Group items tagged

Hotel operators need to know that passwords, designed to keep criminals out, can also be a vulnerability in the absence of proper controls

Thanks to wireless networks, guests can speed though the check-in process, expedite valet parking and send room service orders directly to the kitchen.  At the same time, hotel operators should recognize that criminals can leverage improperly secured wireless networks to steal cardholder data and should implement strategies to thwart these efforts. 

Despite all best efforts, data compromise events can occur and every hotel operator should have a plan in place. Prompt action must be taken by hotels or restaurants that have experienced a suspected or confirmed security breach to help prevent additional exposure of cardholder data and ensure compliance with the data security requirements. 

The National Institute of Standards and Technology (NIST) offers cybersecurity guidelines for best practices to manage cyber risk. These include identify, protect, detect, respond and recover. Another resource is the NCSA’s national program, CyberSecure My Business.

Firewall Often referred to as a company's "first line of defense," a firewall is a security control that filters and screens network traffic entering and exiting your corporate network.

People can rely on the password manager to create and store dozens of passwords in an encrypted database without having to remember them.

Password managers are quite helpful, and some are even free.

store the first part of sensitive site passwords

but keep the last few digits memorized and fill them manually.

This way, if there is ever a compromise of the password database, hackers don't have those full passwords.

You should also consider implementing multi-factor authentication (MFA). MFA authentication uses more than one thing or "factor" to log you in

, biometrics is part of this last category

SPAM & Malware filters screen email for unwanted and dangerous elements, blocking them before they ever reach your users.

In the world of cybersecurity, there's a phrase, "humans are the weakest link." An employee who accidentally clicks on the wrong link or email attachment can put in motion a chain of events that results in a cyber breach. Security awareness training is an anti-phishing tactic all organizations should employ.

RDP access must be protected by a VPN connection.

reduce the risk of getting hacked is to ensure your systems and software are updated regularly, or "patched.

patching shouldn't end with the operating system. Your patch program should also look to patch all other applications running on your systems

regardless of the security tools implemented to prevent a data breach, you should plan for a compromise occurring.  

That's where 24/7/365 network and endpoint monitoring comes in

The PCI Security Standards Council claims that since March, malicious virus-related reports are up 475%. The reason for the uptick is that cybercriminals are trying to take advantage of rapid changes to the payment-card data environment. In addition, 41% of small businesses have said they’ve suffered breaches costing more than $50,000 to fix.

Contactless payment is one of the big changes within the payment data environment. Several restaurant companies – from chains to independents – are offering it because it reduces customers' physical interaction with the restaurant's POS system. As part of this move, some businesses have eliminated credit-card PIN numbers.

Eliot says malicious email is usually the easiest way for cybercriminals to access your networks. The emails typically show up as urgent requests for sensitive information, often pretending to be from the Small Business Administration or the Centers for Disease Control and Prevention. When the intended victim types in his or her credentials and clicks on a specific link or downloads an attachment, criminals are in.

Anyone looking for easy-to-implement security tips can try these six to start. Reduce areas where payment-card data is stored. The best way to protect against a data breach is to avoid storing any card information at all. With many small operators offering curbside pickup and accepting payment over the phone instead of through face-to-face transactions, it’s important they train employees not to write down payment card details. Instead, have them enter numbers directly into a secure terminal. Use strong passwords. Using weak and default passwords is one of the leading causes of payment data breaches among businesses. Effective passwords must be strong and updated regularly. The most recent guidance is: the longer, the better. Think of it almost as a “passphrase” rather than a password. Use it in the form of a sentence, but mix in different characters within the phrase. It’s much harder to break a long passphrase than it is a short, complex password. Weak and vendor default passwords often result in small business data breaches. Also, don’t repeat your passwords. Update your software often. Criminals look for outdated software to exploit flaws in unpatched systems. Timely installations of security patches are crucial to minimizing the risk of a breach. Whenever updates are available, use them. They will improve performance and close out some of the vulnerabilities cybercriminals are searching for. Enable two-factor authentication. It's so important for restaurateurs, especially where their POS systems or any of their sensitive databases are concerned, to have two-factor or multi-factor authentication enabled. If an instance where credentials are stolen occurs, there will be a second layer of verification the operator can rely on to potentially reduce the chances that information will be breached. Segment your networks. If you are going to store payment data, make sure your POS system has its own separate, secure network. Do not store sensitive documents on public cloud services such as Google Docs or DropBox. If you’re going to store sensitive documents, house them in an encrypted, locked down location.   Be hyper-vigilant. Criminals are going to try to take advantage of this pandemic situation as much as possible. You can protect yourself by not giving out sensitive information, especially within unsolicited emails. Don’t click on links you’re not expecting and do everything in your power to protect all sensitive information.

