Last year, in 2018, the member states of the European Union enacted the General Data Protection Regulation (GDPR) to provide extra data security for their citizens. As the implications of the GDPR sink in, it is clear that this is not simply a compliance exercise but an industry-wide change of mindset, which is the key to effective data security.
The online gaming industry has always been a target for hackers, in reality and in fiction. From The Sting to Ocean’s Eleven and Lock, Stock and Two Smoking Barrels, the cinema world has always relished the idea of cunning thieves taking over an organization such as a casino. There is something satisfying about attractive rogues beating anonymous enterprises that are perceived as almost innocent. The inevitable Hollywood sequels unintentionally reflect the reality of the situation.
The reality is that online and gaming enterprises are experiencing repeated breaches. What these films don’t show is the other reality: in the new era of online gaming, the casualties are very real. They are the individuals whose personal data is taken.
Cyber attacks come in many forms, but they can be broadly categorized. Some disrupt operations, such as Distributed Denial of Service (DDoS) attacks, in which infected computers flood the network with traffic. Some players are well aware of these attacks: online games like World of Warcraft are known to have their servers hit by DDoS attacks a few times a year.
Other attacks are aimed at data theft, targeting customer data and other essential information, which is then sold on the dark web or used for identity fraud and ransomware attacks. This type of credential exploitation is particularly concerning in the gaming industry because it leads to loss of reputation and loss of users.
Although the external adversarial threat is significant, insiders, often trusted employees, can pose an even greater risk to a business. With privileged access, employees can, in most cases unintentionally, be involved in a targeted breach of data. For example, staff in the casino industry tend to switch roles between competitors, which requires a robust “Joiners, Movers, Leavers” process. It also necessitates a heightened awareness of data leakage from within each casino or other online organization.
GDPR and PCI DSS
The GDPR framework became EU law in May 2018, and since the legislation was first announced a lot has been written about it and about its impact on the way companies manage their data. However, there is an important misconception that needs to be addressed. The public perception is that there is such a thing as “GDPR compliance”, but there is no such thing.
GDPR is a regulation that requires data systems to be safe, but it is open to interpretation and provides nothing in the way of detailed guidance. There is also no annual review to validate GDPR compliance. PCI DSS validation, by contrast, is performed annually or quarterly by an external Qualified Security Assessor (QSA) firm, and the standard provides a detailed framework that specifies what needs to be done and how.
PCI DSS also provides regular updates and guidance on reviews. Those who comply with it are well on their way to meeting the requirements of GDPR. The role of Chief Information Security Officers (CISOs), Data Protection Officers (DPOs) and their advisers is to work out where the gaps lie, so that the organization adheres to GDPR in practice.
While PCI DSS is very useful, it only applies to a given moment in time. If a single control change is wrong or a process is altered, compliance is rendered invalid. Ongoing testing and updating are essential, and they are best managed through a new mindset that embeds data security at every level of the organization.
Effective data security
GDPR and PCI DSS complement one another, and if both are managed holistically they can deliver immense benefits to efficiency and reputation as well as mitigate the potential damage of a breach. However, PCI DSS compliance simply provides validation at a given time. The key to data security is not to focus on specific compliance targets but to develop a corporate mindset that features “compliance out of the box”, without forgetting the ongoing updates and maintenance.
This altered mindset requires a company-wide strategy that is developed at board level and then distributed in a practical, simple form to every partner and employee. For this to be a realistic goal, responsibility for data security cannot simply be delegated to the CISO or DPO, nor should it be seen as an IT department job. To be truly effective, data security must be the responsibility of every member of the board, which drives and oversees the organization’s data security duties. Data security should be on the agenda at every meeting.
In reality, however, given the complexity of data and compliance processes, specific ownership will rest with those who are technically qualified. Influence at board level cannot be exerted effectively without specialist support and resources. The CISO needs access to a data security specialist who provides strategic guidance and the technical ability to enhance the scope of the operation.
Key elements in data security
The key elements of data security are threat monitoring, penetration testing, red teaming and retained forensics. Developing a robust strategic cyber defense is also needed. It is not enough to develop a strategy and build a defense based on what is already known. Cyber rogues are ingenious: they exploit not only known threats and vulnerabilities, but also have ways of finding vulnerabilities that are not yet known or understood.
Those who rely only on known defenses will be limited by the extent of their knowledge. Testing and challenging that knowledge on an ongoing basis is crucial. This is where a continual program of threat monitoring, penetration testing and retained forensics comes in.
Threat monitoring is the process of observing the developing nature of cyber-attacks. Every commercial website will be probed for vulnerabilities, initially by automated tools; once something has been found, a more concerted manual attack will be launched. Having alerts that also monitor the nature of these attacks is essential, especially for players in the online gaming space, because these attacks can be countered.
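The two-stage pattern described above (an automated sweep of many paths, followed by targeted requests once something responds) leaves a recognisable trace in ordinary web access logs. The following is an added example, not code from the article or from any vendor it mentions: it parses a few constructed combined-format log lines and flags a source address that requests many distinct non-existent paths within a short window, then lists the successful requests that same address made after the probe began. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
# 198.51.100.23 behaves like a scanner walking a wordlist; 203.0.113.7 is an ordinary player.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:01:00 +0000] "GET /login HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:14:01:01 +0000] "GET /.env HTTP/1.1" 404 169 "-" "python-requests/2.21"
198.51.100.23 - - [10/Mar/2019:14:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "python-requests/2.21"
198.51.100.23 - - [10/Mar/2019:14:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "python-requests/2.21"
198.51.100.23 - - [10/Mar/2019:14:01:02 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "python-requests/2.21"
198.51.100.23 - - [10/Mar/2019:14:01:03 +0000] "GET /backup.zip HTTP/1.1" 404 169 "-" "python-requests/2.21"
198.51.100.23 - - [10/Mar/2019:14:01:03 +0000] "GET /api/v1/users HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:01:05 +0000] "GET /lobby HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:01:09 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_probing(log_text, window=timedelta(seconds=60), min_distinct_404=5):
    """Flag source IPs that hit many distinct missing paths within one time window.

    A burst of 404s on unrelated paths is the signature of an automated scanner; a
    legitimate user produces a stray 404 or two at most. For each flagged IP the
    result also lists the paths that answered successfully after the probe began,
    which is where a human follow-up attack would concentrate. Thresholds are
    illustrative and should be tuned to the site's own baseline.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = [r for r in recs if r["status"] == 404]
        for i, start in enumerate(misses):
            in_window = [r for r in misses[i:] if r["ts"] - start["ts"] <= window]
            paths = sorted({r["path"] for r in in_window})
            if len(paths) >= min_distinct_404:
                hits = [r["path"] for r in recs
                        if r["status"] < 400 and r["ts"] >= start["ts"]]
                alerts[ip] = {
                    "first_seen": start["ts"],
                    "distinct_404_paths": paths,
                    "hits_after_probe": hits,
                }
                break  # one alert per source is enough for the analyst queue
    return alerts


if __name__ == "__main__":
    for ip, info in detect_probing(SAMPLE_LOG).items():
        print(f"{ip}: probe started {info['first_seen']:%H:%M:%S}, "
              f"{len(info['distinct_404_paths'])} missing paths, "
              f"successful after probe: {info['hits_after_probe']}")
```

Run against the sample, the scanner address is flagged on its five distinct 404s in a three-second span and `/api/v1/users` is reported as the one path that answered it, while the player's single `favicon.ico` miss stays below the threshold. In production the same logic would run as a streaming rule in the SIEM rather than over a string, and the "hits after probe" list is what the on-call analyst should look at first.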
The next step in data security is penetration testing, which needs both automated and manual elements, because the rogue communities use both advanced scanning tools to identify potential weak areas and sophisticated human minds to develop and explore these vulnerabilities. How does penetration testing work? Imagine a room with almost limitless doors. The automated penetration test identifies which doors conceal potential vulnerabilities. The manual tester then pries those doors open and looks at what is behind them.
Taking the analogy further, red teaming opens these doors wide and delves into what lies behind them. Red team testers have ethical hacking experience backed by the industry’s most respected accreditations, such as CREST and OSCP, and use their skills to root around and uncover unforeseen vulnerabilities.
With this information, the process of closing off potential opportunities for cyber attacks before they are even exposed can begin, and a data security strategy can be developed in which vulnerabilities are anticipated. These experts work in partnership with a specialist retained forensics team, which manages the defense process. In some specialist consultancies the red team is also part of the retained forensics team, ensuring that the process is ongoing and that testing is built in regularly.
Engaging a retained forensics team not only helps manage a continually evolving defense; it also builds in resilience against a potential attack. Given the ingenuity of hackers, however, no organization can ever be considered immune. The strategy must include a detailed plan for when an attack occurs, particularly for prompt reporting in the event of a breach: GDPR requires any breach to be reported to the relevant regulatory authority within 72 hours, and failure to do so will result in punishment.
When it comes to business continuity, failure recovery and containment, having a retained forensics team on hand means the process can be managed swiftly, which limits any potential damage. It is also worth noting that a retained forensics team not only facilitates ongoing testing of system security but also provides strategic intelligence for effective maintenance and development. It also demonstrates to the relevant authorities that a robust, ongoing process is in place, which reduces the potential dangers.
In a few words, GDPR shouldn’t be considered an encumbrance or an onerous chore. It was created to build safeguards into data security systems, protecting both organizations and their users from cyber attacks. Those who embrace GDPR and build an ongoing test and exercise regime into their systems will benefit from enhanced reputation and player loyalty. Those who make data security the responsibility of every member of the company, and who develop a constantly evolving defense strategy, can demonstrate to both users and regulatory authorities that they take security very seriously. These are among the things the online industry needs to do, and they will put it in the best possible shape to resist potential cyber-attacks, or at least to deflect or reduce the impact of one. Embracing GDPR and building cyber resilience is the best business decision.