Hackers are a fact of life. From lone wolves to boiler-room scammers to sophisticated criminal networks and even governments, they pose a threat to every enterprise that does business online.
No one knows better than Sheldon Adelson. In February 2014, hackers successfully penetrated the computer systems of Adelson’s Las Vegas Sands Corp., causing the serial shutdown of systems in both Las Vegas and Bethlehem, Pennsylvania. By all accounts, the hackers didn’t want credit card numbers or other customer data, but revenge for inflammatory remarks the CEO made about Iran.
“They were bent on causing as much destruction, harm and embarrassment to Las Vegas Sands as possible,” says Gus Fritschie, director of Washington, D.C.-based SeNet International Gaming Labs and a specialist in online gaming security. And the “hacktivists” succeeded, wreaking a reported $40 million in damage.
In a more recent example, last June hackers wormholed their way into the networks of the Hard Rock Las Vegas. The motivation this time wasn’t politics but good, old-fashioned greed. Hackers used card-scraping malware to access internal systems, stealing credit and debit card numbers and CVV codes but not PIN numbers. It was the second time Hard Rock was successfully compromised in as many years. In both instances, system users were alerted. The extent of the losses has not been disclosed.
These examples—and the blaring headlines that accompany them—have motivated gaming operators to beef up security, but total impenetrability may be a myth. “It’s all about risk management, not 100 percent security—that doesn’t exist,” says Fritschie. “For total security, you’d have to unplug completely from the internet and not do business.”
Gaming operators—Fritschie rightly calls them “defenders”—have the tougher job here. “They have to secure a massively complex enterprise, while the attacker has to find just one mistake,” he says. “It could be as simple as a missed network patch or a missed configuration in the code, but that one mistake can allow an attacker to gain access. And the impact can be pretty devastating.”
In another example—this one sounds like something out of the Oceans 11 movie—in 2013, a high roller and his cronies cracked a CCTV system in the poker room at Crown Melbourne. The player, who was fed information on the table through a wireless earpiece, took Crown for $33 million in bogus winnings—despite 24/7 surveillance and a security system noted for its sophistication.
Hacking has become so unabashed that websites openly sell hacking equipment and serve up detailed manuals on how to use them. The most common attack vectors are external systems that are exposed to the internet, “like websites, gaming applications or anything that’s accessible for users to interface with,” says Fritschie. “There are vulnerabilities in external systems that can potentially be exploited to gain access to the underlying operating system. Then the hackers pivot to other parts of the network” to do their dirty work.
Perhaps the most prevalent (and successful) hacking approach is spear phishing, in which hackers send seemingly benign emails that ask users to click on a link. If they do, it opens a hole in the firewall and lets the attackers in.
To assess an organization’s security awareness, you’ve got to think like a hacker. SeNet does it with phishing emails, saying the IT department is testing password strength. If users don’t respond within a certain period of time, the email continues, their accounts will be disabled.
“You’d be surprised how many people actually enter in their passwords,” says Fritschie. “Usually, we’re above a 50 percent success rate.”
While most people are wise to blatant phishing, like the prince from Nigeria who wants you to wire money, some hackers are better than that. “When you get something that matches the emails typically sent from your IT staff, that matches the font, the header and footer, the graphics and the logo, it can look pretty legitimate,” says Fritschie. “Obviously there are some pretty easy ways to tell if the address is fake or not, but sometimes people just click on links and get on with their jobs.
“That’s why users are always the organization’s weakest link.”
So how can an organization safeguard against cyber attacks? Network segmentation, for one thing—barricading individual computer networks so they are accessible only to privileged users. This creates a series of more secure “locked doors” that can help to foil hackers.
“A highly secure network will have multiple network segments so you can’t get from one to another,” says Fritschie. “In the iGaming infrastructure, for example, if the corporate network is compromised, there should be controls in place to ensure the hackers cannot leap over that to the gaming network.”
Show Me the Money
While the need for better security is clear, some operators may resist, just because they don’t see an immediate return on investment.
“In iGaming specifically, until recently there weren’t that many sites making decent profits, so it can be hard to force them to do testing at a certain level,” says Fritschie. “It’s much easier to justify slot floor optimization that will make X amount of more money.”
It’s an unfortunate but common mindset, says Rob Prady, field sales engineer for security firm Axis Communications, based in Washington state. “You can equate it to a fire alarm system in the building, or business insurance—you don’t need it until you need it. But by the time you do, it could be catastrophic.”
Fritschie says bricks-and-mortar operations are “a little bit behind the iGaming side, but also have a little less exposure from an external perspective.”
He gives high marks to the iGaming industry in New Jersey. “The Division of Gaming Enforcement came out with specific guidelines of what needs to be tested on an annual basis. The mandatory testing makes sure the basic requirements are met—segmentation, strong application security, firewalls, patches on systems. I’m happy the DGE went the direction it did, because to be honest, if they didn’t require it, some operators might not do it.
“But the track record speaks for itself. At this point, there hasn’t been a major security breach of any big live iGaming sites in regulated environments in New Jersey—or Nevada or Delaware, for that matter—compared to what we’ve seen in unregulated environments.”
The fallout from high-profile security breaches is not just financial, Prady says. “The businesses that are affected will write off those transactions, and the customers hit with charges will see them reversed. But all of us in the economy end up paying with higher rate charges.”
The more dramatic impact, he says, is the effect on the customers themselves, victims of cyber crimes who must clean up the collateral damage, report violations, combat fraudulent charges, cancel and reorder credit cards and in some cases even fight identity theft. “It leaves them feeling violated,” says Prady. “If a business is attached and I suffer because of it, that makes me think less favorably of the business. It’s a huge reputation issue.”
The Enemy Within
Cybersecurity expert Shane Tews, a visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy, likens network security to the moat that guards a castle—but with a twist.
“The moat makes you feel protected from the enemy outside,” she says. “But the challenge now is inside. Casinos know that on a physical level. They have security in the elevators and on the floor, they have pit bosses and other layers of security to make sure nobody’s on the take. But the cyber version is just as important.”
After a breach, the first response is penetration testing. “Going back to the castle analogy, they run around and see how easy it is to get to the crown jewels. You figure out the weak links in your system and start to man those up, and at the same time you completely change out systems,” says Tews.
Again, this is where IT departments or security advisers may meet with some pushback from the money people. “One of the biggest challenges is that people feel they already have a big front cost in their hardware equipment, or they might have paid for a software license that they continue to maintain,” says Tews. “They don’t want to change because they’ve made that investment.”
Even so, and despite notable cases like the Sands and Hard Rock, she says gaming industry operators are taking security seriously. “They’re spending a commensurate amount of money for the risk they have. They’re investing in a very sophisticated, professional way that you don’t see retailers doing. They’re getting better. But they’re still patching,” which carries its own risk.
“Say you’ve got 10-year-old systems that are running on three-year-old upgraded software that you just keep patching,” says Tews. “You’ve got layers of layers of patches, when what you really need to do is just gut it all and start over.
“Sophisticated network operations are always rebuilding their systems. Say you go in and see a row of 100 servers. Well, they’re replacing them the whole time. By the time they get to row 99, they’re ready to go back to row one. They’re constantly updating their systems.
“If you have enough risk, that’s what you do.”