GPWA Times - Issue 20 - March 2012

By Hai Ng

From governments and regimes trying to lock down Internet channels to curtail riots and protests to high-profile security breaches and the birth of “Hack-tivism,” 2011 turned out to be an exciting year for the Internet and security. The eGaming sector has always seen more than its share of security threats due to the lure of a big payday. While many in the industry will think of DDoS (Distributed Denial of Service) attacks, database breaches and transactional intercepts when they think of security threats, individuals and groups working to game the games, outmaneuver the marketing incentives and exploit customer-service angles can be just as damaging to the bottom line. The rise in the use of cyber attacks as a method of social and political change will also start to affect the security playing field in the eGaming sector as the motivations for attacks will broaden away from money to potentially more philosophical ideals – two words that should send chills down any security officer’s spine.

With this threat not likely to go out of fashion, the eGaming sector, and honestly, any organization doing business on the Internet, should take a very serious look at security as an integral part of their activities. Often, security fails because, oddly, it’s little more than an afterthought rather than being integrated into the business and technical design of an online enterprise. Security is often seen as a liability, a necessary evil and an insurance policy you need to pay for but hope you never have to use – and this is the wrong approach to security. Security is a business advantage and good security is a marketable, competitive advantage. Good security makes customers comfortable with your offerings and, more importantly, with leaving their money with you. But we all realize that “infallible” is a famous last word, so how do we take security outside the realm of liability?
The first step is to integrate security into the business processes and customer service. Any security officer worth his or her pay grade must realize that how a failure is handled, operationally and publicly, is just as important as preventing a failure. The first gut reaction to a breach is to hide it while trying to fix it. This is often driven by a poor corporate attitude that equates security failure with job security – not good when it comes to operational security. Good security must be able to evolve, and this will require the correct corporate attitude to drive that development in addition to the appropriate technology. You cannot evolve if you believe you have a perfect system, so admitting that there may be a problem is the first step. Security team performance should not only be pegged to the team’s ability to maintain a flawless record but also to how quickly team members can detect a potential weakness and remove or deflect it, all while minimizing damage.

Security also needs to be continually tested, and one of the best ways to do this is to form a competitive environment between the security team and a “white hat” infiltration team. One important thing to remember is that testing security on a staging server isn’t always the same thing as testing on a live server. At the end of the day, you are not trying to protect your staging server, so don’t be afraid to test on live servers; when a real criminal attacks your live, unprotected server, the outcome will be a lot worse than anything you can do in a test.

So if you haven’t given much thought to security, it should really start keeping you up at night, not because of the money you stand to lose but the money you stand to make when you run a site where customers feel their funds and financial information will always be safe.

Continent 8 CIO Hai Ng speaks at various conferences on Social Media and Online Security Matters.
Good security is a competitive advantage
