Tag Archive for: IoT

The House Always Wins? Top Cybersecurity Issues Facing the Casino and Gaming Industry

Head into a casino, and you should know what you’re getting into — even if you see some success at the beginning of the night, the house always wins. It’s a truism often repeated and rarely questioned but when it comes to cybersecurity, many casino and gaming organizations aren’t coming out ahead.

In this post, we’ll dive into what sets this industry apart, tackle the top cybersecurity issues facing casino and gaming companies, and offer a solid bet to help build better security infrastructure.

Doing the Math: Why Casinos and Gaming Businesses are at Greater Risk

Gaming and casino industry companies generate more than $53 billion in revenue each year. While this is a big number, it’s nothing compared to the U.S. banking industry, which reached an estimated $4847.9 billion in 2021. And yet at 1/100 the size of their financial counterparts, casinos now face rapidly-increasing attack volumes.

In 2017, for example, a network-connected fish tank was compromised by attackers and used as the jumping-off point for lateral network movement. In 2020, the Cache Creek Casino Resort in California shut down for three weeks after a cyberattack, and in 2021 six casinos in Oklahoma were hit by ransomware.

So what’s the difference? Why are casinos and gaming companies being targeted when there are bigger fish to fry? Put simply, it’s all about the connected experience. Where banks handle confidential personal information to deliver specific financial functions, casinos collect a broader cross-section of information including credit card and income information, social security numbers, and basic tombstone data to provide the best experience for customers on-site. As a result, there’s a greater variety of data for hackers to access if they manage to breach network perimeters.

Casinos and gaming companies also have a much larger and more diverse attack surface. Where banks perform specific financial functions and have locked down access to these network connections, casinos have a host of Intenet-connected devices designed to enhance the customer experience but may also empower attacks. IoT-enabled fish tanks are one example but gaming businesses also use technologies like always-connected light and temperature sensors, IoT-enabled slot machines, and large-scale WiFi networks to keep customers coming back.

In practice, this combination of connected experience and disparate technologies creates a situation that sees IT teams grow arithmetically while attacks grow geometrically. This creates a challenge: No matter how quickly companies scale up the number of staff on their teams, attackers are ahead.

Not only are malicious actors willing to share data about what works and what doesn’t when it comes to breaching casino cybersecurity, but they’re constantly trying new approaches and techniques to streamline attack efforts. IT teams, meanwhile, don’t have the time or resources to experiment.

The Top Four Cybersecurity Issues Facing Casino and Gaming Companies

When it comes to keeping customer and business data secure, gaming and casino companies face four big issues.

  1. IoT Connections
    While IoT devices such as connected thermostats, refrigerators, and even fish tanks are becoming commonplace, robust security remains rare. Factory firmware often contains critical vulnerabilities that aren’t easily detected or mitigated by IT staff, in turn creating security holes that are hard to see and even more difficult to eliminate.
  2. Ransomware Attacks
    Ransomware continues to plague companies; recent survey data found that 49 percent of executives and employees interviewed said their company had been the victim of ransomware attacks. This vector is especially worrisome for casinos and gaming companies given both the volume and variety of personal and financial data they collect and store. Successful encryption of data could shut companies down for days or weeks and leave them with a difficult choice: Pay up or risk massive market fallout.
  3. Exfiltration Issues
    Collected casino and gaming data is also valuable to attackers as a source of income through Dark Web sales. By quietly collecting and exfiltrating data, hackers can generate sustained profit in the background of casino operations while laying the groundwork for identity theft or credit card fraud.
  4. Compliance Concerns
    If casinos are breached, they may face compliance challenges on multiple fronts. For example, breached credit card data could lead to PCI DSS audits, and if businesses are found to be out of compliance, the results could range from substantial fines to a suspension of payment processing privileges. Compromised personal data, meanwhile, could put companies at risk of not meeting regulatory obligations under evolving privacy laws such as the California Consumer Protection Act (CCPA).

Betting on Better Security

Once attackers have access to casino networks, they’ve got options. They could encrypt data using ransomware and demand payment for release — which they may or may not provide, even if payment is made — or they could quietly exfiltrate customer data and then sell this information online. They could also simply keep quiet and conduct reconnaissance of new systems and technologies being deployed, then use this information to compromise key access points or sell it to the highest bidder.

The result? When it comes to protecting against cyberattacks, businesses are best served by stopping attacks before they happen rather than trying to pick up the pieces after the fact. For networks as complex and interconnected as those of casinos, achieving this goal demands complete visibility.

This starts with an identification of all devices across network architecture, from familiar systems such as servers and storage to staff mobile devices and IoT-connected technologies. By identifying both known and unknown devices, companies can get a picture of what their network actually looks like — rather than what they expect it to be.

