9 Information system security
IT security
LEARNING GOAL
- Know how to safeguard the security of various information systems and data
OBJECTIVES
- Know several basic information system security concepts.
- Evaluate preventive measures for several major types of attacks.
- Apply rules necessary to enhance information system security.
INFORMATION TECHNOLOGY SECURITY CONCEPTS
Perhaps one of the most important issues in the hospitality industry is maintaining the security of information systems and data. This is especially important as the industry is collecting an increasing amount of data from consumers, which is necessary in designing new products and services, analyzing their preferences, and having an overall idea of how the business is doing in an analytic sense. This is because all systems are currently under threat from people with bad intentions, who seek to breach systems and get access to confidential data. Such intentions manifest in attacks and breaches on the various systems that businesses and consumers utilize. If you read the news regarding breaches and attacks, you will find that hospitality industry systems are continuously attacked. This is because the hospitality industry has several vulnerabilities that make it attractive to attackers.
First, the industry has a large scale. Hospitality is large and is comprised of a lot of multiple types of hotels, restaurants, clubs, event venues, and travel destinations, which are very different from one another. The industry is also characterized by many transactions of various sizes. Such transactions account for substantial amounts when taken together. Even when considering small-value transactions like those in cafes or food trucks, taken together, they represent substantial amounts.
Second, the industry is very fragmented. One can see a variety of types of operations, from large global chains to small mom-and-pop operations, and food trucks. In all these operations, the managerial practices can differ considerably, making it difficult to implement unified, consistent, and robust information security policies and practices. Moreover, due to the size and managerial style in practices in different types of organizations, it is difficult to afford having the right IT staff. In addition, to make technology more affordable to companies, many IT vendors have begun to rely on models where the technology is provided as a subscription service to the hospitality companies, thus removing the need for a permanent IT staff member at the level of the hospitality company.
Third, we are proud to have perhaps the most diverse workforce on the planet. As the workforce is very dynamic, we have high staff turnover. By the time an employee becomes greatly familiar with the information security policies and practices of a company, he or she is likely move to another job, maybe even to another company. Moreover, the industry has great diversity in terms of IT utilization skills of staff members. This creates a training burden for many hospitality companies and risks having gaps in the application of the proper IT security rules.
Finally, we are characterized by a strong service culture. We are there to help our guests, and in many cases our hospitality nature kicks in and creates situations where attackers can take advantage of our hospitality. More specifically, we are an industry that provides a multitude of nice benefits (e.g., staying in nice hotels, traveling in nice aircraft and receive great services based on loyalty points or miles). Even the loyalty/rewards points or miles represent attractive currency and attackers have sought to steal them. For this reason, is very important to understand how to safeguard the security of our information systems and data, regardless of the type of hospitality operation.
We will begin with the definition of information system security: it represents the protection of information and information systems (IS) from unauthorized access, disclosure, modification, destruction, or disruption.
As outlined by the National Institute of Standards and Technology (NIST), IS security has three main objectives:
- Confidentiality: protection from unauthorized access or disclosure.
- Integrity: protection from unauthorized modification or destruction. Information and information systems must be accurate, complete, and uncorrupted.
- Availability: protection from unauthorized disruption. All legitimate users should have timely and reliable access to information and information systems (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008).
Unfortunately, many attacks seek to damage at least one of the three objectives mentioned above, and in many cases, attackers succeed in damaging all three objectives, with substantial negative impact on hospitality operations. Therefore, everybody who works in hospitality must be aware of these objectives and the specific ways to safeguard information systems and data security.
It is also important to recognize the concept of data to information system security, and to underline that not all data are equal. As the hospitality industry evolves, hospitality businesses tend to collect and process substantial amounts of data. Such data must be classified by each business based on each information security objective, and assign a level of low, moderate, or high, depending on what security implications would result from a failure to achieve the objective. For example, if a restaurant stores surveillance video footage, that data will be characterized by a rating of “high” in all security objectives. However, if the same restaurant stores data related to its social media postings, then that data would have a rating of “low” on all information security objectives. The hospitality companies must clearly determine the level of impact of each type of data that it uses relative to the three main security objectives.
