Security Considerations in Games Platforms
Online games have taken off over the last decade. In the early years, multiplayer gaming was achieved by linking hosts directly together via Peer-to-peer links over public or private networks. Today, millions of players are gaming online every day through large, cloud-based platforms such as the PlayStation Network, Xbox Live, and various dedicated game servers. Many security professionals will at first instance dismiss the damage done to these systems as being insignificant due to it mainly impacting the games industry, but Dutch Company iQU predicts global gaming revenue to reach 35 billion US dollars by 2017. Most of that is based on at least partially online based games. This has made the extremely competitive games industry very vulnerable to cyber-attacks that specifically impact reputation or availability. When gamers cannot use their system on many occasions or bad service reviews appear amongst friends, or online, disappointed users can easily jump ship to another platform. To add to that, these high profiles organizations are a target of preference for script-kiddies and hackers who want to make a reputation for themselves amongst their peers. Because of this, there are some unique characteristics to securing the online gaming platforms.
The first, the most obvious and the most publicized threat to the games industry is the Distributed Denial of Service (DDOS) attack. Because so many games now contain online content and cloud stored save games, a service disruption will render the game unusable. A DDOS attack can be executed by directly targeting the games servers. Far more effective, however, is a large-scale attack on the platform cloud services such as Microsoft Xbox Live or Sony’s PlayStation Network or the Steam network. This can take an entire gaming platform offline by for instance denying user logins to their cloud-based accounts and save games. Many examples of these attacks exist, usually scaled up significantly around the busy December festive season. The Steam Digital Gaming store was taken offline on Christmas Day 2015 for instance. In this case, the attack led to a caching error which caused a user information leak as a byproduct of the Denial of Service attack. Some very high-profile DDOS attacks took down the Playstation Network and Xbox Live during the 2014 and 2015 December months as well. A known actor behind some of these attacks is the Lizard Squad. Some of this group’s members have since been arrested with charges such as extortion and fraud, but there has not been a stop to the relentless attacks on the cloud-based games platforms. Sony president of worldwide studios Shuhei Yoshida has stated the PlayStation Network is under attack every day, only varying in scale. Every time an attack is successful, it has an impact on the company’s reputation and indirectly (in some cases also directly) on sales.
In April 2011, as a result of a large compromise, Sony brought down the PlayStation Network for 23 days. During this time, it was trying to contain the fallout from the theft of personal information from its 77 million users and strengthening its security controls. When the service went back online, users were given free games and membership fees to reimburse them for the outage. The costs to Sony’s reputation and profit were enormous (estimated over 1 billion USD). Games platform providers maintain a large database of user’s personal data, including credit card information for automatic payments. A breach can have dire consequences for a company. This makes them a very interesting target for extortion practices or actual theft of credit card information. Data Leakage Prevention, which intelligently detects and blocks large amounts of personal or credit card data leaving the company network, must be implemented and monitored at all times. Some other cases are known where the source code of games or applications was leaked via the now very useful cloud-based collaboration platforms. Solid security controls, strict access policies and (again) data leak prevention are essential to prevent years of work leaking straight to the public domain.
Online Multiplayer games rely on a fine balance between a server and a client application, to share game information between players in the most efficient way. Some games use a larger client application focusing on latency reduction. Other games use a larger server application which takes away control from the user and minimizes exploitation options for hackers and cheaters (users of the hacks).
This exploitation (or hacking) of games, which is mostly prevalent on the more flexible PC platform, is a big issue for game developers and publishers. Cheaters can completely destroy the success of an online multiplayer game and if the damage to the titles reputation is large enough; even its possible sequels. These cheaters render the skills and achievements of genuine players worthless. This will lead to a reduced community of active players and with that comes a reduction in sales profits.
Many anti-cheating controls have been put in place, some more effective than others. Swedish Development Studio DICE (Battlefield) for instance, has an actual anti-cheating team in place for manual intervention. Online games platform Steam actively bans cheaters as well. Development Studio Valve uses Valve’s Anti-Cheat (VAC) Software and many other developers use 3rd party products such as PunkBuster. Japan has recently even arrested some cheating teenagers on the grounds of Obstructing Business in 2014.
It is very likely this battle between (now often commercial) hackers and developers will continue to go on for as long as multiplayer games exist. After all, cheating in games goes back thousands of years. The main difference now is that the online (cloud) games infrastructure have significantly increased the scale and impact.
In every branch, security needs to be customized towards the business goals and processes to achieve these goals. In the online gaming industry, this is the same. There are plenty of examples of successful DDOS attacks, Information Theft cases, and large scale game hacking around which have cost this industry many billions over the years. Putting the focus of IT Security on these areas of concern, while not losing sight of every other security risk, is an everyday battle that all organizations out there need to fight. A proper risk assessment is critical in making the right decisions around the focus of the IT Security resources. This risk assessment can be either quantitative (based on monetary values) or qualitative (risk and impact based) and will need broad company-wide support to be effective. This means it will be costly and time-consuming, but in the end, it just needs to be done. As can be seen from the examples, the results will be worth the investment.