While the industry can certainly give itself a proverbial pat on the back for this achievement of making the necessary changes, albeit begrudgingly, many have known that PCI compliance was really the tip of the iceberg. The biggest concern has always been that of data security and the challenges for protecting both the guests’ and company business data.

PII vs. PCI Requirements
The industry has been conditioned to focus its attention on PCI compliance and securing credit card information, and while these efforts have helped to secure networks and led to the implementation of effective policies and procedures, the industry remains largely unfocused on the bigger issue of securing company and personally identifiable information (PII). This includes social security numbers, drivers license numbers, passport information, email addresses, cellphone numbers and other information that can subject guests and staff to potential breaches or identity theft.

While many of the PCI compliance initiatives have led to system enhancements such as data encryption and policies against the hardcopy distribution of this sensitive information, there are many areas which continue to expose guests' and company information to those who would chose to do harm.  A number of state laws require that PII be appropriately protected and that any affected individuals be notified of any reasonable suspicion of a compromise.

As with PCI, the best way to protect PII is not to have it in the first place. The problem is the hospitality industry actually targets this information with more effort than ever before. The importance to understand guests to either provide a better experience or upsell services means hoteliers are trying to gain more personal information about guests. From specific preferences to being able to identify guests by name have become the driving forces behind many marketing initiatives. Some of these areas are being targeted by criminal elements. The more information that is obtained and stored about guests, the more of a target a hotel is to those entities that have the most to gain from accessing this information. Unfortunately, most hotels and companies aren’t geared to effectively protect this information, and once the focus shifts from credit card breaches, then this will become the so-called next frontier.

The Issue of Mobile Devices
As more hotels start incorporating mobile devices into the operational aspect of properties, these devices are starting to define the way we do business. These devices offer a more efficient and engaging method of operating hotels and engaging guests, but it is more important to remember that most mobile devices are consumer grade and do not possess enhanced security features of larger workstations and laptops. As a result, organizations are at greater risk of having data compromised. What makes mobile devices an interesting target is they not only have the ability to access the key operational networks and data, but they also provide additional information such as location tracking, photos, video and audio. In many cases they contain the user's personal information including potential access to private details such as banking information and access to social media accounts.

The fact that the largest increase in device usage is occurring in the mobile arena, means that efforts to manage and control security on these devices is going to become exponentially more difficult, and to some extent may become an Achilles heel. 

In a number of cases, employees were granted access to corporate or operational networks through the use of their own devices, which has created additional security risks. The trend of bring your own device(BYOD) has created a number of additional challenges which are discussed in a later section of this article (page 24).

Favorite Techniques Used by Hackers
When evaluating techniques used by hackers one can generally separate them into the following categories:

Social Engineering
Social engineering refers to the art of manipulating people into performing actions or divulging confidential information in the absence of this information being readily available. We tend to think of hackers as people who attack networks via mediums such as the Internet. However, we never think they would be brazen enough to actually do this by talking to actual hotel employees and personnel. Hackers routinely gain information from hotel employees that provides them with a faster and more efficient way to obtain information on the hotel’s networks and systems. When you mention the word hacker, the image of a young, grunge individual comes to mind, but the truth is that hackers come from all different age groups and demographics. That means that it could also be the middle-aged businessman dressed in a jacket and tie that looks like a company executive or CEO who checks into your hotel and appears to be frustrated, to the elderly lady who is in town to visit her grandchildren. There is a fine line between helping a guest and assisting a potential hacker with an ulterior motive. The hospitality industry by its nature is service oriented to  guests, but in most cases little is done to educate staff on how to prevent compromising the integrity of data networks and the information contained therein. 

Most hackers will tell you that it is much easier to trick someone into offering up a password that allows access into a network or system than to spend a tremendous amount of time and effort hacking into the system itself.

On a recent engagement, a colleague wanted to find out more information on the guest network and simply called down to the front desk to ask for assistance.  He indicated that he had been struggling to gain access to the network and that he was a preferred VIP guest. He mentioned that the last time he stayed there they had provided him with a VIP code to get into the system and that he was wondering if they could provide him with this again. By acting very frustrated, the agent provided him with a VIP code that allowed him access to another network. While this action was great from a guest satisfaction standpoint, the actions allowed him to browse the administrative/operational network and glean a great deal of information on the system setup. Additionally, he did not have to pay for the improved service and there were no time stipulations on the length of stay. One can only presume that this password and access were hard-coded and that they could be used by the guest/hacker to gain access in the future.

