The scale of the Marriott Starwood reservation system breach last year might have shocked some, but the fact that another hotel chain suffered a data breach was sadly all too predictable. The cyber-security challenges facing the hospitality sector are at the heart of a new report by Hadar Rosenberg, a threat intelligence research analyst at Intsights, which was published today.
Cyber-risk in the hospitality sector is highly relevant to the enterprise, given that business travel is an inescapable reality for many. And talking of inescapable realities, hospitality is consistently near the top of the data breach charts, second only to the retail sector, and the third most targeted industry behind retail and finance, according to this report. The reasons are many and varied, of course, but the attack surface is such that it acts like a magnet to those who covet data.
There's the almost endless supply of endpoints for starters, and these go way beyond your basic desktop and server targets: Wi-Fi networks, electronic room entry, heating, ventilation and air-conditioning (HVAC) control and an increasingly diverse IoT landscape. The sheer number of ways in is one thing; that almost any of them, once successfully compromised, can lead directly into the whole hotel chain's network is another.
The Intsights report also highlights failings in the security awareness of employees, who are subject to high churn rates yet interact with hotel systems daily, not forgetting that guests can also be threat actors, of course.
The human factor also comes into play when looking at the management structure of branded hotels, which often have a triumvirate of responsibility: franchiser, owner and operator. Typically the franchiser decides upon the hardware and software that the owner then installs, and the franchiser maintains control of it.
The owner may also have separate PoS systems for food, beverage, retail outlets and the like, many of which interface with third-party vendors and processors. And, as we have seen so many times over the years, the hospitality industry's high exposure to third-party vendors has been a particularly well-exploited route to data compromise. Everything from point of sale (PoS) through to third-party reservation systems, property management and maintenance, human resources and payroll is a potential entry point.
Report author Hadar Rosenberg told SC Media UK that the most exploited attack vector for hotels is POS systems. "Hotels need to protect the POS endpoints by separating them from the general internal network and implementing more focused security measures on the endpoints themselves," Rosenberg advises, adding "this includes monitoring POS network traffic more closely and closing down any network traffic that is not relevant."
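Rosenberg's advice above amounts to a concrete control: a segregated POS segment with an explicit allow-list of the flows it needs, and an alert on anything else. The script below is an added example written for this article (it is not code from the Intsights report or any vendor); the POS subnet, the allow-lists, the flow-record format and every log line are constructed for illustration.

```python
"""Flag traffic to or from a segregated POS network segment that is not on the
allow-list of expected flows. Added example; all addresses are constructed."""
import ipaddress

# Constructed: the isolated POS segment.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed egress allow-list: (destination network, protocol, destination port) -> purpose.
ALLOWED_EGRESS = {
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443): "payment processor (TLS)",
    (ipaddress.ip_network("10.10.0.5/32"), "tcp", 8443): "property management system",
    (ipaddress.ip_network("10.10.0.53/32"), "udp", 53): "internal DNS resolver",
}
# Constructed ingress allow-list: (source network, protocol, destination port) -> purpose.
ALLOWED_INGRESS = {
    (ipaddress.ip_network("10.10.0.200/32"), "tcp", 22): "POS management jump host",
}


def parse_flow(line):
    """Parse a constructed flow record of the form '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def _matches(rules, peer, proto, dport):
    """True if the non-POS peer/protocol/port combination is covered by one of the rules."""
    return any(peer in net and proto == p and dport == port for (net, p, port) in rules)


def classify_flow(line):
    """Return 'allowed', 'unexpected' or 'out-of-scope' for one flow record."""
    src, dst, proto, dport = parse_flow(line)
    if src in POS_SEGMENT and dst not in POS_SEGMENT:          # POS -> elsewhere
        return "allowed" if _matches(ALLOWED_EGRESS, dst, proto, dport) else "unexpected"
    if dst in POS_SEGMENT and src not in POS_SEGMENT:          # elsewhere -> POS
        return "allowed" if _matches(ALLOWED_INGRESS, src, proto, dport) else "unexpected"
    return "out-of-scope"                                      # does not cross the segment boundary


def find_unexpected(lines):
    """Return the flow records that should not exist if the POS segment is properly fenced off."""
    return [line for line in lines if classify_flow(line) == "unexpected"]


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "10.50.0.21 203.0.113.10 tcp 443",   # terminal -> payment processor: expected
    "10.50.0.21 10.10.0.5 tcp 8443",     # terminal -> PMS: expected
    "10.50.0.22 10.10.0.53 udp 53",      # terminal -> DNS: expected
    "10.50.0.22 10.20.0.7 tcp 445",      # terminal -> corporate file share: unexpected
    "10.50.0.23 198.51.100.99 tcp 443",  # terminal -> unknown internet host: unexpected
    "10.20.0.15 10.50.0.21 tcp 3389",    # back-office PC -> terminal over RDP: unexpected
    "10.10.0.200 10.50.0.21 tcp 22",     # jump host -> terminal: expected
    "10.20.0.15 10.20.0.16 tcp 80",      # neither side is POS: out of scope
]

if __name__ == "__main__":
    for flow in find_unexpected(SAMPLE_FLOWS):
        print("ALERT unexpected POS flow:", flow)
```

The same allow-list doubles as the specification for the firewall rules between the POS segment and everything else; the monitor then only fires when the rules are bypassed or misconfigured, which is exactly the signal worth paging on.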
Something else that almost any threat intelligence researcher will tell you is problematic is the ready availability on the dark web of 'functional' email accounts of the [hotelname].[reception]@[hotel-brand].com variety. "It’s no wonder these credentials get leaked," Patrick Martin, a cyber-security analyst at RepKnight, points out, "thanks to regular staff turnover, the email addresses are used by continually changing teams and groups of individuals, which makes enforcing any sort of password hygiene difficult."
Rosenberg agrees that with a high employee turnover rate in this industry, cyber-awareness is even more important than in other sectors. "Hotels should put more emphasis on cyber-security training from the recruitment and preliminary training phase," she insists, adding "but security awareness shouldn't stop there; employees must be updated with new and emerging attack vectors and social engineering schemes, since a new type of attack against one hotel chain will most likely be duplicated for another."
So, what else could the hospitality sector be doing to better get their own cyber-security house (or, rather, hotel) in order?
"Hotels have a lot of choices including strengthening firewalls, intrusion detection, encrypting data, and limiting access to data through access controls," says Warren Poschman, senior solution architect at comforte AG, in conversation with SC Media UK.
However, he admits that focusing on infrastructure, perimeter and intrusion detection is a losing battle, since these measures only protect from the threats you know about and don’t offer any protection once compromised or circumvented. "Many of the hotel chains have heavily invested in passive, data-at-rest encryption protection for their storage, databases, and data warehouses," Poschman warns, "which doesn’t address the current threat vectors and is a false sense of security."
The key, therefore, sits with thinking about what the attackers are looking for: the data. "Adopting a data-centric security model allows for the data to be protected as it is acquired and traverses through the organisation and, when an attacker gains access through the perimeter," Poschman explains, "then the risk that the actual personal data will be exposed is dramatically reduced."
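To make Poschman's distinction concrete, here is an added example (not code from comforte AG or any hotel system) contrasting a reservation record that stores the card number in the clear with one where the number is replaced by a token at the moment of capture. The `TokenVault` class, the role names and the test card number are constructed stand-ins: a real vault would be a separately segmented, HSM-backed service with its own access control and audit trail.

```python
"""Data-centric protection at the point of capture: tokenize the card number
before it reaches the reservation system. Added example; everything here is a
constructed illustration, not a production design."""
import re
import secrets

PAN_PATTERN = re.compile(r"\d{13,19}")  # rough shape of a primary account number


class TokenVault:
    """Constructed stand-in for a segregated token vault. Only it can map a token
    back to the PAN, and only for the 'settlement' role (hypothetical role name)."""

    def __init__(self):
        self._store = {}  # token -> PAN; lives only inside the vault

    def tokenize(self, pan):
        if not PAN_PATTERN.fullmatch(pan):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_hex(12)  # random; carries no information about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token, caller_role):
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def store_reservation_unsafe(db, guest, pan):
    """'Before': the clear PAN lands in the reservation database (the at-rest model
    the article criticises; disk encryption does nothing once the app is compromised)."""
    db.append({"guest": guest, "card": pan})


def store_reservation_tokenized(db, vault, guest, pan):
    """'After': the PAN is tokenized as it is acquired; the reservation system only
    ever holds the token plus the last four digits for display."""
    token = vault.tokenize(pan)
    db.append({"guest": guest, "card_token": token, "card_last4": pan[-4:]})
    return token


def cards_exposed_by_dump(db):
    """Simulate an attacker who has dumped the reservation database: return every
    full card number that falls out of it."""
    return [r["card"] for r in db if "card" in r and PAN_PATTERN.fullmatch(r["card"])]


if __name__ == "__main__":
    test_pan = "4111111111111111"  # well-known test card number, not a real account
    unsafe_db, safe_db, vault = [], [], TokenVault()
    store_reservation_unsafe(unsafe_db, "A. Guest", test_pan)
    store_reservation_tokenized(safe_db, vault, "A. Guest", test_pan)
    print("PANs in unsafe dump:", cards_exposed_by_dump(unsafe_db))   # one full number
    print("PANs in tokenized dump:", cards_exposed_by_dump(safe_db))  # none
```

The point of the split is that a compromise of the reservation, property-management or marketing systems yields tokens that are worthless outside the vault, so the blast radius of a perimeter breach shrinks to the one service that was designed and monitored to hold card data.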
As for the enterprise in general, it can better mitigate this seemingly ever-expanding hospitality sector threatscape by getting the basics right. "Like any other cyber-risk, make sure that the best practice basics are being covered, such as secure endpoints, using data encryption, always using a VPN with public Wi-Fi and only supplying the minimum information required for the service," says Joseph Carson, chief security scientist & advisory CISO at Thycotic.