Tag: security training

I Spent 5 Years in the Hotel Industry; Here’s What I Learned About Cyber Security

By Andrew Harmon

Posted On August 10, 2017

I Spent 5 Years in the Hotel Industry; Here’s What I Learned About Cyber Security
cyber criminals cyber security culture hospitality security training social engineering

Stroll into any mid-range hotel with a flash drive in your pocket. Don’t bother with the old desktop computer in the lobby “business center.” Stop at the front desk, smile wide, and slap your USB device on the counter. Politely ask the guest services agent to print a document for you. If they direct you to the business center, claim that you tried it the previous night and couldn’t get it to work. Then observe.

Congratulations, you just slipped past the perimeter defense of a multi-billion dollar corporation. Let me lay out what happens next. The front desk staff takes your flash drive to the back, pops it into a USB port, and joyfully opens whatever file you ask them to.

I know this trick works because I’ve witnessed the scenario play out a thousand times. In a few instances, I was the unwitting hand guiding the thumb drive into a terminal. While most Firewalls.com blog posts shy away from anecdotes and keep individual histories at a professional arm’s length, this post is based on personal experience.

I worked in the hospitality industry for half a decade before shifting into the info sec market. This is what I learned.

Corporate Will Do the Leg Work for You

Okay, getting a file onto a machine was easy, but you’ve only infected a single computer on a closed network. Now what? Wait for corporate to do the heavy lifting.

Each night when the hotel audits their daily transactions, troves of data are gleaned from employee desktops and rolled up to the corporate servers for safe keeping. Your freeloading file needs only loiter on the network until about 2:00 or 3:00 in the morning, when corporate provides a free lift to the database where comprehensive financial data, transaction history, and confidential customer information for a multinational brand is stored.

Security Culture in 10 Minutes or Less

Hotel new hires typically sit through a series of training modules where the mainstays of employee on-boarding make their appearances: OSHA policy review, incident reporting, benefits programs, core values. If the brand is more forward-thinking, then somewhere in this hodgepodge of instructional videos is nestled the briefest touchpoint on cyber security.

Included in one training excursion I trudged through, the company splurged on commissioning Kevin Mitnick to narrate a nine-minute video on cyber crime. After a Spark Notes’ tier definition of social engineering, Kevin encourages new employees to address further email fraud questions to their direct supervisors.

Hoteliers Wear Many Hats, But None of Those are White Hats

Asking superiors for further information sounds reasonable, in a script. But I was a direct supervisor to over a dozen employees and was granted no special insight into preventing cyber crime. I was consistently preoccupied with expanding a repertoire of customer service, accounting, management, sales, payroll, quality control, HR, safety, facilities management, commercial kitchen, and plumbing skills. Hotel employees tend to be jacks of all trades at the expense of being even a journeyman in any specific talent. Specialists graduated away from the front lines quickly or were chased out when one of their duller skills failed to impress.

Perhaps further up the chain of command an answer could be uncovered? But my direct supervisor played audience to the very same training modules I watched. And his supervisors, now nearing the vice presidential or regional territory types, likely hadn’t seen a training video since before cyber crime was a credible threat. But surely further up the ladder, someone was watching over us. I’m certain that scouring LinkedIn or the company Outlook Address Book would inevitably turn up a VP of Technology or comparable title, but they were off in a lofty C-suite well outside the reach or even the zeitgeist of any ground-level employees looking for answers. For all intents and purposes, further information is impractical beyond utility if it exists at all.

Throwing the Baby Out With the Hogwash

An anecdote burned forever into my psyche involves an umbrella term that some corporate security wonk for one hotel brand took a liking to: hogwash. The term ‘hogwash’ and cyber security were married after an impassioned email in which the word was typed in bold font, in all capital letters, a total of 7 times. Several months later this diatribe lead to the introduction of a “hogwash button” on corporate email applications. At no point was it expounded exactly what ‘hogwash’ entailed or why reporting it proved crucial to company goals. The only instruction given was to delete and report any email that looked suspicious. The grounds for basing our suspicions, I suppose, were left to individual interpretation.

