Master Regulating IT

Indian Gaming Association Seminar Series Institute Presents:

Regulating Information Technology Certification Training South Point Hotel & Casino, Las Vegas, Nevada

AGENDA (Subject to Change)

Day 1

8:00 am – 9:00 am: Breakfast; Welcome and Class Expectations

9:00 am – 10:30 am: “Regulating IT – A Standards Approach”, Renita DiStefano, Owner, Second Derivative

10:30 am – 10:45 am: BREAK

10:45 am – 12:30 pm: “Audit Scoping”, Renita DiStefano, Owner, Second Derivative

12:30 pm – 2:00 pm: Lunch Break (On Your Own)

2:00 pm – 3:15 pm: “Developing a Structured Approach to Auditing”, Renita DiStefano, Owner, Second Derivative

3:15 pm – 3:30 pm: BREAK

3:30 pm – 5:00 pm: “Reliance Programs for IT Controls”, Frances Alvarez, Chairwoman, Tribal Protection Gaming Network

Day 2

8:00 am – 9:00 am: Breakfast

9:00 am – 10:30 am: “Regulating Slot Accountability Systems: What Should the Regulator Know”, Peter Nikiper, Director of Technical Compliance, BMM

10:30 am – 10:45 am: BREAK

10:45 am – 12:30 pm: “Regulating Kiosks Throughout Your Property”, Sean Mason, Senior Director, Tribal Services

12:30 pm – 2:00 pm: BREAK

2:00 pm – 3:15 pm: “Essential Technical Information About Your Surveillance Systems”, Abe Martin, Owner, Casino Cryptology

3:15 pm – 3:30 pm: BREAK

3:30 pm – 5:00 pm: “Using Information: the Good, the Bad and the Ugly of DATA”, Abe Martin, Owner, Casino Cryptology

Day 3

8:00 am – 9:00 am: Breakfast

9:00 am – 10:30 am: “Information Technology and Regulations: What Should I Regulate and What Can I Regulate”, Billy David, Owner, Bo-Co-Pa & Associates

10:30 am – 10:45 am: BREAK

10:45 am – 12:15 pm: “Drafting Information Technology Regulations and Controls”, Billy David, Owner, Bo-Co-Pa & Associates, and Abe Martin, Owner, Casino Cryptology

10/21/24

Regulating Slot Systems IGA Masterclass

company confidential


Purpose

• What are the risks involved with Slot Systems?

• Balancing act: Risk vs. Compliance


What’s involved?

• History

• What are the parts of slot systems?

• Functionalities

• What areas are covered by other regulations?

• What are the established industry standards?


Slot Systems

• General Requirements
  • System Clocks and Time Synchronization


Slot Systems

• General Requirements
  • Program Verification


Slot Systems

• General Requirements
  • Communications


Slot Systems

• General Requirements
  • Significant Events


Slot Systems

• General Requirements
  • Reporting
    • Hand-pays
    • Fills/Credit
    • MEAL entries


Slot Systems

• Specialized Components
  • Slot Machine Interface Boards
  • Servers & Databases
  • Front-end Processors / Data Collectors
  • Workstations
  • Wagering Instruments
  • Tickets, Vouchers, & Coupons


SMIBs

• Slot Machine Interface Board (SMIB)
  • Located in each EGD
  • Communicates to the EGD via SAS
  • Proprietary protocol to system

• Requirements
  • Data retention
  • Communication
  • Location
  • Access


Front-end Processors / Data Collectors

• Aggregates communication from SMIBs
• Encrypted communication


Servers / Databases

• Heart of the slot system
• Stores all data from machines and connected equipment
• Processes all instructions and communication


Workstations

• Programs and software that allow staff to interact with the slot system
• Displays and prints reports


Ticketing?

• Slot ticketing included under GLI-13 instead of separate standards
• Nevada includes ticketing and cashless in Technical Standard #3


Cashless

• Lots of restrictions
• Regulations somewhat minimal
• Debit or ATM okay, but not credit


Kiosks

• GLI-20
• Cross between a gaming device and a system component
• Also, must figure in banking regulations if ATM functionality is included


Player User Interfaces

• GLI-28
• Allows access to player account and cashless controls using the EGD’s own screen instead of a SMIB screen and keypad.
• Can be part of the system’s SMIB or an additional component.
• Intercepts the video signal and touch controller from the slot machine.
• Increases casino and component complexity, simplifies player access


Additional Risks

• Remote Access
• Hacking
• Configuration and functionality creep
• User Access Lists and employee audits
• Passwords and authentication


Regulating Kiosks Throughout Your Property

What kinds of Kiosks


Overview

• Bill Breaking Kiosks
• Player Loyalty Kiosks
• Ticket redemption
• Attendant jackpot redemption
• Interactive Promotional Kiosks
• New Enrollment Kiosks
• Sport Wagering Kiosk
• Compliance and Security of Casino Kiosks


Bill Breaking Kiosks

A Bill Breaking Kiosk is a self-service machine found in most casinos that allows patrons to exchange large bills for smaller denominations. These kiosks offer convenience and efficiency, improving the customer experience by enabling quick access to the right amount of cash for gameplay. Here’s an overview:

Function: Breaks down large denomination bills (e.g., $100, $50) into smaller denominations like $20, $10, or $5.

Purpose: Allows players to obtain smaller bills for use in slot machines, table games, or other services without needing to visit a cashier.

Benefits:
• Provides convenience for players by reducing wait times.
• Enables faster access to cash for continued gameplay.
• Alleviates pressure on cashier windows, allowing staff to focus on other customer service needs.

Efficiency: Streamlines cash handling, allowing the casino to improve operational flow and guest satisfaction.


Player Loyalty Kiosks

A Player Loyalty Kiosk is a self-service machine found in casinos that allows players to access and manage their loyalty program accounts. These kiosks are part of a casino’s player rewards system, offering a convenient way for customers to check points, redeem rewards, and participate in promotions. Here’s a detailed overview:

Function: Provides players with access to their loyalty accounts, allowing them to check points, track rewards, and see available promotions.

Key Features:
• Point Balance Check: Players can quickly check their current loyalty points earned through gameplay.
• Reward Redemption: Redeem points for rewards such as free play, meals, hotel stays, or other perks.
• Promotion Access: Participate in exclusive promotions, giveaways, and sweepstakes offered through the loyalty program.
• Account Management: Players can update personal details and preferences directly at the kiosk.
• Tier Status: Check loyalty tier levels and see what benefits are associated with their current status.

Benefits:
• Convenience: Provides quick access to loyalty information without needing assistance from staff.
• Increased Engagement: Encourages more frequent interaction with the casino’s rewards program, boosting player retention and loyalty.
• Instant Rewards: Allows players to immediately redeem points for prizes or perks, enhancing customer satisfaction.
• Reduced Staff Workload: Frees up staff from routine loyalty inquiries, allowing them to focus on other guest services.

Overall, Player Loyalty Kiosks enhance customer experience by offering an efficient and user-friendly way to interact with casino loyalty programs.


Ticket Redemption

A Ticket Redemption Kiosk is a self-service machine commonly used in casinos to allow patrons to redeem TITO (Ticket-In, Ticket-Out) vouchers for cash. When players finish a gaming session at slot machines or electronic table games, they receive a ticket that can be exchanged for their winnings. The ticket redemption kiosk offers a quick and convenient way for players to cash out these tickets without needing to visit a cashier.

Key Features:
• Function: Allows players to insert their TITO vouchers and receive their winnings in cash immediately.
• Location: Strategically placed throughout the casino floor for easy access.

Benefits:
• Convenience: Players can quickly redeem tickets without waiting in line at cashier counters.
• Efficiency: Helps streamline operations by reducing the demand on cashier staff.
• Speed: Provides fast transactions, enabling players to redeem their winnings and return to the gaming floor quickly.

Overall, ticket redemption kiosks improve customer experience and operational efficiency in a casino.


Attendant Jackpot Redemption Kiosk

An Attendant Jackpot Redemption is a process used in casinos when a player wins a large jackpot that exceeds the automated payout limit of slot machines or gaming kiosks. In such cases, a casino attendant is required to verify the jackpot win and complete the payout manually. This often involves higher amounts of winnings that trigger certain thresholds, typically set by casino regulations or gaming machines, necessitating human intervention.

Key Features:
• Manual Verification: The attendant verifies the win by checking the machine and confirming the jackpot.
• Payout Assistance: The attendant processes the payout, which may involve cash, check, or a combination depending on the amount.
• Tax Reporting: For large jackpots, the attendant may assist with tax documentation, such as IRS Form W-2G for U.S. casinos.

Benefits:
• Security: Ensures that large payouts are handled securely and accurately.
• Compliance: Assures compliance with legal requirements for large wins.
• Personalized Service: Provides players with direct interaction and assistance, enhancing their experience.

Attendant jackpot redemptions are essential for ensuring the smooth and secure payout of large wins in a casino setting.


Interactive Promotional Kiosks

An Interactive Promotional Kiosk is a self-service machine in casinos designed to engage players with various promotional activities. These kiosks provide a platform for players to participate in sweepstakes, giveaways, contests, and other marketing initiatives, making it an essential tool for customer engagement and loyalty building.

Key Features:
• Participation in Promotions: Players can interact with ongoing promotions, such as raffles, spin-the-wheel games, or instant-win contests.
• Reward Redemption: Kiosks can also allow players to redeem promotional prizes, such as free play, meals, or merchandise.
• Account Integration: Often linked with the casino’s loyalty program, allowing players to earn or spend points while engaging in promotions.

Benefits:
• Enhanced Player Engagement: Keeps players entertained and involved, increasing their time spent in the casino.
• Increased Loyalty: Encourages repeat visits and deeper interaction with the casino's rewards and promotional system.
• Cost-Effective: Provides a digital platform for running promotions, reducing the need for physical materials or staffing.

These kiosks are an effective way to boost customer satisfaction and drive ongoing participation in casino promotions.


New Enrollment Kiosks

A New Enrollment Kiosk is a self-service machine in casinos that allows new players to quickly sign up for the casino's loyalty or rewards program. These kiosks simplify the enrollment process by enabling patrons to enter their personal details, create an account, and receive a loyalty card without needing assistance from staff.

Key Features:
• Self-Service Registration: Players can sign up independently by entering basic information such as name, address, and contact details.
• Immediate Loyalty Card Issuance: After enrollment, the kiosk can print a loyalty card that players can use to start earning points instantly.
• Promotional Offers: Some kiosks offer sign-up bonuses, such as free play or reward points, encouraging players to enroll.

Benefits:
• Convenience: Provides a quick and efficient way for new players to join the loyalty program without waiting in line.
• Increased Enrollment: By making the process fast and easy, casinos can increase participation in their loyalty programs.
• Reduced Staff Workload: Frees up casino staff from manual enrollment tasks, allowing them to focus on other guest services.

These kiosks help streamline player engagement and foster loyalty from new customers.


Sport Wagering Kiosk

A Sports Wagering Kiosk is a self-service machine that allows patrons to place bets on a variety of sporting events without the need to visit a traditional sportsbook counter. These kiosks are a convenient option for both novice and experienced bettors, offering an intuitive interface for browsing betting options, checking odds, and finalizing wagers. Sports wagering kiosks are typically found in casinos, racetracks, and other betting venues where sports betting is legal.

Key Features of a Sports Wagering Kiosk:

1. Betting Options:
  1. Single Game Bets: Bettors can place simple wagers on the outcome of a single game or match, choosing a winner or predicting an over/under score.
  2. Parlays: The kiosk allows players to combine multiple bets into a parlay, where the bettor must win all selected bets to receive a payout.
  3. Live Betting: Some kiosks provide live betting options, where players can place bets on games that are already in progress, adjusting to changing odds in real time.
  4. Prop Bets: In addition to traditional betting, kiosks often feature prop bets, which allow users to wager on specific player or team performances, such as who will score the first goal or how many yards a player will rush.


Sport Wagering Kiosk

2. Options:
• Single Game Bets: Bettors can place simple wagers on the outcome of a single game or match, choosing a winner or predicting an over/under score.
• Parlays: The kiosk allows players to combine multiple bets into a parlay, where the bettor must win all selected bets to receive a payout.
• Live Betting: Some kiosks provide live betting options, where players can place bets on games that are already in progress, adjusting to changing odds in real time.
• Prop Bets: In addition to traditional betting, kiosks often feature prop bets, which allow users to wager on specific player or team performances, such as who will score the first goal or how many yards a player will rush.

3. Access to Odds and Information:
• Real-Time Odds Updates: The kiosks display the latest odds, point spreads, and over/under totals, ensuring bettors have accurate and up-to-date information before placing a wager.
• Event Schedules: Players can view schedules for upcoming games, tournaments, and other sports events. Some kiosks also provide historical data and team/player statistics to help inform betting decisions.


Sport Wagering Kiosk

4. Payment Methods:
• Cash or Card Payments: Bettors can fund their wagers using cash, debit, or credit cards. Some kiosks may also allow players to use digital wallets or betting accounts connected to the casino’s system.
• Ticket-In, Ticket-Out (TITO): Bettors can use TITO tickets, which are commonly used in slot machines, to fund wagers or receive payouts. This feature provides seamless integration with the casino’s existing payment systems.

5. Ticket Issuance:
• After placing a bet, the kiosk issues a printed ticket that serves as proof of the wager. The ticket includes important details such as the bet amount, odds, and potential payout. Players must keep this ticket to redeem any winnings.


Sport Wagering Kiosk

Benefits of a Sports Wagering Kiosk:

1. Convenience:
  1. Self-Service: Players can place bets independently without needing assistance from sportsbook staff, making the process faster and more private.
  2. 24/7 Access: In many venues, sports wagering kiosks are available 24/7, giving players the ability to place bets at any time, even outside regular sportsbook hours.
  3. Reduced Wait Times: By offering an alternative to traditional sportsbook counters, kiosks help reduce long lines and improve the overall betting experience, especially during major sporting events.

2. Efficiency for Operators:
  1. Lower Operational Costs: Since kiosks are self-service, they reduce the need for additional staffing at sportsbook counters, allowing casinos and betting operators to manage higher volumes of bets with fewer resources.
  2. Increased Revenue: The ease of use and accessibility of kiosks often lead to higher betting volumes, as players are more likely to place bets when it’s convenient and fast.
  3. Scalability: Kiosks can be placed throughout a casino or venue, increasing the number of points where bets can be made, without the need to expand the physical sportsbook area.


Sport Wagering Kiosk

Compliance and Security:
• Regulatory Compliance: Sports wagering kiosks are typically integrated with the casino’s or sportsbook’s existing systems to ensure compliance with local gaming regulations. They are programmed to follow legal limits on bet amounts and ensure age verification protocols.
• Secure Transactions: Kiosks are designed with robust security features, including encryption and secure payment gateways, to protect players’ financial information and ensure safe transactions.


Compliance and Security of Casino Kiosks

Compliance:

Regulatory Compliance:
• Gaming Commission Requirements: Casino kiosks must adhere to the regulations set forth by local or national gaming authorities (e.g., state gaming commissions, tribal gaming agencies). These rules may cover aspects such as payout limits, transaction reporting, and game fairness.
• Payout Limits: Kiosks are often programmed to follow specific payout limits as mandated by law. For instance, any payout exceeding a certain amount may require manual approval or processing by casino staff.
• AML (Anti-Money Laundering) Laws: Kiosks must comply with AML regulations, tracking large transactions and flagging suspicious activity. Compliance with AML laws helps prevent the use of kiosks for illegal money laundering activities.
• Tax Reporting: In certain jurisdictions, kiosks are required to report large wins for tax purposes. For example, in the U.S., winnings above a certain threshold (e.g., $1,200) trigger the issuance of a W-2G tax form.
• Age Verification: In jurisdictions with age restrictions on gambling, kiosks should be integrated with age-verification systems. This can include ID scanning or linking to a player’s loyalty account to ensure only eligible patrons use the machines.

Auditing and Reporting:
• Regular Audits: Kiosks must undergo routine audits to ensure compliance with all regulatory standards. This includes verifying transaction accuracy, confirming payouts align with records, and checking for potential tampering or malfunctions.
• Reporting to Authorities: Kiosks must be programmed to generate reports that can be submitted to gaming regulators. These reports typically include information about transaction volumes, suspicious activities, and large payouts.


Compliance and Security of Casino Kiosks

Security of Casino Kiosks:

Transaction Security

Kiosks handle significant amounts of money and must ensure that all financial transactions are secure. This includes:
• Encryption: All transactions, whether they involve cash, credit/debit cards, or vouchers, should be encrypted using end-to-end encryption protocols. This ensures that sensitive financial information is protected from interception or unauthorized access.
• Secure Payment Systems: Casino kiosks must incorporate secure payment gateways to process transactions efficiently and safely. For example, TITO (Ticket-In, Ticket-Out) systems, cash dispensers, and card readers should all operate within secure frameworks to prevent fraud.

Fraud Prevention

Fraud is a major concern for casino kiosks. Fraud prevention measures include:
• Counterfeit Detection: Kiosks are equipped with software and hardware that detect counterfeit bills and fake or altered tickets. This ensures that only legitimate transactions are processed.
• Multi-Layer Authentication: For higher-value transactions, some kiosks require additional authentication, such as a PIN or biometric verification (e.g., fingerprint or facial recognition). This reduces the risk of fraud from unauthorized users attempting to redeem tickets or winnings.


Compliance and Security of Casino Kiosks

Physical Security
• Tamper-Resistant Design: Casino kiosks must be designed to resist tampering. If unauthorized access is attempted, the kiosk should automatically disable itself and trigger a security alert to notify the casino staff.
• Secured Cash Compartments: The cash or ticket storage compartments in kiosks must be locked and only accessible by authorized personnel. This ensures that cash deposits or large ticket redemptions are protected from internal theft or tampering.

Real-Time Monitoring and Alerts

Casino kiosks are often integrated into a centralized monitoring system that tracks their operation in real time. This allows casino operators to:
• Monitor Suspicious Activity: Any irregularities, such as frequent transaction failures, unusual transaction sizes, or tampering attempts, are flagged in real time. This enables security teams to respond quickly to potential fraud or technical malfunctions.
• Remote Troubleshooting: Casino operators can remotely diagnose and resolve certain technical issues, ensuring that kiosks are always functional and secure. In case of tampering, the kiosk can be disabled remotely.

Data Protection
• Secure Data Storage: Kiosks store personal and financial data, such as transaction histories and loyalty program details. This data must be securely stored and encrypted to prevent unauthorized access or breaches.
• Compliance with Data Protection Laws: In jurisdictions with stringent data protection laws like the GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act), kiosks must follow rules regarding data collection, storage, and sharing.
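The compliance thresholds from the earlier slide (payout limits needing manual approval, W-2G reporting, AML tracking of large transactions) and the real-time monitoring rules above (frequent transaction failures, unusual transaction sizes, tamper attempts) can be expressed as one small rules engine over the kiosk's event stream. The Python below is an added example written for this page; it is not code from the seminar, from any kiosk vendor or from a slot system. The $1,200 W-2G figure is the one the slide quotes; the manual-approval limit, the AML amount, the failure-streak length, the event format and the sample events are constructed assumptions.

```python
"""Kiosk transaction monitor (added example; not from the seminar deck).

Runs the compliance and monitoring rules from the slides over a constructed
stream of kiosk events: W-2G reporting, manual-approval payout limits,
AML large-transaction and aggregate flags, repeated failures, tamper alerts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds. $1,200 is the W-2G figure quoted on the slide; the rest are
# assumed placeholder values an operator would take from its own regulations.
W2G_THRESHOLD = 1200.00           # U.S. slot/kiosk win reporting (from the slide)
MANUAL_APPROVAL_LIMIT = 3000.00   # assumed: payouts above this need staff approval
AML_LARGE_TRANSACTION = 10000.00  # assumed: single or aggregated amount for AML review
FAILURE_STREAK = 5                # assumed: consecutive failures before alerting


@dataclass
class Event:
    ts: str
    kiosk: str
    kind: str            # "payout", "failure" or "tamper"
    amount: float = 0.0  # payout amount in dollars (payout events only)
    patron: str = ""     # loyalty account or ID-scan reference (payout events)


Finding = Tuple[str, str, str]  # (kiosk, rule, detail)


def evaluate(events: List[Event]) -> List[Finding]:
    """Apply every rule to the event stream and return the findings in order."""
    findings: List[Finding] = []
    streak: Dict[str, int] = defaultdict(int)            # consecutive failures per kiosk
    patron_total: Dict[str, float] = defaultdict(float)  # aggregated payouts per patron
    aggregate_flagged = set()

    for e in events:
        if e.kind == "tamper":
            # Physical security: disable the kiosk and alert staff immediately.
            findings.append((e.kiosk, "TAMPER_ALERT", f"{e.ts}: disable kiosk, notify security"))
            streak[e.kiosk] = 0
            continue

        if e.kind == "failure":
            # Frequent transaction failures may be a malfunction or a fraud attempt.
            streak[e.kiosk] += 1
            if streak[e.kiosk] == FAILURE_STREAK:
                findings.append((e.kiosk, "REPEATED_FAILURES",
                                 f"{e.ts}: {FAILURE_STREAK} consecutive failures"))
            continue

        # A successful payout resets the kiosk's failure streak.
        streak[e.kiosk] = 0
        amount = f"${e.amount:,.2f}"

        if e.amount >= W2G_THRESHOLD:
            findings.append((e.kiosk, "W2G_REQUIRED", f"{e.ts}: {amount} to {e.patron}"))
        if e.amount > MANUAL_APPROVAL_LIMIT:
            findings.append((e.kiosk, "MANUAL_APPROVAL_REQUIRED",
                             f"{e.ts}: {amount} exceeds kiosk payout limit"))
        if e.amount >= AML_LARGE_TRANSACTION:
            findings.append((e.kiosk, "AML_LARGE_TRANSACTION", f"{e.ts}: {amount} to {e.patron}"))

        # AML also cares about several smaller payouts that add up to a large total.
        patron_total[e.patron] += e.amount
        if (patron_total[e.patron] >= AML_LARGE_TRANSACTION
                and e.amount < AML_LARGE_TRANSACTION
                and e.patron not in aggregate_flagged):
            aggregate_flagged.add(e.patron)
            findings.append((e.kiosk, "AML_AGGREGATE",
                             f"{e.ts}: {e.patron} total ${patron_total[e.patron]:,.2f}"))
    return findings


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by rule name (what a shift report would show)."""
    return dict(Counter(rule for _, rule, _ in findings))


# Constructed sample events for one morning on a casino floor.
SAMPLE_EVENTS = [
    Event("2024-10-21T10:00:00", "K01", "payout", 850.00, "P1"),    # below every threshold
    Event("2024-10-21T10:05:00", "K01", "payout", 1500.00, "P2"),   # W-2G
    Event("2024-10-21T10:10:00", "K02", "failure"),
    Event("2024-10-21T10:11:00", "K02", "failure"),
    Event("2024-10-21T10:12:00", "K02", "failure"),
    Event("2024-10-21T10:13:00", "K02", "failure"),
    Event("2024-10-21T10:14:00", "K02", "failure"),                 # fifth in a row: alert
    Event("2024-10-21T10:20:00", "K03", "payout", 4200.00, "P3"),   # W-2G, manual approval
    Event("2024-10-21T10:25:00", "K01", "payout", 12000.00, "P4"),  # W-2G, manual, AML large
    Event("2024-10-21T10:30:00", "K02", "tamper"),                  # tamper alert
    Event("2024-10-21T10:40:00", "K04", "payout", 6000.00, "P5"),   # W-2G, manual
    Event("2024-10-21T10:45:00", "K04", "payout", 5000.00, "P5"),   # W-2G, manual, AML aggregate
]

if __name__ == "__main__":
    for kiosk, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{kiosk} {rule:26} {detail}")
    print(rule_counts(evaluate(SAMPLE_EVENTS)))
```

The engine is deliberately stateless beyond two counters so it can run on the kiosk itself or in the central monitoring system; the aggregate rule is the one worth keeping centrally, since a patron can split redemptions across several kiosks.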


Compliance and Security of Casino Kiosks

Regular Audits and Maintenance
• Software and Hardware Updates: To ensure kiosks remain secure, casinos must regularly update kiosk software with the latest security patches and maintain their hardware. This prevents vulnerabilities that could be exploited by hackers or fraudsters.
• Routine Audits: Regular audits should be conducted to check for discrepancies, transaction errors, and compliance with gaming and security protocols. This ensures that any potential security lapses are identified and resolved promptly.

Conclusion
• Ensuring the compliance and security of casino kiosks is crucial for maintaining the integrity of the casino’s operations and safeguarding patrons. Compliance with gaming laws, robust fraud prevention, encryption protocols, and physical security measures all contribute to a secure and trustworthy gaming environment. By adhering to these standards, casinos can protect their financial interests, uphold their regulatory obligations, and ensure a safe and fair experience for their customers.


Penetration testing – What is it?

A penetration test, often referred to as a pen test, is a cybersecurity practice designed to assess and evaluate the security of computer systems, networks, applications, or other information technology environments. The primary objective of a penetration test is to identify vulnerabilities and weaknesses that could be exploited by malicious actors to gain unauthorized access, disrupt services, or compromise data integrity. Pentesting involves simulated attacks on a system to assess its resilience and security controls.


Penetration testing – Planning and Scoping

Planning and scoping are crucial phases in the penetration testing process as they set the foundation for the entire assessment. These initial steps help define the goals, objectives, and boundaries of the test, ensuring that the testing team and the organization being tested are aligned in terms of expectations and objectives.

• Define Objectives: Clearly articulate the objectives of the penetration test. This may include identifying vulnerabilities, testing specific security controls, evaluating incident response procedures, or assessing the overall security posture.
• Identify Stakeholders: Determine the key stakeholders involved in the penetration test. This includes IT, security teams, management, legal, and any other relevant departments. Establish communication channels and ensure that all stakeholders are aware of the testing goals.
• Scope Definition: Clearly define the scope of the penetration test. Specify the systems, networks, applications, and other assets that are in scope for testing. Determine any out-of-scope areas that should not be tested to avoid unintended disruptions.


Penetration testing – Planning and Scoping

• Rules of Engagement: Establish rules of engagement that outline the boundaries and limitations of the penetration test. Define what actions are permissible and what actions are prohibited. Specify the testing team's approach to exploiting vulnerabilities, interacting with systems, and handling sensitive information.
• Testing Methods and Techniques: Discuss and agree upon the testing methods and techniques to be used during the assessment. This may include automated scanning tools, manual testing, social engineering, and other tactics. Tailor the approach to the organization's risk tolerance and the desired depth of the assessment.
• Communication Plan: Develop a communication plan to keep stakeholders informed throughout the penetration test. Establish reporting timelines, methods of communication, and escalation procedures for critical findings. Regular updates help manage expectations and address concerns.
• Documentation Requirements: Clearly outline the documentation requirements for the penetration test. This includes reports, logs, and any other records that will be generated during the assessment. Ensure that all documentation complies with the organization's policies and regulatory requirements.


Penetration testing – Planning and Scoping

• Testing Schedule: Establish a testing schedule that aligns with the organization's operational requirements. Coordinate with relevant teams to minimize potential impact on business operations while ensuring that the test is thorough and effective. Clearly communicate testing windows to minimize surprises.
• Post-Test Activities: Establish a testing schedule that aligns with the organization's operational requirements. Coordinate with relevant teams to minimize potential impact on business operations while ensuring that the test is thorough and effective. Clearly communicate testing windows to minimize surprises.
• Continuous Improvement: After completing the penetration test, conduct a debriefing session to gather feedback from both the testing team and the organization. Use this feedback to continuously improve the penetration testing process and enhance overall cybersecurity measures.


Penetration testing – Types of Testing

• External Testing
• Internal Testing
• Web Application Testing
• Wireless Testing
• Social Engineering Testing


Penetration testing – External Testing

External penetration testing, often simply called external network penetration testing, focuses on assessing the security of an organization's external-facing systems, networks, and applications. The goal is to identify vulnerabilities that malicious actors could exploit from the outside to gain unauthorized access, disrupt services, or compromise sensitive information.


Penetration testing – Internal Testing

Internal penetration testing focuses on evaluating the security of an organization's internal network, systems, and applications. Unlike external penetration testing, which assesses external-facing assets, internal penetration testing simulates attacks that could occur from within the organization's network. The goal is to identify vulnerabilities that could be exploited by an insider or an external threat actor who has gained access to the internal network.


Penetration testing – Web Application Testing

Web application testing is a critical process in ensuring the security, functionality, and reliability of web-based software. Testing helps identify vulnerabilities, assess the application's performance, and ensure that it meets user expectations.


Penetration testing – Wireless Testing

Wireless penetration testing, also known as wireless pen testing or WiFi penetration testing, focuses on evaluating the security of wireless networks and their associated components. The goal is to identify vulnerabilities in wireless infrastructure that could be exploited by attackers to gain unauthorized access, intercept communication, or compromise the confidentiality and integrity of data.

Wireless penetration testing is essential for organizations that rely on wireless networks to ensure the confidentiality and integrity of their data. Regular testing helps identify and address security weaknesses, contributing to a more secure wireless infrastructure.


Penetration testing – Social Engineering Testing

Social engineering testing involves assessing an organization's susceptibility to manipulation and deception by simulating various techniques used by malicious actors to exploit human psychology. The goal is to identify potential vulnerabilities in human behavior, awareness, and security practices. Unlike typical penetration testing, social engineering penetration testing is about exploiting human psychology and social interaction rather than technical security controls or system vulnerabilities. The tester's aim is to persuade another human into granting access to the target’s environment.

This is a critical component of a good cybersecurity program, as it addresses the human factor in security. Regular testing helps organizations strengthen their employees' awareness, resilience to manipulation, and overall security posture against social engineering threats.


Penetration testing – Social Engineering Testing

Different types of Social Engineering:

• Phishing:
  • Definition: Phishing involves sending fraudulent emails, messages, or websites that appear to be from a trustworthy source. The goal is to trick individuals into revealing sensitive information, such as login credentials or financial details.
  • Example: A phishing email claiming to be from a bank, requesting the recipient to click on a link and provide their account credentials.
• Vishing (Voice Phishing):
  • Definition: Vishing involves using voice communication, often through phone calls, to manipulate individuals into divulging sensitive information. Attackers may impersonate trusted entities or use urgent scenarios to create a sense of urgency.
  • Example: A phone call claiming to be from IT support, requesting the user's password for system maintenance.
• Impersonation:
  • Definition: Impersonation occurs when an attacker poses as a trusted individual or entity to deceive individuals. This can involve pretending to be a coworker, a service technician, or a delivery person to gain access or information.
  • Example: An individual dressed as a maintenance worker gaining entry to a secure building by claiming to fix a non-existent issue.


Penetration testing – Social Engineering Testing

• Baiting:
  • Definition: Baiting involves leaving physical devices, such as infected USB drives, in places where they are likely to be found. The goal is to entice individuals to use the devices, compromising the security of their systems.
  • Example: Leaving USB drives with malware in a public area, relying on someone finding one and plugging it into a computer.
• Quizzes and Surveys:
  • Definition: Attackers may use fake quizzes, surveys, or contests to collect personal information from individuals. These deceptive forms may appear harmless but can lead to data theft.
  • Example: A social media quiz requesting personal information, which is then used for identity theft or account compromise.
• Pretexting:
  • Definition: Pretexting involves creating a fabricated scenario or pretext to trick individuals into divulging information. This often includes gaining their trust by posing as a legitimate authority or service provider.
  • Example: An attacker posing as an IT support technician, claiming to need account information for a system upgrade.


Penetration testing – Social Engineering Testing

• Tailgating (Piggybacking):
  • Definition: Tailgating occurs when an unauthorized person follows an authorized individual into a secured area without proper authentication. This exploits the natural inclination to hold doors open for others.
  • Example: Someone without an access badge following closely behind an authorized employee through a secure entrance.
• Human-Based Impersonation Attacks (HBIAs):
  • Definition: HBIA involves attackers employing human-like characteristics in automated messages or AI-based interactions to deceive individuals. This technique combines social engineering with technology.
  • Example: A chatbot that mimics human communication to trick users into providing sensitive information.
• Reverse Social Engineering:
  • Definition: In reverse social engineering, the attacker persuades the target to initiate contact, making it appear that the target is seeking help or information.
  • Example: An attacker posts a fake job opening online, prompting individuals to send their resumes and personal information.


Cybersecurity – What Is a “Cybercrime”?

• Generally defined as any criminal activity where a computer or network is the agent of the crime, the facility of a crime, or the target of a crime.
• Examples of cybercrime a casino or casino regulator might be the target of:
  • A computer virus installs a key logger. The logger captures usernames and passwords used to access the systems.
  • A system user is victimized by a phishing attack. In a phishing attack, the user is directed to click a link that installs malicious software or to divulge information that could compromise the system. The attack is usually structured such that the victim thinks what they are doing is legitimately necessary.


Cybersecurity – Attacks

• William Hill
  • A phishing attack hit William Hill in 2020. The criminals used malicious emails to get the login credentials of employees, and with access to employees' information they easily gained entry to the company's data. This attack again showed how essential employee training programs are and highlighted the need to raise awareness among casino providers.
• MGM and Caesars
  • MGM Resorts was compromised by Russian-linked ALPHV, also known as BlackCat, through a phone call impersonating an employee on the IT staff. They found an employee to impersonate on LinkedIn. The attack was due to a multi-layered social engineering scheme executed by the hacking group Scattered Spider. ALPHV claimed to have initially infiltrated MGM's network by exploiting vulnerabilities in the global casino owner's Okta Agent without deploying any ransomware. The hack exposed names, addresses, and passport numbers of former guests, but MGM said it was "confident" no financial information had been exposed.


Cybersecurity – Attacks

• SolarWinds cyberattack (2020)
  • A cyberattack on an unprecedented scale, the Sunburst attack on SolarWinds, a major software company based in Tulsa, Oklahoma, sent shockwaves through America in 2020. The attack entailed a supply chain breach involving SolarWinds' Orion software, which is used by many multinational companies and government agencies.
• WannaCry ransomware attack (2017)
  • Carried out in the same year as NotPetya and, like NotPetya, propagated via the Windows exploit EternalBlue, which was stolen and leaked a few months prior to the attack. Many of the organizations that fell victim to WannaCry had yet to implement recently released patches that were designed to close the exploit.
• Florida water system attack (2021)
  • A troubling reminder that outmoded tech can provide hackers with an easy entrance point onto an otherwise sophisticated network. In the case of this attack on a water treatment facility in Oldsmar, Florida, an old PC running Windows 7 with no firewall enabled a hacker to gain access and increase the amount of sodium hydroxide in the water by a factor of 100. The breach could have been catastrophic had it not been caught in time.


Cybersecurity – Attacks

• RockYou (2009)
  • RockYou, a Redwood City, Calif. developer of popular social media games like Gourmet Ranch and Zoo World, disclosed in Dec. 2009 a breach of a user database that exposed the personal identification data and passwords of some 32 million registered users.
  • The breach was considered particularly egregious by some because the password data had been stored in plain text instead of being hashed, as is common practice.
• RockYou (2021)
  • When a user posted an enormous 100GB TXT file on a popular hacker forum in June 2021, they claimed that it contained 82 billion passwords. Tests later found that there were in fact 'only' 8.4 billion passwords in the file.
  • Named after the original RockYou breach of 2009, RockYou2021 appeared to be a mind-bendingly huge password collection. 8.4 billion passwords equates to two passwords for every online person in the world (it's estimated that there are 4.7 billion people online).


Cybersecurity – Attacks: Strong Passwords

• Use a mix of characters:
  • A secure password must include a mix of upper and lowercase letters, numbers, and symbols. This makes it more difficult for hackers to guess passwords through brute-force attacks.
• Avoid easily guessable information:
  • Many people still use easily guessable passwords. Avoid using information such as your name, birthdate, or common words. This information can be easily obtained through social media or other online sources.
• Length matters:
  • The longer the password, the stronger it is. It is recommended to use a password length of at least 8 characters, but ideally passwords should be 12 or more characters long. This recommendation is based on research that shows longer passwords are more difficult to crack. Aim for a password length of at least 12 characters; this makes it more difficult for hackers to guess the password through brute-force attacks.
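The three password rules above, together with the RockYou lesson that passwords must be stored hashed rather than in plain text, as an added example in Python (not from the slides or the presenter). The policy values, the short common-word list, and the sample passwords are constructed for the demo; a real deployment would screen against a full breached-password list.

```python
"""Password-policy check and salted-hash storage (added example, not from the slides).

Assumptions: the policy encodes the slide's three rules (character mix, no
personal or guessable information, length of at least 12); the common-word
list is a constructed sample. A real deployment would screen against a
breached-password list such as the one the RockYou data became.
"""
import hashlib
import hmac
import os
import string
from typing import Optional

MIN_LENGTH = 12
# Constructed sample list of guessable words.
COMMON_WORDS = ("password", "welcome", "casino", "qwerty", "letmein", "123456")


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for item in personal_info:  # e.g. surname, birth year, as the slide warns
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a salted PBKDF2-SHA256 hash; store (salt, digest), never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    for candidate in ("Summer2024", "casino!Jones1990", "Tr0ub4dor&Horse-Battery"):
        print(candidate, "->", check_password(candidate, ("Jones", "1990")) or "OK")
    salt, digest = hash_password("Tr0ub4dor&Horse-Battery")
    print("stored:", salt.hex(), digest.hex()[:16] + "...")
    print("verify wrong password:", verify_password("Summer2024", salt, digest))
```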


Cybersecurity – Attacks Strong Passwords


Penetration testing – Exploitation

Exploitation is a phase in penetration testing where security professionals attempt to take advantage of identified vulnerabilities or weaknesses to gain unauthorized access, escalate privileges, or compromise systems. This phase is crucial for simulating real-world attacks and demonstrating the potential impact of security vulnerabilities. Security professionals use a variety of exploitation techniques to take advantage of identified vulnerabilities. These techniques can include:

• Code Injection: Exploiting vulnerabilities that allow the injection of malicious code into systems or applications.
• Privilege Escalation: Leveraging weaknesses to escalate user privileges, gaining higher levels of access than initially granted.
• Brute Force Attacks: Trying multiple combinations of usernames and passwords to gain unauthorized access.
• File and Data Manipulation: Exploiting vulnerabilities to manipulate files or access sensitive data.
• SQL Injection: Injecting malicious SQL queries to manipulate or extract information from databases.
• Cross-Site Scripting (XSS): Injecting malicious scripts into web applications to compromise users.
• Buffer Overflow: Exploiting vulnerabilities that allow the overflow of data buffers to execute arbitrary code.
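The SQL injection item above, shown as an added example (not from the slides or the presenter): the same untrusted input is run through a lookup that pastes it into the SQL text and through one that binds it as a parameter, which is the remediation a tester would recommend. The SQLite table and its single row are constructed here.

```python
"""Vulnerable versus parameterized database lookup (added example, not from the slides).

Assumptions: an in-memory SQLite table of users, constructed here, and a
username lookup of the kind a tester would probe for the SQL injection
weakness the slide lists. Both functions receive the same untrusted input.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'superuser')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is pasted into the SQL text, so a quote in the
    # input changes the query's structure instead of staying data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding sends the value separately from the SQL text; the
    # same input is matched literally and returns no row.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# The textbook tautology input a tester uses to demonstrate the flaw.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))  # returns the admin row
    print("hardened:  ", lookup_hardened(db, PROBE))    # returns []
```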


Penetration testing – Remediation

The remediation phase in penetration testing is a critical step that follows the identification and exploitation of vulnerabilities. Once vulnerabilities have been successfully exploited, the focus shifts to providing recommendations and guidance on how to address and mitigate these security weaknesses. This is a collaborative effort between the penetration testing team and the organization's IT and security teams. The goal is to improve the organization's security posture by addressing vulnerabilities, implementing best practices, and fostering a proactive approach to cybersecurity.


Penetration testing – Continuous Testing

Continuous testing, often referred to as continuous penetration testing or continuous security testing, is an approach that involves regularly and systematically assessing an organization's systems, applications, and networks for security vulnerabilities. Unlike traditional penetration testing, which is often conducted periodically, continuous testing is an ongoing process integrated into the organization's development and operational lifecycle. Encourage the implementation of continuous security awareness training. Provide feedback on successful and unsuccessful social engineering tests to help the organization continuously improve its defenses against such attacks.


Penetration testing – Security Awareness Training

Security awareness training is a crucial component of an organization's overall cybersecurity strategy. It aims to educate employees and users about potential security risks, best practices, and the importance of being security-conscious. While security awareness training is not a direct part of penetration testing, it complements the testing process by helping individuals recognize and avoid social engineering attacks. Developing and implementing robust network security training policies and procedures is a proactive measure that helps mitigate security risks and build a security-aware culture within the organization.


Penetration testing – Security Awareness Training

Specify the content that will be covered in network security training. This may include topics such as:

• Identification of common cyber threats (e.g., phishing, malware, social engineering).
• Best practices for password management and authentication (e.g., STRONG PASSWORDS).
• Secure use of network resources, devices, and communication tools.
• Reporting procedures for security incidents and suspicious activities.
• Compliance with organization-specific policies and industry regulations.
• Training for physical security personnel.


Penetration testing – Questions


Essential Technical Information About Your Surveillance Systems

Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com

21st Century Surveillance…

Video Credit: Tyler Newell/YouTube


The part we know (imagine)

Image Credit: freepik

Tools

• Technicians (tech staff) need the right tools.

Image Credit: Russel Brunson


Simple System Diagram

Chairs….yep….chairs

• Considerations for surveillance chairs:
  • Cost – think like insurance
  • 24-hour task chairs
  • Steel frame (+ weight capacity)
  • Height/width
  • Arms?
  • Adjustable parts
  • Wheels
  • Warranties

Image Credit: tenor


Keep it hot….

• Uninterrupted power supplies (UPS) are required, but what about:
  • Redundancy – UPS at the workstation + generator
  • Conditioned power
  • Additional UPS

Keep it cool….

• Surveillance systems, particularly servers (rooms), generate a LOT of heat but are healthiest in cool temperatures
• Cooling systems should be redundant AND alternating

Consoles

• Built to support more weight than normal desks
• Designed to house/conceal equipment and wires
• Plan installations to ensure good airflow
• Should be cleaned regularly
• Keep the dang doors on

Image Credit: Winsted

Monitors

• Size matters, but bigger isn't always better
• Careful consideration for mounting height and tilt in relation to user(s)
• Consumer grade monitors are cheaper but come with unwanted features
• Cabling and overall aesthetic


Video Management Systems

• VMS is essentially just software, some with required hardware
• All have system requirements that may include other devices
• ONVIF = Open Network Video Interface Forum
  • Standards that allow devices from different manufacturers to communicate and work together
• Always consider overall performance needs AND growth

Servers

• "Server" is a generic term for a computer that provides resources to other computers
• They can come in many shapes and sizes
• Important to consider:
  • Total storage, virtual machines, hard drive compatibility, and warranties

Image Credit: MojoSystems


Servers/storage

• Virtual machines are software-based servers, allowing multiple functions from the same device
  • Operating system(s)
  • Active Storage
  • Archive Storage
  • Alarms or Analytics
• Redundant Array of Independent Disks (RAID)

Image Credit: MojoSystems

Switches

Image Credit: lantronix

• Important considerations:
  • Redundancy, passive/managed, PoE, camera (zone) distribution


Cables/connectors

Image Credit: cablematters

Wireless video

• Absolutely, positively, MUST be secure
• Older solutions are not as reliable as they used to be
• Environment can play a huge role in quality
• Additional hardware is often needed

Image Credit: radwin

Cameras

• There is a type of camera for nearly every application; make sure your team has the right one(s)
• Consider setting standards that address features
  • Audio
  • Night vision
  • Privacy zones
  • Frame rate(s)
  • Analytics
  • Preventive Maintenance

Image Credit: securitysales


Finished Product

Video Credit: KDKA CBS Pittsburgh


Using Information: Good, Bad and Ugly of Data

Abe Martin, CFE, CSP abe@casinocryptology.com 931-CRYPTIC (279-7842) www.casinocryptology.com


Pattern Recognition

Image Credit: 4pics1word.ws


If you only remember one thing today…

PROCESS > OUTCOME


Dam all that data!

Image Credit: Rehan van der Merwe


Ethical considerations

Privacy Protection

Data analysis in casino surveillance must prioritize the protection of customer privacy. Sensitive information like personal details, gaming habits, and financial transactions should be handled with utmost care, adhering to strict data protection regulations and ensuring responsible data usage.

Transparency and Accountability

Transparency and accountability are crucial in any data-driven system. Clear guidelines should be established for data collection, analysis, and usage, along with mechanisms for oversight and accountability to ensure ethical and responsible data practices.

Discrimination and Bias

It's essential to address potential biases in data analysis. Algorithms should be developed and implemented in a way that avoids discriminatory practices or unfair profiling of individuals based on sensitive characteristics like race, gender, or ethnicity.

Data Security

Data security measures should be robust to protect sensitive information from unauthorized access, breaches, and misuse. Implementing strong security protocols, encryption, and regular audits ensures the integrity and confidentiality of collected data.

Analysis or intelligence?

"Data analytics" is generally viewed as more exploratory in practice and methodology, aiming to answer more open-ended questions by identifying probabilities and/or patterns.

"Business Intelligence" does not usually try to solve a problem. Instead, the goal is to provide a clear, concise and objective observational report. In either case, consider segregating duties.