Cinema Network Security - ICTA Cinema Network Security - ICTA

Cinema Network Security

January 30, 2019

Three cyber experts discussed issues and recommendations for “Cinema Network Security.”  The experiences and suggestions of James Pope, partner @ Pope Tech and the IT Director @ Metropolitan Theatres; Greg Ackerman, Founding Partner and CEO of FRS Pros; and Wynn Salisch, Chairman and CEO of Casablanca Ventures, visit the ICTA website…

 

Alan Roe: We have one more presentation before the coffee break which is on the vital topic of Cinema Network Security. Joining us today are three experts in that field. James Pope is a partner @ Pope Tech and the IT Director @ Metropolitan Theatres; Greg Ackerman, Founding Partner and CEO of FRS Pros; and Wynn Salisch, Chairman and CEO of Casablanca Ventures. I’ll start with Wynn. Do you have some figures or numbers around security breaches and what they can mean to cinemas?

Wynn Salisch: First, let me tell you that over half of all security breaches happen in small businesses and two-thirds of those small businesses go bankrupt within six months — so this is a really important subject. Recent high-profile breaches have included the Marriott breach – which really was Starwood where over 500 million records were stolen – Equifax where 143 million records were taken – and Heartland, the credit card processor, which lost 134 million records. Ransomware, which is plaguing the industry, is costing a massive amount because of the fees involved and the lack of lost business as a result.

Roe: Those are big numbers.

Salisch: One thing I will add is that Cisco does cyber security and in their report, they indicated that even small- and medium-sized businesses can face costs up to $2 ½ million once they get breached. Costs can add up very fast because a single record can cost about $170 in a breach and given the fact that most breaches aren’t detected for 9 months, think of how many transactions occur in nine months in a movie theater — times $170 each.

Roe: So now that we have scared the lights out of everyone, I think James is just about to say something.

James Pope: Last week in court, an insurance company denied paying a cyber security breach because they called it “a nation state attack, an act of war.” They claimed Russia was behind it. So what does that mean if your cyber insurance suddenly won’t pay out because they say, “oh, the attack came from outside the United States — that’s an act of war.” We don’t know how that’s going to turn out; it should be interesting.

Roe: We’re talking about millions of dollars here. We’ve heard that even if you have cyber security insurance, it might not pay out depending on who is attacking you. So how do we stop this from happening?

Pope: We can’t. So, assume you are going to get breached. The questions are: What can you do to mitigate that? What they have access to? How far they can go? The first point is: segment your networks as much as possible. For example — you have a digital menu board company that needs remote access to update the graphics, right? But does that need to be in the same network with your digital projection systems and your audio processors and your speakers? Or can you break that off into its own separate network by itself – so if, the menu board company gets compromised, the access is contained to just digital menu boards and they can’t go to everything else. There’s some logical steps you can take and a really big one is to break up your networks. Everything should be on its own separate network; if one is breached, it shouldn’t provide access to your entire operation.

Greg Ackerman: Sometimes segmenting it physically doesn’t always do the complete job; you might not be able to see the traffic, you are not aware of the threat that might be impending. It’s important also to have manageable, intelligent devices on your network, so you can monitor all the traffic in between the segments and within the segments themselves. And I always recommend some kind of inspection within your networks and your segments because you really need to know what traffic is building and what’s the purpose of that traffic. It used to be the old days, we’d have a fire wall to protect ourselves.

Roe: You mean it was “The public’s out there, we’re in here, we’re private, we’re good”.

Ackerman: No more. Those day are gone because private internal networks are no longer protected. Quite honestly, you could have vulnerabilities from bringing your own devices into work, Wifi, and other things that are completely accidental; people don’t realize they are actually exposing your network. Cyber criminals are using ports to get in and the next thing you know they’re inside your network, and so I always like to see ongoing management and regular inspections so if you start to see trends or high volumes, realize, OK we have a possible threat here — and you can actually act upon it and lock it up.

Roe: So Wynn, what’s the solution?

Salisch: Think differently. Don’t think you are too small to be victimized — or think it just won’t happen of me. As we all know, that is no longer the case. Now with the new GDPR regulations in Europe, if somebody breaches you and takes all of your loyalty card records for instance, the addresses, and starts using those and it can be traced back to you, under GDPR, the European Union could go after your company for 4% of its revenues.

Roe: And those laws are coming to the States, aren’t they?

Salisch: California recently passed a similar law that is going to take effect in 2020 — and other states are aggressively looking at the same types of things. That just makes the cost of trying to prevent a breach miniscule by comparison. And one of the primary things you’ve got to do is to make sure that you are not using any default passwords. Everything needs to be customized, preferably made complex — not simple passwords that are searchable in a dictionary.

Pope: It’s difficult to go through and create different passwords for each piece of equipment or system because when a tech shows up, you need to know how to handle it. But there are ways to do this. Other industries have gone through this; and it’s really up to vendors to force that change.

Roe: Times have changed.

