We have all seen the media reports about the recent security incidents involving large organizations, including gaming operators. This has caused a lot of concern not only for those parties directly or indirectly affected by the incident, but also for the general community who feel that such incidents have been given much less attention than they should have. One cannot but wonder how many such incidents never go public or worse still, never get detected.
Gaming companies are amongst the most technology dependant companies one could find. This fact, coupled by the significant turnover that they generate, makes them the ideal target for attackers. It is therefore by no coincidence that these attacks are now seeing the light of day.
Despite the huge amounts of money that is spent on IT infrastructure, including security related products, gaming companies remain, like most other online companies, vulnerable from a security standpoint. Throwing money at security does not necessarily improve your security posture. Security is not just a technical problem but an enterprise-wide issue.
Attackers target gaming operators for two reasons, mainly, theft of credit card data and compromise of player data. The motivation could be commercial or just plain malicious. Theft of player data can result in serious financial losses for the company, not to mention legal liabilities in terms of data protection legislation. Theft of credit card data can result in huge penalties imposed by the card brands and potentially the inability to continue accepting card payments The decision to store credit card data must not be taken lightly. In both cases, the company’s image is severely tarnished.
PCI DSS is one of the best standards out there to safeguard against credit card breaches. Despite it being a mandatory requirement for all those entities that process, store or transmit credit card data, very few companies have taken this standard on board. Within the gaming industry, it seems that only a small percentage have followed and satisfied the PCI DSS requirements and those that have were probably forced to do so by their acquiring banks. Once a decision is taken to store credit card data then PCI DSS must be seriously implemented and followed.
Securing player data is always a challenge when one considers the number of outsourcing agreements that gaming companies enter into. Such agreements would typically involve sharing of data and possibly granting third parties access to company’s systems. It is therefore imperative that partners are chosen with care and the decision to work with one and not with another also takes into consideration the factor of security. It follows that outsourcing parties should acknowledge their responsibility for securing the data they receive and to implement the necessary technical and procedural controls to ensure that the confidentiality of such data is preserved at all times. Responsibility should not be a mere contractual formality but should also apply and be enforced onto the employees of the outsourcing party.
Another key aspect of security is monitoring. Whilst it is a generally accepted best practice to enable full audit trails on IT systems, very few companies actually take the time to monitor such logs. In many cases, logs can provide the valuable information to an administrator to determine that a system is under attack and to take appropriate actions to contain the damage. Many attacks go unnoticed because attackers go to great lengths to hide their tracks to remain undetected. In the majority of cases, the configuration of appropriate alerts and the monitoring of the necessary audit trails could enable an administrator to thwart an attack. Many insider attacks or cases of internal fraud could also be reduced as a result of having such monitoring in place.
Security is on everyone’s tongue these days, but with all this awareness around us, are we really focusing on our biggest risk areas or are we missing the wood for the trees?