
Cyber Battlefield: Protecting Your Club’s Data

If you have not initiated a vigilant effort to enhance your club’s cyber security systems, it’s time to take action. It has never been more critical to proactively protect your club. Cino Companies has had the opportunity to audit and assess many IT environments over the years, but there has never been a time like this when even the smallest of businesses are being targeted and exploited by hackers. This article presents best practices that will help clubs identify and address the risks of data breaches and cyber attacks.

The warning signs in the business community and hospitality industries are there—and it’s up to club leaders to take action to protect against security breaches, loss of confidential membership data and lawsuits. Unfortunately, many hear the warnings but do not take the necessary steps to protect their environment until it is too late—leading many to call for specialized help after a security breach.

In 2015 alone, Cino Ltd. has dispatched a growing number of incident response and cyber-forensics teams to an increasing number of new clients from the hospitality industry that have been exploited by hackers. These tactical teams perform a root-cause analysis to determine the attack vector (the pathway used), so that appropriate countermeasures can be deployed to reduce the likelihood of the same attack vector being used against the property in the future.

At the National Club Association’s annual National Club Conference in Washington, D.C. this past May, industry leaders learned about the current pandemic of business threats and hacking risks that could impact their clubs. Given the types of personal data that clubs often retain in their records, there is a growing level of risk from cyber security attacks that needs to be addressed in the areas of technology security, risk management and crisis communications.

The session covered the importance of securing the club’s environment to preserve the reputation, name and integrity of the club. Also discussed was the potential loss of membership, as well as ways to add protections for information security liability. Since the conference, many GMs have launched initiatives with increased vigor and a sense of urgency to implement industry best practices to fortify their defenses and efforts to protect their clubs.

Hacking 101

What are hackers looking for?

  • Data that they can steal, use to extort (ransomware) and sell
  • Members’ personal data

How do they get your data?

  • Attack Vectors – Pathways used to hack
  • Attack Vectors = Vulnerability + Exploit
  • Vulnerability – Existence of a security weakness
  • Exploit – A defined way to breach a vulnerability

Some recent case study examples discussed during the conference included:

  • Ransomware: Increasingly popular, ransomware is software designed to block access to a system and/or information until a ransom is paid.
  • Data breach: Hackers gain access to personally identifiable information (dates of birth, Social Security numbers) in order to make fraudulent charges.
  • Malware distribution: The club is used as a tool to spread malicious code, such as viruses to other businesses’ IT environments.
  • Website vandalism: Hackers gain access to a website and deface it.

The most common vulnerabilities seen in the hospitality industry—those that increase your risk of becoming the next victim of cyber warfare—include:

Missing patches: The U.S. Computer Emergency Readiness Team (US-CERT) posts weekly summaries of vulnerability weaknesses that hackers try to exploit. These patches range from critical updates to Microsoft products to updates for Adobe Acrobat and Internet browsers and other software systems. The expression “Tuesday’s patch is Wednesday’s exploit” indicates that users often neglect to install updates in a timely manner, leaving their systems vulnerable. (These summaries can be found at www.us-cert.gov/ncas/bulletins.)

New attack vectors are constantly being identified: Monitor your club’s users and systems for vulnerabilities. A lack of end-user awareness may result in “phishing attacks” (targeted e-mail with a malicious link) or drive-by downloads (the end user visits a website that exploits unpatched browser vulnerabilities). Club staff must be trained and informed about these risks.

In club systems, leaving default settings in place and enabling unnecessary services can result in a “Swiss cheese network,” with open pathways that attackers can use as attack vectors. Without a full-time IT director or cyber security expert on site, cyber-security best practices are often low on the list of tasks that clubs ask their outsourced IT companies to review—particularly for individual users’ computers.

8 Primary Areas of Concern

Cino has developed a Risk Management Report Card that businesses can use to monitor their exposure to IT threats and hacking risks.

  1. Comprehensive risk assessment. Identify and prioritize the immediate needs—where clubs should pay the most attention—based on potential impact to the club. Attackers will search for your “weakest link.” A fresh set of eyes auditing the club’s cyber environment will provide insight on the current state of security in relation to best-practice compliance standards. The benefit of the comprehensive risk assessment is in identifying the weak links in your environment (the current threat level), each of which could be used as an attack vector (a pathway used to attack).

     Clubs should strive to be PCI compliant; the standard’s 12 requirements identify the key areas of weakness in a club’s defense. Security architecture has evolved, and a comprehensive end-to-end solution is needed to defend against an attacker finding the weakest link.

  2. Immediate remediation of high-impact risks to the confidentiality, integrity and availability of your operational data. Clubs are in a race against time to correct the priority security deficiencies found in a risk assessment. One of the challenges faced by most clubs is that they do not usually have a full-time security analyst to address these issues and instead have to rely on their outsourced IT professional. This may delay correcting vulnerabilities and impede management’s ability to track the progress of these corrections.
  3. End-user security awareness training. Users and employees are the weakest link in protecting the club from cyber threats. Staff who operate club computers may click a link that introduces malware into the club without meaning to do any harm. Therefore it is critical that staff be properly educated and trained annually on security awareness. Monitor staff with further testing to ensure they have successfully learned how to properly detect, avoid and report a threat.
  4. Continuous monitoring verification. What is happening and what has happened? Do you know? If you are currently under attack, does anyone know? If an incident has occurred, what “intel” do you have as to what has been done? A range of IT services is available to give you live insight into what is occurring in your club’s network. Integrity verification tools can be used to identify unauthorized changes to system folders, which attackers frequently use to hide malware. Enable the audit service on your servers and track changes and modifications to key folders to provide insight into what has happened. Other monitoring steps include aggregating log files to analyze and detect threats; this will also help build a timeline of events and determine the root cause of an attack. Host-based and network-based intrusion detection systems help to identify infiltrations and alert you when you are under attack, so you can implement incident response procedures to defend the club’s environment.
  5. Business continuity plan, cyber-incident response plan and business impact analysis (BIA). Review and develop these plans to address unexpected cyber-security emergency risks (ransomware, malware, data backup and restore procedures). Ransomware attacks are particularly disruptive in clubs because business continuity planning and redundant copies of the data sets have not usually been implemented. Ransomware often encrypts the data on a hard drive, preventing access to club records, documents and systems—meaning that without proper backup procedures, business will grind to a halt. A proper BIA will help set the priorities and protection required to ensure successful business continuity in the face of an attack and lessen the negative impact on daily operations.
  6. Overall security policy review. Is your club implementing secure operational best practices, including shredding, data encryption, the principle of least privilege, and separation of duties? Secure data handling processes and procedures are often overlooked. In several instances, clubs and hospitality businesses have received complaints from guests or members claiming their credit cards carried fraudulent charges as a result of their visits. In every case, the compromise traced back to improper procedures and operational security controls that had not been implemented.
  7. Cyber insurance. This coverage is needed to protect against the financial impact of a cyber breach.
  8. Continuous testing. Clubs should conduct annual penetration tests, quarterly scans and vulnerability assessment testing. Key information about configuration and patch status (whether current or out of date) can be determined from quarterly scans and vulnerability assessment testing.

Penetration testing checks the strength of the controls you have put in place and will provide additional insight into what a hacker could do against the club. Ethical hackers, individuals hired by organizations to use techniques that the malicious hackers use, can test how well the organization is protected and identify vulnerabilities. An ounce of prevention is worth a ton of cure. This has never been more relevant to the success of your club!
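The continuous monitoring item above mentions integrity verification tools that flag unauthorized changes to system folders. The following is an added illustration, not code from the article or from Cino: a minimal file-integrity baseline in Python that hashes every file under a folder, stores the result, and later reports files that were added, removed or modified. The folder layout, file contents and the simulated changes are constructed for the demo; a real deployment would keep the baseline copy off the monitored host and run the comparison on a schedule.

```python
"""Added example (not part of the original article): a minimal file-integrity
baseline in the spirit of the "integrity verification tools" described above.
Assumptions: the monitored folder is a plain directory tree, and the baseline
is stored as JSON; no real product or club system is referenced."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (by relative path) to its SHA-256."""
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root_path).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: dict, out_file) -> None:
    """Persist the baseline. Keep this copy off the monitored host (read-only
    media or a separate server) so an intruder cannot rewrite it to match."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def diff_baseline(old: dict, new: dict) -> dict:
    """Report added, removed and modified files between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a folder, then simulate unauthorized
    changes (a tampered binary, an unexpected new file, a deleted config)
    and report the drift the way a monitoring job would."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp) / "system"
        (system / "bin").mkdir(parents=True)
        (system / "bin" / "service.exe").write_bytes(b"constructed service v1")
        (system / "config.ini").write_text("debug=false\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(system), baseline_file)

        # Simulated changes that an integrity check should surface.
        (system / "bin" / "service.exe").write_bytes(b"constructed service v1 tampered")
        (system / "bin" / "update.exe").write_bytes(b"constructed unexpected file")
        (system / "config.ini").unlink()

        return diff_baseline(load_baseline(baseline_file), build_baseline(system))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the script prints the three categories of drift; in practice each non-empty category feeds the log aggregation and alerting described above, so that an unexpected change in a system folder becomes an event with a timestamp rather than a discovery made after the fact.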

In today’s world, clubs must take a proactive cyber security posture, not only because it is the prudent way to conduct business, but also because it is what members expect and demand. Your club’s protection should be a key component of the operating budget. The urgency to understand cyber security and protect private club information has never been greater.

We are on this cyber battlefield together. Now is the time to take action to protect your club from cyber attacks and help gain peace of mind for club leaders and members.

Fred Santarsiere is the CTO of Cino Ltd. and a computer hacking forensic investigator. He speaks to organizations on how to protect their data. Cino is a risk mitigation organization and provides cyber security solutions. For more information, please contact Fred at [email protected].
