Last night, I gave a presentation at the Dallas chapter of the National Information Security Group on “After Action Reviews in Incident Response”. While I’ve already given a version of this presentation quite a few times over the years, a few things made this different. First, I usually give it internally when explaining the process I intend to implement and why. Also, I used a new tool called Prezi. I’ve made the presentation deck available online, though of course it doesn’t include the actual presentation (audio, video, etc.).
Oh, and I used the recent forum security debacle for EVE Online as a case study (hence the use of some fansite graphics throughout). Tellingly, this part of the presentation got the most response from the fairly small audience (about a dozen people, all told). With the recent PlayStation Network intrusion, security in online gaming didn’t seem quite so unimportant to this group of folks largely working in security for healthcare providers and financial services firms. I made sure to lead off that phase with a brief discussion of subscriber numbers and rates: CCP Games may not have the largest revenue base in the industry, but they certainly have advanced well past startup phase.
The ensuing conversations raised some interesting questions. I couldn’t answer them, of course, not knowing the actual people and processes, but they did reinforce the idea that CCP has not yet achieved excellence.
- Why did they conduct a large deployment on a Friday, with people leaving the office for the weekend and just before peak loads?
- Why do they require the majority of their IT staff (such as web developers) to locate in Reykjavik? This likely interferes with their abilities to attract and retain talented professionals.
- Given that the exploitation occurred so quickly, why did CCP bring the forums back up after just a few minutes of “fixing” on a Friday evening? The consensus among the group seemed to lean towards taking the time to ensure that the application got a thorough review (as CCP finally did), rather than come back up so quickly.
I really hope CCP has thought, or is thinking, about these things. As I emphasized in my talk, no actual data breach occurred — certainly no accounting loss. But the economic loss as players (continue to) lose trust in CCP certainly hurts, and I discuss these matters because, as a customer and as a fan, I want CCP to succeed.




