Most data breaches involving hotels fall into one of several types based on what hackers are trying to unearth.
REPORT FROM THE U.S.—The modus operandi of hackers is determined by who they are and what data they’re looking to unearth, sources said.
Ted Harrington, executive partner at Independent Security Evaluators, said no two breaches are identical, but there are a handful of “distinct types” hotel companies should be on the lookout for.
“Hoteliers need to go through the process of identifying what they’re trying to protect and who they think is going to attack,” he said.
The first type, which Harrington referred to as a “stepping stone attack,” is based on hackers finding an open entry point, either through a vulnerable system or through a third party with lax security standards, then using that foothold to “pivot somewhere else,” to a system that holds the sensitive information they actually want.
“Whatever their end goal, they’re very unlikely to attack it directly,” he said. “If an adversary is trying to compromise credit card data, they’re likely to enter through some third-party integration.”
He said hoteliers should be careful when working with some technologies from smaller startups because some have not invested in security.
One example of this type of attack would be hackers targeting the hotel’s smart locks if they’re integrated with the larger network, with the end goal of getting to data in a hotel’s property-management system.
Harrington described “poking” as the least sophisticated type of attack. It is based largely on hackers working from outside the network, methodically searching for any obvious openings in the hotel’s security.
He said this method doesn’t require a sophisticated knowledge base to execute.
“There are even tools (a hacker) can download to do this without knowing how they work,” Harrington said.
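Both patterns above leave traces in ordinary perimeter and internal firewall logs: a “poking” attacker from outside touches many ports on a host in a short time, and a “stepping stone” pivot shows up as a connection into the property-management system segment from a network that should never talk to it, such as the smart-lock controllers. The script below is an added example written for this page, not code from the article, Harrington or Independent Security Evaluators. The log format, the subnets (lock controllers on 10.20.0.0/24, PMS on 10.50.0.0/24, front desk on 10.10.0.0/24), the thresholds and the sample log lines are all constructed assumptions.

```python
"""Flag 'poking' (external port probing) and 'stepping stone' pivots
(traffic into the PMS segment from a network that should not reach it)
in constructed firewall log lines. Example only; layout and log format
are hypothetical."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) network layout.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LOCK_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # smart-lock controllers
PMS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")     # property-management system
PMS_ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]  # front-desk workstations

SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one outside source ...
SCAN_WINDOW_SECONDS = 60   # ... within this many seconds counts as a probe

# Constructed sample log. Assumed format:
#   <ISO timestamp> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>
SAMPLE_LOG = """
2024-05-01T10:00:00 203.0.113.7:51000 -> 10.0.0.5:21 DENY
2024-05-01T10:00:01 203.0.113.7:51001 -> 10.0.0.5:22 DENY
2024-05-01T10:00:02 203.0.113.7:51002 -> 10.0.0.5:23 DENY
2024-05-01T10:00:03 203.0.113.7:51003 -> 10.0.0.5:25 DENY
2024-05-01T10:00:04 203.0.113.7:51004 -> 10.0.0.5:80 ALLOW
2024-05-01T10:00:05 203.0.113.7:51005 -> 10.0.0.5:110 DENY
2024-05-01T10:00:06 203.0.113.7:51006 -> 10.0.0.5:143 DENY
2024-05-01T10:00:07 203.0.113.7:51007 -> 10.0.0.5:443 ALLOW
2024-05-01T10:00:08 203.0.113.7:51008 -> 10.0.0.5:445 DENY
2024-05-01T10:00:09 203.0.113.7:51009 -> 10.0.0.5:3389 DENY
2024-05-01T10:00:10 203.0.113.7:51010 -> 10.0.0.5:8080 DENY
2024-05-01T10:00:11 198.51.100.4:40000 -> 10.0.0.5:80 ALLOW
2024-05-01T10:00:12 198.51.100.4:40001 -> 10.0.0.5:443 ALLOW
2024-05-01T10:00:13 198.51.100.4:40002 -> 10.0.0.5:8443 DENY
2024-05-01T10:01:00 10.10.0.8:52000 -> 10.50.0.10:443 ALLOW
2024-05-01T10:01:05 10.20.0.15:39000 -> 10.50.0.10:22 DENY
2024-05-01T10:01:09 10.20.0.15:39001 -> 10.50.0.10:1433 ALLOW
"""


def parse_line(line):
    """Parse one log line into a dict; see the assumed format above."""
    ts, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dport), "action": action}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect_poking(events):
    """Map each outside source that hit >= SCAN_PORT_THRESHOLD distinct ports
    inside a sliding window to the sorted list of every port it touched.
    Denied connections count: a blocked probe is still a probe."""
    by_src = defaultdict(list)
    for e in events:
        if not is_internal(e["src"]):
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > SCAN_WINDOW_SECONDS:
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) >= SCAN_PORT_THRESHOLD:
                hits[str(src)] = sorted({e["dport"] for e in evs})
                break
    return hits


def detect_pivot(events):
    """Return (kind, src, dst, dport) for every ALLOWED connection into the PMS
    segment whose source is not on the allow-list. Lock-controller sources are
    labelled separately because that is the integration most likely to be the
    stepping stone. A DENY is a blocked attempt, not a successful pivot."""
    findings = []
    for e in events:
        if e["dst"] in PMS_SEGMENT and e["action"] == "ALLOW":
            if not any(e["src"] in net for net in PMS_ALLOWED_SOURCES):
                kind = "lock-segment-to-pms" if e["src"] in LOCK_SEGMENT else "unexpected-source-to-pms"
                findings.append((kind, str(e["src"]), str(e["dst"]), e["dport"]))
    return findings


def analyze(log_text):
    events = parse_log(log_text)
    return {"poking": detect_poking(events), "pivot": detect_pivot(events)}


if __name__ == "__main__":
    for kind, result in analyze(SAMPLE_LOG).items():
        print(kind, result)
```

On the constructed log this flags 203.0.113.7 as a prober (eleven distinct ports in eleven seconds) but not 198.51.100.4 (three ports, ordinary web traffic), and flags the allowed lock-controller connection 10.20.0.15 to the PMS host on port 1433 while ignoring both the front-desk workstation and the denied SSH attempt. The pivot rule is the more valuable of the two: if lock controllers are ever allowed to reach the PMS segment, the firewall policy, not the detection, is the real finding.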
Harrington said some of the most dangerous attacks are those that originate from within. He said these attacks vary and happen for “different reasons with different skills,” but they are universally problematic because they happen “within trusted boundaries.”
“It’s a dangerous scenario,” he said.
Harrington said one of the most important steps hoteliers can take to avoid all kinds of breaches is deeper, more holistic threat modeling, particularly focusing on what he called black box threat modeling. He said that’s not common in the industry yet.
He said black box testing is like knowing how the hotel’s systems work from the inside out, while current testing is just based on looking on from the outside to see if there are any obvious ways in. (In standard security terminology, assessment with that insider knowledge of the systems is usually called white-box or full-knowledge testing, and “black box” is the outside-only view; the point being made is that testing should start from how the systems are actually built rather than from what an outsider can see.)
“That way, if you don’t look at a certain thing, you won’t identify a vulnerability,” Harrington said.