Ackerman: In the old days hackers used viruses to disrupt your business and cause you financial pain. Now they can actually earn money from you by holding you ransom and keeping your files from you until you pay the money. They go in to your system, look around and try to extract as much information as possible about your business. They may even send emails from decision-makers in your organization, using email campaigns that will fool your employees to do things they shouldn’t. Long story short — these are sophisticated hacks and they are not going to stop. So when you have point-of-sales or even work stations on the network that don’t have basic security, it can be a lot easier for cyber criminals to do their job.

Roe: No reason to make it easy. Are some cinemas doing things right?

Ackerman: Sure. One of our customers — we do all their IT and one day we got a call from one of their executives who said that their processor bank said one of their cinema locations had an infiltration and about $125,000 worth of credit cards were suspected stolen, used or leaked by the site. We did an investigation and found no apparent leak. We had a solid security infrastructure, we had a strong security taskforce, all the point of sales were locked down. We had segmented networks, we had DPI (Deep Packet Inspection) capability, we had none of the vulnerabilities you might worry about. We were found innocent.

Roe: But…?

Ackerman: We reported this information to the executive, who took that to the processor and this went on for about 3 or 4 months. And this is where it gets a little crazy because I don’t think anyone realizes most of your processors have a contract with you and inside the contract — under the real fine details — they can basically order an audit or an investigation, with or without cause. And that kind of process costs minimum $40,000 – and that’s the last thing you want to spend on, but you can’t stop the investigation. It’s required. If you don’t, you don’t take credit cards any longer.

Roe: So a breach — or even a potential breach — can be costly?.

Ackerman: In several ways. In this industry, when you are investigated, you are assumed to be guilty and you have to prove you’re innocent. And while the investigation is going on, they were withholding any remittances — and they say they are doing that so that when the investigation is completed, they will figure out the fines and damage and withhold that money and give us the rest. The point here is that this can have a huge impact whether you are on the right side or the wrong side. So you have to be prepared and the reason we were successful is because of complete segmentation that we were able to prove without a doubt that information and the way it transpired though our entire network and into the processor was all safe. But all our customer’s card processing income was withheld for 4 months at that location, and then there was a further delay of 4 months before it was repaid. And this was a case where the customer was exonerated – in well over 90% of cases the merchant is found guilty, because proving that you’re innocent means having every single box ticked, and also being able to prove it, without any doubt: so much as a single weak point, and you are sunk.

Salisch: The only other thing I’ll say is the investigator that we were talking about is called a PFI forensic investigator and there are about two dozen in the entire country, so you imagine how busy they are. As soon as you are notified that a breach has occurred, you have to go out a find one within a very limited timeframe and your lawyer has to put them on retainer, so their work is protected by lawyer-client privilege. It’s not going to protect you from fines, but it will give you a little bit faster resolution of the whole thing. So I urge you to find a PFI, put them on retainer just in case.

Roe: It’s a dangerous world out there.

Pope: But nothing in security is all about any one thing; the reality is you need lots of things and you do them in layered efforts. Firewalls are a big deal. Segmentation — with firewalling between your segmentation makes a lot of sense. And increase the application firewalling. Does your LMS need to talk to your point of sale, for example? Things like that — taking it to that level — documenting it and having someone internal or external people maintaining it makes a lot of sense. If you are a top five chain, you are probably going to put a lot of money towards it, but even if you’re a smaller chain, there are logical things you can do. Get executive buy in, start with a security framework like the CIS20. You do your top six steps and you are 80% there. Take logical steps, document what’s on your network, harden some operating systems, use external people where you don’t have knowledge.

Roe: There is more help available today.

Pope: You have a lot of resources that weren’t there when I first started doing this. You can literally contact your point of sale provider and say, help me through PCI — and they will help you through PCI. You can go to your NOC and say I need all new passwords — and they’ll do it. So do it. You can put the pressure on your vendors to help you and leverage a lot of this stuff for you; they can accomplish a lot of that for you.

Salisch: If you go to the Payment Card Industry council website, there are a number of good documents on there that give greater explanation into the various categories of topics. The documents translate everything into plain English.

Pope: PCI is required, you are going to have to do that. You have to play in that game if you want to take credit cards, which we all do. The PCI is a security framework, but they only care about credit cards. In cinema today, you should care about your entire network.

Ackerman: One thing also to mention, the PCI new requirements keep getting more stringent and they’re sending out questionnaires – and if you were to get breached, that becomes a legal document, so make sure you’ve filled it out accurately and you have all the required safeguards in place. Firewalls are great, and end points are great, but without the infrastructure, the layers, the segmentation and a unified approach to threat management – all working together — you can start to see patterns in your points of failure or infiltration.

Salisch: The other thing is that your PCI compliance — your certification – is only a snapshot in time. If you answered all the questions honestly and truly are PCI compliant, ten minutes later an usher can walk into your box office and put a thumb drive into your system that’s not PCI compliant and you’re out of compliance. So nine months down the road, when they do the forensic investigation, and they do a picture of your entire system, they’ll go back to those dates and they will see that well, you were compliant on this date, but was anything added to your network later that may have voided it all?

Roe: So it’s constant diligence, isn’t it?

