MGM vs. Caesars: Cybersecurity Expert Rates Hacking Responses
Posted on: September 21, 2023, 12:21h.
Last updated on: September 26, 2023, 02:42h.
Caesars paid. That’s one of the few important things we know so far about the two recent cyberattacks on the two largest casino operators in Las Vegas. It’s not known whether MGM Resorts International paid its cyber attackers after they gained access to its systems on September 10, though outward appearances point to its resisting any such demands.
Casino.org asked Lisa Plaggemier, executive director of the National Cyber Security Alliance, whether it’s better for big corporations to pay or not to pay.
Q: According to the Wall Street Journal, Caesars Entertainment paid $15 million of the $30 million ransom that hackers originally demanded. MGM has already suffered much worse consequences than Caesars, to the tune of possibly $8.4 million per day. Assuming that this is because it refuses to pay, is this a better response than Caesars’?
A: Just like the FBI or any federal law enforcement agency will tell you, the best way to deal is not to pay. The more organizations pay, the more cybercriminals are going to keep doing it. As long as it’s profitable for them, they’re going to keep doing it. It’s as simple as that.
But actually, the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises. You bring in outside consultants, a third party that runs you through an exercise where you practice having an incident and everybody knows what their role is and how they would respond. That can help you find weaknesses, maybe in the way your backup processes are built or in your response plan.
I also recommend having a policy solution for this. I’ve worked for organizations where they had a written policy that was approved by the senior leadership that said, ‘If this happens to us, then we will not pay.’ If you know that this is who you are as an organization, that you just won’t give money to criminals, that allows you to manage an attack accordingly.
It allows you to know what you need to do to be prepared, what investments you need to make, so you’re not having to make a decision like that when your hair is on fire.
Q: According to a communique allegedly posted by the hackers, MGM caused most of its own problems by shutting down its systems preemptively. What do you make of this claim?
A: I’ve read it. It’s interesting. But whether or not I feel like they have credibility, that’s another question. I mean, they’re criminals. But I think there’s a lot of evidence suggesting that MGM’s network was not properly segmented. There should never be a situation where, for example, something bad happens in your payment card system and some of your slot machines don’t work. It’s like breaking into one store in the mall gets a criminal into every store in the mall.
Organizations really need to be prepared. They need to make the investments in their IT infrastructure to make sure that they’ve got good backups because that’s the antidote to ransomware, to be able to just go to your backups, so you can be operational again as soon as possible.
Also, I’ve never seen a data breach or a security incident that didn’t have one or more human errors along the way, and it’s usually multiple points of failure. So organizations must design systems in a way that presumes there will be human failure and limits the damage it can cause.
Q: It’s been reported that MGM has $200 million in cyber insurance to cover losses, including ransoms, suffered by large corporations in a cyberattack. Isn’t this a bad crutch to lean on if your goal is to discourage cybercrime?
Q: It was kind of a panacea in the early days of cyber insurance. I’m not an expert in this area, but I’ve heard of some instances, where if you’re not taking reasonable precautions, then the insurance is not your get-out-of-jail-free card. So every instance is probably different.
But I think that apathy, that feeling of the inevitability of a cyberattack, can lead people to actually do the wrong thing. ‘Since this is going to happen, I’m just not even going to bother trying to prepare.’ That’s far, far worse than doing something. You just don’t ever want to be the easiest company to hack. Cybercriminals are busy and their time is money. They’re going to move on to the next victim if hacking you is too hard.
Q: Of course, the biggest problem with paying ransoms to cybercriminals is that you have no guarantee that it’s even going to work.
A: Exactly. Will you even get your data back? And was it already for sale on the dark web? Also, is the data encrypted? Because, if you run into technical difficulties with the encryption keys, they don’t exactly have incentive to provide customer support.
At the end of the day, they’re criminals. Considering that you know these are individuals who did this in the first place, are you really going to take their word for it? Because that’s all you have, and you’re assuming honor amongst thieves, which I think is always an iffy proposition.
Q: People like debating whether Vegas is better off with corporations running the show than when the mafia did. In a way, cyberattacks have placed organized crime back in charge.
A: Absolutely. It’s just a different mob now.
Related News Articles
MGM Cyberattack’s Scoop Came from Social Media
MGM, Caesars Hackers Claim They Stole Six Terabytes of Data
Venetian Slot Outage NOT a Cyberattack, Las Vegas Casino Insists
MGM Cyberattack Likely Costing Casino Company Millions of Dollars a Day
Most Popular
VEGAS MYTHS RE-BUSTED: The Mob Buried Hundreds of Bodies in the Desert
FTC: Casino Resort Fees Must Be Included in Upfront Hotel Rates
Genovese Capo Sentenced for Illegal Gambling on Long Island
NBA Referees Expose Sports Betting Abuse Following Steve Kerr Meltdown
Former Resorts World & MGM Grand Prez Surrenders Gaming License
Most Commented
-
Whiskey Pete’s Casino Near Las Vegas Closing After 47 Years
December 17, 2024 — 8 Comments— -
Former Resorts World & MGM Grand Prez Surrenders Gaming License
December 15, 2024 — 8 Comments— -
Caesars Virginia in Danville Now Accepting Hotel Room Reservations
November 27, 2024 — 8 Comments— -
NBA Referees Expose Sports Betting Abuse Following Steve Kerr Meltdown
December 13, 2024 — 7 Comments—
Last Comments ( 6 )
Where do you see blockchain could have prevented some of this? They took over the systems taking advantage of some exploit/credentials/social engineering and they have just shut down or prevented access to all their services... they don't need to take any data away to blackmail the casino operators...
To date no party has ever penetrated (2) yes two patented solutions that are designed to protect critical data. The Govt. Has attempted numerous times to no success. A test capability is available so there is no excuse to see a different solution that works and truly is Quantum and AI proof unlike others who talk resistant or another patch to incomplete solutions.
Yes, Michael, I'm ready to hear what you have to say. E-mail me at corey@casino.org
I was at Park MGM September 10 th thru 16 th . Then All slots went out no playing. We walked around until rumors went out that the elevators and rooms were next to go out , Then TVs stopped working then telephones stopped. Wednesday I decided to go home early on Thursday so $ 645 later we came home Thursday . I don’t understand why they didn’t have some sort of back up , No more visits to Las Vegas this year it was our 4th visit too Las Vegas this year .
I work at a Caesars property. Are ya ready to hear what I have to say?????????????
To date no hacking group has been able to successfully cripple the NACA blockchain embedded data system using the Mazachain This system embeds specific data such as user credentials within a mazachain based block chain where it cannot be removed or tampered...its the same system successfully used to protect Ukrainian documents and data during the conflict...even Russias national hacker teams failed to remove even the simplest embedded data...maybe it's time we rethink how we secure data