1. Information Security Issues at Casinos and eGaming
Tim Tarabey
June 2012

2. Agenda Advanced Persistent Threats (APT) Access Controls
eGaming / Casinos specific Issues

3. Advanced Persistent Threats (APT)
Definition
usually refers to a group of people with both the capability and the intent to persistently and effectively target a specific entity.
Challenges
Traditional IS tools/measures and controls are generally insufficient.
Information Security Awareness
Increase ISS budget/training/ Skills.

4. Advanced Persistent Threats (APT)
Addressing the APT
Real time monitoring
Packet filtering
Continuous true penetration test
Web application scans
Recognize the “new normal”.
Executive Support: reach out to CIO’s and executives to get things done.

5. Access Controls Definition
It is the cornerstone of any Information Security program.
Physical, technical and administrative controls
Challenges
Authentication of users
Business needs
Remote access
Access Control Review
Prevention vs detection and response
Internal breaches will happen as long as people has access to data

6. Access Controls How to address Awareness programs
Consistent account reviews by business owners not IT/IS
Define Processes
Costly
Resources
Require tools and technologies
Requires facilities and back-end systems to manage
Constant updates and maintenance of systems

7. Casino / eGaming Issues
Background
Casino and eGaming have their own unique challenges and the amount of casino/egaming expertise is limited.
Casino operations are trying to enhance the customer experience by collecting more and more sensitive player data.
With the changes in business operations as a result of the internet era, security concerns move from computer lab to the front page of newspapers and media.

8. Casino / eGaming Issues
Challenges (Business and ISS/IT challenges)
Unclear law around exploiting online games
Regulatory & Compliance (GPEB, OIPC, PCI, …etc)
Data Access
expansion of user community
Application/ Software providers
Interoperability
Speed to market
Social Media

9. Casino / eGaming Issues
24x7x365 availability
3rd party support
Mobile Devices and smart phones
VIP Players

10. Casino / eGaming Issues
Business Priorities and Requirements (meeting business demands versus security requirements)
Projects vs. operations
Time
Resources
How to address
Information Systems Security Program
Be Dynamic
ISS as business enabler (business must drive security)
Segregate critical systems

11. Information Security Challenges
Requires Special Skills and Training
Requires detection, analysis, investigative and resolution skill sets
Requires emergency response capabilities for resolution
Requires on-going hiring, training and retention initiatives
Ongoing Research and ability to incorporate new tools and technologies
Real Time Monitoring

12. Defining the Role, Scope and Procedures
Role of the security operations team
Will it simply observe, record and report on recurring attacks?
Will it be actively involved in mitigating threats?
Scope of the security operations team
Agree on the scope of your Security operations activities, is it restricted to the network only, or includes suspicious behavior
from user activity.
Define appropriate procedures
Ensure all processes and how incidents are handled are clearly understood by all parties.
Ensure you have a clearly documented incident response plan.

13. Information Systems Security

14. Information Systems Security
The role of ISS is to influence everyone in the corporation to embed information security principles, practices, and technology into all aspects of the business
ISS’s goal is to achieve and maintain a balanced information security posture commensurate with the risk appetite of the enterprise.
Safeguards are used to mitigate threats in a cost-efficient manner

15. Questions