TRANSCRIPT
Produced by Hospitality Financial and Technology Professionals
2004 Hotel Security Survey
Presented by Dr. Cihan Cobanoglu
Assistant Professor, University of Delaware, Manager CRM and Security Practice, Network Frontiers
Dorian J. Cougias
Adjunct Professor, University of Delaware, and CEO, Network Frontiers
Introduction
• Technology has become inseparable from hospitality operations.
• Technology is becoming part of the DNA of the company.
• Information security is getting more important.
And we are all under compliance
Assurance is key
Introduction
• Every day thousands of major security breaches occur in the public and private sector, resulting in serious financial and property losses (Flink, 2002).
• 75% of email is spam (EWeek, 2004).
• In 2003, every single computer was attacked by a virus at least one time.
What you can lose…
What can go awry
[Table: asset categories Documents, Apps, OSes, Storage, Hardware, Network, Power, Building, checked against Confidentiality, Integrity and Availability. The slide marks Integrity and Availability as at risk in all eight categories, and Confidentiality in five of the eight.]
Purpose of This Study
To analyze security practices of electronic information, network
threats and prevention techniques in hotels.
Objective of This Study
To help information technology directors or chief information officers with policy development for security
of electronic information in chain hotels in the United States.
Problem Statement
• At every level of hotel management, networks are involved (Cobanoglu & Cougias, 2003).
• At the property level, there are local area networks where reservation, front office, restaurant management, payroll, accounting, human resources, and other systems reside.
• In addition, hotels may offer high speed Internet access (wireless or wired) to their guests in their hotel rooms or in other areas of the hotel.
Review of Literature
• It has been calculated that the total volume of information is increasing at a rate of some 12 percent a year.
• Managing this information has become a major challenge to public authorities, to companies, and to private individuals (Daler et al., 1989).
• The Internet now reaches over 120 nations around the world and has approximately 605 million users (NUA Internet, 2004).
Security Procedures Protect Hotel’s DNA
Datasets: CRS, Inventory, CRM, POS, E-Mail
Processes: PMS, Billing, Sales, Ops, Back Office
Documents: Refunds, AR/AP, Reporting, Unstructured, Supply Chain
A Hotel Computer System
[Diagram: a hotel computer system divided into front of house (FOH) and back of house (BOH), and into systems in-house and systems off premise, with arrows showing which systems interface with each other and the direction of data flow.]
Systems shown: PMS; Corporate Accounting System; Corporate Reservation System, MIS, EIS; Forecasting & Scheduling; Time & Attendance; Global Reservation System; Travel Agents; Corporate Guest History; Purchasing & Inventory; Food & Beverage Inventory System; Restaurant Management System (POS); Electronic Bar Dispenser; Minibar; Call Accounting System (CAS); Long Distance; Yield Management; Pay Per View / Check Out; Credit Card Authorization & EFT; PBX (Switch); Maid Dial-In; Voicemail Message Handling; Wake-Up System; Sales & Catering System; Remote Sales; Marketing; Maintenance; Energy; Fire & Life Safety; Electronic Lock & Security System; In-Room Energy Control.
Assurance is key
Threat Matrix
[Table: each security property, with the threat it faces, broken down by physical, technical and operational dimension.]
Accountability (threat: apathy)
  Physical: systems can be misidentified or lose all identification.
  Technical: fault isolation can be hampered by “dumb” systems; reports can be ignored.
  Operational: managerial apathy can set in.
Confidentiality (threat: illicit use)
  Physical: physical access to systems or facilities can be breached.
  Technical: malicious code can impede operations, breaching confidentiality.
  Operational: authorized users can illicitly access and use confidential data.
Integrity (threat: chaos)
  Physical: improper setup or unexpected manipulation can wreak havoc.
  Technical: degradation, corruption, and malfunctions can bring mayhem.
  Operational: untrained users can misuse or mishandle systems.
Availability (threat: loss)
  Physical loss: physical systems can be stolen or destroyed, or access can be lost.
  Technical loss: network access and data can be lost.
  Operational loss: users can be locked out of systems.
Security Scenarios
• While Cougias was doing a security audit, another employee of his took one of the main servers out of the building with a fake work-order.
• Two weeks ago, I had access to the network of a hospitality school in Thailand without any problem.
• Try driving with your wireless enabled laptop in streets (war chalking).
Method - How we did the study
• Population: Hotel managers who are in charge of information security practices.
• Sample: The target sample consisted of 1143 technology managers who were current subscribers of Hospitality Technology magazine as of November 2003.
• The list of respondents was provided by Hospitality Technology magazine. All of the sample members had an email address; therefore, only the online version of the survey was conducted.
Methodology
• The survey has been adapted and expanded from 2003 CSI/FBI Computer Crime and Security Survey (CSI, 2003).
• Self-administered online survey with four sections
  – Security technologies
  – Network security threats
  – Perception statements
  – Demographics and property characteristics
Findings
• Out of the 1143 sample members’ emails, 279 were returned as “undeliverable”, reducing the effective sample size to 864.
• 154 filled out the questionnaire, yielding a 17.8% response rate.
Top 5 Network Security Tools and Techniques Used by Hotels
Technique: % of hotels using it
• Anti-virus Software: 84.4%
• Physical Security: 82.7%
• Hardware Firewall: 79.7%
• Software Firewall: 77.6%
• Access Control: 75.3%
Top 5 Network Security Tools and Techniques Not Used by Hotels
Technique: % of hotels not using it
• Biometrics: 69.4%
• Digital IDs: 68.1%
• Image Servers: 63.0%
• Vulnerability Assessment Scan: 42.5%
• Intrusion Detection Systems: 35.5%
Network Attacks
• Twenty-six percent of the respondents had a computer network attack within the last 12 months.
• The size of the hotel seems to be positively correlated with the number of attacks observed within the last 12 months (r=.72; p=.001).
Network Attack Types
• Virus 24.2%
• Insider abuse of net access 18.1%
• Spoofing 10.6%
• Unauthorized insider access 9.0%
• Denial of service 7.5%
  – Have you tested lately?
Who Is Responsible?
• Independent hackers: 39%
• Disgruntled employees: 26%
• Other: 16%
• I do not know: 13%
• Foreign corporations: 3%
• U.S. competitors: 3%
Other Findings
• The average financial loss created by these attacks was $9,092.
• About 50% of the respondents may hire reformed hackers or ethical hackers as consultants.
• Only 3.7% of the respondents reported computer network attacks to law enforcement.
• The most commonly used prevention tool was patching (79.5%): closing holes as fixes were released by hardware and software manufacturers.
Survey Conclusions
• This study is one of the first attempts to analyze computer network attacks and prevention techniques in the hotel industry.
• The results showed that computer network attacks create serious threats to hotels.
• Although hotel companies use some prevention techniques, we observed a scattered mix of solutions rather than a consistent approach.
Other Findings
• Only 40% have enough resources for security
• 56.4% have enough expertise
• 23.1% do not have a method of getting rid of old user accounts
• 20% are a member of an IT security organization
• 38.5% never conduct an IT security audit
Survey Conclusions
• Some hoteliers prefer to outsource their network and information security systems. This may have a two-fold impact on hotels:
  1) If the outsourcing company is a network and information security expert, then the hotel network systems may be better protected.
  2) Dependency on a different company for such an important issue may create problems such as data privacy and ownership.
Recommendations
• A significant number of hotels do not use, and do not plan to use in the future, some important network and information security tools and techniques.
• Some of these tools are so vital to network security that not using them is an open invitation to internal and external hackers.
• Hotel managers would do well to review this list, compare it against the tools they currently use, and implement and use multiple tools.