Hong Kong and Shanghai Hotels Ltd Vulnerability Assessment

Conducted a global Internet security vulnerability audit and analysis and implemented significant improvements.

CASE STUDY

About HSH Ltd.

HSH is a Chinese holding company which is engaged in the ownership, development and management of prestigious hotel, commercial and residential properties in key locations in Asia, the United States and Europe. The hotel portfolio of the Group comprises The Peninsula Hotels in Hong Kong, Shanghai, Beijing, New York, Chicago, Beverly Hills, Tokyo, Bangkok, Manila and Paris (opening in 2013). The property portfolio of the Group includes The Repulse Bay Complex, The Peak Tower and The Peak Tramways, St. John’s Building, The Landmark in Ho Chi Minh City, Vietnam and the Thai Country Club in Bangkok, Thailand.

Challenge

The Management Services organization of HSH was concerned that the company was over-exposed to technical vulnerabilities in their computers and networks as well as weaknesses in security policies and practices that might leave them and their guests exposed to hacking and network disruptions.

Specifically, the major concerns were:

  • The susceptibility of each system to a specific attack and the opportunities available to a threat agent to mount that attack.
  • Identifying all of the means by which penetrators might attempt to circumvent the security features of each system.
  • Whether methods and process were in place sufficient to detect break-ins or attempts to attack.

Solution

Netswitch designed and built a complex vulnerability analysis that included:

  • An Internet perimeter vulnerability assessment to discover all host based systems accessible via the Internet from outside the HSH Internet Firewalls, updated to reflect technological developments and the emergence of new threats.
  • Port scans for each of the IP Addresses, to identify services running on internet-facing machines that may be vulnerable to exploitation or reveal confidential system configuration information.
  • The use of malformed URLs and different authentication techniques to gain information and access to the servers; to determine account lockout, IDS levels, automated IP blocking levels; and identify use of access control lists and VPNs.

Value

The determination of security vulnerability enabled HSH to take proactive measures to insure against theft, fraud and subsequent loss and litigation resulting from modern Internet hacking protocols and guest account exposures to privacy violations.