Don’t Gamble on Your Cybersecurity
“God does not play dice with the Universe.”
Why would you play with hackers?
2,814 data breaches were recorded in 2023, compromising over 8 billion records. Every day new software updates ship, and every day a newly disclosed vulnerability puts your company at risk.
Malicious hackers are getting more aggressive in their attempts, so it’s on you to become more aggressive in your security.
Recently, ransomware attacks have started to focus on casinos and the gambling industry, so much so that the FBI published a formal notification warning companies in this sector about it.
In these attacks, malicious actors use phishing and exploit vulnerabilities in third-party tools to disrupt the gaming industry's daily operations and expose sensitive information.
In many ways, much like gambling, getting hacked is a game of odds. You’re always exposed to the possibility of losing, but that does not mean you can’t take the necessary precautions to lower the probability of this happening.
No matter what your security posture looks like, there’s always something you can do to ensure an extra layer of protection.
Casinos work with large amounts of money and credit card information, making them enticing targets for malicious parties. While many invest in some defensive security, they often don't see the need for offensive security analysis. Understandably, solutions like a pentest can be expensive, especially for places with such big infrastructures, and there is also the mindset of “why do I need offensive security when I already have defensive security systems in place.”
And this is what hackers are counting on.
A company mitigates the odds of a security breach with different forms of defensive tooling. And with this, it is content. After all, it has reduced the probability of a breach to, say, about 10%. But the roulette ball will almost certainly, at some point in time, land on the green, and what follows is a monetary and reputational loss bigger than most can imagine.
And after such a loss, companies are even more apprehensive about spending money on a penetration test to find out whether there are other holes in their systems. Instead, they simply patch where the breach happened.
It is assumed that because there was such a low probability of something like this happening, it is even more unlikely to happen again in the near future.
Ironically, this way, casinos end up falling victim to their #1 money-making factor…
The Gambler’s Fallacy
The gambler’s fallacy is the belief that, in a game of odds, after several bad hands, a good one is bound to follow soon. This causes the players of, let’s say, Blackjack, to increase their bets after several bad hands, believing that they’re bound to win soon enough.
The belief itself is never true: each hand has the same odds regardless of what came before. What an infinite bankroll would rescue is the doubling-up strategy (the martingale): a player who could keep doubling forever would, of course, eventually win a hand and recover the losses. But individuals, much like companies, have a finite amount of money they can lose before having to back out empty-handed.
Cyberattacks on Casinos
And here’s where we go back to our original issue, cyberattacks. Games of chance are a series of independent, unrelated events. The outcome of each hand is unrelated to the outcome of previous ones, meaning the odds of a good hand reset every time the deck is shuffled.
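The two claims above (independence of each round, and the martingale going bust on a finite bankroll) are easy to check numerically. The following Python simulation is an added illustration, not code from the original post; it assumes an even-money bet on single-zero roulette (18 winning pockets out of 37) as the constructed game, and a seeded generator so the run is repeatable.

```python
import random

# Assumption: even-money bet (red/black) on single-zero roulette.
P_WIN = 18 / 37


def spin_sequence(n, seed=1):
    """Constructed sample: n independent even-money outcomes (True = win)."""
    rng = random.Random(seed)
    return [rng.random() < P_WIN for _ in range(n)]


def win_rate(outcomes):
    """Overall fraction of winning spins."""
    return sum(outcomes) / len(outcomes)


def win_rate_after_streak(outcomes, streak_len):
    """Win fraction on the spin that immediately follows streak_len consecutive losses.

    If the gambler's fallacy were right this would be higher than win_rate();
    because spins are independent it is not.
    """
    hits = wins = run = 0
    for w in outcomes:
        if run >= streak_len:
            hits += 1
            wins += w
        run = 0 if w else run + 1
    return wins / hits


def martingale_session(outcomes, bankroll, base_bet=1):
    """Bet base_bet; double after every loss; reset after a win.

    Returns (final_bankroll, went_bust). The session is bust as soon as the
    next required bet exceeds what is left: a finite bankroll cannot keep doubling.
    """
    bet = base_bet
    for w in outcomes:
        if bet > bankroll:
            return bankroll, True
        if w:
            bankroll += bet
            bet = base_bet
        else:
            bankroll -= bet
            bet *= 2
    return bankroll, False


def bust_fraction(n_sessions, spins_per_session, bankroll, base_bet=1, seed=7):
    """Fraction of independent martingale sessions that go bust."""
    rng = random.Random(seed)
    bust = 0
    for _ in range(n_sessions):
        outcomes = [rng.random() < P_WIN for _ in range(spins_per_session)]
        if martingale_session(outcomes, bankroll, base_bet)[1]:
            bust += 1
    return bust / n_sessions


if __name__ == "__main__":
    seq = spin_sequence(400_000)
    print(f"overall win rate:            {win_rate(seq):.4f}")
    print(f"win rate after 3 losses:     {win_rate_after_streak(seq, 3):.4f}")
    print(f"martingale bust rate (100 unit bankroll, 200 spins): "
          f"{bust_fraction(2000, 200, 100):.2f}")
```

With a 100-unit bankroll and a 1-unit base bet the player survives at most six consecutive losses (1+2+4+8+16+32 = 63 units lost, then the 64-unit bet cannot be covered), and a six-loss streak is common enough over a couple of hundred spins that most sessions end in ruin, while the win rate after a losing streak stays at the base 18/37.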
Having just suffered a cyberattack does not mean in the slightest that another one won’t be suffered soon. In fact, it alerts many malicious hackers that you’re a vulnerable target with unknown holes in its defense system. At the same time, a competitor getting attacked also doesn’t mean you got skipped over. It just means you may be next.
This creates the imperative need not just to have a robust defensive security system, but also to run recurring penetration tests that uncover the exploitable weaknesses in one's environments, so the company can patch them before an attacker finds them and have all its bases covered.
Ideally, pentesting is done quarterly, as new vulnerabilities are constantly being uncovered. But as they can be expensive, it is recommended to do this exercise at least once a year, and have a vulnerability management platform to keep you posted on new exposures between penetration tests.
It is important to clarify that many vendors offer “automated pentests” because they appear to be the more affordable option; these are not real penetration tests. They are vulnerability scans with exploit capabilities, and they cannot replicate the creativity and initiative that an actual person (a penetration tester / ethical hacker) brings.
A person will find your weak points in a similar way to how a malicious hacker would. Companies may claim to use AI to replicate this, and though this is where the industry is heading, it would be foolish to say the technology is there yet. The reality is that these products are using machine learning algorithms and cannot be entrusted with complete confidence.
Human Error
We would love to tell you that pentests are a bulletproof solution, but unfortunately, the #1 cause of cyberattacks is in fact one of your most valuable assets: your employees.
Human error accounts for over 80% of cyber incidents. And the unfortunate attack on MGM is a perfect example of this:
The attackers looked up employee information on LinkedIn and assumed the identity of one employee. They then called the IT help desk claiming to have lost access to their accounts. After a single 10-minute phone call, the attackers had administrator access to the company's cloud identity environment.
And employees at every level are a target for this, even those with little or no access to sensitive information. Education is key at every level of your organization. An attacker may target a low-level employee and obtain their email credentials through phishing. The attacker can then send backdoored attachments to everyone in that contact list and gain a foothold on the company's internal network. From there, they can scan for vulnerable hosts. For example, they may find unpatched machines exposed to the EternalBlue exploit for the SMBv1 flaw fixed by MS17-010, which can be used to spread malware across the whole company's network.
Social engineering exercises evaluate your security posture with respect to your people. Through phishing (email) and vishing (phone call) campaigns you can measure your employees' security awareness and provide them with the proper education and training to avoid real attacks that may endanger your whole organization.
Conclusion
The state of cybersecurity today is extremely complex. As new technologies appear to make our work easier, more threats do as well. Therefore, to protect ourselves properly, it is necessary to first know where one's vulnerabilities lie.
Social engineering exercises, alongside annual pentests, give a company a full picture of its security posture, including their most vulnerable points of entry.
Games of chance can be fun, especially when one wins. So why would we not try to reduce the probability of losing? Yes, chance is a series of independent events, but that does not mean your choices can't change the odds you are playing with.
[Figure: 2023 High Profile Casino Attacks]
Stay secure,
Florencia.
References:
- https://www.oreilly.com/library/view/statistics-hacks/0596101643/ch04.html#I-0596101643-CHP-4-SECT-2
- https://westoahu.hawaii.edu/cyber/global-weekly-exec-summary/alphv-hackers-reveal-details-of-mgm-cyber-attack/
- https://hbr.org/2023/05/human-error-drives-most-cyber-incidents-could-ai-help
- https://www.cybersecuritydive.com/news/ransomware-targets-casinos-fbi/699313/
- https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2023#top-ten