Ackerman: And it’s employee education and management education — to not just answer the questionnaire and answer it honestly — but to maintain those standards every single day and protect your infrastructure. Make sure that nobody accidentally — or intentionally — takes you out of compliance. The most important thing here is that prevention — because if you react to a situation when you are under investigation or audit, they see you are reacting, and they assume you’re covering up some issue in your network — and you can’t do that.

Pope: I’ve seen people spend a lot of dollars when under duress, and I’ve seen what they pay when they are not under duress — and you get way more bang for your buck when you’re not required to solve issues because you’ve been compromised.

Roe: What else are hackers looking for?

Salisch: The same information they’re looking for everywhere — personally identifiable information of you, your employees, your guests, everyone, from social security numbers to birth dates to anniversary dates, addresses — because then they sell that information to other hackers who do nothing but match it up with other information that has been stolen elsewhere and then they resell that for a much greater value.

Roe: So what you need to do is do an assessment of everything that you store in your system.

Salisch: All the information you store — and identify those pieces of information that might have value to someone, somewhere. That’s your first line of defense. Target those areas. And get rid of stuff you don’t need to store. Second of all: anything you do absolutely need to store, either make sure it’s encrypted, password-protected, or segmented off into separate networks where it’s more reasonably protected. As soon as I transmit it in a password-protected file to the processor, I delete it from my servers entirely and wipe it so that I don’t retain that information. There is no sense having stuff you don’t need and if you do need it, you can always go back and ask for it again.

Ackerman: One thing we haven’t touched on is – an investigator will want to see the longevity of your security — they will want to look at logs that are at least a year old. If you don’t have logs that are at least that old, you have to explain why. That’s why this is something that’s got to be more preventive and reactive because, by the time you react, it’s too late.

Roe: Don’t most cinemas carry cyber insurance?

Pope: Cyber insurance is good – but having an action plan also makes a lot of sense. Expect the worst will happen and know whom to call. What will you do if it’s this system? What if it’s that one? Do you have techs who can go out? How fast? How quick can you get things reimaged? I do think creating some tabletop exercises makes a lot of sense — and coming up with some action plans for those tabletop exercises. If this type of scenario happens, here’s what do we do. So that, if and when that scenario happens, you have a rehearsed plan and you follow it. It doesn’t mean it’s going to be perfect, but you’re going to be within 20% variance instead of being 100% behind and making a lot of mistakes.

Ackerman: One thing about cyber insurance: a lot of times cyber insurance has different levels, different requirements, and sometimes even a requirement for your network and infrastructure security. So if you don’t meet their criteria, you don’t get the coverage.

Pope: So the more secure you are, the more affordable the premiums. This is like any insurance. If you don’t have a roof on your house, they’re going to charge you a lot of money to protect you from water damage. If you’ve got a roof on your house, you pay less. So absolutely, they are going to make you jump through some security hoops – and make sure you’ve done some reasonable things – but that’s good for you and for them.

Salisch: Talk to your insurance company. All of them have cyber riders at this point, and they have all the statistics, they know what they need to cover. Right now, a lot of the credit card processors may be hitting you with a monthly fee for cyber insurance – I would really look into what exactly that covers. You’ll find most of it is bare bones so you are probably better off going through your insurance company where you have your other liability and property insurance and casualty.

Pope: I do want to give just a few quick easy wins, because I know every time we talk security, it seems to be all doom and gloom. And it’s not. There are some easy wins that you can apply. These aren’t going to solve everything; there is no silver bullet in security. But there are things like two-factor-authentication — you run Google, you run Office 365. Go add that to your primary account. It’s simple, it’s easy. Disabling Windows macros is another easy win. There is no reason that macros should be running on those. SPF (Sender Policy Framework) records for phishing — easy win. DKIM, these records may be a little harder but start with SPF. That just means somebody can’t spoof from your address; another easy win. Don’t upload social security numbers. So these are just some easy ones, there are plenty of others. And make sure you have executive buy-in please.

Ackerman: Also, on the local level, make sure you’re not storing people’s passwords. And keep in mind, that means on all devices. And look at everything, including your thermostat. They are all part of your network.

Salisch: Reach out to people you know who can help you. We are all available to you. We are all here to help each other, so don’t be shy.

Pope: At this point, almost every point-of-sale provider and almost every equipment reseller is now a cinema provider. The people you buy your equipment from, they almost always have a way to assist you with this because they are dealing with it every day. If you already have a rep you are comfortable with and who you are buying your equipment from, they either can help you or get you in the right direction on how to get help on this.

Roe: Thank you gentlemen. There’s lots to digest, isn’t there? Time for a ten-minute coffee break.

Upcoming Events

event_image

NACA 2024

September 12 2024 - January 14 2025

Universal Hilton, Universal City, California

event_image

CineTRAIN & ICTA Course Launch

October 21 2024 - March 31 2025

New York

event_image

Los Angeles Seminar Series Sponsorship Packages

November 18 - December 31 2024

New York

Are you a member?

Get priority access to events

Join ICTA Today