For the past seven years, GLI has held a roundtable for North American regulators. The purpose of the event, and the reason it has grown exponentially in attendance each year, is that it gives regulators a reliable, neutral environment in which to learn about the latest advances in technologies that will almost immediately be impacting their jurisdictions and their regulations.
Beyond the presentations, however, is something even more valuable - a safe forum where attendees can express their concerns and ask questions of each other. A complete wrap-up of the event is featured earlier in this publication, and I wanted to use this column to share one topic of discussion regulators focused on during the roundtable.
Over the three days, one of the main topics of discussion was network security. This should not be read to mean that “network” concerns only the casino floor. Regulators were concerned about network security throughout their entire operations, given that we are in the technological age. Because of that, regulators at the roundtable were rightly thinking about assessing current security and pre-planning broadly for a higher level of network security than that on which they operate today.
The reason for the concern is that hackers and spammers are actively using the latest software security holes, worms and Trojans in an attempt to attack many different types of businesses. Some 20 new worms were identified in January 2007 alone. In addition, hackers try to trick internet users into revealing personal and financial information.
Constant attacks on private and public systems have become more than just a nuisance – they have become an overwhelming financial burden of more than $10 billion to the business world at large annually. This was what was on regulators’ minds: systems obviously need security attention, but which ones and when?
The old saying goes, there’s no time like the present, and this is especially true of network security. The systems that need attention include: the accounting system, together with communication to and from the system; bonusing (AFT/EFT) and player tracking and system monitoring interface boards; kiosks, such as gaming devices; bill/ticket validation; multi-station automated table games; turnstiles; and standalone, local and wide area progressive controllers. These are just the gaming systems. Operators should also consider increasing security with nongaming systems, including retail, show ticketing, hotel registration, even e-mail used in the casino’s various offices.
The main parts
To help regulators and operators assess their current situation and prepare for the future, GLI has formed a relationship with Foundstone Professional Services, a division of McAfee, and at the roundtable, representatives from Foundstone and GLI discussed several options, the most important of which is the on-site inspection.
Regulators use GLI to test and certify gaming equipment, and of course, those tests are done in the lab. But the only way to test and “certify” a network is with an on-site inspection.
Four main goals are accomplished with an on-site inspection. First, the inspection will verify that what was tested in the lab is what was installed in your casino. Without verifying on site, the idea that what was tested is what is operating is an assumption.
Next, constant monitoring ensures your online accounting system, and other systems on the property, are not infected by hackers. Unfortunately, hacker tools are being written to access your computer system using known software vulnerabilities. Most of these programs have been written and are freely distributed from hacker Web sites. And some of these programs were written for legitimate uses and are now abused as hacking tools. Don’t worry: an on-site inspection will seek out, test and repair potential chinks in your network armor.
That leads to the third point. On-site inspections help to ensure system integrity and security. A full audit of your network security will assess external networks and all internet-connected devices on your network; internal networks and internal devices; wireless security; host security configuration (your critical servers); network architecture security (the effectiveness of your network’s design structure); and an assessment of the building’s physical security.
Lastly, regulators need to establish ongoing procedures to ensure constant updating of network security. Think of it this way: a hacker is a criminal, and a criminal’s full-time job is to commit crime and to think up new ways to commit crime. Hackers are determined and smart. They might not necessarily look as Hollywood slick as George Clooney, Brad Pitt and the rest of the “Ocean’s 11,” 12 and 13 gangs, but they are dedicated to their “craft.”
Fortunately, regulators are equally determined to protect operations and the industry, and we must realize that, together, we must constantly and proactively move aggressively to thwart hacker attack efforts.
This is not to say that doomsday is looming large, but network security should be treated as a legitimate business concern. Fortunately, there are technological experts who are just as good at staying ahead of hackers as hackers think they are good at committing crimes.