Strategic Security Policy

Information security is referred as the strategies that manages the tools, processes as well as policies to identify, protect or prevent the digital as well as non-digital information and information assets irrespective of the format of information and whether the information is in state of transit, or in state of being processed or is at rest in storage. An information asset is a body of information, an information storage system or an information processing system, which is of value to the organization. Information security policy is designed and developed in order to protect integrity, availability and confidentiality of computer system data from malicious users (Safa, Von Solms, and Furnell 2016). An effective security strategy is dynamic, comprehensive and flexible to reply to security threat type. The process of developing a security strategy consists of planning, assessment, regular monitoring and implementation and include mix of actions such as access management measures, policies and procedures, communications systems, technologies and systems integration practices to counter imaginable threats and vulnerabilities. The security strategy document defines and arranges information security as well as security initiatives that the organization must initiate to strengthen the protection of information and the related technology (Obes, Yamada and Richarte, 2013). In the context of data security any potential danger to the information or system can be referred to as threat. One important function of data security is to identify and assess the potential threats assessment, categorically classify them and evaluate the potential damage that might be caused by them (Rao and Selvamani 2015). 

Choice Hotels International identifies information security as one of its primary requirement for smooth running of its business operations. The hotel has formulated strategic security policy to protect data and information assets. This policy involves the security and management of the Choice Hotels International’s information assets (Kim, Lee and Ham 2013). It is notable that besides information technology (IT) department everybody must also take the responsibility of information security. A security strategy can be considered as successful if it includes every stakeholder and can develop persistent processes and strategies to motivating users in taking ownership and help build a strong security policy.

• The Choice Hotels International should provide appropriate resources to create and maintain an effective approach to security;
• The hotel must periodically review policy implementation with employees, staff, customers and shareholders.
• The hotel must follow the laws and regulations that is related to information security.
• The hotel must assign responsibilities to the designated persons such information security officers for managing the information security management system.
• The hotel must keep internal rules such as manuals, basic policy, regulations to ensure information security and should review these rules regularly to strengthen the information security management system.
• The hotel must educate and train all its board members and other employees to make them understand about the importance of information security and information assets. It should also update employees regarding compliance of regulated laws, regulations and internal rules such as basic policy and regulations.
• The laws, industry regulations as well as other requirements regarding protection of data and personal information must be followed by hotel management. In addition, appropriate handling of customer related information must be ensured by the hotel.
• The hotel must collect personal information and data of its customers and other related parties in a fair and legal manner. In addition, while collecting such information and data the hotel authority must provide clarification regarding purpose of the usage of such information and data to the extent necessary for business.
• The hotel must use customer as well as other parties related personal information to provide services, service improvement, conduct questionnaire surveys and so on.
• Without prior permission of the customer and related parties, the hotel authority must not disclose any personal information obtained from them to any third party. However, this is not applicable if the law, courts and law enforcement agencies are required to disclose such information.
• The hotel must ensure that customer as well as other parties related personal information needs to be accurate and up to date. In addition, proper security measures needs to be implemented to prevent any falsification, leakage, loss or other issues that is related to such information. 

• Regarding usage suspension, disclosure, correction or deletion of personal information the hotel must take any necessary actions and/or measures in reply to its customers and other related parties requests.

The hotel management must reassure their customer that digital security is as important as physical security and the customer information must be secured against any potential/cyber threats. However, the following information security principles must be followed to implement all the above strategic security policy

• Information will be protected in line with all applicable legislation and relevant hotel policies, notably those relating to data protection, human rights, prevent and freedom of information.
• There will be a nominated owner for each information asset. Proper use of asset as well as proper security measures to protect the asset are the responsibility of the nominated owner.
• Person having the legitimate requirement for accessing information will be provided the same after confirmation.
• Information classification will be done as per appropriate security level.
• Integrity of information needs to be maintained.
• Those individuals who have the permission granted for information access must take the responsibility to proper handling of information as per its classification.
• Protection of information against unauthorised access.

Identification and Assessment of Potential Threats and Vulnerabilities of the Hotel’s Network

It is notable that if this information security policy is breached then it will be treated as misconduct and accordingly compliance will be enforced. 

The following threats are that are generally faced by the hotel’s network.

