Trustwave Blog

Top 5 Compliance Challenges for Hospitality - #1: Broad Attack Surface

Written by Mark Polimus | Oct 31, 2012

In this series, we're addressing the top 5 security and compliance challenges faced by hospitality brands and properties.

The #1 challenge hotels and other hospitality businesses face is the broad attack surface found in their network environments and ecosystems.

Broad Attack Surface = More Opportunity for Hackers
A broad attack surface can be thought of in two ways:

1. The literal breadth and size of the computing and data network, at individual locations and aggregated across the business.

Hotel properties in particular host a plethora of systems, supporting reservations, accounting, sales, and food service, to name just a few. Hotels are also increasingly a superset of a retail merchant operation, with elements of food and beverage (e.g., bars, restaurants), retail (e.g., gift shops, apparel) and traditional hospitality services (e.g., guest room charges, business office, spas). All these operations, with their traditionally high credit card transaction volume, present a large opportunity for hackers to enter the business environment - and profit from the credit card data they find.

2. Services and credentials exposed or presented via the network.

The attack surface is further broadened when a hacker can easily:

  • Discover targets on the network that use shared resources, such as file and print services.
  • Exploit weak passwords and shared credentials used to access systems and applications.
  • Reach critical assets such as database servers directly, through insecure remote access services, applications or ports left open by your firewall.


Shrinking the Attack Surface
Take an inventory of your system assets and applications to determine where your greatest risk to sensitive or critical data lies. Leveraging the segmentation exercise highlighted in this series, isolate these risky systems and applications as much as possible.

Next, review in-house and third-party providers. Often the applications and systems they provide are set with default, weak passwords. Look for open ports that may leave the asset or application vulnerable. If necessary, engage an objective third party to perform a comprehensive risk assessment and gap analysis of your network and assets.
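
To make the inventory review concrete, here is an added example (not from the original post or from Trustwave) that scores each asset against the three exposures listed above: shared file and print services, default or shared credentials, and remote access or database ports left open. The asset names, port groupings, and weights are assumptions made for illustration.

```python
# Port groupings and weights are assumptions for this example, not taken from the post.
FILE_PRINT = {139, 445, 515, 631, 9100}   # SMB/NetBIOS, LPD, IPP, raw printing
REMOTE_ACCESS = {23, 3389, 5900}          # Telnet, RDP, VNC
DATABASE = {1433, 1521, 3306, 5432}       # MSSQL, Oracle, MySQL, PostgreSQL

# Constructed sample inventory; in practice this comes from your asset register.
INVENTORY = [
    {"name": "pos-restaurant-01", "segment": "flat", "card_data": True,
     "open_ports": [445, 3389], "credentials": "default"},
    {"name": "reservations-db", "segment": "cardholder", "card_data": True,
     "open_ports": [1433], "credentials": "unique"},
    {"name": "lobby-printer", "segment": "flat", "card_data": False,
     "open_ports": [631, 9100], "credentials": "default"},
    {"name": "spa-kiosk", "segment": "guest", "card_data": False,
     "open_ports": [], "credentials": "unique"},
]

def audit_asset(asset):
    """Return (score, findings) for one inventory record."""
    ports = set(asset["open_ports"])
    checks = [
        (2, "file/print sharing exposed", ports & FILE_PRINT),
        (3, "remote access service exposed", ports & REMOTE_ACCESS),
        (3, "database port open", ports & DATABASE),
    ]
    findings = [(w, f"{label} on ports {sorted(hit)}") for w, label, hit in checks if hit]
    if asset["credentials"] in ("default", "shared"):
        findings.append((3, f"{asset['credentials']} credentials in use"))
    if asset["card_data"] and asset["segment"] == "flat":
        findings.append((2, "card-data system on an unsegmented network"))
    score = sum(w for w, _ in findings)
    if asset["card_data"]:
        score *= 2  # exposures on systems that touch card data count double
    return score, [msg for _, msg in findings]

def rank(inventory):
    """Assets with at least one finding, highest score first."""
    results = []
    for asset in inventory:
        score, findings = audit_asset(asset)
        if findings:
            results.append((score, asset["name"], findings))
    return sorted(results, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, name, findings in rank(INVENTORY):
        print(f"{score:>3}  {name}")
        for finding in findings:
            print(f"       - {finding}")
```

The assets at the top of the ranking are the first candidates for isolation and credential changes.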