Author: Paul Smith and Russ Simons
FM Issue: March/April 2017
In 2016 the International Association of Venue Managers (IAVM) created the Venue Safety & Security Committee. This committee is the modern version of our organization’s previous Life Safety Committee. The new committee’s mission is:
The Venue Safety & Security Committee represents and advocates for safety and security interests of the venue management industry furthering the mission of the Academy for Venue Safety & Security with a focus of working with the IAVM Director of Education and staff to encourage and equip professionals in the discipline of life safety and security operations and management.
This new committee, led by John Siehl, chairman, and Russell Dyer, vice chairman, is composed of a diverse group of facility professionals who are committed to representing the interests and opportunities of public facility management professionals in all areas relating to safety and security, including the continued success of the Academy for Venue Safety & Security (AVSS).
As part of the process of understanding the nature of the threats, risks and vulnerabilities that face our industry, it became clear that we needed to pay attention to the evolving threat that cyber-attacks pose to our industry. Our response was to create a working group of professionals from inside IAVM and outside experts to identify, inform and prepare our members for this threat.
Honestly, there are some people who believe that it cannot or will not affect them or their business so let’s start with a little exercise. Based on the size and magnitude of recent hacks that have compromised the personal information of customers at Target, Sony, Adobe, LinkedIn, Dropbox and now one billion accounts at Yahoo, there is a good chance that your personal information has been exposed.
I know that many of you are right now thinking that cannot be me, no one has contacted me, I am sure I would know if that happened. I am also telling you that you are likely wrong. Don’t believe me? Go to www.haveIbeenpwned.com, enter your email address(es) and see the results. My own email address shows that my information has been exposed in the Adobe and Dropbox hacks. I am betting that you will be surprised. By the way, this site does not currently include the Yahoo hack, you know, the biggest one in history.
Let’s start with the basics for you and your business.
Sometimes the most obvious IT security issues can be overlooked. Without getting too technical, here are some points to consider when you are reviewing your organization’s cyber protection. They may seem straightforward, but they are worth reviewing.
Physical security
Large buildings with continually changing complex networks can result in forgotten wall data ports that are left open or “hot”. If these are not closed or rerouted on your switch, anyone can physically plug into your network. Close any unused ports on your switches. Network monitoring tools can also be used to track what devices are connected.
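One way to put the "track what is plugged in" advice into practice is to reconcile the switch's MAC address table with an inventory of which wall ports should carry which device. This is an added example, not code from the article or from IAVM; the switch output and the inventory are constructed sample data, and the port and finding names are assumptions.

```python
"""Audit a switch MAC table against the venue's port inventory (added example,
not from the original article; the switch output and inventory below are
constructed sample data, not real devices)."""

# Constructed sample in the shape of 'show mac address-table' output.
MAC_TABLE = """\
Vlan  Mac Address        Type     Ports
10    00:1a:2b:3c:4d:01  DYNAMIC  Gi1/0/1
10    00:1a:2b:3c:4d:02  DYNAMIC  Gi1/0/2
10    aa:bb:cc:dd:ee:ff  DYNAMIC  Gi1/0/2
20    de:ad:be:ef:00:99  DYNAMIC  Gi1/0/7
"""

# Constructed inventory: port -> expected MAC, or None if the port should be unused.
INVENTORY = {
    "Gi1/0/1": "00:1a:2b:3c:4d:01",  # box office PC
    "Gi1/0/2": "00:1a:2b:3c:4d:02",  # ticket printer
    "Gi1/0/3": "00:1a:2b:3c:4d:03",  # loading dock PC
    "Gi1/0/7": None,                 # wall port in a public corridor, meant to be dead
}

def parse_mac_table(text):
    """Return {port: set(macs)} from 'show mac address-table' style text."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header, separator or blank lines
        _vlan, mac, _type, port = parts
        seen.setdefault(port, set()).add(mac.lower())
    return seen

def audit_ports(mac_table, inventory):
    """Compare live devices with the inventory; return sorted (finding, port, macs)."""
    findings = []
    for port, macs in mac_table.items():
        if port not in inventory:
            findings.append(("undocumented_port_in_use", port, sorted(macs)))
        elif inventory[port] is None:
            # A "hot" port that nobody should be using: shut it on the switch.
            findings.append(("hot_port_should_be_shut", port, sorted(macs)))
        else:
            unexpected = sorted(m for m in macs if m != inventory[port])
            if unexpected:
                findings.append(("unexpected_device", port, unexpected))
    for port, expected in inventory.items():
        if expected is not None and port not in mac_table:
            findings.append(("expected_device_absent", port, [expected]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ports(parse_mac_table(MAC_TABLE), INVENTORY):
        print(*finding)
```

Run on a schedule, the "hot_port_should_be_shut" and "unexpected_device" findings are the ones worth an alert; "expected_device_absent" is usually just a device that is switched off.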
Networking closets and server room security can be difficult to manage in large venues. Ensuring that these areas are locked up and out of sight could be the difference between a secure network and a data breach or malicious sabotage.
Offsite backups are not only a good idea for disaster recovery plans, but they also keep your data safe from extortion attacks. Cybercriminals are increasingly encrypting data and holding it hostage until they are paid handsomely for a decryption key. Don’t be a victim with only one copy of your critical business data.
Software Updates
The average system administrator may not know how to find or plug holes in the Czechoslovakia version of your email application’s contact sharing connections, but there could be a vulnerability there. Even if you aren’t using that part of the software, you could be at risk. Software companies have armies of people looking for these and fixing them. Your best protection is to keep software as up to date as possible. This goes for everything from the firmware on your firewall and switches to your servers and desktop operating systems or the phone in your pocket. Most updates are not released for extra bells and whistles; they are for security reasons. By doing updates as soon as they are released, you are greatly reducing your risks.
System Setup
Your firewall is your friend. Make sure it is configured correctly and up to date. Everything for your business should be on your side of the firewall. If you absolutely must expose something through an open port, only allow it from specific IP addresses or MAC (Media Access Control) addresses. You may be surprised by how many port scanners are probing out there. Think of it like leaving your car door unlocked with valuables visible: eventually someone is going to find the unlocked door. The same goes for data kept inside your network behind an open port. When sending data, be as specific as you can and use as much encryption as possible.
Hide your WiFi SSID name from the public and change your password regularly. Separate your business WiFi from your guest WiFi and ensure that they are inaccessible to each other. Your user and group profiles should be strictly enforced to grant access only to what is necessary and no more.
Policies and Procedures
Your users might not like it that their password needs to be eight characters long and contain a combination of different character types, but hackers dislike it more. The stronger the password, the better the protection. Many companies also require password changes as often as monthly. Don’t be surprised if requirements soon extend to 10 or 12 character minimums. Close accounts as soon as people leave your organization. Make it a procedure that HR notifies you as part of their routine employee termination process.
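The HR notification process above only works if someone checks that the accounts were actually closed. This added example (not from the article) reconciles a constructed HR termination feed with a constructed directory export and flags accounts that are still enabled, or that were used after the person's last day; the usernames, dates and field layout are assumptions.

```python
"""Reconcile HR departures with directory accounts (added example, not from the
original article; all names and dates below are constructed sample data)."""
from datetime import date

# Constructed HR termination feed: username -> last working day.
HR_TERMINATIONS = {
    "jdoe": date(2017, 1, 31),
    "msmith": date(2017, 2, 15),
    "rlee": date(2016, 12, 2),
}

# Constructed directory export: username -> (account enabled?, last logon date or None).
DIRECTORY = {
    "jdoe": (True, date(2017, 2, 20)),     # never disabled, and used after leaving
    "msmith": (False, date(2017, 2, 14)),  # closed on time
    "rlee": (False, date(2016, 12, 9)),    # closed, but used a week after the last day
    "kwong": (True, date(2017, 3, 1)),     # current employee, not in the HR feed
}

def reconcile_departures(terminations, directory, today):
    """Return sorted (finding, user, days) for accounts that outlived their owner.

    'still_enabled' carries the days since the last working day;
    'logon_after_departure' carries the days between the last day and the logon.
    """
    findings = []
    for user, last_day in terminations.items():
        if user not in directory:
            continue  # already deleted: nothing left to close
        enabled, last_logon = directory[user]
        if enabled:
            findings.append(("still_enabled", user, (today - last_day).days))
        if last_logon is not None and last_logon > last_day:
            findings.append(("logon_after_departure", user, (last_logon - last_day).days))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile_departures(HR_TERMINATIONS, DIRECTORY, date(2017, 3, 15)):
        print(*finding)
```

A logon after the last day on an account that HR reported closed is worth a follow-up even when the account is now disabled, because it usually means the termination notice arrived late or the credentials were shared.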
Education and Awareness
This may be your biggest protection against the bad guys. When people think of attacks, they think of brute-force attacks from hacking groups or countries. The most vulnerable areas of our cyber world come from within. The most successful way into any network isn’t a browser hack; it’s tricking users into clicking links or opening malicious content.
Educate your entire company to be aware of everything they open or click on. If you don’t know the sender, it’s likely to be spam or a virus. Even if you know the sender and the email is out of the ordinary, it’s possible that their computer has been compromised. Contact the sender in a separate email to confirm its legitimacy before opening attachments or links that you did not specifically request. These attempts to access your information are getting sneakier. When in doubt, these are best deleted immediately or sent to your IT department for review.
The Target Hack started to get our attention
The hackers responsible for the 2013 Target data breach, which exposed payment information of 40 million customers (later revised to private data of 70 million customers), gained access by obtaining credentials from technicians at Fazio Mechanical, a small heating and air conditioning company that worked with Target. Fazio Mechanical had previously been compromised by malware delivered by email. It was through this third party’s access that the hackers were eventually able to reach the cash register data of Target customers.
Verizon investigators learned that Target had “no controls limiting access to any of their systems, including devices within stores such as point-of-sale (POS) registers and servers.” It is important to note that Target had passed PCI compliance audits prior to the breach. (The PCI Data Security Standard (PCI DSS) requires that all Level 1 businesses, those with more than six million credit card transactions per year, undergo a yearly PCI audit conducted by a qualified auditor.) Passing indicated that Target had implemented the basic security required by the credit card processing industry, and the hack still occurred.
This illustrates the difference between perceived security, what you believe to be in place, and actual security which requires constant verification and updating.
Facility operators must know who has third party access and determine if they are employing the proper procedures and protections. If not, access should be restricted.
Point of Sale Systems (we all have them)
The vulnerability of Point of Sale (POS) systems is on the upswing, with over 500 attacks this year. We all employ POS systems, and with the trend moving to electronic payments (credit/debit), hackers have taken notice. More recently, facilities have started to experience these kinds of intrusions, and there is more to come.
Phishing
Half of all people will click on anything sent to them. Phishing is the practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. You cannot believe how simple and effective this practice is.
Spear-phishing
Spear-phishing is the practice of sending emails as if from a known or trusted sender to induce targeted individuals to reveal confidential information such as passwords and credit card numbers. In a recent penetration test of a highly secure government laboratory, phishing and spear-phishing campaigns succeeded in getting nearly 10% of the staff to open phishing email attachments. Several of these were done in a manner that allowed the penetration team to access secure files.
Public assembly facility owners and operators must ask themselves, how vulnerable are we to an intrusion? What systems or equipment if compromised could interrupt an event or keep an event from occurring? What parts of our system if taken offline by a ransomware attack could paralyze our ability to run our business?
The pace of these intrusions and attacks appears to be increasing exponentially. We must be prepared or face the consequences.
Paul Smith is information systems director of the Washington State Convention Center at paul.smith@wscc.com; Russ Simons is chief listening officer of Venue Solutions Group at russ.simons@venuesolutionsgroup.com.