Since its inception in 1989, Gaming Laboratories International has sought to safeguard the interests of all stakeholders in the gaming industry— players, operators, governments, regulators and suppliers. In keeping with that mission, the company’s biggest growth area in recent years has been assessing the security and robustness of clients’ computer systems
Though best-known as the world leader in testing and certifying gaming machines and systems, Gaming Laboratories International does a lot more than that. Its Global Professional Services division offers, in the company’s words, “a wide range of information security services to gaming and non-gaming companies, from audits and training to the application of new processes and ultimately certifications”.
The IT and Internet security assessments are especially popular, given the need for companies to ensure they are able to withstand an ever-expanding variety of threats. “We started to do it about three years ago on a smaller, on-demand scale, but the demand for it has surged by tenfold. Everybody’s asking for it,” says Ian Hughes, the company’s vice president of Global Services.
The security assessments include what are known as Information Systems Security audits. “ISS is used by the banking industry and a lot of other industries, and there are standards for ISS,” Mr Hughes explains. The audits are carried out by a team of security assessment experts. “That team is growing by about 300% a year,” he adds. “It started as a small group, but they’re getting bigger and bigger. It’s probably 60% of what we do now.” Inside Asian Gaming spoke with Mr Hughes recently about how GLI provides clients this critical service.
IAG: How broad is the scope of the IT and Internet security assessments you provide?
Mr Hughes: It basically covers any computer IT system, not just gaming. It could be an operator’s hotel management system, for example.
One of the big concerns that operators have is protecting the data they hold in the event of a breach. They’re holding player information. These might be high-net-worth individuals, they’re probably foreign nationals. The protection of the data [the operators] have on those players is very important to them. We conduct assessments not just from the point of view of threats from external people, but also from internal people. People from inside the organization who are accessing systems, accessing information and applications they shouldn’t have access to, either copying the data, modifying the data, creating data, all those different things. So we need to take a multi-layered approach.
We work with the manufacturers that are providing those applications to make sure those applications are secure in the first place because that’s where it starts. Then when that application is being installed, ensuring it’s done in a secure environment. And then we look at how the client is configuring it—adding users, security policies and things like that. Our ISS team does the audits on properties and applications.
We’ve been doing it even longer than three years, but in the last three years we’ve gotten our accreditations. If you want to start taking credit card payments you have to comply with requirements for security and robustness set by the PCI, the payment card industry. We’re an accredited test lab to do PCI compliance testing. As a payment processor you have to be PCI-compliant.
The PCI standards cover any sort of credit, debit and cash card transactions, both online and the terrestrial casino part of it.
Auditing players club systems is a big part of what we do as well. Sometimes people don’t think of player points as money, but points are extremely valuable because they can be redeemed for cash. It’s an area that sometimes can be most overlooked. If I have the ability to increase my player club balance by 20,000 points, I can convert that for cash or rooms or whatever. That’s real money, real comps.
Also, player data is extremely valuable. If a competing casino or property got hold of it, they could target those players.
The other part of it is protecting the players. If I go to a casino and give them my player card I have a certain degree of trust that the casino is not going to use that information for other purposes. So the last thing I want is for someone to steal or copy that data that records how much I play, how often I play—my spending habits. I don’t mind the casino knowing that because I get a reward out of it, but I certainly don’t want someone else to have access to that information, and so casinos will protect that.
Do you do the assessments at a property level or do you need to do them at an even higher level?
We do them at a corporate level. A lot of the corporates that are in both Macau and Las Vegas are looking to do enterprise-wide security assessments. So it’s done at a very high level.
You can’t look at these data warehouses on a property basis because that doesn’t give you a complete picture. The data warehouses exist at an enterprise level so we have to look at security from an enterprise level.
Every property that has operations in Macau would be also hosting, holding or accessing that data from their corporate office. They want the ability to access it, they have extremely complicated systems in place and they take security very seriously.
It’s fair to say Las Vegas Sands, MGM, Wynn, all those, they’re going to have their data in multiple locations, like any business would, because if there’s ever a disaster, if there’s ever a failure at a service center, a fire, whatever, that data still exists elsewhere.
The great thing about doing this type of testing is you don’t have to be on site for much of it. Because of the nature of it you can access everything remotely. We actually set up servers all around the world to do penetration tests from multiple locations in the same way we do the load testing. And we also send somebody on site to do the audit, including the interviews. The initial on-site engagement takes about three to four weeks, and once we’ve done it the first time we normally repeat it every six months or 12 months. It’s like an ongoing review, because things change, configurations, all those sorts of things.
RelatedPosts
And threats evolve?
That’s exactly right. We might become aware of a new vulnerability or a new attack methodology that was not part of the previous assessment. We’ll apply that in the next review. The industry is constantly evolving, so we have to evolve with it. You must need to constantly revise your security assessments to keep up with the new threats?
Yes. There are some very good standards, like PCI and OWASP [The Open Web Application Security Project]. And there’s NSTIC [National Strategy for Trusted Identities in Cyberspace], which is an initiative by the US government to protect people’s identifies on the Internet. It helps that the US government takes applications security very seriously. They have excellent guidelines and rules.
Pretty much everything we look for in the security assessments is not coming from gaming. It’s coming from banking and the IT industries. At the end of the day, this is not a gaming problem, it’s an IT security problem, so we approach it in the same way as the rules guiding the banking and IT industries, and the systems need to be that robust and secure. So the good thing is the gaming industry is not in this alone. There are other industries spending a lot of time and effort on this, and there are commercially available tools for us to use.
Two vendors supply our tools. One of them, which supplies the tools for code-scanning, also supplies the US Department of Defense. And the other is Hewlett-Packard, they do auto-application and codesecurity assessments. These tools are not specific to gaming. They’re outside of the gaming industry.
