This post is part of a new series called “Game On” brought to you by Akamai Technologies. As game publishers deal with increasingly complex issues, this series looks at topics as diverse as managing worldwide launches, security, second screen integration and the changing business model of freemium games. Read the whole series here.
In an online-intensive industry like gaming, consumers trust companies with a lot of information and access. They set up accounts that may include all kinds of sensitive data such as credit card numbers, addresses, and even their very virtual identities. That’s why publishers need to be prepared for the multitude of different security issues threatening every avenue possible.
And when threats do succeed in penetrating their vigilance, they need to have a plan for dealing with them. To tackle this tricky issue, a lot of publishers are partnering with cloud computing companies to provide the protection needed for their customers.
Cloud computing helps manage spikes in traffic and get software launched without a hitch, and it’s this same system that can shore up important vulnerabilities. Cloud security providers are particularly proficient at protecting web properties at the DNS (Domain Name System) level and at gathering threat intelligence so that they know what to guard against, a necessary step given how many different kinds of threats are out there. Many, like Akamai Technologies, also hire experts who research, monitor, and act around the clock to help publishers’ servers stay ironclad and protected from threats.
Breaches versus account takeovers
We tend to think of these threats as “breaches”, but according to Michael Smith, Akamai Technologies’ Director of Customer Security Incident Response Team, it’s important to remember that there are vital distinctions to be made. “Breaches are when people break into your site and steal your data, whereas account takeovers give the bad guys control over your account,” Smith clarifies.
These two violations may feel very similar but actually can have very different effects on customers, and require different measures to handle. Breaches are pure info dumps stemming from hacking (often in bulk), while account takeovers can happen through hacking or also through phishing scams from third-party sites, duping users into giving up sensitive login information.
Login and registration pages are prime vulnerabilities
These vulnerabilities can crop up in many different places. The login and registration pages are among the most exposed points in an online-intensive infrastructure. Registration pages can fall victim to automated bulk registration, and login pages are where most account takeovers and data breaches bust through. Threats can also piggyback onto updates, though they’re less sensitive in general. Forums and other user-contributed content also face attacks through cross-site scripting (XSS), in which a script is inserted into a page so that it runs in other users’ browsers and can send what they see off-site, as well as harassment campaigns.
Prevention is the first goal
So how can companies protect themselves from these threats? Sometimes it’s as simple as purchasing more capacity than necessary to absorb traffic spikes, but more sophisticated methods are usually necessary. For registration and login pages, monitoring suspicious activity is key. Registration pages can use a cryptographic token to verify that the user is using the actual application rather than a third-party one. Login pages can use login attempt counters to guard against attackers attempting to brute-force their way into an account. And forums can use web application firewalls and web address filters to shield their users, as well as good old-fashioned curation (eyes in the field to directly look for and remove harmful elements) to guard against harassment and other suspicious accounts.
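A login attempt counter of the kind mentioned above can be sketched as follows. This is an added example, not code from the article or from Akamai; the class name, thresholds and five-minute window are assumptions, and it goes slightly beyond the text by counting failures per source address as well as per account.

```python
from collections import defaultdict, deque


class LoginAttemptCounter:
    """Sliding-window count of failed logins, per account and per source IP."""

    def __init__(self, max_per_account=5, max_per_ip=20, window=300.0):
        # Thresholds and window are illustrative assumptions, not from the article.
        self.limits = {"account": max_per_account, "ip": max_per_ip}
        self.window = window
        self.failures = defaultdict(deque)  # (kind, value) -> failure timestamps

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, account, ip, now):
        # Checked before the password is verified, so a blocked guess is never tested.
        return (self._recent(("account", account.lower()), now) >= self.limits["account"]
                or self._recent(("ip", ip), now) >= self.limits["ip"])

    def record_failure(self, account, ip, now):
        self.failures[("account", account.lower())].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, account):
        # Success clears the account counter; the per-IP history is kept.
        self.failures.pop(("account", account.lower()), None)


def replay(events, counter):
    """Replay (time, account, ip, password_ok) tuples and return each decision."""
    decisions = []
    for now, account, ip, ok in events:
        if counter.is_blocked(account, ip, now):
            decisions.append("blocked")
        elif ok:
            counter.record_success(account)
            decisions.append("allowed")
        else:
            counter.record_failure(account, ip, now)
            decisions.append("failed")
    return decisions


# Constructed sample: six wrong guesses on one account, then the real owner
# logging in during the lockout and again after the window has passed.
SAMPLE = [(t, "Player1", "203.0.113.7", False) for t in range(0, 60, 10)] + [
    (100, "player1", "198.51.100.9", True),
    (341, "player1", "198.51.100.9", True),
]
```

The sample shows the trade-off of a per-account counter: the legitimate owner is also refused until the window expires, which is why the threshold and window need tuning against real login traffic.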
Companies also need to understand scrapers, which are used by search engines and similar services to copy web page states, collect business intelligence, do competitive analysis, mine for data, and copy security logs. More often than not these are nothing to worry about; after all, search engine hits are helpful. But scrapers can present other threats, like overloading servers and poking around for sensitive information. Cloud computing companies can simply block these scrapers to prevent them from doing harm. Of course, some scrapers can’t be identified easily, making their goal unclear. These unknown or benign scrapers can be diverted elsewhere just in case. You can also run verification software to see if a supposed scraper is actually a human trying to access private information.
Correct quickly after an event
Sometimes these preventative measures don’t stop attacks, but cloud companies can adjust for quick corrections after an incident. The steps taken when an attack actually happens follow a linear progression. “The first step is simply understanding when a security event has occurred,” explains Smith. “We continually monitor and research through news reports, blogs, and forums.” Knowledge is everything in security, and knowing what threats are running rampant across the Internet is essential in keeping users safe. The next step is assessing how to handle the intrusion by monitoring it and determining whether it’s damaging or not. Following this, it’s a matter of finding the best response that causes the least impact to customers. The key is being as surgical and invisible as possible with any remedies. Finally, it’s important to start monitoring again right away to see if the threat resurfaces, because attacks are often resilient and persistent.
Good security isn’t just putting up a catchall shield that keeps all the bad stuff out. It takes knowledge and research as well as an understanding of just how many places attacks can come from and how many entry points they can take. Online services are exposed on all sides, so it’s up to publishers to be vigilant to keep consumer trust. Quality cloud computing partners are a vital piece of the security puzzle.
Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.