Gus Fritschie has been involved in information security since 2000. About 8 years ago he transitioned a significant portion of his practice into the gaming sector. Earlier this year SeNet merged with GLI/Bulletproof and the combined team provides a comprehensive set of security services to the gaming sector. He has supported many clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports.
Originally appeared in Global Gaming Business Magazine.
When I wrote my first article for Global Gaming Business magazine back in January 2012, just one state, Nevada, had regulated online poker.
Much has changed since then. Now, iGaming has expanded to multiple states such as New Jersey and Pennsylvania, including online casino games.
Land-based gaming has also seen great growth. Sports betting (online and land-based) has grown rapidly, leading to greater acceptance in states where gaming once was frowned upon. In addition, niche products such as daily fantasy sports, esports, and skill-based gaming have captured market share.
My role in supporting the gaming industry has changed, too. In 2012 when I penned my initial thoughts on gaming security, I was establishing SeNet as an information technology security leader in the gaming sector. While it took time to get the ball rolling, I eventually worked with the biggest names in the business, both online and land-based, from MGM and Caesars to GVC and Scientific Games. The company also expanded in the lottery sector and played a major role in the forensic investigation and successful prosecution of lottery executive Eddie Tipton in association with the Hot Lotto RNG fraud.
In 2011, I gave my first talk at Defcon on security weaknesses in iGaming sites, and gradually established a vibrant gaming practice at SeNet, building on the valuable work that SeNet already provided in other sectors. Recently, SeNet was acquired by Gaming Laboratories International, partially on the strength of its service to the gaming sector.
However, the more things change, the more they remain the same.
In 2012, I said of Nevada’s iGaming regulations, “Despite these items, the current emphasis seems to be on regulation related to the financial and management aspects of online poker. This is understandable, as there is no need to bypass a firewall or perform a sophisticated structured query language injection attack if the owners of these companies can simply steal players’ money by transferring it into their bank accounts. As we move toward regulated online gaming in the United States, computer security controls need to be enforced in addition to financial controls.”
The Weak Link
This call for greater security requirements has only been partially met. There are some good examples of regulators incorporating security requirements and independent testing and validation into their requirements. New Jersey rises to the top of our list, as we have supported operators in that state for several years. Where IT security testing was only required for iGaming, testing requirements have expanded to include brick-and-mortar, too. In addition to New Jersey, other states have some form of required testing (Louisiana, Michigan, Maryland), but in many jurisdictions, it’s left to the operator or casino to perform this important activity.
February 2014 served as a wake-up call to the casino industry. That’s when Las Vegas Sands Corp. suffered a major cyber breach that impacted the company both operationally and financially. If one of the largest gaming organizations in the world could be hacked, everybody was vulnerable. For every Las Vegas Sands, there are many more that escape media attention. My firm has responded to a number of gaming organizations that have had ransomware or other types of attacks. And there’s no sign of this slowing down.
Over the past eight years, we’ve performed hundreds of security assessments on gaming operators across the country and in cyberspace. Several common weaknesses and mistakes are typically noted. None of these are unique to gaming organizations, but they pose a risk, as the integrity of gaming operations is paramount.
There are four elements that will guarantee the integrity of your gaming operation:
1. Vulnerability Management/Risk Management: Vulnerability management is the process of discovering and developing a plan on how to mitigate vulnerabilities in your network and systems. Of course, you’ll never have 100 percent security, and that’s where the process of risk management comes into play. Typically, vulnerabilities are enumerated by a third party performing a security evaluation or the organization itself performing vulnerability scans.
Some organizations don’t even perform this important task. If you don’t know where your vulnerabilities are, how can they be managed? I once had a potential customer tell me he would rather not have a security test performed because that way, he could claim he didn’t know if the company was vulnerable or not. I’m sure you can see the flaw in that approach.
I advise companies that not all vulnerabilities are equal. That SQL injection flaw in your iGaming application has a much larger impact than a default password on a backend internal system. It’s all about making informed business decisions based on your risk appetite on what to mitigate and when. Unfortunately, this is an item many are failing at.
2. Patch Management: Patch management is something you probably think should be easy to perform. Just set your systems to auto-update and forget about it, right? Unfortunately, it’s not that easy. Both operating-system and third-party patches have to be tested to make sure they don’t break anything. Gaming manufacturers often don’t make this easy. Their products and applications are often tied to a specific version, and they don’t want the casinos to upgrade as often as they should, for fear of breaking something.
Casinos also bear some of the burdens as they don’t patch as often as they should (i.e., quarterly versus monthly) even when they can, and sometimes perform this function manually rather than using an automated patch solution, which leads to more delays.
As much as organizations would like to not have to worry about patching, it’s a necessity, and this task can eliminate a number of vulnerabilities. It becomes even more important when you realize that the No. 1 method organizations get breached is via client-side attacks (i.e., phishing, and outdated third-party patches such as Java and Adobe are often to blame).
3. Cyber-Hygiene: Cyber-hygiene is another area where many gaming organizations are lacking. What is cyber-hygiene? Same as hygiene is for us—making sure we are clean and healthy. Often, networks and systems get implemented with default parameters configured, unnecessary services enabled, and weak security baselines. Many of these issues are low-hanging fruit that alone may have a low severity. But when chained with other misconfigurations, they could lead to a breach.
Like patch management, casinos’ partners are often part of the problem. We performed an assessment on a casino where we were able to get access to the slot controller in the gaming machines from the corporate network. When discussing with the IT staff, we learned this is the way the vendor installed it. Rather than taking the time and effort to further restrict access, the easy approach was used to make sure everything was working correctly. Recently, we were performing a security test and the operator had upgraded the slot accounting system. The new version had a JBoss component, where the console was not password-protected. This could lead to an attacker from the corporate network gaining unauthorized access to the gaming segment. These examples highlight the need for proper cyber-hygiene.
4. Secure Software Development: Secure coding is extremely important for gaming systems, both on-property and in iGaming. If applications are not developed securely, it puts the players and operators at risk. The gaming regulators require games to be tested either in their own labs or by a third party, such as our parent company GLI. However, the majority of this testing is focused on the math and verifying that payouts are correct.
How do we know that the software development life cycle (SDLC) of these major gaming manufacturers is building security in? As the pressure mounts to create new games on multiple platforms, including mobile, and to go live sooner, a solid SecDevOps program is needed. SecDevOps is a set of best practices designed to help organizations implant security deep in the heart of their DevOps development and deployment processes. A gap in security at the SDLC level could lead to a severe breakdown in the integrity of gaming applications. We don’t need to look any further than the Ultimate Bet/Absolute Poker scandal from the early days of online poker. An event like that in today’s regulated environment would be devastating.
Security Is Paramount
So, where do we go from here? Gaming is a very competitive sector; the margins are not great. Many operators and manufacturers are not going to perform the level of testing that’s needed unless required by regulations.
Don’t get me wrong; there are several that are doing this work even when not required. They perform it because security has become a core objective and upper management has bought into the need. These are the types of companies we like to work with.
I believe what’s needed is for all regulations to require security testing on an annual basis and have the requirements flexible enough so that they can be adapted based on changing technologies and needs. Operators who go above and beyond should get rewarded, and players should know who is approaching security seriously. However, these requirements must be balanced with cost and level of effort. If they’re too difficult or expensive, operators may look for shortcuts and not perform a comprehensive assessment.
Lastly, all operators should remember that while they may start their security journey because of regulatory requirements, compliance does not equal security. But if you are secure, compliance will follow.