Broomhead: Don’t gamble with your security infrastructure

­MOUNTAIN VIEW, Calif. – On Sept. 11th of this year, MGM Resorts made headlines. Not for a supersized payout or another billion-dollar merger. Instead, MGM found itself the victim of a large-scale cybersecurity attack that has since resulted in over $100 million in financial losses.

Moreover, it showed that IoT systems like slot machines and payment systems as well as security systems like access control, are targets for cybercriminals.

While much of the details of this attack have yet to be understood, the large-scale attack MGM originally cited as a “cybersecurity issue” has all the hallmarks of ransomware. It appears that the hackers used a known social engineering tactic known as vishing, or voice phishing, to impersonate an employee call to MGM’s IT help desk to obtain credentials and access internal systems. From there, it didn’t take long for guests and staff to feel the effects. IoT systems across a number of MGM properties ranging from electronic door locks to check-in systems, slots machines, elevators and beyond became completely inoperable or sporadic at best.

Ten days later, MGM reported that its hotels and casinos were operating normally again after the company refused to pay hackers. Unfortunately, it is not the only example of such attacks in recent years.

Caesars Entertainment also experienced a strikingly similar cyber-attack during the same time frame. Unlike MGM, Caesars negotiated with their attackers and paid the $15 million ransom to keep their systems online; a practice that is increasingly becoming criticized and has efforts underway to be made illegal. In 2019, MGM experienced a data breach wherein 142 million guest records were made available on the dark web. And in a now famous exploit, Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in 2018 how cybercriminals hacked an unnamed casino via an internet-connected thermometer in a lobby aquarium. According to Egan, “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

The examples outlined above demonstrate how it takes just one foothold in the network to bring down an organization. One of China’s state-backed advanced persistent threat teams, “BlackTech”, has engineered a way to modify American-manufactured routers without being detected and install custom firmware that allows for persistent access for the quiet exfiltration of data. This points to a more widespread security issue with edge, IoT, and OT devices, which is the lack of secure firmware distribution.

Even a business’s physical security solutions, the very systems put in place to protect an organization, can be a source of risk. Surveillance cameras vulnerable to and infected with a malware botnet variant known as 'MooBot’ enable cybercriminals to run privilege escalation and subject the camera to do virtually anything that they want. Many camera manufacturers are aware of such a threat, but if the proper firmware updates have not been pushed out to each device, then the manufacturer’s updated patches serve a moot point.

So what can be done to prevent such attacks? It all comes down to good cyber hygiene and creating a zero trust environment with proper network segmentation.

A zero trust environment is a security model that distrusts all users, regardless of whether they are inside or outside of the network perimeter. In a zero trust environment, every user must be authenticated and authorized before being granted access to any resources. In the case of the MGM vishing incident, it appears as though the cybercriminals posed as an innocent MGM employee looking for their credentials. And while the full story may never be revealed, it can be assumed that perhaps this person was perhaps incorrectly trusted without being properly authenticated. This highlights the importance of implementing tools such as multi-factor authentication, hardened verification processes, and regular employee training.

Typically, the zero trust model has been applied to traditional IT infrastructure such as networks, applications, servers, and the like. Increasingly cyber security experts are recognizing that an organization’s IoT infrastructure are vulnerable to cyber exploitation and in need of a zero trust framework applied as well. In this way, no one device connected to the network is automatically trusted, and all access must be verified before it is granted. Likewise, IoT devices and their applications should be firewalled off, or put on a segmented network that requires special credentials to access, so that getting into one network does not lead to accessing all networks. This approach to security helps to protect networks, applications, and infrastructure from potential threats.

Today, there are tools that allow organizations of all sizes to apply a zero trust model to their IoT devices at scale. Also known as an IoT device management platform, this kind of agentless technology monitors and manages loosely and tightly coupled devices from behind one pane of glass. This includes initiating and automating good cyber hygiene practices, such as managing firmware updates to ensure the latest fixes are deployed, certificate provisioning and management, and secure password enforcement. IoT management platforms should also perform application-based discovery so that all devices and applications that are connected are visible (this also makes setting up and maintaining segmented networks much easier). In this way, organizations can strengthen their security posture and reduce the risk of vulnerabilities, all while maintaining a comprehensive view of their IoT ecosystem.

If there are any takeaways from the most recent cybersecurity attacks in Las Vegas, let it be that no company is too large to be hacked. The truth is, any company employing networked devices such as surveillance cameras, access control systems, tablets, phones, video doorbells, and, yes, even fish tank thermometers, are vulnerable to the very risks exemplified in this article.

Don’t leave your business up to chance. Become too resilient to be hacked with the deployment of zero trust framework and solutions designed to automatically enforce cyber hygiene standards across the business.

Bud Broomhead brings to Viakoo, Inc. two decades of executive experience in the technology sector, leading innovative teams at Sun Microsystems and for privately held startups in challenging CEO, COO, and GM roles in the U.S. and Europe. He is a serial entrepreneur who has led successful software and storage companies for more than two decades. He has experience delivering computational and storage platforms to the physical security space for over seven years, with an emphasis on infrastructure solutions for video surveillance.