iGaming information security management

In one form or another, security measures have always been an integral part of gambling operations, whether simply to protect deposits and winning disbursements or to maintain the integrity of the gambling process. Securing a land-based casino can be accomplished by controlling physical access to different parts of the casino and by restricting outside connections to the casino IT infrastructure. By design, this isn’t possible in the case of Internet-based gambling (iGaming) systems, where constant exposure to the Internet through a public interface is needed to operate the business. The physical controls which operate to restrict access to the casino and manage patron activities must be replaced by logical controls and gateways. The face-to-face interactions used by casinos to verify patron information must be replaced by robust systems which provide the same level of assurance – but do so remotely. What hasn’t changed from moving gambling to the Internet is that security is an integral part of business operations, and even though iGaming is built on the latest information technologies, security cannot just be a function of the IT department, but must be a commitment from the entire business.

THE FIRST STEP – UNDERSTANDING YOUR SECURITY RISKS

Rather than adopting a piecemeal approach to the security of the information systems they control, Internet gaming operators should take the first step in establishing an information security management process – performing a risk assessment on your operations. This can be undertaken internally or by using outside consultants to provide an assessment of your information security risks. Establishing a clear picture of the risks associated with your business should be part and parcel of the governance process.

Once the risks are understood, designing and setting up an information security framework is a well-established process: assess the vulnerabilities and threats to your information infrastructure, establish security objectives in line with an assessment of the risks posed by those threats and vulnerabilities, and implement the appropriate countermeasures to manage the risks.

The security objectives are commonly met by the implementation of known information security controls. The preferred approach uses layered security, which provides redundancy and reinforces the overall security model, as several layers of security must be breached before critical data stores can be accessed.

While no system can be absolutely secure against a determined, skilled and resourceful adversary, the implementation of these controls as part of an overall information security management system provides the most cost-effective defence against security breaches. However, these controls do not address the question of whether the implemented solutions actually work as intended. In order to provide validation that an information security system is working as intended, it must be fully audited and routinely monitored and tested thereafter.

INFORMATION SECURITY MANAGEMENT IN iGAMING

Gaming is a highly-regulated industry with regulators in each gaming jurisdiction establishing technical standards for the offering of fair, secure and auditable gaming operations within their jurisdiction. Early in the development of regulatory regimes for online gambling jurisdictions, it was realized that information security would be a significant factor that would need to be considered, and as a result, many iGaming technical standards have included security elements. These requirements extend to both the technical requirements of the gaming systems themselves and the internal controls needed to manage the gambling operations offered through the online gambling systems.

As the iGaming industry has matured, so have the security requirements of iGaming jurisdictions. The latest iterations of gambling technical standards and licensing requirements from many highly regulated jurisdictions have settled on ISO/IEC 27001:2013 as the general security standard and ISO/IEC 27002:2013 as implementation guidance for information security management. These are global standards and guidelines that provide a flexible baseline for information security management, one that can be applied to iGaming operations regardless of the variability among the individual operators in this industry.

While these standards may be viewed as just another hoop to jump through, they should be seen, in fact, as an integral part of an evolving information security management strategy designed to ensure the security of the information held by the business. They are not prescriptive in the sense of defining at a detailed level what needs to be implemented, and a real understanding of the use of these ISO/IEC standards shows a way forward to integrate information security management within the overall business processes of the organization.

Some of the benefits of implementing the ISO 27001 standard are as follows:


  • Brings your organization into compliance with legal, regulatory and statutory requirements.
  • Provides a defined process for information security and corporate governance.
  • Offers worldwide recognition: ISO 27001 certification can be a market differentiator.
  • Increases overall organizational efficiency and operational performance.
  • Minimizes internal and external risks to business continuity.
  • Provides your organization with continuous protection that allows for a flexible, effective and defensible approach to security and privacy.


While it exists as a standard, ISO 27001 should be seen as part of the process of continually evolving improvement and adaptation to the needs of the iGaming business. The plan-do-check-act (PDCA) cycle of continuous refreshment and reinforcement associated with compliance enables a business to adapt their processes while still remaining compliant with the standard.

In addition, many of the security standards adopted by iGaming jurisdictions were based on the controls described in ISO 27001, as is the case for the UK, even if they were not as explicitly identified. The key lesson in the adoption of a standard such as ISO/IEC 27001 is that this adherence to the standard reinforces for a business that information security is an integral part of business operations and requires the involvement of management at every level up to the C-suite.

INFORMATION SECURITY FRAMEWORK OVERVIEW

Adherence to an information security management system standard, such as ISO/IEC 27001, does not by itself make your information system secure. Beyond the controls and business processes that must be adopted as an inherent part of seeking compliance with such a standard, there must be an additional focus on the particular technical aspects of security that can affect the iGaming business.

A commonly accepted information security framework uses the Confidentiality, Integrity and Availability triad, or CIA triad, as a model designed to guide policies for information security within an organization. The elements of the triad are considered the three most crucial components of information security and can be related back to operational requirements of the business.

How do these CIA triad components relate to iGaming security? This is summarized in the following sections, where we discuss how aspects of each of these areas can be related back to the security of online gambling operations.

Confidentiality

Keeping sensitive information secure

For most people, the first thing that comes to mind when considering information security is the stories of security breaches which result in the loss of large amounts of personal information or expose people to possible identity theft or credit card fraud. These include the highly publicized breaches of the Sony network and Las Vegas Sands Corporation.

Aside from the difficulties of being a part of cyberspace, Internet gaming systems have other risks associated with the nature of their business. The first is that Internet gambling sites collect a lot of personal information from their players. They don’t do this in order to amass information, but in order to be able to identify their players in a scenario where the player isn’t across the desk from them, but may be located in a different country altogether. Unfortunately, the information that Internet gaming sites collect on their players to verify identity remotely is precisely the information needed for identity theft. There really isn’t much difference between establishing your identity through the Internet for gambling purposes and establishing your identity as part of a scam.

Protecting all of this personal information is a prime consideration for Internet gambling sites because a release of personal information on a large scale could result in catastrophic losses for the business as well as legal issues if the Internet gambling site operates in a regime where breaches of personal information must be dealt with in a prescribed manner by law.

Web application vulnerabilities, which leave operators open to attacks, are well known – see, for example, the top 10 vulnerabilities list from the Open Web Application Security Project (OWASP). OWASP has also published guides to secure coding practices designed to protect web applications from the common attacks which exploit vulnerabilities resulting from insecure coding practices.

If approaches are already available and known to ensure the security of the web application interface from attack, then are there any other sources of vulnerabilities which should be considered in an iGaming context? There are two areas where the activities of online gambling operations may be exposed to confidentiality risks which are not directly related to the vulnerability of the web application software itself: gaps in security resulting from differences in the security posture of integrated architectures and gaps in security resulting from the access to the gaming platform granted to third-party service providers.

Integrating Other Architectures

When a company that has a culture of stringent information security practices acquires another company with a different corporate culture and a different security philosophy, how far should they go to integrate the newly acquired products into their existing platform architecture? The best solution may be to leave the acquired product as an independent entity, but this is not always why the purchase was made. Then what are the security risks associated with the acquired product that will put your systems at risk?

Industry consolidation through mergers and acquisition continues to increase. Securing each acquired asset or business unit on its own is no longer sufficient; an overall security strategy encompassing all business units must be in place to ensure there are no unintended gaps in security.

One early consideration may be a data transfer between the information systems of the acquired company and those of the acquiring entity. In this case, not only must the data transfer be conducted in a secure manner to ensure the confidentiality of the data, but the integrity of the data must be maintained and a careful plan established to validate the data after transfer.

In addition, if the infrastructure of the acquired company is being integrated into that of the acquiring entity, a complete risk assessment of the infrastructure should be performed to determine whether the security postures of the two infrastructures are compatible and to define which configuration changes or upgrades may be necessary to ensure the final system has a seamless security profile with no gaps.

A complete iGaming solution often relies on several independent parties integrating with your site. Security responsibilities must be clearly defined for all external parties who are agreeing to access the same systems.

The integration of third-party systems with iGaming platforms is an inevitable part of the architecture of these systems, since various functions needed for the full operation of the iGaming system – identity verification, geolocation and payment processing – are often provided by third parties, in addition to scenarios where game content may be provided by remote gaming servers. However, in order to minimize potential risks, the access of third parties to your systems must be clearly defined in any agreement with the third party, and the technical controls defining the communication protocols between the platforms must be carefully implemented. Testing of the Application Programming Interface (API) security is advisable in most cases.

Integrity

Preventing interference in gaming processes

Maintaining integrity in the gaming process is a primary regulatory concern, and this is reflected in the focus of security regulations on controlling access to critical components of the iGaming system, such as the random number generator (RNG), the databases that store player information and gambling information, and the communication systems that link these different components of the iGaming platform together.

While the technical architecture of the iGaming platform is used to restrict access to critical components and the implementation of secure coding practices and communication protocols will provide the underlying basis for maintaining integrity in the iGaming system, internal controls and procedures also play an important role.

Security threats can come from outside and within your business. A robust system of internal controls and security procedures simultaneously protects you, the business and your employees.

Unfortunately, history has shown that threats to the integrity of gaming operations can come from internal sources as much as external sources. Maintaining integrity requires establishing a good system of internal controls which can:

  • Provide management oversight
  • Ensure accurate reporting
  • Mitigate business risks
  • Segregate work duties

Ensuring these controls are aligned with information security management requirements of a standard, such as ISO 27001, will improve the security posture of the organization.

Availability

Ensuring access to gaming systems

If the iGaming site is not available to players, then it cannot generate revenue. Improvements in the reliability of computer and network hardware and the use of virtualized redundant server clusters have increased the availability of complex computer systems enormously. However, systems still remain vulnerable to environmental threats and to operational threats. Operational threats result from human error in the operational processes surrounding the system infrastructure, while environmental threats result from deliberate or uncontrollable events external to the online gambling system, in particular natural or man-made disasters and deliberate attacks against the online gaming system.

Disaster Recovery Planning

It can be costly to the iGaming operator in terms of lost revenue and reputation if there is an outage, whether temporary or long term, at the data centre that is hosting an online gaming system. As part of the architectural design of the iGaming system, a secondary or backup site should be put in place to provide service in the event of a disaster that prevents access to the primary data centre.

It is no secret that the world is experiencing an increase in the number of serious environmental catastrophes and geopolitical incidents. Disaster recovery planning must be an integral part of your operations.

In an online gambling context, however, there is more to disaster recovery planning than simply having a second site available:

  1. There must be complete mirroring between the two sites to prevent the loss of gambling data in the event of a disaster. While synchronized data transfer may be too costly to implement, a process offering almost real-time data updates with as small a recovery point objective as possible is needed.
  2. The disaster recovery plan must be tested and exercised on a regular basis to ensure that the infrastructure is capable of supporting the disaster recovery process and that the technical staff at the online gambling operator is comfortable with executing the disaster recovery procedures.
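The recovery point objective in step 1 only means something if it is measured continuously rather than assumed. The following check, added here as an illustration and not code from the original article, computes how much wagering data would be lost if the primary site failed right now, given the primary's commit log and the highest sequence number the secondary has durably applied. The transaction format, the sequence-number feed and the sample data are all assumptions.

```python
"""Replication-lag / RPO exposure check for a mirrored iGaming transaction log.

Added illustration, not code from the original article. Assumes a primary site
that appends transactions (sequence number + UTC commit time) and a secondary
site that reports the last sequence number it has durably applied. The sample
data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class Txn:
    seq: int                 # monotonically increasing commit sequence number
    committed_at: datetime   # UTC commit time at the primary site
    amount: float            # wager or deposit amount, base currency


@dataclass(frozen=True)
class RpoReport:
    unreplicated_txns: int      # records that exist only at the primary
    unreplicated_amount: float  # money those records represent
    exposure_seconds: float     # age of the oldest unreplicated record
    within_target: bool         # True when exposure <= RPO target


def rpo_exposure(primary_log: List[Txn], secondary_applied_seq: int,
                 rpo_target: timedelta, now: datetime) -> RpoReport:
    """What would be lost if the primary data centre failed at `now`.

    `secondary_applied_seq` is the highest sequence number the backup site
    has durably applied; everything above it exists only at the primary.
    """
    seqs = [t.seq for t in primary_log]
    if seqs != sorted(seqs) or len(set(seqs)) != len(seqs):
        raise ValueError("primary log must have strictly increasing seq")
    if primary_log and secondary_applied_seq > primary_log[-1].seq:
        # A mirror cannot be ahead of its source: treat the feed as broken.
        raise ValueError("secondary reports a seq the primary never committed")
    pending = [t for t in primary_log if t.seq > secondary_applied_seq]
    if not pending:
        return RpoReport(0, 0.0, 0.0, True)
    # On failover, everything since the oldest unreplicated commit is lost.
    exposure = (now - pending[0].committed_at).total_seconds()
    return RpoReport(
        unreplicated_txns=len(pending),
        unreplicated_amount=round(sum(t.amount for t in pending), 2),
        exposure_seconds=exposure,
        within_target=exposure <= rpo_target.total_seconds(),
    )


def sample_log() -> List[Txn]:
    """Constructed sample: six wagers committed 15 s apart at the primary."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return [Txn(seq=i + 1, committed_at=t0 + timedelta(seconds=15 * i), amount=a)
            for i, a in enumerate([20.0, 5.5, 100.0, 12.25, 40.0, 7.0])]


def sample_report(secondary_applied_seq: int, rpo_target_seconds: int) -> RpoReport:
    """Run the check on the constructed log, 5 s after its last commit."""
    log = sample_log()
    now = log[-1].committed_at + timedelta(seconds=5)
    return rpo_exposure(log, secondary_applied_seq,
                        timedelta(seconds=rpo_target_seconds), now)


if __name__ == "__main__":
    # Secondary has applied seq 4, so seq 5 and 6 (committed 20 s and 5 s ago) are at risk.
    print(sample_report(4, 30))
```

In production the same computation would run against the live replication position and alert when `within_target` turns false, which is exactly the condition under which a failover would lose settled wagers.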

Distributed Denial of Service (DDoS) Attacks

Online gambling activities, such as sports betting, peer-to-peer games and live dealer games, occur in real time and are sensitive to service disruptions or transaction delays. A leading infrastructure provider reported that online gaming has remained the most targeted industry since Q2 2014, consistently being targeted in about 35% of DDoS attacks. In some cases, the DDoS attacks have been accompanied by extortion threats where the attacker has demanded a ransom in untraceable funds (such as bitcoin) to stop the attacks. While these attacks have been investigated by law enforcement authorities, gathering sufficient evidence to prosecute the attacking parties has proven difficult.

For the iGaming operator, a DDoS attack resulting in a service outage or disruption can lead to players abandoning play at a site or placing bets on other sites. Where ransom is the objective, DDoS attacks have been timed to coincide with large sporting events, increasing the potential losses to the targeted operator.

The easy availability of cloud-based resources has enabled an increase in DDoS attacks with online gaming companies becoming a favourite target. DDoS mitigation must be part of your core security strategy.

How can an iGaming operator protect themselves against a DDoS attack? There are three possible strategies:

  1. An in-house solution using specialized hardware or software to filter and discard unwanted traffic. This approach suffers from two problems: few businesses will have the bandwidth to absorb the traffic volumes in the first place, and developing filtering software is both costly and uncertain, depending on the security experience of the development team.
  2. Relying on a solution from an ISP. While ISPs may have more bandwidth available to them and may be able to spread the capital cost of filtering software across a number of customers, depending on their size they may not have the expertise to manage such an attack.
  3. Contracting a dedicated DDoS mitigation service. This approach involves using a cloud provider against the cloud-based attacker. These dedicated services have massive bandwidth and dedicated filtering software able to redirect unwanted traffic away from the target site. The best strategy will depend on the risk assessment of the gaming operations and the business case for the level of protection necessary.

SECURITY ASSESSMENTS AND AUDITS

The only way to ensure the correct functioning of an information security framework is to test it. Depending on the business requirements of the organization, testing can take a number of forms, ranging from an assessment of the effectiveness of a particular element of the information security framework to a complete compliance audit of the information security system in order to achieve certification.

An Information System Security Assessment is an evaluation of how well elements of the information security framework have been implemented in order to reveal areas of weakness or identify vulnerabilities and their impacts. Assessments are usually determined by specific business needs (e.g. a wireless security assessment may be requested to provide an independent assurance that a newly implemented wireless network has been configured properly and operates safely; a vulnerability assessment may be requested to verify that all of the servers on a particular network have been hardened according to their respective roles; penetration testing may be requested to provide assurance that web-facing applications are not vulnerable to attack from the Internet; etc.).

An assessment can also be performed on a similar set of controls to a published standard and the findings reported, but these findings would not confer a status of compliance or non-compliance.

An Information System Security Audit is an evaluation of how the information system security of an organization is implemented against a particular standard. The goal of an audit is to provide a determination of compliance. Compliance to a third-party standard may result in certification or accreditation to that standard. During an audit, any areas of non-compliance with the standard are brought to the attention of the audited organization in the form of non-conformance reports which must be addressed before a system can be deemed compliant.

An audit is the only way to formally establish that the requirements of a policy are being followed in practice. Audits may be performed internally or externally:

Internal Audit

An internal audit is conducted by designated staff members to determine if the organization is following the requirements laid down in its own corporate information security framework. Aside from making good business sense, the existence of an internal audit process is often a requirement for certification to a third-party information security standard.

External Audit

An external audit is conducted by a qualified, independent third party to determine if the organization’s information security framework is compliant with a specific standard. Depending on the standard chosen and the auditing body, an external audit can lead to certification to a third-party information security standard.

An audit can be performed to only part or to the complete requirements of a published standard.

ASSESSMENTS VS AUDITS

An Information System Security Audit is an evaluation of how the information security of an organization is implemented against a particular standard. This may be an evaluation against the organization’s internal security policy and/or against an external security standard (e.g. ISO 27001:2005). The goal of an audit is to provide a determination of compliance.

An Information System Security Assessment is an evaluation of how well elements of the information security framework have been implemented in order to reveal areas of weakness or identify vulnerabilities and their impacts. The goal of an assessment is to provide a report on the assessment findings and make recommendations for improvement.

The difference between an “audit” and an “assessment” is that auditing is a measure of something against a specific standard, while an assessment measures how good or bad something is based on the expertise of the assessor and criteria agreed upon prior to the commencement of the engagement.

In both Security Audits and Security Assessments, the analysis can be performed against the technologies, people, and process applicable to information security within the organization. An assessment may take place before an audit in order to identify areas of improvement prior to an audit, or after an audit to investigate its effectiveness.
