09/07/2015

Six Security Hang-ups: Beware the Black Holes

How secure are you about your security? According to the past three Trustwave Global Security Reports, the hospitality industry is one of the top three most compromised industries. And Privacyrights.org reports a 50 percent increase in hospitality breach disclosures in 2014.
 
In its work with hospitality organizations globally, Trustwave has seen many black holes when it comes to security. In some cases, businesses implement a standard set of security controls but have not taken them to the next level. In other cases, employees have access to data that they don't really need to do their jobs, yet no one at the top of the chain realizes it. Below are the top security pitfalls among hospitality businesses as identified by Trustwave:
 
  1. Insufficient malware protection—Too often in the hospitality industry, there is evidence of malware entering networks through the Web or email, even if the organization has basic anti-virus protections in place. That’s mainly because today’s attackers are continuously advancing their attacks – using sophisticated malware designed to evade anti-virus detection.
  2. Employees have too much access—Employees constantly test their boundaries regarding how much data they can access. More than 90 percent of the security events across hospitality organizations involve unauthorized employee access. This could lead to valuable data loss and possibly a malicious insider attack. Many businesses have neither controls to prevent the use of shared accounts nor password vaulting systems to restrict the use of administrator credentials. They also lack comprehensive auditing capabilities, meaning they cannot track who made changes in their networks and when, or who accessed what data and when.
  3. Lack of BYOD security—Many hospitality businesses do not have a program in place to identify rogue wireless devices on the network. This means an attacker with physical access can easily plug in. They also rarely perform wireless security testing to identify security weaknesses within their BYOD program. For hotels specifically, many guest wireless networks have little security, leaving the potential for guests to attack each other through traffic interception (such as man-in-the-middle attacks).
  4. Outdated security controls—Many hospitality organizations have point security controls such as firewalls; however, they fail to keep those controls updated and patched. On average, it takes organizations at least seven days to approve security patches – a timeframe that is too long. Some organizations lag in replacing outdated devices and run outdated signatures, making their security functionalities useless.
  5. Unsecure applications and databases—On a positive note, many hospitality organizations perform penetration testing and scanning of key, public-facing applications. Those services are essential because they help businesses identify and remediate security weaknesses within applications before criminals find them. However, database security often gets pushed aside, leaving the business’s back door open to an attack. Many businesses are also rolling out new, internal guest-facing applications, which tend to lack security because it is generally treated as an afterthought.
  6. Customer approval supersedes security: In the hospitality industry, customer satisfaction is the top priority. But to achieve perfect customer service, employees often overlook best security practices, creating more opportunities for social engineering attacks. For example, a hotel guest (who is really a criminal) may approach a front desk employee and ask him to print a document that’s on a USB stick. Aiming to please the customer, the employee plugs in the USB stick without realizing it contains malware.
 
Security weaknesses are fixable as long as businesses make security a top-of-mind issue for everyone – employees and C-level executives. Organizations should deploy security controls designed to detect and block advanced malware attacks, network access controls to restrict who can access their sensitive data, and data loss prevention so that valuable data cannot leave their network.
 
They should also make sure they have enough manpower and expertise to monitor, update and manage their security controls so that they can not only proactively prevent breaches but also identify and defend against any intrusions in real time. The faster an organization detects a breach, the quicker it can contain it and minimize the damage.