The Lesson to Be Learned

This is no simple attempt at picking on the hospitality industry. Instead, take this post as a wake-up slap. When discussing information security, there is a magnetic draw to discussing the healthcare industry, banking and financial institutions, or vulnerabilities haunting our governmental or infrastructure systems. But if we trot out the conversation to less flashy or FUD-inducing industries, we find a landscape brimming with entities just begging to be caught with their pants down. And while malware crashing the power grid makes for better thriller movie material, the hospitality industry still handles the confidential information of millions of travelers each day.

We must address the disconnect between security administrators in high towers and front-line employees operating in distant venues. Real human connections are necessary to impart the axioms of cyber security to ground level employees. This is personnel that doesn’t spend hours browsing Dark Reading or CNET.

Firewalls.com dedicates a lot of time and screen space to the cause of nurturing cyber security cultures in the office. We understand that even the most expensive and sophisticated security setup will fail if employees leave gateways wide open.

It’s time to revamp your library of training videos. It’s time to review SOPs with VPs who have occupied their positions since before the hazards of cyber crime fleshed out. It’s time to put cyber security on the same pedestals as accurate payroll, helpful customer service, and efficient logistics. And for the hotel industry in particular, it is time to leave the printing of boarding passes to airline kiosks.

Firewalls.com is a value-added reseller of firewall appliances & a vendor of managed security and Firewall-as-a-Service support. Our engineers are rigorously trained and certified by all of the major manufacturers that we partner with. Whether you’re looking to add an appliance to your security set-up or seek ongoing support from seasoned experts, we can provide the security solutions necessary to get you secure and keep you secure. Contact one of our knowledgeable sales staff to answer any questions you may have about your network, firewalls, or endpoint protection.

You can also follow us on Twitter and Facebook.

The Holistic Approach to Cyber Security: A magical concept, but what does it look like?

By Andrew Harmon

Posted On July 13, 2017

The Holistic Approach to Cyber Security: A magical concept, but what does it look like?
cyber security culture firmware security training

If you’re reading this, chances are you spend a good chunk of your time keeping up with the latest news and opinions in the world of cyber security. And if that supposition is true, there’s also a strong chance that you’ve run across the concept of the “holistic approach” to cyber security culture already. In fact, headlines containing this phrase have been popping up like weeds everywhere info sec content grows. We sincerely hope that you’re not writing it off as another trendy platitude to sell endpoint protection.

The holistic cyber security approach is an idea that deserves discussion. It can be difficult though to glean some visualization clues as to what this holistic approach means beyond connotations of healing crystals and chakra therapy. What exactly would a holistic approach to cyber security look like in practice?

It may be prudent to first examine why this shift in ideology is emerging. First I’ll issue a warning: the following answer may be too cynical for readers that are faint of heart.

The truth is, we’ve been fighting the bad guys for over a decade and are no closer to “winning” the war than when it started. Don’t get me wrong, we have always put up a hell of a fight but even Sisyphus stops celebrating when he crests his thousandth summit. Daily, millions of network architects, security engineers, programmers, pen testers, and more are engaging in noble work and boasting massive strides in the protection of your data. New security layers are being added, threat signatures are being documented, and packet scrutiny is intensifying. But the bad guys are at their battle stations too. Every new feature or program unveiled is accompanied by its own unique slew of exploits. Let me be clear: this is a never-ending battle.

Cyber attackers are finding these pursuits are clearly worth their time and effort. You don’t have to dig very far into our previous blog posts to be reminded of the glaring statistical evidence that ransomware attacks are increasing at an extreme rate. High-profile attacks such as WannaCry and Petya are making regular appearances in an already overwrought news cycle. As serious as these staggering trends are, though, the concept of the holistic approach did not emerge solely in response to highly publicized attacks or to surges in certain species of malware. In fact, nothing specifically birthed any new ideology in cyber security because the “holistic approach” is nothing new. It is, at best, a rebranding. A repackaging of the same advice that the info sec community has been preaching for years: train your staff to identify threats, patch your system often, secure your most sensitive data.

