As more and more UK colleges and universities realise the benefits of adding esports to the curriculum, the cyber security threat exposure that comes with it increases too.
There are many potential pitfalls:
- Games are changing all the time
- New modifications are being introduced
- The risks and attack vectors are rising
The consequences can be severe, ranging from loss of an individual player’s money to IT failure across the entire institution.
Segregation, segregation, segregation
Without a doubt, the best way to protect an esports network is to segregate it from the outset.
Kylie Kendrick, technical specialist for esports at Durham University, is in the process of setting up the esports lab there and does not yet have a dedicated space. She says:
"Currently, our students play from their university halls and on-campus accommodation. Ethernet was removed from those spaces in an effort to eliminate any danger of the network being affected negatively. All play is now done over wifi."
An institution with an established esports lab should ensure it is completely segregated from its Janet Network connection. Neil Shewry, Jisc’s director of service, explains:
"Ideally, an esports lab should have its own hardware and rule set, and its own firewall, so if an attack gets through to one machine it’s contained there. In commercial tournaments, it’s best to use physically segregated networks and separate virtual local area networks (VLANs) to ensure quality of service.
"It's also a good idea to look into getting a virtual private network (VPN) as an additional layer of security. It can reduce the risk by blocking malicious URLs and encrypting all connections, even over public wifi."
As part of standard business operations, patches should be checked daily and game updates scheduled to run at times when they will not adversely affect play. Policy controls can help avoid a single person bringing down the network, and bandwidth throttle will ensure that concurrently running events don’t affect performance.
DDoS mitigation is a priority
Managing students’ devices when they are all different and there is no single point of control over platforms can present problems. Players expect to be able to use their own kit, which increases the threat: even keyboards can be affected by malware.
The greatest risk here is distributed denials of service (DDoS) attacks, which can cause outages, loss of important data and even complete failure of an institution’s IT systems.
Having a clear overview of network traffic is a useful part of any DDoS mitigation strategy. If you’re connected to the Janet Network, you can view traffic on your connection by accessing Jisc’s cyber security portal. The portal also gives details of alerts or DDoS mitigations, whether in the past or currently in progress.
Kylie Kendrick says:
"DDoS can’t be completely eliminated, but the DDOS protection built into Jisc’s Janet Network helps mitigate the effects. At Durham the only thing we noticed as a result of a recent attack was slower web browsing.”
Raising cyber security awareness in esports
As Alex Postbechild, penetration tester at Jisc, points out:
"Esports might be a game, but it has inherent real-world risks with severe implications. Everyone should have the opportunity to learn about that in some way before they learn it by experience. Frankly, basic cyber security should be taught in primary schools."
Until then, however, cyber security awareness remains a challenge, even among students and gamers.
Kylie Kendrick says:
"I’d like to see a first-year cyber security module for all students, either instructor-led or put on a virtual learning environment (VLE) for self-paced learning, that leads to a recognised addition towards their course. And that should apply to all courses, not just computer science or esports."
Gamers need to be aware that, while their college or university has a requirement to protect user data, they also need to know how to protect their own accounts, says Alex Postbechild.
“There are simple things that it’s okay to do online and things it’s not. For example, mods for games usually come from community-driven coding and the average player has no clue what’s happening in something they pull off the internet. This can lead to things like the transfer of in-game currency, which can cost esports professionals their livelihood.
“Another basic rule is never to sign T&Cs when you don’t know what they contain. Some T&Cs even allow permission for the software to scrape IP addresses, home addresses, credit card details and everything in between. It’s easy to click ‘agree’ and unwittingly give permission for your data to be harvested without your knowledge.”
He also advises enabling multi-factor authentication (MFA) wherever possible and always keeping software up to date: it's important to allow all updates because these often contain security patches.
There’s no need to do this alone
Jisc provides the advanced security and capacity needed to keep an institution’s network and systems available when running esports. When it comes to setting up an esports course with cyber security built in from the offset, Jisc can advise on best practices and share experiences across the sector.