The past year saw a number of high-profile security incidents across various verticals. Target and Home Depot in the retail sector, Sony in entertainment, and Las Vegas Sands in gaming, to name just a few.
What is also interesting is how the motive behind these attacks varied. In some instances, financial gain was the driving force, but in others hacktivism or attacks for political views was the primary motive.
While the examples listed above feature large, well-known companies, there are just as many (if not more) smaller, lesser-known organizations that have suffered security breaches. This article will explore what gaming organizations (both land-based and iGaming) can learn from these cyber-attacks, how they should react, and what they can do to reduce risk in the future.
When, Not If
It is a common expression in the security sector that it is not if you will be “hacked,” but when. What I have learned throughout my security career is that you can never eliminate all vulnerabilities. The goal is to manage risk and make informed business decisions regarding your information technology infrastructure.
All organizations have vulnerabilities that could be exploited by a skilled and determined attacker. Our job is to make it as difficult as possible for an attacker, while balancing business needs, to cause them to move onto the next target (no pun intended). We also need to have capabilities in place to detect and respond to attacks when they do happen.
Lastly, we need to have a plan on how we will communicate with our customers in the event of a breach. Before we cover these items in detail, let’s see what can be learned from one of these previous attacks.
I was having a security discussion with the vice president of technology of a major land-based casino, and one of his concerns was facing attacks not for financial gain, but those that had a social or political message. We may not want to admit it, but gaming is not universally loved. There are those in the anti-gaming crowd that may look to cause harm via cyber-attacks.
As I have written about in the past, one of my fears is that a regulated iGaming organization will suffer a major incident that could set the industry back and curtail growth. Organizations can also become targets because of their leadership. A prime example of this is Las Vegas Sands.
Bloomberg Businessweek reported in its December 15, 2014 edition that the attack against Las Vegas Sands was driven by LVS Chairman Sheldon Adelson’s remarks on Iran’s nuclear program. If the reports in Bloomberg are accurate, the attack vector was a development server that was exposed to the internet. The attackers used this avenue to gain access to LVS’ internal network, and caused significant damage.
Some may be surprised that it was this easy to compromise a major organization. But if we have learned anything over the past few years from these news stories, it is that these larger, profitable companies are just as vulnerable as smaller organizations.
It was reported in the same news story that in 2012 there were only five cybersecurity personnel protecting over 25,000 systems on LV Sands’ network. While the board approved more budget, it was in the process of slowly being rolled out. Unfortunately, this is also something I have seen both in and outside the gaming sector. If upper management does not make the investment in information security, they are asking for trouble.
I have seen a number of gaming organizations that don’t have security leadership (i.e., CISO), but at the same time they will spend millions on marketing. Until we recognize the importance of information security to the business, we will see more of these types of security breaches.
One of the most important assets gaming companies have is data. This data must be protected, and there is no one single solution. Firewalls, data leakage prevention, intrusion detection/prevention, encryption, access control and many more are all areas that must be taken into account.
Another lesson gaming companies can learn is that compliance and regulation are not the ultimate solutions. Both Target and Home Depot were PCI-certified at the time of their breaches. During the course of performing security assessments for our customers, we often discover weaknesses that could lead to a security compromise.
These are organizations and systems that are certified against FISMA, PCI, HIPAA, or whatever standard you name. The same holds true for gaming regulations. Many of the gaming MICs and standards should be viewed as a starting point, not the finish line.
Compliance and regulation should be viewed as the minimum level of security that needs to be implemented. We also have to be careful not to get pulled into the compliance game, where the majority of the security budget goes into making sure the organization meets the required controls. What this often leads to is security that looks good on paper but not in practice. Remember, just because you are compliant does not mean you are secure, but if you are secure you will be compliant.
Step by Step
So what can organizations do to be better prepared to respond to security threats?
• Understand where the weaknesses in your security posture are;
• Implement detective capabilities to respond to security incidents;
• Have a breach response plan detailing how you will communicate with your customers.
Unfortunately, there is no silver bullet for information security; there is no widget that you can implement that will protect you from all cyber-attacks. Don’t fall for pitches or solutions that promise such. It is only a layered approach that incorporates risk management and knowledge of your environment that leads to an increased level of security.
Understanding what your weaknesses and vulnerabilities are is the first step. By performing security assessments and penetration testing, we can learn where the holes are and take steps to mitigate them.
This applies to technical controls, but operational and management controls are just as important. I am not suggesting that you have to fix everything, which would be impossible. But by understanding what those risks are you can make informed business decisions. The key point is you will have the knowledge and information to make these decisions. I had one customer who did not want to perform these tests because they were scared of what they would find. Sticking your head in the sand and waiting to be breached is not the solution.
The second key is to have detective capabilities in order to be alerted when you are attacked and breached. I stated earlier that it is just a matter of time until your organization suffers a security compromise. In order to quickly respond and limit damage you need a comprehensive solution. This is a combination of intrusion detection and prevention tools, installed both internally and externally, forensics, detailed auditing and logging, and data correlation tools that bring together information from your various sources.
Lastly, you need a breach response plan. This should cover what you will do from a technical perspective, but also how you will inform customers and perhaps regulators. It is not fun to suffer one of these types of security incidents, but at least if you have processes and procedures, you will be able to limit the damage, both technically and from a public relations viewpoint.
While it is impossible to go over all the items that companies should be doing to better protect themselves, hopefully this article has given you some items to consider. My advice is to start by asking, when is the last time you had a real security assessment, not one just for compliance purposes? If you have not had one recently, start the process to have it performed.
You cannot protect and secure what you do not know about. Knowledge is key, and while security has a cost, it is much more costly to respond after the fact.