Information Security Issues at Casinos and eGaming
Tim Tarabey
June 2012
Agenda
• Advanced Persistent Threats (APT)
• Access Controls
• eGaming / Casino-specific Issues
Advanced Persistent Threats (APT)
• Definition: usually refers to a group of people with both the capability and the intent to persistently and effectively target a specific entity.
• Challenges
  • Traditional IS tools, measures and controls are generally insufficient.
  • Information security awareness
  • Increase ISS budget, training and skills.
Advanced Persistent Threats (APT)
• Addressing the APT
  • Real-time monitoring
  • Packet filtering
  • Continuous, realistic penetration testing
  • Web application scans
  • Recognize the “new normal”.
  • Executive support: reach out to CIOs and executives to get things done.
Access Controls
• Definition
  • The cornerstone of any information security program.
  • Physical, technical and administrative controls
• Challenges
  • Authentication of users
  • Business needs
  • Remote access
  • Access control review
  • Prevention vs. detection and response
  • Internal breaches will happen as long as people have access to data.
Access Controls
• How to address
  • Awareness programs
  • Consistent account reviews by business owners, not IT/IS
  • Define processes
• Costly
  • Resources
  • Requires tools and technologies
  • Requires facilities and back-end systems to manage
  • Constant updates and maintenance of systems
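The slide puts account reviews in the hands of business owners rather than IT/IS. In practice that only works if IT/IS hands each owner a packet that already carries the findings (orphaned accounts, dormant accounts, privileged accounts, users whose department does not fit the application). The script below is an added example, not code from the deck or from any casino system: the HR roster, account export, owner mapping, review date and the 90-day dormancy policy are all constructed assumptions, and the key=value layout of the export is invented for illustration.

```python
"""Access-review packet builder (added example, not from the slides).

Groups every application account under the business owner who must
attest to it, and attaches the findings an IT/IS team would otherwise
have to explain verbally. All data below is constructed sample input.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2012, 6, 1)        # assumed "as of" date for the review
DORMANT_AFTER = timedelta(days=90)    # assumed policy: 90 days without a login

# Constructed HR roster: employee id -> (department, status)
HR = {
    "e100": ("Player Services", "active"),
    "e101": ("Finance", "active"),
    "e102": ("Surveillance", "terminated"),
    "e103": ("IT", "active"),
}

# Constructed application account export, one dict per account
ACCOUNTS = [
    {"app": "player-db", "user": "jsmith", "emp": "e100", "role": "csr",
     "privileged": False, "last_login": date(2012, 5, 28)},
    {"app": "player-db", "user": "bwong", "emp": "e102", "role": "analyst",
     "privileged": False, "last_login": date(2012, 3, 1)},
    {"app": "player-db", "user": "dba_admin", "emp": "e103", "role": "dba",
     "privileged": True, "last_login": date(2012, 5, 30)},
    {"app": "player-db", "user": "svc_report", "emp": None, "role": "svc",
     "privileged": True, "last_login": date(2011, 12, 1)},
    {"app": "finance-gl", "user": "alee", "emp": "e101", "role": "clerk",
     "privileged": False, "last_login": date(2012, 1, 15)},
]

# Assumed mapping: which business owner signs off on each application, and
# which departments that application's accounts are meant to serve
APP_OWNERS = {
    "player-db": {"owner": "VP Player Services",
                  "expected_depts": {"Player Services", "IT"}},
    "finance-gl": {"owner": "Controller", "expected_depts": {"Finance"}},
}


def findings_for(acct, hr, review_date):
    """Return the list of review flags for one account."""
    flags = []
    emp = hr.get(acct["emp"]) if acct["emp"] else None
    if emp is None:
        flags.append("orphaned: no matching HR record")
    elif emp[1] != "active":
        flags.append("orphaned: employee %s" % emp[1])
    elif emp[0] not in APP_OWNERS[acct["app"]]["expected_depts"]:
        flags.append("department mismatch: %s" % emp[0])
    if review_date - acct["last_login"] > DORMANT_AFTER:
        flags.append("dormant: last login %s" % acct["last_login"].isoformat())
    if acct["privileged"]:
        flags.append("privileged: explicit re-approval required")
    return flags


def build_review_packets(accounts=ACCOUNTS, hr=HR, review_date=REVIEW_DATE):
    """Group every account under its business owner with its findings.

    Accounts with no findings are still listed: the owner attests to every
    account, not only to the suspicious ones.
    """
    packets = {}
    for acct in accounts:
        owner = APP_OWNERS[acct["app"]]["owner"]
        entry = {"app": acct["app"], "user": acct["user"],
                 "findings": findings_for(acct, hr, review_date)}
        packets.setdefault(owner, []).append(entry)
    return packets


if __name__ == "__main__":
    for owner, entries in build_review_packets().items():
        print("Review packet for %s" % owner)
        for e in entries:
            status = "; ".join(e["findings"]) or "no findings"
            print("  %-12s %-12s %s" % (e["app"], e["user"], status))
```

Orphan detection is done against HR first and dormancy second, so a terminated employee with a recent login still surfaces as orphaned rather than being hidden behind "active use". Privileged accounts are flagged unconditionally because a business owner cannot judge a DBA or service account from its login history alone.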
Casino / eGaming Issues
• Background
  • Casinos and eGaming have their own unique challenges, and casino/eGaming security expertise is limited.
  • Casino operations are trying to enhance the customer experience by collecting more and more sensitive player data.
  • With the changes in business operations brought by the internet era, security concerns have moved from the computer lab to the front page of newspapers and media.
Casino / eGaming Issues
• Challenges (business and ISS/IT challenges)
  • Unclear law around exploiting online games
  • Regulatory & compliance (GPEB, OIPC, PCI, etc.)
  • Data access
    • Expansion of the user community
  • Application / software providers
  • Interoperability
  • Speed to market
  • Social media
Casino / eGaming Issues
• Challenges (continued)
  • 24x7x365 availability
  • 3rd-party support
  • Mobile devices and smartphones
  • VIP players
Casino / eGaming Issues
• Business priorities and requirements (meeting business demands versus security requirements)
  • Projects vs. operations
  • Time
  • Resources
• How to address
  • Information systems security program
  • Be dynamic
  • ISS as business enabler (business must drive security)
  • Segregate critical systems
Information Security Challenges
• Requires special skills and training
• Requires detection, analysis, investigative and resolution skill sets
• Requires emergency response capabilities for resolution
• Requires ongoing hiring, training and retention initiatives
• Ongoing research and the ability to incorporate new tools and technologies
• Real-time monitoring
Defining the Role, Scope and Procedures
• Role of the security operations team
  • Will it simply observe, record and report on recurring attacks?
  • Will it be actively involved in mitigating threats?
• Scope of the security operations team
  • Agree on the scope of security operations activities: is it restricted to the network only, or does it also include suspicious behaviour in user activity?
• Define appropriate procedures
  • Ensure all processes, and how incidents are handled, are clearly understood by all parties.
  • Ensure you have a clearly documented incident response plan.
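The "Real-time monitoring" item and the scope question above (network only, or user activity too) come down to what the operations team actually runs over the application audit trail. The following is an added example, not from the deck or any casino system, of the user-activity side: a few detections over a player-data access log. The log format, the roles, the business-hours window, the view threshold and the set of roles entitled to VIP records are all constructed assumptions chosen to match the deck's concerns (insiders with data access, VIP players, bulk exports).

```python
"""Player-data access monitoring (added example, not from the slides).

Runs simple detection logic over an application audit log: after-hours
access, bulk export actions, VIP record access by roles that should not
need it, and per-user volume spikes. Log lines and thresholds are
constructed assumptions, not real casino data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines in an assumed key=value format
LOG_LINES = """\
2012-06-01T09:02:11 user=jsmith role=csr action=view_player pid=4410 vip=no
2012-06-01T09:03:40 user=jsmith role=csr action=view_player pid=4412 vip=no
2012-06-01T23:41:05 user=bwong role=analyst action=export_players pid=- vip=no
2012-06-01T23:41:06 user=bwong role=analyst action=view_player pid=9001 vip=yes
2012-06-01T23:41:07 user=bwong role=analyst action=view_player pid=9002 vip=yes
2012-06-01T23:41:08 user=bwong role=analyst action=view_player pid=9003 vip=yes
2012-06-01T23:41:09 user=bwong role=analyst action=view_player pid=9004 vip=yes
2012-06-01T10:15:00 user=host_kim role=vip_host action=view_player pid=9001 vip=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) pid=(?P<pid>\S+) vip=(?P<vip>yes|no)$")

# Assumed policy parameters
BUSINESS_HOURS = (7, 22)                   # 07:00-22:00 local; anything else is after-hours
VIEW_THRESHOLD = 3                         # more than this many views per user is a spike
VIP_ROLES = {"vip_host", "surveillance"}   # roles entitled to VIP player records
BULK_ACTIONS = {"export_players"}          # actions that always warrant an alert


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["vip"] = ev["vip"] == "yes"
    return ev


def detect(lines):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    views = defaultdict(int)
    after_hours_seen = set()   # one after-hours alert per user, not per line
    for raw in lines.splitlines():
        ev = parse_line(raw)
        if ev is None:
            # A line the parser cannot read is itself worth a look
            alerts.append(("unparseable", "-", raw))
            continue
        hour = ev["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]) \
                and ev["user"] not in after_hours_seen:
            after_hours_seen.add(ev["user"])
            alerts.append(("after_hours", ev["user"], ev["ts"].isoformat()))
        if ev["action"] in BULK_ACTIONS:
            alerts.append(("bulk_export", ev["user"], ev["action"]))
        if ev["vip"] and ev["role"] not in VIP_ROLES:
            alerts.append(("vip_access", ev["user"],
                           "pid=%s role=%s" % (ev["pid"], ev["role"])))
        if ev["action"] == "view_player":
            views[ev["user"]] += 1
    for user, n in views.items():
        if n > VIEW_THRESHOLD:
            alerts.append(("volume_spike", user, "%d player views" % n))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(LOG_LINES):
        print("%-13s %-9s %s" % (rule, user, detail))
```

Each VIP access is reported per record because an analyst needs the list of players touched, while after-hours access is collapsed to one alert per user to keep the queue readable. Which of these the team merely records and which it acts on is exactly the role question the slide asks; the rules themselves are the same either way.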
Information Systems Security
• The role of ISS is to influence everyone in the corporation to embed information security principles, practices and technology into all aspects of the business.
• ISS's goal is to achieve and maintain a balanced information security posture commensurate with the risk appetite of the enterprise.
• Safeguards are used to mitigate threats in a cost-efficient manner.