Protecting the networks will save the assets
- By Matt Neely
- Nov 06, 2009
Behind all the glamour and glitz, casinos are a lot like other businesses,
yet they face a number of unique challenges. Casinos are required to
adhere to numerous regulations and must secure their assets without
causing inconvenience to customers.
Casinos must protect against physical heists, but just as important, if not
more so, casinos must protect their networks. Although it may not play as well
on the big screen, a network breach could cost millions of dollars.
Just as the styles have changed from the 1980s and 90s, so have casino networks.
All casinos face changing threats; however, some have adapted better
than others. Where there was once loud carpet and coax cable, there is now
chrome and Cat-5. Although these modern IP networks may be easier to implement
and manage, they also are easier for attackers to penetrate. With the
old security and gaming networks, serial cables connected devices to a central
monitoring and control center. The networks were point-to-point, so gaining
access required a direct connection that was fairly easy to prevent with the inplace
With today’s IP-enabled networks, it can be diffi cult to tell a hacker from a
tourist checking their e-mail on their laptop. Perhaps even more alarming, if
the gaming and security systems are on the corporate network and that network
is not properly hardened, they can be attacked from anywhere on earth.
No matter how good the physical security might be, armed guards can’t stop
an attacker in another state or country.
All casinos have IP-enabled corporate networks. In casinos with IP-enabled passwords are easily available on the Internet, often on manufacturer Web sites.
One of the easiest and most important security controls for any organization,
including casinos, is to change passwords from the manufacturer’s defaults. Passwords
also need to be strong, consisting of a miniumum of eight characters if
supported by the device, and a combination of letters, numbers and symbols.
The strongest password is useless if it is not stored properly. Passwords must
be stored inside a password vault, and must never be stored unencrypted on a
network share or hard drive.
Network segmentation. Sometimes, the easiest way to understand network
segmentation is to consider the physical equivalents. The same way cash is kept
in a safe, and the operations areas of the casino are physically protected and
separated from the public areas, so too should the security and gaming networks
be segmented. Of course, cash is kept in the counting room under armed
protection, in an area of the casino away from the public.
There are cases where the critical systems may not be able to be patched or
the devices may not support strong passwords. In these situations, it becomes far
more important to segment the network. Threats from the inside can cause the
most damage. Casinos conduct stringent background checks, but employees who
handle cash are vetted more carefully. The threat is that lower-level employees
are generally given access to the corporate network as it is necessary to perform
their job. If the networks are not segmented, anyone with access to the corporate
network can likely find a way on to the gaming and security networks.
There are two options for network segmentation: Virtual LANS and air gaps.
With a VLAN, the networks run on the same physical infrastructure but
are confi gured to be logically separate. It becomes extremely important that
VLANs are properly confi gured, otherwise an attacker can VLAN hop and
move from one network to another. Critical VLANs, including those used for
the gaming and security networks, must be designed, implemented and validated
by IT networking and security experts.
Air gaps refer to networks that are physically separated and run on their
own equipment and infrastructure. This means that an attacker needs access
to the network infrastructure they want to compromise. They are not able to
gain access to a softer network, such as the corporate network, and fi nd a way
to break into the gaming network.
The weakest point on these networks is often a machine or device that is
connected to multiple networks. The best solution is to remove these machines
or devices. If these devices are required for business, then they need to be carefully
hardened, or an attacker can use them to access a critical network if a
less-critical network is compromised. These systems, along with contractor
laptops, are the most common points of infection for these critical networks.
Additional controls. The aforementioned controls are only the beginning.
Keep in mind these controls must be implemented before the following
controls are deployed.
Network access control can be helpful but should not be solely relied upon.
Most modern NAC implementations can be bypassed by a knowledgeable and
motivated attacker. In fact, given the amount of money involved in casinos,
they tend to attract the most knowledgeable and motivated attackers. The
more valuable the target, the more secure the protections. It also is important
to keep in mind that few physical security devices and gaming systems support
802.1x, which is required by most NAC solutions.
On these systems that don’t support 802.1x, NAC will need to be disabled
on that network jack or port, which defeats the purpose of NAC and makes
NAC a wasted expense.
Testing. It is best to test controls before an attacker has the chance. This is
where a third party can be helpful. An integrator or physical security department
that implements controls should not test the controls.
The integrator or department will protect against every attack
vector they know of, but a third party can test elements that
the integrator of the security department did not think of or
may be unaware of.