Another technique used by hackers is to browse the various hotel networks using mobile devices. This can even be done by using a mobile phone while loitering in the lobby.

Pretexting
Many hackers will invent stories or scenarios to get people to divulge information or complete an action which will provide some or all of the necessary details to extract data or breach a network. The information can be used to establish credibility with other personnel and create the perception that the person is legitimate and that they have the necessary credentials to access a network or certain secure information. The details allow the hacker to impersonate coworkers, service providers or even police, which could lead to naive personnel offering up confidential information and network access.

Baiting
Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim or employee to gain access to a network or retrieve information from the employee’s computer workstation.

At HITEC 2012, hacker Josh Klein used an example where he strategically placed USB flash drives in an employee parking lot knowing that a few of the employees would pick them up, and based on their curiosity, would plug them into their workstations. Upon doing this, it would immediately install malware giving the hacker access to the workstation and in many cases the network.

Another example includes targeting an employee and sending a digital device such as an audio player under the auspices that he or she has won a drawing at a recent conference. The employee plugs in the device and unknowingly loads the malware. The malware can also load onto every computer on this network.

Quid pro quo
Under this type of attack, the hacker will contact random numbers or people at the hotel or company and claim to be a call back for a technical support request. As everyone knows, personnel always have technical support problems and even if they don’t report them if someone calls, they will usually try to engage them in a user question or some issue that they are having with their system. Eventually the hacker will hit someone with a legitimate problem and while the hacker may help to solve the problem, they will also have the user provide them with access passwords to type certain commands that allow the hacker to launch or access malware.

Phishing
There is a tendency to forget that data security attacks often compromise active email addresses which can lead to further phishing or sophisticated targeted attacks. Phishing is where the perpetrator sends an email that appears to be a legitimate email requesting that the person verify information and usually has direct links to a fraudulent website that looks or appears to be legitimate.  The form then asks the respondent to complete an informational profile complete with PIN numbers.

Tailgating
This is one that seems so easy that no one really pays much attention to it. Simply put, the hacker follows someone into a restricted area and given the social customs, authorized personnel will either hold the door open for them or ask them if they can assist. Within a hotel or company, a hacker could pose as a phone company technician and follow a network administrator into the  main data center. If questioned, the person can indicate that he received a call for service or state that he thought this was where the equipment was located. In either instance, the person’s authorization is rarely questioned.

At HITEC, Klein also highlighted tailgating. In his example he was seeking to gain entry into a restricted area through the use of an electronic RFID security key. He wired his jeans with an RFID transponder that read the RFID cards of the personnel that passed close by him. He also placed the equipment over a door frame where personnel were required to pass. In both cases Klein obtained exact duplicates of the RFID employee cards.
 
Wi-Fi Networks
There are many articles on the potential risks of guests using public Wi-Fi networks in hotels. With the tools for scanning networks being readily available on the Internet, perpetrators can simply sit in the comfort of the lobby or their hotel rooms and monitor the open networks in the hotel. Many travelers access sensitive or restricted networks via their mobile devices and are unaware that they are being monitored. Guests are used to using Wi-Fi and think that just because they can’t see the other people on the network, they are in a safe environment for logging onto bank sites and other restricted websites.

The Human Resource Issue
While most data security specialists are focused on the network and IT-related concerns, most hoteliers pay little or any attention to one of the most important departments in the fight to secure information – the HR department. From PCI compliance to policies on the use of personnel devices to access company data, most hotels and companies have limited interaction between the IT and HR departments as far the enforcement of data security is concerned. In fact, if the HR department worked closely with the IT department, a majority of data breaches could be avoided.

Policies and Procedures
Good security starts with the development and enforcement of policies and procedures. One of the key mistakes made in regards to PCI compliance and overall data security is the lack of effort and focus on effective training programs for employees. Very few organizations take the time to educate their staff on the importance of securing both their company and guests’ information.

Hotels are required to develop and implement PCI compliance policies as part of their overall efforts to become compliant and maintain compliance. However, few organizations take this to the level of modifying their overall employee handbooks and determining effective enforcement policies (including termination) for those staff members who are caught breaching set policies and procedures. Given the importance of data security specific policies need to be generated in conjunction with the IT department. By including IT in the overall process, hotels will be in a better position to effectively educate their staff on the specific requirements for ensuring the safety of data.

