EHMA 2009 - SEVILLE

Responsible Information Technology Security Strategy

Ian Millar CHTP
Page 1

EHMA 2009 - SEVILLE

Responsible Information Technology Security Strategy

Ian Millar CHTP

Page 2

OBJECTIVES

• Understand the importance of information technology security

• Evaluate and implement the necessary protection for a modern IT network

• Implement PCI compliance for your business

• Leave with a clearer understanding of security issues that you can immediately check/implement

• Ensure both operational and guest security and safety are correct

Page 3

Technology practices

• Does your computer network have a firewall?

• Do you run antivirus scans at least weekly on all your computers?

• Is your virus scanning software and signature files up to date?

• Do you require users to change passwords every 90 days?

• Are passwords required to consist of numbers and letters?

• Are user access privileges revoked immediately upon or before separation from your company?

• Do you encrypt all payment transactions that are collected, stored, and transmitted electronically?

Page 4

Cont…

• Do you restrict user access to guest credit card data?

• Have you asked your computer software vendors if their applications are PCI compliant?

• Have you changed all vendor supplied passwords and restricted vendor access to your systems?

• Are your computer servers located in physically secure areas?

• Are the operating systems you use up to date with the latest security patches?

• Do you conduct regular audits of your computer systems and network security?

• Do you routinely monitor your hotel's systems for changes made to settings, applications and passwords?

• Do your systems or applications maintain journal logs?

Page 5

It is a bad world out there

Page 6

What is happening now

• http://itw.trendmicro.com/trend_tracker.php

Page 7

                             2007             2008

Websites blocked per day     1253             2290

Spam rate                    84.5%            81.2%

E-mail virus                 1 in 140 mails   1 in 130 mails

Page 8

2008 cont…

• The decline can be attributed to the transition to spreading malware through malicious content hosted on websites and drive-by installs, rather than favouring e-mail as the primary means of distribution.

• Phishing attacks accounted for 1 in 244.9 e-mails (0.41 percent) across 2008

Page 9

Phishing

Page 10

Lots of money

Page 11

Microsoft

Page 12

In the UK

Page 13

Today

• From BBC technology

Page 14

Let's get physical – Your IT room

Page 15

IT room cont

• This room is more important than your office

• Air conditioned

• Preferably not below ground level

• Special access to get into the room

• Fire system (not water)

• All servers protected by a UPS

Page 16

UPS – uninterruptible power supply

Page 17

What happens in hospitality

Page 18

Cont 5* property

Page 19

Which cable does what?

Page 20

Software protection

Page 21

The six steps to security

Page 22

Anti virus

• Do you have up-to-date, paid-for anti virus software on EVERY computer in your hotel?

Page 23

Taken by me in a hotel business centre

Page 24

SPAM

Page 25

Anti spam

• Junk e-mail

• YouTube - Monty Python – Spam

• Some facts:

– June 2007: 100 billion spam messages per day

– Adult content: 25%

– June 2008: 96.5% of e-mail received by businesses was spam

– Bill Gates receives four million e-mails per year, most of them spam

Page 26

Why Spam?

• A survey on Marshal Limited's website (an e-mail and Internet content security company) showed that 29.1% of the 622 respondents had bought something from a spam email

Page 27

Why protect?

• The recipient directly bears the cost of delivery, storage, and processing

• How much time do you and your employees spend removing spam?

Page 28

Firewall

• Do you have an up-to-date firewall installed?

• Either a software or a hardware version

• Even better, BOTH!

Page 29

Windows update

• Should be set to automatically install when available

Page 30

VPN

• IF your hotel has laptops that can connect back to the hotel network, you should be doing this over a VPN

Page 31

No copied software

• The BSA (Business Software Alliance) shows that 1 in 4 European businesses use copied software

• The Pirate Bay - The world's largest BitTorrent tracker

Page 32

BSA - statistics

Page 33

Why?

• You can be fined

• Most copied software contains viruses

• You do not get security upgrades

• You will have no support

Page 34

PCI - Compliance

Page 35

PCI compliance

• What would happen to your hotel as a business if you could no longer accept credit cards?

• Or you receive a heavy fine?

Page 36

Worldwide credit card fraud

• What % of credit card fraud comes from hospitality?

• Sources: Payment Card Industry compliance, the American Hotel and Lodging Association & Visa.com

Page 37

WHAT IS PCI COMPLIANCE

• PCI DSS stands for Payment Card Industry Data Security Standard.

• It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.

• A company processing, storing, or transmitting payment card data must be PCI DSS compliant

Page 38

PCI COMPLIANCE

• Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

• All in-scope companies must validate their compliance annually. This validation can be conducted by auditors - i.e. persons who are PCI DSS Qualified Security Assessors (QSAs)

Page 39

Build and Maintain a Secure Network

Page 40

Protect cardholder data

Page 41

Maintain a Vulnerability Management Program

Page 42

Implement Strong Access Control Measures

Page 43

Regularly Monitor and Test Networks

Page 44

Maintain an Information Security Policy

Page 45

Real life example

• Hotel chain Best Western has downplayed concerns over a recent hack attack that was reported to have put at risk the personal details of all its customers since 2007.

Best Western downplays hack attack - vnunet.com

Page 46

• According to a report in the Sunday Herald, an unknown Indian hacker had managed to gain unauthorised access to Best Western's databases, which contain the names, addresses and credit card numbers of international customers.

• 10 customers' personal data was stolen

Page 47

• He added that Best Western complies with the Payment Card Industry Data Security Standard for secure online payments to protect customer information. The hotel chain is now working with the FBI and other international authorities to investigate further.

Page 48

Compliance and Wireless LANs

• The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats.

• PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless networks used in any environments containing credit card data. They are:

– Firewall segmentation between wireless networks and the point of sale networks or any network that comes in contact with credit card information.

– Use of wireless analyzers (a.k.a. a Wireless Intrusion Detection System) to detect any unauthorized wireless devices and attacks
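As an added example (not from the presentation), the first guideline above written as an nftables ruleset for a Linux firewall that sits between a hotel's wireless VLAN and its point-of-sale network; the interface names, subnets and payment gateway address are assumptions chosen for illustration.

```nft
# Added example, not from the presentation. Assumed layout:
#   wlan0 = hotel wireless VLAN, 10.10.0.0/16 (guest and staff devices)
#   pos0  = point-of-sale network, 10.20.0.0/24 (PMS, EPOS, card readers)
#   wan0  = Internet uplink
define WIFI_IF = "wlan0"
define POS_IF  = "pos0"
define WAN_IF  = "wan0"
define POS_NET = 10.20.0.0/24
define GATEWAY = 203.0.113.10    # placeholder for the payment processor

table inet pci_segmentation {
    chain forward {
        # Default deny: nothing crosses segments unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Wireless clients reach the Internet only; they never get a path into POS.
        iifname $WIFI_IF oifname $WAN_IF accept
        iifname $WIFI_IF ip daddr $POS_NET log prefix "PCI-WIFI-TO-POS " drop

        # POS hosts may speak HTTPS to the payment gateway and nothing else outbound.
        iifname $POS_IF oifname $WAN_IF ip daddr $GATEWAY tcp dport 443 accept
        iifname $POS_IF oifname $WIFI_IF log prefix "PCI-POS-TO-WIFI " drop

        # Everything else crossing a segment boundary is logged, then dropped by policy.
        log prefix "PCI-SEG-DENY " drop
    }
}
```

The logged prefixes give the "journal logs" the earlier checklist asks about a concrete signal: any PCI-WIFI-TO-POS entry means a wireless device tried to reach the card-handling segment.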

Page 49

Worried about your wireless

October 11th 2008

• A computer hacker is threatening to release "personal and sensitive" e-mails swiped from the Thompson hotel chain after taunting the company about its lax security practices.

• The hacker threats against the Thompson hotel chain, which includes several five-star hotels in Manhattan, Beverly Hills and Washington, could result in lawsuits against the company, said Hobson, but the resultant publicity could put off high-spending guests from staying at the boutique hotels, with a consequent loss of revenue.

Page 50

What your guests do!!

Page 51

• http://www.youtube.com/watch?v=1fPv115nmMw

Page 52

• http://www.youtube.com/watch?v=vdbuZ5s1viE

Page 53

Questions?

Page 54

REFERENCES

• PCI DSS - Wikipedia, the free encyclopedia

• Best Western downplays hack attack - vnunet.com

• UK hotels vulnerable to same Wi-Fi hack as US hotel chain | 15 Oct 2008 | ComputerWeekly.com

• BBC NEWS | Technology | Spam plummets as gang leaves net

• http://www.nytimes.com/2008/11/30/business/30privacy.html?_r=2&emc=eta1

• Payment Applications | Merchants | Visa USA

Page 55

Viruses for Mac