Wednesday, March 16, 2011

Your Campus Hotel is Targeted

If you have a hotel or conference center on your campus, assume it is targeted by criminal hackers who want to get the stash of payment card information they keep.

I've written about this issue before (see here, here, and here). Three major hotel associations issued a joint statement today warning of cybercriminal attacks. Their basic recommendations were:

1. Eliminate EVERY default password on EVERY machine on your network -- server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer's desk for monitoring building systems, or the PC in the parking garage attendant's office, or the one in a closet running your keycard system.

2. Eliminate holes in remote access to systems inside your network.

3. If you don't have a firewall, buy one and install it. If you are connected to the Internet without one, then people you don't know, from around the world and many with malicious intent, are reaching into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day -- equating to one every 39 seconds. If that computer is in your hotel, and if their intent is to steal credit card data, they will probably succeed.

The release also endorses PCI DSS compliance. This is actually quite sensible, given that their three recommendations map closely onto PCI Requirements 2.1; 8.3 and 8.5.6; and 1.1 (and all its sub-sections), respectively.
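Recommendations 2 and 3 can be checked against the firewall's own logs rather than taken on faith. The script below is an added example, not code from this post or from the hotel associations' release. It assumes iptables-style kernel log lines in which the administrator set the log prefixes `FW-ACCEPT` and `FW-DROP`, treats RFC 1918 addresses as internal, and uses an assumed set of remote-access ports; the log lines are constructed. It reports accepted inbound remote-access connections from outside the network (the "holes in remote access" of recommendation 2) and, per host, how many external attempts the firewall dropped and how far apart they arrived (what recommendation 3 is buying you).

```python
"""Triage firewall logs for inbound remote-access exposure.

Added example, not from the original post. Log format and prefixes
(FW-ACCEPT / FW-DROP) are assumed; the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed set of ports for illustration; extend to match your environment.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Only RFC 1918 space counts as "inside"; everything else is treated as
# external (so the constructed documentation addresses below are external).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>FW-ACCEPT|FW-DROP) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: two dropped RDP probes 39 s apart, one accepted VNC
# connection from outside, one internal SSH login, one dropped SSH probe,
# and one accepted HTTPS connection (not a remote-access port).
SAMPLE_LOG = """\
Mar 16 08:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51234 DPT=3389
Mar 16 08:00:40 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51235 DPT=3389
Mar 16 08:01:19 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.21 LEN=60 PROTO=TCP SPT=40000 DPT=5900
Mar 16 08:01:58 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=10.0.1.5 DST=10.0.5.21 LEN=60 PROTO=TCP SPT=40001 DPT=22
Mar 16 08:02:37 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.5.22 LEN=60 PROTO=TCP SPT=2222 DPT=22
Mar 16 08:03:16 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.5.20 LEN=60 PROTO=TCP SPT=51236 DPT=443
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
        "verdict": m["verdict"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def is_external(addr):
    """True for any source outside the RFC 1918 ranges."""
    return not any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return (exposures, drop_stats).

    exposures: (dst, service, src) for each ACCEPTed inbound remote-access
               connection from an external address.
    drop_stats: dst -> {"count", "avg_interval_s"} for DROPped external
                attempts; avg_interval_s is None with fewer than two events.
    """
    exposures = []
    drops = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_external(ev["src"]):
            continue
        service = REMOTE_ACCESS_PORTS.get(ev["dpt"])
        if ev["verdict"] == "FW-ACCEPT" and service:
            exposures.append((ev["dst"], service, str(ev["src"])))
        elif ev["verdict"] == "FW-DROP":
            drops[ev["dst"]].append(ev["ts"])
    stats = {}
    for dst, times in drops.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[dst] = {"count": len(times),
                      "avg_interval_s": sum(gaps) / len(gaps) if gaps else None}
    return exposures, stats


if __name__ == "__main__":
    exposures, stats = triage(SAMPLE_LOG)
    for dst, service, src in exposures:
        print(f"EXPOSED: {dst} accepts {service} from external {src}")
    for dst, s in stats.items():
        print(f"{dst}: {s['count']} external attempts dropped, "
              f"avg interval {s['avg_interval_s']} s")
```

Run it against a real `/var/log/kern.log` (after adjusting the prefixes and the port set to yours) and every line in the `EXPOSED` list is a remote-access service the Internet can reach; each one should either be closed or moved behind a VPN, and the drop statistics give you a local version of the Maryland attack-rate figure for your own perimeter.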

The point is to share this information with your campus hospitality and conference organization. Let them know they are targeted, and that they need to be PCI compliant every day -- not just the one day a year when you do your assessment. If you are not or cannot be PCI compliant today, do your best to protect your network perimeter and at least get rid of the large amount of cardholder data that you probably don't need anyway.

Keep in mind the cybercriminals are very smart and well financed. You might also note that as far as I can tell, there are only two kinds of computer systems out there: those that have been breached, and those that are going to be.