• Wi-Fi based threats:-The target for the hacker can be hotel networks as well as customer connecting to those networks. The high-speed wireless internet illustrates the vulnerability of the hotel to cyber threats. There are several security weaknesses of hotel’s Wi-Fi networks hotels have several security weaknesses most of which are similar to the weaknesses of the public Wi-Fi networks. These networks increase the customers’ susceptibility to man-in-the-middle attack and other attacks that compromise their personal information. Security vulnerabilities of the hotel persist to increase due to its dependency upon wireless communications (Shen et al. 2016).
• Phishing attacks:- The main purpose of this attack is to get user credentials through social engineering techniques and access an agency system to launch an advanced resolute threat (Alsharnouby, Alaca and Chiasson 2015).
• Spear-phishing and backdoor attacks:- An example of such attack is The Dark hotel malware. This malware selectively attack business customer of hotel through hotel’s Wi-Fi network (Krombholz et al.2015).
• Ransomware:- In this attack, the attackers encrypts the data by getting access to the organization system. The organization are then asked for ransom payment to get the key to decrypt data (Mercaldo et al. 2016).
• Distributed-denial-of-service (DDoS) and botnet attacks:- This attack carry out activities of malware injection. Here hackers flood the critical systems with traffic such as online hotel booking by using botnets of compromised networks (Yan and Yu 2015).
• Man-in-the-middle (MITM) attacks:-In this attack, malicious code are placed between the victim and a valuable resource such as hotel’s login page by the hackers. The advanced mode of MITM attack is done through browsers where the data transfer between the hotel login page and the user’s browser and is silently recorded by the malware (Vallivaara, Sailio and Halunen 2014).
• Address Resolution Protocol (ARP) spoofing or flooding:-This technique is also used to attack hotel networks. Here hackers modify the data exchange by sniffing the hotel network’s traffic. Here fake ARP messages are send to the LAN by the criminals and victim’s IP address gets associated with the criminal’s MAC address. Consequently, instead of being transfer to the victim’s IP address the data is transferred to the criminal. In addition, the hacker can attack victims through denial-of-service by establishing connection of victim’s IP address with imaginary MAC address (Venkatramulu and Rao 2013).
• Data leakage:- In this attack, malicious actor get access to the consumers system and stay there for long time and identify and extracts critical data which can be customer’s personal and financial information (Katz, Elovici and Shapira 2014).

To mitigate and prevent attacks on hotel networks and hotel customer the following security policy can be used. The chances of information theft can be minimized by taking these considerations into account. The hotel management and IT team should perform the following:-

1) Caution signs must be displayed at front desks as well as in rooms to remind the following to the guests.

• Sensitive information such as social security numbers must not be entered into the login page.
• Any announcement about software update must be cross-checked with the front desk.
• The browser or any site must not be enabled to remember user password and always logout of sensitive accounts.
• Temporary internet files and history needs to be cleared after finishing the work.
• The computer must not be left unattended in public areas of the hotel.

2) To secure customer’s personal information, hotels must configure all its networks and servers with data encryption so that any entered information through hotel forms on the hotel login page are transmitted in encrypted format. In this measure, during the sign-up or login process the secure socket layer (SSL) technology protects the customer’s personal information and safe data transmission is ensured. In addition, to protect the customer data many hotels also uses 256-bit data encryption with validated security certificate (Karagiannis et al. 2015).

3) Hotels must implement threat intelligence feeds. Such feeds contain real-time threat reports and data breach notification that indicate which customers have already been targeted or will be targeted in future. The generating reports are analyzed to prevent attackers from re-targeting the guests in the future.

4) Using virtual private network (VPN) whenever connecting to hotel Wi-Fi can block DarkHotel malware attack. Unless a wireless traffic is not routed through a VPN, then such traffic can be sniffed by any hacker. VPN prevent the interruption of sensitive data by hacker through encryption of all the digital communications (Border, Dillon and Pardee 2015).

5) Hyper Text Transfer Protocol Secure (HTTPS) implies browser’s security and by using this extension, the browser can be forced to secure connection. HTTPS are used by websites, email services, cloud application and such system display a locked padlock in the browser to indicate the automatic encryption of user data. However, encryption for all websites can be activated by using this extension (Fielding and Reschke 2014).

