Don't Fall Prey to a False Sense of Security
According to Hospitality Technology’s 2018 Lodging Technology Study, guest demands for secure, high bandwidth internet are increasing daily. Innovative hotels are taking note with 45% making enhancements to guest WiFi in 2018 and 58% planning to add or upgrade smart TVs/streaming capabilities. Plus, 18% of hotels say they are planning upgrades or changes in IoT, which is double from the 2017 study when only 9% of hotels were planning rollouts and upgrades. While this implementation of new technology to improve the guest experience is exciting, there is reason for concern. According to the study, less than a quarter (22%) of IT budgets are spent on network technologies, which could have a direct impact on the security of the network. In this day and age of data breaches and cyber-attacks, network security should be of the utmost importance to hoteliers.
According to John Bell, principal consultant, Ajontech LLC (http://ajontech.com), smaller hotel companies — those with 30 or fewer properties — often have problems with the basics of securing their networks. One such issue is network separation.
“I’ve been at properties where they don’t understand the concept of separating back-office from guest network,” he says.
Given the fact that free WiFi access has become standard in hospitality, the public internet or guest network must be isolated from the internal network where hotels process sensitive customer data, agrees 128 Technology (www.128technology.com). To keep guest WiFi access separate, hotels have traditionally used VLANs (virtual local area networks). This model is becoming less effective as data breaches continue to occur since there isn’t any mechanism in VLAN to stop an attacker from crossing the segments. Newer technologies claim to segment the network based on tenants, services and applications within the enterprise.
Even if a hotel has taken the time to separate its networks, all too often they haven’t prevented someone from accidentally bridging the networks — which makes it all too convenient for malicious actors to gain access to the hotel’s most sensitive data, Bell adds.
Forgetting to configure routers with “real passwords” is another common mistake that many smaller hotels make. Without secure passwords, anyone in the hotel can access the router and then take over the entire network, Bell explains.
Unfortunately, many hoteliers gloss over the importance of these basic security measures because they think they need much more high tech solutions, he adds. Bell asserts that for some hotels, strategies like two-factor authentication and other important complex solutions is like putting a very strong lock on the front door while leaving the back door completely open.
“First worry about the basics,” Bell asserts.
IoT Ahead: Proceed with Caution
IoT devices offer many valuable use cases such as online door locks, building management systems, wayfinding, smart thermostats, voice command technologies and more. These same devices — without significant vetting and security procedures — represent a significant risk to the hospitality industry and network security, says Patrick Dunphy, CIO, HTNG (www.htng.org).
“It’s important to understand the needs of these systems, segment them from other core applications, and prevent potentially unfettered internet access for systems that do not require it,” he notes.
SageNet (www.sagenet.com) describes IoT devices as the “biggest risk on the horizon for hospitality,” expecting to see large data breaches using the IoT environment as the initial vector of attack starting very soon. Why is that? Many IoT devices are running Linux, Windows or Android operating systems that are not being patched or maintained properly. That leaves them open to the same types of vulnerabilities that a desktop computer or a server is exposed to without security patches.
In addition to vetting vendors to ensure that IoT devices are trustworthy, hotels also need to place devices on their own separate network that has no connection to the hotel’s internal network where it processes sensitive information such as credit card data or guest information, states Trustwave (www.trustwave.com). Refusing or forgetting to segregate IoT devices creates an easy way for cyber criminals to access a hotel’s most valuable assets.
When implementing Hotel Internet Services’ (www.hotelwifi.com) BeyondTV platform and integrating it with Amazon Alexa, Orchard Hotels of San Francisco (www.theorchardhotel.com) was concerned with security. BeyondTV allows hotel guests to cast content from their phone onto their in-room TV using password protected internet access on the hotel’s public WiFi network. At the hotel, BeyondTV is also integrated with Amazon Alexa which allows guests to interact with the TV using voice commands: changing channels, surfing the web in addition to using Alexa to order room service and ask about the weather, among other things.