Enter multifactor authentication (MFA). By adding extra layers of security to a user's login process and requiring they enter two or more pieces of evidence (e.g., factors) to prove they are who they say they are,

MFA is a great method for boosting protection against everyday threats like credential stuffing, phishing attacks and account takeovers.

1. Passwords alone are no longer enough to protect against security attacks.

it's critical every company apply effective security measures to protect their data.

to protect business and customer data, it begins and ends with preventing unauthorized account access.

MFA is the most direct and effective way to do that.

A familiar example of MFA at work is the two factors needed to withdraw money from an ATM.

Your ATM card is the something that you have, and your PIN is the something you know.

companies can require all employees to verify their identities with two or more pieces of evidence to prove they are who they say they are.

2. Companies around the world (from Fortune 500s to small businesses) are feeling the urgency to adopt MFA — but a knowledge gap persists.

It's imperative companies invest in training employees on how using MFA is essential to securing access to both work and personal accounts.

industries in our everyday lives — led by social media platforms and financial services — requiring consumers use MFA to secure their personal accounts, both businesses and employees are normalizing the everyday routine of MFA. 

make the connection between security at work and in their personal lives and understanding they're two sides of the same coin.

3. MFA adoption can seem overwhelming, but it doesn't have to be.

By recognizing any technical, change management and financial challenges to user adoption, committing to open communication, and providing the resources and training your employees need, any business can conquer that fear of the unknown. 

When adopting MFA, prioritize identifying the strongest and most user-friendly authentication method possible for your organization.

that means using an authenticator generator app, a hardware security key or a combination.

the reality is a large percentage of U.S.-based employees are also consumers with a smartphone in their pocket.

on that phone, the employee is already using multiple apps that require MFA.

4. Balance security with ease of use when identifying a preferred authentication method for your organization

With options like hardware keys, you often see employees run into issues losing, replacing or breaking them. But a (TOTP) mobile app can be continuously updated in ways that make the MFA process more seamless (e.g, an app that verifies automatically from trusted locations like an employee's home office).

authenticator apps on devices like iPhones have the added benefit of extra layers of security at the phone level like PINs and biometrics like Face ID.

Take Chipotle, for example. The company got devalued by about $400 million after they suffered a data breach.

because most go belly up six months after an attack.

Unprotected WiFi

Criminals pretend to be from the U.S. government and inform targets their COVID-19 stimulus check is ready, but they would need to verify the details of the recipient first before they can send it.

CRM software data, which may include names, addresses, and even birthdays. One of the most common ways to achieve this sort of attack is via malware (malicious software). Hackers find a vulnerable backdoor to a restaurant's network to install malware on the POS system. Malicious code then records every transaction and every detail, sending it back to the criminal's server over the internet.

GrubHub drivers scam both the restaurants and the customers by marking the deliveries as complete and pocketing the tip money, without bothering even to pick up the order from the establishment.

Businesses are scrambling to find suppliers amidst the chaos, and criminals have been taking advantage of the confusion

Scammers are posing as representatives from the World Health Organization (WHO), the Center for Disease Control (CDC), and other public health agencies

social engineering on the restaurant staff to pull off phishing attacks.

PCI compliant.

conduct a risk analysis

hiring a security expert either full time or as a consultan

Secure your network and always change the free WiFi access point's password with a strong one every day.

latest operating system updates

Force multi-factor authentication

strong passwords

Ensure sensitive data encryption

web-filter to secure your WiFi network

Install a robust security software program on all computers and devices to block, detect, and clean malware.

Conduct regular cybersecurity training

A related threat is that of “skimmers,” or devices that catch credit card numbers when consumers use them for payment. The problem primarily is contained to the restaurant industry, but Callaghan is concerned it could spread to hotels.

Ironically, one of the main reasons terrorism tops the list is because it has become less of an issue in recent years, sources said.

“The greatest business risk, as I see it … is insurance fraud. And it’s the most expensive,” he said.

The hot-button issue within the realm of hotel-information technology is mobile and cloud technology.

“Liability” as a general label refers to hoteliers being held liable for the acts, which are often criminal, of third parties, the AH&LA’s Callaghan said.

“Security” still is something of a taboo in the global hotel industry, said Paul Moxness VP for corporate safety and security at The Rezidor Hotel Group, a Brussels-based hotel management company, with more than 400 hotels and nearly 90,000 rooms in its portfolio.

