Security: Protecting Corporate Networks to Avoid a Nightmare Scenario


October 01, 2012
Security
Ingrid Beierly

A ringing phone shattered the silence, startling Charlton Dorin. He’d been dreaming about scoring an eagle on Slatewood’s challenging hole nine. It was still dark as he checked the clock while managing a mumbled hello. His 22 years of hotel management experience and the fact it was just 2:15 a.m. told him it would be unwelcome news.
 

The voice on the other end said, “Chuck, this is Armando in IT. Sorry to call at this hour, but it’s urgent. We’ve been talking to our acquiring bank and we’re now able to confirm that at least eight of our franchise locations have been breached.

“And it gets worse,” Armando said. “The common factor is us. That’s to say, our corporate network. We believe that the hacker gained access to guest names and payment card data by accessing the corporate network, burrowing through the property management system (PMS) and subsequently into the systems of our franchisees’ locations.”

“Start making calls,” Dorin said. “I want your team assembled in the conference room at 6 a.m., and be prepared to give very specific information on what happened.”

The aroma of coffee permeated the conference room as the most plausible explanation unfolded. The hacker had likely exploited a security vulnerability in the corporate website and, through a relatively simple structured query language (SQL) injection attack, gained a foothold on the corporate network.

“How did this happen? Our corporate network doesn’t store payment card data,” Dorin said.

Sidestepping the CEO’s question, Armando said, “Our corporate website had a vulnerable page that allowed hackers to perpetrate a SQL injection attack. A SQL attack is a method used by criminals to exploit websites, and can be done by inserting code or commands into the browser. We suspect that’s what happened here. Once the hacker got inside our network, he was able to access the payment data in the property management system (PMS) and then jump to the franchisees’ networks, where he was able to access additional sensitive information.”

Dorin shook his head and said, “I have a feeling this nightmare is only beginning.”
============================
 
A forensic analysis over the subsequent weeks provided a detailed review of the intrusion. According to the report, the corporate website had weak security configuration settings and had not been tested for vulnerabilities. The SQL injection attacks occurred on a vulnerable Active Server Pages (ASP) page on the Web server and allowed the hacker to gain access to the corporate network’s sensitive data.
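The flaw the report describes, as an added illustration that is not code from the article, from Visa or from the hotel group: a lookup that splices a request parameter straight into its SQL text, beside the parameterised version that closes the hole. The page in the scenario was classic ASP; the example below uses Python with an in-memory SQLite database so it runs stand-alone. The table and column names, the sample rows and the payload are all assumptions constructed for illustration.

```python
"""Added example (not from the article or the hotel group's systems): a page
lookup built by string concatenation, the kind of flaw the forensic report
describes, beside the parameterised form that closes it. Runs against an
in-memory SQLite database with constructed rows; table and column names are
assumptions for illustration."""
import sqlite3

# Constructed sample data: the public site should only ever return rows
# marked "public"; the others stand in for data the site's query was
# never meant to expose.
SAMPLE_ROWS = [
    ("reservations", "public"),
    ("guest_profiles", "internal"),
    ("card_vault_export", "internal"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable: the request parameter is spliced into the SQL text, so a
    # quote in the input changes the structure of the query, not just its data.
    sql = ("SELECT name FROM pages WHERE visibility = 'public' "
           "AND name = '" + name + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Hardened: the SQL text is fixed and the value travels as a bound
    # parameter, so quotes in the input are treated as data only.
    sql = "SELECT name FROM pages WHERE visibility = 'public' AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# A classic payload: it closes the string literal and appends a condition
# that is always true, so the visibility filter no longer restricts rows.
INJECTION = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "normal_input": lookup_vulnerable(conn, "reservations"),
        "injected_vulnerable": sorted(lookup_vulnerable(conn, INJECTION)),
        "injected_safe": lookup_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable query returns every row, including the "internal" ones, because `AND` binds tighter than `OR` and the appended `'1'='1'` is true for all rows; the parameterised query returns nothing, since no page is literally named `x' OR '1'='1`. The same contrast applies whatever the server-side language: the fix is a fixed query with bound parameters, not input filtering in the browser.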

The forensic report also found that there was no segmentation of the corporate network from the property management system (PMS) network. Network segmentation is an important security practice: splitting a network into functional segments and enforcing an access control mechanism at each boundary between them. In this case, the corporate network’s flat setup meant there were no additional layers of security, allowing the hacker to move freely within the corporate network and into the PMS.

Once inside the network, the hacker was able to gain access to the domain controller, the server that authenticates users and holds their account credentials. From there the hacker obtained the administrative credentials necessary to access the PMS, where he then gained access to guest names and payment information. The hacker then jumped to eight franchise locations to gain additional sensitive information.

Because the corporate network did not contain any payment information, management had assumed that the network was out of scope for the Payment Card Industry Data Security Standard (PCI DSS). That assumption was incorrect; its connectivity to the PMS made it critical to secure and segment properly. Adequate controls at the corporate level could have limited the information the hacker was able to access or prevented the attack altogether.

============================
 
The scenario is a worst-of-all-worlds view of what could happen. The key takeaway is that even if a corporate network does not itself store, process or transmit payment card information, it must still comply with the PCI DSS if it is connected to environments that do. This story also points out common security vulnerabilities that Visa has seen in previous hospitality breaches and provides an opportunity to discuss several important steps companies can take to help mitigate data security threats.

Data Security Considerations
Ensure a Properly Segmented Network Environment
Use network segmentation to ensure the payment card processing environment is separate from public networks, including wireless networks. Separate user environments from business systems using a firewall and strict access control lists (ACLs). For example, a system used by employees to receive e-mail should be separated from a system used for transaction processing.

Apply Strong Access Controls
Configure the firewall to only allow access between systems participating in the transaction flow. Limit access to only the network ports that are necessary to perform desired business functions. Access controls should be applied to both directions of network traffic – inbound and outbound. Enable logging and exception alerting on all network devices and business systems where possible. Audit logs are valuable in the event of suspected unauthorized activity and for monitoring traffic patterns within a network. Use strong authentication procedures to access the payment processing environment.
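As an added illustration of the segmentation and access-control points above (the flat network in the forensic findings and the firewall rules recommended here), and not a configuration from the article, Visa or any vendor: a small Python model of a default-deny policy between segments, evaluated against constructed sample flows that include the moves the intruder made in the scenario. The segment addresses, ports, rules and flows are all assumptions; a real firewall would express the same intent in its own rule syntax.

```python
"""Added example (not the article's or any real firewall's configuration):
a model of a segmented, default-deny policy of the kind the article calls
for, evaluated against constructed traffic. Segment addresses, ports and
the flows themselves are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source segment (CIDR)
    dst: str      # destination segment (CIDR)
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


# Assumed segments. The documentation ranges 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 stand in for Internet-facing addresses.
DMZ_WEB = "192.0.2.0/24"        # public web server
CORP_USERS = "10.10.0.0/16"     # desktops, e-mail, office systems
ADMIN_JUMP = "10.30.0.0/24"     # hardened hosts used to administer the PMS
PMS = "10.20.0.0/24"            # property management / payment environment
ACQUIRER = "203.0.113.0/24"     # the acquiring bank's gateway

# First matching rule wins; a flow that matches nothing is denied. Only the
# systems in the transaction flow may talk, on the port the flow needs, and
# outbound is restricted as strictly as inbound.
POLICY = [
    Rule(PMS, ACQUIRER, 443, "allow"),      # authorisations to the acquirer
    Rule(ADMIN_JUMP, PMS, 443, "allow"),    # administration from jump hosts only
]


def evaluate(src_ip, dst_ip, port, policy=POLICY):
    """Return "allow" or "deny" for one flow under the policy."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and port == rule.port):
            return rule.action
    return "deny"   # default deny: the layer the flat network lacked


def audit(flows, policy=POLICY):
    """Evaluate each (src, dst, port) flow and return (verdict, log line).
    Denied flows are the exceptions a firewall should log and alert on."""
    results = []
    for src, dst, port in flows:
        verdict = evaluate(src, dst, port, policy)
        results.append((verdict, f"{verdict.upper()} {src} -> {dst}:{port}"))
    return results


# Constructed flows, including the lateral moves described in the article.
SAMPLE_FLOWS = [
    ("10.20.0.5", "203.0.113.10", 443),   # PMS -> acquirer            allow
    ("10.30.0.2", "10.20.0.5", 443),      # jump host -> PMS           allow
    ("192.0.2.10", "10.20.0.5", 445),     # web server -> PMS (SMB)    deny
    ("10.10.42.9", "10.20.0.5", 3389),    # user desktop -> PMS (RDP)  deny
    ("10.20.0.5", "198.51.100.8", 443),   # PMS -> unknown Internet    deny
]

if __name__ == "__main__":
    for _, line in audit(SAMPLE_FLOWS):
        print(line)
```

The compromised web server and an ordinary user desktop both fall to the default deny when they try to reach the PMS, which is exactly the traffic that flowed unhindered in the scenario; the outbound rule set is just as narrow, so data leaving the PMS for anywhere other than the acquirer is denied and logged as an exception.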

Protect Domain Controllers
Domain controllers are a favorite target of hackers because they hold the authentication information, such as user IDs and passwords, that grants access to resources on the network. To protect the domain controllers, ensure that the server itself is configured securely. Domain users should have only the minimum network access necessary to perform their jobs. Similarly, application accounts should have only the minimum permissions required, in line with the purpose of the application. Organizations should also conduct regular audits of domain administrator accounts and delete any that are unneeded. Additionally, it is recommended that entities implement a separate domain for the payment processing environment.
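An added illustration of the domain administrator audit recommended above, not a tool from the article or from Visa: a Python pass over a constructed export of Domain Admins membership that flags disabled accounts still in the group, accounts with no recent logon, and service accounts holding domain administrator rights. The CSV layout, the 90-day staleness threshold, the account names and the fixed audit date are all assumptions; a real run would read the export produced by the directory's own tooling.

```python
"""Added example (not the article's or Visa's tooling): an audit pass over
a constructed export of Domain Admins membership, flagging the accounts the
article says should be removed or cut back. The CSV layout, the 90-day
threshold and the fixed audit date are assumptions; the data is made up."""
import csv
import io
from datetime import datetime, timedelta

# Constructed export (assumed format): account name, enabled flag, date of
# last logon, description. Nothing here comes from a real directory.
EXPORT_CSV = """sam,enabled,last_logon,description
jsmith,true,2012-09-28,IT director
svc_pms_backup,true,2012-09-30,PMS backup service account
tmp_contractor,true,2012-03-02,Network contractor (project ended)
rjones,false,2012-07-11,Left company
admin_chuck,true,2012-09-29,CEO laptop admin
"""

NOW = datetime(2012, 10, 1)      # fixed so the check is repeatable
STALE_AFTER = timedelta(days=90)  # assumed threshold for "unused"
SERVICE_PREFIX = "svc_"           # assumed naming convention for app accounts


def audit_domain_admins(csv_text, now=NOW):
    """Return a list of (account, finding) pairs for accounts that should
    not hold domain administrator rights as they stand."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sam"]
        last = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        idle = (now - last).days
        if row["enabled"].strip().lower() != "true":
            # A disabled account in the group is still a credential to steal
            # or re-enable; membership should go with the account.
            findings.append((name, "disabled account still in Domain Admins; remove"))
        elif now - last > STALE_AFTER:
            findings.append((name, f"no logon for {idle} days; remove or justify"))
        if name.startswith(SERVICE_PREFIX):
            # Application accounts should carry only the rights the
            # application needs, never blanket domain administration.
            findings.append((name, "service account holds domain admin; "
                                   "grant only the rights the application needs"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_domain_admins(EXPORT_CSV):
        print(f"{account}: {finding}")
```

Run on the constructed export, the pass flags the backup service account, the contractor account that has not logged on since March, and the disabled account of a departed employee; the two working administrators pass. Keeping the threshold and prefix as named constants makes it easy to tighten them as the environment's conventions demand.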

Ingrid Beierly is a senior business leader for Visa Inc.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 

What to Do If Compromised
Entities that have experienced a suspected or confirmed security breach must take prompt action to help prevent additional exposure of cardholder data and ensure compliance with the PCI Data Security Standard. Visa’s guide provides information on what to do in the event of a compromise as well as additional information on the common attack vectors and vulnerabilities described elsewhere in this article.  To access the guide, visit: http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf


