Mitigating Cyber-Threats to High-Profile Events

The delayed Tokyo 2020 Olympic Games are now well underway, displaying the incredible skills and physical prowess of the top athletes in the world. Sadly, no spectators can attend this prestigious occasion due to COVID-19 restrictions in Japan. Yet, the games are providing plenty of entertainment for many millions of TV viewers worldwide.

With high-profile events like this returning en masse as the world gradually emerges from the COVID-19 crisis, we must consider the potential cyber-threats they will likely face. As Trevor Morgan, product manager at comforte AG, noted, it is all too easy to only focus on physical security for events such as the Olympics. “No doubt it’s the physical security that is on most minds when we think about the Tokyo Olympics and other public games, concerts and events. Everybody wants to be physically safe at these venues, so most of us don’t have too many concerns about long security lines, bag checks, metal detectors and a robust law enforcement presence. All of these methods (and more) enable us to enjoy the games or the shows with a little more peace of mind,” he outlined.

However, in an increasingly digitized world, exacerbated by the COVID-19 pandemic, cyber-threats have grown in all areas of life, and physical events are no exception. What are the main ways cyber-threat actors will target high-profile events, and what should organizers put in place to stay secure?

Threat of Scams

The first thing to consider is that there will always be a surge in online scams surrounding significant occasions, from sporting events to music concerts. Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, explained: “Many fake, fraudulent websites or emails that appear official luring fans into cheap tickets, free merchandise or simply to stream and watch these events live will come with many scams. These scams can result in stealing the victim’s credentials, passwords, credit card information, infecting their computer or smartphone with malicious software or even ransomware. These can lead the unknowing victim spreading the malware to family and friends, losing sensitive data or a major financial impact.”

The ban on spectators for the Tokyo Olympics means that more people than ever will want to observe the action digitally, which offers increased opportunities for cyber-criminals. Sounil Yu, chief information security officer at JupiterOne, said, “Attackers often exploit events that gather significant media attention as a pretext to entice and entrap unwary users. For high profile sporting events, when broadcasters introduce regional blackouts or paywall mechanisms to watch those events, eager viewers will look for ways to bypass those restrictions, and attackers will often be waiting for them.”

Javvad Malik, security awareness advocate at KnowBe4, noted that online scammers will always ramp up their activity when high-profile events like the Olympics occur — in much the same way as attackers targeted the COVID-19 pandemic. “Whenever there is an event, these attacks will usually come in the form of phishing emails. Sometimes it’s the offer to win exclusive tickets to a must-see final, promise to unveil a hidden secret or claim to be a charitable organization collecting funds to help a particular cause,” he explained. “Ultimately, these all rely on levers of human deception in an attempt to pull on the emotions of recipients using a current event that most people will be invested in. We saw many COVID and stimulus payment scams going around last year. We see similar scams during world cup events, Olympic games or even during a natural disaster.”

Therefore, users must be cautious about any digital communication or website link they see connected to high-profile events. “During major events, avoid clicking on a suspecting email or website links. Use the latest web browsers and do not enter credentials, passwords or credit card information into these websites as it is a high probability that they are scams and you will be the next victim,” advised Carson.

Yu believes there are actions event organizers can take to help people avoid falling foul of such scams. “There’s only so much that organizers can do to deter determined sports fans from taking ill-advised actions on their computer to watch their favorite team or player, but organizers can mitigate some of these risks on behalf of these eager viewers by optimizing search results for authorized sites using common terms that viewers may use in their search for ways to bypass the broadcaster’s restrictions,” he stated.

These actions should include growing the cyber-awareness of fans as far as possible, according to Dennis Kengo Oka, principal security strategist, Synopsys Software Integrity Group: “In preparation for high-profile events, organizers should build cybersecurity awareness, including warning the public about fake ticket websites, fake web streaming services, etc.,” he stated.

Threats to Personal Data

With the COVID-19 vaccine rollout enabling the return of full-capacity crowds in many countries, such as the UK, organizers must be conscious of the wealth of personal data being collected from those in attendance and the value that holds for cyber-criminals. Morgan explained: “Think about how much of your personal data is collected and processed for events such as these. From event registrations to payments, every single one of us is giving up a lot of our PII (and now potentially PHI, if vaccine passports become prevalent) in order to attend. And those companies that require all this data? Yes, they are prime targets for threat actors. Lots of sensitive personal data in play means a bullseye is squarely on each and every organization related to public events like these.”