The fact of the matter is the anatomy of a cyber attack has not changed much over the last few years. Someone in the office clicked something they shouldn’t have, they hesitated in reporting it in fear of repercussions, your security patches just never got around to being installed, and no one’s been accountable for data backups since Nelly was putting out new albums.

Perhaps I am giving away the golden-egg-laying goose for info sec bloggers, but the holistic approach to cybersecurity is nothing more than fresh phrasing for the need of a cyber safety culture in the workplace. Dirty secrets aside, there are still pertinent lessons to be learned. Whether you consider this cutting-edge insight or a refresher course, let’s dissect what the holistic approach to cyber security looks like in practice.

Striking a Balance Between Efficiency & Security

We live in a dangerous world. In our virtual lives, we must remain vigilant in guarding our identities and data. In our real lives, we worry over crime and random misfortune. An ever-present aspect of our fight for safety rests on the delicate scales balancing security on one side and efficiency on the other. Certainly we could be 100% secure if each email and document entering our network was personally read and reviewed by a network engineer before getting the thumbs up or down. Unfortunately, this would eat up a lot of time and a lot of labor. Your employees can’t sit around half the day while necessary emails trickle through the gateway. Likewise, it would be super efficient to hand over admin credentials to every employee, contractor, and vendor on your payroll so that they can help themselves to whatever resources are needed to get the job done. Somewhere in the middle, a balance must be struck. I may be biased here, but I encourage you to err on the side of security over productivity.

You’re On the Crew, Like It or Not

If your employer has a computer on property, guess what: you’re part of the cyber security team! Whether you’re the sys admin or the janitor, everyone has a role to play. Empower and educate your employees at all levels in the basic habits most likely to prevent a breach. Email security best practices should not be optional curriculum for new hires or annual retraining.

What Is Governance Anyway?

Cyber security governance is a hefty phrase that could do with unpacking. In this case, governance is the codified operating procedures in place to manage and enforce cyber security in the workplace. This is the infrastructure behind the lectures. The bite behind the bark. Strong cyber security governance means having accountable parties tasked with monitoring and enforcing info sec protocol. It includes having clear, concise rules outlined in employee manuals. It includes real, visible consequences for flagrant disregard of those rules. Cyber security governance is corporate speak for a company walking the walk of cyber security instead of just talking the talk. If an employee unwittingly allows a threat onto the network because they’re unaware of the procedures that could have prevented it, you share the blame.

With Our Powers Combined..

firewalls are pretty much captain planet for computers

Technical! Physical! Human! Okay, maybe this dream team of cyber security assets isn’t quite as screen-ready as Captain Planet’s squad, but it gets the job done. Another aspect of the holistic approach is a widening of your cyber security scope beyond UTMs. Having the most secure network money can buy will amount to nothing if the bad guys walk into your unlocked server closet, unplug your appliances, and jet. Or worse yet, you may find yourself in a Scooby Doo situation wherein unmasking the bad guy reveals someone assumed to be on your side. Insider attacks are a growing concern across industries of all shapes and sizes.

Whether it’s malicious insider attacks or just gullible Dave in Accounting responding to a phishing scam, human beings are much more likely than technological assets to be the wrench in your cyber security gears. A holistic approach incorporates staff training to combat social engineering as well as physical security measures to secure your hardware from break-ins.

Your company will face with a cyber attack one day. The threat of ransomware has graduated from worrisome to inevitable. In the second quarter of 2017, UK businesses experienced an average of 105 breach attempts per day. A holistic approach, a culture of cyber security, a security awareness mentality, Uncle Admin’s Special Funtime No-No’s: you can call it whatever you dream up so long as you actually implement the pillars of breach prevention. Only when we all get on the same page and work towards a common goal will the dream of vanquishing the bad guys be possible. I encourage you to put me out of a job. If a ransomware attack is never again recorded in the info sec archives, Firewalls.com would be thrilled. Sure, we’d have to hang up our lucky engineering pants, but we could always go make Mobile games or something. Unfortunately this dream world does not yet exist. Until then, we’ll do our part in the fight.

What’s your next step?

LET’S HAVE A STRATEGY MEETING