Blocking ransomware, hackers and more: What you need to know about security for games
Sumo Logic's Iain Chidgey explains the basics of game security
As long as there have been computers, there have been security problems.
For the games industry, attackers may be professionals looking to steal assets in advance of a game coming out in order to profit, as happened to EA.
Hackers may use ransomware to lock up those assets for payment, as CD Projekt Red found early in 2021.
Equally, fans may simply try to get access to files to satiate their curiosity. Valve had the source code to Half-Life 2 stolen by a fan who wanted to know more about when the game would be released.
Keeping things secure from initial development through to commercial release and after involves a range of skills and priorities. To get started around security, here is what you should know.
Software supply chains and security
Managing software development will normally follow a pipeline process, where code is developed and then pushed through testing, QA and into production automatically. Engines like Unity or Unreal have built-in support for this pipeline process taking place, referred to as continuous integration and continuous deployment (CI/CD).
Looking at your CI/CD pipeline can tell you several things -- firstly, how well your team is working together and whether you are on schedule, based on the volume of commits taking place.
This data can be used for security too -- by knowing your expected behaviour, you can keep an eye out for activity that does not look normal, such as a developer account accessing assets out of hours, for instance. While this might be an early sign of crunch coming up, it could also be a warning sign of an attack.
There are some metrics that you can use as good indicators of attacks, starting with authentication activity. This covers standard account details like user names and passwords, but it also covers any APIs or other resources that developers might use, such as file stores and databases.
If you see multiple failed access attempts on an account, this can indicate an attack in progress, especially when the requests come through rapidly. Rate limiting requests can stop hackers abusing a credential or throwing automated password cracking systems at the account. Ideally, make use of multi-factor authentication to solve the problem.
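The check described above, written out as an added example (not code from the article or from Sumo Logic): it runs over a handful of constructed authentication events, keeps a sliding window of failures per account, and raises an alert when a short burst or a slower, spread-out run of failures crosses a threshold. The log format, the two rules and their thresholds are assumptions made for the example. The output also separates the accounts a per-account rate limit would actually throttle (the rapid burst) from the slow case that a short-window rate limit does not catch and that multi-factor authentication is the better answer to.

```python
"""
Spot repeated failed sign-ins against one account and pick out the accounts
that a short-window rate limit would throttle. Added example, not from the
article or Sumo Logic: the log format, thresholds and events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs).
# Each line: ISO-8601 timestamp, account, result, source IP.
SAMPLE_LOG = """\
2021-06-01T09:00:01Z alice SUCCESS 10.0.0.12
2021-06-01T09:00:05Z bob FAILURE 10.0.0.20
2021-06-01T09:00:06Z bob FAILURE 10.0.0.20
2021-06-01T09:00:07Z bob FAILURE 10.0.0.20
2021-06-01T09:00:08Z bob FAILURE 10.0.0.20
2021-06-01T09:00:09Z bob FAILURE 10.0.0.20
2021-06-01T09:00:10Z bob SUCCESS 10.0.0.20
2021-06-01T09:30:00Z carol FAILURE 10.0.0.31
2021-06-01T10:30:00Z carol FAILURE 10.0.0.31
2021-06-01T11:30:00Z carol FAILURE 10.0.0.31
2021-06-01T12:30:00Z carol FAILURE 10.0.0.31
2021-06-01T13:30:00Z carol FAILURE 10.0.0.31
2021-06-01T14:30:00Z carol SUCCESS 10.0.0.31
"""

# Detection rules: name -> (failures needed, sliding window). Assumed values.
RULES = {
    "burst": (5, timedelta(minutes=1)),        # rapid automated guessing
    "low_and_slow": (4, timedelta(hours=24)),  # spaced attempts that dodge a short window
}


def parse_event(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_failed_logins(log_text, rules=RULES):
    """Return alerts as dicts with user, rule, count, at and ip, in log order."""
    # account -> rule name -> timestamps of failures still inside that rule's window
    recent = defaultdict(lambda: {name: deque() for name in rules})
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_event(line)
        queues = recent[user]
        # Slide every window forward to the current event time.
        for name, (_, window) in rules.items():
            q = queues[name]
            while q and ts - q[0] > window:
                q.popleft()
        if result == "FAILURE":
            for name, (threshold, _) in rules.items():
                queues[name].append(ts)
                if len(queues[name]) == threshold:  # fire once, when first crossed
                    alerts.append({"user": user, "rule": name, "count": threshold, "at": ts, "ip": ip})
        elif result == "SUCCESS":
            # A success right after a run of failures is the case most worth a look:
            # the guess may have landed.
            worst = max(len(queues[name]) for name in rules)
            if any(len(queues[name]) >= th for name, (th, _) in rules.items()):
                alerts.append({"user": user, "rule": "success_after_failures",
                               "count": worst, "at": ts, "ip": ip})
            for q in queues.values():
                q.clear()
    return alerts


def accounts_to_throttle(alerts):
    """Accounts a per-account rate limit would slow down: those in a rapid burst."""
    return sorted({a["user"] for a in alerts if a["rule"] == "burst"})


if __name__ == "__main__":
    found = detect_failed_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a['at']:%H:%M:%S} {a['user']:<6} {a['rule']:<24} failures={a['count']} from {a['ip']}")
    print("throttle:", accounts_to_throttle(found))
```

On the sample data, bob trips both rules within seconds and then signs in successfully, so the account lands on the throttle list and gets a "success after failures" alert; carol's five failures an hour apart never trip the one-minute rule, so rate limiting alone would not slow them down, which is why the 24-hour rule and the success-after-failures alert are there.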
Network traffic is also worth keeping an eye on. Developers and artists can move around a lot of data based on their workloads, but they should follow some standard approaches and leave a reasonably predictable pattern for their work. A sudden spike in traffic volume or a change in behaviour may mean that the development process has shifted up a gear on a project, but it can also be an alert to potentially malicious activity.
Looking at where traffic starts and ends can also point out a potential problem. With everyone working remotely, everyone should use a Virtual Private Network (VPN) to access their work, but if a developer account starts looking at code or assets that it is not supposed to access, then it should be investigated. It's also worth tracking session lengths, as these can be an indicator of compromise -- a network session that remains open for an extended period outside working hours could indicate an unauthorised VPN tunnel set up to transfer data.
It is also worth paying special attention to connections established with ports used for remote access, like port 22 (SSH), port 23 (Telnet), and port 3389 (RDP). These are commonly used for legitimate traffic, but they can also be used to exfiltrate data. If they are not needed, then close them by default.
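The four warning signs from the last three paragraphs, as one added example (not code from the article or from Sumo Logic) run over a day of constructed session records: a traffic volume far above the account's own median, an account reaching an asset outside its expected set, a long session outside working hours, and a connection on port 22, 23 or 3389 to a host other than the approved bastion. The record format, host names, per-account expected-asset lists, working hours and thresholds are all assumptions made for the example.

```python
"""
Review a day of connection records for the warning signs described above:
traffic volume far above an account's own norm, an account reaching assets
outside its expected set, long sessions outside working hours, and
connections on remote-access ports to hosts that should not receive them.
Added example, not from the article or Sumo Logic; the record format,
hosts, expected-access lists and thresholds are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed session records (not real data).
# Each line: start end account destination_host destination_port bytes
SAMPLE_SESSIONS = """\
2021-06-01T09:05:00Z 2021-06-01T09:45:00Z alice git.internal 443 120000000
2021-06-01T10:00:00Z 2021-06-01T10:20:00Z alice git.internal 443 90000000
2021-06-01T11:00:00Z 2021-06-01T11:30:00Z alice assets.internal 443 150000000
2021-06-01T14:00:00Z 2021-06-01T14:05:00Z bob bastion.internal 22 2000000
2021-06-01T14:10:00Z 2021-06-01T14:12:00Z bob build-07.internal 3389 3000000
2021-06-01T15:00:00Z 2021-06-01T15:10:00Z bob git.internal 443 50000000
2021-06-01T16:00:00Z 2021-06-01T16:05:00Z bob audio-archive.internal 443 40000000
2021-06-01T22:10:00Z 2021-06-02T04:40:00Z alice vpn-gw.internal 1194 9000000000
"""

# Assumed policy. Remote-access ports are only expected towards the bastion host.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
APPROVED_REMOTE_ACCESS_HOSTS = {"bastion.internal"}
WORK_START, WORK_END = 8, 19            # working hours in UTC, assumed
LONG_SESSION = timedelta(hours=4)       # longer than this out of hours is suspicious
VOLUME_FACTOR = 10                      # flag bytes above 10x the account's median
EXPECTED_HOSTS = {                      # which assets each account normally touches
    "alice": {"git.internal", "assets.internal", "vpn-gw.internal"},
    "bob": {"git.internal", "bastion.internal", "build-07.internal"},
}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_session(line):
    start, end, user, host, port, nbytes = line.split()
    return {
        "start": datetime.strptime(start, TS_FORMAT),
        "end": datetime.strptime(end, TS_FORMAT),
        "user": user, "host": host, "port": int(port), "bytes": int(nbytes),
    }


def outside_working_hours(t):
    return not WORK_START <= t.hour < WORK_END


def review_sessions(text):
    """Return (account, finding, detail) tuples in record order."""
    sessions = [parse_session(line) for line in text.splitlines() if line.strip()]
    # Per-account baseline from the account's own sessions; the median resists one outlier.
    volumes = defaultdict(list)
    for s in sessions:
        volumes[s["user"]].append(s["bytes"])
    baseline = {user: median(v) for user, v in volumes.items()}

    findings = []
    for s in sessions:
        user, host, port = s["user"], s["host"], s["port"]
        if port in REMOTE_ACCESS_PORTS and host not in APPROVED_REMOTE_ACCESS_HOSTS:
            findings.append((user, "remote_access_port", f"{REMOTE_ACCESS_PORTS[port]} to {host}"))
        if host not in EXPECTED_HOSTS.get(user, set()):
            findings.append((user, "unexpected_asset_access", host))
        duration = s["end"] - s["start"]
        if duration > LONG_SESSION and (outside_working_hours(s["start"])
                                        or outside_working_hours(s["end"])):
            findings.append((user, "long_out_of_hours_session", f"{duration} to {host}"))
        if s["bytes"] > VOLUME_FACTOR * baseline[user]:
            findings.append((user, "volume_spike",
                             f"{s['bytes']} bytes vs median {baseline[user]:.0f}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_sessions(SAMPLE_SESSIONS):
        print(f"{user:<6} {finding:<26} {detail}")
```

Bob's SSH session to the bastion is expected and stays quiet, while the RDP session to a build host and the visit to the audio archive are flagged; alice's overnight six-and-a-half-hour session moving sixty times her median volume is flagged twice. A real deployment would build the per-account baseline from weeks of history rather than from the same day being reviewed, and would treat each finding as a prompt to investigate rather than as proof of an attack.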
Data management best practices
Game development involves a whole gamut of different files, formats and types, from essential code like a game engine or software components through to art assets and textures. These assets have to be stored somewhere over time and increasingly cloud services are used. To keep these environments secure involves following some best practices around access, data security and backup.
The first area to consider is access -- quite simply, who has access to what assets, and more importantly why. With development teams scaling up and down based on workload, it can be hard to keep track of all the individuals that might need to access code, but using role-based access control and strong authentication can help stop unauthorised access in its tracks.
By tying access to code assets to both user accounts and other factors for authentication, such as a one-time password sent to a developer's phone, you can be more sure that anyone getting access is who they say they are.
Alongside access control, you should evaluate your network traffic and its behaviour over time. For more traditional companies, this can be a simple job where everything is based in one data centre; for games companies, there will likely be a mix of different environments, cloud services and companies involved. With so many moving parts involved, you have to think more carefully about how you manage security.
You should also have a full data backup plan in place to keep all your assets both up to date and protected. This is particularly important for version control, where you may have bugs or issues that have to be fixed over time, but it is also the best protection against ransomware attacks. Having a full and current backup that is kept separate from your current production environments is essential, as it will mean that you should always have copies of those files available if you need to recover. If a ransomware attack does ever succeed, you can use these backup versions to get operations back to normal as quickly as possible.
Getting the big picture
Alongside internal security during development, games companies also have to think about the infrastructure needed to support games once they have gone live. Protecting this is another job for the security operations centre, or SOC.
SOC analysts spend their days looking for real-time updates on what is happening across their organisation's IT, and following up on potential anomalies. By getting data feeds from the systems that support players, the SOC team can see where things are operating well and where there might be attacks in progress.
The SOC approach is a traditional one that large enterprises have had in place for years, and large games companies have adopted the same model to run their security operations. However, there are some specific requirements that games firms have to consider too.
The first is around scalability. When a big game launches, the number of players can go up rapidly from almost none to millions. Coping with the sheer volume of data that the launch leads to is a challenge in its own right.
At the same time, the level of traffic will vary massively over time as well, based on player behaviour and the demographics of your audience. As a general example, games aimed at younger age groups would peak during after-school hours, while those aimed at adults would peak much later in the day and into the evening.
For many services in the cloud, for example, you pay for capacity. If you have to keep paying for that capacity at the highest level, rather than for the average, then you are effectively penalised for success. Instead, it is worth looking at how you can manage your costs around security so that peak consumption does not automatically lead to a huge increase in spending as you save and analyse all that data.
The second big difference is around the kind of behaviour that teams will investigate. Analysts look out for anomalies in the data that can then be followed up, such as requests for access to infrastructure or API assets that are out of the ordinary.
However, gaming telemetry can also be useful to see how players behave in the game and what is expected. Players may find flaws in game logic that can lead to issues, from harmless things that might break a feedback loop and allow them to progress faster, through to faults that might break the game or corrupt a save file. While these issues are not security risks, they would represent risks to the game and to the business behind it.
Developers often use data from the game to see what is taking place in the player community and how the overall experience is, while security teams use that same data for security risk management. By coordinating and consolidating your approach here, both teams can benefit from the same data over time, rather than having to run their own separate tools and sets of data.
Thinking about the players
Another aspect to security is the player data itself. For many games, players have to create accounts with their real names and details. This is personally identifiable information or PII, which has to be protected, particularly for players under eighteen.
In the European Union, and in the UK, PII for children has to receive enhanced protection for privacy and security, as well as needing more specific plain language descriptions for consent purposes.
Protecting this data is a full-time requirement for your security team. It involves understanding what data is gathered and where PII is included in this, the business reason for that, and how long the data may be kept for. By understanding this from the start, it is easier to look out for potential situations that would jeopardise compliance. Most companies have already implemented approaches and policies that reflect GDPR, so the challenge is checking that any changes you make don't break those processes or lead to compliance failures over time.
Alongside the formal compliance side of security, there are other areas of security around player accounts that you should consider. When games are based on subscriptions, or can have paid items associated with user accounts, account hijacking is a risk.
This describes how players can have their accounts stolen through guessing of weak passwords, brute-force attacks or social engineering. Whatever the process, the aim for hackers is to get access and then either steal or sell the items on that account. The problem has existed for years -- high profile cases include a conviction for murder in China in 2005 linked to the theft and sale of a high-level item, as well as arrests around theft and resale of virtual items in countries around the world.
Thankfully, most developers take this problem seriously. A good example of best practice is Fortnite, which mandates two-factor authentication for any kind of gifting or transfer. For other game publishers, putting authentication in place around accounts should be strongly considered.
Not only should this help players feel more secure, it can also work alongside analytics into how people play. This can show up incidents where behaviour in the game such as exploiting poor AI or broken game logic might affect players. While this is not a traditional security issue, it can affect how players experience the game, and lead to cancellations or refund requests if not managed properly.
The games sector is growing and earning, and like any industry in these circumstances it has to be kept secure. GlobalData estimates that the market will more than double in the next decade, from around $200 billion in 2021 to more than $450 billion in 2030 -- keeping all this infrastructure secure and protected is essential.
To keep gaming secure, better use of data from across every company involved in delivering games -- from the code and IP assets through the actual games and infrastructure supporting them -- is needed. Without this ability to get the right data together, games companies will face potential theft, ransomware and poor player experiences. Getting a continuous intelligence approach in place can help.
Iain Chidgey is vice president EMEA at Sumo Logic. He has over 20 years of information technology experience with a focus on security and cloud computing. Chidgey joined Sumo Logic via a company acquisition in 2019. Sumo Logic is a continuous intelligence company covering security, observability and modern applications.