The banner headline this morning for the San Jose Mercury News was: Sony says PlayStation users' personal and credit data may have been stolen.
Congratulations, games are mainstream and so are their problems.
As you may have noticed, I've taken a break from writing here. After 5 years (yes, 5 years), it has been time to reassess and consider where I want to take this blog. It has gotten a bit frustrating. If I look back, I see the same problems today that I did when I started only happening more frequently as there are more games.
There are just too many incidents for me to write about all of them and, quite frankly, it gets a bit dull saying "I told you so" when there are solutions available and they've been available for years. In the past couple of months:
- A new MMO has critical account security problems at launch.
- A major publisher's DRM system causes major problems for users.
- A European MMO has its entire player account system compromised.
And those are just some of the "highlights".
When I started talking about game security around ten years ago, people told me that the industry would take security serious when there was a "Pearl Harbor" incident.
If a banner headline in the major newspaper for Silicon Valley is not a Pearl Harbor moment, I don't know what is.
And it could happen to pretty much anyone.
Let's talk about some simple measures to avoid being the next big headline:
- Separate your Back Office from your Front Office online operations.
There is no need to have the operational servers that hold payment. emails, and personal info be the same machines or databases that store your login info and core online service. Servers are cheap. At the very least, hackers would need to make a separate hack to get into your back office systems.
When new accounts are created or need to be edited, push the information into the front office system and then pull them off as quickly as possible.
While you are at it, make your authentication servers separate and don't force people to have stupidly complex passwords.. you are the source of more of the compromises, not them.
... and use the password transform trick on the emergency password recovery data.
... and watch your password recovery system.
The whole notion of 3-tier or n-tier web sites short changes the need to separate back office systems from front line services. This isolation provides a simple, strong way to protect your core business assets. If the data does not need to be online in real time, GET IT OFF THE __ INTERNET!!!
- Buy commercial server and network scanning tools and run them daily.
And make sure management looks at the reports. Why commercial tools and not free ones? Because you'll have someone to yell at, they are likely to be kept up to date, and, if popular, are going to have a reasonable pool of people who you can hire to run them.
All of your system and network administrators should be adept at these tools and they should be run regularly on your systems.
These tools should be used as management tools to ensure that your systems and network components are kept up-to-date and patched and configured properly.
- PCI DSS compliance does not mean you are secure
I'm looking forward to the follow up stories on Sony's PCI DSS status. They should be in good PCI DSS standing if they are taking credit card payments, so this would mean that they are passing audits and failing security.
This is true for you too.
- Good security is not expensive, but it is not free
Sony's Playstation Network problems have probably already cost them more than their previous annual security budget in less than a week. Likely lawsuits from developers for lost revenue, costs of sending out data disclosure notifications under California and other data disclosure laws, other direct costs, plus hidden reputation and future business costs are never going to be fully quantified.
Think about the value of what you are protecting - now, how much are you willing to spend to protect it? If your business is online, you MIGHT want to invest a bit to avoid problems.
- Security requires deep technical and business knowledge
Don't think a programmer with a book is going to solve your security problems. Don't think a person with a brand new CISSP has any appreciation of where the money is in your business. If someone doesn't ask about your business and your online service, they are not going to protect it.
I've heard from some of you, but I'd like to hear more about what you'd like me to write about. I have a couple of new projects that I'm working on and I'll be covering those as well.
Republished with permission.
Steven Davis is the author of Protecting Games: A Security Handbook for Game Developers and Publishers. Davis runs PlayNoEvil and has more than 20 years of IT and IT security expertise and has focused on the security issues of the gaming industry for more than a decade.