October 2015

Securing Online Gaming



Wow what a conference! One doesn’t find that many conferences where the keynote speaker outlines the details of subtly malformed but still legal HTTP post headers.

The whole day continued in the same vein, and we learnt that Online Gaming experiences more cyber-threat than any other industry. They have whole departments to deal with different types of threat and that they are writing and reviewing their own custom firewall signatures. These teams are driving the development of next-generation firewalls!

We were told that Online Gaming is a £21 Billion market (a bit of googling reveals much higher figures, especially for Asia at $79 Billion), William Hill alone has a turn over of £946 Million. The UK Gambling Commission states the GGY (Gross Gambling Yield) for 2014 was £6.3 Billion, GGY is the value of the wagers retained by gambling operators. Any way you look at this, these are huge figures, attackers can get rich by syphoning off even small percentages.

The delegates certainly got the impression that there was a lot more left unsaid, one presenter announced that their legal department had cut every slide and asked for a title change. We found that procedurally the Online Gaming industry follows very similar development cycles to Osirium. We use a two-week Sprint cycle as do they, and that they rate all code as being risky and rate the risk based on the external interfaces that a code module uses. We heard ‘peer review’ several times throughout the day.

Continuous Integration, where software is under test throughout the development lifecycle was seen as key to producing secure software. We were rather pleased to see several screenshots of Jenkins systems since we’re also heavy users of Jenkins test automation.

Since we are bound by Chatham House Rules I’ll not go into the actual attack vectors, suffice to say that the attackers seek to take over personal accounts and extract personal details.

One would surmise that the Online Gaming Industry is at the top of their game security-wise, we were kept busy on the Osirium stand demonstrating Privileged Account Management and Privileged Task Automation all day!

Click to chat