Some of the areas that require focus include integration of policies and procedures with the IT department. The IT department is involved with all facets of the business and it only makes sense that it be included in the day-to-day on boarding and disembarkment of employees. From setting up and managing email addresses and user access to the removal of access upon the employee’s departure, IT needs to apprise HR of any potential threats to the security of the organization’s data. How many times have you heard of sales personnel taking their Rolodex of contacts and working documents (including sample contracts) with them when they leave a company? When an employee is hired he or she is expected practice to bring contacts to the next position with the promise of securing clientele from previous business dealings. But this information belongs to the hotel or business entity where the business took place and is a violation of most policies and procedures, not to mention detrimental to the overall business, especially if the staff member is going to a competing property.
 
Security Awareness Training
While this topic is covered in greater detail under a separate article in this edition, it bears mentioning as few entities provide effective IT policies and procedures training to their staff. Employees are typically the first line of defense in the war of securing data. Specific and targeted training should be provided to all employees when they join the organization. Everything from how to open and transmit emails in a secure manner, to responsible use of the Internet should be covered and addressed in the initial training. Specific user training should also be provided for all positions where staff can be exposed to sensitive and potentially harming company and guest data. Refresher training should also be conducted on a periodic and regularly scheduled basis to ensure that employees are kept up to speed on new security information and techniques for preventing breaches as this becomes available. An example of this may be the policies and procedures for operating both personal and company-owned mobile devices. With new features and applications becoming readily available, hotels must maintain tight controls on new devices and operational capabilities.

Hotels often overlook this training as it is expensive and time consuming, takes personnel away from their regular jobs, and is particularly difficult when operating with limited staff. The other challenge is that many hotels have downsized or eliminated their IT staff, and as such, this becomes very difficult from a scheduling perspective with the IT resource becoming the so-called bottleneck for facilitating the training.

On a recent engagement, employee reactions were tested when we deliberately took pictures of the iPad® device that was located at the check-in counter right in front of the desk agent. Opening the settings icon, we quickly navigated to the IP configuration settings of the iPad and took pictures of the settings with a camera. At no time did the agent intervene, prevent or discourage usfrom doing this. While this is obviously something that we should not have been doing, the desk agent was not prepared to address the situation.

Policies and Procedures
While hotels and organizations may have comprehensive data security policies and procedures in place, often they are not enforced or they are enforced inconsistently. If these policies are not enforced, the organization is sending a message to employees that this is not that important and that employees don’t need to take it seriously. Effective documentation of policies breaches must be enforced, and in some cases, terminations should be made to ensure that the data is protected. It is especially important for organizations to have direct support from senior management in order for these policies to be effective.

While many of the policies and standards are on file, they may not appear to have been implemented operationally and this hinders HR departments from effectively holding employees accountable. Further policies should be linked to HR repercussions for known breaches of the policies and procedures. Unless this is conveyed to employees in an effective and constructive manner, it will prove difficult to enforce and are simply words on paper. 

Two of the key data security items upon which to educate employees are: the implementation of an effective password policy that is enforced across the entire operation, and addressing the potential for malicious internal users and making employees aware of enforcement measures.

Data Retention Policies and Procedures
Most organizations either do not have a specific data retention policy or simple fail to enforce it. In many cases there is a policy to retain all information if there is uncertainty of what to retain or what can be destroyed. One of the key methods for protecting PII and other sensitive information is to implement an effective data retention policy. The two areas upon which to focus attention are data destruction and data retention.

Data Destruction
An effective data destruction policy includes the secure and documented destruction of information where there is no longer an established business need for it. Essential aspects to these policies include but are not limited to:

• The establishment of an official time length for the storage of data and information, and the maintenance of a vigorous policy of controlled and recorded destruction of this data and documentation. It is important to delete data that has exceeded its required retention period.
• The destruction of all Social Security numbers (SSN), if there isn’t a legitimate business need for its retention.
• Maintain a policy of documenting the shredding or otherwise destroying of any hardcopy documentation before disposing of it.

