IAGA SUMMIT FOCUS CYBERSECURITY
Scott Melnick Principal Security Research & Development Bulletproof, a GLI company
Scott Melnick currently leads the security research and development department for Bulletproof, a GLI Company conducting security penetration testing in the gaming and government sectors. Scott is an experienced IT leader and white hat hacker with over 25 years of experience and specialises in the gaming industry with experience in slot system R&D and security operations. During his tenure in the gaming sector, Scott has assisted law enforcement and casino operators with player and internal employee fraud investigations.
Are cyber breaches now inevitable? And why is this the current situation?
Yes. The Identity Theft Resource Center (ITRC) reports that incidents of identity theft rose by 78 per cent from 2022 to 2023 and it shows no signs of stopping. This was partly because of the shift in business practices and the emergence of large new markets during the pandemic, such as work-from-home, online gaming, delivery service, and more.
Who are the entities trying to breach the digital defences of casinos? What are their motivations?
At this moment, it is mostly Ransomware as a Service (RaaS) groups, which operate independently and sell/broker their services to attackers who have already gained access, or even insider threats, where an employee inside the organisation provides access to the RaaS.
Their motivation is mostly financial but can also be related to disgruntled employees. In 2020 a Tesla employee was offered $1m to implant ransomware.
What are the methods by which bad actors are attempting/and succeeding to penetrate the casinos?
There are a few methods today that I’ve seen clients get breached with. One is a lack of security patches and misconfigurations that are letting attackers access the casino networks via VPN/firewall, on-premises servers, or an employee’s system.
However, the current trend is social engineering, which comes as phishing, where the attacker sends a vulnerability/link via email that can be targeted at a specific individual (spear phishing) or sent to as many people as possible within the organisation.
Social engineering techniques via phone to get access from users or help desk employees are also on the rise as we saw with the MGM breach.
This is more effective because organisations can spend millions on cybersecurity, but it can be toppled by one employee.
What kind of damage can such breaches cause?
A breach will cause business damage on multiple levels. Not only paying hundreds of thousands to millions in ransomware, but financial loss can come from the Casino Floor, Hotel and Online gaming being offline for weeks. Depending on the type of breach, and if customer data was possibly stolen, it can not only damage your brand and customer loyalty but bring years of lawsuits against the property.
Why are casino defences insufficient to ward off such attacks?
The defences and problems are no different than any other major corporation or government agency. Most corporations as well as casinos like to do the minimum required to get by and while it’s still a good standard it does not cover enough. This is because the landscape of attacks moves faster than local regulations. Businesses want to be first to market, optimise profits quickly at the risk of security and their application stability. They are gambling.
Another challenge is the financial pressure and the attempt to operate with minimal resources that can make cybersecurity less of a priority and lead to bigger financial problems later on.
What are the IT measures casinos should instigate to try to prevent such attacks?
There are many things to mention, but casinos need to follow a multi-level security approach.
Security needs to be layered in these times. You can't rely on just firewalls and your perimeter security anymore. You need to add more security features like multi-factor authentication, endpoint protection, email protection, data encryption and hire a third-party security operation centre.
Frequent cybersecurity tests by third parties. IT departments should be doing this themselves always and constantly, but due to bias third-party checks are a must and a standard best practice. In some cases, it’s required. Also, social engineering testing should be done by the same testing company or an internal security team that will constantly keep employees on their toes and measure your education success rate.
Company culture, training, and funding. Employees are vulnerable to social engineering if the C-level and upper management have a poor culture. There should be clear policies and approval from leadership that there will be no repercussions for following procedure and