Thu, Sep 10, 2015
From movie theaters to amusement parks to myriad types of other entertainment venues, the entertainment industry has been justifiably focused on physical attacks and terrorist threats. However, another insidious form of attack exists, one that can drain assets, create a public relations nightmare and make patrons feel uncertain and insecure when going to an amusement park or entertainment center. The source of all this trouble? Hackers with a ticket to the show.
Cyber thieves can take advantage of the fact that amusement parks and entertainment centers not only have multiple point of sale (POS) terminals, but also, depending on the industry and the group, these various payment systems can be managed in multiple ways.
These multiple systems can leave gaps in oversight if not properly managed. It’s tempting for senior management to either rely on their own internal IT resources, or to rely on an external POS vendor in order to assess and review this risk. Just as a prudent company audits their books, a prudent executive must exercise meaningful oversight over these resources and vendors.
High-value targets require high-level oversight
Entertainment venues need to view their POS systems as one of the highest-value targets for intruders, thieves or those who would seek to disrupt the venue. For example, an entertainment center that was forced to rely on cash for any period of time, however short, would see a significant drop in revenue.
A multitude of issues and nexus points affect POS system security. These issues range from who has control and who is responsible for security when dealing with outside vendors, to the fragility and constant need for these systems to be operational. There is also a temptation for senior management to view POS systems as things “we will fix as we go.”
Unfortunately, you can be sure that hackers are all too aware of these issues in the entertainment industry and are actively looking for any gap or vulnerability they can turn to their advantage.
Senior management can go a long way toward neutralizing this threat, however, by taking an active role in reviewing and assessing POS system security.
Seven questions senior management should ask about POS system security
Depending on the type of POS system and the relationship between the company and the POS system, whether it is (a) provided by a vendor, (b) run by a vendor but using the organization’s IT, or (c) run by the park or center itself, there are different series of questions that need to be asked by senior management within the entertainment park/complex industry. The following seven questions, however, will provide fundamental information that senior management can use to better protect their organizations:
1. What steps are we taking in order to protect the networks and endpoints on which our POS systems rely?
2. What have we done to validate that these steps work?
3. Have we reviewed the protections and plans implemented by others who have connections to our networks that can access our POS systems?
4. Are our POS systems running on vulnerable platforms (e.g., are we using a Windows XP machine to run a POS)?
5. What organizations and information sources are the people who are responsible for our POS systems connecting to or working with?
6. Do we have a plan, as well as the staff, in place should we have an issue with our POS system, and how quickly can we react to a problem?
7. In addition to the security of the POS system, have we looked at the different ways that an attacker or insider could gain access to these systems and steal, manipulate or disrupt data?
These questions are designed to help senior management within amusement parks and entertainment centers ensure that they are taking the right steps to review and validate their POS systems. They are also questions that the board should be asking, and that outside regulators could potentially be asking should issues arise.
Owning the responsibility for POS system security
Ultimately, when an incident occurs, senior management will be held accountable for POS system security. If you are a senior executive at an amusement park or entertainment center, have you actually read the report from the most recent PCI audit done? Or was that “someone else’s job”?
If your payment card system is supplied by a vendor, have you asked for and read their most recent PCI investigation report? Or was that, too, “someone else’s job”?
Given the current state of the threat landscape and the constant attacks on POS systems, executives who fail to understand these issues will find that their job, too, becomes someone else’s job.