Face-to-Face: Cybersecurity at the top of the agenda as hacks highlight risks

Cybersecurity is topping the agenda, as recent hacks on major operators such as MGM and Caesars highlight the need for companies to protect and prepare. Continent 8’s Craig Lusher explains how sophisticated hacks are now becoming and how much companies should be investing in infrastructure to prevent any future problems.

We’re joined today by Craig Lusher, the product manager for Continent 8. Specifically within the environment now, we’re seeing so many cyber-attacks on casino operators. It’s really interesting to question what are the main takeaways, for example, from this most recent one that we’ve seen at Caesars and MGM?

Security measures must continually evolve and adapt in changing environments. And the human element remains the weakest link both in cyber and physical security, complacency and failure to educate employees on cyber awareness as significant factors in both parties’ attacks really.

Should we be evolving in terms of implementing more cybersecurity? Should we be giving in to some of these cyber-attacks and paying out the ransom, and what should be the evolutionary strategy going forward?

With everything, integration is key. So, the human element is the most vulnerable part of any security strategy. So, ensuring education is the number one. In terms of paying ransoms and things like that, law enforcement and the general rule is you don’t pay ransoms.

However, payment can be justified if failing to do so will release sensitive information or employee data, you need to protect those people. So the decision to pay ransom should be on a case by case basis, and consider the potential kind of legal repercussions as well as the organization’s preparedness, data and system recovery.

Now, we’re going to run back to that in just a second. But I just want to look at kind of the difference between online and land-based. Who are actually more vulnerable, the online gaming operators or the land-based gaming operators?

Well, land-based operators are more vulnerable due to that human factor, I suppose. Especially when targeted by phishing campaigns and ransomware. Online casinos can be taken offline quickly if they’re not adequately protected, particularly from DDoS attacks, phishing and ransomware. Both types of operators do have similar vulnerabilities. And I suppose there’s less effort required to take offline an online company than to take a land-based one.

So I suppose the question really comes down to what’s less effort, and there’s less effort against the online casinos.

But looking at cybersecurity in general, obviously, there have been changes in the way that the hackers in particular are working. So how has cybersecurity had to change within the recent news to try and keep up with what they’re now doing?

So the threat actors become more organized, sophisticated and ruthless in their attacks. Over lockdowns and the pandemic, lots of attacks took place, lots of money was made. And in fact, they kind of reinvested this money into their own infrastructure and tools.

And that kind of has helped them break in and attack faster than ever before. So in 2018, I think it took around 10 hours for a cyber attacker to get into the systems and kind of move within those systems. Nowadays, we’re looking at under one and a half hours to do the same sort of job. So the pandemic really provided more opportunities to exploit the changes in work patterns, and things like that.

So obviously, the adoption of AI and machine learning by the hacking community has also increased, allowing more efficient and objective attacks. So AI is very good at doing things objectively. And, cybersecurity is something that it’s either protected or it’s not. It’s either there or it’s not. So, it’s very easy for these tools to go in and start probing and finding vulnerabilities.

You mentioned how the amount of time in which people can then hack into your system has gone down quite a bit, but how about the detection time? What exactly are we looking at in terms of the detection time once you’ve identified a threat? Or how long can it take to identify a potential threat to your system?

Infiltration can take anywhere from weeks to a year, right? So you could get into the system, they may have a handhold in there and kind of slowly prize open the doors over a period of time. Once in, they might put backup entries in and things like that. So it can take a long time for these things to be put in place. All the while it’s undetected by the security teams.

So, it can take on average about a year since the initial kind of attack and the initial hack into your system between them being detected by the InfoSec teams. And there are also specialist hackers known as access brokers that will identify these vulnerabilities and ensure the access is there, and backed up access as well, before selling that access onto other organizations that can then kind of do the ransom or do the hack or do the next stage of that attack.

Remediation time, if an attack takes place, and maybe there’s ransomware, or something like that, if InfoSec teams are prepared, it can take on average about seven days to kind of pull all that data back in. If they’re not prepared, it’s a piece of string and six months down the line, they could still be feeling the effects of that attack.

Just to touch back on the recent scenario that we saw with MGM, would you say that that kind of response time in order to fix the issue was industry standard?

It’s a tricky one to comment on that precise scenario. It can take anywhere between a week and six months. So if they do things within a week, great. If it takes longer than that, it’s still not unknown. So it’s hard to pin down.

Yeah. So I mean, basic takeaway from this is that if you get hacked, it’s going to be bad. I’m really, I’m really curious about the type of data that the hackers are actually trying to scrape from the gaming operators in particular, what do you have any insights on that?

Casinos and the gaming industry, it’s all a high cash industry, right. So there’s bank accounts, there’s wallets that are sitting there, as good as bank accounts. Preliminary, they’re trying to steal account information and banking information specifically from customers and wallets. But also, they can be looking to steal software code for the games as well, that could be targeted. So you can find vulnerabilities within that as well.

The ultimate goal is financial gain. So they’re looking to go through this, whether it’s ransomware, or account disclosures and things like that. And, they’re looking to make money from this. There are some obviously hacktivism-type scenarios where people are against the gaming industry, as we saw with Ice Breaker and things like that. But again, other companies and corporate espionage, that’s still ongoing as well within this industry.

Within corporate espionage, would that be primarily done by the competitors?

It can be competitors, but also it can be groups that are against casinos, and things like that as well. Or just want the prestige of being able to take down a big name. So it’s all of the above factors, really.

