


Cybersecurity: fail to prepare…

By – 14 May 2024

The gaming industry, like many other industries, is dealing with increased pressure on legal advisors to provide guidance in this increasingly complex regulatory and risk environment. Scott Melnick, Principal Security Research & Development at Bulletproof, a GLI company, shares his expertise on IT measures casinos should be implementing to try to prevent cyberattacks and how to handle the fallout should one occur.

Are cyber breaches now inevitable? And why is this the current situation?

Yes. The Identity Theft Resource Center (ITRC) reports that incidents of identity theft rose by 78 per cent from 2022 to 2023 and it shows no signs of stopping. This was partly because of the shift in business practices and the emergence of large new markets during the pandemic, such as work-from-home, online gaming, delivery service, and more. 

Who are the entities trying to breach the digital defences of casinos? What are their motivations?

At this moment, mostly Ransomware as a Service (RaaS) groups, which operate independently and sell/broker their services to attackers who have already gained access, or even insider threats, where an employee inside the organisation can provide access to the RaaS.

Their motivation is mostly financial but can also be related to disgruntled employees. In 2020 a Tesla employee was offered $1m to implant ransomware.

What are the methods by which bad actors are attempting/and succeeding to penetrate the casinos?

There are a few methods today that I’ve seen clients get breached with. One is a lack of security patches and misconfigurations that are letting attackers access the casino networks via VPN/firewall, on-premises servers, or an employee’s system.

However, the current trend is social engineering, which comes as phishing, where the attacker sends a vulnerability/link via email that can be targeted at a specific individual (spear phishing) or sent to as many people as possible within the organisation.

Social engineering techniques via phone to get access from users or help desk employees are also on the rise as we saw with the MGM breach. This is more effective because organisations can spend millions on cybersecurity, but it can be toppled by one employee.

What kind of damage can such breaches cause?

A breach will cause business damage on multiple levels. Not only is there the ransomware payment of hundreds of thousands to millions, but financial loss can also come from the casino floor, hotel and online gaming being offline for weeks. Depending on the type of breach, and if customer data was possibly stolen, it can not only damage your brand and customer loyalty but bring years of lawsuits against the property.

Why are casino defences insufficient to ward off such attacks?

The defences and problems are no different than those of any other major corporation or government agency. Most corporations, as well as casinos, like to do the minimum required to get by, and while it’s still a good standard, it does not cover enough. This is because the landscape of attacks moves faster than local regulations. Businesses want to be first to market and optimise profits quickly at the risk of security and their application stability. They are gambling.

Another challenge is the financial pressure and the attempt to operate with minimal resources, which can make cybersecurity less of a priority and lead to bigger financial problems later on.

What are the IT measures casinos should instigate to try to prevent such attacks?

There are many things to mention, but casinos need to follow a multi-level security approach. 

  • Security needs to be layered in these times. You can’t rely on just firewalls and your perimeter security anymore. You need to add more security features like multi-factor authentication, endpoint protection, email protection, data encryption, and hire a third-party security operations centre.
  • Frequent cybersecurity tests by third parties. IT departments should be doing this themselves, always and constantly, but due to bias, third-party checks are a must and a standard best practice. In some cases, it’s required. Also, social engineering testing should be done by the same testing company or an internal security team that will constantly keep employees on their toes and measure your education success rate.
  • Company culture, training, and funding. Employees are vulnerable to social engineering if the C-level and upper management have a poor culture. There should be clear policies and approval from leadership that there will be no repercussions for following procedure, and employees should feel comfortable saying no. This includes C-level executives who want to be exempt from corporate policy such as multi-factor authentication, passwords, etc.
  • Phishing and vishing training for all employees should be a normal practice. Lastly, fund your IT department and keep them satisfied and rewarded, and give them the training and tools they require to protect the business easily.

What are the best practices once the inevitable happens – how should the fallout be handled?

That’s a great question. Disaster planning and budget are as essential as your defences. How you deal with a breach can affect the cost from thousands to millions of dollars.

Have a plan for how to respond to an incident, assign roles, and follow it as closely as possible. Don’t panic. It will only worsen the situation. I used to have contact numbers in my wallet in case I couldn’t access them from my phone due to outages. That’s old-fashioned.  

  • Contain the breach. There are different ways to do this depending on how the casino is run, but generally I always recommend disconnecting the network and keeping the machines on if you can. This will help the investigation. But if you are not sure, you can always switch off all of it until you can get more help.
  • Contact the authorities. Depending on the type of breach, there are some organisations whose contact information you should have in your incident response document, such as your local FBI office.
  • Have some cyber security companies ready to call that can come in to help anytime to assist with recovery and further monitoring for additional threats.
  • Communicate openly and honestly with your legal staff, C-level, and stakeholders and eventually your customers.
  • Update and review your processes internally on a regular basis and hire a third-party governance auditor to review, suggest changes, and test your recovery methods.
  • Research cyber security insurance, how it can help you and what is suitable for you.
  • Hire a PR management firm if the fallout is going to be major because of its nature.

Can technology be used to mitigate the potential harms to reputation, to legal consequences and loss of reputation?

Indeed. Many of these services are designed for your customers, who can use them to check and protect their personal and financial information. There is also Online Reputation Management software that can track, control, and improve the online reputation and public image on the internet. 

How do the new SEC Cybersecurity Governance rules add to the pressures and measures that casinos must incorporate?

The new SEC Cybersecurity rules apply to public companies. They focus on protecting public investors and provide assurance of a cybersecurity program and reporting of material breaches. But a cybersecurity program and compliance don’t equal security.

However, it can be a double-edged sword. When a public company suffers a breach that is ‘material’ they have four days to publicly report it. Ransomware gangs know this, and material in this context means information that a reasonable investor would consider important in making an investment decision. 

It’s not solely about customer data or data that has not gone public. This creates two new opportunities for attackers: extortion.

1. “If you don’t pay, we will file a complaint with the SEC in case you forgot.” 

In 2023, the ransomware group known as ALPHV/BlackCat filed a complaint with the SEC against their victim MeridianLink for failing to publicly disclose the breach within the four days required.

2. “Pay us just under the radar of what might be considered a material breach, and we just go away and no one will ever have to know.”

The second method still violates the SEC rules if any personal data was stolen, but it offers temptation for the victim to save the embarrassment by illegally hiding it or not publishing the amount paid. RaaS is a business, and usually if they don’t hold to their word then no one will ever pay them in the future. It’s an understood collective amongst thieves.

We saw several high-profile casino breaches in 2023 – are we going to see more or less in 2024? 

The trend of gaming industry attacks is difficult to anticipate, but cyberattacks will grow across the board in 2024. We are still undergoing a digital transition of doing business, and new technologies like AI will aid the attackers.

Some groups will target the entertainment industry because of their recent wins, and some will change. Targets are typically the easy ones. The harder it is to breach, the more likely they will look for a simpler target.
