolving threats. Having your data security monitored by a single person is a daunting task even if that person knows what they are doing.
In summary, systems built for cyber defense, an evolving cyber plan, and annual pen testing are what determine whether your systems are strong enough to withstand a cyber threat.
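Network segmentation and egress monitoring are the two controls that would have caught an attack like the fish-tank case above: an aquarium controller has no business talking to a file server, and it certainly should not be pushing gigabytes to an unknown host on the internet. As an added example (not from the original post and not Uniguest code), the Python below checks constructed flow records from a hypothetical IoT VLAN (10.40.0.0/24) against a hypothetical allow-list and an egress-volume threshold; the addresses, ports, threshold, and records are all assumptions for illustration.

```python
"""Egress and segmentation check over flow records from an IoT network segment.

Added example (not Uniguest code). Everything here is constructed: the IoT
VLAN 10.40.0.0/24, the allow-list, and the flow records below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records, one per line: timestamp src dst dst_port bytes_sent.
# Device 10.40.0.23 stands in for an internet-connected aquarium controller.
SAMPLE_FLOWS = """\
2019-04-17T02:13:05Z 10.40.0.23 10.40.0.1 123 76
2019-04-17T02:13:09Z 10.40.0.23 203.0.113.9 443 812
2019-04-17T02:14:11Z 10.40.0.23 10.10.5.17 445 15602
2019-04-17T02:20:44Z 10.40.0.23 198.51.100.77 443 10737418240
2019-04-17T02:21:00Z 10.40.0.41 10.40.0.1 123 76
"""

# Hypothetical segmentation policy for the IoT VLAN.
IOT_SEGMENT = ip_network("10.40.0.0/24")
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]          # the property's private address space
ALLOWED = [                                             # (destination, permitted ports)
    (ip_network("10.40.0.1/32"), {53, 123}),            # local gateway: DNS and NTP only
    (ip_network("203.0.113.0/24"), {443}),              # the device vendor's cloud service
]
EGRESS_THRESHOLD_BYTES = 100 * 1024 * 1024              # 100 MiB per device per log window


@dataclass
class Flow:
    ts: str
    src: object
    dst: object
    port: int
    nbytes: int


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_flows(text):
    """Parse the whitespace-separated flow format above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(port), int(nbytes)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_allowed(dst, port):
    return any(dst in net and port in ports for net, ports in ALLOWED)


def check_segmentation(flows):
    """Flag IoT devices that reach non-allow-listed hosts or send unusual volumes out."""
    findings = []
    egress = defaultdict(int)
    for f in flows:
        if f.src not in IOT_SEGMENT:
            continue                      # only policing the IoT VLAN here
        if not is_allowed(f.dst, f.port):
            where = "internal" if is_internal(f.dst) else "external"
            findings.append(Finding(str(f.src), str(f.dst),
                                    f"{where} destination not in IoT allow-list (port {f.port})"))
        if not is_internal(f.dst):
            egress[f.src] += f.nbytes     # count every byte leaving the property, allowed or not
    for src, total in egress.items():
        if total > EGRESS_THRESHOLD_BYTES:
            findings.append(Finding(str(src), "*",
                                    f"{total} bytes sent to external hosts exceeds threshold"))
    return findings


if __name__ == "__main__":
    for finding in check_segmentation(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding.src} -> {finding.dst}: {finding.reason}")
```

The third record shows the IoT device reaching an SMB port on a back-office subnet, which segmentation should block outright; the fourth shows a large transfer to an unknown external host, which only egress monitoring catches. In a real deployment the same logic would run over NetFlow/IPFIX or firewall logs, with the threshold baselined per device class rather than hard-coded.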
Matt Goche, Chief Operating Officer
Schiffer, A. (2017, July 21). How a fish tank helped hack a casino. The Washington Post. Retrieved April 17, 2019, from https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/
When you run your business day in and day out, it can be difficult to see the small imperfections in your operation. One critical area that can go unchecked is the maintenance of your company's security posture. Evaluating that posture can be done internally, but when a third-party vendor performs it, the risks and vulnerabilities that exist are identified from a more objective point of view and can be addressed faster and more appropriately.
Why Perform a Third-Party Security Evaluation
If you designed your own systems and networks, it is hard to be truly objective when reviewing those designs and implementations for gaps and weaknesses. Cyber security may also be an additional duty for people at your company rather than a core competency staffed with security experts. Companies that perform third-party security evaluations are typically staffed with such experts, often backed by research teams that track newly discovered weaknesses, and they test many different organizations, which gives them perspective on what works and what does not. A full view of your weaknesses and of the effectiveness of your controls requires that kind of nuanced insight; this is what they do all day, every day. They also carry no bias, conscious or otherwise, toward decisions the company made in the past.
A security evaluation should cover the people, processes, technology, data, and vendors that make up a company's security posture. It should confirm that your corporate systems are protected from outside intrusion and that your guest-facing technology is properly secured. Each of these areas requires an investment of time and focus to understand whether, when challenged, it can stand up to the latest hacking techniques.
Internal security testing and validation should continue under a comprehensive security policy and program. These also benefit from a third-party security evaluation that validates the internal controls are working and are being updated to meet the needs of the business and the security level the systems require.
Verify the references of any third-party security testing company to ensure they have the skill set, depth, and breadth to properly vet a security program. Given the pace of technology change (cloud computing, mobile computing, middleware integrations, and more), not to mention the speed at which malware and hacking techniques develop, testing companies must show that they are keeping pace with today's technology and today's challenges.
How Often Should You Test and What Should Be Tested
Initial testing of a network or system should be performed before it is released into production; this gives you a strong baseline to work against. After that, testing should occur annually or whenever a major change is made, whichever comes first. This ensures that changes do not degrade the environment's security and that the system is regularly tested against new hacking techniques and newly disclosed vulnerabilities.
As mentioned above, testing should cover the full security program: people, process, technology, data, and vendors. People in security roles, physical or digital, must be competent at their security duties; this ranges from background checks and physical access controls to database security and effective logging, because there are many attack vectors available to anyone who wants to harm the company. Processes must be executed consistently and in line with policy so that changes do not introduce new gaps or vulnerabilities. Technology and data must be secured to a level that matches the sensitivity of the data. Lastly, vendors that play a role in the company's technology portfolio must be held to the same standards as the rest of the security program.
After testing is complete, each gap must be remediated, accepted (if the cost of the fix outweighs the potential impact), or transferred through insurance or other means. Critical gaps must be corrected before a system is released into production and, if the system is already in production, must be corrected with urgency. Follow-on testing should then validate that the vulnerabilities were sufficiently remediated.
Once your company has had a third-party security test performed and has corrected (and validated) the identified remediations, its overall security posture will be greatly advanced. Creating a safe environment for your customers to enjoy, physically or virtually, is always the top priority. Third-party security evaluations keep the company accountable, correct mistakes and address new challenges, and provide proof that you are being a good steward of cyber security.
Jason Meister, Senior Manager, Information Technology & Security