Inside Asian Gaming, March 2015

Cyber Security

One of the big concerns that operators have is protecting the data they hold in the event of a breach. They’re holding player information. These might be high-net-worth individuals, they’re probably foreign nationals. The protection of the data [the operators] have on those players is very important to them.

You can’t look at these data warehouses on a property basis because that doesn’t give you a complete picture. The data warehouses exist at an enterprise level so we have to look at security from an enterprise level. Every property that has operations in Macau would be also hosting, holding or accessing that data from their corporate office. They want the ability to access it, they have extremely complicated systems in place and they take security very seriously. It’s fair to say Las Vegas Sands, MGM, Wynn, all those, they’re going to have their data in multiple locations, like any business would, because if there’s ever a disaster, if there’s ever a failure at a service center, a fire, whatever, that data still exists elsewhere.

The great thing about doing this type of testing is you don’t have to be on site for much of it. Because of the nature of it you can access everything remotely. We actually set up servers all around the world to do penetration tests from multiple locations in the same way we do the load testing. And we also send somebody on site to do the audit, including the interviews. The initial on-site engagement takes about three to four weeks, and once we’ve done it the first time we normally repeat it every six months or 12 months.
It’s like an ongoing review, because things change, configurations, all those sorts of things.

And threats evolve?

That’s exactly right. We might become aware of a new vulnerability or a new attack methodology that was not part of the previous assessment. We’ll apply that in the next review. The industry is constantly evolving, so we have to evolve with it.

You must need to constantly revise your security assessments to keep up with the new threats?

Yes. There are some very good standards, like PCI and OWASP [The Open Web Application Security Project]. And there’s NSTIC [National Strategy for Trusted Identities in Cyberspace], which is an initiative by the US government to protect people’s identities on the Internet. It helps that the US government takes applications security very seriously. They have excellent guidelines and rules.

Pretty much everything we look for in the security assessments is not coming from gaming. It’s coming from banking and the IT industries. At the end of the day, this is not a gaming problem, it’s an IT security problem, so we approach it in the same way as the rules guiding the banking and IT industries, and the systems need to be that robust and secure. So the good thing is the gaming industry is not in this alone. There are other industries spending a lot of time and effort on this, and there are commercially available tools for us to use.

Two vendors supply our tools. One of them, which supplies the tools for code-scanning, also supplies the US Department of Defense. And the other is Hewlett-Packard, they do auto-application and code-security assessments. These tools are not specific to gaming. They’re outside of the gaming industry.
