Gaming Security is growing more complex
A changing audience.
The casino industry is more than just gambling these days. I saw a change happening when I was CISO for Caesars Entertainment, and I’ve seen it continue as I’ve worked to secure networks across the industry. Following the wide economic downturn in 2008, we’ve seen the industry shift focus to reflect a new generation of guests who spend their money beyond the casino floor.
These visitors expect fast, free Internet access in more places. They spend more time in nightclubs and restaurants, and relaxing at the spa, than taking their chances at a slot machine. Information security has had to shift along with the customers. In the past, the strategy was to build a perimeter defense in order to stop an attack. But as cyber attacks have increased year over year in both volume and severity (the amount of data lost), it’s time to accept that the old strategy isn’t working and that security in our industry needs to adapt.
These days, our users are demanding more access to data, across platforms, at all times—which changes how we protect data. Additionally, the “Internet of Things” is connecting more and more devices and systems together in ways most do not realize. Building a perimeter starts to make less and less sense when you are forced to keep punching holes in it to allow for access. This has given way to a new methodology.
Information Security today must focus on the detection of malicious actions, occurring both externally and internally, and decisive response to stop them before they become reportable events. They’re going to get in. They are. But that doesn’t mean they have to get the better of you.
The biggest mistakes I’ve seen CISOs make in the Gaming Industry:
- Lack of network control and visibility. The sheer volume of access the public has to network ports, combined with poorly patched or poorly secured environments, makes controller port security critical. Additionally, the number of legacy systems, and the need to keep them available 24x7, gives attackers easy access to do anything they want, from stealing data and deploying ransomware to knocking those systems offline with a DoS attack, without being seen or challenged.
- Leaving security to the “security team.” CISOs must educate the organization that “Security is Everyone’s Responsibility.” The IT or Information Security Teams can’t keep you safe without the help of the entire organization—from the Board members to the end user. Users represent the biggest threat to most networks. Policy must be carefully created and rigorously enforced at every level.
- Treating this like any other business. Most CISOs in other industries have one or two areas to focus on. But in the casino industry, we have multiple regulatory regimes to answer to—SOX, the state-level Information Technology Minimum Internal Controls Standards (ITMICS) for gaming, PCI-DSS, HIPAA, PII protection rules—as well as our own company standards. We can’t afford to act like other businesses. We need to be even more proactive to stay in line with our regulatory frameworks and ahead of potential threats.