
Protecting Guest Data: What to Do about Malware



June 18, 2011
IT Security
Lynn Goodendorf, CIPP, CISSP - lynn@goodsecurityconsulting.com


As dismaying as the news has been about the frequency and types of data breaches over the last few years, the 2010 Data Breach Investigation Report by Verizon and the U.S. Secret Service shows that 85 percent of attacks were not considered highly difficult. So we can take heart that attention and effort given to fundamental security practices and processes will pay off in protecting guest data.

One of the lessons to be learned from the recent breach of email address records at Epsilon is to take action to prevent malware infections, one of the top threats to the protection of confidential data.  Malware, a shortened term for malicious software, is used by criminals to steal passwords, login credentials, Social Security numbers, credit card numbers and other types of sensitive confidential data.  The usual goal of malware is to capture data that can then be used to gain access to a targeted system, and unfortunately most anti-virus and anti-spam products are not able to stop every type of malware.

Using Epsilon as an example, employees were the targets of spear-phishing emails that linked to malware ready to be downloaded.  Epsilon system users received email messages that appeared credible, and some of those individuals clicked on a link included in those emails.

This action triggered downloads of three different kinds of malware.  The first was designed to disable antivirus software; its technical name is Win32.BlkIC.IMG.  The second was iStealer, a keylogger.  The purpose of a keylogger is to capture specific entries that have been typed, such as passwords or Social Security numbers.  Once the targeted data has been captured, it is transmitted back to the attacker, often in encrypted form so that it goes undetected by monitoring tools.  The third type of malware used in the Epsilon attack was CyberGate, a remote administration tool that gave the attackers the ability to control the system and the data it contained.

Although this may sound very technical, the most critical defense in preventing malware is to educate employees on how to handle email.

These simple guidelines are the best way to combat malware:

1 Do not open email from unknown senders; delete immediately.

2 Check attachments for anything unusual.  For instance, file.doc.doc may indicate the document is malicious.

3 Be aware that the sender shown on an email can be falsified, or what is called spoofed.  If the message asks for confidential information or does not read like a typical message from that sender, confirm it through a separate channel: telephone the sender, or start a new message to the address you already have on file.  Do not simply reply.  A reply goes wherever the message's Reply-To header points, and an attacker who spoofed the sender can set that header to an address he or she controls and then happily confirm the request.

4 Never give personal information in reply to an instant message.

5 The next practice, which is neither difficult nor expensive, is to use strong passwords.  Strong passwords continue to be an effective defense for confidential data.  A strong password is considerably longer than six characters, mixes letters, numbers and symbols, is not a dictionary word or an employee's or guest's name, and is not reused between systems.  Note the limit of this defense against malware: a keylogger captures a strong password just as easily as a weak one, so once an infection is found, every password typed on that machine should be changed, and not reusing passwords keeps one captured credential from opening other systems.  Again, similar to safety training, repetition of key messages in a security awareness program pays off.
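The two checks in guidelines 2 and 3 can be automated on incoming mail. The following Python script is an added example written for this article, not a tool from Epsilon or any vendor named here. It parses a constructed sample message (the addresses and domains in it are invented), flags attachment names with doubled or executable extensions, and flags a Reply-To header whose domain differs from the apparent sender's, which is exactly the case in which replying to "confirm" would reach the attacker instead of the real sender.

```python
"""Screen an incoming email for two warning signs: attachments with doubled or
executable extensions (file.doc.doc, invoice.pdf.exe) and a Reply-To header that
points somewhere other than the apparent sender.  Added example; the message
below is constructed for illustration."""
from __future__ import annotations

from email import message_from_string, policy
from email.utils import parseaddr

# Extensions that run code when opened; a final extension in this set is flagged
# even when the name has only one extension.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "jar", "hta"}

# Legitimate compound extensions that should not trip the double-extension check.
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def suspicious_filename(name: str) -> list[str]:
    """Return the reasons an attachment name looks suspicious (empty list if none)."""
    reasons = []
    extensions = name.lower().split(".")[1:]  # everything after the base name
    if len(extensions) >= 2 and tuple(extensions[-2:]) not in KNOWN_COMPOUND:
        reasons.append(f"double extension: .{'.'.join(extensions)}")
    if extensions and extensions[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension: .{extensions[-1]}")
    return reasons


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def screen_message(raw: str) -> list[str]:
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    sender_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else ""
    if reply_domain and reply_domain != sender_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {sender_domain}: "
            "a reply would not reach the apparent sender"
        )

    # iter_attachments() yields the non-body MIME parts, i.e. the attachments.
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        for reason in suspicious_filename(name):
            findings.append(f"attachment {name!r}: {reason}")
    return findings


# Constructed sample: a fake "invoice" mail with a spoofed-looking Reply-To and a
# disguised executable attachment.  Domains and addresses are invented.
SAMPLE_MESSAGE = """\
From: "Accounts Payable" <ap@example-hotel.com>
Reply-To: ap-confirm@example-hotel-mail.net
To: frontdesk@example-hotel.com
Subject: Updated invoice, please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached invoice and confirm today.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.doc.exe"

AAAA
--XYZ--
"""

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Run against the sample, the script reports the mismatched Reply-To domain and both problems with the attachment name. A real deployment would sit on the mail gateway and quarantine or tag such messages rather than print; the point here is that both of the article's guidelines are mechanical checks a computer can perform before a busy front-desk employee ever sees the message.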

Another way that systems are infected with malware is by installing counterfeit or unlicensed copies of software.  Counterfeit software is often sold online and may appear to be legitimate.  A strong indicator of counterfeit software is a price far below the typical retail price.  A bargain price may be tempting, but it is high risk.  In addition to the risk of malware, unlicensed software usually cannot be patched or updated, which leads to operating problems over time.  On top of that, use of unlicensed software can result in legal penalties and costs.

When making IT purchases, it is still necessary to implement anti-virus and anti-spam products that include a feature called URL filtering.  This feature blocks known malicious websites from a list that the vendor updates continuously.  Leading vendors include Norton by Symantec, Trend Micro, Kaspersky and McAfee.

One of the more challenging tasks in combating malware is to stay current with software updates and security patches for all computers.  Do not assume it is being done automatically.  Make sure that every element of a computer system is maintained, including the operating system such as Windows, applications such as the property management system, and Internet browsers such as Internet Explorer and Firefox.  Assign someone to this ongoing task and hold him or her accountable by requiring monthly status reports.

Finally, consider making an IT security training investment in your onsite hotel IT support person.  There are excellent training programs available and one of the best in the U.S. is the SANS Institute (http://www.sans.org).

All of the measures described above lay a strong foundation for protecting the confidentiality of guest data, which is an important part of the total guest experience.

Lynn Goodendorf, CIPP, CISSP, is a principal with Good Security Consulting LLC, a provider of risk-based strategies for security and privacy.  She can be contacted at lynn@goodsecurityconsulting.com.

©2011 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
