September was a bleak month for two of the biggest casino operators from Las Vegas – MGM Resorts and Caesars – which faced cyberattacks leading to system outages, service disruptions, and data breaches.
The high-profile cases drew scrutiny and a renewed focus on cybersecurity in the casino environment. While there were reports of MGM customers raising issues with keycards in the company's hotels, non-functioning slot machines, and ATMs, Caesars said that its data breach led to the loyalty program members' Social Security numbers and driver's license numbers being stolen, along with other personal data.
With cybersecurity having become one of the hottest topics in the gambling industry, Amit Sharma, CEO of cybersecurity defense solutions provider BIG Cyber, spoke to Yogonet after the attacks to break down the risks companies face. He also highlighted the importance of a solid cybersecurity strategy in the industry, the products that BIG Cyber offers, and the steps that can be taken by casinos to avoid such attacks.
How do cybercriminals get into the systems of operators as big as Caesars and MGM? And what can be done, especially in the case of companies with fewer resources, to better protect systems and data?
As in these cases, the number one way hackers are being successful in gaining access to infiltrate their targets is via social engineering, i.e., by compromising humans.
Securing the human firewall is something that any size of organization can do to help protect themselves: security awareness training, free security information available online, free or economical phishing training for staff - these are all measures that can be taken.
Can you provide us with some insight on what social engineering involves? What are some other tactics and schemes criminals are currently using to exploit systems?
In the case of MGM, the attackers – who are a group of young hackers who target casinos, by the way – used a technique called "MFA fatigue" to trick their victims into giving them access via the multifactor authentication system at MGM.
The hackers then used social engineering – a telephone-based version apparently – to deceive the user into giving them their password. Some other techniques currently used to exploit systems include ransomware and malware attacks.
What are some of the major tools BIG Cyber provides to its customers, both in the commercial and tribal sectors, to improve their cybersecurity systems?
BIG Cyber has a suite of security products and services that we provide including:
- A 24/7/365 Security Operations Center and SIEM; these two tools provide around-the-clock monitoring of your critical environments for any anomalous behaviors so that threats can be located quickly and remediated before they become security incidents.
- An industry-leading security awareness and phishing testing product with a huge library of content and reporting and tracking features.
- vSEC teams: cybersecurity staffing is still a challenge but our Virtual Security team service (vSEC teams) can provide qualified and certified cybersecurity staff including CISOs, Security Engineers, etc.
- Vulnerability and penetration testing: we can help you find the weaknesses in your systems that hackers will also be looking to exploit and we will recommend how you can fix the issues that our testing finds.
AI is one of the most discussed concepts in gambling at this time. What role can artificial intelligence play in improving systems protection?
BIG Cyber's 24/7/365 SOC/SIEM service utilizes AI and ML to reduce the time it takes to identify Indicators of Compromise and possible threats in your environments. We also ensure our staff are kept up to date on the latest methods used by hackers as well as the evolving target landscape.
One of the worst outcomes of a cyberattack is the possibility of customer data being stolen, which damages a company's reputation and affects the trust a customer places in the operator. How should the delicate issue of personal data be addressed? And what steps can be taken by customers to better secure their information?
If a personal data (PII) breach has been confirmed to have occurred, it is always best to consult a lawyer to ensure you report correctly and appropriately on the breach. Transparency in reporting is critical.
The best advice for protecting PII is to ensure you only collect the data you need to collect, only store the data you need to store, and always get consent to collect the data that you need to collect. Encryption of PII at rest and in transit is also an absolute requirement.
BIG Cyber was present in the latest edition of G2E Las Vegas. What opportunities did this event open for the company?
G2E was absolutely fantastic; it was very well attended and cyber security was one of the hot topics of this show. The recent breaches brought the discussion to the forefront, and many visitors were prepared to find ways to help protect their businesses and customers.