Article 1
i. Summary of the Security Breach
The breach is a ransomware attack on Johnson Controls International, the Department of
Homeland Security’s main contractor for its security system. According to CNN reporters
Pricilla and Sean (1), the attack caused disruptions to the company’s internal IT systems, putting
some websites offline. The Department of Homeland Security (DHS) identified on 15 June 2023
that a potential breach at Johnson Controls compromised sensitive and private physical security data,
such as DHS floor plans. Headquartered in Cork, Ireland, Johnson Controls is a leading
manufacturer of automation, alarm systems, and other security equipment for buildings. The
DHS contracts the company to provide security details and, thus, holds some of its sensitive and
classified information and contracts. It stores security data and DHS floor plans tied to the
contracts on its servers. The attack led to a government shutdown in a move to establish which
DHS offices were affected.
ii. Screenshot and URL
URL: https://edition.cnn.com/2023/09/28/politics/dhs-investigating-ransomware-attack/index.html
iii. Steps Taken or Being Taken to Alleviate the Effects of the Breach or
Resolve the Issue
The first step Johnson Controls took to mitigate the threat was to hire “external
cybersecurity experts” to assess the impacts of the breach. A system audit allowed the firm to
identify weaknesses and vulnerabilities within its IT infrastructure and whether or not the
sensitive physical security data, systems, and networks were compromised, including the extent
of the damage. Based on the outcomes of the audit, the company announced that it was implementing
additional safeguards to its layered security framework (Pricilla and Sean, 1). No specific
interventions are reported in the article.
iv. Whether the Breach Was Preventable and Potential Preventive Measures
That Could Have Been Taken
The ransomware attack on Johnson Controls was preventable because it targeted and
affected the firm’s internal IT systems rather than the entire network. This signifies that the
potential breach likely emanated from within the company’s buildings and IT infrastructure,
including its computers, network, internal servers, and walk-in traffic. The firm could have taken
several measures to prevent the breach, including implementing technical, organizational, and
physical measures. Technical measures include using firewalls, antimalware or antivirus
software, data encryption, network segmentation, two-way authentication, and software updates
and patches. Organizational measures include providing employee training and awareness,
performing security and vulnerability audits regularly, and establishing and enforcing industry
security standards, procedures, and policies. Physical measures include keeping the company’s
buildings and critical IT infrastructure – computers, servers, and network – secure from
unauthorized intruders by installing door alarms, hiring security officers to conduct checks for all
people walking in, or locking doors for rooms housing sensitive portable devices.
v. Physical Access Security Best Practices That Could Have Been Used to
Prevent the Breach
Potential physical security interventions that could have been used include access
controls (biometrics, key cards, eye scans, and fingerprints) to prevent unauthorized entry into
the company’s buildings, locking doors and gates to bar intrusion, installing surveillance systems
and cameras across sensitive areas and entry points, and deploying alarms in sensitive areas (DMAC
Security, 2). The firm could have also deployed security guards to regulate entry points.
Article 2
i. Summary of the Security Breach
On 11 September 2023, MGM Resorts International announced a “cybersecurity issue”
that affected its online systems, disrupting customer services, especially in Las Vegas. MGM
Resorts is a US-owned global conglomerate operating resorts and casinos in New Jersey, Ohio,
Maryland, Mississippi, Michigan, Massachusetts, and Las Vegas, including Park MGM,
Mandalay Bay, Bellagio, and MGM Grand. The attack affected the company’s websites, slot
machines, and access to hotel rooms. Several gambling machines were offline, and guests were
unable to use their digital room keys, make reservations, or charge services to their rooms, such
as dining and accommodation fees. There was no reported loss of personally identifiable
information or revenue, although reports from experts and insiders pointed to a potential
ransomware attack.
ii. Screenshot and URL
URL: https://www.nytimes.com/2023/09/11/us/cyberattack-mgm-hotel-las-vegas.html
iii. Steps Taken or Being Taken to Alleviate the Effects of the Breach or Resolve the
Issue
One of the first steps the company has taken is to notify law enforcement about the
cyberattack. In a press release, MGM also mentioned taking “prompt action” to safeguard its
data and systems, including shutting down specific systems (Eduardo, 3). By temporarily
shutting specific networks and systems affected by the breach, the firm can separate them from
the rest, preventing the attack from potentially moving laterally and grounding the entire system.
For a company as huge as MGM, a potential spread can spell catastrophic financial and
reputational damage that can take years to recover from. Most importantly, shutting the affected
systems can prevent unauthorized transfer (exfiltration) of sensitive customer information.
iv. Whether the Breach Was Preventable and Potential Preventive Measures That
Could Have Been Taken
The breach was avoidable because the hackers might have potentially launched an attack
within one of the firm’s casinos or hotel premises, especially considering that gambling centers
and hotels of MGM’s magnitude are highly vulnerable due to few physical restrictions on guests.
However, because large firms like resorts and casinos handle vast amounts of financial
transactions, private customer information, and multiple integrated systems, the first step for
MGM could have been to establish comprehensive and multifaceted cybersecurity policies
covering everything, from access controls to information protection to disaster response.
The second most important step could have been to train employees regularly on security
matters, ensuring everyone is updated on the latest additions and technologies.
Another intervention would be to segment the firm’s systems and networks to prevent the
spread of any potential attacks to other systems and company branches. Segmentation means
separating customer data and systems, such as casino systems and accommodation networks.
Other potential strategies include data encryption, regular security system audits and updates,
and physical access barriers, such as restricting unauthorized access to critical infrastructure
housing IT systems, such as data centers.
v. Physical Access Security Best Practices That Could Have Been Used to Prevent
the Breach
Since casinos and resorts like MGM may have difficulty restricting the movement of
customers into their guest rooms and gambling sites, enforcing physical access security measures
may sometimes be difficult. It is nearly impossible to frisk millions of customers accessing the
Bellagio in Las Vegas on a weekend. Nonetheless, there are standard security protocols that
could have been taken to prevent unauthorized access to sensitive customer information and
company systems, networks, and IT infrastructure. This includes implementing access control
systems (biometric scanners and key cards), video surveillance in gaming rooms, increasing
security staffing during peak days, limiting access to servers and data centers, securing portable
hardware like laptops in lockable rooms and cabinets, and installing intrusion detectors and
alarm systems (Ahmad and Ahmad, 4).
Source List