Information Security in the Gaming World
TRANSCRIPT
![Page 1: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/1.jpg)
Dimitrios Stergiou
![Page 2: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/2.jpg)
About Dimitrios
• Has a keen interest in Information Security (10 years and counting)
• Currently holds: CISSP, CISA, CISM, BS 7799 LA, CCSP
• Newbie Python coder
• Amateur social engineer
• Loves vendor t-shirts
• Avid World of Warcraft gamer
![Page 3: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/3.jpg)
Security and Quantum Computing
![Page 4: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/4.jpg)
So, what do we talk about
• History lesson
• Threats
• Compliance
• Information Security
• And no, I am not selling anything, don’t panic
![Page 5: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/5.jpg)
What we don’t talk about
• ROI (ROSI)
  – Actually we do
• APT
• Cyber-
• Hacker
  – Attacker
• SSL / PKI
![Page 6: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/6.jpg)
A bit of history
• Early Internet era
  – Exploit vulnerabilities
  – Take pride
• 10 years later
  – Attack the server
  – Steal or destroy data
• Last 5 years
  – Attack the application
  – Steal / hold data
  – Financial gain
![Page 7: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/7.jpg)
… and more recently
![Page 8: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/8.jpg)
What causes the issues then?
1. Malware
2. Malicious insiders
3. Known vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social engineering
8. Zero-day exploits
9. Cloud computing
![Page 9: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/9.jpg)
Oh well, what now
Meet Information Security Compliance Standards
![Page 10: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/10.jpg)
Information Security Compliance
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27000 series
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Bundesamt für Sicherheit in der Informationstechnik (BSI)
• SAS 70 Type 2
• National / other standards
![Page 11: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/11.jpg)
A typical example
![Page 12: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/12.jpg)
How it’s all done
• Policy
• Procedure
• Guideline
• Audit records
![Page 13: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/13.jpg)
… and now I take you through the compliance process
![Page 14: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/14.jpg)
![Page 15: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/15.jpg)
(Doing only) Compliance fails
![Page 16: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/16.jpg)
Why?
• “Word” engineering
• Checklist approach
• Baseline becomes “the ceiling”
• Snapshot in time
• Non-continuous process
![Page 17: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/17.jpg)
The audit has finished…
• Management thinks that compliance equals security
• Does enough to “pass” the audit
• Does not talk security until the next audit
• Business as usual
![Page 18: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/18.jpg)
Meanwhile, developers…
![Page 19: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/19.jpg)
And Security people… Process / Procedure / Guideline / Standard Instruction / Audit / Vulnerability / Risk Threat / Exploit / Attack Vector / <buzz>
![Page 20: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/20.jpg)
And attackers are efficient!
In touch with reality
![Page 21: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/21.jpg)
As a result
The “sad” day comes when management realizes that
Or even worse:
![Page 22: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/22.jpg)
Bottom line
s/YOU/Compliance/g
![Page 23: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/23.jpg)
But Compliance can be the answer if
• It comes as a by-product of a security management program
• It is used in a bottom-up approach
• It can “secure” budget for security
• It does not become a panacea
![Page 24: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/24.jpg)
Security Management
• Reputation
• Regulation
• Revenue
• Resilience
• Recession
![Page 25: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/25.jpg)
Do we REALLY need security?
![Page 26: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/26.jpg)
But are you 100% sure we need it?
![Page 27: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/27.jpg)
Gender-neutral / Gender equality
![Page 28: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/28.jpg)
Security management mini-HOWTO
(Risk management flowchart; only its labels survive extraction.)
• Risk management: determination of scope of information security; creation of executive policy; development of a systematic risk assessment method (risk assessment procedures)
• Risk assessment and risk analysis: identification of information assets (inventory of assets, list of assets); estimation of threats and vulnerabilities (risk analysis table); risk evaluation (risk assessment report)
• Risk treatment; risk acceptance
• Plan / Do / Check / Act (PDCA) cycle
![Page 29: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/29.jpg)
The “checklist” approach
1. Device inventory
2. Software inventory
3. Secure system device configuration
4. Secure network device configuration
5. Boundary defense
6. Monitoring and analysis of audit logs
7. Application software security
8. Control administrative privileges
9. “Need-to-know” access
10. Vulnerability assessment
11. Account monitoring
12. Malware defenses
13. Control network ports
14. Wireless control
15. Data Loss Prevention
16. Secure Network Design
17. Penetration test
18. Incident response
19. Data recovery
20. Training
![Page 30: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/30.jpg)
The IT Security field is always in need of new clichés!
• Nothing will ever be 100% secure
• Know thy risk
• Security is the means, not the end
• Security yes, obscurity no
• Talk to them, not at them
![Page 31: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/31.jpg)
![Page 32: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/32.jpg)
![Page 33: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/33.jpg)
What is that ROI again?
![Page 34: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/34.jpg)
Why we don’t talk about ROI
"ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. (Bruce Schneier)
![Page 35: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/35.jpg)
Net Present Value (NPV)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = discount rate (average cost of capital)
• NPV > 0: Go ahead
• NPV < 0: Project cancelled
• NPV = 0: Can do, can ignore, no difference
![Page 36: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/36.jpg)
Net Present Value (Example)
Net Present Value (discount rate = 15%)

| | C0 | T1 | T2 |
|---|---|---|---|
| Initial investment | -200,000 | | |
| Annual benefits | | 400,000 | 400,000 |
| Annual operating costs | | -100,000 | -100,000 |
| Net cash flow | -200,000 | 300,000 | 300,000 |

NPV = -200,000 + 300,000 / (1.15)^1 + 300,000 / (1.15)^2
NPV = -200,000 + 260,870 + 226,843
NPV = 287,713
![Page 37: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/37.jpg)
Internal Rate of Return (IRR)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = cost of capital
• IRR > k: Go ahead
• IRR < k: Project cancelled
• IRR = k: Can do, can ignore, no difference
![Page 38: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/38.jpg)
Internal Rate of Return (Example)
Internal rate of return (k = 15%)

| | C0 | T1 | T2 |
|---|---|---|---|
| Initial investment | -200,000 | | |
| Annual benefits | | 400,000 | 400,000 |
| Annual operating costs | | -100,000 | -100,000 |
| Net cash flow | -200,000 | 300,000 | 300,000 |

IRR: 0 = -200,000 + 300,000 / (1 + IRR) + 300,000 / (1 + IRR)^2
IRR = 118.61 %
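As an added worked example (my code, not the deck's), the NPV and IRR figures from the two tables above computed in Python: `npv` applies NPV = Σ CF_t / (1 + k)^t with CF_0 the negative initial investment, `irr` finds the rate at which NPV is zero by bisection, and `verdict` applies the slides' decision rules. The cash flows and k = 15% are the deck's numbers; the bisection bracket and tolerances are my assumptions.

```python
"""NPV and IRR for the deck's cash flows (added example, not code from the presentation)."""
from typing import Sequence

# Constructed from the slides' table: C0 = -200,000 initial investment, then
# 400,000 annual benefits - 100,000 annual operating costs = 300,000 for T1 and T2.
CASH_FLOWS = [-200_000.0, 300_000.0, 300_000.0]
DISCOUNT_RATE = 0.15  # k = 15% (average cost of capital) from the slides


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = sum over t of CF_t / (1 + k)^t; CF_0 is the (negative) initial investment."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> float:
    """Rate at which NPV is zero, found by bisection.

    The bracket [lo, hi] is an assumption: it suits the conventional pattern of one
    outflow followed by inflows, where NPV falls monotonically with the rate and so
    has a single root. Non-conventional cash flows can have several IRRs or none."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV keeps its sign on the bracket: no single IRR")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if (f_mid < 0) == (f_lo < 0):   # same sign as the low end: root is above mid
            lo, f_lo = mid, f_mid
        else:                           # sign changed: root is below mid
            hi = mid
    return (lo + hi) / 2.0


def verdict(value: float, tol: float = 1e-6) -> str:
    """The slides' NPV decision rule (for conventional cash flows the IRR > k rule agrees)."""
    if value > tol:
        return "Go ahead"
    if value < -tol:
        return "Project cancelled"
    return "Can do, can ignore, no difference"


if __name__ == "__main__":
    value = npv(DISCOUNT_RATE, CASH_FLOWS)
    rate = irr(CASH_FLOWS)
    print(f"NPV at {DISCOUNT_RATE:.0%}: {value:,.0f}")  # 287,713
    print(f"IRR: {rate:.2%}")                            # 118.61%
    print(verdict(value))                                # Go ahead
```

Swap in the cash flows of a real control (its cost against the losses it is expected to avert) to reproduce the slides' argument that security is justified as loss prevention rather than as a return.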
![Page 39: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/39.jpg)
Unfortunately
Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. (“Albert Einstein”)
![Page 40: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/40.jpg)
![Page 41: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/41.jpg)
You need 1337 skillz to be hax0r?
• Beware of “script kiddies”
• Fame seekers
• Insider pwnage
• Revenge!!!
• Demo (3 slides to go)
![Page 42: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/42.jpg)
![Page 43: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/43.jpg)
Good keywords to Google
• metasploit
• set
• w3af
• nmap
• nessus
• beef
• sqlmap
![Page 44: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/44.jpg)
Are you talking to me?
• Blog: blog.nihilnovo.eu
• Twitter: twitter.com/dstergiou
• Email: [email protected]
![Page 45: Information Security in the Gaming World](https://reader034.vdocuments.us/reader034/viewer/2022042715/5588dd48d8b42a66198b45c5/html5/thumbnails/45.jpg)
Demo
• Client-side attack with IE
• Browser exploitation