Casino IT Assessment Services

Tribal Gaming Focused Network Security Assessments

Performing a security audit is much more than just replicating tasks and running automated tools. Redspin understands that different industries have different requirements and motivations, and tribal gaming casinos, with their incredible pace of growth, are no exception. As a result we have developed a systematic approach geared specifically to the needs and concerns of the tribal gaming casino IT space.

Many auditors are already aware of the accelerating trend towards network integration under way in the tribal gaming industry. ATMs, phone systems, and even certain gaming functions are being integrated into the casino network. With the introduction of server-based gaming, not only is gaming at risk of potential downtime, but even game functions or pay tables could potentially be compromised by an attacker who is initially able to gain access to the casino's internal network. This means that the security implications of the casino network are becoming more important than ever before.

The capacity for an IT auditor to go beyond compliance and to effectively minimize IT security risk is a highly valuable skill, and it is likely to become increasingly indispensable as next generation gaming technology is introduced. A formal network security assessment of the entire casino and gaming commission infrastructure is the best way to minimize risk and achieve a fresh security baseline. Redspin prioritizes findings and effectively communicates the details of how very subtle technical configuration problems can introduce critical risk to the casino network and potentially limit gaming availability.

It is important for auditors to understand that from a broader IT security standpoint, compliance alone only scratches the surface. For example, it is possible to be compliant with the Minimum Internal Controls Standard (MICS) while also having critical vulnerabilities present on the network, due to subtle and possibly counter-intuitive configuration issues hindering the effectiveness of existing controls.

The following discussion addresses the most important areas of security risk that are not only very common in typical casino IT environments, but are also often missed by MICS audits. Understanding these fundamental security concerns will help auditors move beyond compliance to effective risk management. The following materials build off Redspin’s previous presentations at The National Tribal Gaming Regulators Conference (NTGC/R) in 2006 and 2007, as well as from our article to be found in the February 2008 issue of Indian Gaming Magazine:
Casino IT Security Checklist
This checklist will help you identify many common issues that consistently appear in the networks we audit. This is meant as a summary of common issues rather than a complete security guide.

External Threats
Most of the firewalls Redspin reviews are flawed.
  • Are the firewall rules implementing a security policy consistent with the documented corporate security policy?
  • Has the ruleset been peer reviewed or independently reviewed?
  • Is the person who configures the firewall trained appropriately?
  • Is egress (outbound) filtering configured?
External Threats Diagram
DMZ
A DMZ is a separate network defining a restricted security domain.
  • Is a DMZ network in place? (Be aware if you are told “no problem we use VLANs”.)
  • Are all externally/Internet facing services located in the DMZ?
  • Have the firewall rules been reviewed to verify that the internal network is protected from the DMZ?
  • If a server in the DMZ gets compromised, are you confident that the internal network would be protected?
DMZ Diagram
Transactional Websites
30% of the transactional web sites we evaluate can be completely compromised; note to software developers: never trust the user (input)!
  • Has the site been audited by a manual pen-testing procedure?
  • Are all externally/Internet facing services located in the DMZ?
  • Does the SAS-70 specifically address controls related to specific web vulnerabilities? (A SAS-70 rarely addresses these.)
Transactional Websites Diagram
Remote Access
  • Are all forms of remote access identified, approved and documented?
  • Are all remote access users identified and pre-approved?
  • Are these all consistent with security policy?
  • Do you know who/what is on the other side of the remote connection?
  • Is appropriate encryption and authentication used?
The network diagram below is representative of a risky remote access configuration.
Remote Access Diagram 01

This diagram, by contrast, is in line with best practices: remote access is routed to a specific security zone rather than into the core of the internal network.
Remote Access Diagram 02
Workstations & Servers
  • Have you verified that every workstation and server subscribes to the patch management process?
  • How well is your vendor managing the devices it hosts on your network (an ATM, for example)?
  • Are third-party applications (non-operating-system applications such as Adobe Acrobat) patched? What is the process?
  • Are all network shares known and configured to provide a minimum level of access?
  • Do you really know where all of your sensitive data is stored?
  • Is the data centralized or strewn about?
Workstations & Servers Diagram
Gaming Commission Network
  • Do you trust the casino network and its employees?
  • Does the Casino IT Department manage your network?
  • Are you aware of the specific ports/services required for the applications you need from them?
  • If the casino network was compromised (got hacked; had a virus/worm, rogue employee), is the impact to the Gaming Commission network understood?
  • Do you have a firewall protecting you from them?
  • Have you tested to verify that the casino has limited access to your network?
The three network diagrams below are sequenced to show varying degrees of implemented security controls between the host network and the partner network. On the left, partner network connections terminate unfiltered directly in the core of the internal network, potentially introducing critical risk. The middle diagram represents the pragmatic intermediary step of placing a firewall (controlled by you) on the link, so that traffic originating from the partner network can be filtered. However, best practices also state that in an ideal security environment the partner network should host a firewall between itself and you as well, as represented by the final diagram on the right.
Gaming Commission Network Diagram 01
Gaming Commission Network Diagram 02
Gaming Commission Network Diagram 03
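The following is an added example, not Redspin's or the page's own code: a small Python audit over a zone-level firewall ruleset that checks three of the checklist's questions at once: whether egress filtering is configured (External Threats), whether the internal network is protected from the DMZ (DMZ section), and whether the partner or commission link terminates unfiltered in the internal core (the diagrams above). The zone names, the first-match rule format and the port numbers are assumptions, and both rulesets are constructed for illustration.

```python
# Added example (not Redspin's code): audit a constructed ruleset for three
# checklist items: egress filtering, DMZ isolation, filtered partner link.
from collections import namedtuple

# src/dst are zones: "internet", "dmz", "internal", "partner" or "any"; port is
# "any" or a number as a string; action is "allow"/"deny"; first match wins.
Rule = namedtuple("Rule", "src dst port action")

# Constructed ruleset showing the weak configurations the checklist asks about.
SAMPLE_RULES = [
    Rule("internet", "dmz", "443", "allow"),
    Rule("dmz", "internal", "1433", "allow"),     # DMZ host can reach internal DB
    Rule("partner", "internal", "any", "allow"),  # partner link unfiltered
    Rule("internal", "internet", "any", "allow"), # no egress filtering
    Rule("any", "any", "any", "deny"),
]

# Constructed hardened ruleset: same services, with the three gaps closed.
HARDENED_RULES = [
    Rule("internet", "dmz", "443", "allow"),
    Rule("dmz", "internal", "any", "deny"),       # DMZ never initiates inward
    Rule("partner", "internal", "443", "allow"),  # only the agreed service
    Rule("internal", "internet", "80", "allow"),
    Rule("internal", "internet", "443", "allow"),
    Rule("any", "any", "any", "deny"),
]

def allowed_ports(rules, src, dst):  # ports (or "any") src may open to dst
    ports, denied = set(), set()
    for r in rules:
        if r.src not in (src, "any") or r.dst not in (dst, "any"):
            continue
        if r.action == "deny":
            if r.port == "any":
                break  # blanket deny: later rules for this pair never match
            denied.add(r.port)
        elif r.port not in denied:
            ports.add(r.port)
    return ports

def audit(rules):  # one finding per checklist gap; empty list means all pass
    findings = []
    if "any" in allowed_ports(rules, "internal", "internet"):
        findings.append("egress: internal hosts may reach the Internet on any port")
    dmz_in = sorted(allowed_ports(rules, "dmz", "internal"))
    if dmz_in:
        findings.append(f"dmz: DMZ may initiate into internal on {dmz_in}")
    if "any" in allowed_ports(rules, "partner", "internal"):
        findings.append("partner: partner network enters the internal core unfiltered")
    return findings
```

Running `audit(SAMPLE_RULES)` reports all three gaps, while `audit(HARDENED_RULES)` returns no findings; a single allowed DMZ-to-internal port is still reported, since the checklist asks the auditor to review and justify each such rule.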
The following security policies encompass the most crucial tenets of best practices:
 www.sans.org/resources/policies/

The NIGC's MICS Checklist, specifically for Information Technology:
 www.nigc.gov