Information Security Issues at Casinos and eGaming Tim Tarabey June 2012

Upload: marlene-morris

Post on 26-Dec-2015


Information Security Issues at Casinos and eGaming

Tim Tarabey

June 2012

Agenda

– Advanced Persistent Threats (APT)

– Access Controls

– eGaming / Casinos specific Issues

Advanced Persistent Threats (APT)

• Definition

– An APT usually refers to a group of people with both the capability and the intent to persistently and effectively target a specific entity.

• Challenges

– Traditional IS tools/measures and controls are generally insufficient.

– Information Security Awareness

– Increase ISS budget/training/skills.

Advanced Persistent Threats (APT)

• Addressing the APT

– Real time monitoring

– Packet filtering

– Continuous true penetration test

– Web application scans

– Recognize the “new normal”.

– Executive Support: reach out to CIOs and executives to get things done.

Access Controls

• Definition

– It is the cornerstone of any Information Security program.

– Physical, technical and administrative controls

• Challenges

– Authentication of users

– Business needs

– Remote access

– Access Control Review

– Prevention vs detection and response

– Internal breaches will happen as long as people have access to data

Access Controls

• How to address

– Awareness programs

– Consistent account reviews by business owners, not IT/IS

– Define Processes

• Costly

– Resources

– Require tools and technologies

– Requires facilities and back-end systems to manage

– Constant updates and maintenance of systems

Casino / eGaming Issues

• Background

– Casino and eGaming have their own unique challenges, and the amount of casino/eGaming expertise is limited.

– Casino operations are trying to enhance the customer experience by collecting more and more sensitive player data.

– With the changes in business operations as a result of the internet era, security concerns have moved from the computer lab to the front page of newspapers and media.

Casino / eGaming Issues

• Challenges (Business and ISS/IT challenges)

– Unclear law around exploiting online games

– Regulatory & Compliance (GPEB, OIPC, PCI, etc.)

– Data Access

– Expansion of user community

– Application/software providers

– Interoperability

– Speed to market

– Social Media

Casino / eGaming Issues

• 24x7x365 availability

• 3rd party support

• Mobile Devices and smart phones

• VIP Players

Casino / eGaming Issues

• Business Priorities and Requirements (meeting business demands versus security requirements)

– Projects vs. operations

– Time

– Resources

• How to address

– Information Systems Security Program

– Be Dynamic

– ISS as business enabler (business must drive security)

– Segregate critical systems

Information Security Challenges

• Requires Special Skills and Training

– Requires detection, analysis, investigative and resolution skill sets

– Requires emergency response capabilities for resolution

– Requires on-going hiring, training and retention initiatives

– Ongoing Research and ability to incorporate new tools and technologies

– Real Time Monitoring

Defining the Role, Scope and Procedures

• Role of the security operations team

– Will it simply observe, record and report on recurring attacks?

– Will it be actively involved in mitigating threats?

• Scope of the security operations team

– Agree on the scope of your security operations activities: is it restricted to the network only, or does it include suspicious behavior from user activity?

• Define appropriate procedures

– Ensure all processes and how incidents are handled are clearly understood by all parties.

– Ensure you have a clearly documented incident response plan.

Information Systems Security

The role of ISS is to influence everyone in the corporation to embed information security principles, practices, and technology into all aspects of the business.

ISS’s goal is to achieve and maintain a balanced information security posture commensurate with the risk appetite of the enterprise.

Safeguards are used to mitigate threats in a cost-efficient manner.

Questions