Betting Fun leave nothing to chance with security testing from GSS
GSS Monthly Newsletter April 2008

The Internet has come of age: it is now widely available, and many people access it from the comfort of their own homes. That growth in recreational use has brought with it the introduction of e-gaming services. Player privacy and the security of confidential personal details are priorities that regulatory bodies require all online gambling operators to meet, as do independent standards and player-protection organisations such as eCOGRA. Betting Fun Isle of Man (BFIOM) Limited is an online gaming provider operating in this heavily regulated sector.
As Internet-based business becomes more commonplace, the consulting arm of Global Secure Systems (GSS) is seeing rapid growth in the number of e-commerce operations, many of them custom-coded. Programming an application is easy; making it secure is difficult. Understanding the vulnerabilities that attackers exploit in servers and applications helps keep the network from being victimised.
The Challenge
For Betting Fun, Isle of Man, as with any e-business where customers deposit funds over the Internet and carry out frequent transactions, the relationship between supplier and customer rests on a high level of trust. Put simply, customer details and transactional data must be secure. Coupled with this is the simple but fundamental principle that the functionality of all of its systems is protected from unauthorised access or manipulation.
If it were to fail in any of these areas, the consequences would likely be 'fatal' for the business and would cause significant jurisdictional and reputational damage to the Isle of Man.
First, before being granted its gaming licence by the Isle of Man Government, BFIOM needed to demonstrate that all of its systems were secure, in preparation for the launch of its first e-gaming site, www.betluck.co.uk.
It was essential for BFIOM that, as part of its due diligence before commencing trading and on an ongoing basis thereafter, it engaged specialist professionals to carry out independent, rigorous testing of all aspects of its systems and infrastructure and so gain complete assurance.
The GSS Approach
Bill Mummery, formerly eGaming Ambassador for the Isle of Man Government and now Director of BFIOM, explains that, “Although we operate in a field that is based on chance, when you're dealing with your clients' most personal and sensitive information it would be illogical to hedge your bets that your systems can't be violated. We chose Peapod Consulting, which is now operating under the GSS brand, based upon its proven track record, thorough and professional approach to our needs, and the quality of reporting it provided on completion of its work.”
Robin Hollington, Director of Consulting for GSS, picks up the story: “We were initially contracted by BFIOM to conduct some network penetration and web application level security testing on its new e-Gaming offering in preparation for it to receive its gaming licence. The site we evaluated was totally in Japanese, which presented some interesting challenges during testing, although, as our system is flexible, we were able to overcome the language barrier.”
GSS's testing provides independent assurance of whether an application is strong enough to go live, and recommends the fixes required to make it robust for a live, production environment.
Its approach employs manual inspection and analysis, appropriate commercial and in-house application testing utilities and scripts, and on-the-fly development of bespoke scripts. Once flaws are identified, it explores and verifies the impact of each issue, exploiting relevant vulnerabilities that could provide deeper access into the application. In the case of BFIOM, as with all such undertakings, GSS's approach was to:
- Review the systems for known security flaws
- Confirm the infrastructure was implemented to allow secure (hardened) operation
- Examine the application functionality to ensure the protection of sensitive information and of all administrative functions
- Ensure only essential functions were included on web-facing servers
- Inspect network traffic for plaintext transmission of passwords and other sensitive codes
- Subject the application to a battery of benign and malicious test input data to expose reactions to unexpected content or volumes of data - this assesses whether or not the application is likely to "fail open", and is resilient to garbage-in.
- Application-level checks included SQL injection, cross-site scripting, encryption, URL and parameter tampering, hidden field manipulation, session crossing, log-out and lock-out checks, and many more.
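Two items in that list, the benign/malicious input battery and the parameter and hidden field tampering checks, are easier to see than to describe. The following is an added example written for this article; it is not code from the original page, from GSS or from BFIOM. It models a toy wager handler in a deliberately weak form and a hardened form, then runs the kind of input battery described above against both and reports where a handler trusts browser-supplied fields or "fails open" on garbage. The market ids, odds, balances, field limits and test inputs are all constructed for illustration and are assumptions, not data from the site that was tested.

```python
"""
Added example (not from the original page, GSS or BFIOM): a toy wager handler in a
vulnerable and a hardened version, plus a benign/malicious input battery that checks
for trusted client fields and fail-open error handling. All data here is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side state (assumption): odds belong to the server, never the browser.
MARKET_ODDS = {"m1": Decimal("2.50"), "m2": Decimal("1.80")}
MAX_STAKE = Decimal("1000")
MAX_FIELD_LEN = 12  # assumption: no legitimate stake needs more characters than this


@dataclass
class Account:
    balance: Decimal


def place_bet_vulnerable(account, form):
    """Deliberately weak: trusts the hidden 'odds' field and the raw 'stake', and the
    catch-all below turns any parsing error into an accepted bet (fails open)."""
    try:
        stake = Decimal(form.get("stake", "0"))
        odds = Decimal(form.get("odds", "1"))      # hidden form field, attacker-controlled
        if stake > account.balance:
            return "rejected", "insufficient funds"
        account.balance -= stake                    # a negative stake *credits* the account
        return "accepted", stake * odds             # tampered odds set the payout
    except Exception:
        return "accepted", Decimal("0")             # fail open: garbage input is booked anyway


def place_bet_hardened(account, form):
    """Server-side odds, strict stake validation, bounded field length, fail closed."""
    try:
        market = form.get("market")
        raw = form.get("stake", "")
        if market not in MARKET_ODDS:
            return "rejected", "unknown market"
        # Accept only an unsigned decimal of bounded length; everything else is malformed.
        if len(raw) > MAX_FIELD_LEN or not raw.replace(".", "", 1).isdigit():
            return "rejected", "malformed stake"
        stake = Decimal(raw)
        if stake <= 0 or stake > MAX_STAKE or stake > account.balance:
            return "rejected", "stake out of range"
        account.balance -= stake
        return "accepted", (stake * MARKET_ODDS[market]).quantize(Decimal("0.01"))
    except Exception:
        return "rejected", "internal error"         # fail closed: unexpected input never books a bet


# Constructed battery: name, submitted form, expected (status, balance after, payout).
# The payout is only checked for cases that should be accepted. Every account starts at 100.
BATTERY = [
    ("benign",          {"market": "m1", "stake": "10",   "odds": "2.50"}, ("accepted", "90",  "25.00")),
    ("negative stake",  {"market": "m1", "stake": "-100", "odds": "2.50"}, ("rejected", "100", None)),
    ("tampered odds",   {"market": "m1", "stake": "10",   "odds": "9999"}, ("accepted", "90",  "25.00")),
    ("garbage stake",   {"market": "m1", "stake": "ten'; DROP TABLE bets;--", "odds": "2.50"},
                                                                            ("rejected", "100", None)),
    ("oversized stake", {"market": "m1", "stake": "9" * 500, "odds": "2.50"}, ("rejected", "100", None)),
    ("unknown market",  {"market": "m9", "stake": "10",   "odds": "2.50"}, ("rejected", "100", None)),
]


def run_battery(handler):
    """Run every case against a fresh account; return name -> (status, balance, detail)."""
    results = {}
    for name, form, _ in BATTERY:
        acct = Account(balance=Decimal("100"))
        status, detail = handler(acct, form)
        results[name] = (status, str(acct.balance), str(detail))
    return results


def deviations(handler):
    """Names of cases whose outcome differs from the expected one. An empty list means the
    handler neither trusted client-supplied fields nor failed open on this battery."""
    results = run_battery(handler)
    bad = []
    for name, _, (exp_status, exp_balance, exp_payout) in BATTERY:
        status, balance, detail = results[name]
        if status != exp_status or balance != exp_balance:
            bad.append(name)
        elif exp_payout is not None and detail != exp_payout:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for handler in (place_bet_vulnerable, place_bet_hardened):
        print(handler.__name__, "deviations:", deviations(handler))
```

Note that the oversized-stake case is rejected by both handlers, but for different reasons: the weak handler only rejects it because the number happens to exceed the balance, which is why a battery should check the reason and the resulting state, not just the accept/reject verdict.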
Following the initial set of tests a substantial report was produced. Before its distribution, GSS gave the client's technical team a short, informal technical summary of the primary issues identified so that they could start fixing them while the formal report was being written. Where vulnerabilities were discovered, remedial actions were suggested. Although the risk ratings were low, some of the configuration issues GSS identified at BFIOM could have had considerably greater impact if chained with other vulnerabilities.
The Outcome
Working together, GSS and BFIOM addressed these issues until a positive test result was achieved. The IoM government granted BFIOM its gaming licence in March 2007, and www.betluck.co.uk commenced trading in August 2007.
In addition to the initial services, the plans for 2008 include further and regular security testing, giving BFIOM a web-based report in which one month can be compared directly against previous months (up to 12 in total). This pinpoints any new vulnerabilities introduced since the system was last assessed and shows what was and was not fixed since the last test. For those with access, it is easy to monitor and to see clearly what needs doing, rather than ploughing through wads of paper, which is itself a problem as well as time-consuming and therefore expensive.
Bill concludes, “Using the skills of consultants within GSS, we are able to determine that illegitimate access to our systems is not possible. This provides the company with a high level of comfort that our business is secure and our players are protected. It also demonstrates to the regulator that we are behaving responsibly. GSS has fully met, and indeed exceeded, our requirements and we would regard it as an important strategic partner to our business.”
This story was originally featured in the GSS Monthly Newsletter April 2008