Cyber Security: Zero Day – You Have Been Hacked

by Andrew Cardno

There are two types of casinos, those that know they have been hacked and those that do not. Even more frightening, the sophistication and abilities of hackers have grown to the point where they can choose how much damage is done. There is even a class of hacks called ‘zero day’ that are nearly unstoppable. Your organization needs to be prepared for zero-day attacks – the best time for mounting a defense was last year, and the second best time is today.

Ransomware?

U.S. ransomware attacks cost about $1 billion in the last year. Furthermore, these attacks are developing by industry vertical. Ransomware agents develop specialized techniques for the industries they go after, and each time they attack a business, they learn a little more about how to target effective attacks in that industry. For example, in the healthcare industry, it is estimated that cyber attacks have cost in excess of $20 billion in the last five years.

Your casino industry has already been subjected to successful ransomware attacks, and these attacks have resulted in property shutdowns and, in some cases, cryptocurrency payments to allow the property to reopen. As the cyber criminals learn more about gaming, they have developed specific systems of attack that will make it much harder to defend against.

Stages of Attack

A ransomware attack comprises four stages:

Stage 1: Malware/Code Acquisition: During this stage, methods such as email, phishing, trojan horses, and employee bribery are used to gain internal access to your environment. It is important to note that there are zero-day attacks where flaws known to the attackers but not yet patched in your systems are used to infiltrate your organization. These zero-day attacks are extremely difficult to defend against, as they are faults in the fundamental systems that run your business.

Stage 2: Spread and the Infection of Targets: Once they are inside your organization, and there is a high probability they already are, the cyber criminals need to spread around and take over a number of computers. While doing this takeover, they look for key areas of data that will be valuable for extortion and resale.

Stage 3: The Extraction of Data and/or Maintaining Persistence on Impacted Systems: During this phase, hackers extract data and embed themselves. They embed themselves in an organization using tricks, such as timer-based reinfection events or fake email accounts, that can be used for re-entry. The gold standard is to discover system passwords; for example, they may find them stored in shared drives. The criminals will also begin the process of data encryption and data extraction. Data encryption encrypts data in place, and data extraction removes it from the property.

Stage 4: Monetization: The earlier the attack is stopped, the less damaging it is. At this point, the cyber criminals will announce themselves, and your property has the very difficult decision of either paying the criminals (and hoping they will honor their word) or fighting the attack.

What is Zero Day?

Imagine that you take all of the precautions – patch all of your software and apply all of the latest security measures – only to discover that you have been hacked because of a flaw in an executive’s iPhone. Flaws like these are called zero-day vulnerabilities, and until the software is patched, they are extremely difficult, although not impossible, to stop. For reference, Chrome has had six zero-day flaws resolved this year, and there are likely many more.

Slot Machines Are Computers

Remember, slot machines are computers, and if compromised, they can be excellent vectors for attack across your organization. Furthermore, your gaming floor is likely to have connectivity to the outside world. This outward connectivity means that devices within your organization can communicate with the outside. If one of your gaming machines becomes compromised, or a physical unit is plugged into the gaming network (say, a spying device), then it can communicate both externally and internally. This communication can be used by cyber criminals to undertake nefarious activities. As these criminals are sophisticated, attacks on your facility that use this communication channel may be very imaginative.

Five Actions to Mitigate

Action One: Install a Redundant Gaming System
Imagine if you could simply switch on a gaming system to keep your operations going. It might not be perfect, but it will probably get your business up and running. You need to consider having a backup gaming system, one that can run on the second SAS port, allowing you to fail over instantly to a completely separate physical environment. This second system could start in passive monitoring mode and be switched to an active gaming system in the event of a cyber attack. If you are operating a second system, you will need to ensure that player cards, points, and promotions are maintained in real time. You may also want to consider manual systems that can be implemented to keep operations running in the event of a complete system lockdown.

Action Two: Backup Your Data
Backups of your data are essential to recovery. For example, you could run backups each minute to ensure that, in the event of an outage, you can restore the organization to operation with minimal loss of information. Backups are also a key way of blunting encryption attacks, as the encrypted data may be restorable from backup.

Action Three: Isolate and Segment Your Systems
Your systems are running on a physical network – ensure that key gaming systems can be fully isolated from the external world and from any other systems. This ability to create complete isolation lets you cut off critical systems while still allowing for logins. Complete isolation will likely require careful planning, since some games (for example, wide-area progressives) require external connectivity.

Action Four: Run Full Cyber Security Defense Mechanisms
There are sophisticated cyber defense mechanisms on the market, and these tools go far beyond simple penetration testing and extend to artificial-intelligence-based active monitoring tools. A well-resourced cyber team that is responsible for constant cyber protection should be an essential part of your operating budget.

In Summary

Cyber attackers are active in gaming, and if you are not already active in cyber defense, it is likely you are a soft target. If this is the case, ensure you have a substantial cryptocurrency deposit that you can use to pay ransomware attackers. The alternative is to build serious cyber defense into your operating budget.

Andrew Cardno is Co-Founder and Chief Technology Officer of Quick Custom Intelligence (QCI). He can be reached by calling (858) 299-5715 or email [email protected].