From the lab: Operators must be ever vigilant to ensure networks stay secure
An interesting situation happened to a friend of mine during G2E. He used his credit card at a nationally known and established company that has an operation at the convention center.
Thirty minutes later, he got the dreaded text message from his credit card company: “We suspect unusual activity on your account; contact us as quickly as possible.” In the three minutes his card was inserted for the transaction, his information had been stolen in what looks to have been a lapse in the company’s network security.
Keep in mind, this wasn’t a rogue brand or temporary setup he was using his card in. This is a nationally known brand that conducts these types of transactions across the United States every single day, and it still happened.
Just down the hall from where his card information was compromised, there were countless gaming devices and systems on display, all of which can be networked, all of which can be compromised.
The fact is, as technology has advanced, so has the need to be even faster in responding to customer needs and smarter about our casino marketing efforts. That has led us to a time when casinos are placing a growing volume of valuable and sensitive information on their networks, such as accounting information, ticketing information, player confidential information and marketing information such as points redeemable for a monetary value.
Of course, this type of valuable data poses an increased risk to corporate casino security, and breaches in security have occurred.
We have found that most security breaches occur within the Local Area Network (LAN). While traditional solutions such as firewalls will continue to be used to protect the perimeter of the corporate enterprise, additional layers of protection will be needed, and an overall industry effort will be required to create the various pieces needed for a comprehensive, multi-layer solution.
Assess your risk
So what can slot managers, casino operators and regulators do to help ensure that their networks are as secure as possible? You should start with a frank and honest assessment of your network security. Start by asking a few basic questions:
• Are passwords difficult to crack?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
But how can you be sure you have the answers to these questions? You may want to consider a complete security assessment from an independent source. GLI conducts these types of assessments, but whether you use GLI or another source, keep in mind that you should audit both your internal network and your wireless network.
Let’s start with the basics and define exactly what a security assessment is: Quite simply, a security assessment is a systematic, measurable technical assessment of how the organization's network security measures and policies are employed at a specific site. Systematic and measurable are the key words in that sentence, because the assessment should be able to quantifiably measure whether or not your network security policy is in compliance and where any deficiencies lie.
Next, the internal network audit should identify any possible vulnerabilities or holes in the network that a potential hacker or a malicious employee might use to take the system down, sell information to a competitor, or worse, plant possible viruses on the system that would enable a person to steal or manipulate the income of the property.
Then, a wireless audit should give you a complete map of all wireless access points on property, as well as any access points that might be on the network that are not authorized to be there.
This audit must identify the encryption levels and how easy it is to break the encryption code (hopefully it can’t be broken). And critical to this audit is a map of how far the wireless network bleeds outside of the property, to prevent possible hackers from sitting outside the casino and attempting to hack the system, as happened to my friend during G2E.
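One way to reconcile the wireless survey described above against an approved inventory, as an added example (not from the original article or from GLI). The inventory, the survey rows, the list of weak ciphers and the -75 dBm bleed threshold are all constructed assumptions.

```python
# Constructed approved inventory: BSSID -> (SSID, required encryption).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CASINO-FLOOR", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CASINO-BACKOFFICE", "WPA2-Enterprise"),
}
WEAK = {"OPEN", "WEP", "WPA"}  # assumption: modes the audit treats as breakable
BLEED_DBM = -75                # assumption: weakest signal still usable off property

# Constructed walk-survey rows:
# (bssid, ssid, encryption, survey_point, on_property, rssi_dbm)
SURVEY = [
    ("00:11:22:33:44:01", "CASINO-FLOOR", "WPA2-Enterprise", "slot-floor", True, -48),
    ("00:11:22:33:44:01", "CASINO-FLOOR", "WPA2-Enterprise", "parking-lot", False, -68),
    ("00:11:22:33:44:02", "CASINO-BACKOFFICE", "WEP", "cage", True, -55),
    ("66:77:88:99:AA:01", "linksys", "OPEN", "slot-floor", True, -60),
    ("00:11:22:33:44:02", "CASINO-BACKOFFICE", "WEP", "street", False, -88),
]

def audit(survey, authorized):
    """Return sorted, de-duplicated (kind, bssid, detail) findings."""
    findings = set()
    for bssid, ssid, enc, point, on_property, rssi in survey:
        known = authorized.get(bssid)
        # 1. Access points that are not in the approved inventory.
        if known is None:
            findings.add(("unauthorized-ap", bssid, ssid))
        # 2. Encryption level: breakable modes, or drift from the inventory.
        if enc in WEAK:
            findings.add(("weak-encryption", bssid, enc))
        elif known is not None and enc != known[1]:
            findings.add(("encryption-drift", bssid, f"{enc} != {known[1]}"))
        # 3. Bleed: an approved AP still usable at an off-property survey point.
        if known is not None and not on_property and rssi >= BLEED_DBM:
            findings.add(("signal-bleed", bssid, f"{point} at {rssi} dBm"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, bssid, detail in audit(SURVEY, AUTHORIZED):
        print(f"{kind:16} {bssid}  {detail}")
```

Each AP appears once per finding type even when it was heard at several survey points, so the output can be compared directly between scheduled audits.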
This isn’t meant to scare you away from networks. They are an irreplaceable, invaluable part of doing business today, and should be used to their full potential. But they must be used as securely as possible, and you should consider regularly scheduled security a part of your normal course of business.