Online games have taken off over the last decade. In the early years, multiplayer gaming was achieved by linking...
hosts directly together with peer-to-peer systems over public or private networks. Today, millions of players are gaming online every day through large, cloud-based platforms such as the PlayStation Network, Xbox Live and various dedicated game servers. Dutch company iQU predicts global gaming revenue to reach $35 billion by 2017. Most of that is due to online, cloud-based gaming. The extremely competitive gaming industry is vulnerable to cyberattacks that specifically impact reputation or availability. Because of this, there are some unique characteristics to securing cloud-based gaming platforms.
The threat of DDoS attacks to gaming security
The most obvious and the most publicized threat to the cloud-based gaming industry is the distributed denial-of-service (DDoS) attack. Because so many games contain online content and store saved games on the cloud, a service disruption will render the game unusable. A DDoS attack can be executed by directly targeting the game servers. However, a large-scale attack on platform cloud services such as Microsoft Xbox Live or Sony's PlayStation Network or the Steam network is far more effective. This can take an entire gaming platform offline by denying users logins to their cloud-based accounts and saved games, for instance.
Many examples of these attacks exist, and they are usually scaled up significantly around the busy holiday season. The Steam digital game store was taken offline on Christmas 2015, for instance. Some high-profile DDoS attacks took down the PlayStation Network and Xbox Live during the December 2014 and 2015 as well. Shuhei Yoshida, president of Sony Worldwide Studios has stated the PlayStation Network is under attack every day, only varying in scale. Every time an attack is successful, it has an impact on the company's reputation and indirectly -- and in some cases directly -- on sales.
The good news is there are a number of DDoS mitigation methods available for cloud-based gaming companies. For example, enterprises can use cloud providers to filter out the DDoS attack traffic through DNS rerouting, or they can employ additional infrastructure, either on premises or in the cloud, to handle the massive influx of traffic.
Information theft in cloud-based gaming
In April 2011, as a result of a large compromise, Sony brought down the PlayStation Network for 23 days. During this time, Sony tried to contain the fallout from the theft of personal information from its 77 million users and strengthen its security controls. When the service went back online, users were given free games and membership fees to reimburse them for the outage. The costs to Sony's reputation and profit were enormous -- estimated over $1 billion in losses.
Cloud-based gaming platform providers maintain a large database of users' personal data, including credit card information for automatic payments. A breach can have dire consequences for a company. This makes them an interesting target for extortion practices or theft of credit card information. Data loss prevention, which intelligently detects and blocks large amounts of personal or credit card data leaving the company network, must be implemented and monitored at all times. In addition to using DLP, organizations should also consider encrypting or tokenizing customer data and payment information that users submit to the cloud gaming platforms. That way, in the event of a breach, the information will be useless to attackers.
The effects of cheating on gaming security
Online multiplayer games rely on a balance between a server and a client application, to share game information between players in the most efficient way. Some games use a larger client application focusing on latency reduction. Other games use a larger server application that takes away control from the user and minimizes exploitation options for hackers and cheaters.
This gaming exploitation -- which is mostly prevalent on the more flexible PC platforms -- is a big issue for game developers and publishers. Cheaters can completely destroy the success of an online multiplayer game by rendering the skills and achievements of genuine players worthless. This leads to a reduced community of active players and with it comes a reduction in sales profits. And with potentially millions of dollars at stake in professional eSports competitions, cheating exploits could have even more tangible and devastating effects.
See Infosec Institute's accompanying article on Security Considerations in Games Platforms
Many anti-cheating controls have been put in place, some more effective than others. The Swedish development studio DICE for instance, has an actual anti-cheating team in place for manual intervention. Online gaming platform Steam actively bans cheaters as well. The development studio Valve uses Valve Anti-Cheat software, and many other developers use third-party products such as PunkBuster. In 2014 three allegedly cheating teenagers were arrested in Japan on the grounds of obstructing business.
Cheating in games goes back thousands of years. The main difference now is that the online, cloud-based gaming infrastructures have significantly increased the scale and impact. As a result, cloud gaming companies should actively scan for vulnerabilities that could be exploited by cheaters as well as suspicious player activity that could indicate cheating.
In every branch of business, security needs to be customized toward the business goals and the processes needed to achieve them. It's the same in the cloud-based gaming industry. There are plenty of examples of successful DDoS attacks, information theft cases and large scale game hacking which have cost the industry billions of dollars over the years. Putting the focus of IT security on these areas of concern, while not losing sight of every other gaming security risk, is an everyday battle that all organizations out there need to fight.
Check out the 2016 readers' top picks for DLP products
Learn more about CASBs helping to implement DLP controls for the cloud
Discover how cybercriminals are using APT-style attacks