In any organization, the manner in which data security is handled should include the roles assigned to individuals with responsibility to data security. Each organization should have a Data Steward. The Data Steward is person responsible for the management of an organization’s data assets to help provide business users with high-quality data that is easily accessible in a consistent manner. Typically, the data steward has multiple IT and business-related roles, such as supporting the users of a company, defining and managing metadata, and maintaining the data.
Another important role is that of the Data Custodian. The Data Custodian is the person responsible for granting access to an organization’s documents or electronic files while protecting the data, as defined by the organization’s security policy or its standard IT practices. Typically, Data Custodians are responsible for managing the systems that collect, process, and store organizational data. Among their most critical responsibilities, one can list maintaining physical system security, complying with the current regulations, and designing disaster recovery plans.
Finally, a User can be any employee, contractor, or third-party affiliate of an organization who is authorized to access organizational data or information systems.
Every single organization must clearly define these roles and must inform all the staff members about which employees fulfill each role. This is extremely important because it sets a foundation of a rules for all the staff members and creates clear communication channels that could prevent attacks from being successful.
TYPES OF ATTACKS
There is virtually an unlimited number of attacks on businesses. Every time a new system is deployed, attackers find vulnerabilities in the system and try to exploit such vulnerabilities. Generally, after each attack, the vulnerabilities are addressed, but there’s always the threat that attackers could find new vulnerabilities in existing or new systems. Such attacks take advantage of multiple aspects of information systems and especially take advantage of the human behavior related to interacting with these systems or with other humans. The following sections explains the most common types of attacks that affect hospitality businesses at the time of the current writing. Because this is an area of rapid development, the types of attacks described here is by no means complete.
MALWARE ATTACKS
One of the most common types of attacks is a malware attack. A malware attack is the situation where an attacker is infecting a system with specific software (called malware) designed to cause harm. Malware is used as a general term describing software that has a bad intention regarding a computer system, software, or data. Specifically, the software is designed to cause disclosure, modification, disruption of service, or even destruction of data or hardware. Because of this, malware attacks are extremely serious and could cause substantial damage to hospitality companies.
Typically, an attacker tricks the user (or system) into storing a piece of software on a system. While the general term for this type of software is malware, over time there have been multiple types of malware, such as viruses, worms, trojan horses, or ransomware. After the malware is stored on the victim’s system, at some point – either on a specific date or specific action of the victim – the malware does what it was designed to do. This could be: (1) disclosing or transfering data, (2) damaging existing software or hardware, for example erasing drives, shutting down systems.
Ransomware is a particular type of attack where the attacker infects a victim’s computer with software that encrypts the victim’s data. The attacker generally requests a ransom in exchange for decrypting the victim’s data. Ransomware attacks have become increasingly common in recent years, especially for organizations that collect and store confidential data, such as consumer-oriented businesses, health care organizations, and so on.
Since this is one of the oldest types of attacks, various companies over the years have created software that detects and destroys malware. Such software are typically called anti-virus software, and must be updated periodically in order to be effective against the latest malware. Also, a great way to protect a system is by using firewall protection, which filters undesired traffic.
One of the best ways in which systems can be protected against malware is to adopt very strict policies regarding individual access to IT systems. Users should not access files, links, updates or make any modifications to the system before checking with the IT department. Sometimes malware is hidden in files that can be easily confused by users with legitimate files, providing opportunities for malware to infect systems.
Occasionally, despite the best precautions, malware attacks are unfortunately successful. In such cases, when data are corrupted, the company should have a good data backup plan solution, to restore the data after an attack. One particular solution is to have the data backed-up in a cloud, which could be effective in ransomware attacks.
SOCIAL ENGINEERING ATTACKS
Social engineering represents a broad type of attacks that works by manipulating the victim to disclose information using social interactions (Cybersecurity and Infrastructure Security Agency (CISA), 2020). There are many types of attacks that fall under social engineering, and they work in a similar way. A particular case of social engineering attack is gathering information from social media about a victim’s identity, and then using that information to trick the victim into disclosing information or using that information in a stand-alone attack. For example, the attacker may go online to find a victim, and learn as much as possible about the victim from the information posted by the victim of social media. Based on information such as photos, social media postings, educational milestones, personal information (e.g., first car, favorite color, favorite sports team) the attacker can eventually find out enough information about a victim that he/she can successfully undergo password reset procedures, therefore gaining access to the victim’s system.
