The unprecedented cyber attack on MGM Resorts Intl. (NYSE: MGM) continues to take its toll from both an operational and financial perspective. On Monday, MGM shares were lower by over 1%, adding to an over 6% decrease last week. And the drop may not have found a floor of yet. The damage and the economic fallout from it are still being assessed, factoring in disruptions to MGM reservation systems as well as its gaming systems brought to a grinding halt, affecting services and wagering at the MGM Grand, Bellagio, Aria, Cosmopolitan, Park MGM, Luxor, Mandalay Bay, Excalibur, New York-New York, NoMad, Delano, and Vdara. This was no minor breach.
The attack caused outages for slot machines, sports betting kiosks, ATMs, and loyalty program reward machines. That's not all. Even the digital keys to guest rooms stopped working, leading to long lines at the front desk check-in as employees did their best to check people in with 1980s-style pen and paper processes. On Monday, MGM said they have gotten a handle on the situation, which is good news for them, their guests, and even the city itself. But here's the concern. It was such a massive and successful attack that many are evaluating whether or nottheir systems, some not as secure as MGM's, could fend off similar cyber attacks and ransomware missions.
CISO Global Provides Its Perspective On The MGM Hack
In our "Three for One" series, we contacted CISO Global (NasdaqCM: CISO) with three questions about the crash, seeking insight into what happened, how it happened, and what could be done to defend against similar and likely forthcoming cyber attacks. Here's how they answered, providing additional comments afterward.
Q. The cyber breach at a reported 12 MGM Group properties in Las Vegas is entering its 7th day, with estimates suggesting the brand is losing at least $25 million per day. Can CISO speculate what may have been the door used for hackers to penetrate such a massive system?
CISO: As has been reported, this appears to be a highly targeted attack with the threat actor conducting OSINT recon on MGM employees using social networks, including LinkedIn, then utilizing that information to contact the MGM helpdesk masquerading as an employee needing to regain access to their account. From there, specific details are not public. But what can be inferred is that with many organizations, especially larger ones, once a single account has been compromised, moving laterally across the environment and escalating access and privileges can be startlingly easy. The sheer number of computer systems and applications in a large enterprise can be staggering, and ensuring that every single one is secured can be a herculean task.
Q. Some debate about how these hackers penetrated the MGM systems is that they used "social engineering," using an unsuspecting employee to provide sensitive data to build from. Your company highlights "cybersecurity as a culture." Is that something many companies, maybe even MGM, lack? And what would the difference be if CISO was MGM's primary cybersecurity platform provider?
CISO: I think the point is that it's hard to seamlessly integrate new technology with dated, leading to business decisions or omissions that make cybersecurity more difficult. For example, in all organizations, you have users who routinely lose access to their accounts for a myriad of reasons. This typically necessitates a call to the company's helpdesk to regain access. Simple enough. However, while many organizations have at least some limited standardized identity verification protocols, some have none at all. That enables an attacker to impersonate a valid user able to produce information like date of birth or even social security number.
Unfortunately, with those account verifications routinely used, they are also the most often compromised and available for hackers and identity thieves, making them poor methods of accurately verifying a person is who they claim to be.
A true culture of cybersecurity requires first recognizing the risk of the helpdesk potentially granting an attacker access, then building out controls to ensure that any verification methods are the right balance of convenience and practicality. A sound approach, and the way we do this at CISO Global, is to have seasoned experts evaluate and assist with the entire process – from policies, to procedures, to effectiveness. That includes performing in-depth risk assessments to identify existing gaps and vulnerabilities, designing and implementing effective controls, and resiliency testing, conducting proactive "ethical hacking" using a similar social engineering attack to verify that processes and protocols are being followed correctly. In other words, in addition to our technology that is designed to be secure from day one, closing “open doors” of vulnerability, we train the organization's team to do the same.
Q. What would you say to the companies now scrambling to make sure their systems are protected?
CISO: To protect yourself against similar social engineering attacks, ensure that identity verification checks are in place before the helpdesk grants access to accounts to inbound callers. Additionally, make sure these verification checks are built on information not readily accessible to hackers via OSINT or dark web forums. For example, phone numbers are easily spoofed, employee start dates could readily be inferred from LinkedIn, birthdays from Facebook, and reused passwords or Social Security Numbers can be acquired from dark web identity theft marketplaces, making them poor means of verifying identity. Something simple like an employee number, PIN, or secondary verification method is far from foolproof, but still requires more in-depth recon by attackers than personal information.