6) Virtual local area network (VLAN) must be used whenever possible as it is safer than Wi-Fi and it is also password protected. Some hotels charge customer for wired internet services  or high-speed Internet. A hotel without a VLAN service would likely offer a Wi-Fi connection. Use of credit / debit cards and sensitive information must be avoided on wireless networks and where possible Ethernet must be used as it provides security (Udutha and Rapeti 2015).

Strategies to Prevent Attacks and Ensure Data Security

7) Security program such as firewall must be activated before connecting to the web via hotel networks. Firewalls are generally present in most operating systems (OS) and antivirus programs. Firewall prevents hacking and malware attacks by blocking the unauthorized system access. The data that can and cannot be transmitted from the system are also regulated by firewall (Suh et al. 2014).

8) Before check-in into the hotel, the customer must update his/her OS security and ensure that antivirus, anti-malware that are running on the device are completely updated. During web surfing on hotel network, any offer on the unsolicited software update must be avoided.

9) The configuration of all the network and security devices must be secured. A backup copy of tested and updated configuration must be stored so that it can be used in case of any disaster.

10) All network devices must be synchronized by configuring the network time server.

11) Finally, all systems must conform and include the following things.

• All known security patches must be applied.
• All unwanted application must be uninstalled and all unwanted services must be disabled.
• All necessary logs for system, security and audit must be enabled.
• Endpoint protection programs such as Host based Intrusion Detection Systems (HIDS), application firewall, anti-malicious software must be installed.  

References:

Alsharnouby, M., Alaca, F. and Chiasson, S., 2015. Why phishing still works: User strategies for combating phishing attacks. International Journal of Human-Computer Studies, 82, pp.69-82.

Border, J., Dillon, D. and Pardee, P., Hughes Network Systems LLC, 2015. Method and system for communicating over a segmented virtual private network (VPN). U.S. Patent 8,976,798.

Fielding, R. and Reschke, J., 2014. Hypertext Transfer Protocol (HTTP/1.1): Authentication (No. RFC 7235).

Karagiannis, V., Chatzimisios, P., Vazquez-Gallego, F. and Alonso-Zarate, J., 2015. A survey on application layer protocols for the internet of things. Transaction on IoT and Cloud Computing, 3(1), pp.11-17.

Katz, G., Elovici, Y. and Shapira, B., 2014. CoBAn: A context based model for data leakage prevention. Information Sciences, 262, pp.137-158.

Kim, H.B., Lee, D.S. and Ham, S., 2013. Impact of hotel information security on system reliability. International Journal of Hospitality Management, 35, pp.369-379.

Krombholz, K., Hobel, H., Huber, M. and Weippl, E., 2015. Advanced social engineering attacks. Journal of Information Security and applications, 22, pp.113-122.

Mercaldo, F., Nardone, V., Santone, A. and Visaggio, C.A., 2016, June. Ransomware steals your phone. formal methods rescue it. In International Conference on Formal Techniques for Distributed Objects, Components, and Systems (pp. 212-221). Springer, Cham.

Obes, J.L., Yamada, C.E.S. and Richarte, G.G., Core Security Technology, 2013. System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy. U.S. Patent 8,490,196.

Rao, R.V. and Selvamani, K., 2015. Data security challenges and its solutions in cloud computing. Procedia Computer Science, 48, pp.204-209.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Shen, W., Yin, B., Cao, X., Cai, L.X. and Cheng, Y., 2016. Secure device-to-device communications over WiFi direct. IEEE Network, 30(5), pp.4-9.

Suh, M., Park, S.H., Lee, B. and Yang, S., 2014, February. Building firewall over the software-defined network controller. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 744-748). IEEE.

Udutha, S.C. and Rapeti, M., Cisco Technology Inc, 2015. Preventing leaks among private virtual local area network ports due to configuration changes in a headless mode. U.S. Patent 8,989,188.

Vallivaara, V.A., Sailio, M. and Halunen, K., 2014, March. Detecting man-in-the-middle attacks on non-mobile systems. In Proceedings of the 4th ACM conference on Data and application security and privacy (pp. 131-134). ACM.

Venkatramulu, S. and Rao, C.G., 2013. Various solutions for address resolution protocol spoofing attacks. International Journal of Scientific and Research Publications, 3(7), p.1.

Yan, Q. and Yu, F.R., 2015. Distributed denial of service attacks in software-defined networking with cloud computing. IEEE Communications Magazine, 53(4), pp.52-59.