Security Best Practices: Guidelines for the Hotel Industry and Similar High-Turnover Environments

David Petty
Independent Security Evaluators
8 min read · Jan 25, 2017

Businesses with a high volume of employee turnover need an efficient onboarding and offboarding system to handle the legal requirements of the process, and this can be one of the biggest challenges for a large business. Because they handle more staff changes, industries like hotels, insurance companies, and convenience stores are prone to rushing or overlooking the security aspects of the turnover process.

In our research on this topic, we found several guides on the matter, including those by CSO and Total Networks. However, most of them focus on Human Resources (HR) procedures and ignore many Information Technology (IT) security measures. For this reason, we brainstormed our own ideas to create an extensive summary of best security practices in the context of employee turnover. This blog will focus on IT management along with some aspects of the HR department. It is primarily intended for, but not limited to, high-turnover businesses where employees authenticate to on-premises devices through some company software. The hotel industry fits these criteria well and will be our setting as we walk through security practices in a real-life context.

Managing Devices

The first step for securing a high-turnover business is to keep track of its devices by implementing a system that reduces the likelihood that they are lost, stolen, or tampered with.

1. Exclusively use on-premises devices. This means employees should not have any work laptops or mobile devices, there should be no BYOD (Bring Your Own Device) to work, and there is no ability to work from home. This reduces the probability of employees installing malicious software, scripts, and/or backdoors on unmonitored devices that they can bring onto the company network. It also removes the need for remote access to on-premises devices.

2. Disallow any remote access. Remote access software, such as TeamViewer, would allow an employee to log into an on-premises device remotely. This is dangerous not only because it opens up the device to any remote attacker, but also because it gives malicious employees the opportunity to control devices from anywhere. For example, a disgruntled employee could subtly install TeamViewer or similar software onto one of the front desk computers at a hotel concierge, and then access the computer remotely and cause damage even after leaving the company.

3. Harden on-premises devices. All on-premises devices, such as PMS (property management systems), POS (point of sale) systems, manager terminals, etc., should be securely hardened as much as possible. This would involve implementing general computer hardening steps, e.g., Windows Group Policy, and consistent security updates. This would not, however, replace recurring security audits by a company or third-party specialist, which we would strongly recommend to any business.

4. Maintain authentication devices. The company should retrieve all of an employee’s keys, keycards, key fobs, etc., when the employee leaves the company, regardless of whether they were terminated or resigned. This should also include any 2FA (two-factor authentication) devices as a defense-in-depth practice.


Managing Accounts and Credentials

Mismanagement of accounts and credentials is one of the most common ways an attacker can infiltrate a system. Large companies with high turnover, especially, need a clearly defined and secure protocol for handling credentials during the turnover process.

1. Implement least privilege. Least privilege means employees should have only the minimum access to devices and software that they need to do their job. This principle becomes increasingly difficult to apply with a larger number of employees, but it can make or break a business depending on how it’s implemented.

1.1. Ensure employees have correct permissions. In the context of a hotel, employees should only be able to access the computers, interfaces, and files that pertain to their particular job function. For example, a front desk employee should not be able to use his or her credentials to log into the manager’s computer.

1.2. Restrict removable media. If the industry does not require removable media, restricting it is a good idea in order to prevent malicious actors from introducing dangerous data onto company computers or exfiltrating data. Assuming hotel computers have the normal drives and ports, this involves disabling DVD±RW drives and USB ports (some companies even physically obstruct their devices’ USB ports with port locks or epoxy). This effectively reduces the attack surface of the system without introducing any new features.

2. Do not share credentials between users. Sharing credentials between employees may seem advantageous as it reduces the amount of account information a business needs to manage; however, in a high-turnover environment, it will create more problems than it avoids. For example, if hotel front desk workers all use a set of credentials dedicated to each terminal, the separation of one worker from the company requires resetting all the terminals’ credentials. This creates issues depending on the hotel’s turnover procedure. If there is a delay between when an employee leaves and when the credentials are reset, the ex-employee would retain access to the system for some time. On the other hand, if credentials are reset as soon as an employee leaves, but there is a delay until new credentials are set, then the other employees won’t be able to access the computers for some time.

Another consideration is non-repudiation (the assurance that someone cannot deny something). If an employee commits a malicious act on a company computer, it will be more difficult to pinpoint the employee if they all share common user accounts.

2.1. Implement single sign-on. Single sign-on assigns each user a unique set of credentials to access all the applications in a system. This is an effective technique in a high-turnover environment because management can simply deactivate a specific employee’s account if they leave the company, preserving the other employees’ credentials.

2.2. Secure software licenses. Large businesses with high turnover should take precautions when distributing license keys because employees may copy them down and keep them. Malicious use of a license key could include leaking it publicly, distributing it to a competitor, or using it personally. A site license using a license server may work better in these environments, as it may eliminate individual license keys altogether.

3. Deactivate emails and other accounts. This is an obvious recommendation, but it is easy to concentrate on high-profile accounts (e.g., property management systems) while overlooking smaller ones. Companies with high turnover, especially, should have a sound protocol for deactivating all of an ex-employee’s accounts promptly after separation. As discussed above in section 2.1, single sign-on offers a better way to handle this problem.

4. Terminate any existing sessions. This follows the idea that you can lock someone out, but you need them to exit first. Depending on how sessions are handled on company computers, it’s possible that an employee’s session is preserved even after separation, which increases the possibility of a malicious ex-employee reusing a session. One example is stateless web session management such as JSON Web Tokens (JWTs), where administrators can lock out an account but do not necessarily have a way to “log out” a user. This means simply changing a past employee’s credentials would not be sufficient, and the account may remain accessible until the session expires. It should be noted that this problem is amplified if user credentials are shared.
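The following is an added example, not code from the original post or from Independent Security Evaluators, illustrating both section 2.1 (deactivating one employee’s account without touching anyone else’s) and section 4 (the stateless-token problem). It builds a minimal HMAC-signed token in the JWT layout and shows that expiry alone leaves a deactivated user’s token valid, so the verifier consults a small server-side registry of deactivation timestamps. The signing key, user names, and claim names other than the standard `sub`, `iat`, and `exp` are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key for this demo only; a real deployment loads it from a secret store.
SECRET_KEY = b"demo-only-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, now: int, ttl_seconds: int = 8 * 3600) -> str:
    """Issue a stateless HS256-style token: header.claims.signature (no library needed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class SessionRegistry:
    """The server-side state a purely stateless setup lacks: per-user deactivation times.
    Any token issued at or before a user's deactivation time is rejected, which is the
    'log out' step that changing a password or disabling the account does not provide."""

    def __init__(self) -> None:
        self._deactivated_at: dict[str, int] = {}  # subject -> unix time of deactivation

    def deactivate(self, subject: str, now: int) -> None:
        # Offboarding: one employee is cut off; every other user's token keeps working.
        self._deactivated_at[subject] = now

    def verify(self, token: str, now: int):
        """Return the claims if the token is authentic, unexpired and not revoked, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        signing_input = f"{parts[0]}.{parts[1]}"
        expected = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
        try:
            actual = _b64url_decode(parts[2])
            claims = json.loads(_b64url_decode(parts[1]))
        except (binascii.Error, ValueError):
            return None
        if not hmac.compare_digest(expected, actual):
            return None  # tampered payload or forged signature
        if claims.get("exp", 0) <= now:
            return None  # expired: the only check a purely stateless verifier can make
        revoked_at = self._deactivated_at.get(claims.get("sub"))
        if revoked_at is not None and claims.get("iat", 0) <= revoked_at:
            return None  # issued before the account was deactivated
        return claims


if __name__ == "__main__":
    registry = SessionRegistry()
    alice = issue_token("frontdesk-alice", "front_desk", now=1000)
    bob = issue_token("frontdesk-bob", "front_desk", now=1000)
    print("alice before offboarding:", registry.verify(alice, now=1500) is not None)
    registry.deactivate("frontdesk-alice", now=2000)
    print("alice after offboarding: ", registry.verify(alice, now=2500) is not None)
    print("bob unaffected:          ", registry.verify(bob, now=2500) is not None)
```

The trade-off is visible in the code: the registry reintroduces a lookup on every request, which is exactly the state JWTs were meant to avoid. Short token lifetimes reduce how long a stale token stays usable, but only the revocation check closes the window immediately.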

System Monitoring

Large businesses with large networks need a centralized way to monitor all their connected components. A strong monitoring system improves both intrusion detection and incident response.

1. Review audit logs. When utilizing computer logs, organization and vigilance are the two most important principles. Any large company will be a target of hackers, and logs provide useful information for both preventing and investigating attacks.

1.1. Develop an organized logging system. An automated security logging system is useful for detecting malicious behavior. Centralized logs also increase the efficiency of log analysis, which can be important for time-sensitive investigations. These systems should alert on any significant security events, including software installations, unauthorized file system accesses or changes, authentication failures, network configuration changes, devices added to the network, etc. SIEM (security information and event management) software products exist to provide such services, but companies may also develop their own proprietary systems.
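As an added example (not part of the original post), here is the kind of alerting logic section 1.1 describes, run over a handful of constructed log lines. The line format (`timestamp key=value ...`), the event names, the host names, and the device inventory are all invented for the demo; a real SIEM would normalize vendor-specific formats into something similar before applying rules like these.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = """\
2017-01-25T02:14:03 host=frontdesk-02 event=auth_failure user=jdoe
2017-01-25T02:14:10 host=frontdesk-02 event=auth_failure user=jdoe
2017-01-25T02:14:20 host=frontdesk-02 event=auth_failure user=jdoe
2017-01-25T02:14:31 host=frontdesk-02 event=auth_success user=jdoe
2017-01-25T03:02:11 host=frontdesk-02 event=software_install user=jdoe package=remote-desktop-tool
2017-01-25T03:05:44 host=dhcp-01 event=device_join mac=aa:bb:cc:dd:ee:01
2017-01-25T03:06:02 host=dhcp-01 event=device_join mac=aa:bb:cc:dd:ee:ff
2017-01-25T04:10:00 host=manager-01 event=config_change scope=network item=dns_server
2017-01-25T04:12:00 host=manager-01 event=config_change scope=display item=wallpaper
"""

# Constructed asset inventory: MAC addresses the hotel knows about.
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

FAILURE_THRESHOLD = 3      # auth failures per user ...
FAILURE_WINDOW_SECONDS = 300  # ... within this many seconds raise an alert


def parse_line(line: str) -> dict:
    """Turn '2017-01-25T02:14:03 host=x event=y ...' into a dict with a 'ts' float."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["ts"] = datetime.fromisoformat(timestamp).timestamp()
    return fields


def detect(lines) -> list:
    """Apply the rules from the post (installs, auth failures, network changes,
    new devices) and return (rule, detail) tuples, one per triggered alert."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent auth failures
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        kind = ev.get("event")
        if kind == "auth_failure":
            user = ev.get("user", "?")
            recent = [t for t in failures[user] if ev["ts"] - t <= FAILURE_WINDOW_SECONDS]
            recent.append(ev["ts"])
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("repeated_auth_failure", f"{user} on {ev.get('host')}"))
                recent = []  # fire once per burst, then start counting again
            failures[user] = recent
        elif kind == "software_install":
            alerts.append(("software_install", f"{ev.get('package')} by {ev.get('user')} on {ev.get('host')}"))
        elif kind == "device_join" and ev.get("mac") not in KNOWN_DEVICES:
            alerts.append(("unknown_device", f"{ev.get('mac')} seen by {ev.get('host')}"))
        elif kind == "config_change" and ev.get("scope") == "network":
            alerts.append(("network_config_change", f"{ev.get('item')} on {ev.get('host')}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: {detail}")
```

Running the block on the sample produces four alerts: a burst of failed logins, a software installation, a device that is not in the inventory, and a network-level configuration change. The fourth config_change line, a wallpaper change, is correctly ignored, which is the point of scoping rules to security-relevant events rather than alerting on everything.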

1.2. Audit logs manually. Scheduled log reviews by a security specialist are a good way to avoid relying solely on an automated system.

2. Restrict access by shifts (if feasible). This involves configuring time-management software to completely restrict employee access outside the time frame of their shifts. This may be an efficient way to reduce attack surfaces and increase monitoring power. It’s important to remember, however, that if any such system that restricts access is compromised, the security of the system is nullified. Another limitation is the overhead it could add to the shift-swapping process since employees would have programmed shifts.
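This added example (not from the original post) shows a shift-based access check of the kind section 2 describes. The schedule, user names, and 15-minute grace period are constructed; the interesting case it handles is a night shift that crosses midnight, where the login happens on a different calendar day than the day the shift belongs to. Access is denied by default for anyone without a scheduled shift.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Shift:
    weekday: int  # 0 = Monday ... 6 = Sunday, the day the shift starts
    start: time
    end: time     # end <= start means the shift runs past midnight into the next day


def shift_window(shift: Shift, start_date):
    """Absolute [start, end) datetimes for a shift starting on the given calendar date."""
    start_dt = datetime.combine(start_date, shift.start)
    end_dt = datetime.combine(start_date, shift.end)
    if end_dt <= start_dt:
        end_dt += timedelta(days=1)  # overnight shift
    return start_dt, end_dt


def is_login_allowed(user: str, when: datetime, schedule: dict,
                     grace: timedelta = timedelta(minutes=15)) -> bool:
    """True if 'when' falls inside one of the user's shifts (plus a grace margin)."""
    for shift in schedule.get(user, []):  # unknown user -> no shifts -> denied
        # The shift may have started today or, if it crosses midnight, yesterday.
        for days_back in (0, 1):
            day = (when - timedelta(days=days_back)).date()
            if day.weekday() != shift.weekday:
                continue
            start_dt, end_dt = shift_window(shift, day)
            if start_dt - grace <= when <= end_dt + grace:
                return True
    return False


# Constructed schedule: a night auditor Monday 23:00-07:00, a day clerk Tuesday 07:00-15:00.
SCHEDULE = {
    "night-auditor": [Shift(weekday=0, start=time(23, 0), end=time(7, 0))],
    "frontdesk-alice": [Shift(weekday=1, start=time(7, 0), end=time(15, 0))],
}


def check_and_log(user: str, when: datetime, schedule: dict = SCHEDULE) -> str:
    """Decision plus a one-line audit record, so denials show up in the log review."""
    allowed = is_login_allowed(user, when, schedule)
    return f"{when.isoformat()} user={user} login={'allowed' if allowed else 'DENIED_outside_shift'}"


if __name__ == "__main__":
    # 2017-01-23 is a Monday, so 02:00 on the 24th is inside the Monday night shift.
    for user, when in [
        ("night-auditor", datetime(2017, 1, 24, 2, 0)),
        ("night-auditor", datetime(2017, 1, 24, 12, 0)),
        ("frontdesk-alice", datetime(2017, 1, 24, 8, 0)),
        ("frontdesk-alice", datetime(2017, 1, 25, 8, 0)),
    ]:
        print(check_and_log(user, when))
```

Two caveats from the post carry over directly: the check only helps if the system enforcing it is itself protected, and every shift swap has to be reflected in the schedule before the swapped employee shows up, or the denial log will fill with legitimate staff.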

3. Request routine audits. Properly securing a network is an arduous task that requires more than one set of eyes. Even companies with large security teams seek out specialists to perform detailed security assessments of their systems. For large companies with a high volume of turnover, routine security audits are crucial.

HR Turnover Process

This section won’t focus on technical issues, but many parts of the HR process are important for the security of a company, especially those with high turnover.

1. Develop a systematic onboarding/offboarding process. An organized turnover process limits the risk of accidentally sharing credentials, granting improper access, or forgetting to remove access. There should be a direct and efficient communication method between the HR and IT departments to avoid any delays between employee turnover and device configuration, especially when it comes to securing devices upon an employee departure.

2. Conduct extensive security training. New employees should receive complete security training before starting work. This should include general security practices, e.g., don’t leave a terminal open, and incident reporting, i.e., employees should know exactly how to report any security issues. An anonymous reporting system should exist to allow employees to report suspicious behavior of coworkers.

3. Perform sound background checks. Background checks are a standard way to weed out malicious employees, but they aren’t perfect and can be mishandled. Ideally, background checks are finished before an employee starts, and they should be as thorough as possible without becoming cumbersome. In a scenario where a new employee needs to start before the background check finishes, e.g., for training, then the company should restrict their access until the probationary period ends.

4. Perform exit interviews (depending on the circumstance). Exit interviews are a common practice, but they need to be handled sensitively as terminated employees’ feelings need to be respected. However, exit interviews provide a great opportunity to survey any departing employees on what devices and accounts they had access to in order to help the company remove any loose privileges.

Why is this important?

Most companies with high turnover rates, like hotels, have to process more position changes, which can become a burden on the HR and IT departments. Without the necessary resources and knowledge, these types of businesses can overlook the security considerations involved in the onboarding and offboarding processes, which can expose them to both internal and external attacks.
