
With the threats from hackers to high profile websites becoming ever-more prevalent, we catch up with Oliver Eckel, Head of Corporate Security at Austrian-based online betting site bwin, which processes 70,000 transactions a day.
How do you strive to keep these transactions safe and secure from hackers when just one security breach can have a serious effect on the business' integrity, along with damage to reputation? And does being such a high-profile company increase your chances of being targeted?
Oliver Eckel. Online gaming is all about being high profile. The brand and the reputation are very important in our industry. On the one hand our profile perhaps increases the chances of being targeted, as the first gaming company that comes to a hacker's mind is probably bwin. Then again, due to our size, we are in a position to invest more money and effort into securing our systems. bwin operates under a detailed, rigorous information security policy designed to protect the integrity and confidentiality of our financial transactions. Security measures include, but are not limited to, the implementation of state of the art anti-virus protection on all computers, sophisticated firewalls to block unauthorised access to the bwin network, intrusion detection systems to spot suspicious behaviour and highly secure encryption systems to ensure that transmitted and stored information remains confidential. In order to ensure the integrity of our systems, all changes are managed and need to be approved. Additionally, periodic audits of infrastructure, application and access rights are performed to ensure that systems are secure. For our source code audits, we use Fortify to make sure that potential vulnerabilities in the developed software are identified and fixed before deployment.
A few years ago many of the major betting companies, mostly in the UK, were bombarded by ongoing Denial of Service (DoS) attacks that crippled their websites. The hackers said they would stop the DoS threats in return for hefty ransoms. Was bwin affected by this, and would you ever give in to ransom demands like this?
OE. Occasionally, bwin is the target of DoS attacks. However, giving in to ransom demands would mean that bwin is not able to set efficient counter-measures and doesn't have the necessary controls in place, which is definitely not the case. As part of bwin's risk management strategy, a layered defence strategy was adopted to mitigate the effects of service degradation pertaining to types of DoS attacks on applications, platforms and network service infrastructure. Dynamic monitoring allows automated spotting and analysing of anomalies, and in case of a DoS detection, defensive measures are activated. Applications and infrastructure are regularly audited to detect systems prone to DoS attacks so that potential vulnerabilities can be fixed before they can be exploited. Redundant systems and load balancers increase reliability and availability and act as a buffer in case of a successful DoS on single machines.
What would you say are the biggest challenges that you face as Head of Corporate Security? Is following strict compliance regulations one of them?
OE. Assuring compliance is certainly one of the main challenges for me as Head of Corporate Security, as it includes more or less all other security-related challenges. As an international online gaming operator, bwin is subject to a wide range of laws, standards and regulations. Therefore, compliance assurance is a major factor of our business continuity management. If we were to fail to comply with the requirements of our gaming licenses, for example, we would be out of business in no time. Besides the regulatory requirements, we are also striving to comply with various industry and governance best practice standards and frameworks. This is extremely important for the development of our organisation. It helps us to raise the maturity of our processes and therefore improve the quality of our services, which gives us the edge over our competitors in an extremely dynamic market. On top of that, assuring compliance with several security standards, such as PCI DSS or ISO 27001, makes my life as Head of Corporate Security a whole lot easier, as I can rely on state-of-the-art security measures and processes being in place. So even the operational side and the daily security business is directly linked to our compliance efforts.
Sometimes the most serious security threat you face is from within. How do you go about trying to prevent a rogue employee from stealing customer information or leaving bwin offices with confidential data possibly stored on a small memory stick?
OE. There is no doubt that the highest security risks for organisations can be internal ones, not external ones. Our strategy is to prevent data theft from happening in the first place. We use state of the art access right audit tools, and our back office application logs relevant events. Log files are collected and evaluated centrally by Corporate Security. Our dedicated Data Protection Officer ensures that access to data is kept to a need-to-know basis. Security awareness is constantly raised and everyone with access to sensitive data is informed about the consequences of a potential disclosure. With all these measures in place, we are confident that data theft at bwin is unlikely. In general, we feel that we are also handling the soft factor of data theft prevention well. So why are people tempted to steal data? Well, most of the time, they are unhappy with their job or their employer. At bwin, employees feel that each and every one is contributing to the big picture, which is nothing less than the best online gaming platform in the world. We have lots of teambuilding events and there's definitely a strong spirit within our organisation.
You have signed a deal with Fortify Software. How will it strengthen your security?
OE. We wanted to emphasise security awareness within the development department to make it a top priority. But we were aware that technology alone wouldn't guarantee security. Other factors such as training and metrics were required, too. A concerted effort to introduce security procedures and technology at the earliest possible phase of development and throughout the lifecycle of the application helped us identify and fix security vulnerabilities at the very beginning of the software development lifecycle.
The integration of Fortify into the software development process – especially in our nightly builds – helps to actively manage application security risk. As for PCI-DSS compliance, the automated scans and the reports generated by Fortify are crucial for passing the strict audits. Compliance, especially compliance with PCI-DSS, is a complex task and the more support you can get by deploying tools, the easier it gets. The most important benefit from deploying Fortify, however, is the general improvement of the development process with regard to security. Installing, deploying and dealing with Fortify's results helps the company see application security in a new way. Development systematically weeds out vulnerabilities and executives receive detailed risk reports on a regular basis. Security is now a part of our corporate DNA like never before. Ultimately, bwin is able to deliver highly secure applications to our customers, which is critical in our business.