Trivia 1 • What percentage of the restaurants opened today will still be in business next year? a. 90 percent b. 50 percent c. 20 percent d. 10 percent
Trivia 2 • What percentage of the restaurants opened today will be hacked next year? a. 90 percent b. 50 percent c. 20 percent d. 10 percent
Introduction • Technology has become inseparable from hospitality operations. • Technology is now part of the DNA of the company. • Information security is becoming more important.
Introduction • Every day thousands of major security breaches occur in the public and private sectors, resulting in serious financial and property losses (Flink, 2002). • 75% of e-mail is spam (eWeek, 2004). • In 2004, every single computer was attacked by a virus at least once.
Computer viruses are most commonly spread by… • Reading jokes on the Internet • Opening e-mail attachments • Downloading pictures from the web • Poorly chosen computer passwords. Answer: most viruses are spread through attachments sent by e-mail. To a limited extent, malicious code can also be picked up by downloading files from the Internet. According to a recent study by SANS, nearly 40% of all e-mail attachments are infected by a virus.
Does your organization use perimeter protection? • We do not have a firewall. • We have a firewall, and block only what we are scared of. • We have a firewall with a default deny-all policy, and allow traffic through by exception. • We practice defense in depth: a corporate firewall plus host-based firewalls wherever possible. If you don't have a firewall, you are asking for trouble. You need a firewall at each restaurant that connects to the Internet. Even if you do have a firewall, set its policy to reject all traffic by default and, from there, allow through only the traffic you want. And your POS systems need firewalls as well.
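One way to see why the third posture beats the second, as an added example that is not part of the original slides: a small first-match policy evaluator in Python. The networks, hosts and ports are made up; `BLOCKLIST` models "block only what we are scared of" and `ALLOWLIST` models default deny with allow-by-exception.

```python
"""Added example (not from the original slides): a first-match packet-filter
policy evaluator that contrasts "block only what we are scared of" with
"default deny, allow by exception". All networks, hosts and ports are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the policy's default action applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Posture 2: explicit denies for the things we happened to think of, default allow.
BLOCKLIST = [
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", 23),    # telnet
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", 3389),  # RDP
]

# Posture 3: default deny, with only the services we actually run allowed by exception.
ALLOWLIST = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),   # public web front end
    Rule("allow", "10.0.0.0/8", "10.0.2.5/32", "tcp", 5432),  # DB, internal clients only
]

SAMPLE_TRAFFIC = [  # constructed for the example
    Packet("guest to web server", "203.0.113.7", "10.0.1.10", "tcp", 443),
    Packet("RDP from the Internet", "203.0.113.7", "10.0.1.10", "tcp", 3389),
    Packet("Internet to a POS box, port 4444", "203.0.113.7", "10.0.3.20", "tcp", 4444),
    Packet("Internet straight to the DB", "203.0.113.7", "10.0.2.5", "tcp", 5432),
    Packet("staff host to DB", "10.0.4.9", "10.0.2.5", "tcp", 5432),
]


def compare(traffic=SAMPLE_TRAFFIC) -> dict:
    """Map each packet's label to (blocklist verdict, default-deny verdict)."""
    return {pkt.label: (evaluate(BLOCKLIST, "allow", pkt), evaluate(ALLOWLIST, "deny", pkt))
            for pkt in traffic}


if __name__ == "__main__":
    for label, (blocklist, default_deny) in compare().items():
        print(f"{label:36} blocklist={blocklist:5} default-deny={default_deny}")
```

The packet to port 4444 on a POS box is the point: nobody wrote a rule for it, so the blocklist lets it through while the default-deny policy drops it, and the same happens for a direct connection from the Internet to the database. On a real firewall this is a default DROP policy followed by explicit ACCEPT rules, and the host-based firewall on each POS terminal gets the same treatment.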
True or false? Working away from the office gives you more freedom from the company's security policies. False. The company's security standards and policies are even more important when you are working away from the office.
Does your organization use intrusion detection systems? • We do not have IDSs. • We have IDSs, but do not review the system logs. • We have IDSs, and review all system logs. • We have IDSs throughout our network and perform event correlation. If you do not have intrusion detection systems (IDSs) throughout your organization, extending to your restaurants and any other location that feeds information directly to headquarters, you could be attacked without knowing it. To make sense of it all, you need to correlate events across sensors to determine whether you are being hit by a blended attack.
True or false? Off-site tapes and anti-virus updates automatically protect you from virus infections. False. 90% of all organizations that do not have a very tight security policy only update their virus definitions after they have found new viruses. Any virus present during the backup process is backed up and taken off-site with the data, and it propagates further when the files are restored from tape.
Do you have a written set of security policies that have been tested in the last year? • No, we do not have written security policies. • We have some policies, but only for critical elements, or they are out of date. • We have a robust set of policies and employees are required to review them. If you answered no, you are in a world of hurt. The same holds if you haven't tested your security blanket from the outside of your organization and from the inside of your organization.
Threats aren’t limited to viruses, worms, or denial of service attacks anymore • Nimda had four propagation methods attached to it. • It embedded itself into .html files on the hotel’s “secure” sign-in page, compromising the users’ computers that signed in without “live” virus protection. • It then harvested e-mail addresses from the mail box, sending out its own e-mails through its own SMTP sender application. • If the user had a “shared folder” on the computer, it proceeded to try and infect those files. • It then used the host computer to look for any computers running personal web servers, trying to use the Unicode Web Traversal exploit to gain control of the target.
If you had brought the virus back with you • Your own computer would have • Begun attacking other systems from within your network, bypassing your firewall • Continued to send out infected e-mails using your own mailbox addresses for a combination of sender and receiver • Probably confounded your net admins if they didn’t have an internal intrusion detection system
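What "event correlation" looks like for an outbreak like the one described above, as an added example that is not the original presentation's material: three constructed sensor logs (web server, mail relay, file share) are turned into alerts, and any host that shows two or more propagation vectors within ten minutes is reported as a blended attack. The hostnames, IP addresses and thresholds are assumptions; the `%c0%af` path is the overlong-UTF-8 form Nimda used against the IIS Unicode traversal bug the slide mentions.

```python
"""Added example, not part of the original presentation. Correlates alerts from
three sensors per source host and flags hosts using two or more propagation
vectors inside one time window, as a Nimda-style blended attack would. All
log lines below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

# Sensor 1: web server access log (constructed). %c0%af is an overlong encoding of "/".
WEB_LOG = """
2001-09-18T10:02:11 10.0.5.23 GET /index.html 200
2001-09-18T10:02:13 10.0.5.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
2001-09-18T10:40:00 10.0.7.4 GET /images/logo.gif 200
"""

# Sensor 2: mail relay log, one line per outbound message (constructed: 25 messages
# from one workstation inside a single minute, then one ordinary send from another host).
MAIL_LOG = "\n".join(
    f"2001-09-18T10:03:{i:02d} 10.0.5.23 from=<reception@hotel.example> rcpt=<user{i}@example.com>"
    for i in range(25)
) + "\n2001-09-18T10:30:00 10.0.7.4 from=<chef@hotel.example> rcpt=<supplier@example.com>\n"

# Sensor 3: file-server audit log of writes to a shared folder (constructed).
SMB_LOG = r"""
2001-09-18T10:04:30 10.0.5.23 WRITE \\FILESRV\shared\readme.eml
2001-09-18T10:04:31 10.0.5.23 WRITE \\FILESRV\shared\notes.doc.eml
2001-09-18T11:15:02 10.0.7.4 WRITE \\FILESRV\shared\menu.xls
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_overlong(path):
    """Percent-decode a URL path, then collapse 2-byte overlong UTF-8 sequences
    (lead byte 0xC0/0xC1) to the ASCII they hide, so %c0%af is seen as "/"."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def web_alerts(log):
    """One alert per request whose normalised path climbs out of its directory."""
    alerts = []
    for line in log.strip().splitlines():
        ts, host, _method, path, _status = line.split()
        if TRAVERSAL.search(decode_overlong(path)):
            alerts.append((datetime.fromisoformat(ts), host, "web-traversal"))
    return alerts


def mail_alerts(log, burst=20, window=timedelta(minutes=5)):
    """A host sending `burst` messages inside `window` is treated as a mass-mailer."""
    per_host = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host = line.split()[:2]
        per_host[host].append(datetime.fromisoformat(ts))
    alerts = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                alerts.append((times[i], host, "mass-mail"))
                break
    return alerts


def smb_alerts(log):
    """Writes of .eml files into a share are the worm's share-infection vector."""
    return [(datetime.fromisoformat(ts), host, "share-write-eml")
            for ts, host, _op, path in (l.split(maxsplit=3) for l in log.strip().splitlines())
            if path.lower().endswith(".eml")]


def correlate(alerts, window=timedelta(minutes=10), min_vectors=2):
    """Per source host, report the distinct vectors seen inside any `window`-long span."""
    by_host = defaultdict(list)
    for ts, host, vector in alerts:
        by_host[host].append((ts, vector))
    findings = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            vectors = {v for t, v in events[i:] if t - start <= window}
            if len(vectors) >= min_vectors:
                findings[host] = sorted(vectors)
                break
    return findings


def blended_attack_hosts():
    alerts = web_alerts(WEB_LOG) + mail_alerts(MAIL_LOG) + smb_alerts(SMB_LOG)
    return correlate(alerts)
```

Run stand-alone, `blended_attack_hosts()` returns `{'10.0.5.23': ['mass-mail', 'share-write-eml', 'web-traversal']}`: each sensor on its own would raise one low-priority alert, but the same host hitting three vectors inside a few minutes is the signature a single-sensor, log-by-log review would miss. The second host, 10.0.7.4, does ordinary work and never appears. Decoding the overlong sequence before the traversal check matters because a filter that only looks for the literal string `../` never sees the `/` hidden in `%c0%af`.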
What can go awry / What you can lose… Asset classes: Documents, Apps, OSes, Storage, Hardware, Network, Power, Building. • Integrity: can be lost in all eight asset classes. • Availability: can be lost in all eight asset classes. • Confidentiality: marked for five of the eight asset classes (the slide's check marks did not survive extraction, so which five is not recoverable).
A Hotel Computer System (diagram: PMS at the center, interfaces shown with direction of data flow). Off-premise systems: travel agents, global reservation system, credit card authorization & EFT, corporate reservation system, corporate guest history, corporate accounting system, remote sales & marketing, long-distance systems. In-house systems interfaced with the PMS: forecasting & scheduling, pay-per-view / check-out, time & attendance, maid dial-in, sales & catering system, yield management, maintenance, energy, fire & life safety, electronic lock & security system, back of house (BOH), front of house (FOH), in-room energy control, MIS/EIS, call accounting system (CAS), purchasing & inventory, PBX (switch), food & beverage inventory system, voicemail / message handling, mini bar, restaurant management system (POS), electronic bar dispenser, wake-up system. A second version of the same diagram adds the Internet as a connection path into this environment.
Purpose of the Study • To analyze security practices for electronic information, network threats and prevention techniques in hotels.
Objective of the Study • To help information technology directors and chief information officers with policy development for the security of electronic information in hotels.
Problem Statement • Networks are involved at every level of hotel management (Cobanoglu & Cougias, 2003). • At the property level, there are local area networks on which reservation, front office, restaurant management, payroll, accounting, human resources, and other systems reside. • In addition, hotels may offer high-speed Internet access (wireless or wired) to guests in their rooms or in other areas of the hotel.
Review of Literature • The total volume of information is increasing at a rate of some 12 percent a year (Daler et al., 1989). • The Internet now reaches over 120 nations around the world and has approximately 605 million users (NUA Internet, 2004).
Security procedures protect the hotel's DNA • Refunds • Supply chain • AR/AP • Reporting • Unstructured documents • PMS • Back office • Billing • Sales • Ops processes • CRS • Inventory • CRM • POS • E-mail • Datasets
Computer Crimes • Hacking (also known as Cracking): Knowingly accessing a computer without authorization or exceeding authorization of a government computer or intentionally accessing a computer without authorization or exceeding authorization to acquire financial information of a bank, business or consumer. • Theft of Technology: Knowingly accessing a computer with the intent to access or acquire technological information or secrets • Fraud: Knowingly, and with intent to defraud, accessing a federal interest computer without authorization or exceeding authorization to further a fraud or obtain anything of value. Source: (The Breaulier Law Office, 2003)
Phishing • "fishing" for information • the "ph" spelling follows phreaking • a false e-mail sent in order to obtain a username/password
Security Scenarios • While doing a security audit, we took one of the main servers out of the building with a fake work order. • I had access to the network of a Hospitality School in Thailand without any problem. • Try driving through the streets with your wireless-enabled laptop.
Hacking: An art or a crime? • Whois (server address) • Keylogger (records keystrokes) • Netcraft (make and model of the server) • Packet Internet Groper (PING) • Name scan (finds the computers in your network) • Port scan (e.g. Advanced LAN Scanner): finds open doors • Attack (CGI, unshielded directories, Trojan horses, etc.)
Hacking • DNS Lookup • Finger • Name Lookup • Port Scan • Trace Route • http://www.stayinvisible.com/index.pl/network_tools
Anonymous IP http://www.stayinvisible.com/index.pl/test_your_ip_nocache
Trace Email • http://www.stayinvisible.com/index.pl/test_your_email?action=showheaders&key=349002755807
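The manual version of the e-mail tracing the tool above does, as an added example that is not part of the original slides: parse the Received: chain of a constructed phishing message with Python's standard `email` module, walk it in chronological order, and compare the claimed From: domain with the relay that actually handed the message in. Every host, address and message ID below is made up.

```python
"""Added example (not from the original slides): find where a message really
entered the mail system by reading its Received: chain. The message, hosts and
addresses below are all constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <promo@mail.attacker.example>
Received: from relay2.hotel.example (relay2.hotel.example [10.0.0.25])
    by mailstore.hotel.example with ESMTP id 7b3k2 for <gm@hotel.example>;
    Thu, 18 Nov 2004 09:15:44 -0500
Received: from mx1.hotel.example (mx1.hotel.example [192.0.2.10])
    by relay2.hotel.example with ESMTP id 9ab11;
    Thu, 18 Nov 2004 09:15:43 -0500
Received: from bank-secure.example (unknown [198.51.100.77])
    by mx1.hotel.example with SMTP id 1x44z;
    Thu, 18 Nov 2004 09:15:41 -0500
From: "Account Services" <security@bank.example>
To: gm@hotel.example
Subject: Please verify your account

Your account will be suspended unless you confirm your password today.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <receiving-host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?.*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return the hops in chronological order (first relay first). Each relay
    prepends its own Received: line, so header order is the reverse of transit order."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append({"claimed": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"]})
    hops.reverse()
    return hops


def origin_report(raw):
    """Compare the visible From: with where the message actually came in."""
    msg = message_from_string(raw)
    first = received_hops(raw)[0]
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    return_domain = parseaddr(msg["Return-Path"])[1].split("@")[-1].lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "entry_relay": first["by"],           # our own MX: the first line we can trust
        "origin_claimed": first["claimed"],   # whatever the sender said in HELO
        "origin_ip": first["ip"],             # what the MX actually saw connecting
        "origin_rdns": first["rdns"],
        "suspicious": first["rdns"] == "unknown" or return_domain != from_domain,
    }


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f"{hop['ip']:15} ({hop['claimed']}) -> {hop['by']}")
    print(origin_report(RAW_MESSAGE))
```

Only the Received: lines added by your own relays can be trusted; anything the sender put below them can be forged, which is why the report keys off the first hop seen by your own MX (mx1.hotel.example here) rather than off the HELO name or the From: header. In the constructed message that hop came from 198.51.100.77 with no reverse DNS, and the Return-Path domain does not match the From: domain, so the message is flagged.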
Methodology • Population: hotel managers in charge of information security practices in the U.S. • Sample: the target sample consisted of 1143 technology managers who were current subscribers of Hospitality Technology magazine as of November 2004.
Methodology • The survey was adapted and expanded from the 2004 CSI/FBI Computer Crime and Security Survey (CSI, 2004). • Self-administered online survey with four sections: • Security technologies • Network security threats • Perception statements • Demographics and property characteristics
Findings • Of the 1143 sample members' e-mails, 178 were returned as "undeliverable", reducing the effective sample size to 965. • 234 filled out the questionnaire, a 24.2% response rate. • The majority of respondents (74.3%) were directly responsible for information technology in their organizations.
Top 5 Network Security Tools and Techniques Used by Hotels (share of respondents using each) • Anti-virus software: 84.4% • Physical security: 82.7% • Hardware firewall: 79.7% • Software firewall: 77.6% • Access control: 75.3%
Top 5 Network Security Tools and Techniques Not Used by Hotels (share of respondents not using each) • Biometrics: 69.4% • Digital IDs: 68.1% • Image servers: 63.0% • Vulnerability assessment scans: 42.5% • Intrusion detection systems: 35.5%
Network Attacks • Twenty percent of the respondents had a computer network attack within the last 12 months. • The size of the hotel seems to be positively correlated with the number of attacks observed within the last 12 months (r=.72; p=.001)
Network Attack Types • Virus Attack (15.4%) was reported most frequently, followed by • Denial of Service (7.7%), • Sabotage of data networks (7.7%), • System penetration by an outsider (7.7%), and spoofing (5.1%).
Other Findings • The average financial loss caused by these attacks was $10,375 per year. • About 20% of respondents hired reformed hackers or ethical hackers as consultants. • Only 2.6% of respondents reported computer network attacks to law enforcement. • The most used prevention measure was patching holes (79.5%) as fixes were released by hardware and software manufacturers.
Other Findings • Only 40% have enough resources for security • 56.4% have enough expertise • 23.1% have no method for removing old user accounts • 20% are members of an IT security organization • 38.5% never conduct an IT security audit
Conclusions • This study is one of the first attempts to analyze computer network attacks and prevention techniques in the hotel industry. • The results show that computer network attacks pose serious threats to hotels. • Although hotel companies use some prevention techniques, we observed a scattered mix of solutions rather than a consistent one.
Conclusions • Some hoteliers prefer to outsource their network and information security systems. This can cut two ways: • 1) If the outsourcing company is a network and information security expert, the hotel's network systems may be better protected; • 2) Depending on another company for such an important function may create problems such as data privacy and ownership.
Recommendations • A significant number of hotels do not use, and do not plan to use, some important network and information security tools and techniques. • Some of these tools are so vital to network security that not using them is an open invitation to internal and external hackers. • Hotel managers would do well to review this list, compare it with the tools they use, and implement and use multiple tools.
Recommendations: 4-step guide • Prevention through firewalls, anti-virus measures and ongoing anti-hacking analysis • Implement an intrusion detection system • Designate a quick-reaction team for when you get hit with a virus or hack attack; be ready to quarantine • Design an after-attack routine