NASHVILLE – The director of technology for the National Indian Gaming Commission warned tribal casino executives Monday that the threat level has increased to a “nightmare scenario” for the hacking of their data and encouraged them to take action to protect themselves and their customers.
“We’re always playing catch up, and the bad guys are always working backward off the last security patch,” said the NIGC’s Travis Waldo during a panel discussion at the TribalNet conference.
“They are looking for vulnerabilities that are known and aren’t patched and work to get into your system,” Waldo said. “The security risks out there are astounding, and if you don’t think they are out there, just wait a little bit. If you haven’t been compromised already, it’s just dumb luck.”
At some point, Waldo warned casino operators, hackers are going to compromise a system unless properties bring their security footprints up to meet the basic security suggestions available.
“The risks out there are everything from defacing your website to stealing every bit of your player data (including credit card information) and bringing your system down and taking it offline forever,” he said. “The risks are as great as they can be. They are through the roof.”
Waldo works with the National Cyber Crimes Investigative Joint Task Force, which includes the CIA, FBI, and National Security Agency. There’s a large increase in data being held for ransom and about 60 percent of the time the hackers unlock the data after the ransom is paid, he said.
“What we are seeing right now is a merger in the industry between independent actors and state-sponsored actors,” Waldo said. “State-sponsored actors are Russia, North Korea and China, (which is) one of our great trade allies and biggest enemies in the world. There’s also hacker groups like Anonymous. The signatures that are left when someone compromises a network are aligning. They’re working together, which is a nightmare scenario for us and for anybody in the security industry and working in the security industry.”
Waldo said the federal government “is playing catch up just like everyone else.” He called it “a struggle every day” and said he can’t find enough security people and cloud security people to help.
The security expert said casinos should consider hiring a cyber contractor if management doesn’t have the ability in-house to implement procedures and policies for security.
He told tribal leaders they will “save a lot more money” even if a contractor is on the job for six months. Waldo’s suggestion was to be clear in the scope of work, expectations, results and targeted goals.
Waldo said those costs for a thorough review can be $25,000 on the low end and as much as $100,000 on the high end. The NIGC is currently doing an assessment on itself at a cost of $250,000, he said.
For now, Waldo urged tribes to ask the NIGC to do an assessment of their vulnerability to cyber-attacks at no charge, in which he and his team will come to the property and do their work over a couple of days.
“Most of the things we find is that gaming systems are not patched and updated,” Waldo said. “You find a lot of security patches outdated. We find outdated passwords and systems running on networks they didn’t even know. I found an AS/400 (IBM) system running one time with ‘admin admin’ as the password. They didn’t know it was still active.”
Waldo said training staff who work on computers daily is vital to protect tribal properties.
“The staff should be instructed about not clicking on a website, a link or a picture of a fuzzy puppy,” Waldo said. “This is the stuff that kills you, and that’s how it comes in. Start with your entry-level people and training, training and training. Even if you send out test emails telling them not to click on this or that, at some point, it will sink in on them.”