
Hey everyone!

Welcome to my tech-blog. I write about what I learn and share it with the world.

Video Game Security Overview



For a long time, video games have been a huge part of my life. Since before working in the information security field, I’ve often been curious to explore more about game security. Rarely could I find resources discussing it within the scope of the gaming industry. In general, security is still looked at as an afterthought for most industries, and for gaming some would think it’s non-existent. Like any other digitally operated entity, security breaches happen in game companies and they can affect interoperability, user protected info, end-game product, and the overall business model. As the gaming industry grows, I want to contribute to the encouragement of security awareness by sharing what I learn.

 

Global Gaming Overview



The global games market continues to grow, with mobile being the highest revenue contributor. It is predicted that this trend will continue and that revenue will reach 174B by 2021. It’s because of this growth that the video game industry is a more attractive target to outside threats. Some of the biggest attack trends starting to infiltrate the industry are social engineering and piracy. Hackers have started manipulating younger gamers into providing personal information to more easily perform hacks. Stealing game content and redistributing it for profit has also increased now that eCommerce platforms are the norm for distributing games.



 Governance & Compliance

Currently there are some compliance regulations that the industry can follow to aid in a better security posture. There are government regulatory policies like the General Data Protection Regulation (GDPR) and Payment Card Industry (PCI) that protect consumer personal data as well as financial information. Community-based organizations like the Open Web Application Security Project (OWASP) help provide security guidelines that working professionals and consumers discover together and want to share. To publish a game onto a platform for users to play, most game developers and companies must abide by vendor-specific guidelines to be certified.




Risks

There are multiple risks for video game enterprises that tear away at the threads of business. Damaged reputation with consumers, loss of competitive advantage and market share can affect the long-term strategy of a company. Operation disruptions throughout an organization will literally bring it to a halt. Non-compliance with governing bodies can result in large fines. All these things can cause overall profit loss in all market regions.

 Threat Motivators


Motivations for an attacker can be varied and are often connected. There is the obvious financial gain that can be attributed to the allure of hacking a gaming company. It is also seen as a fun or thrilling endeavor to say that you found a zero-day vulnerability and exploited it first without the company knowing. If you are a leading company it may be “advantageous” to have your competition hacked to push them out of the market and take over their customer base. This is also true for organizations that may be aided by a foreign government, as cyber espionage is global between countries. Finally, something that is often missed is the fact that the gaming community celebrates hackers, who are usually a part of the consumer base. Gamers tend to believe that hackers are good in nature and always share their knowledge of security flaws, hacks, etc. with the community. There is a general perspective that a hacker’s goal is more about ensuring a company is secure to play, rather than stealing their own personal information.






 Know Your Assets

As an organization, it’s important to understand the assets that are of value to an outside entity and rank them, as these will become an attacker’s internal targets. Game content assets can include software patches, downloadable content (DLCs), and any add-on that is planned to be distributed to consumers for profit. Inside that content there could be assets such as character inventory, health, and in-game currency. User account info such as name, address, username and password are also typical targets in an online gaming environment. Enumerating things like this can lead to breaches in account billing, payment, and even disclosed gift card information. A newer asset that is becoming more valuable is a company’s data analytics. This is increasingly being used to help map user activity trends, show security vulnerabilities, and help with fraud detection.






 Attack Methods


Attack methods are often deployed by an outside agent that has a specific purpose, and they affect operations in various ways. Distributed Denial of Service (DDoS) is an attack on the availability of a web application, web server, networked system or interface from various sources. If used on a game server, users can’t play the game. Botnet automation is when a computer program controls a virtual character and imitates human activity. This could allow a user to level up without playing, giving them an unfair advantage. Hijacking involves exploiting vulnerabilities to view or steal session data communicated between a game server and another user. Utilizing this, an attacker can easily steal account information. Fraud is something usually done after a phishing scam. An attacker will take over a user’s account and perform illegal activity as a legitimate user.






 Scenarios

There is an endless number of attack scenarios an attacker may choose from depending on the situation. Depending on the device platform and the game genre, one can adjust the attack method in their favor. If the game platform is primarily a mobile device and the genre is real-time strategy (RTS), then it may be best to use a map hacking technique to gain an advantage. If a computer is being used primarily in a massively multiplayer online role-playing game (MMORPG), then an attacker may be attempting account theft through phishing techniques. In first-person shooter (FPS) games played on consoles, it could be possible that a user is utilizing aim bots to help them out.






 Effects on Monetization in Gaming

These attack methods and scenarios affect the different monetizing methods game companies utilize. Online play is affected due to interference in overall access, distribution, and reliability of gaming infrastructure. Ecommerce platforms like online game stores are affected through disruption of products and user purchase items. If the ability to purchase an item was taken away or a user’s shopping cart was constantly incorrect, it would not only stop monetization, but the user experience would be bad as well. The virtual economy that many games create to stop fraud can be affected by attacks where the rules for in-game asset trading and purchasing can be circumvented.






Prevention


The best way these companies can act in this current security landscape is to adopt a defense in depth mindset. This means ensuring you have the right security controls in place, and at the right place for end-to-end protection. Security governance and compliance need to be kept up to date for auditing purposes. Physical security needs to be maintained to ensure that access to on-premise items is given only to authorized personnel and that it’s managed. Network security needs to ensure that access to a company’s virtual environment is managed. System integrity needs to be in place, such as keeping systems updated and verifying security issues are patched. Game software needs to be developed with security in mind, with proper control for changes. Finally, user security needs to be in the overall strategy, as it’s beneficial for a company to push for their consumers to become more aware of security and do their part to protect themselves.





Future Security Issues

As the landscape for gaming changes with newer technology being pushed out, it’s important to adopt these new capabilities with security in mind. Augmented reality (AR) is becoming more popular in mobile gaming and can prove dangerous to its users. Gaming as a service (GaaS) is quickly becoming the future industry operating model but creates an increased reliance on reliable infrastructure for user experience. Virtual reality (VR) is being introduced more in gaming and it already has its own privacy issues that are being exposed. Hopefully security in the gaming industry will continue to develop and combat the ever-changing attack surfaces that arise.

 

Photo Credits:

Main Photo by Glenn Carstens-Peters on Unsplash

 




