Where is the Money? Part 5 of 36: Business as a Privilege

Authors’ Note: It seems like businesses around the world are being blasted with computer hacking events. There are now hundreds of millions of customer credit cards floating around in cyberspace. In this fifth installment of our new “Where is the Money?” series, we examine what being subjected to a major hacking event means in the gaming industry.

In an industry where, in many cases, our right to operate is a privilege granted by government compliance groups, operators are extremely concerned about how they would manage any government investigation into a hacking incident.

Green Card holders in the U.S. are very aware of the difference between a right and a privilege. Green Card holders have a visa that grants them the privilege to live permanently in the U.S., but this privilege can be revoked by the government. This is very different than U.S. citizens, who have the right to live in the U.S.—and that right cannot be removed.

Outside of gaming, companies and individuals have the right to practice business, and that right can only be removed in very special situations. Conversely, within the gaming industry, companies and individuals can have their privilege to do business removed in many situations. Consider the case of MGM losing its right to do business in Atlantic City. Now, according to recent news reports, “the company asked New Jersey gaming regulators for permission to reclaim its 50 percent stake in the Borgata Hotel Casino and Spa, one of the best-performing casinos in a city full of recent failures.”[1] The concept of asking for permission to do business would be considered unusual outside of the gaming industry, yet it is a reality for us.

The Right to Know
As we described in the April 2014 issue of CEM,[2] your rights to your data are like a bundle of sticks. This bundle of sticks contains ownership of data and its associated legal protections, including the right to know about an investigation.

As operators, we constantly exercise our privilege to operate our gaming businesses, and we are constantly dealing with compliance considerations. Consider this example from the Southern Star: “Attorney General Luther Strange announced that a search warrant was served today at Southern Star casino in Lowndes County by law enforcement agents from the Attorney General’s Office and the Alabama Department of Public Safety.”[3] It is clear that the operator is being investigated and that it has retained its right to know about that investigation.

The Southern Star example illustrates how casino operators have been, and can be, subjected to search warrant-based investigations and that, as part of this process, they are notified of the investigation. However, this right to know about investigations does not extend to the investigation of data held by third parties. Casino businesses retain the right to know of any investigation of their data (by virtue of owning that data) only where the data is controlled behind the casino’s four walls.

Consider this example of data held by a cloud-based service, and notice the way that the government’s actions are directed against the cloud provider. “On July 31st Microsoft lost an appeal in U.S. district court over a government search warrant for emails held on servers in one of the company’s Irish data centers. Supported by a host of other prominent technology companies, as well as AT&T and Verizon, Microsoft said it would appeal the ruling. In a court filing, the company argued that ‘Over the course of the past year, Microsoft and other U.S. technology companies have faced growing mistrust and concern about their ability to protect the privacy of personal information located outside the United States. The Government’s position in this case further erodes that trust, and will ultimately erode the leadership of U.S. technology companies in the global market.’”[4]

While the court cases are ongoing and the final outcome will be years in the making, it is apparent that the issuing of search warrants on gaming operators without notice can happen if the data is held in the cloud.

The Consequences of Breach
In addition to search without notice, cloud-based data has come under fire from hackers. Home Depot and JPMorgan are the latest companies to be impacted by wide-scale breaches. These breaches are massive in size, as JPMorgan “confirmed that hackers managed to access personal data for more than 83 million customers, including 76 million households and 7 million small-business online accounts, but The New York Times reveals that the largest bank in the U.S. isn’t the only one to have been hit. It appears that another nine, unnamed, financial institutions have also been targeted by the same mysterious hackers group, which also managed to steal some critical security data from JPMorgan on top of personal data.”[5]

This massive breach of security has happened widely, with breaches of Home Depot, Target and many others. To us authors, it seems like the hackers must have personal details on hundreds of millions of consumers in the U.S. This is frightening enough, but the consequences for these companies’ bottom lines are significant as well. In the case of Target, the company stated that the data breach caused a 46 percent drop in profit in the fourth quarter.

In the world of casino gaming, there could be more at risk than sensitive customer information and a decline in profits. In an industry where business is a privilege, the implications can extend even further. At this point we can only speculate about what regulators would do in response to a security breach of this size, but it could well be a catastrophic removal of the casino’s privilege to do business.

Security Primer
Understanding security is an extremely complex and highly specialized area, so it is worth taking a little time to establish a framework for thinking about security matters. There are three essential aspects of security: cost, hardness and monitoring systems. Cost is the amount of money an attacker is prepared to spend to gain the information; hardness is the firewall and the other internal protections in place; and monitoring systems are the active counter-intelligence activities.

Cost
When thinking about security systems and serious hacking attempts, the amount of effort involved can be enormous. In other words, the cost of the attack is a very important factor. Consider the example of the recent attack on Home Depot. If the hackers were offshore and used purely computer methods to carry out the attack, then the cost could be considered to be low. On the other hand, an extremely well-funded attack could involve multiple aspects, including bribery, human spies and even physical network attacks.

Hardness
Firewalls and external protections are just the start. Real security extends to password policies, physical network controls and, most importantly, the strength of the network once an attacker is physically inside it. A simple analogy is to think of a firewall as the shell of an egg: the shell is hard on the surface, but real hardness depends on how hard-boiled the egg is inside.

A hardened network functions in similar ways inside and outside the network, meaning that penetration of the network provides very little access to resources. In the example of the retail systems that were hacked, it seems like once inside the network, the hackers were able to move to very soft targets within the network (in this case the point of sale devices). To expand on this, Table 1 shows how different areas of the network can be hardened.

Table 1: Some Characteristics of a Hardened Network

Area: Characteristic

Database: Row- and column-level security is in place. This means that users only see the data they have been granted rights to see, and different users running the same query will see very different results.
Network: The login to the network requires both a password and a physical device, such as a fob or a cellular phone. Users have carefully constructed rights that are controlled with user groups.
Email: The email has two-step security, requiring both a login and a physical device. Mobile devices have a complex lock code, multiple-attempt wipe and remote wipe.
Social: Social interactions are carefully controlled, and all activity is known through one central unit.
Files: All files stored locally on laptops are encrypted and cannot be read without full authentication.
Screen savers: All computers automatically lock during lack of activity and require a password to reenter.

Monitoring
Hackers are often clever and creative, and can be well-funded. But as they try new and innovative ways of making their way into the network, they will probe around and leave trails. One of the most critical aspects of security, therefore, is to be active, monitoring usage and looking for unusual behavior. For example, if a user decides to download all files on the server, it is an indicator of a compromised account or device.
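As an added illustration of the monitoring point above (this is example code, not part of the article), the detector below flags any account that fetches a large share of a file server's files within a short window, the "download all files" indicator the authors mention. The log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: "<timestamp> <user> <action> <path>").
SAMPLE_LOG = """\
2014-10-06T09:00:01 alice DOWNLOAD /finance/q3-report.xlsx
2014-10-06T09:03:12 alice DOWNLOAD /finance/budget.xlsx
2014-10-06T22:01:00 bob DOWNLOAD /finance/q3-report.xlsx
2014-10-06T22:01:02 bob DOWNLOAD /finance/budget.xlsx
2014-10-06T22:01:03 bob DOWNLOAD /finance/payroll.xlsx
2014-10-06T22:01:05 bob DOWNLOAD /hr/policy.pdf
2014-10-06T22:01:06 bob DOWNLOAD /hr/contracts.pdf
2014-10-06T22:01:08 bob DOWNLOAD /ops/runbook.docx
2014-10-06T22:01:09 bob DOWNLOAD /ops/vendors.xlsx
"""

def parse_log(text):
    """Return sorted (timestamp, user, path) tuples for DOWNLOAD events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "DOWNLOAD":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[3]))
    return sorted(events)

def find_mass_downloads(text, window=timedelta(minutes=10), share=0.5):
    """Map each user who fetched at least `share` of all files seen in the log within any
    `window`-long period to the largest distinct-file count observed for them.
    Normal users touch a few files a day; a sweep of the whole server is the outlier."""
    events = parse_log(text)
    threshold = max(1, int(len({path for _, _, path in events}) * share))
    per_user = defaultdict(list)
    for ts, user, path in events:
        per_user[user].append((ts, path))
    alerts = {}
    for user, items in per_user.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until items[start:end+1] spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({p for _, p in items[start:end + 1]})
            if distinct >= threshold:
                alerts[user] = max(alerts.get(user, 0), distinct)
    return alerts
```

On the sample log, alice's two files stay under the threshold while bob's seven-file sweep in nine seconds is reported; in practice the baseline share and window would be tuned per server.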

In the Cloud
Now, it is wrong to say that cloud providers are not secure; in fact, many provide the highest level of security. The challenge is that cloud providers are, by their very nature, Internet services—and Internet services are exposed to the world. We authors are experienced in gaining approved external connections to gaming operations, and in these connections it is common to see multiple levels of security, for example phone-verification-based VPN access that is limited to specific systems and excludes the gaming systems themselves.

Thus, gaming systems tend to benefit from smaller but harder “shells.” Fewer people need access to smaller amounts of data compared to a cloud solution. The implications of this are that the gaming systems can set up firmer barriers (like requiring phone verification to only pre-determined sectors of the system), while having much less available for a hacker to gain access to should they break through. As such, they are naturally more secure than storing the same data in the cloud.

When it comes to monitoring in the cloud, the question is, are your cloud operators obligated to tell you if they discover a breach or suspected breach? One interesting fact is that back “in 2007 it was reported that Salesforce.com was hacked when their electronic security measures were compromised. What is surprising is that I could not find any theft reports from Salesforce since.”[6] Yet, despite this, the software-as-a-service (SaaS) security firm Adallom “detected a targeted malware attack campaign against a Salesforce.com customer, which began as an attack on an employee’s home computer. Adallom found that the new variant had web crawling capabilities that were used to grab sensitive business data from that customer’s CRM instance.”[7]

To be clear, this trojan does not attack vulnerabilities in the Salesforce.com system; it uses known information about the Salesforce.com interface to gain access. Other cloud providers have a similar issue, where the “known” nature of their interface makes it a low-cost entry point.

Implications for Online and Mobile Gaming
With developments in online gaming and mobile applications, the architecture of how the data is shared is critical. For example, in a “share nothing” environment where the end user authentication allows access to the gaming information on casino-owned application servers, we gain important legal protection against investigation. As we move to set up more online and mobile services, we need to think carefully about both security and the impact of government actions.

Enterprise Software
The global enterprise software market is $321 billion in 2014, and is forecasted to grow to $344 billion in 2015 (see Figure 1). This enterprise software is software that is used by a business to meet the needs of that business. The players include Microsoft, Oracle and IBM, and companies around the world rely on this software for almost every aspect of their business. These systems contain extremely sensitive data, and this data comes together to form the backbone of the business intelligence infrastructure. We can also classify gaming systems companies such as Bally, IGT, Aristocrat, VizExplorer and NEWave as industry-focused enterprise software companies.

Home Depot and Target may have taken some hits in profitability, but these businesses continue to operate—and, one expects, to eventually regain most of that lost business. In short, these companies have a right to operate as long as they have paying customers, and having their data hacked has not caused all of their paying customers to switch brands.

But, again, in the world of gaming, we do not have a right to operate. It is typically a privilege bestowed by the regulators, and a major hack into our systems could have far reaching consequences, including the removal of our right to operate.

Gaming exists with extremely complex regulatory controls, and oftentimes our businesses exist with the privilege rather than the right to operate. In this environment, losing the right to know that you are being investigated is unacceptable, and so think carefully before moving to the cloud and losing this right.

Operators may save a few thousand dollars by going to the cloud, but they are risking their business by losing the right to know they are being investigated. Operators moving into the cloud are risking their privilege to do business.

Footnotes
[1] Reuters, Hilary Russ, September 9th 2014, http://www.reuters.com/article/2014/09/09/new-jersey-atlantic-city-mgm-r…
[2] Cardno Thomas, http://www.casinoenterprisemanagement.com/articles/april-2014/where-money-now-part-16-18-data-ownership-bundle-sticks
[3] http://www.ago.state.al.us/News-262#sthash.C7yYuQHj.dpuf
[4] http://www.io.com/blog/cloud-security-data-sovereignty-edward-snowden/?u…, extracted October 2014.
[5] https://bgr.com/2014/10/06/jpmorgan-chase-data-breach/, extracted October 2014.
[6] http://www.plixer.com/blog/detecting-malware/salesforcecom-hacked-securi…
[7] http://thehackernews.com/2014/02/Salesforce-malware-attack-zeus-trojan.html
[8] https://www.statista.com/statistics/203428/total-enterprise-software-reve…, extracted October 2014.