By Terence Ronson, HOTEL Asia Pacific Technology Editor
WITH the increase in malicious emails infecting internet users worldwide, hoteliers might soon find themselves having to build “virtual moats” around their properties and position electronic guards at various checkpoints to avoid being hacked.
“So serious is the threat of malicious intrusion into one’s network or PC that just a single line of defence is definitely not good enough,” says Raymond Chu, product marketing manager with the advanced technologies group of Cisco Systems Asia Pacific.
In fact, some industry pundits claim that you can place a brand new PC on the internet and, within a few minutes, someone will try and hack into it. Now, that’s scary!
Almost every day, we hear of computer viruses that masquerade as something less sinister, either to trick the less tech-savvy into lowering their often limited defences or to beat the defences we already have in place, so that they can worm their way through our networks and cause havoc.
This state-of-the-art form of terrorism is smarter and potentially more damaging to humanity than the type which brandishes an AK47 or Kalashnikov. The malicious perpetrators of these viruses stealthily float around cyberspace at the speed of light - and their evil is not hindered by race, creed, religion or colour.
The list of aliases that these brats dream up is limitless, with some labelling themselves as, for example, a software patch from Microsoft “that you must immediately install to prevent hacking”. In fact, hacking is exactly what they are attempting to achieve.
Most often when these damaging viruses get into our systems, they “harvest” email addresses from local files and spoof the “from address”. The aim is to lull us into a false sense of security when receiving emails from known senders.
Some may even attempt to download a “back door” from a remote website, allowing them to easily get back into your machine undetected at a later date.
We used to think that passwords were the best thing since sliced bread when it came to protecting access to computers and data and, to some extent, that still holds true.
But passwords are like toothbrushes and should be changed every three months - and not to your birthday, pet’s name or favourite type of food. They should be at least eight characters in length, with a combination of letters and numbers [some people I know add in a few symbols for increased complexity].
Systems managers - through the effective use of operating systems - have the ability to force users to change passwords every so often. Do you know if this is set up on your system? When was the last time you were asked to change yours?
The establishment and enforcement of company policies plays a significant role when it comes to securing networks. For example, at the very basic level you need to know who and what has access to your networks and systems from inside and outside your hotel.
Don’t be so naive as to believe that all attacks are external: disgruntled employees do exist, and they can all too easily infect your network with a virus.
It is not impossible for some unscrupulous individual to steal and sell your data to competitors or, worse, to abuse personal details of your guests. Just imagine how valuable your guest history or corporate-account information is on the open market - it needs to be protected in the same way that your general cashier protects physical cash.
There have been many stories recently of rogue wireless access points being surreptitiously connected to networks by staff, third-party engineers or intruders, which allow virtually undetected remote access to networks and siphoning of data.
In all honesty, can your security chief and information-systems (ISM) manager put their hands on their hearts and swear that these do not exist on your LAN (local-area network)?
Do they employ identity-management techniques which manage each and every LAN port to be 100% sure about what is plugged in?
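One way to answer that question from data the switches already hold, shown here as an added example that is not part of the original article: compare each switch's MAC address table against an inventory of what should be on every port. The switch names, port names, MAC addresses and the `audit_ports` function are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample: "switch port MAC" rows, as might be exported from a
# switch's MAC address table. Every value here is made up for the example.
MAC_TABLE = """\
sw-lobby Gi0/1 00:11:22:aa:bb:01
sw-lobby Gi0/2 00:11:22:aa:bb:02
sw-lobby Gi0/3 de:ad:be:ef:00:10
sw-floor2 Gi0/7 00:11:22:aa:bb:03
sw-floor2 Gi0/7 02:00:00:00:00:21
sw-floor2 Gi0/7 02:00:00:00:00:22
"""

# Hypothetical inventory: the one MAC address expected on each access port.
AUTHORIZED = {
    ("sw-lobby", "Gi0/1"): "00:11:22:aa:bb:01",
    ("sw-lobby", "Gi0/2"): "00:11:22:aa:bb:02",
    ("sw-lobby", "Gi0/3"): "00:11:22:aa:bb:04",
    ("sw-floor2", "Gi0/7"): "00:11:22:aa:bb:03",
}

def audit_ports(mac_table, authorized):
    """Return {(switch, port): [findings]} for ports that break the inventory."""
    seen = defaultdict(set)
    for line in mac_table.splitlines():
        if not line.strip():
            continue
        switch, port, mac = line.split()
        seen[(switch, port)].add(mac.lower())

    findings = {}
    for key, macs in seen.items():
        issues = []
        expected = authorized.get(key)
        if expected is None:
            issues.append("port not in inventory")
        unknown = sorted(macs - {expected}) if expected else sorted(macs)
        if unknown:
            issues.append("unknown MAC(s): " + ", ".join(unknown))
        # Several MACs on one access port usually means a switch, hub or
        # wireless access point has been plugged in behind it.
        if len(macs) > 1:
            issues.append("multiple devices behind one port")
        if issues:
            findings[key] = issues
    return findings

if __name__ == "__main__":
    for (switch, port), issues in audit_ports(MAC_TABLE, AUTHORIZED).items():
        print(switch, port, "->", "; ".join(issues))
```

MAC addresses can be forged, so a clean report narrows the search rather than proving that no rogue device exists.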
If your hotel is connected to the outside world, I hope you have a computer “firewall”, and that stringent controls are in place to control what data can flow into and out of your property.
As responsible managers, do you know what type of data is blocked or allowed to pass through? Bear in mind that emails are not the only mechanism for viruses to penetrate your defences - instant-messaging is another channel where viruses can slip in, and data can slip out without your knowledge. While this technology can save you communications costs and improve productivity, it could also be the vehicle used for acts of cyber-terrorism.
You must also consider what impact the guest-broadband network has on the hotel. Do you allow your guests to download any file type they want, and visit any website they care to?
Can the guest who accesses your broadband network see other guests on the network, or maybe the PCs on the hotel LAN?
Have you checked with your ISM that, for added safety and security, each room has been set up as a VLAN, meaning it’s a virtual independent network in its own right that cannot be seen or accessed by others?
“Remote access and teleworking are everyday occurrences on networks and, by virtue of allowing such access to your networks, you are potentially opening yourself up to abuse,” says Chu.
“Do you have the policies and procedures and physical barriers in place to prevent unauthorised access? Remember that if people can remotely access your network, they can also remotely access your data, and do with it what they want.”
If you want to sleep soundly at night, then you have to realise that network security is just as important as the physical security of your building.
“There has to be more emphasis placed upon network security,” says Chu.
“Start by conducting a thorough audit of your defences and system policies. Look for the breaking points, and where there are risks.
“Consult with industry experts seeking their advice on such technologies as IDS (intrusion detection systems), IPS (intrusion prevention systems), firewalls and identity-management techniques.”
Don’t delay - the walls have ears.