Even for the spectator-less Tokyo 2020 Olympics, there are a plethora of people in attendance, meaning vast levels of personal data have been gathered and stored. Steve Bradford, senior vice president EMEA at SailPoint, noted, “The Olympics is a potential hotspot for cybercrime. Even though the games will be spectator-less, there will be a flux of people coming to Tokyo: journalists, foreign officials, and, of course, athletes will add to the 117 million active internet users in Japan.”

Similarly, sports teams and organizations hold swathes of personal information, including information of high-profile athletes and other individuals, making them high-value targets for cyber-criminals. “Sports organizations have access to sensitive data for high-profile athletes. This could include medical records, financial accounts, the address, phone number and more,” said Burak Agca, security engineer at Lookout.

The fact that the activities of sports organizations are well-publicized makes it easier for attackers to “target a team’s executives or players with attacks,” according to Agca. He cited a case from 2019 in which a Premier League club came close to losing £1m during a transfer deal because of cyber hackers.  

Sports teams are also particularly vulnerable due to the nature of their work — they are frequently traveling to different venues both nationally and internationally, meaning that they cannot stay in complete control of their cybersecurity. Agca added, “When traveling, data protection becomes an even bigger concern for the organization. Mobile phishing, unsecured networks and physical device theft are risks personnel could face while on the road.”

Targeting of the Event

As well as looking to steal personal data, which is primarily perpetrated by those motivated by financial gain, high-profile events such as the Olympics are tempting targets for groups and individuals with political aims, including nation-state actors. George Papamargaritis, MSS director at Obrela Security Industries, pointed out: “If a threat actor is able to destroy or interrupt the operations of the Olympic Games, this is going to be one of the most visible incidents in cyber history.”

Boris Cipot, senior security engineer at Synopsys Software Integrity Group, added, “The motivation could also be Hacktivism — a breach carried out to further a political agenda or social cause. This type of attack could hinder an event’s operations or display a message in place of an advertisement, for instance.”

Enhancing Event Cybersecurity

Given the scale of cyber-threats facing individuals, teams and the running of high-profile events, it is clear that organizers have a responsibility to ensure they have the most robust possible cybersecurity in place. This is not a simple task, especially considering the IT infrastructure for one-off events like the Olympics typically has to be developed in a short timeframe.

The first step is to ensure the entire security strategy for the event is coordinated correctly, particularly in such a digitized age. Papamargaritis said, “Because of the size, the openness of the target, the great number of operations that take place on the ground in parallel with the event, the huge numbers of spectators (in Tokyo’s case watching on TV or in some outdoor gatherings), such events are very complex to protect and cybersecurity has to be coordinated centrally and with singular decision making. If you separate the protection of the physical universe and the digital universe, you’re making a very big mistake because those two are integrated.”

Overall, a thorough approach should be taken, following best security principles and practices. Kengo Oka, principal security strategist, advised: “Organizations responsible for developing and operating relevant systems for the event should also establish appropriate security processes and follow best practices for secure software development. In particular, high-risk systems relevant to the event should be designed with appropriate security controls (e.g., proper authentication, secure data storage to prevent data leakage, etc.). Additionally, using white hat hackers to perform security testing on high-risk targets to identify potential vulnerabilities and fix them before release to the public.”

Security strategies should extend to third-party suppliers and the broader supply chain, which have increasingly become a means by which cyber threat actors target high-profile organizations. Kengo Oka said, “They should also consider threats to other systems that may not be directly related to the event itself (such as the event ticket websites, web streaming services). If it is a high-profile event, attacks on systems that indirectly affect the event should be considered part of the threat vector. These types of systems include critical infrastructure such as the electrical grid, transportation, etc. Even though the systems relevant to the event itself may be protected, cyber-attackers may want to make a statement by attacking other high-profile targets that could indirectly disrupt the event itself.”

Cipot added, “Ensure your suppliers follow secure software development guidelines. It’s not uncommon to request a software bill of materials displaying the components that are built into a given piece of software and any known vulnerabilities that are present.”  

As the welcome return to high-profile events continues, organizers must consider the ways these are likely to be targeted by cyber-threat actors and focus on the more obvious physical security dangers. Such occasions are a tempting target for a wide range of malicious actors, and organizers have a duty to protect participants and fans in the cyber-realm, allowing the focus to stay where it should — on the great entertainment on display.
