Security for Online Games Austin GDC, September 2009 Tim Ray, CISSP

Bio Security Analyst for the Network/Security Operations Center (NSOC) Department of Information Resources, State of Texas IT full time since 1996 Origin Systems Wing Commander III, Strike Commander MCSE, CISSP, IAM/IEM, CNA

Security is Not: Changing the job description of your network admin. Keeping everything about security a secret. Having a card swipe on your server room door. Hoping the bad guys don’t know you exist. Fraud prevention. Keeping the backups in the trunk of your car. Coding standards (though those are a part of it)

Security Is: A policy with executive support Not free Done by professionals. As transparent as possible. Not in an appliance. Not sold by a vendor. The responsibility of everyone in the firm.

Security Benefits Peace of mind, especially for your investors Increased trust from customers and employees Professionalism Trust from customer base (example: Blizzard’s use of two factor authentication)

The Challenge The users are out to get you The staff is out to get you (though they don’t mean to) Everyone is technical Cost center

All is Not Lost! Everyone is technical Passionate workforce Flexible thinkers

Three Things for Today: Security Policy Development Risk Analysis Incident Response

FUD Fear, Uncertainty and Doubt This isn’t that… But there is a threat.

Verizon Data Breach Report 2009 Industry standard rity/reports/2009_databreach_rp.pdfhttp:// rity/reports/2009_databreach_rp.pdf They report on successful breaches Largest single data set on security breaches in the business world In 2008, 90 breaches, 285 million compromised records.

Threat Sources Most from external sources. Few were caused by insiders. Roughly a third implicated business partners. Many involved multiple parties. No such data exists for game companies. There is a need for greater transparency!

How does it happen? Most were aided by significant errors. Most resulted from hacking. Many utilized malware. Some involved privilege misuse. Very few occurred via physical attacks.

What can you do? Have a security policy Take a realistic look at your risks Prepare a response team

Security Policy Time for a policy! What goes in it? We’ll get to that… Who reads it? Everyone! Most important that everyone believe in it… And it starts at the top.

Security Policy Supports the corporate vision statement Practical Enforceable Concise as it can be (they tend to run long) Defines how the policy itself can change.

What’s in it? Accountability of roles: Management, users, key employees (admins) –Data classification (secret, confidential, Office Use Only) Network Service Policy –VPN, switches, routers, firewalls, partner/vendor connections System Policy –Servers, workstations, use of personal equipment Physical Security Acceptable Use Policy Incident Response Policy –Who can declare an “incident”? –Who’s on the CSIRT? Security Training and Awareness Policy Reference to software security document

Risk Analysis Risk is the product of threat impact and likelihood Your threats are different depending on your firm, IP and situation Thus, a risk analysis needs to be done Risk analysis is part of due diligence for investors, too! It demonstrates that your company is aware of the environment. It’s often wise to have a third party do an initial risk analysis.

Risk Analysis What are you protecting? –IP or technology –User goodwill/trust (hardest to quantify) –Data (Confidentiality, integrity, authenticity) –Cash transactions

Risk Analysis What are the main threats? –Players Their game is against you, the developer –Internal Does not have to be intentional! Leaks –Partners If you share data, or store it on another system, your security is only as good as theirs!

Risk Analysis Quantify the risk Assign numbers to the threat and likelihood Make a matrix Risk = likelihood x impact

Risk Matrix Low Impact (10)Medium Impact (50)High Impact (100) Unlikely (0.10)1510 Might happen (0.50) Very Likely (1.0)

Risk Analysis Every threat gets a score Put them in order Work the list from high to low Every item needs a compensating control /sp pdf

Compensating Controls Control is “security speak” for the answer to a threat. There are policy controls (acceptable use statement) Technical controls (password lockout, encryption) Physical controls (a door lock) Most controls address more than one threat.

Quantitative Risk Controls cost must be less than the potential cost of threats they answer. Cost limit of a given threat = risk score as a percentage x estimated loss. Thus, if you might lose $1,000,000 to a threat, and it’s medium impact/might happen (25%), you could justify $250,000 in control cost. No control is perfect!

Incident Response You got burned! AAAAIIIEEEEEE! Blamestorm! Who’s the lead? Who’s on the team? Who talks to the press? What is an “incident?”

CSIRT Computer Security Incident Response Team Incident Response Manager: Coordinates and directs Subject Matter Expert: Expert on the nature of the incident (floating position) Public Relations: This person is the ONLY one allowed to pass information to the press. Legal: Just do it. Scribe: Keeps track of the actions of the team. Now, what do they do?

Incident Response Process Prepare (establish team, etc.) Identify (what happened?) Contain (isolate and partition) Eradicate (fix the problem) Recover (back in business!) Follow up (documentation, talk it over, policy recommendations)

Thank you! Please contact me for security or IT questions!