Redspin
Services & Products
Main
External Network
Security Assessments
Internal Network
Security Assessments
Website Security Audit
Special Security
Assessment Services
PCI Services     
Casino IT Audits
Redspin Security
Audit Engine    
Request A Quote
Assessment Services Assessment Tools Security Research About Us Contact Us
Casino IT Audits
Tribal Gaming Focused Network Security Assessments

Performing a security audit is much more than just replicating tasks and running automated tools. Redspin understands that different industries have different requirements and motivations, and tribal gaming casinos, with their incredible pace of growth, are no exception. As a result we have developed a systematic approach geared specifically to the needs and concerns of the tribal gaming casino IT space.

Many auditors are already aware of the accelerating trend towards network integration that is already under way in the tribal gaming industry. ATMs, Phone Systems, and even certain gaming functions are already becoming integrated into the casino network. With the introduction of server based gaming, not only is gaming at risk of potential downtime, but even game functions or pay tables could be potentially compromised by an attacker initially able to gain access to the casino's internal network. This means that the security implications stemming from the casino network are becoming more important than ever before.

The capacity for an IT auditor to go beyond compliance and to effectively minimize IT security risk is a highly valuable skill, and it is likely to become increasingly indispensable as next generation gaming technology is introduced. A formal network security assessment of the entire casino and gaming commission infrastructure is the best way to minimize risk and achieve a fresh security baseline. Redspin prioritizes findings and effectively communicates the details of how very subtle technical configuration problems can introduce critical risk to the casino network and potentially limit gaming availability.

It is important for auditors to understand that from a broader IT security standpoint, compliance alone only scratches the surface. For example, it is possible to be compliant with the Minimum Internal Controls Standard (MICS) while also having critical vulnerabilities present on the network, due to subtle and possibly counter-intuitive configuration issues hindering the effectiveness of existing controls.

The following discussion addresses the most important areas of security risk that are not only very common in typical casino IT environments, but are also often missed by MICS audits. Understanding these fundamental security concerns will help auditors move beyond compliance to effective risk management. The following materials build off Redspin’s previous presentations at The National Tribal Gaming Regulators Conference (NTGC/R) in 2006 and 2007, as well as from our article to be found in the February 2008 issue of Indian Gaming Magazine:

Related Services
Internal Network
Security Assessments
 External Network
Security Assessments
 Wireless Security
Assessments
 PCI Services
Casino IT Security Checklist
This checklist will help you identify many common issues that consistently appear in the networks we audit. This is meant as a summary of common issues rather than a complete security guide.

External Threats
Most of the firewalls Redspin reviews are flawed.
  • Are the firewall rules implementing a security policy consistent to the documented corporate security policy?
  • Has the ruleset been peer reviewed or independently reviewed?
  • Is the person who configures the firewall trained appropriately?
  • Is egress (outbound) filtering configured?
External Threats Diagram
DMZ
A DMZ is a separate network defining a restricted security domain.
  • Is a DMZ network in place? (Be aware if you are told “no problem we use VLANs”.)
  • Are all externally/Internet facing services located in the DMZ?
  • Have the firewall rules been reviewed to verify that the internal network is protected from the DMZ?
  • If a server in the DMZ gets compromised, are you confident that the internal network would be protected?
DMX Diagram
Transactional Websites
30% of the transactional web sites we evaluate can be completely compromised; note to software developers: never trust the user (input)!
  • Has the site been audited by a manual pen-testing procedure?
  • Are all externally/Internet facing services located in the DMZ?
  • Does the SAS-70 specifically address controls related to specific web vulnerabilities? (A SAS-70 rarely addresses these.)
Transactional Websites Diagram
Remote Access
  • Are all forms of remote access identified, approved and documented?
  • Are all remote access users identified and pre-approved?
  • Are these all consistent with security policy?
  • Do you know who/what is on the other side of the remote connection?
  • Is appropriate encryption and authentication used?
The network diagram below is representative of a risky remote access configuration.
Remote Access Diagram 01

While this diagram is in line with best practices, routing remote access to a specific security zone, rather than into the core of the internal network.
Remote Access Diagram 02
Workstations & Servers
  • Have you verified that every workstation and server subscribes to patch management process?
  • How well is your vendor managing their devices hosted on your network (an ATM for example)?
  • Are third-party applications (non-operating system applications such as Adobe Acrobat) patched? What is process?
  • All are network shares known and configured to provide a minimum level of access?
  • Do you really know where all of your sensitive data is stored?
  • Is the data centralized or strewn about?
Workstations & Servers Diagram
Gaming Commission Network
  • Do you trust the casino network and its employees?
  • Does the Casino IT Department manage your network?
  • Are you aware of the specific ports/services required for the applications you need from them?
  • If the casino network was compromised (got hacked; had a virus/worm, rogue employee), is the impact to the Gaming Commission network understood?
  • Do you have a firewall protecting you from them?
  • Have you tested to verify that the casino has limited access to your network?
The three network diagrams below are sequenced to show varying degrees of implemented security controls between the host network and the partner network. To the left, partner network connections terminate unfiltered directly into the core of the internal network, potentially introducing critical risk. The middle diagram represents the pragmatic intermediary step of placing a firewall (controlled by you) in place, so that traffic originating from the partner network can be filtered. However, best practices also state that in an ideal security environment, the partner network should host a firewall between itself and you as well, represented by the final diagram on the right.
Gaming Commision Network Diagram 01


Gaming Commision Network Diagram 02


Gaming Commision Network Diagram 03
The following security policies encompass the most crucial tenants of best practices:
 www.sans.org/resources/policies/

The NIGC's MICS Checklist, specifically for Information Technology:
 www.nigc.gov
©2008 Redspin, Inc. All rights reserved. Home  |  Assessment Services  |  Assessment Tools  |  Security Research  |  About Us  |  Contact Us
Site Design and Development by Petro Design Co.

External Network Security Assessments

Internal Network Security Assessments

Website Security Audit

Special Security Assessment Services

PCI Services

Casino IT Audtis

Redspin Audit Engine

Community Banks and Credit Unions

Casinos and Gaming

Small-to-Medium-Sized Enterprises

Redspin Research

Technical Resources

Regulatory Resources

Security Management Advisory

Corporate Ethos

Environmental Ethos

Redspin In The News

Press Releases

Careers

Contact Us

Request Pricing