Data Retention
While the destruction of hardcopy information and data may follow relatively straight- forward procedures, the retention of data may present a more complex operation. Policies and procedures for the effective and secure storage of information must be well thought out and controlled. The following are some suggestions for the effective retention of sensitive data:

• Truncate or encrypt all PII information that you must retain whenever possible.
• Protect all intact PII that you must retain, whether it is on a work computer or personal device.
• Use data encryption for both storage and transmission where at all possible to reduce the risks associated with storing PII.
• Restrict access to this data and allow only authorized users access to this information.
• Send passwords and restricted data securely for more information.

It is recommended that entities use the services of an official document destruction company to assist with official document shredding and destruction.  A proper data classification policy and procedure combined with an enforced data retention policy are essential.
 
Legal Considerations
Currently, a big loophole exists regarding vague contractual verbiage between entities responsible for the interaction and transmission of sensitive data. This affects not only management companies, hotel brands and other ownership relationships, but also those between hotels and third-party vendors or solution providers.

Given the relationship between an owner and a brand or management company, which basically dictates the IT systems and equipment that is deployed at their branded or managed hotels, how many of the agreements address PCI compliance and data security, and who bears the responsibility in the event of a breach? Most agreements were established many years ago and have not been updated. The incentive for updating these agreements is not there and many owners are not aware of the potential threats associated with data security as the issue was not as prevalent when the original agreements were signed. That stated, how many of the new agreements address the issue and problems. While no entity starts out disregarding compliance and security requirements, the issues are real and addressing them are costly and complex to implement.

While many organizations are aware of the deficiencies of the current brand/management contracts, they are not aware of another critical area of exposure, namely the third-party applications and solution providers. Most hotels use third-party entities for everything from applications to networks, and most of these agreements do not address these complex issues.

On a recent engagement, a company encountered a rogue network engineer who, unbeknownst to the hotel, had a dispute with the third-party networking provider. The systems engineer caused major disruptions and outages to the network that disrupted the operations and resulted in a strained relationship between the provider and the hotel. The engineer went so far as to lock everyone out of the core switches and ultimately resulted in the network needing to be re-engineered. While the situation was rectified, the potential for further disruption and compromise was extremely dangerous and highlighted how many organizations entrust their networks to third parties without prequalifying these resources. As such, they spend large amounts of money securing applications but then in essence hand the keys to the Ferrari to a teenage kid to take for a spin. What kind of contractual documents are in place from all of the entities' service providers to protect the entity from potential breaches from third-party solution providers and their subcontractors? In most cases the detail on the contracts is extremely limited and barely addresses the service-level agreements (SLAs) that are required to support the system.

IT personnel must pay closer attention to the contractual documentation of each agreement to ensure that it addresses any PCI or data security-related concerns that may arise. It is also recommended that entities ensure the contracts are reviewed from a legal perspective and the legal counsel interacts with IT personnel to ensure all of the technical requirements pertaining to the contract are met. Particular attention needs to be paid to the following types of contracts: management agreements, brand agreements, application provider agreements, IT vendor and support agreements and third-party solution provider agreements. Place emphasis to subcontractor relationships and ensure they are governed and held accountable to the same terms as the original parties to the agreement. In effect the primary contractual party is responsible for all subcontractor actions.

Breaches of Third-party Solutions Partners
Trustwave recently issued its 2012 Global Security Report which indicated that in 76 percent of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This is a significant indication of just how important it is to partner with a third-party that is truly a partner and is vigilant about maintaining data security as one of its primary focuses.  

Some data breaches may occur outside of the control of the hotel entity or company. For example, many hotels outsource their electronic marketing to third-party providers. In the past year, some of the larger electronic marketing companies have had their systems breached and sensitive guest data has been compromised. In these cases the fallout from the breaches can be significant and damaging to the goodwill and name of the hotel, brand or company. In these instances, one has to determine how secure the systems and data are with these third-party providers and what the contractual terms are between the parties in the event of a breach.

Physical Security
Physical security is an often overlooked aspect of data security. Many breaches can and are initiated from within the organization. Breaches may not be driven by the hope of financial gain but may take the form of a disgruntled employee or service provider intent on causing malicious and unrecoverable damage.
It’s hard not to address physical security concerns without addressing one of the lead stories from this past summer – namely the highly publicized breach of electronic door locking systems. While the issues are being addressed, it’s important to note the exposure of hacking these locks and its impact to the overall security for the hotel. It raises a larger issue: how access to restricted areas is monitored and controlled.