There are measures that offer protection against social engineering attacks. First, it is important to not post a lot of personal information online. If information is posted online, it is important not to use security questions that are related to information posted online. For example, if a user had a Ford car in college and posted a picture of that, the user should not use security questions such as “What was your first car in college?” An important human trait that facilitates these kinds of attacks is the fact that people tend to use the same password for multiple accounts. In case an attacker guesses or breaches the password for one of the victim’s accounts, the attacker then try to use the same password to access other accounts of the same victim. A good way to prevent that is to use a unique password for every account. Another important measure is the use of multiple factor authentication. While users sometimes get annoyed by this measure, dual/multi-factor authentication allows the user to better control their access to systems and makes it more difficult for attackers to gain unauthorized access.
PHISHING ATTACKS
Phishing can be viewed as a particular case of social engineering attacks. Generally, an attacker designs an email, text, or similar message that tricks the user into believing that it is a legitimate message. For example, an attacker creates an email message that alleges that the victim’s account has been locked, and the requests the victim to input credentials such us login name and password. The email looks very similar to a legitimate email, having logos and fonts that are very similar to those in the legitimate messages. Generally, the unsuspecting victim complies with the request and inserts such credentials, thus offering the attacker a legitimate way to access restricted systems and data (Cybersecurity and Infrastructure Security Agency (CISA), 2020).
Other similar attacks involve knowledge of organizational structures. For example, a front desk agent may receive an email that appears to be from the hotel manager asking the agent to buy a few gift cards. The unsuspecting agent may believe that it is a legitimate request from the manager. Especially in large organizations, sometimes the hierarchical levels make it difficult for victims to question their supervisors when such attacks occur, increasing the chances of success of such attacks.
To prevent such attacks, it is important to update the security software. It is also important to use multi-factor authentication, to diminish the chances of logging into systems by unauthorized individuals. It is also critical to understand that the more information is publicly available about the organizational structure of a business, and the names of the people located at various levels in the organization, the higher the success rate of and attack like this could be.
However, a very important step in preventing these types of attacks is to check for errors or inconsistencies in communication. For example, users should look closely at the logos in the email or hover the mouse over the email address of the sender. If something looks suspicious, they should not click on any links and should not comply with any requests. It is very important that users not click on links or open attachments unless they know that under attachment is coming or they are absolutely certain it is from a trusted source. It is also very important to be skeptical of any requests made using electronic media. Yes, it is acceptable to ask the supervisor whether he/she made a request, just to double check the authenticity of a request. Most importantly, supervisors should make it clear to employees about the specific types of requests that will be made and which media should be used for such requests. For example, a manager can assure their employees that he/she will never request anything by email.
PASSWORD ATTACKS
Despite the advances made in authentication technology, passwords are still extremely common methods to authenticate users. For this reason, attackers are able to design a variety of methods to trick users into disclosing passwords, and they will especially use a variety of methods to simply steal passwords. Some of these methods include brute force attacks, dictionary attacks, keylogger attacks, and man-in-the-middle attacks (OneLogin, 2022).
Most of these attacks involve the use of specialized software that is designed to retrieve passwords or gain access to systems protected by passwords. For example, in brute force attacks, the attackers use software to try to guess the victim’s password by feeding multiple combinations of characters until access is gained. In a dictionary attack, the attacker relies on software that uses entire dictionary files, sometimes from multiple languages, to guess passwords. A keylogger attack involves installing software (called keylogger software) on the victim’s computer that records every keystroke. Such data on the keystrokes can be use by the attacker to retrieve the log in credentials of the victim. This is especially likely with computers that are freely available to the public and that are not monitored by knowledgeable staff.
