Cyber Security in Gaming

Cyber Security in Gaming is something I have dealt with for many years as a CISO within the Gala Coral Group. Gaming as an industry has always been and remains at the forefront in the fight for leading Information and Cyber Security practices. Online Gaming also represents a step-change in the adoption of technology practices enhancing the user experience. But this all comes with a cost, both financially and adversarially.

Over the years, cyber security in gaming has learnt, developed and evolved a lot from other high-risk sectors such as Finance and Banking. Threats have not stayed the same, though, and constant evolution of security remains paramount. As Information and Cyber Security has improved over the years, attackers' methods have evolved. Some of the attack evolutions are new, never-before-seen attacks. And some of these are revolutions—reimagined cyber attacks from an older time.

In today’s climate, where a significant number of businesses have moved staff to a remote working model, the threats have moved from targeting the core offices to targeting the home networks. It is a matter of simplicity. Why attack a hardened business, when there is a weak and squishy link?

So what are the current threat vectors?
There are several new avenues that we have seen recently. These include attacks against home IoT devices such as Android-based TVs, games consoles and the like. Attacking computers like these is significantly easier than attacking corporate devices. If a criminal can gain access to the home network, then often they can persist there for an extended period. The attacker then has more time to break into the corporate device or use the network connection to access the corporate systems.

In addition to the home network attacks, there is an increase in phishing emails and malware delivery via mobile devices. Attackers have been targeting the user with great success to date, and there is no sign that this is slowing down.

An example
In a recent attack simulation, we were able to achieve a complete compromise of a Gaming operator through precisely this method. The IT team supplied a typical business laptop. The laptop was placed within a testing network and connected to the operator's VPN. We then connected to the test network and attempted to break in. During this engagement, we identified some problems. The first was that the laptop, while fully patched, had some applications written in-house. One of these was a simple chat application used for customer service. That simple chat application was exploited to allow us a connection into the laptop and subsequently through the computer and onto the corporate network.

Often, the route used to gain access is not the one you would expect. The attackers have time on their hands, and that is very evident in the home network attacks.

Three key mitigations
The first essential mitigation has not changed: awareness. Keeping the end users up to date on the emerging attacks is so very important. Especially with phishing and more targeted technical attacks, it is the user who will notice something wrong first. Fostering an environment where notification and alerting are supported, even if the user did click something, will always give the maximum return on investment for Information and Cyber Security.

The second critical mitigation is to test and fix. Many businesses will test their security. Addressing the findings is the money shot. Regular testing of systems and applications is essential, as is testing the business processes. While many operators will routinely test their technical systems, internally developed applications and the business processes that run the operation need reviewing too.

The third mitigation is tracking. Gaming operators need to monitor and review their attack surface and what is exposed. In the same way that many operations check the sentiment of mass social media posts, reviewing the manner in which the business systems reveal themselves on the internet is essential.

Each of these three mitigations helps every business reduce its exposure to, and the likelihood of, simple attacks.