With regards to actual data security, the primary area of concern is usually focused on the main data center located at the property or at a corporate, hosted facility. For most hotels, their systems are still premised based and are located on property in the main distribution frame (MDF) of the hotel. In most cases the systems are co-located with the primary voice and video systems for the building or property. The main data center is required to be secured as part of compliance requirements, and in many cases this is facilitated via the same door locking system that is in place throughout the property. As such, when the guestroom electronic door locking system was breached by the hacker, what was not mentioned was the bigger impact of access to the data systems themselves. While the focus of the breach was on guestroom security (a valid concern – although an unlikely target from a practicality standpoint), the bigger concern may be directed to securing the data center where a perpetrator may be able to strategically gain access to the servers, or worse yet, a disgruntled employee may wreak havoc on the devices themselves.

Hotels typically label their servers with specific application names, and in many cases, IP addresses to assist personnel with managing the environment. IT may feel that this is appropriate and efficient given that there may be a change in personnel supporting the systems and a belief that these rooms are secure. However, in the wrong hands this information could prove to be detrimental to the organization. Not only can the local area network (LAN) be exposed but also the wide-area network (WAN) connected to the hotel. These include ownership, brand, management companies, solution providers and other hotels within the same network.

While smaller entities usually control access to the data center via a door lock of some kind, larger properties or corporate data centers usually secure their rooms with the use of man traps. For those not familiar with man traps, it is a way to limit physical access into the room and prevent tailgating of unauthorized personnel into the facility.

Additionally, many rooms use cameras to monitor access to the rooms and in some cases within the rooms themselves. With many third-party vendors and solution providers requiring access to the rooms, it’s important to monitor and control what is taking place in these sensitive areas.

For example, the issue of employee badges is another area of concern. Some properties are moving away from employees wearing identification badges when operating in the back of the house and other areas as they don’t like to have the guests see these badges. While they may not work from an appearance standpoint, the issue then becomes how personnel can be identified and distinguished in larger properties where staff transitions happen regularly. Access to the administrative and back-of-the-house areas should be tightly controlled and  policies implemented to ensure that this takes place.

• Vendor and other visitor badges must be reviewed regularly and controlled.
• Vendors should always be escorted on premise to sensitive locations.
• Access to critical locations should be online and electronic access keys should be strictly controlled and provided for limited timeframes. Areas should be re-keyed to maintain the integrity of the areas concerned.
• Effective vendor access policies and procedures need to be created and implemented.
• Where possible, establish time rules for vendor access and set time limits that can be enforced or monitored.
• Implement a vendor access list and release forms for personnel to clock in and out to monitor activity while onsite.

Regulatory Considerations and IT Governance
A newly developed position of IT regulation and governance is emerging in many hotel organizations. Hotels and resorts interact with guests and clientele both domesticly and internationally, and this role is extremely important to ensure that the organization is compliant for all requirements. Of particular importance from an international standpoint is the EU Data Protection Directive. This governs the transfer of personal data to third-party countries, refering to countries outside the European Union. Personal data may only be transferred to third-party countries if that country provides an adequate level of protection. Organizations may therefore need to protect the transfer of information from these countries and afford the same protection requirements to the persons that they are doing business with as they are afforded in their own countries.

While PCI compliance has been the main focus of the industry over the past few years, the issue of overall data security is going to be the focus of the future. Until recently the biggest impact has been that a guest may be inconvenienced by having to replace his or her credit cards. While this may have had a negative impact on the guest’s overall image of the hotel or resort, this hasn’t really had a major impact on their overall lives. That will potentially change if and when their personal and private information is compromised. Should this happen, it could potentially lead to identity theft and that could be life altering. With more and more companies and hotels focused on capturing guests' personal information and preferences for targeted marketing of services and products, the greater risk is that this information will be compromised and will ultimately have a major impact on both the hotels and guests. The bad guys are more sophisticated in their attacks and target victims with greater precision. The industry must be vigilant in the way it conducts business to stay ahead of the curve, as this is certain to become a scenario of when, rather than if an organization will be compromised.

Jeremy Rock is the president of RockIT Group, a technology consulting firm specializing in new development and refurbishment projects. He can be reached at jrock@rockitgroup.com.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.