Preventing password attacks is relatively easy, as the mechanism of prevention takes advantage of one of the main vulnerabilities of these types of attacks. For a password attack to be successful, the attacker must use specialized software that tries to “guess” the password. However, for that software to go through all the possible combinations of letters, numbers, and special characters, the process of guessing may take a long time. It is important to recognize that the amount of time necessary to guess a password by the attacker’s software is directly influenced by the length and complexity of the password. For example, passwords that contain only eight characters (upper- and lower-case letters only) can be guessed in about 2 minutes by your software. In contrast, passwords that contain 16 characters, including letters, numbers, and special characters take about 92 billion years for the attacker software to guess (Neskey, 2022). With each password reset, any user basically resets the clock of any potential attacker’s software, diminishing the risk of that software being able to guess the password. Thus, a combination of long passwords or passphrases and often password reset makes it extremely difficult for attackers to guess passwords.
Other solutions include permanently monitoring the access logs and checking for unusual logins into the system, and using multiple factor authentication. A particular interesting scenario is the use of additional authentication methodologies, such as biometrics. Biometrics are unique to each individual and combining multiple biometric modalities, such as facial plus fingerprint verification, can provide strong authentication mechanisms that are robust to attacks.
DISTRIBUTED DENIAL OF SERVICE ATTACKS
Sometimes, attackers do not necessarily seek access into a system. They only want to disrupt its service. In that case, a common type of attack is the distributed denial of service attack, or DDoS. The victim of these types of attacks can be any organization that has a public website or a network. The goal of the attacker is generally to shut down the website, server, or network, putting that resource in a situation where it denies service.
Usually, in the normal course of Internet communication, a user utilizes a browser from their computer to make requests to a server connected to the Internet. The server responds to that request immediately. In a DDoS attack, using malware, the attacker can gain control over multiple systems (generally computers or servers but there can be other types of systems connected to the Internet under the concept of the Internet of Things). Once the attacker gains access to all those systems, the attacker instructs the now-compromised systems to send simultaneous requests to a particular victim server. The multitude of simultaneous requests is overwhelming for the server, which shuts down, therefore denying any further service and causing disruption.
To prevent such attacks, the organization must monitor its systems continuously. Signs of an attack include slow connectivity or no service that is does not result from an internal action. Another feasible idea is to use a firewall, which restricts the volume of traffic to a server or network. It is also critical to have a good backup plan in case such an attack is successful and causes disruption.
EVIL TWIN ATTACKS
An Evil Twin attack involves Wi-Fi communications and has the goal of accessing restricted resources by tricking the victim into connecting to a fraudulent Wi-Fi access point or network. Specifically, the attacker creates a new access point or network that has a similar name with a legitimate one. The fraudulent access point is called the evil twin. To the victim, the evil twin access point looks similar to the legitimate one. Moreover, the attacker can modify the hardware in the access point to make the signal stronger, therefore increasing the likelihood of the victim’s wi-Fi devices to connect to evil twin access point instead of the legitimate one. Once the victim connects their device to the evil twin access point, the attacker can access the victim’s traffic, which can include login credentials, payment information, and other valuable information.
These types of attacks on extremely important for hospitality operations, especially for small businesses, which are likely to offer Wi-Fi connectivity to the public. For example, small cafés, restaurants, often include Wi-Fi services that are free to the public.
To prevent these types of attacks, hospitality businesses should continuously monitor their Wi-Fi network activity. Such activities will get businesses into the habit of understanding the dynamics of their traffic and put them in a position to immediately spot unusual traffic. Related to this, especially for businesses that offer Wi-Fi connectivity to the public, it is important to separate the networks between the public network and the staff’s network. Such separation allows the organization to keep the staff network uncompromised in case of a successful evil twin attack.
From a managerial standpoint, hospitality businesses could implement specific rules for connectivity. For example, if a customer wants to connect a device to the Wi-Fi network, the customer should check with a staff member to obtain credentials. Finally, guests can be instructed to use credentials provided only by the staff members, and, very importantly, to use virtual private network (VPN) services when they connect to the public Wi-Fi networks. A VPN is the service that encrypts the communication between a user’s computer and servers on the Internet. This way, even if such communication is intercepted by attackers, they wouldn’t be able to access it due to encryption.
ENHANCING INFORMATION SYSTEM SECURITY
It is important to understand a few general rules that allow organizations to enhance information system security. Because attacks may occur when data are being transmitted from one device to another, it is important to know a few rules regarding the transmission of important data.
It is critical to not transmit important data using email or other unsecure messaging media. Email communications can be intercepted, and the results can be devastating for the users and their organizations.
