
Lessons Learned From the MGM Cyberattack

Part two of a two-part series.

By TraceSecurity
May 24, 2024

As we shared in part one, no corporation or business is immune to a cyberattack, and human error is one of the biggest causes of cybersecurity failures across the world. Even a massive company like MGM Resorts International can be hit with ransomware. Let’s dive in and discover how companies can take steps to strengthen their defenses and mitigate risk.

What Could Have Stopped the MGM Cyberattack?

With proper cybersecurity methods in place, it is very difficult for a hacker group to get access to any sort of business or server. A third-party cybersecurity firm can assist in this, which is sometimes necessary due to government regulations. However, even the bare minimum can save a lot of money and time in the long run.

Security Awareness Training

As said previously, the number one cause of cybersecurity incidents is human error. We’re all human and we all make mistakes, but these mistakes can cost a company millions and millions of dollars – this is what happened to MGM. A single 10-minute call to an IT person led to the multi-billion-dollar company shutting down for multiple days.

Security awareness training is something that both small and large businesses can take advantage of. There is no reason to put these programs on the back burner, considering it’s one of the most important things a business can do. It is a constant reminder to employees to always be vigilant, trust nothing, and scrutinize everything. With the increasing rate of technology and the skill of bad actors, it’s more important than ever before to build awareness.

Many cybersecurity firms offer these programs to companies. With the assistance of security analysts, they will help a business bring together proper procedures and training sessions on cybersecurity. Going further than that, a cybersecurity firm may also run simulated social engineering to reinforce these procedures. These include:

  • Phishing: Sending fake emails and other fraudulent messages in an attempt to get an employee to click on a malicious link or hand sensitive information to a bad actor.

  • Smishing: Using SMS, or short message service, to send fake or fraudulent text messages to victims in an attempt to lead them to a malicious site or into entering sensitive information.

  • Vishing: Using telephone calls or voicemail to contact a person, posing as a professional or as some other employee, to get sensitive information.

There are many other methods, especially physical security awareness training. A security analyst can come to the physical location of the business and attempt a number of different tests, covering visitor policy, document security, and more. Everything is simulated, of course, so the results show a company where its employees’ awareness is weakest and strongest.

Another method of security awareness training is quizzes. While it may seem a bit juvenile to add something like that to a business’s cybersecurity procedures, quizzes have been shown to make these educational courses more effective for the employees who take them.

In these simulated social engineering attacks, a cybersecurity firm may attach educational courses to the phishing emails it sends. If an employee clicks on one of them, they are entered into an informational education course that explains how to avoid the mistake. After they read or listen, they usually must confirm what they learned by answering questions at the end.

There are plenty of other ways for employees to partake in security awareness training. This includes remote and in-person sessions that a security analyst can lead. It is a good rule of thumb to do these two to four times a year, depending on the size and assets of the business. Some even do it once a month.

Vulnerability Assessments

While it isn’t the leading cause of cybersecurity incidents, another large factor in failures is vulnerability in a network. There are many reasons a network can fall to a bad actor’s attack, including misconfigured firewalls, known vulnerabilities that remain unpatched, and more. A vulnerability assessment tells you exactly which weaknesses could let an attacker through.

With a thorough examination, either through a security analyst or a scanner, a cybersecurity firm can give you the information on the most threatening vulnerabilities that could cause a network to malfunction or be brought down with an attack from a hacker. With these scans, a manual examination is usually required afterward to make sure there are no false positives.

While a simple scan might seem like it’s enough, further testing may be needed. A vulnerability assessment is helpful, but it won’t tell you as much as something like a penetration test, which goes through exploiting these vulnerabilities for access.

Penetration Testing

Often the bread and butter of many different cybersecurity firms, penetration testing is becoming more and more important among financial and non-financial institutions alike. Banks and credit unions usually have to get these sorts of tests done due to government compliance, but these should be done regardless.

Like the security awareness training, penetration tests revolve around simulated attacks. There are many different pen tests that can be done, including internal pen tests, external pen tests, red team tests, and more. Social engineering is sometimes taken into consideration, where the security analyst will attempt to gather information to get into the network. There are also tests that will simply allow the security analyst in to find exploits from an “inside” view.

Penetration tests are thorough examinations of a network, as well as exploitation of its vulnerabilities. The simulated attacks use real-world methods that hackers and bad actors use, so they give the most accurate and most detailed information on a network and its security. Usually, the reports created from this test are valuable and are widely accepted by examiners who may come in.

IT Audit

IT audits are an important part of any cybersecurity posture. Despite many businesses using the term for various things, an IT audit is a basic test of accessible points, or controls, in a network. This can range from computers and mobile devices to things like printers or fax machines. Any access point can be a point of entry for a bad actor or hacker if not secure. An IT audit tests the security of these controls.

These IT audits are usually combined with things like risk assessments, ransomware preparedness assessments, and smaller exercises like tabletop testing. Even smaller institutions can take advantage of this sort of thing, considering that an unsecured access point is one of the easier ways for a bad actor to get into a system. One small, missed patch or unknown vulnerability can cause heavy damage, or worse, complete destruction of a business.

No Business Is Immune to Cyberattacks

There’s no mystery that MGM Resorts International is a massive multi-billion-dollar corporation. They should have had a massive cybersecurity effort to protect their employees and customers. Because they had grown complacent and careless with it, bad actors were able to shut them down and cost them tens of millions of dollars.

Despite that, however, this is just one big example. The truth of the matter is that no business is immune to cyberattacks or data breaches. Small businesses and non-profits are also prime targets for these sorts of things. Bad actors have no sympathy and will take what they can get, no matter who or what they hurt. Many businesses have already been bankrupted because of cyberattacks, so it’s important to keep cybersecurity in mind.

Even a small non-profit like Water for People, a $20 million organization that provides clean drinking water in various countries, was hit by a ransomware attack. This is simply more proof that these bad actors target both small and large organizations. Without proper security policies and procedures, there is a strong possibility that a bad actor will get into your network and disrupt your business.

For some businesses like MGM, the financial losses can be easy to cover. There are plenty of insurance options out there that will cover the losses that come with these incidents. However, insurance is a response rather than a method of prevention. Once information is taken, no amount of insurance is going to get it back. If a business has customer information stolen, then customers should not do business with it unless it makes an effort to remediate the breach.

The MGM Resorts International cyberattack was an unfortunate series of events. From previous data breaches, bad actors were able to pick up enough information to target an account that had permission to access many things. It was a simple phone call to an IT employee that let them in: impersonating the account owner, they obtained access through a multi-factor authentication reset.

Upon the reset, the hackers were able to get into the account and take over more accounts. All of this could have been prevented with security awareness training and some vulnerability assessment. For want of that training, MGM Resorts International was brought down. Servers were shut off for multiple days, disrupting its reservation systems, its digital keycard network, and more.
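As an added illustration (not from the article or from TraceSecurity), here is a hypothetical help-desk gate for MFA-reset requests that encodes the lesson above: details a caller can recite (name, employee ID, personal questions) may have been assembled from earlier breaches, so a reset also requires a callback to the phone number already in the directory and, for privileged accounts, a second approver. The record layout, field names and phone numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DirectoryRecord:
    """Hypothetical directory entry (constructed for this example)."""
    account: str
    phone_of_record: str   # number the help desk must call back, taken from the directory
    privileged: bool       # account can reach many systems, as in the MGM case


@dataclass
class ResetRequest:
    """What the help desk knows after taking the call."""
    account: str
    knowledge_checks_passed: bool    # caller gave name, employee ID, etc.
    callback_reached: Optional[str]  # number the analyst actually called back, or None
    approver: Optional[str] = None   # second, named person approving a privileged reset


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_reset(req: ResetRequest, record: DirectoryRecord) -> Decision:
    """Decide whether an MFA reset may proceed.

    Knowledge-based answers are necessary but never sufficient; the reset
    also needs an out-of-band callback to the directory number (not a number
    the caller supplies) and, for privileged accounts, a second approver.
    """
    if req.account != record.account:
        return Decision(False, "request does not match the directory record")
    if not req.knowledge_checks_passed:
        return Decision(False, "caller failed knowledge checks")
    if req.callback_reached != record.phone_of_record:
        return Decision(False, "no callback to the phone number of record")
    if record.privileged and not req.approver:
        return Decision(False, "privileged account needs second-person approval")
    return Decision(True, "verified out of band")
```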

It’s always a good idea to get proper cybersecurity into place. When it comes to cyberattacks, it doesn’t matter if you have a big company or a small one, no one is immune to them. The only big difference is the way that some businesses can bounce back from such an attack. Smaller businesses may have a hard time with remediation, so a good rule of thumb is to stop cyberattacks before they start.

Connect with TraceSecurity to learn more.

About TraceSecurity

TraceSecurity has provided over 30,000 examiner-approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.