• Follow us on:

Information Security: Can’t We Talk About Something Else?

Order a reprint of this story
Close (X)

ORDER A REPRINT

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.

SEND EMAIL

July 06, 2017
Security
Ron Hardin

©2017 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.


Since we last met on these pages (“Information Security: We’re Doing It Wrong,” Hospitality Upgrade, Spring 2017), there have been four events that warrant further discussion, as much as we’d like to talk about something else:
  • 10th Annual Verizon Data Breach Investigations Report (DBIR) Released
  • InterContinental Hotels Group Issues Update on Data Breach
  • Sabre Reports Data Breach of SynXis Central Reservations Service
  • Worldwide WannaCry Ransomware Attack
 

It’s time for HITEC, and there are so many cool things to see and discuss other than information security. Entertainment solutions that work with your guests’ streaming services. High-performance wireless products that can provide a stellar online experience. Guest messaging and engagement platforms that enable actionable real-time data on your customers’ experiences before, during and after their stay. Mobile check-in. Mobile room keys. Operational applications that bring real innovation and competitive advantage to your hospitality business. Voice-activated guestrooms. Robots that deliver room service orders. Any one of these subjects is the basis for an infinitely more interesting conversation than information security. But recent events and media reports keep bringing us back to this subject. To quote Dr. Seuss: “It may not seem very important, I know, but it is, so I’m bothering telling you so.”
 
In a quarterly report, Sabre announced the “unauthorized access by a third party” of its SynXis Central Reservations service, used by more than 36,000 hotel properties. According Sabre, the scope and methods of the compromise are not yet known. Sabre stated in a follow-up press release that “the unauthorized access has been shut off and there is no evidence of continued unauthorized activity. There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.” Sabre reports that it is working with law-enforcement, notifying affected customers, and hired cybersecurity firm Mandiant to conduct a forensic investigation. While Sabre has not released further details, it is the consensus among information security experts in several published articles that compromised credentials – user login IDs and passwords – are the most likely avenue of compromise. Not surprisingly, there is already a class action liability investigation of the Sabre breach. One of the questions sure to be asked in any litigation will be whether Sabre could have made better use of technology solutions such as point-to-point encryption (P2PE) or tokenization.
 
Certainly, InterContinental Hotels Group (IHG) is a believer in the importance of P2PE. In December 2016, KrebsOnSecurity.com broke the news that IHG was investigating a potential data breach due to multiple common point-of-purchase investigations regarding fraudulent transactions on credit card accounts used legitimately at various IHG properties. It took until February 2017 for IHG to acknowledge the breach, at which time it reported that about a dozen properties were involved from September 29 to December 29, 2016. In April, IHG released data by state on the properties involved, but no summary was provided. According to Krebs, a Danish researcher named Christian Sonne analyzed the state lookup tool, and determined that slightly more than a dozen properties were involved:
 
1,175 properties across the U.S. and Puerto Rico in the following brands, Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).
 
IHG emphasized in its statements that hotels which had adopted the Secure Payment Solution (SPS), which includes P2PE, were not affected. The company further stated that hotels that adopted SPS after September 29 had no further compromise of data. I continue to advocate tokenization and P2PE as the most effective method to reduce the risk of a credit card data breach, it looks like I’m in good company.
 
It is also no surprise that the IHG breach was linked to the front desk property management system (PMS), a type of point-of-sale system (POS) in the terminology of the 2017 Verizon DBIR. In the recently released 10th edition of this landmark annual information security report, Verizon published the analytical findings on data from 65 organizations involved in breach investigations, encompassing 42,068 incidents and 1,935 breaches from 84 countries. And guess what: 
 
Of the 206 hospitality breaches analyzed, 87 percent involved POS systems, and all those breaches utilized either malware, hacking or both. Threat actors were almost all (96 percent) external players, usually criminal organizations. The truly depressing statistic is breach timelines.  Verizon quotes The Eagles on this point, from the song, Hotel California: “You can check out any time you like, but you can never leave.” On average, time-to-compromise is measured in seconds, time-to-exfiltrate – get stolen data out – is days, but times to discovery and containment are still measured in months. Detection of breaches in hospitality rarely occurs from internal security: 85 percent were detected by external fraud investigations, followed by 4 percent from law enforcement. In the IHG case, the compromise began September 29, but was not detected until mid-December, and not shut down until December 29. And the detection was made by card-issuing banks, not IHG. The Verizon DBIR further states, “The hospitality industry continues to be inhospitable, at least when it comes to POS breaches, which continue to be as ubiquitous and unsatisfying as the continental breakfast.”
 
One other major finding reported by Verizon is that ransomware attacks have doubled from the previous year, and are now the fifth most common malware category, up from 22nd in 2014. Ransomware is now categorized as a “prevalent” type of malware. On May 10, Hospitality Upgrade’s TechTalk column reported “Nine in 10 global cyber security and risk experts believe that cyber risk is systemic and that simultaneous attacks on multiple companies are likely in 2017, according to a study issued by American International Group, Inc. (AIG).” This was followed in a couple of days by the worldwide outbreak of the WannaCry/WannaCrypt ransomware attacks, which leveraged previously identified vulnerabilities in unpatched computers (including Windows XP, for which Microsoft issued an unusual post-support security patch). 
 
Now can we PLEASE talk about all the other cool stuff at HITEC?
 
Ron Hardin is an independent technology consultant. He can be reached at www.ronhardin.tech.

Sabre has sent a letter regarding the SynXis breach to clients, customers and third parties. While the language is worst-case doom and gloom, it still indicates what the company believes could be possible, even if unlikely:

“The costs of this investigation, as well as any other impacts or remediation related to this incident, may be material.

“Any physical or electronic break-in, computer viruses, cybersecurity incidents or other security breach or compromise of the information handled by us or our service providers may jeopardize the security or integrity of information in our computer systems and networks or those of our customers and cause significant interruptions in our and our customers’ operations.

“Failure to prevent or mitigate data loss or other security breaches could expose us or our customers to a risk of loss or misuse of such information, cause customers to lose confidence in our data protection measures, damage our reputation, adversely affect our operating results or result in litigation or potential liability for us.”


----------------------------------------------------------------


Key takeaways from the Verizon DBIR:

1 Patch promptly and consistently.  Everything requires maintenance, and computer software is no different. Not keeping server and workstation software updated leaves exposed vulnerabilities that the bad guys can leverage in an attack.
2 Implement better anti-malware defenses. Malware was involved in 94 percent of breaches in hospitality. 
3 Manage passwords.
Don’t use default or easy-to-guess passwords. Don’t use the same password for multiple resources. Don’t share passwords. Don’t allow passwords to go unchanged for long periods.
4 Fortify remote access, particularly to POS systems. Only allow connections from known sources, and use multi-factor authentication for access, which combines something you know (i.e., user ID and password) with something you have, like a cell phone, or something you are, like a fingerprint.
5 Train your users in security awareness.
Teach them about phishing, pretexting and other social engineering attacks.  Encourage them to report anything out of the ordinary. Verizon points out that even a change in system performance or unusual error messages could be an indicator of compromise.
6 Know what you’re dealing with.
Research the threat environment by reading the Verizon DBIR, the associated Verizon Data Breach Digests, and other security publications. The bad guys are studying you – you should be studying them, too.
www.ronhardin.tech
want to read more articles like this?

want to read more articles like this?

Sign up to recieve our weekly newsletter and monthly e-magazine and never ever miss an issue!

Subscribe

Keep up to date on all the latest industry news.