Have you ever decided to buy a particular make, model, and color of vehicle and then all of a sudden you see dozens of them on the roads where before you rarely saw any? This is colloquially termed “red (or any color really) car syndrome.” It has also been linked to confirmation bias.
The field of information security sometimes suffers from the reverse effect. If one is not in the information security field, or does not work for a company or industry that the press persistently mentions in connection with security incidents and data breaches (banking, medical, or government, for example), there is a tendency to forget that security matters in every industry, simply because of a perceived lack of risk or exposure.
This is a mistake. Take the gaming industry as an example. In the last couple of years this industry saw the publication of security failures at Sony, EA, Ubisoft and Blizzard, to name just a few. Couple that with the targeting of Zynga by the group known as Anonymous late last year, and it's apparent that the gaming industry has now joined the pantheon of industries for which information security must be not an afterthought, but a priority.
These are some of the largest companies in the gaming industry, with millions, if not billions, of dollars of revenue between them, and yet each made fundamental errors in its information security strategy. Keep in mind that the attacks on these companies were not the result of some previously unknown attack pattern or zero-day exploit, but of basic failures in and around their technology infrastructures and in the strategies meant to protect those infrastructures.
The gaming industry, in my opinion, has some specific areas where it should focus its security strategy. The first and most important is user authentication and, following from it, the protection of the personally identifiable information collected about those users. With laws and regulations such as the Children's Online Privacy Protection Act in force, it is critical that companies do the best they can to protect their players' identities and the private information they collect from them.
The second area is payment information of any kind. If the game or its supporting ecosystem has anything that resembles a store or marketplace where real money or physical goods change hands, then the protection of both the payment information and the transactions themselves is obviously of critical importance.
Lastly, there is anti-cheating. Unfortunately, this is where most of the effort seems to be placed, at least to date. This is backwards. If someone finds a way to cheat at the game, the company loses some reputation points and MIGHT lose some users, which could translate into lost revenue. But if either of the two areas above is compromised, such that personal or payment information is lost or stolen, the company will not only lose reputation points; it is also likely to be fined by regulators and sued by users, which makes it a financial, as well as a public relations, risk.
In conclusion, don't fall victim to the notion that there is no risk to your company just because your company or industry isn't in the news.