PREVALENT THREATS IN ONLINE GAMING – EVERY SECOND COUNTS

In our previous blog, we looked at a recommended approach for a security improvement program (SIP) at the highest level. Recognising that having the basis to build on and improve security is essential, however it’s also vital that the business understands different threats that the gaming industry faces. They run parallel to the SIP program.

To sustain a successful online gaming business, where every second counts, live threats can affect real-time systems and must be swiftly detected and eradicated to prevent considerable financial losses.

In this blog, we look at the most prevalent threats in the gaming industry and illustrate how they fit in to the high-level SIP approach we described previously.

DDoS Attacks:

The online gaming and gambling industry is very familiar with DDoS attacks; these types of attacks started to affect the internet back in the late 1990’s. In the early days they started as experiments run by script kiddies, but have since evolved to be used as a cyber weapon by savvy cyber criminals to extort ransom money, take websites down for business reasons or as part of hacktivism.

Despite improved protection and a drop in the number of recorded incidents, discussion on DDos attacks resumed after one of the largest incidents ever recorded, in September 2016. The magnitude of 623Gbps, attack by a botnet called “Mirai” made use of approximately 26K IP addresses, many of which were Internet of Things (IOT) devices with poor security.

It’s important to note that the goal of DDoS attacks is not necessarily to take a website down, but is often merely a decoy, allowing an adversary to target the business using a different attack vector. This leads us to the next type of threat which is targeted attacks.

Targeted Attacks – going after the ‘Crown Jewels’:

A targeted attack evades security measures and operates in low volumes to reach a specific goal. In contrast a ‘scatter attack’ would be launched against different businesses and consequently would be more detectable. Adversaries utilising targeted attacks are often cyber criminals (individuals, organised crime or mercenaries) or a nation state and are mainly after financial gain, general reconnaissance or espionage.

The adversary’s target is to steal, alter or destroy data.  Often well-funded and equipped, they persist until they succeed in penetrating the network and dwell there until their goal is achieved. The tools, techniques and procedures used by adversaries vary from widely available tools and known attack toolkits to proprietary attack tools and cyber weapons designed to evade detection. Most of the major cyber security breaches today report dwell time is around the 200-day mark and then it takes less a few days to successfully compromise a business.  This alarming stat signifies a gap in the way businesses adopt an effective security approach.

It’s important to note that while the adversarial threat is significant, the threat posed by insiders, often trusted employees, whilst lower in number of incidents, may be even riskier to the business. They may hold privileged access to different resources, and intentionally (or unintentionally which is covered in later section) cause a targeted breach of data.  The 2016 Verizon threat report signifies that privilege misuse in the business commonly commenced by an internal employee contributed to 172 confirmed breaches and reached the 4th place as the main root cause of data breaches.  Cyber espionage, Crimeware and web application attacks, by adversaries, accounted for a total of 1,112 breaches.

Adversaries use various methods to find the vulnerability that allows them to compromise and gain control of a business asset.  Spear phishing and malicious attacks via email, utilising malicious websites and drive-by attacks, attacking web applications, as well as social engineering or collaborating with an internal employee or partner are all common methods.

Protection against targeted attacks is therefore required across a variety of security solutions, including endpoint protection, anomaly detection, web and email protection among others.  Close monitoring across the estate of security logs to detect and break these attacks effectively and reduce dwelling time to a minimum, is therefore required.

The Gaming Platform:

Whether it’s the game operator or a game vendor, the gaming platform is considered the engine and the heart of the gaming experience and is therefore the target of abuse.

• Consumer credential abuse: Cyber criminals attempt to profit by abusing the gaming platform in different ways. These include targeting gaming clients with rogue software or phishing attacks to gain gaming credentials, access to credit card data, funds and chips. A consumer of a blackjack betting website for example, might find a useful plugin that promises to help beat the odds, however this plugin merely syphons off the consumer’s credentials and sends them to the attacker.

Credential abuse is one of the top concerns in the gaming industry.  These can lead to loss of reputation and business.  Online gaming businesses need to educate their consumers on these types of attacks, and incorporate mechanisms in their gaming platforms and websites to alert anomalous account behavior to prevent fraud.

•  Employee/Partner credential misuse: Employees and partners fall into a category of entities that mostly have privileged access to critical systems. Many gaming businesses rely on partners, whether it’s gaming operators that require the gaming vendor to access their network to fix issues that occur on the gaming platform in real-time, or a gaming vendor that developed a certain gaming technology that a partner requires access to for platform integration. Insider attacks are the hardest form of attack to discover, it could take months and years until such an attack is detected.  The abuser might be a disgruntled employee, a partner with a set of credentials that got compromised or even an employee joining forces with an external party.
• Game integrity and logic abuse: Game platforms are made by people and are therefore vulnerable to human error. The type of vulnerabilities referred to in this part are not application vulnerabilities, but logical gaming vulnerabilities which result in an attacker taking financial advantage of the platform. A game of poker with players hosted from all over the world, who join the same table, and work together to manipulate the game, may try repeatedly to ‘beat the house’.

Game integrity and logic abuse hacks can result in major financial loss if undetected.  Using statistical anomalies however, with an ‘inside out’ security approach is important to eliminate the different root causes.  Data governance on the ‘inside’ tiers can help identify suspicions behavior on the gaming platform.

Transactional loss & Point of Sale intrusions:

Cyber criminals love to tap into the prime sources of credit card data and while transactional loss is not exclusive to the gaming industry, this sector is lucrative and handles data in large volumes. Online gaming businesses also enjoy an international client base, and high numbers of international transactions bring increased risk of fraudulent transactions

In the last few years, cyber criminals have constantly targeted Point of Sale (POS) systems across a multitude of industries with specialised toolkits to syphon credit card numbers from vendors. The POS attack vector, seen to be on the increase, is primarily relevant to traditional Casino operators or physical gaming platform vendors. If these fail, the cyber criminals attempt to obtain this data from within.  The Payment Card Industry (PCI) regulates the gaming industry to ensure that credit card details are used with best practice and kept secure. Being compliance with PCI is therefore another important priority.

Physical data theft and Accidental data loss:

Business assets can be stolen, lost or unintentionally compromised.  These oldest breach vectors in security are simply down to human error. Determining if a lost device with sensitive data can be considered a breach is tough, when the device is no longer present and the data is no longer in control. The threat report by Verizon suggests that the device type most likely to be stolen or lost is the laptop and it has a 100 x higher chance of being lost than stolen. Unintentional loss is also one of the main causes of data breaches – a wrongly delivered email, sensitive data published online or a system misconfiguration leaves business data exposed.

Encrypting the data on endpoints (e.g. using Microsoft Bitlocker) and using a Mobile Device Management (MDM) solution reduces the risk of loss.  Educating employees, and adopting a data classification approach and enforced classification policies on sensitive documents, are all recommended.

Data loss varies amongst businesses and it’s recommended that the different issues are tracked, user awareness education is deployed and ‘data leakage prevention’ solution technology put in place to automatically mitigate data loss and address common mistakes seen in the enterprise.

In this blog, we covered the most common threats seen in the gaming industry; now that we’ve defined the most common threats we can show how they fit into our high-level security improvement approach – all in the next blog.