Cybersecurity Is Not a Game for the Gaming Industry
The current pandemic has had a profound effect on people. People are turning to social media, streaming video services like Netflix, and video gaming, either to fill the time or to seek comfort by diverting their attention from the disturbing news and statistics that news channels bombard them with. In recent years the popularity of online video gaming has increased, particularly among Millennials and Gen Z. Video gaming is one of the top three entertainment activities of these players. From simple mobile games to interactive multiplayer experiences, video gaming has been growing in popularity.
Deloitte’s 2020 digital media trends survey found that, during the crisis, a third of consumers have, for the first time, subscribed to a video gaming service, used a cloud gaming service, or watched esports or a virtual sporting event. Microsoft’s Xbox Game Pass service has surpassed 10 million members, and Nintendo has sold over 21 million consoles and made nearly 260 billion yen in profit.
This surge in online video gaming has provided great opportunities for cybercriminals. According to the Akamai report, between July 2018 and June 2020 Akamai observed 152,256,924 web application attacks across the gaming industry. SQL injection is still the number one attack vector, with 76% of attacks across all customers taking this form and 58% in gaming. This was followed by Local File Inclusion (LFI) attacks, with 16% of attacks across all customers and 31% in the gaming industry alone.
“One reason that we believe the gaming industry is an attractive target for hackers is that criminals can easily exchange in-game items for profit,” said Martin McKeay, Security Researcher at Akamai. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”
According to the latest Akamai report, the following are the top five cyberattacks targeting the gaming sector:
- Credential stuffing attacks
- Web application attacks
- Local File Inclusion (LFI)
- Distributed denial of service (DDoS) attacks
Criminals often single out mobile gaming for DDoS, account trading, and takeovers, as well as resource farming. — Akamai Gaming — You Can’t Solo Security: Volume 6, Issue 2
The gaming industry has its own challenges because of its heavy dependence on the game client experience and its performance requirements. These challenges also make it harder to implement stringent security controls:
- Gaming companies are highly sensitive to performance and outage issues. Their users are passionate and vocal when they can’t access a game when and how they want to. Missing user expectations can doom the reputation of a game.
- The gaming sector covers a huge variety of companies, from international giants to smaller firms that address niche markets.
- The need to release games faster and provide what customers want is very obvious in the gaming industry. If you don’t have the right DevOps pipeline of new content or launches taking place, then you will lose customers.
“As games move online and leverage cloud infrastructure and cross-platform and cross-generation play, that’s an attack surface,” said Steve Ragan, Akamai security researcher.
What Does the Gaming Industry Need to Do?
All the cybersecurity lifecycle principles followed by other industries apply to the gaming industry. For a holistic view of cybersecurity, please refer to my previous article, “Cybersecurity Holistic View.”
The gaming industry should adopt cybersecurity across the entire lifecycle of gaming applications, from development through deployment and usage, along with the platforms on which these applications are hosted. The following are a few guidelines to achieve better security:
- Endpoint Security for Servers/VMs — Use endpoint security solutions such as antimalware, HIPS, and antispyware. Patch the OS and applications with the latest security patches, harden the OS, enforce compliance with security policies, etc.
- Transport Security — Use SSL or TLS encryption to protect data in transit.
- Identity Access Management for Application and Infra Management Teams — Create role-based access control, implement user management to limit access to active users only, and implement multifactor authentication for privileged users.
- Hosting Security — If hosting in the cloud, understand how responsibilities are divided between you and the cloud service provider.
- Payment Card Security — Implement security controls to tokenize or obfuscate payment card information before it is stored or passed to other applications. Comply with PCI DSS and institute safe online payments to protect financial information.
- Gaming Application Security — Implement security best practices for the entire lifecycle of the application, including static code testing, dynamic code testing, vulnerability assessment, penetration testing, etc.
- Protection from Phishing — Protect the messaging features used in games; phishing usually happens via the messaging feature within the games.
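The Payment Card Security guideline above, as an added Python example that is not part of the original article: the game's order store keeps only a random token and a masked display value, and only one role can recover the card number. `TokenVault`, `store_purchase` and the role names are assumptions, and the in-memory dictionaries stand in for an isolated vault service.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in (assumption) for an isolated, access-controlled vault."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # fingerprint key, stays in the vault
        self._pan_by_token = {}
        self._token_by_fp = {}  # lets a repeat card reuse its token

    def tokenize(self, card_number: str):
        pan = card_number.replace(" ", "").replace("-", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fp.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return token, "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role != "payment-processor":  # hypothetical role name
            raise PermissionError(f"{caller_role} may not detokenize")
        return self._pan_by_token[token]

def store_purchase(vault, orders, player_id, card_number, item):
    """What the game backend persists: token and masked display value only."""
    token, masked = vault.tokenize(card_number)
    record = {"player": player_id, "item": item,
              "card_token": token, "card_display": masked}
    orders.append(record)
    return record

if __name__ == "__main__":
    vault, orders = TokenVault(), []
    # 4111 1111 1111 1111 is a widely used test card number, not a real account.
    print(store_purchase(vault, orders, "player-42", "4111 1111 1111 1111", "skin-pack"))
```

A breach of the order store then exposes tokens and last-four digits rather than card numbers, and the vault becomes the one component that needs the strictest controls.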
For industry-specific threats, take the following actions to protect gaming applications:
- To address the performance and outage challenges, the gaming industry needs to implement cyber resilience. This helps balance keeping gaming services running and maintaining performance with keeping data secure.
- Both the giants and the smaller organizations in the industry should opt for an MSSP for standard security services, for example security monitoring, vulnerability and penetration testing, and managing security technology infrastructure. The giant organizations can also use consulting services to assess their current security posture, identify gaps, and implement projects to improve security, as well as run red team exercises to identify loopholes and fix them before attackers find them.
- At the development stage, DevOps teams should adopt a DevSecOps methodology and make security part of the development and testing process. This will allow the industry to release security-tested game software on time.
Online gaming has many positive aspects. It has become a major source of entertainment, developed new industries and sources of revenue, and introduced new uses of the human imagination to millions of people. However, almost every gamer has a story about how an attack on gaming servers ruined their day or how they lost an account to an attacker. It is important to know and guard against the risks associated with the online gaming world to keep it safe and enjoyable for all.