Is also critical to separate use between personal and work-related devices. This separation allows restricted communication to fall within the scope of a particular company’s information security rules. However, we need to recognize that this is difficult in the contemporary work environment, where many personal devices are brought into the workplace for work related tasks, and vice-versa. This is especially problematic in the wake of the COVID-19 pandemic, when many employees worked from home using business-owned devices and connected those devices to their personal Wi-Fi networks at home.
One important solution is also to use VPNs when accessing restricted resources or communicating important data. VPNs have increasing popularity during the past few years, as the number of attacks has increased. Many organizations offer their employees, especially when they travel, access to the VPN services, diminishing the risk of attacks when the employee connects their devices to various Wi-Fi networks while traveling.
It is critical to avoid opening attachments from unknown sources. Malware can be hidden in attachments, therefore, users should exercise extreme caution when facing the decision to open an attachment. When the user has doubts about the legitimacy of an attachment, the user should check with the IT department or the sender of the message.
While links are a natural element of today’s computing, especially when browsing the web, they can be misleading. The users should avoid clicking on unknown links, or links that have been provided in emails from unknown sources. If a user wants to access an Internet address, he or she can simply type the address in the browser and surf the web from there.
There are some basic rules about storage. In the past few years, storage has become increasingly cheaper, addressing the increasing appetite of businesses and consumers to store data. Also, the typology of storage has diversified, allowing users to choose among a variety of storage types. In this context, mobile computing devices have been increasingly popular. However, users should avoid storing data on mobile storage devices, such as USB drives, portable hard drives, or even CDs or DVDs. The risk of storing on these devices is higher than on other devices because they can be easily lost or stolen.
Another important rule in to avoid storing data on own personal computing devices. Such devices are not guaranteed to have to same levels of protection that the business-owned devices have. Typically, business-owned devices are properly maintained by professionals working in the IT departments, and undergo regular maintenance, updating, and upgrading.
One layer of protection is to encrypt the data that resides on these devices and use strong passwords to access the contents of these devices. It is also important to log out of accounts every time the system is not in use. This is also problematic in hospitality, staff members that are using login credentials often do not log out after performing tasks to optimize hospitality operations.
One important rule is to never use computing or storage devices that were found. Attackers sometimes leave USB thumb drives or other devices and occasionally use enticing information such as “confidential” or “salaries”, which may trick users into connecting these devices to networks or standalone hardware. In many cases, such devices contain malware.
There are also some general management rules. It is extremely important to secure the computing devices. The users should use unique, strong passwords, or biometric credentials to login to their accounts and devices. Managers must make sure that the users perform work related tasks using their own accounts, instead of the accounts of managers or coworkers. For example, it is wrong for a front desk employee to conduct check-ins from the profile of a coworker that had to just used the property management system terminal and left the area without logging out. It is an excellent practice to log out every time a user finishes their work on a specific terminal and leaves the terminal for a break or completes a shift.
It is also very important to adopt good password management practices. Passwords should be long, complex, and should be changed often. Password management services can also be a viable solution to good password management. Finally, using multiple factor authentication can also increase the security of IT systems as I previously discussed.
Today, information system security is extremely complex and fluid. It changes all the time as new challenges appear, as new systems develop. It is our duty as hospitality professionals to make sure that our systems are secure, our data are protected, so that a normal course of operations can take place. While this lesson was an introduction to concepts and practices, it only initiates the broader discussion of the fascinating world of hospitality information technology security.
REFERENCES
Cybersecurity and Infrastructure Security Agency (CISA). (2020). Security Tip (ST04-014). Avoiding Social Engineering and Phishing Attacks. National Cyber Awareness System – Tips. Retrieved from https://www.cisa.gov/uscert/ncas/tips/ST04-014
Neskey, C. (2022). Are Your Passwords in the Green? Infographic. Retrieved from https://www.hivesystems.io/blog/are-your-passwords-in-the-green?
OneLogin. (2022). Six Types of Password Attacks & How to Stop Them. Identity and access management 101. Retrieved from https://www.onelogin.com/learn/6-types-password-attacks
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008). Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from Gaithersburg, MD 20899-8930: https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final
