How Hoteliers Can Protect Against USB Attacks
August 10, 2016 1:23pm
By Jeff Parker – Vice President of Hotel Technology, Interstate Hotels & Resorts
You might be your hotel’s biggest problem.
ALMOST ALL ATTACKS are traced back to Human Errors, the Villains are trying to trick you into letting them into your network, and they are really smart.
While the recent news feels like it, the hospitality sector is not the only target for the villains that are unleashing viruses and other malicious software on. One of the latest attack vectors are USB drives. We have heard of malicious persons sending a marketing piece in the mail with a USB drive with additional information. The unsuspecting user inserts the drive into their computer and POOF the computer is now ‘owned’ by the hackers. I know that I have personally seen many promotional packages delivered with a USB drive or a CD, some even have sent small digital photo frames or MP3 players that you can load by connecting to your computer.
At the end of the day, all of these attacks can prevent your hotel from checking in guests, posting revenue or even making a reservation. The worst case is they infiltrate your systems and get personally identifiable information from your staff and guests.
The Newest Scourge of the Malicious Software world is Cryptolocker and other Ransom-Ware Trojan horse programs. These programs are used to take all of the data on a computer and encrypt it. This renders the user’s data inaccessible and in most cases the user is forced to pay the ransom to get the data back.
The other typical USB threats are Keyloggers\usage Trackers and Remote Access Software, though there are others.
KeyLoggers and Usage Trackers are programs that record what a person is doing on a computer, including passwords, sites accesses and reports that are run. Some ‘phone-home’ while others just write to local storage and then are retrieved later. There have been reports of theft rings where a front desk agent is hired, places a USB device on the back of a computer when they have a chance, allows it to collect information for months and then retrieves the device and quits. The impact of the stolen data can be lead to further attacks on systems.
Remote Access software allows a hacker to connect to a computer from anywhere. From this launching point they can access computer systems and networks. Once they are in your systems, it takes them little time to have free reign, and often install back doors and other access points, so even if the first attack is thwarted, the criminals are in for the long war.
How to you protect yourself, and your business?
1) Do everything you can to block foreign USB drives on your systems. There are several great software packages to do this, but sometime it is best to go with a physical lock.
2) Team your team not to connect USB drives other than ones that they have specific knowledge of where it came from and where it has been.
3) Partner with a software provider to filter the internet, you will want one that keeps up with a daily updated list of threats and blocks those sites.
4) Protect your company email, everything in and out should be scanned and sanitized.
5) Use the internet filtering and email filtering software to Whitelist Executables, meaning only allow programs through your email and network that are specifically approved for download or updates. Start with blocking everything, then add as needed the programs that are essential for your business to operate. Does this mean that your team will have to vet every program? Yes, but that is the point! A little extra overhead beats a data breach.
6) Block personal email, many of the villains use emails to get into your systems. Most corporate email systems have pretty good protection, but personal accounts are often unprotected, or under-protected. If you can prevent personal email, you will be in a much better situation from an exposure standpoint.
7) Have a strict password policy, not just for hotel staff, but for vendor accounts and any account with administrator access. These passwords should be changed every 90 days, be at least eight characters and include Numbers, Capitol Letters, Lower Case Letters and Symbols.
With some easy controls, and a little due diligence you can prevent many of these attacks.
Article courtesy of AH&LA
Tags: usb attack,
Parker is a nationally recognized leader in data security; notably with relation to PCI compliance.
He holds a bachelor’s degree in Technical Communications from Metropolitan State College of Denver and has been working in the industry for over 28 years.
How Technology Is Driving Transparency in Real Estate
The Time Is Now for Hotels to Move Operations Into the Cloud
Why Asia Leads the Race in Smart Hotel Technology
Shiji Group Continues Global Expansion, Opens Office in Australia
Now Available for Download: HEBStrategy Q3 2018 Hotel Digital Marketing, Technology, and Trends Whitepaper
How to Build an Emotional Bond With the Most Demanding Clients, Hotel Guests
Hotel Tech Partner vs. Vendor: Knowing the Difference and Why It Matters
Casa Pepe Welcomes OpenKey Mobile Technology to Mexico City
Beekeeper Achieves ISO Certification to Protect Hotels' Data
Opportunity Intersection: The Corner of Technology and Service
Why Can’t We All Just Get Along? The Future of Hotel Technology Integrations & APIs
HAPI Taps Laurent Idrac as Latest Advisory Board Member
What's Hot at HITEC This Year
The Hotel Technology Ecosystem - What Does the Future Hold?
How to Win at the Hotel Technology Innovation Game Through Symbiotic Partnerships
Now Available for Download: HEBStrategy Q2 2018 Hotel Digital Marketing, Technology, and Trends Whitepaper
10 Step Guide to Attracting the New Digital Traveler
Where Is Hotel Technology Going?
A Case for Investing in Technology During the Design and Development Process
NAVIS Raises the Bar to Achieve Highest Level of PCI DSS Level 1 Certification
Please login or register to post a comment.