learn-cyber · lesson 8 · hospitality

The hotel attack surface

A hotel's crown jewels, how attackers reach them, and exactly what Wazuh should watch on each — the map you'll use to onboard every client.

Your mission: You know Wazuh now (agents, rules, groups, tenants). This lesson points all of that at a real hotel. When you walk into a property you need to know, within minutes, what is worth protecting and where it gets hit, so you can decide which agents to install and which custom rules (Lesson 5) to write inside that hotel's group (Lesson 6).

Why attackers love hotels

Hotels sit at a brutal intersection: a lot of money flowing through, a lot of sensitive data sitting still, and very little security watching either. The Verizon DBIR's Accommodation & Food Services data tells the same story year after year: breaches in this sector are overwhelmingly financially motivated, and they target the two things a hotel cannot avoid holding, payment-card data and guest PII.[1]

Four structural weaknesses make the niche soft:

Key idea: A hotel is a payment + PII business that runs legacy systems with nobody watching them. Your job is to find that hotel's crown jewels and put Wazuh's eyes on each one. The rest of this lesson is that asset list, framed as what you protect and mapped to what Wazuh watches.

The crown jewels: what you protect, mapped to what Wazuh watches

Walk every new hotel through this list. For each asset, the question is the same: where does it live, how does it get hit, and what does Wazuh look at?

1. PMS — the Property Management System

The PMS (e.g. Oracle OPERA, one of the most widely deployed hotel platforms) is the heart of the property: reservations, check-in/out, guest folios, and the PII attached to every stay, and it links straight to billing. An attacker who owns the PMS owns the guest database. Treat it as crown jewel #1.

This isn't theoretical. CVE-2023-21932 was a real vulnerability in Oracle OPERA (Oracle Hospitality OPERA 5 Property Services) that put hotels at risk of remote compromise, serious enough to make security news.[2][3] When you harden a PMS host, the vendor's own Oracle OPERA Security Guide is the reference to follow.[4]

Wazuh watch — PMS: Auth logs (who is logging in, failed logins, brute force) · FIM (file-integrity monitoring) on PMS binaries and configuration so any tamper is flagged · vulnerability detection on the PMS host to catch exactly the kind of unpatched flaw that CVE-2023-21932 was. Caveat: the vulnerability scanner works from the host's package inventory, so it flags known CVEs in software it can see; it will not tell you about a flaw that has no CVE yet.

2. POS — Point of Sale

The POS terminals (restaurant, bar, spa, front-desk card machines) are where cards get swiped or tapped. They are the classic target for RAM-scraping and card-skimming malware, which grabs card numbers out of memory in the brief moment of payment when the POS software handles them in cleartext. A POS box is small, rarely watched, and handles cards all day: a perfect victim. One thing to ask on day one: if the property uses point-to-point encryption at the card reader, the POS application never sees cleartext card data, which takes most of the value out of a RAM scraper; if it doesn't, every terminal is a live target.

Wazuh watch — POS: FIM on POS binaries and the directories the POS application writes to (skimmer malware usually has to persist itself somewhere on disk) · process / anomaly detection for unexpected programs running on a payment terminal, which also covers a scraper that stays in memory and never touches disk · auth logs on the POS host and the back-office server.

3. Guest Wi-Fi & flat networks

Guest Wi-Fi must be segmented (walled off) from the PMS and POS. On a flat network, where everything shares one segment, an attacker who joins the lobby Wi-Fi with a laptop can reach the payment systems directly: a single guest sitting in the café pivots from open Wi-Fi straight into the card environment. Network segmentation is the wall; your job is to watch for traffic crossing it.

Wazuh watch — network: The firewall and switches can't run an agent, so ingest their logs agentless, over syslog (recall Lesson 2). Then alert on traffic that crosses from the guest segment toward PMS/POS, the signature of a pivot. Read the firewall's verdict, not just the addresses: a blocked guest-to-PMS connection is someone probing; an allowed one means the segmentation you were relying on has a hole.
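The cross-segment check above, worked through as an added example (not code from the lesson or from Wazuh itself). It parses netfilter-style firewall syslog lines and raises a medium alert when a guest address is blocked on its way to the card environment and a critical one when such a connection is accepted. The addressing plan (guest 10.20.0.0/16, PMS 10.10.1.0/24, POS 10.10.2.0/24, staff 10.10.3.0/24), the "FW-ACCEPT"/"FW-DROP" log prefixes and the sample lines are all constructed assumptions; in a real deployment the same logic is a custom rule keyed on the decoded srcip/dstip fields and the firewall's action.

```python
"""Flag guest-segment flows that touch the card environment (added example).

Parses netfilter-style firewall syslog lines (constructed samples below) and
classifies any guest -> PMS/POS flow. The addressing plan is an assumption.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical addressing plan for one property (assumption, not from the lesson).
SEGMENTS = {
    "guest": ipaddress.ip_network("10.20.0.0/16"),
    "pms": ipaddress.ip_network("10.10.1.0/24"),
    "pos": ipaddress.ip_network("10.10.2.0/24"),
    "staff": ipaddress.ip_network("10.10.3.0/24"),
}
CARD_ENV = ("pms", "pos")  # segments a guest device must never reach

# "<syslog ts> <host> kernel: FW-<ACTION> key=value ..." (netfilter LOG-target style)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>FW-[A-Z]+) (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def segment_of(ip_str):
    """Name of the segment an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_line(line):
    """Return a flow dict for a firewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {
        "ts": m.group("ts"),
        "action": m.group("action"),
        "src": kv["SRC"],
        "dst": kv["DST"],
        "proto": kv.get("PROTO", "?"),
        "dpt": kv.get("DPT", "?"),
        "src_seg": segment_of(kv["SRC"]),
        "dst_seg": segment_of(kv["DST"]),
    }


def classify(flow):
    """Return (level, reason) for a guest -> card-environment flow, else None.

    Levels follow Wazuh's 0-15 scale: a blocked attempt is a probe worth a
    medium alert; an accepted one means segmentation failed and is critical.
    """
    if flow["src_seg"] != "guest" or flow["dst_seg"] not in CARD_ENV:
        return None
    target = f"{flow['dst_seg']} {flow['dst']}:{flow['dpt']}/{flow['proto']}"
    if flow["action"] == "FW-ACCEPT":
        return 12, f"guest {flow['src']} reached {target} (segmentation failure)"
    return 7, f"guest {flow['src']} probed {target} (blocked)"


def detect_pivots(lines):
    """Run every line through the parser and return the alerts in order."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue  # not a firewall line (e.g. the box's own sshd noise)
        hit = classify(flow)
        if hit is not None:
            level, reason = hit
            alerts.append({"level": level, "src": flow["src"], "ts": flow["ts"], "reason": reason})
    return alerts


def top_sources(alerts):
    """Guest addresses ranked by alert count: who is doing the probing."""
    return Counter(a["src"] for a in alerts).most_common()


# Constructed sample log, not captured from any real hotel.
SAMPLE_LINES = [
    "Mar 12 10:01:02 fw1 kernel: FW-ACCEPT IN=vlan20 OUT=wan0 SRC=10.20.5.44 DST=93.184.216.34 PROTO=TCP SPT=51002 DPT=443",
    "Mar 12 10:01:09 fw1 kernel: FW-DROP IN=vlan20 OUT=vlan10 SRC=10.20.5.44 DST=10.10.1.5 PROTO=TCP SPT=51003 DPT=445",
    "Mar 12 10:01:10 fw1 kernel: FW-DROP IN=vlan20 OUT=vlan10 SRC=10.20.5.44 DST=10.10.1.5 PROTO=TCP SPT=51004 DPT=3389",
    "Mar 12 10:01:31 fw1 kernel: FW-ACCEPT IN=vlan20 OUT=vlan11 SRC=10.20.5.44 DST=10.10.2.10 PROTO=TCP SPT=51005 DPT=445",
    "Mar 12 10:01:40 fw1 kernel: FW-ACCEPT IN=vlan12 OUT=vlan10 SRC=10.10.3.20 DST=10.10.1.5 PROTO=TCP SPT=52000 DPT=443",
    "Mar 12 10:01:41 fw1 sshd[911]: Accepted publickey for netadmin from 10.10.3.20 port 50000 ssh2",
]

if __name__ == "__main__":
    found = detect_pivots(SAMPLE_LINES)
    for a in found:
        print(f"[level {a['level']:2}] {a['ts']} {a['reason']}")
    print("top sources:", top_sources(found))
```

Run as-is it prints two level-7 probes against the PMS and one level-12 accepted connection into the POS segment, all from the same guest address; the staff-to-PMS flow and the guest's ordinary web traffic produce nothing. The two-level split is the part worth copying: drops from guest Wi-Fi are routine enough that you want them ranked, not paged, while a single accept is a segmentation failure you investigate that day.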

4. Staff workstations / front desk

Front-desk and back-office PCs are the phishing entry point. Given hospitality's staff turnover, there is always a new employee who will open the wrong attachment. One compromised front-desk PC is often the foothold an attacker uses to reach the PMS sitting on the same network.

Wazuh watch — workstations: Auth logs · FIM on system directories · suspicious-process alerts for the tools attackers run once a phish lands (an office document spawning a shell or script interpreter is the classic first sign).

5. Remote access & third-party vendor access

PMS vendors, maintenance contractors, and the hotel's own off-site manager all need to get in remotely, usually via RDP or VPN. Internet-exposed RDP is one of the most common initial-access vectors in breach data, and hotels leave it open for vendor convenience. Every remote-access service is a door an attacker can try to kick in.

Wazuh watch — remote access: Auth and brute-force detection on RDP, VPN, and SSH. Repeated failed logins from one source are the loudest, earliest signal you'll get; a successful login from that same source right after the run of failures is the one to escalate, because it means a guess landed.
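The brute-force and success-after-failures logic above, as an added example that is not part of the lesson or of Wazuh's own rule set. It normalises real sshd auth.log lines plus a hypothetical collector format for RDP and VPN events (an assumption; your VPN and Windows logs will need their own decoders), then counts failures per source address across all three services in a sliding window, so a source that sprays SSH and then RDP is still one campaign. The thresholds, the assumed year for the year-less syslog timestamps, and the sample lines are constructed; the same shape in Wazuh is a frequency/timeframe rule with same_srcip, plus a second rule that matches a success when the brute-force rule has recently fired for that source.

```python
"""Brute-force and success-after-failures detection over auth logs (added example).

Normalises sshd auth.log lines plus a hypothetical collector format for RDP/VPN
events, then applies a sliding window per source address across all services.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import NamedTuple

THRESHOLD = 5        # failures from one source within WINDOW -> brute_force
SUCCESS_AFTER = 3    # a success after this many recent failures -> escalate
WINDOW = 120         # seconds
SYSLOG_YEAR = 2024   # syslog timestamps carry no year; assumed for the samples

# Real sshd format: "Failed password for [invalid user] <u> from <ip> ..." / "Accepted publickey for ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
# Hypothetical normalised line for RDP/VPN events, as a collector might forward them (assumption).
GENERIC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<service>rdp|vpn): "
    r"(?P<outcome>failed|success) user=(?P<user>\S+) src=(?P<src>[\d.]+)"
)


class Event(NamedTuple):
    ts: datetime
    service: str
    src: str
    user: str
    outcome: str  # "failed" or "success"


def parse_ts(text):
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_event(line):
    """Normalise one log line into an Event, or None if the format is unknown."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "failed" if m.group("outcome") == "Failed" else "success"
        return Event(parse_ts(m.group("ts")), "ssh", m.group("src"), m.group("user"), outcome)
    m = GENERIC_RE.match(line)
    if m:
        return Event(parse_ts(m.group("ts")), m.group("service"), m.group("src"),
                     m.group("user"), m.group("outcome"))
    return None


def _prune(q, now, window):
    """Drop failures older than the window; q holds (timestamp, service) pairs."""
    while q and (now - q[0][0]).total_seconds() > window:
        q.popleft()


def _alert(rule, ev, q):
    return {
        "rule": rule,
        "src": ev.src,
        "user": ev.user,
        "count": len(q),
        "services": sorted({svc for _, svc in q}),
        "ts": ev.ts.isoformat(),
    }


def detect_auth_attacks(lines, threshold=THRESHOLD, window=WINDOW, success_after=SUCCESS_AFTER):
    """Return alerts in order. Failures are counted per source across services."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        q = failures[ev.src]
        _prune(q, ev.ts, window)
        if ev.outcome == "failed":
            q.append((ev.ts, ev.service))
            if len(q) == threshold:  # fires once, as the threshold is crossed
                alerts.append(_alert("brute_force", ev, q))
        elif len(q) >= success_after:  # a guess landed: escalate
            alerts.append(_alert("success_after_failures", ev, q))
            q.clear()  # one escalation per burst
    return alerts


# Constructed sample, not from any real host. The 09:30 failure is outside the window.
SAMPLE_AUTH_LINES = [
    "Mar 12 09:30:00 pms1 sshd[2001]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "Mar 12 10:00:01 pms1 sshd[2101]: Failed password for root from 203.0.113.9 port 40011 ssh2",
    "Mar 12 10:00:05 pms1 sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2",
    "Mar 12 10:00:09 pms1 sshd[2103]: Failed password for invalid user opera from 203.0.113.9 port 40013 ssh2",
    "Mar 12 10:00:14 pms1 sshd[2104]: Failed password for root from 203.0.113.9 port 40014 ssh2",
    "Mar 12 10:00:20 pms1 rdp: failed user=administrator src=203.0.113.9",
    "Mar 12 10:00:31 pms1 rdp: failed user=vendor src=203.0.113.9",
    "Mar 12 10:00:40 vpn1 vpn: failed user=jsmith src=198.51.100.7",
    "Mar 12 10:00:45 pms1 rdp: success user=vendor src=203.0.113.9",
    "Mar 12 10:01:00 vpn1 vpn: success user=jsmith src=198.51.100.7",
    "Mar 12 10:02:00 pms1 sshd[2200]: Accepted publickey for opsadmin from 10.10.3.20 port 50000 ssh2",
]

if __name__ == "__main__":
    for a in detect_auth_attacks(SAMPLE_AUTH_LINES):
        print(a)
```

Run on the sample it raises exactly two alerts for 203.0.113.9: brute_force on the fifth failure inside the window (four SSH, one RDP; the 09:30 failure has been pruned), then success_after_failures when the vendor account logs in over RDP with six recent failures behind it. The staff member who mistypes a VPN password once and then gets in, and the admin's key-based SSH login, stay silent, which is the false-positive behaviour you want before pointing this at a front desk.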

6. Door locks, IoT & building systems

Networked door locks, thermostats, building-management and entertainment systems are an emerging surface: increasingly connected, almost always unpatched, and rarely inventoried. You won't fully monitor these on day one, but flag them — they're where the attack surface is growing.

How the hits map to ATT&CK

You tagged custom rules with MITRE ATT&CK back in Lesson 5. The hotel attacks above land on a small, predictable set of techniques, and speaking these IDs is how you talk to other defenders:[5]

Don't over-tag. A handful of techniques covers the bulk of hotel reality; a clean, accurate map beats an exhaustive one nobody trusts.

From asset list to your deployment

This is where the threat model meets the pipeline. Each crown jewel becomes a concrete decision in that hotel's group:

Crown jewel:   PMS · POS · firewall · staff PC · remote access
Agent:         which hosts you prioritize installing on
Custom rules:  the detections you write (Lesson 5)
Hotel group:   scoped to this client (Lesson 6)

Where to start at a new hotel: Don't try to monitor everything on day one. Cover the PMS, the POS, and the firewall first; as a rule of thumb that is roughly 80% of the risk for a fraction of the effort. PMS holds the PII and folios, POS handles the cards, and the firewall reveals the pivots between segments. Get those three watched, then expand to workstations and remote access.

Check yourself

Retrieval practice — answer from memory before scrolling back. The point is to make this map yours.

Question 1 of 3

A hotel asks which single system holds both guest PII and links to their payments. Which crown jewel is that?

The PMS (e.g. Oracle OPERA) holds reservations, check-in records, folios, and the PII for every stay, and links straight to billing — crown jewel #1. Wazuh watches it with auth logs, FIM, and vulnerability detection.

Question 2 of 3

Why is a flat network so dangerous in a hotel?

On a flat network everything shares one segment, so an attacker who joins the open lobby Wi-Fi can reach the PMS and POS directly. Segmentation is the wall; Wazuh watches for traffic crossing it.

Question 3 of 3

The hotel's firewall can't run a Wazuh agent. How do you still monitor it?

Network gear can't host an agent, so you collect its logs agentlessly over syslog — the pattern from Lesson 2 — and then alert on cross-segment traffic that signals a pivot.

Primary source to read next
Verizon DBIR — find the Accommodation & Food Services section and read how the breach patterns and motives line up with the crown jewels above. Then, for the PMS specifically: skim the Oracle OPERA Security Guide so you can speak credibly about hardening it.
  [1] Verizon DBIR, Accommodation & Food Services breach data and motives.
  [2] Dark Reading, "Hotels at Risk From Bug in Oracle Property Management Software" (CVE-2023-21932).
  [3] Help Net Security, coverage of CVE-2023-21932.
  [4] Oracle, OPERA Security Guide.
  [5] MITRE ATT&CK, Enterprise Matrix.

You just earned: a working threat model of a hotel — the six crown jewels, how each gets hit, what Wazuh watches on each, the light ATT&CK map, and the "PMS + POS + firewall first" starting rule that covers ~80% of the risk.

Up next (Lesson 9): the PMS and POS you just learned to protect are exactly what makes a hotel fall under PCI-DSS. Next lesson: which requirements your Wazuh service genuinely helps satisfy — and how to pitch that honestly without overclaiming "compliance."

← Previous: Lesson 7 — Multi-tenancy: RBAC & dashboard tenants
