Essay / Hilton US Hotels IT Security Assessment
Hilton Hotels: Cybersecurity Risk Analysis

“There are only two types of businesses: those that have been hacked and those that will be hacked.” Robert Mueller, Director of the FBI, 2012.

Cybersecurity has become a major concern for many businesses, and new challenges emerge every day. Hilton Hotels faces these challenges daily, which creates an urgent need to identify, assess and respond to the associated risks. As a leading competitor in the hospitality industry, we are constantly under attack from cybercriminals. We are not alone in this: there have been numerous successful attacks against other players in our industry, resulting in considerable financial losses and concern among stakeholders. We must act, as a whole, to implement an appropriate course of action.

What are the chances of a cyberattack hitting our organization? Is it possible that cybercriminals are currently in our systems? If so, who represents our greatest risk?

The chances of a cyberattack hitting our organization are better than even. In today's technology-driven world there are so many threats that the question is not whether we will be attacked, but when. Wherever payment card information or other sensitive data is stored, there is a high probability of breaches aimed at acquiring or modifying that data. There is also a high probability that cybercriminals are in our systems right now: many recent breaches were found to have been under way for months or even years before they were detected. Our greatest risk is the unpredictability and lack of skill of the end users of our database and IT systems. Employees accessing our network from personal devices present a further risk.
Given the sophistication of today's personal and mobile computers, and the added complexity of cloud server technology, it is more difficult than ever not only to prevent cyberattacks but also to detect them. dissatisfied employees, according to a 2013 mathematical study by City University of London. Research also indicates that the main sources of these infections have been personal computing devices brought into the workplace and/or connected to the company's information system. The probabilities from that study are tabulated on page two. The study notes that these figures are based on a sample and cannot give the true probabilities of a cyberattack, because it is impossible to parameterize every variable that could lead to a security breach. The likelihood of a cyberattack against us is therefore probably greater than these figures indicate, given the nature and scale of the personal information for which we are responsible.

In 2012 the FTC filed a complaint against Wyndham Hotel Group over what is now known as one of the worst cybersecurity breaches of all time. Between 2008 and 2009 Wyndham allowed three separate instances of unauthorized access to its computer network and property management servers, which held guests' payment card account numbers, expiration dates and security codes. 619,000 customer account numbers were compromised, leading to $10.6 million in fraudulent charges.

Breach 1: In April 2008, intruders broke into the local computer network of a hotel that was connected to the Internet and to its property management system. Over the following month the intruders used a brute-force attack to compromise an administrator account; their attempts locked out 212 user accounts before they succeeded. Because Wyndham's computer inventory was inadequate, it could not locate the computers that were causing the lockouts and remained unaware of the state of its compromised network for four months.
Additionally, because of inadequate security measures between each hotel's system and the corporate system, once the intruders had the administrator account they were able to reach the property management systems of several Wyndham hotels. The server operating system used by the hotel was outdated and no longer supported by its vendor, so it had received no security updates for three years. After gaining access to multiple servers, the intruders installed memory-scraping malware to capture card data while payments were being processed. Besides stealing data in flight, they also accessed and stole files containing unencrypted account information. By breaking into one hotel's network, the intruders reached forty-one separate hotels and stole the account information of more than 500,000 cards.

Breach 2: In March 2009, intruders again entered the network, this time through the administrator account of a service provider. In addition to using the same memory-scraping malware to steal information from the servers of more than thirty hotels, they reconfigured Wyndham's software so that its systems wrote unencrypted files of account data for all guests of the affected hotels. As a result, 50,000 customer accounts were accessed and used for fraudulent charges. Wyndham staff discovered the breach only when numerous customers filed complaints.

Breach 3: In late 2009, intruders again gained access to the Wyndham network via an administrator account. Because nothing had been done to limit access between and among Wyndham hotels, the intruders again used the same memory-scraping malware to steal the account information of 69,000 guests at twenty-eight hotels. Again Wyndham did not detect the intrusion itself; it was notified by a payment card company. (https://consumermediallc.files.wordpress.com/2015/08/120626wyndamhotelscmpt.pdf)

Cybersecurity represents a large part of our organization's risk assessment and plays an important role in ensuring that our objectives are met.
Cyber risk assessment plays a key role in management decisions about control activities: what is protected and how it is protected. We must evaluate likely attack methods and prepare defensive strategies in response. As the probability table above shows, attacks can be internal or external in origin. We must implement preventive and detective controls, including general information technology controls, and these controls will only be effective if a report is triggered whenever a control indicates a problem. To ensure timely action when a breach is suspected, a map of who must be notified should be drawn up. As we saw with Wyndham Hotels, the breaches lasted for months without anyone knowing. Through active controls and effective communication we can mitigate these risks.

First, we must “establish ownership of the problem on an interdepartmental basis.” A senior officer with interdepartmental authority, other than the CIO, should lead a team. Next, we should “appoint a cross-organizational cyber risk management team, comprised of representatives from all relevant departments,” which meets regularly and reports to the board. Leaders must track and communicate quantifiable measures of the business impact of cyber threat risk management efforts, and internal audits of its effectiveness should be conducted quarterly. Next, we must “develop and adopt an organization-wide cyber risk management plan and internal communications strategy across all departments and business units.” All stakeholders must participate in developing the plan and feel “involved.” Finally, we must “develop and adopt an overall budget for cyber risks including sufficient resources.” Because cybersecurity affects the entire organization, its budget must reflect that and not be tied to a single department.
We also need to ask ourselves the following questions: What data, and how much data, are we willing to lose or see compromised? How should our investment in cyber risk mitigation be divided between basic and advanced defenses? What options are available to transfer certain cyber risks? (https://na.theiia.org/standards-guidance/Public%20Documents/NACD-Financial-Lines.pdf)

We should consider the following controls:
1) Identify the highest-risk touchpoints and ensure we have appropriate firewalls between individual hotel systems and the corporate system.
2) Educate our employees on the procedures that prevent cyberattacks against our business.
3) Develop or purchase software that reconciles each day's changes in information against a master file and notifies the appropriate managers when data has been changed or extracted during that period.
4) Areas requiring a password should be limited to three login attempts; exceeding this threshold should suspend the account and notify the appropriate officials.
5) After five account suspensions, an alert carrying the inventory number and IP address of the source machine should be sent to the relevant managers.

Once the suggested controls are implemented, management should monitor them as follows:
1) There should be ongoing monitoring, both daily and periodic. Some information must be verified daily to ensure the controls are functioning as required.
2) There should also be event-based monitoring: “Discrepancies and even fraud may occur during normal processing or in special circumstances, for example in the case of high-value transactions. In many computing environments, malicious attacks are likely. Therefore, specific controls should be in place to detect and report unusual activities to an entity within the organization specifically responsible for investigating and determining whether preventive or corrective actions should be taken. These monitoring controls are complementary to the normal controls used and provide assurance on the effectiveness of these controls or early warning of a violation.”
3) We must also practice continuous monitoring by implementing technology that monitors and evaluates particular controls on an ongoing basis...
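The lockout and alert thresholds in controls 4 and 5 above are detection logic that can be run over authentication logs, which is also what event-based monitoring of “unusual activities” amounts to in practice. The following is an added example written for this page, not code from the essay or from any vendor product. It replays constructed log lines in a hypothetical “timestamp FAIL|OK user= src=” format, suspends an account after three consecutive failures, and, once a single source IP has caused five suspensions, raises an alert that resolves the IP to an inventory tag through a constructed asset table. The account names, IP addresses, asset tags and log format are all assumptions.

```python
"""Brute-force lockout and lockout-burst alerting over authentication logs.

Added example, not code from the original essay. It implements the two
thresholds the text proposes: suspend an account after three failed logins
(control 4) and, after five suspensions caused by one source, alert with the
source IP and its inventory tag (control 5). Log format, asset tags and
account names are all constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3   # control 4: failed attempts before an account is suspended
MAX_LOCKOUTS = 5   # control 5: suspensions from one source before alerting

# Constructed asset inventory (hypothetical tags): IP -> inventory number.
# A source that cannot be resolved here is reported as UNKNOWN-ASSET, the
# situation the text attributes to Wyndham's inadequate inventory.
INVENTORY = {
    "10.20.1.15": "FD-PMS-07",
    "10.20.1.22": "FD-PMS-12",
}

# Constructed log lines in a hypothetical format: "<ts> <FAIL|OK> user=<u> src=<ip>"
SAMPLE_LOG = """\
2008-04-02T01:00:01 FAIL user=mgarcia src=10.20.1.15
2008-04-02T01:00:09 OK   user=mgarcia src=10.20.1.15
2008-04-02T02:10:00 FAIL user=admin src=10.20.1.22
2008-04-02T02:10:01 FAIL user=admin src=10.20.1.22
2008-04-02T02:10:02 FAIL user=admin src=10.20.1.22
2008-04-02T02:10:03 FAIL user=svc_pms src=10.20.1.22
2008-04-02T02:10:04 FAIL user=svc_pms src=10.20.1.22
2008-04-02T02:10:05 FAIL user=svc_pms src=10.20.1.22
2008-04-02T02:10:06 FAIL user=frontdesk src=10.20.1.22
2008-04-02T02:10:07 FAIL user=frontdesk src=10.20.1.22
2008-04-02T02:10:08 FAIL user=frontdesk src=10.20.1.22
2008-04-02T02:10:09 FAIL user=nightaudit src=10.20.1.22
2008-04-02T02:10:10 FAIL user=nightaudit src=10.20.1.22
2008-04-02T02:10:11 FAIL user=nightaudit src=10.20.1.22
2008-04-02T02:10:12 FAIL user=jsmith src=10.20.1.22
2008-04-02T02:10:13 FAIL user=jsmith src=10.20.1.22
2008-04-02T02:10:14 FAIL user=jsmith src=10.20.1.22
2008-04-02T02:10:20 OK   user=admin src=10.20.1.22
2008-04-02T03:00:00 FAIL user=root src=192.0.2.50
2008-04-02T03:00:01 FAIL user=root src=192.0.2.50
2008-04-02T03:00:02 FAIL user=root src=192.0.2.50
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


@dataclass
class Result:
    locked: dict      # account -> timestamp of suspension
    accepted: list    # (ts, account, src) for logins that were allowed through
    alerts: list      # notification strings in the order they fired


def analyze(log_text: str) -> Result:
    failures = defaultdict(int)          # account -> consecutive failures
    lockouts_by_src = defaultdict(list)  # src -> accounts it got suspended
    res = Result(locked={}, accepted=[], alerts=[])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not guess
        ts, outcome, user, src = m.groups()
        if user in res.locked:
            continue                     # suspended: denied even with a correct password
        if outcome == "OK":
            failures[user] = 0           # a success resets the counter
            res.accepted.append((ts, user, src))
            continue
        failures[user] += 1
        if failures[user] < MAX_FAILURES:
            continue
        # control 4: threshold reached, suspend the account and notify
        res.locked[user] = ts
        lockouts_by_src[src].append(user)
        res.alerts.append(f"SUSPEND account={user} src={src} ts={ts}")
        # control 5: one source has now caused MAX_LOCKOUTS suspensions
        if len(lockouts_by_src[src]) == MAX_LOCKOUTS:
            tag = INVENTORY.get(src, "UNKNOWN-ASSET")
            res.alerts.append(
                f"BRUTE-FORCE src={src} asset={tag} "
                f"suspended={','.join(lockouts_by_src[src])}")
    return res


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG).alerts:
        print(alert)
```

Run on the constructed log, the workstation tagged FD-PMS-12 locks five accounts in fifteen seconds and triggers the brute-force alert, the later “OK” for the suspended admin account is refused, and the single legitimate user who mistyped a password once is let in because a success resets the counter. Two caveats for a real deployment: the counters here never expire, so production rules should use a time window so that an attacker cannot turn the lockout itself into a denial of service against front-desk staff, and an IP that resolves to UNKNOWN-ASSET is itself a finding, since it means the inventory control has already failed.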