A lot goes into it. All of it we’ve got to be concerned with, the guys that are out there trying to make money off this. We don’t want that to happen.

How much should these gaming companies be spending on cybersecurity, for example, what percentage of their budget should be allocated to that?

The value is a tricky one, because obviously the value of the data being protected should be the primary consideration for budget allocation. So the sensitive information should be protected as much as possible. And then perhaps you’ve got different levels, depending on the sensitivity of the information.

So basic security measures should be in place, before investing in more complex solutions as well. So this includes staff training, web application, API protection and other service protection, things like that. So that’s kind of the low hanging fruit, let’s say.

And then for more complex scenarios, solutions should be put in place for more complex, sensitive data. So I suppose, to answer your question, most organizations should allocate between 10 to 15 percent of their annual budget for security defenses, and the education which is kind of one of the key points here.

So I want to jump into AI. We’ve seen a lot of how AI has been able to create deep fakes and intricately crafted emails which seem like they’re coming from your superior. How is AI factored into the cybersecurity defense system? Is it working more in favor of those who are attempting to conduct hacks or is it working more in the favor of those who are trying to prevent them?

The rise of advanced technologies like ChatGPT, and deep fakes, it’s really blurred the lines between reality and AI generated content. So, a few years down the line, that’s going to become even more evident, and the real world and the artificial world is going to become very blurred, it’s gonna be very hard to protect against that.

It is something we’ve got to look out for. There’s always been an email that comes in trying to get you to do something, sometimes it’s obvious, sometimes it’s not difficult, you know, more eloquent in recent years, with deep fakes and things like that, and somebody phoning you up, that you know, their voice, and is asking you to do something, especially in a personalized authority. Your chain of command, or your CEO, something.

We’re gonna see a lot more of that sort of thing happening, due to all the information that’s out there. Some information that’s out there on the web, you can start to relate to things.

And it’s gonna be hard to really work out what’s real and what’s not, I guess, so two-factor authentication and verification may become more widespread. Authenticate video and audio calls and videos, I suppose.

Is that technology currently being used out there? Is that already in the works? Is it widespread?

In terms of the actual deep fakes and things like that, cyber attacks, you know, Chatty Goblin was an attack that happened in various casinos in the Philippines and Southeast Asia. That used that kind of social engineering on their customer support desks to try and get them to open a payload, which would then allow them access into their systems. And that was successful. So I suppose, you know, AI generated content is happening at the moment in the cyber security space.

Can we protect against it? Well, we can have two-factor or multi-factor; that’s kind of the main way to go. It could result in you and I having this conversation or a video and passing each other a password or something similar that we can verify against. And going back to that kind of route, I suppose.

It sounds almost like we’re going into the spy years, you know, the Cold War?

A lot of these operators are currently also operating kind of on a little bit more antiquated systems. So I’m wondering, I’ve heard that Continent 8 is trying to help them improve their overall cybersecurity without having to completely change their system in general. Can you explain a little bit about that to me?

Without a systems revamp, they can, from a cybersecurity, security posture standpoint, but also application development and network architecture. So as I mentioned earlier, protecting low hanging fruit is key here. So we offer intrusion detection and prevention services, and vulnerability and penetration tests to assess the company’s security posture. And this also helps you comply with regulation in some jurisdictions as well.

But we can also provide managed endpoint protection solutions to protect laptops and servers. DDoS protection protects the network and keeps businesses and websites online and alive during a DDoS attack. And then we’ve got the web application and API protection, which is kind of one of the most attack vectors at the moment, actually. So we see a kind of 300 percent year-on-year rise with these sorts of attacks, trying to exploit vulnerable websites.

And what we could do with that is we put a proxy in front of your website. So any kind of antiquated or legacy components that may be running on your website, just kind of have that standard fail of protection from that web service. So this also means that developers can bring in new features and functions to the market, and it’s also the easiest thing to protect against.

And so there’s kind of a correlation between how hard something is to protect and the cost obviously. But also, the simpler something is, the more likely it is to be attacked as well. So that low hanging fruit, it’s good to get that base protection in, just to ensure that the easy targets for attackers aren’t taken advantage of.

As technology evolves, as there are more people who are able to have access to these type of tools, which can even be sold online, do you predict that the frequency of these type of attacks on major gaming institutions is going to increase?

Definitely. So, the cash wallet stored within these systems is part of access to money, if they break in, they can transfer that out, there’s restrictions in place, but you know, it’s something that’s very attractive.

Also, being that the industry that we’re in is very fast moving, fast changing, and everybody’s trying to get a unique selling point amongst the competitors, new features are being released quickly, sometimes they may have exploits in there or vulnerabilities that are waiting to be exploited. So as things are constantly changing, you know what might be adequate protection one day, the risk of attack constantly changes as well.

So what might be adequate protection one day, a year down the line, systems change, everything’s moved on, that same protection, it might not be the standard anymore. So it’s a constantly evolving thing. And you’ve got to know about cybersecurity, it’s not only about paying attention to what you are protecting, the tools that you’re putting into place to protect, it’s also about accepting the risks, and trying to evaluate that as a constant moving target.

So, how far up the totem pole are gaming operators in terms of those who are going to be primarily attacked?

They’re right up there. Definitely. So anything with money in mind.

These attackers see gaming companies and casinos having a lot of money, being able to pay the ransoms and they see the cash wallets sitting there, being able to be cashed, to be taken out of there. And also it’s not just the cash wallets, it’s also the reward systems as we’ve seen, and anything that they can use in that space, so it’s a very attractive target for attackers.