Matt Kelley

InfoSec From the Beginning – for Executives

Information security (a.k.a. InfoSec) can be an intimidating subject, especially for those from non-technical backgrounds. Gaming and hospitality executives and management can be, from my perspective, extremely busy and burdened with the day-to-day operations of their organizations, leaving little time to consider and appreciate new concerns facing the industry that do not have immediate bottom line impact. I am not telling you anything that you do not experience every day. However, information security is one of those new concerns that needs your attention.

There is a saying in the industry that “there are two types of businesses: those that have been hacked and know it, and those that don’t know it yet.” This is obviously not true, but it has always been used to draw attention to the potential impact of security breaches.


If you found out now, today, that you had been breached, what would you do? Would you feel a bottom-line effect from customers via attraction or retention? What would the follow-on impacts be?

This fall, I was able to attend TribalNet in Phoenix. There I talked to a few people who were starting from absolute zero, asking, “What do we do if we have nothing right now?” I was shocked, in the year 2017, that there are significant businesses that do not have security programs in place. Upon reconsideration though, it should not have been a surprise. SMBs have been underserved in the information security realm, and Tribal organizations even more so.

A quick note here regarding TribalNet. The show this fall was my first opportunity to attend this event, and I was impressed. Mike Day and the entire board did an amazing job of providing an educational track on information security for those who have found it difficult to approach, or make progress in. As a part of the InfoSec industry/community, I hope that they will continue to provide these opportunities.

Reflecting upon my own path and research, InfoSec can be intimidating and unapproachable. These problems are exacerbated without trained or dedicated staff to throw at it, which is very likely the case in Tribal and smaller facilities, as well as what is likely a significant number of small-to-medium enterprises in the nation.

There are some worrisome figures that will accentuate this point:

  • The Small Business Administration defines an SMB as a business with fewer than 500 employees. These entities make up 29.6 million organizations, or 99.9% of all U.S. businesses, and employ 47.8% of all U.S. workers. [1]
  • According to industry group ISACA, via Forbes, the cyber security profession will be short two million workers by 2019. [2]
  • CNBC cites a Keeper Security and Ponemon Institute report based on an April 2017 survey of 2,000 small businesses. Of those, approximately half have been breached. [3]

To further relate these statistics to the Gaming & Leisure audience:

  • There are more than 980 gaming facilities in the United States, with 733,930 employees. [4]
  • The U.S. has 53,554 hotel properties with 16,018,000 employees. [5]

Combined, the average gaming and hospitality facility employs just 308 people, landing this industry directly in the small business space.

In your own organization, how many employees do you have? How many IT staff? If you have outsourced IT operations, does your vendor know your priorities and expectations? From my own experience, hospitality companies run on lean margins. Without readily available budget, how do those organizations address information security in a meaningful way?

Taking another step back to my previous article on governance, risk management and compliance (GRC), where do non-InfoSec people start? If my audience here, in Gaming & Leisure, is executives and management-level staff, where do you begin if you do not have a formal security program in place right now? How do I, as an author and contributor, convey these important ideas and truths without overwhelming the conversation with technical jargon?

Here are seven steps that I believe will help any gaming or hospitality organization that has an immature, or nonexistent, InfoSec program. When I formulate these opinions, I keep in mind the principle of “First, do no harm.” While commonly and mistakenly attributed to the Hippocratic oath and the medical profession, it remains valid for information security professionals. My goal is to provide insight for improving your organization and what you already have in place, not to suggest that a complete rebuild is necessary. Find the activities that will work for you and incorporate them into your overall business plan.

First, Admit That You Have a Problem

You are a target. You are vulnerable. You are a target because you are available to the Internet. You are a target because you are there. There are bad actors out there who are running scans right now. If you are seen, you are a target. What is worse is that if you are seen to be readily exploitable, you will be attacked. It is not a matter of if, it is a matter of when.

You need go no further than the news of the day to know that gaming and hospitality are NOT immune. Trump casinos have been breached, directly or indirectly, three times in a two-year period. [6] A major hospitality vendor, Sabre Corp., suffered a security breach that involved a system used by 32,000 hotel properties, an event which rattled the industry. [7]

Additionally, an unnamed casino property was breached via a fish tank connected to the Internet. [8] That property lost 10GB of data through a fish tank. If you aren’t aware of what is exposed to the greater Internet, you simply do not have the knowledge that you need to properly protect yourself.

You, as an individual executive, are a target. Who has access to critical business data? Who has signatory authority on purchases and agreements? Of all the individuals at your organization, who might have the most significant value as a target in their personal life? Some phishing schemes target executives specifically for those reasons, along with the fact that you are also more visible and easier to gather intelligence on. Consider the professional publications that you have been mentioned in, social media, etc. Information available via the Internet can be used to profile you individually with the goal of compromise.

You are vulnerable, period. This statement is not intended to induce fatalism or helplessness! It is, in fact, the opposite. If you come to the understanding that your organization is vulnerable, there is hope that you can make your security activities a continual and sustained process.

Perfect security is as mythical as a unicorn; if such a magical creature were to be seen, it would be lost in the blink of an eye. There are always vulnerabilities to be found, but you can find them first and be aware of the dangers.

Information security, with technology changing as fast as it does, will always be a best-effort undertaking. You will never be able to tell your Tribal Council or CEO that you are completely secure. What you can do is provide assurance that the efforts you are undertaking are targeted for value and maximum effect.

Second, Your Organization Can Do Better. Find Out How

As I stated in my previous article, information security is an iterative and conversational process. Engage your people to find out where you are, where you want to be and what they need to make it happen. Be aware that this conversation may be uncomfortable for both you and them, at least initially. If you haven’t had a discussion on security before, it definitely should be uncomfortable! If you are in organizational management and your IT director or CIO has not talked to you about security before you go to them, YOU HAVE A PROBLEM. If you are an IT director or CIO and you haven’t talked to management, YOU NEED TO FIX THAT PROBLEM.

As management, please realize that improvement in information security is going to require investment and expense. Your environment may require capital expenditure. Your OpEx budget will likely need to increase to maintain these new security efforts. Most importantly, you will almost certainly need additional staff, sufficient training for the staff that you do have, or both. If either of those proves problematic, outsourcing is a valid option. Countless InfoSec consultants can assist in laying the groundwork to achieve your end goal.

Third, Information Security Initiatives Need to Come From the Top – Your Level, or Above

D.J. Vanas, president and founder of Native Discover Inc., provided the closing keynote at TribalNet 2017, and offered this quote directed at organizational executives and management: “Known values provide clarity.”

An IT and/or information security operation needs direction, or it will be rudderless. Those operations are there to support your business as best they can. Without clearly defined objectives and context, InfoSec will be shooting in the dark as to which areas of the business are critical. Executives can no more account for security concerns without communication than security staff can account for operational concerns.

Another insight from Vanas was, “navigate change sustainably.” You should strive for a way to address changes, internal and external, in a manner that you can sustain from the business perspective. Again, InfoSec is there to enable and inform your business. Share and promote the organizational values that need to be taken into account.

Fourth, the Presence of Risk is Constant. Your Attitude Toward Security Needs To Be As Well

Threats change and technology evolves. If your organization is going to be serious about its information security, it needs to maintain its efforts in that area.

Your business is unique. Only you, as an executive, can properly define what risks you are willing to accept.

Risk is such a large factor to account for that it is probably the most difficult of the areas presented here. It is a pervasive cloud that hangs over every enterprise, but especially so in IT and InfoSec.

Internal and external risks can either be directly controlled or compensated for. Your business can directly address the risks seen within, and put mitigating controls in place for external ones, such as geologic and climatic hazards.

How does your business account for vendor and supply chain risk, though? In the gaming and hospitality industry, there are only a few major solution providers. There are known issues between vendors and customers, as the G&L Roundtable highlights each year. Are your vendors keeping the security of your organization in mind, or are they just selling you widgets? If the answer is that they are just selling widgets, it is imperative that you include these, and all, vendors in your risk portfolio. Find ways to work with those vendors and mitigate the risks that they bring into your organization.

Rather than attempt to capture all of the nuances in this limited space, I will instead point you to a talk presented at GrrCon by Joel Cardella: “The Shuttle Columbia Disaster: Lessons That Were Not Learned”. [9] This presentation does an amazing job of highlighting risk, and the potential outcomes if it is not fully appreciated.

Fifth, Know Thyself

Troy Hunt, an information security professional and researcher who recently testified before Congress on data breaches, wrote a very good series of articles about that subject. [10] One of those ideas, particularly from the perspective of an organization’s executives, is very important to keep in mind – data that you hold is data that can be lost, and data that you are responsible for. As a business, decisions must be made regarding the retention of the data that is taken in. How long is it a viable and valuable resource? Does that value exceed the cost of its disclosure? Retention equals responsibility.

In my article on GRC, I referenced the Center for Internet Security (CIS) Controls. The first two controls address organizational inventory of hardware and software, respectively. Those two controls can be combined and extended to cover an inventory of the confidential data in your possession. Knowing the specific data that you have is critically important to defining what you are trying to secure.

Know your environment, your culture and your employees. If you have processes that are cumbersome and provide little value, they will be subverted. Have you had an employee bring in a home router because they wanted Internet? Have you had someone bring in their personal laptop and attach it to your network? Process subversion need not be malicious; it is often done out of ignorance. Employee awareness training that includes the greater context can be extremely beneficial.
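The hardware inventory control and the home-router scenario above, as an added example that is not from the article: a small Python script (assumed function names, constructed sample data) that reconciles observed DHCP leases against an authorized asset inventory, the way CIS Control 1 intends, and flags anything unknown for follow-up.

```python
"""Reconcile observed DHCP leases against an authorized hardware inventory.

CIS Control 1 in practice: any device on the network that is not in the
inventory is flagged for follow-up, and inventory entries that never show
up are flagged as possibly stale. Both inputs are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample: the authorized asset inventory.
# Keys are MAC addresses; values are (asset tag, description).
AUTHORIZED_ASSETS = {
    "00:11:22:33:44:01": ("WS-0101", "Front desk workstation"),
    "00:11:22:33:44:02": ("WS-0102", "Cage cashier workstation"),
    "00:11:22:33:44:03": ("PR-0201", "Surveillance room printer"),
    "00:11:22:33:44:04": ("SRV-001", "Property management server"),
}

# Constructed sample: dnsmasq-style lease lines
# (expiry_epoch  mac  ip  hostname  client_id).
DHCP_LEASES = """\
1511000000 00:11:22:33:44:01 10.10.1.21 frontdesk-01 *
1511000000 00:11:22:33:44:02 10.10.1.22 cage-02 *
1511000000 aa:bb:cc:dd:ee:01 10.10.1.57 Johns-MacBook-Pro *
1511000000 aa:bb:cc:dd:ee:02 10.10.1.58 TP-LINK_ROUTER *
1511000000 00:11:22:33:44:04 10.10.1.10 pms-srv *
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse lease lines; malformed lines are skipped so one bad line cannot stop the report."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def reconcile(leases, inventory):
    """Return (unknown_devices, unseen_asset_tags).

    unknown_devices: leases whose MAC is not in the inventory (personal laptop?
    home router? new equipment nobody recorded?) -> investigate.
    unseen_asset_tags: inventory entries with no lease -> possibly stale records.
    """
    seen = {lease.mac for lease in leases}
    unknown = [lease for lease in leases if lease.mac not in inventory]
    unseen = sorted(tag for mac, (tag, _) in inventory.items() if mac not in seen)
    return unknown, unseen


if __name__ == "__main__":
    found, missing = reconcile(parse_leases(DHCP_LEASES), AUTHORIZED_ASSETS)
    for lease in found:
        print(f"UNKNOWN DEVICE {lease.mac} {lease.ip} ({lease.hostname}) - not in inventory")
    for tag in missing:
        print(f"STALE? {tag} is in the inventory but was not seen on the network")
```

In a real deployment the lease data would come from your DHCP server or switch MAC tables, and the unknown list becomes a ticket for IT to resolve, not a reason to unplug first and ask later.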

Sixth, Engage in Realistic Planning. Pragmatism Wins in the End

If you currently have no formal security program, or the one that you have is a disaster, aim for the easy wins. In his presentation at the GrrCon security conference, “We Got It Wrong”, Wolfgang Goerlich said, “mitigate some of the things.” [11] It will be nearly impossible to mitigate all of your vulnerabilities with any speed. Goerlich also said, “make some decisions … about what we want to prioritize and where we want to act.” Find the things that are simple to resolve and fix them, especially those that are critical. With every easy win, you are taking away an attack vector from the bad actors trying to breach your environment.

In my own conversations with staff and others involved in diverse processes, I stress this idea: keep it simple and repeatable. This is especially true when beginning any InfoSec activities. Look at the base problem that you want to resolve and work from the ground up. Simplicity survives complexity, every single time.

From a strategic view, plan to be breached and address areas of need before you actually are breached. Identify a partner that will respond immediately to a security incident – without waiting for a purchase order. Assign responsibilities to those who will need to be involved in a breach response, and not just IT! What are your notification requirements to customers, your state Attorney General, your partners?

One of the most beneficial activities that you can participate in as an executive is that of a tabletop exercise using the latest industry breach as the play book. Where did the victim fail? Where are the gaps in your implementation? When does management become involved and to what extent? If you were in the same situation, would you or your IT/InfoSec staff even know where to begin?

Lucky Number Seven, There Will Always be an Information Security Deficit. Identify It and Work to Decrease It

As I stated above, there is no such thing as perfect security. There will always be a gap somewhere, between the ideal and your current state. The gap may be technical in nature, it may be staff or organizational knowledge, or it may be in your business controls. If you can find where the gap exists, it can be addressed.

You would not leave your bank account untended for years at a time, and you shouldn’t do that with your InfoSec implementation either. Compliance requirements change, technology changes and your staff capabilities change. With these, or any number of other forces, your environment and activities should be reassessed to verify that they still apply.

A word of caution to any executive who becomes involved with the InfoSec implementation at their organization: there will not be a silver bullet that fixes all of your technical debt. There are too many areas to be addressed by a single solution, no matter what snake oil salespeople tell you. Find the solutions to the problems that YOU have, not those of another organization.

Final Thoughts

When you begin your InfoSec activities, the initial goal might be to achieve compliance for a specific area. Remember, though, that compliance does not equal security. Take PCI-DSS as an example. Much of a PCI-compliant implementation consists of moving systems out of scope. Does that make you more secure? No, it makes you compliant with one regulation. All of those systems you moved out of scope still need to be assessed and addressed.

Information security will help define risk. It is up to you, business management, to determine what is accepted, mitigated or transferred. Simple, best effort activities are acceptable as long as they improve your security posture.

Neither your business nor your vendors will fix all problems overnight. Aim for a sustainable approach to improvement. Make those activities simple and repeatable so that you do not have to reinvent the wheel every time you need to make changes.

Finally, acknowledge that there are always ways to improve. There are resources readily available to train your staff and provide best practices. The difficulty, as it often appears to be, is finding resources or partners that understand that you are responsible for a business and that they are there for that purpose.

Matt Kelley, CISSP, is the IT Manager for a Tribal organization that supports Gaming and Government operations. He is also the co-founder of Korr Group, a business venture that aims to improve the Information Security of small businesses and non-profit organizations. Matt started out in the infrastructure side of technology nearly 20 years ago, and has found his calling in Information Security, specifically GRC. To stay current with Matt, he can be followed @kelley12matt or on his blog at northshoreinfosec.wordpress.com.

References

[1] The Small Business Administration defines small businesses as those with fewer than 500 employees, numbering 29.6 million individual companies, equaling 99.9% of all U.S. businesses and 47.8% of all U.S. employees.
https://www.sba.gov/sites/default/files/advocacy/United_States_1.pdf

[2] A global shortage of 2 million cyber security professionals by 2019, according to an ISACA study.
https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#47f028605163

[3] A CNBC article states that results from an April 2017 survey of 2,000 small business owners project that half of the approximately 28 million small businesses have been breached.
https://www.cnbc.com/2017/07/25/14-million-us-businesses-are-at-risk-of-a-hacker-threat.html
https://signup.keepersecurity.com/state-of-smb-cybersecurity-report/

[4] The U.S. gaming industry consisted of 510 commercial casinos and 470+ Tribal casinos in 2014, with a total of 733,930 gaming employees.
https://www.statista.com/statistics/187972/number-of-us-commercial-casinos-since-2005/
https://www.statista.com/statistics/188004/number-of-us-tribal-casinos-since-2005/
https://www.statista.com/statistics/328964/number-of-employees-of-the-gambling-industry-us/

[5] The number of U.S. hotels in 2015 totaled 53,554 properties, with the number of U.S. hotel employees at 16,018,000 per the federal Bureau of Labor Statistics in 2017.
http://www.businesstravelnews.com/Strategic-Sourcing/U-S-Hotel-Supply-Breaks-5-Million-Room-Mark

[6] Trump casino breaches.
https://krebsonsecurity.com/2017/07/trump-hotels-hit-by-3rd-card-breach-in-2-years/

[7] Sabre Corp. breach of hospitality system.
https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/

[8] Casino fish tank breach.
http://www.dailyherald.com/business/20170722/how-hackers-used-a-fish-tank-to-breach-a-casino

[9] Joel Cardella’s 2017 GrrCon presentation.
http://www.irongeek.com/i.php?page=videos/grrcon2017/mi-go10-the-shuttle-columbia-disaster-lessons-that-were-not-learned-joel-i-love-it-when-they-call-me-big-poppa-cardella

[10] Troy Hunt’s column on data ownership, regarding recent industry data breaches.
https://www.troyhunt.com/fixing-data-breaches-part-2-data-ownership-minimisation/

[11] Wolfgang Goerlich’s 2017 GrrCon presentation.
https://www.youtube.com/watch?v=OMYcaEyzxBs&feature=youtu.be