HotelsMag March 2012 | Page 60

TECHNOLOGY: SECURITY

HOW HACKERS INVADE
Even as hackers diversify, Verizon’s “2011 Data Breach Investigations Report” identifies several key methods cyber-criminals regularly exploit, often in tandem:

Malware: Nearly half (49%) of all data breaches are at least partly caused by malware — programs containing malicious executable code. The most common instances of malware deployment are by a remote intruder who’s gained access to the system (81% of cases). Malware can access sensitive data and transmit it, install “backdoors,” run keylogger programs to capture user passwords and interfere with security controls.

Hacking: Half of all incoming data threats are traditional hacking attempts, where a remote user tries to obtain illegal entry into computer networks. The hacker may use a previously installed “backdoor” for access, or enter using system default or guessable credentials. Hacking software tools can also aid the assault with brute force, or cyber-criminals can employ passwords obtained through keylogger programs.

Physical: 30% of breaches are perpetrated through physical means, usually by tampering with devices to skim cash from transactions. POS devices have also been targeted in schemes where terminals have been “borrowed” and returned with malicious software, or in some cases, replaced with an entirely different machine. Remote surveillance applications also figured into 17% of the physical breaches.

Misuse: In this case a person gains lawful access to a system and abuses it. Misuse was an element of 17% of all breaches surveyed, with embezzlement, skimming and related fraud the outcome in 75% of the cases.

Social engineering: In 11% of the breaches Verizon studied, information, access and the like was gained the “old-fashioned way,” through means like bribery, manipulation and extortion. Phishing, hoaxes and counterfeiting/forgery may also be employed. Bribery was the leading tactic, accounting for 74% of social cases.
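The “Hacking” entry above names two patterns a hotel’s IT staff can actually look for in their own logs: brute-force password guessing and logins with system default credentials. The following is an added example, not code from the magazine or from Verizon’s report. It assumes a syslog-like authentication line format (the sample lines are constructed) and a hypothetical list of vendor default account names; the thresholds are illustrative.

```python
"""Flag brute-force guessing and default-account logins in auth logs.

Added example (not from the magazine or the Verizon report). Assumes a
constructed sshd-style line format and a hypothetical list of vendor
default account names.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "manager"}   # hypothetical vendor defaults
FAIL_THRESHOLD = 5                 # this many failures from one source ...
WINDOW = timedelta(minutes=10)     # ... within this window is treated as brute force

# Constructed sample log: six failures and then a success for a default
# account from one address, plus ordinary activity from a second address.
SAMPLE_LOG = """\
2012-03-01T02:14:07 pos-gw sshd[812]: Failed password for admin from 203.0.113.9
2012-03-01T02:14:21 pos-gw sshd[812]: Failed password for admin from 203.0.113.9
2012-03-01T02:14:40 pos-gw sshd[813]: Failed password for admin from 203.0.113.9
2012-03-01T02:15:02 pos-gw sshd[813]: Failed password for admin from 203.0.113.9
2012-03-01T02:15:33 pos-gw sshd[814]: Failed password for admin from 203.0.113.9
2012-03-01T02:16:01 pos-gw sshd[814]: Failed password for admin from 203.0.113.9
2012-03-01T02:16:30 pos-gw sshd[815]: Accepted password for admin from 203.0.113.9
2012-03-01T02:18:00 pos-gw CRON[900]: session opened for user root
2012-03-01T02:20:00 pos-gw sshd[820]: Failed password for jsmith from 198.51.100.4
2012-03-01T02:20:30 pos-gw sshd[820]: Accepted password for jsmith from 198.51.100.4
"""


def parse(line):
    """Return a dict for an sshd password event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def analyze(log_text):
    """Scan log text once and return a list of (alert_type, ...) tuples."""
    alerts = []
    recent_fail = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    flagged = set()                    # sources already reported as brute force
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_fail[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures that aged out of the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], len(q)))
        else:
            # A successful login with a vendor default name is worth a look on its own.
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", ev["user"], ev["src"]))
            # A success right after a burst of failures suggests the guessing worked.
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The sliding window keeps only failures younger than WINDOW per source, so a slow trickle of typos never trips the threshold, while a success from a source that is still inside a burst is reported separately from the burst itself.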
and ultimately can be broken. “Encryption is only as secure as the algorithm and the strength of the decryption,” Nealy Cox says.
As a next-generation alternative, some security professionals are touting tokenization — an offshoot of encryption that replaces stored data with dummy “tokenized” information worthless to hackers — praising its lower costs and centralized structure. All a company needs is one dedicated server for the purpose.
To demonstrate the tokenization concept, Mattsson points to casinos, where customers exchange their actual currency for chips (the “tokens”), which are spent at the casino and then converted back into currency later. The same idea applies to a hotel tokenization system, which would take the guest’s card information, store it in one ultra-secure location and then translate the card data back to the rest of the hotel systems in the form of fictitious customer information. Should hackers break in, they may not even realize the data they have stolen is false until later.
“With data tokenization, since you’re replacing data with fake data, you no longer need to protect your databases or applications, because there is nothing to steal,” Mattsson says.
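The casino-chip analogy above maps onto a small amount of code: one vault holds the real card numbers, every other hotel system is handed a token, and the token is built to look like a card number so that stolen copies are not obviously fake. The following is an added example, not code from the magazine or from any tokenization vendor. It assumes an in-memory SQLite table standing in for the dedicated vault server, tokens that keep the card’s length and last four digits and pass the Luhn check, and a hypothetical allow-list (VAULT_CLIENTS) of systems permitted to exchange a token for the real number; the card number used is the standard 4111… test number, not a real account.

```python
"""Card-data tokenization vault.

Added example, not the magazine's or any vendor's code. Assumes one
in-memory SQLite table as the vault, Luhn-valid card-like tokens that keep
the last four digits, and a hypothetical allow-list of callers that may
detokenize.
"""
import secrets
import sqlite3

# Hypothetical allow-list of hotel systems permitted to recover a real PAN.
VAULT_CLIENTS = {"payment-gateway"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def random_card_like_token(pan: str) -> str:
    """Build a Luhn-valid digit string with the same length and last four
    digits as `pan`; all other digits are random, so the token reveals
    nothing about the real number."""
    n = len(pan)
    if n < 13 or not pan.isdigit():
        raise ValueError("PAN must be 13+ digits")
    head = "".join(secrets.choice("0123456789") for _ in range(n - 5))
    tail = pan[-4:]
    # Exactly one value of the adjusting digit makes the whole string Luhn-valid.
    for adj in "0123456789":
        candidate = head + adj + tail
        if luhn_valid(candidate):
            return candidate
    raise RuntimeError("unreachable: one adjusting digit always works")


class TokenVault:
    """The one place a real PAN is stored; every other system sees tokens."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        # A production vault would also encrypt the pan column and audit every access.
        self._db.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, pan TEXT UNIQUE NOT NULL)")

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, minting a fresh random one for a new card."""
        row = self._db.execute("SELECT token FROM vault WHERE pan = ?", (pan,)).fetchone()
        if row:
            return row[0]                    # same card, same token: repeat guests still match
        while True:
            token = random_card_like_token(pan)
            if token != pan and not self._db.execute(
                    "SELECT 1 FROM vault WHERE token = ?", (token,)).fetchone():
                break                        # reject a collision with the PAN or an existing token
        self._db.execute("INSERT INTO vault (token, pan) VALUES (?, ?)", (token, pan))
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Exchange a token for the PAN; only allow-listed systems may do so."""
        if caller not in VAULT_CLIENTS:
            raise PermissionError(f"{caller} may not detokenize")
        row = self._db.execute("SELECT pan FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]


def check_in_guest(vault: TokenVault, pan: str) -> dict:
    """What a property-management record stores: a token, never the PAN."""
    token = vault.tokenize(pan)
    return {"guest": "constructed sample guest",
            "card_token": token,
            "display": "**** " + token[-4:]}


if __name__ == "__main__":
    v = TokenVault()
    rec = check_in_guest(v, "4111111111111111")   # standard test card number, not a real account
    print(rec)
    print(v.detokenize(rec["card_token"], "payment-gateway"))
```

Because the token is drawn from a CSPRNG rather than derived from the card number, a stolen front-desk database yields only Luhn-valid strings that map to nothing outside the vault; the only system that can turn them back into a PAN is the one on the allow-list, which is where monitoring and access control should concentrate.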
Raising the stakes in the security race are the often volatile relations between merchant and card processor. As companies work to reach requirements, card processors are using the PCI-DSS standard to shield themselves from liability after break-ins, placing the onus on the merchant. Sources say multiple lawsuits have been filed recently by disgruntled merchants hit with fines, which can range as high as US$500,000, and can be levied by the processor without what some deem proper proof of fraudulent activity.
“The card brands are basically trying to put the burden on the merchants, and with every issue, the merchant is blamed,” Mattsson explains.
Parker questions whether any solution — tokenization, encryption or otherwise — will ever satisfy card processors. Just as hackers adapt to heightened security measures, the standards expected of merchants and the penalties for non-compliance seem to be an ever-moving target.
“It is blame-shifting. I believe the goal for the credit card companies is that nobody is ever truly compliant, so you are always going to be held accountable and you are always going to be fined,” says Parker, who maintains strict documentation to present to auditors in case of a breach.
No silver bullet

Implementing and maintaining data security is a multi-layered process that varies greatly depending on the size of the company and the geographic distribution of the company’s hotels. Rather than possessing a miracle “silver bullet,” hotel IT professionals must work to meet and exceed PCI-DSS standards on a case-by-case basis, first by deciding whether to manage security in-house or to enlist a third party.
According to Mattsson, large global hotel chains like Marriott International and Hilton Hotels Corp. generally prefer to manage and secure
58 HOTELS March 2012 www.hotelsmag.com