Commenting On The Major Cyber Breah Event
Adding additional comments, Jerald Dawkins, Chief Technology Officer at CISO Global, offered his take on what happened and the significance of it, saying, "The challenge that is interesting to me is not the fact that they were breached, or the manner by which they were breached. It is the extent to which they were breached. There is a key principle in security: Least Privilege. Least Privilege is a concept that specifies denying access to everyone, except for access to what each person absolutely needs in order to perform their responsibilities. Least Privilege is the concept behind strategies like Zero Trust and network segmentation. It is central to regulatory philosophies such as segmentation of credit card data in a PCI environment or privacy information in GDPR or HIPAA. Least Privilege and segmentation might have helped limit the extent of an attack like this, because there wouldn’t have accounts with access to this many environments at once. It becomes harder, then, to take everything down with some simple account compromises and lateral navigation. Each environment, when architected securely, is segmented to deny all access, except for only those services necessary to perform its required function. While a successful attack may be possible in this type of architecture, it would be limited to the service being exploited thereby limiting the overall attack's exposure."
He added, "The extent that this compromise impacted MGM, including the casino floor, hotel rooms, reservation systems, ATMs, among other unknown internal systems, should be alarming. Companies need to do better, not just from a security and incident response standpoint but also from a network architecture standpoint. For CISO Global, it is why investing in our intellectual property, like Argo Edge, is so critical for the next generation of cyber security. Security is a team sport. It's time everyone approaches this problem from a different perspective."
Gary Perkins, Chief Information Security Officer at CISO Global, also shared thoughts, saying, "The situation at MGM is really unfortunate. Ultimately, no organization globally is immune to attack. Organizations can't focus only on prevention but must be prepared to detect and respond. It is critical for organizations of all sizes to be prepared with an incident response plan, an incident response team (dedicated, virtual, or on-retainer), runbooks, and regular drills. That's part of the CISO Global shield that differentiates us from pure technology providers. With that said, while we create a culture of cybersecurity that is inclusive to every layer of the organization, the goal is that our technology remains the potent barrier to system entry. Through real-time testing and challenges, we are proving that's the case, which, at the end of the day, should be the most important consideration to every cybersecurity arsenal."
Disclaimers: Hawk Point Media Group, Llc. is responsible for the production and distribution of this content. Hawk Point Media Group, Llc. is not operated by a licensed broker, a dealer, or a registered investment adviser. It should be expressly understood that under no circumstances does any information published herein represent a recommendation to buy or sell a security. Our reports/releases are a commercial advertisement and are for general information purposes ONLY. We are engaged in the business of marketing and advertising companies for monetary compensation. Never invest in any stock featured on our site or emails unless you can afford to lose your entire investment. The information made available by Hawk Point Media Group, Llc. is not intended to be, nor does it constitute, investment advice or recommendations. The contributors may buy and sell securities before and after any particular article, report and publication. In no event shall Hawk Point Media Group, Llc. be liable to any member, guest or third party for any damages of any kind arising out of the use of any content or other material published or made available by Hawk Point Media Group, Llc., including, without limitation, any investment losses, lost profits, lost opportunity, special, incidental, indirect, consequential or punitive damages. Past performance is a poor indicator of future performance. The information in this video, article, and in its related newsletters, is not intended to be, nor does it constitute, investment advice or recommendations. Hawk Point Media Group, Llc. strongly urges you conduct a complete and independent investigation of the respective companies and consideration of all pertinent risks. Readers are advised to review SEC periodic reports: Forms 10-Q, 10K, Form 8-K, insider reports, Forms 3, 4, 5 Schedule 13D. For some content, Hawk Point Media Group, Llc., its authors, contributors, or its agents, may be compensated for preparing research, video graphics, and editorial content. For this content, HPM, LLC has been compensated two-thousand-five-hundred-dollars via bank wire by Trending Equities, LLC. to provide digital production services and syndication for CISO Global, Inc for a one month period starting on 9/19/23 and ending on 10/15/23. As part of that content, readers, subscribers, and website viewers, are expected to read the full disclaimers and financial disclosures statement that can be found on our website. The Private Securities Litigation Reform Act of 1995 provides investors a safe harbor in regard to forward-looking statements. Any statements that express or involve discussions with respect to predictions, expectations, beliefs, plans, projections, objectives, goals, assumptions or future events or performance are not statements of historical fact may be forward looking statements. Forward looking statements are based on expectations, estimates, and projections at the time the statements are made that involve a number of risks and uncertainties which could cause actual results or events to differ materially from those presently anticipated. Forward looking statements in this action may be identified through use of words such as projects, foresee, expects, will, anticipates, estimates, believes, understands, or that by statements indicating certain actions & quote; may, could, or might occur. Understand there is no guarantee past performance will be indicative of future results. Investing in micro-cap and growth securities is highly speculative and carries an extremely high degree of risk. It is possible that an investors investment may be lost or impaired due to the speculative nature of the companies profiled.
Company Name: Hawk Point Media
Contact Person: Editorial Dept.
Country: United States