From the
March/April 2010 issue of:


Are you safe from computer ‘hackers’?
 
by Brian Welch
askMANDO.com
 
On August 19, 2009, Fredrik Korallus, the chief operating officer of Radisson Hotels & Resorts, released an open letter to customers stating that “Radisson values your business and respects the privacy of your information, which is why we wish to inform you that between November 2008 and May 2009, the computer systems of some Radisson hotels in the U.S. and Canada were accessed without authorization.”

The letter goes on to say “This unauthorized access was in violation of both civil and criminal laws. Radisson has been coordinating with federal law enforcement to assist in the investigation of this incident. While the number of potentially affected hotels involved in this incident is limited, the data accessed may have included guest information such as the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date.”

We interviewed Sean Fuery with Security Metrics, a company that specializes in security testing for the payment card industry, to find out how this breach could have been prevented.

Q. Tell us about your company.

A. “Security Metrics opened the doors back in 2001 and focused mainly on scanning network security for banks and credit unions. Today we are a full service qualified security assessor and authorized scan vendor. We have our own payment application lab and qualified incident response assessor, so that’s our forensics team. If you have a compromise, we can go in and find out why it happened. We also do penetration testing from the external side, as well as any consulting and auditing that companies may need for their payment card industry standards that they are required to meet based on their size and how many transactions they make.”

Q. Is the hospitality industry especially vulnerable to computer hacking?

A. “The hospitality industry seems to be a favorite target of hackers these days because of how they choose to process their card data. It is really hard to put your finger on the pulse of which industry is getting hit the most. Everybody is susceptible.

“Radisson certainly handled this with a great deal of decorum. They’ve kept their chins up. They’ve followed protocol. As soon as they were informed that there was a breach they let everybody know about it and gave as much information as they could without compromising the investigation. But it has got to be a public relations nightmare. It has been said that most of the cost due to a breach is loss in consumer confidence.

“In addition, when you’re breached, credit card data is lost, forensic evaluations have to be done, auditing has to be performed, and it becomes a financial and logistical nightmare when something like this happens.”

Q. What can be done to prevent this from happening, and if a breach has already occurred, what can be done to fix it?

A. “To prevent it, there are specifically three issues which may seem very simplistic on the outside, but they have a profound impact on how difficult you can make it for a hacker to get at your information. First and foremost, make sure that you’re running software and OS updates, patch management, the things that you can do as the operator to ensure that your network is secure.

“Fifty percent or more of the breaches out there occur because those specific things were not followed through with. Just making sure that patches are updated, making sure that you change your passwords. Don’t use the default passwords that come with your system. Make sure that you lock down your remote access especially in regards to multi-location merchants. And most importantly, control and monitor your outbound traffic. What a lot of people don’t realize is a firewall is intended to be two-way, not one-way. It doesn’t just stop things from coming into your system. It can also be configured to stop information from going out of your system.

“Taking the Radisson breach as an example, a piece of malware was installed that allowed for the broadcast of information from their server that went undetected simply because their system wasn’t set to monitor that information. Unfortunately, information leaked.

“It is very important that an organization have policies and procedures in place to dictate exactly what steps need to be taken in the event of a breach. And again using Radisson as an example, you can see where they went through point by point contacting legal authorities, getting a forensics team in there as quickly as they could, removing the malware, locking the system down. All those things will mitigate how much data they lose and it shows that they are proactive in solving the problem.”

www.securitymetrics.com
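The outbound-traffic monitoring described in the interview can be sketched as a check of firewall logs against an egress allowlist. This is an added example, not part of the original article or of Security Metrics' tooling; the log format, addresses, ports and the names `CDE_HOSTS` and `EGRESS_ALLOWLIST` are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed policy: hosts that hold card data, and the only destinations they may reach.
CDE_HOSTS = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # payment processor (placeholder)
    (ipaddress.ip_network("198.51.100.0/28"), 443),  # patch/update mirror (placeholder)
]

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
ts=2010-01-05T02:11:09 dir=out src=10.20.0.5 dst=203.0.113.10 dport=443 bytes=1840
ts=2010-01-05T02:11:40 dir=out src=10.20.0.5 dst=192.0.2.77 dport=21 bytes=5242880
ts=2010-01-05T02:12:02 dir=in src=192.0.2.9 dst=10.20.0.5 dport=443 bytes=900
ts=2010-01-05T02:13:15 dir=out src=10.30.0.8 dst=192.0.2.77 dport=80 bytes=300
ts=2010-01-05T02:14:51 dir=out src=10.20.0.5 dst=192.0.2.77 dport=21 bytes=3145728
ts=2010-01-05T02:15:00 dir=out src=10.20.0.9 dst=198.51.100.3 dport=443 bytes=7000
malformed line without fields
"""

def parse_line(line):
    """Return a dict of typed fields, or None if the line is not a usable record."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    try:
        return {
            "dir": fields["dir"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
        }
    except (KeyError, ValueError):
        return None

def is_allowed(dst, dport):
    # A flow is allowed only if both destination network and port match an entry.
    return any(dst in net and dport == port for net, port in EGRESS_ALLOWLIST)

def unexpected_egress(log_text):
    """Total bytes per (src, dst, dport) for outbound card-data-host flows outside the allowlist."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "out" or rec["src"] not in CDE_HOSTS:
            continue
        if not is_allowed(rec["dst"], rec["dport"]):
            totals[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += rec["bytes"]
    return dict(totals)
```

The same allowlist, enforced as deny-by-default outbound rules on the firewall, blocks the flow instead of only reporting it.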
© Copyright 2001 - 2010 • The Trades Publishing Company • All Rights reserved.
20 Our Way Drive • Crossville, TN 38555 • (931) 484-8819 • Fax: (931) 484-8825