Ogle recommended that all hotels use Wi-Fi Protected Access (WPA) encryption,

For guests, Ogle recommended connecting to the internet using a Virtual Private Network (VPN)

ted anti-virus and firewall software and making sure each secured website starts with “https://” rather than “http://”. The danger of not securing a

This type of situation was brought to a head earlier this year when marketing services giant Epsilon experienced a massive breach to its email systems. According to a SecurityWeek report, among those impacted by the breach were several hotel operators, including Hilton, Ritz-Carlton and Marriott.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a 2010 Wall Street Journal report, the most common security vulnerability in hotels is point-of-sale software. Often, hotels do not require employees to change the default names and passwords of these programs, making it easier for hackers to break in and steal customer information

According to a 2010 Wall Street Journal report, the most common security vulnerability in hotels is point-of-sale software. Often, hotels do not require employees to change the default names and passwords of these programs, making it easier for hackers to break in and steal customer information.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a 2010 Wall Street Journal report, the most common security vulnerability in hotels is point-of-sale software. Often, hotels do not require employees to change the default names and passwords of these programs, making it easier for hackers to break in and steal customer information

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

Hotels

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

otels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

Hotels

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

According to a USA Today report, a panel of IT executives from Starwood Hotels, Hilton and other lodgings operators recently told an audience at the LodgeNet’s Customer Technology Symposium in Chicago that protecting customer data is becoming their top priority.

Encryption: Encryption keeps data safe from unauthorized users. If an attacker steals an encrypted file, access is denied without finding a secret key. The data is worthless to anyone who does not have the key.

Authentication: Weak passwords are the most common enterprise security vulnerability. Many employees write their passwords down on paper. This defeats the purpose. Multi-factor authentication can solve this problem.

Breach Drills: Simulating data breaches can help employees identify and prevent phishing attacks. Users can also improve response times when real breaches occur. This establishes protocols for handling suspicious activity and gives feedback to users.Measurement: The results of data breach drills must inform future performance. Practice only makes perfect if analysts measure the results and find ways to improve upon them. Quantify the results of simulation drills and employee training to maximize the security of cloud storage.

Is the Cloud Secure and Private?Professional cloud storage comes with state-of-the-art security. Users must follow the vendor’s security guidelines. Negligent use can compromise even the best protection.

Redundancy makes cloud storage security platforms failure-proof. On-site data storage is far riskier. Large cloud vendors use economies of scale to guarantee user data is intact. These vendors measure hard drive failure and compensate for them through redundancy.Even without redundant files, only a small percentage of cloud vendor hard drives fail. These companies rely on storage for their entire income. These vendors take every precaution to ensure users’ data remains safe.

Percoco outlined the three main steps in a typical data breach and how attackers mostly operate at each level: initial entry, data harvesting, and exfiltration.

Consider a computer network security suite

In a breakdown of types of IT environments most frequently compromised, POS systems and assets were associated with 95 percent of breaches in the food and beverage industry

One example is the breach of Eataly,

The company reported that their Manhattan retail location was hacked and malware was installed to capture payment card transaction data.

The conclusion is, remote access credentials appear to be a common theme among most POS breach cases, which calls for a specific technical approach to eliminating this risk and the liability of weak authentication security for remote application logins.

Manufacturers are rushing products to market with little or no thought to security, often including hardcoded passwords or known vulnerable software libraries. While this problem is most obvious in the consumer space (which gets the most news coverage), vulnerable IoT devices are present in every business sector as well

The TPM stores secret keys, passwords, and digital certificates in its secure internal storage protecting them from software and physical attacks. The TPM acts as a root of trust for checking platform integrity at boot time (i.e., check against any malicious change). A cryptographic hash value of the platform configuration is calculated and compared against the precomputed hash value of the platform. Access to the platform is denied if the integrity check fails [4]. This is the beginning of the “chain-of-trust” for software modules that are subsequently initiated. This transitive trust mechanism is one of the important security features in trust computing. It uses the trust root as a starting point to establish a chain of trust model, in the order of trust root, boot loader, OS, and Application.

Secure boot provides the foundation for Trusted Boot, which extends the trust boundary to the boot process and eventually the operating system.

software attestation attempts to achieve a dynamic root of trust without specific hardware support. This method has the advantage of not requiring any stored secrets (cryptographic keys or passwords) and allows applications or modules to be updated, which may not be possible if hash values are stored in immutable formats, such as a TPM chip

While Secure Boot validates the platform and firmware, Trusted Boot is generally defined as verifying each software module before execution and extending the chain-of-trust to the entire operating system. During the boot sequence, the digest of each executing program is recorded before it executes. A TPM (Trusted Platform Module) is used to store all these records and then report on them securely.

It is important to note that Trusted Boot requires a TPM chip so the operating system can see the chain of execution, thus it may not be an option for some IoT devices. Lack of trusted boot support would allow an attacker with physical access, or using a software vulnerability during run time, to potentially modify the stored code and compromise the device.

