Recently, two major players in the hospitality industry, MGM Resorts and Caesars Entertainment, found themselves sustaining direct, devastating attacks from cybercriminals. Both attacks shared a common thread: they exploited the human element within help desks, highlighting the critical need for robust training, policies, and procedures to protect against such incidents.
The MGM Cyber Attack
The MGM Resorts attackers didn’t use fancy software or Mission Impossible technology or techniques. Instead, they used the oldest trick in the book – a millennia-old trick, in fact: social engineering. In other words, lies.
“Social engineering” is a fancy word. It has its place. But calling it by the older and simpler name, “lies,” sets out in clear relief the simplicity (but maddening resiliency) of the threat that organizations face.
The “cyber” criminals who attacked MGM started with … a telephone. They called in to a help desk and convinced a human to believe they were a privileged user who needed to reset a password. The help desk rep wanted to help, fell victim to the lies, and eventually provided a way to reset the password. This seemingly innocent action marked the beginning of a catastrophic breach that paralyzed MGM’s operations.
Despite MGM’s best efforts, the attack shut down virtually everything. Guests in Las Vegas had to endure frustratingly long check-in and check-out processes, with wait times stretching to two hours. In a bold move, MGM made the decision not to pay any ransom to the hackers. But the aftermath left the company reeling, with millions of dollars in losses, and a black eye on their reputation that will be remembered for years.
Caesars Entertainment: A Similar Tale
Just a week earlier, Caesars Entertainment faced a strikingly similar incident, perpetrated by a different group of hackers. These cybercriminals, too, employed “social engineering tactics” (ahem, lies) to obtain the credentials of a privileged user through a help desk deception. The result was a disruptive and costly breach.
One thing that sets these incidents apart is that the attackers have openly boasted about their exploits, demonstrating a frightening audacity. Sadly, it’s an audacity born of success, since in too many such cases liars do prosper, contrary to the old proverb. But beneath the bravado lies a crucial lesson for businesses, particularly those relying on third-party help desks or Managed Service Providers (MSPs).
The Vulnerability Lies in Human Risk
Both the MGM and Caesars attacks underscore a fundamental truth in cybersecurity: the most significant vulnerability is often human error or manipulation.
Cybercriminals gather information from various sources, including LinkedIn and other online platforms. Armed with this knowledge, they impersonate legitimate users, convincing help desk personnel to unwittingly assist in compromising an organization’s security.
Mitigating the Risk: Training and Policies
To protect against these threats, organizations, especially those with revenues that make them extremely attractive targets, need to prioritize the following strategies:
- Comprehensive Training: Your first line of defense is a well-trained and vigilant workforce – including third-party contractors. Equip help desk personnel with the skills and knowledge to identify and respond to social engineering attempts effectively.
- Multi-Factor Authentication (MFA): Implement MFA wherever possible. Adding an extra layer of security tat makes it significantly harder for attackers to gain unauthorized access.
- Stringent Credential Management: Establish rigorous procedures for changing credentials, particularly for privileged users. Implement multiple authentication steps that require extensive verification before making changes.
- Deepfake and Audio Vulnerability: Acknowledge the growing threat of deepfake videos and audio impersonation. Implement protocols to validate user identities through multiple channels, reducing the risk of impersonation.
- Cyber Insurance: Ensure your business has the right cyber insurance coverage in place. Cyber insurance not only protects against financial losses but also provides access to specialized resources to help avoid, navigate and mitigate the aftermath of a cyber attack.
The Cost of Ignoring Human Risk
The MGM and Caesars attacks demonstrate that even the most sophisticated cyber defenses can crumble when humans are manipulated. MGM faced losses in the millions, while Caesars had to pay a staggering $50 million to regain control of its systems. These eye-watering numbers emphasize the importance of addressing human risk in cybersecurity.
In the urgent need to strengthen your organization’s cybersecurity defenses, it’s easy to be drawn to shiny, high-tech tools and solutions. They have their place. But they’re not the place to start.
The MGM and Caesars attacks serve as stark reminders that the greatest vulnerability remains the human element. By focusing on robust training, strict policies and procedures, and a layered approach to authentication, businesses can significantly reduce their exposure to threats like those faced by these hospitality giants.
In a world where cybercriminals are constantly evolving their tactics, one tactic and strategy remains supreme and overarching: The con. The convincing lie. It’s often the low-hanging, unsexy fruit that can prevent catastrophic disasters. Protect your organization by recognizing the critical role that human factors play in the cybersecurity equation.