From the lab: Ensure your system security is up to par with a comprehensive assessment
What kind of lock do you have on your front door – a chain? A deadbolt? Maybe both? The point is you know what kind of lock you have, and the reason you know is because your home’s security is important to you. You want (and need) to know who is coming and going, when they come and go, and what they are doing once they come in.
Now that you’re thinking about security, what kind of firewall or firewalls do you have running on your casino system? What about the system software? What about your CMS configuration? When was the last time they were all updated and tested? And when was the last time you revisited your internal control procedures?
These questions are not being raised to make you feel foolish; rather, they are being asked to help you question what you don’t know about your casino’s level of security. Sure, everything seems to be running fine, but what is going on under the surface, mixed in with the 0s and 1s that are your system’s computer code?
At GLI, we test and certify about 80,000 products every year for more than 450 jurisdictions around the world. That means when the devices and systems leave our lab with a Gaming Labs Certified™ mark, you, we, the supplier and the regulator all know the products are functioning as they should. But if your security is compromised at the property level, even the best tested and certified game or system can be vulnerable. Knowing what you don’t know is the first step in fixing what you don’t know might be broken.
To help, we recommend you have your test lab conduct a system security assessment to help you know that your casino’s deadbolts and chains are working as they should, and to receive recommendations on what to do to prepare for the future.
Before we get into the details of what might help you, let’s determine why this type of assessment is the role of your testing lab.
First, a lab is composed of technical experts. For example, at GLI, we have more than 500 employees, about 400 of whom are well-educated and highly skilled engineers. Next, they are intimately familiar with the devices and systems on your floor because they have tested them from the inside out. Additionally, they are intimately familiar with the networks that run your operation, and with the flaws that could compromise your system. Finally, a lab is an independent third party with no stake in the outcome of your security assessment. It’s highly unlikely, but the fact is, your internal IT department could be colluding with other departments, so to have them test your system would defeat the purpose. The only way to achieve complete independence is to use a third party for your system security testing.
Now that we’ve established that you need a security assessment and that an independent testing lab is in the best position to conduct it, let’s look at areas you may want to consider assessing, and let’s start with a system assessment.
Historically, a test lab would be called on to assist regulators with system verification, where lab staff would perform a software verification of the system files to validate the software is certified. A security assessment would include communications testing between some of the games and the system.
An assessment should also include network security, where your network is tested to ensure the information on the network is safe from outside influence and dissemination. Much of the information in a casino network is sensitive to various degrees. Unsecured networks and policies can, for example, allow outside parties to view all of your players’ gaming habits. When you assess your network security, the assessment team will scan and enumerate potential immediate vulnerabilities and avenues of attack that could be used to infiltrate the network. Additionally, information that is improperly stored should be identified, and you should be advised of any issues and of possible ways to mitigate or repair each vulnerability.
The next part of your assessment should include system configuration. In this phase, your assessment team should review each casino management system application and compare the configurations and user access parameters with your operational practices and internal controls. This assessment would help improve management practices and controls by eliminating the possibility of in-house theft.
No one likes to think about it, but in-house theft does happen, and some of the most common areas of in-house fraud are a result of poor management practices that expose vulnerabilities with Global Cash, Ticket Validation, Progressive Systems, Table Game Systems and Bonusing/Promotion Systems. In most cases, only the local IT personnel and vendors have any interaction with the back end of these types of systems. This is precisely why a third-party, independent assessment is recommended.
At the conclusion of the assessment process, you should be provided with a detailed report of the findings. Preferably, the report will include the methodology used, the outcome and any additional recommendations for further enhancements. Most importantly, at the end of the process, you should be able to identify and feel comfortable with the deadbolt and chain you have on your casino system’s front door.
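The configuration review described above compares each account's access with the internal controls. The sketch below is an added example, not GLI's tooling: it checks a user-access export against a controls matrix and a set of segregation-of-duties rules. The role names, grant names, rules and CSV layout are all hypothetical, and the export is constructed sample data.

```python
import csv, io
from collections import defaultdict

# Hypothetical internal-controls matrix: job role -> permitted "system:action" grants.
ALLOWED = {
    "cage_cashier": {"ticket_validation:redeem"},
    "cage_supervisor": {"ticket_validation:redeem", "ticket_validation:void"},
    "marketing_analyst": {"bonusing:create_promo"},
    "marketing_manager": {"bonusing:approve_promo"},
}
# Hypothetical segregation-of-duties rules: no single account may hold both grants.
CONFLICTS = [
    ("bonusing:create_promo", "bonusing:approve_promo"),
    ("ticket_validation:redeem", "progressive:edit_jackpot"),
]
# Constructed sample of a user-access export (user, role, system, action).
SAMPLE_EXPORT = """user,role,system,action
alice,cage_cashier,ticket_validation,redeem
bob,marketing_analyst,bonusing,create_promo
bob,marketing_analyst,bonusing,approve_promo
carol,cage_supervisor,ticket_validation,void
dave,it_admin,progressive,edit_jackpot
dave,it_admin,ticket_validation,redeem
"""

def review_access(export_text):
    """Return sorted (user, finding, detail) tuples for grants that break the matrix."""
    grants, roles = defaultdict(set), {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().lower()
        roles[user] = row["role"].strip()
        grants[user].add(f'{row["system"].strip()}:{row["action"].strip()}')
    findings = []
    for user, held in grants.items():
        role = roles[user]
        if role not in ALLOWED:
            # A role the controls never defined cannot be judged grant by grant.
            findings.append((user, "role_not_in_controls", role))
        else:
            for grant in sorted(held - ALLOWED[role]):
                findings.append((user, "excess_grant", grant))
        for a, b in CONFLICTS:
            if a in held and b in held:
                findings.append((user, "sod_conflict", f"{a} + {b}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```

Accounts whose role is missing from the matrix are reported rather than skipped, because back-end accounts held by IT staff and vendors are the ones the documented controls most often fail to cover.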
There is a lot at stake, and hackers are working right now to find your weaknesses. We recommend you find out your vulnerabilities sooner rather than later.