There are many other attack possibilities to consider with IoT devices. For example, existing TPM architectures do not support runtime integrity checking and this allows attackers to exploit vulnerabilities to modify the program after it has been verified (at time of check or TOC) but before the time of its use (at time of use or TOU) to trigger unintended program behavior, such as the execution of malicious code or the leaking of sensitive data

Physical attack is a viable method of compromising the integrity of a device. Modifying and replacing firmware by an attacker may be worth the effort, depending on the perceived value of the device or the data it may access (such as a video camera or ATM). Attackers can go as far as removing memory and reading its contents.

a device built today can become a major problem tomorrow

Companies have uploaded VPN and cloud access credentials to cloud storage systems that are easily accessible.

security breaches are routinely made worse when hackers who enter one system are then finding the keys to another lying around unencrypted.

developers are still regularly storing the digital keys to company assets and even user data in source code, configuration files, and other miscellaneous, unencrypted locations.

Unlike typical users who can memorize their passwords or store them with a secure password manager, developers and IT workers often need to keep security credentials in places where automated software can find them.

Cloud managers are playing catchup to close the door on the critical data left out in the open.

Sophisticated new cybersecurity tools designed to securely store these kinds of credentials in a way that legitimate, automated processes can access, and intruders can’t

hackers time and again have outwitted the cyberguardians.

cloud industry leader Amazon launched AWS Secrets Manager, its own credential management tool. And Microsoft offers what it calls Azure Key Vault to securely store and monitor and control access to this kind of data.

The main problem is that companies really don’t have policies for it or they don’t follow up and make sure those policies are followed

Until recent hacks made it clear that few organizations can hope to keep their networks entirely free from intrusion, many companies paid less attention to the security of data within their firewalls

UpGuard, known for its frequent role in detecting leaks tied to data stored on insecure cloud machines, has released BreachSight, which scours the internet for its clients’ exposed code, credentials, personally identifiable information, and other sensitive data.

Since last year, Amazon has also offered a service called Amazon Macie, which uses machine learning to detect unusual access patterns to cloud storage and uploads of potentially sensitive data like access keys.

Amazon also released open source software to help prevent accidentally storing passwords and keys to source code repositories

other developers have offered similar tools to scrub credentials from existing code.

it’s possible that those types of tools will automatically be provided as part of cloud computing contracts, as standard as seatbelts in new cars.

Telecommuting Is The Only Way Of Working For Many

With swift digitalization, security controls will shift to data sources, similar to the trend witnessed in IoT.

With millions of employees working from home, hackers’ focus has shifted from enterprise to remote working individuals. To handle the menace that exists in cyberspace, decentralized cybersecurity will rise where greater emphasis will be placed on data sources such as actual remote employees themselves.

User access controls have largely revolved around single or two-factor authentication. These methods rely on “something you know (username)” and “something you have (password).”

This means identity protection will be a top priority, and the best defense should involve building authentication systems that focus on “who you are.” This would require advanced biometric solutions such as fingerprint/thumbprint/handprint, retina, iris, voice and other facial recognition technologies.

The current state of privacy regulations is designed around the enterprise network and building the proverbial wall to keep sensitive data out of prying eyes.

With the remote working concept taking center stage, re-evaluation of these policies is needed to address the new cyberthreats.

From a risk management perspective, global privacy policies will need to encapsulate standard operating procedures regarding BYOD, GDPR compliance and state privacy laws.

The shift to cloud services offers employees, customers, suppliers and everyone else across the ecosystem a seamless and frictionless way to access data and applications. Remote access by various users would compound security challenges and present many new potential attack vectors. In the post-pandemic world, IT resources could shift toward data, particularly keeping data secure across cloud platforms.

This will facilitate cybersecurity teams to apply varied access controls and demarcate data storage to minimize the risk of cyber intrusion and data breach.

Innovative technologies such as ML/AI and AR/VR will see greater adoption. As we have already witnessed, video conferencing applications will continue to rise as non-contact interactions surge.

Sectors such as retail, hospitality and manufacturing will layer their adoption of robotics with added AR/VR capabilities.

Cybersecurity teams that are saddled with an events-based approach will be overly burdened with triages when a cyber breach occurs. By embracing an intelligence-driven approach, businesses can digitalize confidently with external threat intelligence as the guiding beacon.

Social engineering techniques to trick untrained and unsuspecting employees, third parties and contractors into releasing confidential information or letting an intruder into a corporate network will also intensify accordingly.

Cybersecurity awareness training for people across the entire supply chain and ecosystem will prevail.