Game Development: Managing the rules of the game
The rules of the gaming industry are changing. In a highly competitive market, game makers need to ensure they’re not only developing products that meet the needs of an increasingly demanding market, but that also stand up to the rigours of security. Be it online gaming or gambling, users are sharing sensitive data such as personal information or credit card details, which means they could be open to exploitation.
These are security concerns which consumers seem to share. According to a recent survey, the majority of gamers want developers to better protect their data and improve cybersecurity, and fewer than 40 percent of gamers said they feel confident with current safeguards for security by games developers. It stands to reason that customers need reassurance that their personal information and bank details are safe.
Dealing with threats from external hackers is one thing, but one of the most challenging cyber dilemmas that organisations are faced with is that of the insider threat and how to protect against it. For gaming companies there are risks from privileged users within the organisation – those with the keys to the ‘crown jewels’ – the game developers themselves. With millions of users sharing information there is the potential for a rogue developer to insert code for insider exploitation.
Given these challenges, how can gaming companies create a secure audit trail of who did what and when in production? And for fixes in games, is it possible to provide a fully audited trail of developers’ activity? There are added complications when development is outsourced to third parties who have direct access to production hosts, or when technicians or code developers must remotely access production servers. Game makers don’t want to disrupt the player’s experience, but managing security is paramount.
Managing Privileged Users
Game developers are in a position of enormous responsibility, and gaming companies need to build in checks and processes to ensure that all activity is accountable and traceable. As the equivalent of the systems administrator, they have a position of trust: troubleshooting issues or providing support resolution requires escalated privileges – and this has inherent security risks. There are several challenges for gaming companies: not only ensuring the security of games during the product development process, but also having confidence that any live fixes to games are fully traceable and that there are no ‘backdoors’ that could be exploited.
A Note on AML
The fourth Anti Money Laundering Directive came into place in June last year, and it has meant the gaming community must increase its diligence. Casinos and online platforms will be responsible for reporting suspicious transactions and maintaining sufficient records of their incoming and outgoing payments in order to adhere to the new directive, and companies have to conform and notify players on how they secure funds. With the risk that games could be manipulated to steal either financial or personal data, the millions of transactions that are made could leave an organisation exposed when it comes to protecting data, and in breach of PCI-DSS compliance.
Records of Activity
What can gaming companies do to ensure the security and integrity of games during production and for any post-production fixes? The best approach is to log operations and store records of activity in a tamper-proof way that is time-stamped and independent of users and other devices – similar to a “black box” on an aeroplane.
However, whilst log management systems will provide some information, many don’t go far enough as they’re not always capable of recording the actions performed by privileged users. This gap is filled by Privileged User Monitoring (PUM) solutions, providing detailed and traceable records. More advanced solutions operate host-independently and transparently; therefore, implementation of these systems does not interfere with daily business and operations.
Advanced PUM solutions provide encrypted, digitally-signed and time-stamped recordings of administrative sessions. The recorded audit trails can be used as irrefutable evidence to settle any accountability issues about remotely administered systems, which is in the common interest of both the developer and gaming companies. This provides tamper-proof evidence of activity that is forensically sound.
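As an added illustration (not code from any PUM product or from the original article), the sketch below shows how a time-stamped record of privileged actions can be made tamper-evident: each record is hash-chained to the previous one and authenticated by the collector. Assumptions: an HMAC key held only by an independent log collector stands in for the digital signature the article mentions, and all function names, users, hosts and commands are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record

def record_digest(prev_hash, body):
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_record(trail, key, user, host, action, timestamp):
    """Append one privileged action, chained to the previous record."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail), "ts": timestamp, "user": user,
            "host": host, "action": action}
    record_hash = record_digest(prev_hash, body)
    tag = hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()
    trail.append({**body, "prev": prev_hash, "hash": record_hash, "tag": tag})

def verify_trail(trail, key, expected_len=None):
    """Return (ok, reason). Detects edits, removal, reordering, truncation."""
    prev_hash = GENESIS
    for i, rec in enumerate(trail):
        body = {k: rec[k] for k in ("seq", "ts", "user", "host", "action")}
        if rec["seq"] != i or rec["prev"] != prev_hash:
            return False, f"chain broken at record {i}"
        if record_digest(prev_hash, body) != rec["hash"]:
            return False, f"record {i} was modified"
        expected = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, f"record {i} has an invalid tag"
        prev_hash = rec["hash"]
    # Dropping records from the end leaves a valid chain, so the record
    # count must be known from somewhere the privileged user cannot reach.
    if expected_len is not None and len(trail) != expected_len:
        return False, "trail truncated or extended"
    return True, "ok"

def demo_trail(key):
    # Constructed sample session; users, hosts and commands are invented.
    trail = []
    append_record(trail, key, "dev_a", "prod-game-01", "ssh login", "2020-02-01T10:00:00Z")
    append_record(trail, key, "dev_a", "prod-game-01", "edit payout.cfg", "2020-02-01T10:02:10Z")
    append_record(trail, key, "dev_a", "prod-game-01", "restart game-server", "2020-02-01T10:03:30Z")
    return trail
```

The key never leaves the collector, so a developer who rewrites a record and recomputes its hash on the production host still cannot produce a valid tag.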
Preventing developers from abusing their position of privilege is vital for the integrity, security and reputation of online gaming. With more stringent requirements now in place for protecting payments, gaming companies have a responsibility to ensure that transactions are secure and that measures are in place that put the protection of users’ data front and centre of their operations.