Tech Talk

It’s The Fast Who Eat The Slow!


Every year Verizon releases its Data Breach Investigations Report, an in-depth analysis of the breaches and incidents it has analyzed. The report is considered the most highly anticipated cybersecurity report of the year and the 2016 edition does not disappoint, shedding new light on the evolving landscape. The information presented, if you have the time to read it (and you really should make the time!), gives you, for free, some of the key statistics and lessons learned from over 100,000 security incidents and 2,000 data breaches. This report helps professionals and newbies stay on top of the most useful insights into how it all happens.

Between the latest facts and figures on malware, phishing, vulnerability exploits, and more, there are some super nuggets in the 80-page report. However, for those who need a quick overview (and in particular one with a hospitality industry slant), we're pleased to share a few key points this week and next, to whet your appetite. And, in keeping with the speed theme of this story, let's go!

The headline for this week's recap says it's not the big that eat the small, it's the fast that eat the slow. The No. 1 takeaway is the speed at which this is happening. 

No. 1:  It happens faster than you think.
In 93 percent of data breaches Verizon analyzed, the compromise occurred in minutes or less. Breaking it down, 81.9 percent of the breaches involved a compromise that took minutes, and another 11 percent happened in seconds. Phishing, as you will read in a few moments, is up. Why? It is a quick and easy way for attackers to steal credentials, which might explain why in 81.9 percent of incidents, the initial compromise took minutes.

No. 2: Phishing is phenomenally a top factor in breaches. 
According to this year's data set, 30 percent of phishing messages were opened by the target across all campaigns; 12 percent of targets clicked on the malicious attachment or link, which is "a significant rise from last year's report in the number of folks who opened the email (23 percent)," but not much of a change in the number who clicked on the attachment (11 percent). However, speed counts and here's why: Verizon highlights that it took a recipient an average of only one minute and 40 seconds to open the email and three minutes, 45 seconds to click on the malicious attachment. That is an increase in success ratio compared to the stats from the prior year.

No. 3: The attacks are effective.
The sad thing is most marketers would kill for this open rate. The even sadder thing is it explains why phishing continues to be so popular among attackers. It's a delivery tactic that works and it works FAST! Need more proof? Weed through the report and another key stat pops out. Verizon saw confirmed data breaches rise 48 percent year-over-year to 3,141. Tied to Verizon's analysis of actual phishing incidents (9,576), the organization found 916 (almost 10 percent) resulted in a breach of data. The reason it is mentioned is simple. If there were 3,141 data breaches and 916 of the phishing incidents resulted in a breach, the quick and obvious stat is that about one-third of all breaches appear to have a relationship with a successful phishing campaign.

No. 4:  Malware morphing is a rapidly evolving threat.
Unfortunately, much of their success has to do with the tactics attackers are using, which are designed to work quickly and get the data out as fast as possible. Verizon found that typically in a phishing scenario, the dropping of malware via malicious attachments occurs within seconds. In particular, this year's report shed some light on the morphing capacity of malware. The DBIR found just how quickly hackers are modifying their malware code to avoid detection. The Verizon team combined its intelligence with data collected from other contributors, coming to the conclusion that the "life span" of malware is typically very low. In fact, the report found that “99 percent of malware hashes are only seen for 58 seconds or less,” lending credence to the critical need for constantly updated protections deployed back to the network, lest organizations risk being infected by rapidly changing malware. In plain language, a single piece of malware could be subtly altered to produce an endless stream of variants, all of which would evade traditional signature-based detection. That's bad news for companies relying solely on traditional signature-based security solutions like antivirus. In other words, with signature-based detection methodology, somebody has to get infected by a piece of malware so that it can be identified and analyzed, and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can't defend against. Signature-based defenses are simply not enough to defend against today's rapidly evolving malware threat.
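To make the short hash life span concrete from the defender's side, the sketch below is an added example (not taken from the DBIR or from this article). It compares an exact SHA-256 blocklist with a simple byte n-gram similarity check on harmless, constructed placeholder bytes; the similarity measure and its 0.7 threshold are illustrative assumptions standing in for non-signature detection in general.

```python
import hashlib

# Constructed placeholder bytes, not real malware: a text prefix plus bytes 0..255.
PREFIX = b"CONSTRUCTED-SAMPLE:"
KNOWN = PREFIX + bytes(range(256))

# "Morphed" variant: the same content with a single byte changed.
_v = bytearray(KNOWN)
_v[len(PREFIX) + 100] = 0
VARIANT = bytes(_v)

# Constructed benign input for comparison.
BENIGN = b"constructed benign text: quarterly occupancy report for the front desk"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of all overlapping n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two byte n-gram sets (0.0 to 1.0)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def classify(sample: bytes, known_samples, threshold: float = 0.7) -> str:
    """Exact hash lookup first, then similarity to any known sample."""
    blocklist = {sha256_hex(k) for k in known_samples}
    if sha256_hex(sample) in blocklist:
        return "hash-match"
    best = max((similarity(sample, k) for k in known_samples), default=0.0)
    return "similar-to-known" if best >= threshold else "no-match"


if __name__ == "__main__":
    for name, data in (("known", KNOWN), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, sha256_hex(data)[:16], classify(data, [KNOWN]))
```

The one-byte variant no longer matches the hash blocklist but is still flagged because almost all of its content is shared with the known sample, while the benign input matches neither check.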

No. 5: The bad guys get in and get out – fast.
In keeping with the theme of the FAST who eat the slow, Verizon found that in 68 percent of breaches, data exfiltration occurs within days (time to exfiltration). While it doesn't clearly state it, the increase is due to the ability of the criminals to get in and get out before detection. Of course, there’s plenty of variety in terms of what hacking techniques and kinds of malware attackers are using, and that has changed over the years. In terms of hacking techniques, the top three are the use of stolen credentials, the use of backdoors and C2, and the use of brute force attacks. Speaking of credentials, for the first time in the history of Verizon’s DBIR, the topic of credentials received its own section. There were 1,429 incidents of credential theft last year. In those instances, attackers made off with credentials via hacking and malware, and they in turn used the stolen credentials more than three quarters (77 percent) of the time. And to wrap up the circle of this post, remember, phishing is a quick and easy way for attackers to steal a victim’s credentials, which might explain why in 81.9 percent of incidents, the initial compromise took minutes.

That's one of the key messages this year: in order for phishing to work, a person needs to take an action. There are two people involved in order for the breach to happen. The first is the attacker, and the second is the insider falling for the attack ruse. The key recommended actions to reduce phishing are to provide more training, be more vigilant with email filtering, and in the worst case scenario, where both of those precautions fail, make it more difficult for attackers to pivot "by segmenting the network and implementing strong authentication between the user networks and anything of importance."

In summary, the majority of data breaches just featured good old fashioned attacks designed to take advantage of the one thing we can never seem to get right: stronger password management. In fact, 63 percent of all of the breaches in the new DBIR involved the use of stolen, weak or default credentials.

That’s a depressingly high number, given how long we’ve known that the use of usernames and passwords as primary authenticators is a bad idea. This last point should help drive adoption of the recent PCI DSS 3.2 revision related to two-factor authentication. 

In case you missed it, 3.2 will require an individual to present a minimum of two separate forms of authentication (such as a password, a smart card or a fingerprint) before access to the cardholder data environment is granted. This extra layer of authentication means that a password alone is not enough and provides additional assurance that the individual attempting to gain access is who they claim to be. Authentication weaknesses leave systems highly vulnerable. The need for multifactor authentication and the risks of not employing it are so concerning that your organization should be moving as quickly as possible to implement it, regardless of the compliance requirement.

Next week we look at the multi-vector attack analysis from the DBIR and why you should care.
To read the 2016 Data Breach Investigation Report please click here.
About The Author
Marion Roger
VP Business Development
Hospitality E Resources

Marion Roger, vice president of Hospitality E Resources (HER Consulting), is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection. With a speciality focus on electronic reservation systems, payment technology protection and data security, Marion is a regular on the speaker circuit and contributor to Hospitality Upgrade on these key topics.
