Yesterday, I attended Forrester’s security forum in Boston. In one of the morning sessions, “Exploiting Online Games,” Gary McGraw, chief technology officer at Cigital (and co-author of a book by the same title), discussed how online gamers are contributing to a multi-billion-dollar industry.
Online games draw up to 900,000 simultaneous users at any given time, McGraw said. The ubiquitous World of Warcraft has 10 million subscribers. If 10 million users pay the $14 subscription fee each month for a year to play the game, you’re talking about $1.68 billion. Wow. I am definitely in the wrong industry.
(Side note: I don’t know much about World of Warcraft, outside an excellent, Emmy-winning “South Park” episode…no, really, you think I’m kidding but I’m not. Probably NSFW, but here are some clips if you want to check it out later on.)
So why was McGraw presenting at a security conference? Because, in online gaming, security problems are built right into a successful business model. Game makers want millions of people to be accessing and interacting within their site. But what if they’re handing that piece of Internet real estate over to unsavory folks who might cause damage with it? And how do organizations in a Web 2.0 world deal with similar challenges?
To bring his point home, McGraw talked about Dan Farmer, whose controversial Security Administrator Tool for Analyzing Networks (SATAN) program would, essentially, allow companies to hack their own systems to determine their vulnerabilities. But, upon its release in 1995, Farmer’s employer fired him, fearing that it would increase malicious hacks.
The irony, McGraw says, is that nowadays, an IT exec charged with minding security could possibly be fired for not attempting to “think like a hacker” and protect his system accordingly. While his presentation got into the legal and financial ramifications of gaming, I think that the most important message for network security administrators was “think like an attacker,” and do the proper code review and architectural risk analysis on the front end to prevent problems later on.
Has your company adopted a “think like a hacker” approach to IT security? Any success stories you would like to share? Or just general love for “World of Warcraft” so that I can better understand the online sensation?