RedSeal can help casinos achieve real-time visibility by creating a digital twin of existing networks, both to identify key assets and assess key risks by discovering the impact of network changes. For example, casinos could choose to run a port and protocol simulation to determine the risk of opening or closing specific ports — without actually making these changes on live networks. RedSeal can also help segregate key data storage buckets to mitigate the impact of attacks if systems are compromised.

Helping the House Win

Attackers are trying to tip the odds in their favor by compromising connected devices and leveraging unknown vulnerabilities. RedSeal can help the house come out ahead by delivering real-time visibility into casino and gaming networks that help IT teams make informed decisions and stay ahead of emerging cybersecurity challenges.

Ready to tip the odds in your favor? Start with RedSeal.

Improving Cloud Security With Segmentation And Automation

Forbes | February 12, 2021

by  Mike Lloyd

As a security professional, I tried for several years to keep IoT devices out of my house. However, my anti-IoT crusade just isn’t working anymore. Why? Because, as I’ve discovered, you really have to go to extreme measures to find non-IoT devices for your home. Whether it’s an irrigation system for your lawn, a new alarm system or even solar panels for your roof, just about every home accessory now comes with a prominent IoT footprint.

Security Think Tank: The year of the work-from-home hangover

Computer Weekly | 4 January 2021

After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?

Why Aren’t Smart Devices Safer?

Forbes | March 6, 2020

We live in a world of rapid technological change. Consumers have adopted smart home devices at amazing (some might say alarming) speeds. Businesses have rushed to the cloud, to digitalization and to the latest artificial intelligence approaches. Each of these changes is driven by big benefits but also comes with a great deal of risk.

The smart tech threat to CEOs

TechRadar | November 7, 2019

The cybersecurity industry talks a lot about the importance of “board-level buy-in” for projects and a security-by-design culture led from the “top down”. What does that actually mean? It means CEOs and senior managers who “get” security: leaders who know that security done right can be a competitive differentiator and growth driver, not a block on innovation.

The reality is that most still do not.

What Do You Do When You Can’t Patch Your IoT Endpoints?

Dark Reading | October 29, 2019

Question: What do you do when you can’t patch your IoT endpoints?

Dr. Mike Lloyd, CTO of RedSeal: Internet of Things devices are great because they aren’t as complicated as phones, laptops, or servers. General-purpose computers cause headaches. Unfortunately for security, IoT devices are also a curse for the same reason – precisely because they aren’t flexible. The security toolchain and ecosystem we’ve built up assumes we can put stuff on network endpoints, but IoT “things” are different. Agents? Scanning? Patching? Antivirus? None of that works in the new world of IoT widgets. Worse, many of these devices are built en masse by companies focused on price point, with no intention of supporting patching.

Security in a Time of IoT

Industrial IoT News | May 15, 2019

By RedSeal CTO Dr. Mike Lloyd

The Internet of Things (IoT), made up of special-purpose devices designed to do a particular job well, presents a significant problem for security professionals. Several of their traditional approaches to security won’t work. Fortunately, it’s not all doom and gloom. We can use a three-step strategy for dealing with security and IoT.

First, we need to understand the nature of the IoT problem. Second, we need to invest effort in finding IoT endpoints and enumerating their weaknesses. And third, having found them, we need to look at them in the context of our own organization, our network, and our risk tolerance, so that we can clearly identify appropriate controls.

IoT: Why It Is Vulnerable

Security Advisor Middle East | Jan 16, 2018 | Pages 22-23

Feat. Dr. Mike Lloyd, RedSeal CTO

The Internet of Things – the connecting of billions of everyday and industrial devices using tiny sensors that transmit data and share information in the cloud – is revolutionising the way we live and do business.

IoT platforms are expected to save money, improve decision-making, increase staff productivity, provide better visibility into the organization and improve the customer experience. All this potential comes with some big security risks – mainly with the unsecured devices themselves, but also with their ability to join forces to bring down systems. This can leave corporate networks vulnerable.

When IoT Devices Go Rogue, Automation Saves the Day

SIGNAL Magazine | Dec 1, 2017

By J. Wayne Lloyd, RedSeal Federal CTO

By 2025, an estimated 75 billion or more devices will be connected via the Internet. While the ability to access data on any device from any device multiplies productivity exponentially, it also creates unforeseeable vulnerabilities that organizations are only beginning to understand.

Last year’s Mirai botnet distributed denial-of-service attack, which infected millions of devices, demonstrates the multifaceted challenges federal agencies and private-sector companies face when securing their devices and networks. These challenges will only continue to grow both inside and outside of these domains.

Fishing for Trouble in a Smart Fish Tank

Computer Business Review | October 3, 2017 

By Dr. Mike Lloyd, RedSeal CTO

More Internet of Things (IoT) means more security risk, says RedSeal Chief Technology Officer Mike Lloyd – but by gaining a better understanding of how your network works and where key vulnerabilities lie,  you’ll be able to implement effective segmentation to reap all the benefits of IoT without succumbing to data loss or damaging outages.