Close

Cart

Total $0.00

Checkout

By Jeff Parker – Vice President of Hotel Technology, Interstate Hotels & Resorts 

You might be your hotel’s biggest problem. 

ALMOST ALL ATTACKS are traced back to Human Errors, the Villains are trying to trick you into letting them into your network, and they are really smart. 

While the recent news feels like it, the hospitality sector is not the only target for the villains that are unleashing viruses and other malicious software on. One of the latest attack vectors are USB drives. We have heard of malicious persons sending a marketing piece in the mail with a USB drive with additional information. The unsuspecting user inserts the drive into their computer and POOF the computer is now ‘owned’ by the hackers.  I know that I have personally seen many promotional packages delivered with a USB drive or a CD, some even have sent small digital photo frames or MP3 players that you can load by connecting to your computer. 

At the end of the day, all of these attacks can prevent your hotel from checking in guests, posting revenue or even making a reservation. The worst case is they infiltrate your systems and get personally identifiable information from your staff and guests. 

The Newest Scourge of the Malicious Software world is Cryptolocker and other Ransom-Ware Trojan horse programs. These programs are used to take all of the data on a computer and encrypt it. This renders the user’s data inaccessible and in most cases the user is forced to pay the ransom to get the data back. 

The other typical USB threats are Keyloggers\usage Trackers and Remote Access Software, though there are others. 

KeyLoggers and Usage Trackers are programs that record what a person is doing on a computer, including passwords, sites accesses and reports that are run. Some ‘phone-home’ while others just write to local storage and then are retrieved later. There have been reports of theft rings where a front desk agent is hired, places a USB device on the back of a computer when they have a chance, allows it to collect information for months and then retrieves the device and quits.  The impact of the stolen data can be lead to further attacks on systems. 

Remote Access software allows a hacker to connect to a computer from anywhere. From this launching point they can access computer systems and networks.  Once they are in your systems, it takes them little time to have free reign, and often install back doors and other access points, so even if the first attack is thwarted, the criminals are in for the long war. 

How to you protect yourself, and your business? 

1) Do everything you can to block foreign USB drives on your systems. There are several great software packages to do this, but sometime it is best to go with a physical lock. 

2) Team your team not to connect USB drives other than ones that they have specific knowledge of where it came from and where it has been. 

3) Partner with a software provider to filter the internet, you will want one that keeps up with a daily updated list of threats and blocks those sites. 

4) Protect your company email, everything in and out should be scanned and sanitized. 

5) Use the internet filtering and email filtering software to Whitelist Executables, meaning only allow programs through your email and network that are specifically approved for download or updates. Start with blocking everything, then add as needed the programs that are essential for your business to operate. Does this mean that your team will have to vet every program? Yes, but that is the point! A little extra overhead beats a data breach.

6) Block personal email, many of the villains use emails to get into your systems. Most corporate email systems have pretty good protection, but personal accounts are often unprotected, or under-protected. If you can prevent personal email, you will be in a much better situation from an exposure standpoint.

7) Have a strict password policy, not just for hotel staff, but for vendor accounts and any account with administrator access. These passwords should be changed every 90 days, be at least eight characters and include Numbers, Capitol Letters, Lower Case Letters and Symbols. 

With some easy controls, and a little due diligence you can prevent many of these attacks.   


Article courtesy of AH&LA

About Jeff Parker

Parker is a nationally recognized leader in data security; notably with relation to PCI compliance.

He holds a bachelor’s degree in Technical Communications from Metropolitan State College of Denver and has been working in the industry for over 28 years.

Please login or register to post a comment.