Securing the Gaming ecosystem. How to secure global gaming deployments and the online game threat model.

1. Hack and Slash: Hacking Games
for Fun & Profit
A Journey through securing the video game ecosystem

2. Hello – I’m Eoin
Eoin Keary - CEO/Founder - edgescan
Delivering 1000’s Cybersecurity Assessments every month
15 years Web Development and Cyber Security
Global Board Member of The Open Web Application Security Project (OWASP.org) – 2011 to 2015
Gamer since 1983 and still going!! – (Not a very good one)

3. edgescan and Gaming
Global Gaming clients
Helping secure millions of users daily
Delivering 1000’s of assessments in the gaming sector
every month via SaaS
Fullstack Security of Gaming platforms
Integration into DevOps environments (DevSecOps)

4. Hacked!

5. Evolution

6. How Games have changed

7. c0mp73x17y
“The convergence of connectivity, functionality and of
multiple mediums has greatly increased the Attack
Surface of modern gaming.”
The attack surface of a software environment is the sum of the different
points (the "attack vectors") where an unauthorized user (the "attacker") can
try to enter data to or extract data from an environment… - Wikipedia

8. Every additional function/feature increases attack surface

9. • Micropayments/Loot boxes
• Cloud Instances
• Data Centre Infrastructure
• Services and Ports
• Voice Channels
• Social Communities
• Item Trading
• Web Applications
• Mobile Portals
Convergence
Threat Model

10. Protecting Modern Attack Surface
Video games should employ a number of security features that should be implemented in any
software that has access to sensitive data or sensitive functionality.
Server-side checks.
Client-side security will always fail. The preferred solution is to check periodically with a server to
validate that there have been no modifications to the game and that everything is performing as
it should.
Live/Over-the-air updates.
Vulnerabilities will be discovered. There needs to be a means of patching those vulnerabilities as
soon as possible. Minimising on client interruption.
Anti-debugging protection.
If attackers can step through the source code (debug), there’s good chance they will find a way of
circumventing controls to their advantage.
Code Obfuscation.
Obfuscation is not about a security controls but rather raising the bar of entry to attackers. It
slows an attacker down giving you time to fix issues.
Runtime integrity checks.
Protect software from piracy and having software be used as a vector for injection attacks.

11. Full Stack Security

12. Why?
Stolen Credentials and Accounts
Steal Loot / Items and sell those items and currency to
other players (for real money) or wholesales them to
online grey markets.
Password Reuse – “One ring to rule them all”
Same passwords used for social media, web mail,
payment processing etc.

13. Why?
Source Code / Intellectual
Property (IP) Theft.
Card Fraud
Identity Theft
Bigger than Some Banks

14. Stats from the real world
https://www.edgescan.com/company/vulnerability-stats/

15. Real World Example
Example Gaming Company
• Over a 12 month assessment period.
• Fullstack (Cloud/Datacentre/Apps)
Applications:
• 25 - Social platforms, community portals,
merch sites
• Infrastructure: 30,000 endpoints - AWS, Data
Centres, Game servers etc
• 360,000 Assessments in total

16. 12 Months…….
125 Vulns discovered.
5% of vulns were Critical risk
9% of vulns were High Risk
Average time to fix: 4 months
Fastest time: 1 day
Longest time: 6 months

17. Vulnerability Types & Attacks
Client-side Vulnerabilities (Attacking the user):
XSS, Session Hijacking, Account Theft, Malware
Crypto Vulnerabilities (Attacking Privacy):
SSH, SSL/TLS
Vulnerable Libraries (Old components):
Insecure Javascript and backend components.
Old Known Vulnerabilities:
CVE's - No Patching, Unsupported services, Mis configured servers.
Injection Attacks:
Backend Servers, SQL Injection, DNS Attacks, VoIP attacks
Malware:
Leverages known vulnerabilities as a result of poor patching or slow updates

18. Continuous Asset Profiling
Change can introduce risk
Constant change requires continuous profiling.
Keeping the lights on detecting change, hence risk
Change Agents:
Source Code/New Functionality
Services
Patches
Zero-Days+1
Even when “standing-Still” change occurs around us.

19. Continuous Testing:
Keeping Pace with:
Development
New Vulnerabilities
Continuous patching requirements
New Deployments (Services, Systems)
“Continuous” Approach

20. Alerting and Real time visibility
Alerting on what matters –systems/services
Alerting based on Criticality – Acceptable risk
Compliance related alerts – Compliance (duh..)
“Opportunities present themselves every day -
to everyone. You just have to be alert and
ready to act.”
- Marc Ostrofsky

21. Integration
WAF (Web Application Firewalls)
Rule Generation & Virtual Patching
SIEM (System Incident Event Management)
Vulnerability Data / Correlation Data with events
GRC (Governance Risk and Compliance)
Risk Tracking
Bug Tracking (Fee Vulns into the Development Lifecycle)
Vulnerabilities as Bugs.

22. Helpful Resources
edgescan Training Material:
https://www.edgescan.com/?post_type=post&p=568
• Secure application development training material – free to use internally in your company.
OWASP ASVS:
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home
• Basis for testing web application technical security controls
• Provides developers with a list of requirements for secure development.

23. Conclusion
There is no conclusion, this is not near over………
-BUT-
Security is a real “thing”.
More Features, More Data, More Users, More footprint, More issues, More Risk – All
we can do is consider & manage it.
Security is not point-in-time, either is code, what is??
Even a stopped clock tells the right time twice a day.

24. Questions
eoin@edgescan.com
@eoinkeary
@edgescan