Executive Q&A: Up Close With Tim Cotton, IT Audit Manager at NIGC

Tim Cotton (Cherokee Nation) is the IT Audit Manager at the National Indian Gaming Commission (NIGC), where he oversees a team leading IT internal controls, CJIS audits, vulnerability assessments, and IT training for NIGC’s customer base. With over 20 years in IT and more than a decade in the gaming industry, Cotton has extensive experience with gaming vendors in areas of accounting, vendor administration, and software compliance. Here is what he had to say…

What industry trends is NIGC identifying in cybersecurity threat measures and data encryption technologies to safeguard the customer experience?

When it comes to ensuring safety and security as an agency, NIGC provides technical assistance, including services such as our IT vulnerability assessments, which are the front-end piece of a penetration test. What that vulnerability test does is it allows an operation to look at their network from a benchmark perspective and say, ‘We have these issues that we know we need to address.’ In the future, we are also looking at adding penetration testing to that offering.

As an agency, we always go back to our regulatory mandate. What do the tribes’ technical internal controls look like? How do they deal with vendors and operators? Are they continually updating controls to ensure that they are protecting themselves? When we perform audits, we look at what tribes have in place to ensure they are protecting tribal assets.

How is NIGC helping tribal gaming operators leverage cybersecurity measures to prevent game manipulation?

We offer many different types of cybersecurity and control training. I spoke five or six years ago about how tribal gaming was not necessarily being targeted at that time. However, now we are seeing more and more being targeted with ransomware attacks and cyber intrusions. It really boils down to ensuring that an operation has good internal training with employees. When onsite doing vulnerability assessments, we also incorporate a social engineering component where we try to get employees on the floor to allow us access to sensitive areas. We are finding internal training for employees needs to be increased.

What challenges are tribal gaming operators facing with securing both their internal and external systems?

The challenge they face is to ensure they have those intrusion detection systems in place. Larger operations normally have resources in order to combat all types of ransomware attacks or cyber intrusion efforts. It’s generally the smaller to medium-sized properties that can run into issues, because in some cases, there may be just one person manning the whole operation. What can be done there? It’s all about working through control standards to ensure they have something in place – penetration testing and also user education as well. All of those help ensure they maintain a safe space and avoid cyber intrusions.

What are some of the common infiltration points for tribal casinos to be most aware of – WiFi, phishing, impersonation?

All of those mentioned are an issue. From the WiFi perspective, because there have been many instances of penetrations here, we scan WiFi looking for anomalies on networks. And if we see those anomalies, we point those out to say, ‘Why do you have an extra printer? Is that actually a printer?’ We’ve gone into several sites where we’ve actually identified WiFi points in places the operation had forgotten about. It’s important to know what your technical landscape is so you can make sure that you’re turning those off.

Another big area of concern is phishing. If a property does a continual phishing campaign, that definitely helps with user education. Another great tool is software that not only does phishing campaigns, but can also provide hands-on and practical guidance as well. That can be huge in making sure that users are up to date and more knowledgeable in what to look for when protecting tribal assets.

How can tribal casinos best prepare for the future with regard to their IT and security systems?

Tribal gaming operators need to make sure that they are working closely with their independent test labs. Sometimes tribes forget that they are the approvers of their floor, and although those certification labs are certifying the software, tribes don’t have to necessarily approve them for their floors. That’s an important aspect – making sure that before a product comes out of a lab, tribes are working with their vendors to ensure that what they want in those games placed on their floor is actually included.

Attending relevant industry events is important for tribal gaming operations because they get to engage with the major vendors. When it comes to events like G2E, these are big because you get to talk to folks face-to-face, and make sure that they understand what some of your issues or concerns are as they build out new technology in these games.