Online Gaming: Mapping Threats to High Level Business Channels

In a previous blog, we covered the most common threats seen in the gaming industry and described a high-level approach for a security improvement program (SIP).

As a reminder from the previous blog, the high-level approach for improving security for businesses in the gaming industry comprises three main layers to which a SIP can be applied. It rests on the essential notion that security should be prioritised from the inside out, from the Core to the Outer tier:

The Core (red):

  • SIP for all assets owned by the business
  • SIP to adapt to regulation requirements: GDPR, PCI, local jurisdiction etc.

The Middle tier (green):

  • SIP for assets accessed by partners and 3rd party vendors

The Outer tier (blue):

  • SIP for gaming data used by gaming platform consumers

Here is a recap of the most prevalent threats in the gaming industry:

  • DDoS Attacks
  • Targeted Attacks, types:
    • Cyber espionage
    • Crimeware
    • Web Application
    • Privilege misuse
  • Gaming Platform Abuse, types:
    • Consumer Credentials
    • Employee/Partner Credentials
    • Game Integrity & Logic
  • Transactional Loss
  • Physical data theft and Accidental data loss

We have defined the most common threats; now they can be mapped into our high-level security improvement approach. Mapping the threats allows the business to see whether certain types of threats share common tier or channel denominators, and then to explore whether a SIP can be built the right way, from the inside out. The mapping also allows the business to break down the threat landscape into consumable elements and understand where its priorities lie. An external tier is not necessarily a lower priority. For example, a business that wants to focus on the ‘Platform Credential Abuse’ threat on the consumer side could embark on a SIP for that tier; however, the business will now know that the approach it is after will also have to satisfy and accommodate a SIP in the ‘Core’ tier for internal business resources. This consideration helps the business avoid potential roadblocks down the road and search for a solution that is optimised for all impacted tiers.

High Level Mapping Process

The mapping process is individual to each business, as most businesses are unique. The next image shows an example mapping done on an Online Gaming operator. The mapping shows us that there are threat types that have tiers in common, specifically ‘Gaming Platform Abuse’ and ‘Targeted Attacks’. Keeping this in mind, the gaming operator can choose to embark on a SIP to protect the core layer against ‘Targeted Attacks’, while also ensuring that the SIP caters for the other tiers where possible and does not block them. After choosing the threats and focus tiers, we can start tailoring a SIP plan for the relevant tier in the business.

Focusing on Security Improvement per Tier

Focusing and prioritising the actions that need to be taken inside each tier to improve security is an ad-hoc process that results in different outcomes from business to business. The first step is to understand whether the business would like to prioritise its regulatory requirements, embark on a SIP without considering regulation, or both. If it is one or the other at that specific point in time, the recommendation is to consider other SIP programs with common threat denominators, whether or not they have already started.

In the next blog we’ll describe a holistic security improvement approach that can allow gaming businesses to prioritise security controls at the most fundamental levels of the ‘Core’ and the ‘Partner’ tier.