Department of Information Resources, State
Security for Online Games
Austin GDC, September 2009
Tim Ray, CISSP
Bio
• Security Analyst for the Network/Security Operations Center (NSOC), Department of Information Resources, State of Texas
• IT full time since 1996
• Origin Systems 1989-1991
• Wing Commander III, Strike Commander
• MCSE, CISSP, IAM/IEM, CNA
Security is Not:
• Changing the job description of your network admin.
• Keeping everything about security a secret.
• Having a card swipe on your server room door.
• Hoping the bad guys don’t know you exist.
• Fraud prevention.
• Keeping the backups in the trunk of your car.
• Coding standards (though those are a part of it)
Security Is:
• A policy with executive support
• Not free
• Done by professionals.
• As transparent as possible.
• Not in an appliance.
• Not sold by a vendor.
• The responsibility of everyone in the firm.
Security Benefits
• Peace of mind, especially for your investors
• Increased trust from customers and employees
• Professionalism
• Trust from customer base (example: Blizzard’s use of two factor authentication)
The Challenge
• The users are out to get you
• The staff is out to get you (though they don’t mean to)
• Everyone is technical
• Cost center
All is Not Lost!
• Everyone is technical
• Passionate workforce
• Flexible thinkers
Three Things for Today:
• Security Policy Development
• Risk Analysis
• Incident Response
FUD
• Fear, Uncertainty and Doubt
• This isn’t that…
• But there is a threat.
Verizon Data Breach Report 2009
• Industry standard
• http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
• They report on successful breaches
• Largest single data set on security breaches in the business world
• In 2008, 90 breaches, 285 million compromised records.
Threat Sources
• Most from external sources.
• Few were caused by insiders.
• Roughly a third implicated business partners.
• Many involved multiple parties.
• No such data exists for game companies.
• There is a need for greater transparency!
How does it happen?
• Most were aided by significant errors.
• Most resulted from hacking.
• Many utilized malware.
• Some involved privilege misuse.
• Very few occurred via physical attacks.
What can you do?
• Have a security policy
• Take a realistic look at your risks
• Prepare a response team
Security Policy
• Time for a policy!
• What goes in it? We’ll get to that…
• Who reads it? Everyone!
• Most important that everyone believe in it… And it starts at the top.
Security Policy
• Supports the corporate vision statement
• Practical
• Enforceable
• Concise as it can be (they tend to run long)
• Defines how the policy itself can change.
What’s in it?
• Accountability of roles: Management, users, key employees (admins)
– Data classification (secret, confidential, Office Use Only)
• Network Service Policy
– VPN, switches, routers, firewalls, partner/vendor connections
• System Policy
– Servers, workstations, use of personal equipment
• Physical Security
• Acceptable Use Policy
• Incident Response Policy
– Who can declare an “incident”?
– Who’s on the CSIRT?
• Security Training and Awareness Policy
• Reference to software security document
Risk Analysis
• Risk is the product of threat impact and likelihood
• Your threats are different depending on your firm, IP and situation
• Thus, a risk analysis needs to be done
• Risk analysis is part of due diligence for investors, too!
• It demonstrates that your company is aware of the environment.
• It’s often wise to have a third party do an initial risk analysis.
Risk Analysis
• What are you protecting?
– IP or technology
– User goodwill/trust (hardest to quantify)
– Data (Confidentiality, integrity, authenticity)
– Cash transactions
Risk Analysis
• What are the main threats?
– Players
• Their game is against you, the developer
– Internal
• Does not have to be intentional!
• Leaks
– Partners
• If you share data, or store it on another system, your security is only as good as theirs!
Risk Analysis
• Quantify the risk
• Assign numbers to the threat and likelihood
• Make a matrix
• Risk = likelihood x impact
• http://csrc.nist.gov/
Risk Matrix
                       Low Impact (10)   Medium Impact (50)   High Impact (100)
Unlikely (0.10)               1                   5                   10
Might happen (0.50)           5                  25                   50
Very Likely (1.0)            10                  50                  100
Risk Analysis
• Every threat gets a score
• Put them in order
• Work the list from high to low
• Every item needs a compensating control
• http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Compensating Controls
• Control is “security speak” for the answer to a threat.
• There are policy controls (acceptable use statement)
• Technical controls (password lockout, encryption)
• Physical controls (a door lock)
• Most controls address more than one threat.
Quantitative Risk
• Control cost must be less than the potential cost of the threats it answers.
• Cost limit of a given threat = risk score as a percentage x estimated loss.
• Thus, if you might lose $1,000,000 to a threat, and it’s medium impact/might happen (25%), you could justify $250,000 in control cost.
• No control is perfect!
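The scoring steps from the Risk Analysis slides and the cost ceiling from the Quantitative Risk slide, worked through in code. This is an added example, not material from the talk; it uses the deck's matrix weights and the $1,000,000 / 25% / $250,000 figures, while the threat names and the other dollar amounts are constructed for illustration.

```python
"""Risk scoring and control-cost ceiling, following the slides' procedure."""
from dataclasses import dataclass

# Weights taken from the deck's 3x3 risk matrix.
IMPACT = {"low": 10, "medium": 50, "high": 100}
LIKELIHOOD = {"unlikely": 0.10, "might happen": 0.50, "very likely": 1.0}


@dataclass
class Threat:
    name: str
    impact: str            # key into IMPACT
    likelihood: str        # key into LIKELIHOOD
    estimated_loss: float  # dollars; constructed figures in SAMPLE_THREATS


def risk_score(impact: str, likelihood: str) -> float:
    """Risk = likelihood x impact; with the deck's weights this is 1..100."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def control_cost_limit(threat: Threat) -> float:
    """Ceiling for control spend: risk score as a percentage x estimated loss."""
    return risk_score(threat.impact, threat.likelihood) / 100.0 * threat.estimated_loss


def rank_threats(threats: list[Threat]) -> list[tuple[Threat, float, float]]:
    """Score every threat and order high to low, ready to be worked top-down."""
    scored = [(t, risk_score(t.impact, t.likelihood), control_cost_limit(t)) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed threat register for a fictional studio; amounts are illustrative only.
SAMPLE_THREATS = [
    Threat("Player account credential theft", "medium", "might happen", 1_000_000),
    Threat("Partner data feed exposure", "high", "unlikely", 2_000_000),
    Threat("Lost backup media", "medium", "unlikely", 500_000),
    Threat("Accidental admin config error", "low", "very likely", 100_000),
]

if __name__ == "__main__":
    print(" score   cost ceiling  threat")
    for threat, score, limit in rank_threats(SAMPLE_THREATS):
        print(f"{score:6.1f}  ${limit:>12,.0f}  {threat.name}")
```

The first row of the output reproduces the slide's example: score 25, so no more than $250,000 of control spend is justified against a $1,000,000 loss.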
Incident Response
• You got burned!
• AAAAIIIEEEEEE! Blamestorm!
• Who’s the lead?
• Who’s on the team?
• Who talks to the press?
• What is an “incident?”
CSIRT
• Computer Security Incident Response Team
• Incident Response Manager: Coordinates and directs
• Subject Matter Expert: Expert on the nature of the incident (floating position)
• Public Relations: This person is the ONLY one allowed to pass information to the press.
• Legal: Just do it.
• Scribe: Keeps track of the actions of the team.
Now, what do they do?
Incident Response Process
• Prepare (establish team, etc.)
• Identify (what happened?)
• Contain (isolate and partition)
• Eradicate (fix the problem)
• Recover (back in business!)
• Follow up (documentation, talk it over, policy recommendations)
Thank you!
Please contact me for security or IT questions!
[email protected]