Paul McLellan

Community Member

Blog Activity
Options

What Keeps MGM's Head of Security Up at Night? Lightbulbs!

8 minute read

breakfast bytes logomgm resorts international logoThe trusted supplier day at GOMAC opened with a slightly off-topic, but fascinating, keynote by Scott Howitt, who is the Chief Information Security Officer (CISO, or see-soh) of MGM Resorts International. They are most famous for owning about 40% of the big hotels on the Las Vegas strip, although they also have some sports stadiums, concert promoters, and more. He showed us a video giving an idea of the breadth of their products. "That was a lot more interesting than when I used to work for JC Penney," he quipped at the end.

Security at MGM Hotels

His topic was security challenges. Almost everyone in the audience, as part of the trusted supplier ecosystem, had some involvement in security, but mostly of the government type that has a big focus on secrecy and also can take approaches, such as "air gapping" that commercial operations can't really do. After all, a resort hotel can't really function if its customers can't access its website.

One surprising thing is that Scott said that gaming is not considered high risk, and it is not the thing that keeps him up at night. There was a lot of recent coverage of Russian hackers predicting slot machine payoffs using iPhones, but they had discovered this a couple of years ago and so the Russians involved had moved to eastern European countries with poorer security than Vegas. In any case, he is simply not that worried about that sort of attack. "From a cyber criminal's point of view, why would you want to be physically present? And if you successfully steal over $10,000, you have to fill out a tax form!"

In the commercial world, you have to prioritize concerns. His biggest revenue stream is hotel rooms. Look at a hotel with 6,000 or more rooms. Perhaps 4,000 people are checking in on a busy night. If the system is down for some security reason (denial of service, malware, whatever) then that is a big problem and he won't pay much attention to other problems until it is solved. It's not ideal forcing 4,000 people to stand in line (admittedly not quite at the same time) in a snaking line in the lobby just to check in. It is inefficient and it isn't the experience that MGM wants to give its guests.

He used this as an example. The obvious thing is to allow people to check in on their phones, and not go near the front desk. So create a mobile app. Next problem, they don't want people under 21 checking into Vegas hotels, so that the app has to link to some age verification service. To make things really work smoothly, you also need Bluetooth doorlocks that the app controls. There are obvious security implications since you want the right door to unlock but other doors not to. There is another complication though, the doorlocks are all controlled by a specialized door lock system that was designed to be self contained between the card writers at reception, and the card readers on the doors, and logging. But there was no api for a smartphone app. So that has to be created, and it has to be secure, of course. To make sure it is all working, you need to run penetration tests, pen-tests, on the locks. But that isn't really what his security experts went to school for. Something seemingly straightforward, an app that allows you to check in and open your room door, has security issues all over the place.

scott howitt

IoT Device Security

The area that Scott is most concerned about are IoT type devices. There are lots of these in the food and beverage area, with equipment to keep food hot (or cold), and in some cases serve it automatically (such as making cocktails). These devices arrive without the security team even being aware of it. He said that any device that can be hacked, will be, even if just for fun. So a bad guy can change the temperature of the food and a guest can get sick. Or lots of them. That is something he has to worry about.

Another one is smart lightbulbs. It would be a pain if every bulb had to programmed with the network name and password, so one lightbulb can tell all the others. It turns out that it is not that hard to take a Raspberry Pi $10 computer and program it to pretend to be a lightbulb. And it gets handed the password. "I didn't see that one coming," Scott said. His first thought is to segment that away and have a dirty untrusted network just for lightbulbs, but that wants to talk to the check-in so that lights can be set to a frequent guests preference and so on.

Scott thinks IoT is a big issue. There are already 28B IoT devices. The forecast of 50B by 2020 will be blown past. But current security tools and practices do not understand IoT. As a result, machine learning is going to be part of any good security program, segmenting and containerizing different parts and controlling the touch points. Security is going to have to adjust and adapt, sometimes on the fly. Another IoT challenge is simulating it at scale. He can get a tool to provide bulk load to a website, but there are no tools to simulate bulk IoT devices. That means it is hard to identify problems with, for example, light bulbs before installing them.

The Target Story

He had some details on the infamous Target breach. Everyone knows that "they came in through the HVAC system" but that's not really true. They came in through the supplier portal that Target ran. When a supplier logged in, a drop-down menu listed all the suppliers to pick from, so anyone could find out a list of all the suppliers. They then took that list and found out which suppliers had weak security. It turned out to be an HVAC supplier. They took control of the supplier portal, found a non-hardened Windows server and took it over. Then they found point-of-sale (PoS, credit card readers) that were exploitable, and loaded their malware. In three weeks, they took out 45M credit cards between Thanksgiving and December 14 (which for many retailers is well over half their annual business).

They did so many things wrong. First, why have a public list of all suppliers. Second, there was no two-factor authentication when a login happened from a new device. Then, since it was the busiest time of year, they turned off white listing on the PoS terminals since it was considered, incorrectly, to slow things down too much. Next, they allowed the thieves to FTP the results out. Nobody should ever allow a naked FTP like that without going through a proxy server and egress rules. They even ran a malware detection system called Fireye, which runs their applications in a sandbox and checks that nothing bad comes out in three minutes (which is a problem on its own, since the bad guys have learned to wait four minutes before doing anything suspicious) but they didn't act on it. End result, the bad guys were in the network for weeks.

One lesson from that breach is that 100% of breaches involve compromised credentials. Identity is unsexy but important.

Complexity and Sharing

Another lesson is that complexity is its own problem, creating what security guys call a large attack surface. When Scott arrived at MGM, they had 27 security vendors. If he asked how some detailed operation was done, nobody had a clue. Now they are down to three vendors and he and his organization understand how one tool interacts with another, and avoiding the finger pointing when every one of the 27 vendors says anything bad is the fault of a different vendor.

It used to be that one organization would keep quiet about breaches because they would look vulnerable, but now everyone realizes everyone else is under attack all the time, and breaches happen all the time. So that has changed. Also, cybercriminals share information and outsource work they cannot do themselves, so the good guys need to work together as well. Scott said this now works really well in the commercial world but is still really bad between government and industry. In the Q&A ,he was asked why this is. He said that government is just not used to deciding which things are a state secret and which are not, and default to treating everything as a state secret instead of getting it out to the public. Result: a hack can come and go in 48 hours, and the government is still trying to decide what classification to put on it.

The weakest link in security is the human factor. People will always click on the bad link. People will always pick up the USB in the parking lot. Security is always a performance hit. Things are a lot better than they used to be. "A really determined nation state, I'll never stop. I can't stop all breaches, what is important is to contain them and recover."

All in all, it was a fascinating talk to kick off the conference.

Use Two-Factor Authentication

A bit of advice from me. I mentioned two-factor authentication above. If you use Gmail (or anything on Google), Amazon, Apple, Yahoo, and so on, they all support two-factor authentication. Turn it on. What this means is that if you access your account from a new device (say you bought a new phone, or you are on a public computer at a hotel) then just your password alone is not enough. That would be one-factor authentication. The system will text you a numeric code to your phone and you have to provide that too. Even if a bad guy somehow gets your password, it is not enough. Only you have your phone. When the system has seen the device before and gone through the two-factor authentication, you don't have to do it every time, so it is only an occasional inconvenience for a big increase in security.