How to Prepare for Elevated Cybersecurity Risk at the Super Bowl
Super Bowl 2024 in Las Vegas is a magnet for cybercrime. Here are a few things businesses should consider to minimize their risk.
COMMENTARY
Major sporting events such as the Super Bowl are fertile ground for threat actors: They attract huge audiences and offer a treasure trove of valuable data for hackers — from payment card data to user credentials that grant access to an organization's network. They also have a large concentration of high-profile targets, including celebrities, media personalities, political dignitaries, and famous athletes.
It's not only the volume of targets and data that draw threat actors to these live events. They also create a sense of urgency, one of a hacker's greatest allies. If a threat actor can compromise critical systems, such as ticket entry or on-premises point-of-sale (PoS) payment systems, the venue, event organizers, and vendors may be highly motivated to pay a ransom to restore their systems quickly.
Businesses must be extra vigilant in the lead-up to Super Bowl LVIII, as "for ransom" threats are increasingly significant. While ransomware is the best known, other "for ransom" threats include sustained distributed denial-of-service (DDoS) attacks and exfiltration of sensitive or embarrassing data with the threat to disclose it unless the ransom is paid.
The Offensive Line-up: Adversary Personas
As in football, it's important to know your opponents. The adversary's offense can come at you from many angles.
Cybercriminals are primarily driven by financial gain, look to monetize exploits quickly, and attack in large volumes. They are among the most prevalent of the threat actor lineup and often start attacking well before the event with social engineering and phishing campaigns to harvest credentials. Then they double down during the event with more destructive actions, including launching "for ransom" attacks and deploying information-stealing malware to siphon payment card data from PoS systems.
Hacktivists are generally driven by ideology, with website defacement their weapon of choice. These hacktivists are trying to get their message out, and what better time than when the huge Super Bowl audience is watching?
Deliberate disruptors typically use DDoS or destructive malware attacks to degrade or disrupt the event experience. Deliberate disruption includes "for ransom" activities and disinformation and misinformation campaigns, often using social media and possibly deepfake technologies, to dissuade or persuade their target audience of something (usually nefarious).
Nation-state or state-affiliated threat actors are driven by national security, geopolitical positioning, and competitive advantage. These highly sophisticated cyber adversaries are drawn to large events due to their VIP audiences and the types of intelligence they can potentially collect.
Don't Underestimate the Home-Team Advantage
While it's common to focus on threats from foreign cybercriminal enterprises looking to do harm, don't overlook often-inadvertent threat actors much closer to home.
Employees with legitimate access to organizational resources can cause significant (usually unintentional) damage through mistakes and abuse of access privileges.
A temporary workforce, brought on to cover increased staffing demand, may have similar access rights as full-time employees, but often undergo less scrutiny or security checks.
Vendors and partners with physical or logical access to key resources can be a pivot point for threat actors through supply chain attacks. Vendors and partners are often prime targets for attackers on their own.
How Cyber Adversaries Do Harm
The cyber adversary's playbook includes multiple tactics, techniques, and procedures (TTPs).
Targeting infrastructure provided by the event venue, city and state governments, and third parties (such as local businesses, sponsors, and hospitality providers). These can degrade or disable services, often with the intent of financial gain through ransomware or DDoS attacks.
Increasing in social engineering campaigns using the event or related topics as lures to target and trick victims into giving up information including credentials or clicking links that trigger malware.
Disseminating misinformation and disinformation — generally for ideology reasons, (geo)political motivation, or competitive advantage.
Exfiltrating sensitive data to discredit, bribe, monetize, or coerce victims, often with a ransom demand asking for cryptocurrency payment.
Strengthen the Human Element
With the Super Bowl rolling into town, Las Vegas, already known for hospitality, will see a massive influx of guests. Cybercriminals often use social engineering techniques to target and defraud tourists because they may have a harder time distinguishing between legitimate and malicious communications while outside their normal routines. This makes them especially vulnerable and attractive to cybercriminals.
Businesses must also be wary of social engineering in the runup to the "Big Game." Even though Las Vegas is home to some of the biggest hospitality brands in the world — companies with multimillion dollar cybersecurity budgets — social attacks can bypass even the most sophisticated security systems by targeting the biggest vulnerability of all: people.
Businesses don't have time to do a complete cybersecurity overhaul ahead of Super Bowl weekend, but they do have time to remind employees of cybersecurity best practices. Social attacks can target virtually any employee, and an educated workforce helps mitigate risk.
Employees who learn how to spot the most common social engineering tactics — phishing, vishing, smishing, pretexting — can help reduce points of entry. Remind employees to change passwords often and not use the same credentials across different systems and websites. If an employee's password has been compromised in another data breach, attackers can use it to gain access to your business.
Also have incident response plans in place so that employees know how to respond if a suspicious incident happens. Having a plan can prevent a wider breach. Isolating incidents is just as important as preventing them.
Consider Partners Wisely
Attackers can also bypass sophisticated cybersecurity systems by targeting third-party vendors. Many major breaches are traced back to vulnerabilities in vendors with valuable data from larger companies. This should be a cause for concern for as Super Bowl event organizers, who work with a vast constellation of third-party vendors. While it's too late to reevaluate vendors now, there may be time to evaluate third-party exposure, touch base with vendor partners, and take measures to mitigate potential risk.
Remove Weak Links
An organization's cybersecurity is only as strong as its weakest links. Strong cybersecurity doesn't depend only on technology solutions; it's also about behaviors and culture. In that sense, cybersecurity is a manifestation of discipline. An organization may have rules to help prevent cyber incidents, but if they're not strictly and uniformly applied, its systems remain vulnerable. Threat actors are unlikely to change their tactics as long as they remain effective. Don't make it easy on them. Implement systems, establish protocols, make plans, and stick to them.
About the Author
You May Also Like