To ensure the security of its guests and of the hotel, Orchard Hotels made sure this new technology would reside on its own network.
“We have a private internal network for administrative use including reservations and finance,” says Pablo Barruti, general manager for Orchard Hotels. “Then we have another network, a public one for the guests to access. By having BeyondTV, Amazon Alexa and public WiFi on a separate network, we ensure that there is absolutely no connection to the hotel or guests’ information/data. It’s very secure.”
Additionally, when a guest checks out, the link between the BeyondTV platform and the WiFi connection is cut and the system deletes all information associated with connection as if it never occurred in the first place. Guests also have the option to manually terminate the connection early if they want.
IoT devices that don’t reside on separate networks can be hacked to the point where firmware is changed so that the device does what the cybercriminal wants it to do, not what it was created to do. For example, an antennae could be configured to extract data and send it back to the hacker even though it was never meant to do that in the first place.
In addition to putting IoT devices on the property’s network, hoteliers can implement advanced network virtual technologies such as IoT Containment to minimize threat and create an isolated environment to protect against threats, according to Alcatel-Lucent Enterprises (ALE; www.al-enterprise.com). Within a contained environment, security rules can be fine-tuned and enforced to protect as another layer against attacks and can help prevent security breaches from spreading.
“Hoteliers need to insist on a peer-reviewed and standards-based approach to communications that build on well-known, vetted and secure technologies and avoid proprietary solutions that have not been evaluated by the security community,” Dunphy says.
Weak Link? Ill-trained Staff
While seemingly rudimentary, scam phone calls asking staff members to click on a link or go to a specific website to perform an upgrade remain very effective. One reason for this is that hospitality tends to have high turnover rates. Therefore, awareness training is minimal — if given at all — and SageNet cautions that this makes it hard for the staff member to differentiate between real and scam requests.
Hotels can take steps to prevent these forms of unauthorized access to the network with education and live tests of associates. Testing staff members in this way will help hotels to gauge how well awareness training is working and also can help determine what data could actually be exposed through physical access to back office environments. Additionally, servers and other back-office computer equipment can be “hardened” so that if a criminal does gain access to the room — he is unable to access the data. For example, SageNet recommends server hardening, full disk encryption, network port restrictions, logging and monitoring, and custom alert mechanisms; they can all be used to identify and prevent potentially malicious or anomalous behavior.
The overwhelming adoption of bring your own device (BYOD) to navigate and improve the hotel experience exposes a network to cyberattacks since they open additional entry points for attacks or breaches, ALE notes.
Guests themselves commonly complain that they feel hospitality network security is lagging as they use mobile devices to make reservations, check in, purchase items, etc. Ciena (www.ciena.com) recommends that for hotels that encourage BYOD, a comprehensive, multi-layer security strategy that focuses on ensuring the confidentiality, integrity and availability of data on the network becomes a necessity.
ALE agrees, pointing out that a hotel needs to be mindful that it ensures protection at the device level, where “fingerprinting” secures devices individually and enables appropriate access; at the application level where deep packet inspection technology provides visibility and control of applications to limit issues; and at the network level where protecting the integrity of network infrastructure hardware is a last line of defense.
Another way to protect hotel guests using their own devices is to create a private, per-reservation network for each guest as they log into the network. Their connected devices are part of this private network, allowing them to securely use all of the same sharing services they would in their homes. Plus, the private network is accessible to the guest throughout the entire property without forcing them to connect to a new or different network as they roam.
Similarly, some guests’ devices harbor malicious viruses, intentionally or not. For example, some guests are unknowingly part of a botnet and their computers might begin spamming or attacking others behind the scenes using the hotel’s guest network. Other guests might be using the hotel network to perform illegal downloads, which can result in the hotel’s internet being blacklisted and even shut off. Blocking questionable activity occurring on guest computers, smartphones or tablets becomes a protection for both the hotel and all of its guests.