Article published on The Malta Indipendent
by Ron Kelson, Pierluigi Paganini, David Pace
The London 2012 Olympics will bring together 10,500 athletes, diplomats, politicians, business leaders and millions of spectators from all over the world. Behind the scenes there is an immense effort being made to ensure the security and well-being of everyone participating, in any capacity, in this grand event. This article gives an inside-look into the thinking, business processes and security controls put in place to manage the risks in large sporting events. Many, but not all, of these principles and techniques can also be effectively applied by any business or organisation.
The basic process in preparing and securing any (business) system is:
- Identify the actors and motivations for attacks.
- Identify and assess the threats.
- Identify the attack surface including people, places, things and intangible items such as revenue, reputation and stakeholder well-being that we seek to protect.
- Identify risks, potential failures and their effects.
- Identify and prioritise the key risks areas to be addressed.
- Mitigate the most important risks through various controls and adjustments.
- Evaluate the effectiveness of our activities to secure the system.
- Understand the residual risks.
- Actively manage events during execution of the event(s).
Identifying the actors and motivations for attacks
Large prestigious sporting events represent a highly desirable target for terrorist and cyber criminals. These events attract a considerable number of athletes, and millions of spectators, who occupy confined places for a short period of time. The presence of major press agencies from around the world bring significant international visibility to these events. For politically motivated terrorists, there is the opportunity to cause violent disruption, which could severely injure many people and undermine confidence in the host country. For financially motivated cyber-criminals there is the opportunity to profit by attacking the personal and financial information of participants.
Identifying, characterising and assessing the threats
In the 2008 Beijing Olympics games, over 12 million cyber attacks per day, of varying types and lethality, were detected. Attacks range from denial of service attacks, propagation of viruses and malware, to highly targeted attacks against critical systems. Many, if not most, of these attacks were successfully defended in 2008. However, in the last four years, cyberspace and the related cyber threats have significantly evolved, increasing in sheer number, stealth, diversity, and capability for damage.
Identifying the attack surface
A sporting competition must be considered in its entirety, as a monolithic system that is endowed with a series of access ports and exits. The inside of that system is composed of many people and devices exchanging huge quantities of data and are cooperating to achieve a common objective. In addition to this, we must consider the event as a “system of systems”. This includes third party web-servers, email servers, the millions of personal computer systems remotely participating, and so on.
In the design of sporting events, every element is analysed in detail, the data it manages defined, the functions offered articulated, and the dependencies between various systems and services well understood.
Identify and prioritise the key risks areas
The principal services that must be protected during an event are: 1) telecommunications, 2) internal financial services such as point of sale, 3) third party financial services such as online credit card transaction systems, 4) marketing and business communications, 5) public and private transportation, 6) organisational logistics, 7) public works, 8) public health and safety, 9) surveillance and reconnaissance, 10) policing services, and 11) military defence. Each of these services produce and process large amounts of data. 12) The security of social networks and other online websites the sporting event advertises and promotes its activities on, 13) the security of web-browsers and computers used by visitors to the event’s websites, and 14) the identification and control of email scams and scam websites which attack those interested in the sporting event.
This last point (#14) is particularly interesting. Important sporting events are promoted on the Internet, with the publication of millions of images, videos, which lead to viral recommendations. This presents a unique opportunity to exponentially increase the spread of malware in social networks and other Internet mediums. For example, Kaspersky’s experts have warned Internet users to be on their guard against cyber criminals using the Olympics to start marketing fake tickets and merchandise websites, phishing scams and DDoS attacks. Furthermore, foreign governments or large cyber-criminal organisations could use this opening as an opportunity to infiltrate a large number of computer systems to launch attacks completely unrelated to the sporting event itself.
Identify and prioritise the most important risks to be addressed
It is clearly impossible to address all risks. However the highest risks in each category are addressed in a systematic way to protect the sporting event itself, and the participants / stakeholders involved.
Mitigate the most important risks through various controls and adjustments
There are a wide range of tactics, processes and technologies that are used to protect the different elements of a sporting event.
Consider the internal networks that are the backbone of the sporting organisation. A good cyber defence strategy must protect that network from external attacks as well as internal attacks. Rigid policies must address every vulnerability and attack vector that could compromise that network, such as attacks through mobile devices and USB memory sticks. Possible attacks against the internal network backbone include targeted viruses designed to compromise the operations of critical sporting services.
To further reduce risks, different types of unrelated systems are isolated from each other. Gerry Pennell, chief information officer for London 2012, said that a key principle to ensure the security of the sporting event is to “keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed”.
Unfortunately, today one cannot rely on any computing or communication systems being secure, or the controls being perfect. To this end, event monitoring systems are used to track the (mis)behaviour of all systems, including collecting metrics such as network usage, number of completed transactions, suspicious transactions, and so on.
This type of monitoring occurs not just within the organisation, but also outside it. For example, starting several months before the events, law enforcement and security agencies monitor the web, especially social networks and forums, to identify any suspect activities that could be related to the organisation of an attack. Governments see this phase as really important because it may be possible to detect and neutralise a group of terrorists or hacktivists that are planning an action during the events.
One of the most effective ways to manage successful attacks and intrusions against specific components is to adopt hybrid techniques in the same system. For example, facial recognition systems and cryptographic cards for storing the digital identity of participants and organisers are just some of the overlapping security controls implemented during an event.
For critical services the sporting event must also assume that a successful compromise is possible, even after aggressive security controls have been put in place. To address this, backup systems, redundancy, and even diversity, are used to provide a secondary network backbone (redundancy) from components from a different vendor (diversity). For example, creating a wired network using one product from one vendor, and creating a wireless network using a different product from an entirely different vendor is done to try and avoid the same vulnerability being present (and thus exploitable) in both networks.
Evaluate the effectiveness of our activities to secure the system
Testing and monitoring are main priorities for the organisers of the event. The impact of simulated external and internal attacks against a typical workload of the network must be studied so we know what to look to detect real attacks. As regards the forthcoming London Olympics, each component of the IT infrastructure has been stressed in the period from March to May, simulating cyber attacks, and registering the response to the offences. The organisation said that a team of about 100 specialists will try to compromise the systems. Patrick Adiba from Atos, the Olympics IT supplier, told the BBC: “We are using a simulation system so it doesn’t really matter if we corrupt the data. We simulate the effect and see how people react.”
Residual risks
The unpredictable is always a constant companion in all endeavours, particularly large complex ones. To manage the unknown, the sporting organisation must be adequately equipped and staffed to meet any sudden unanticipated need rapidly. There must be a modest amount of human over-resourcing available to manage peak situations without compromising other activities.
Actively managing the event
Installing security controls and performing penetration testing are clearly critical steps. However, security is not achieved just by installing good security controls. Security is a process that must be actively managed long after initial preparations are completed.
This is best described in the Observation, Orientation, Decision and Action (OODA) loop. Event monitoring systems must be operational to observe the actual activity of all systems participating in the event. Analysis must be performed by security experts, with advanced technologies, in real-time to orientate themselves to any abnormalities and suspicious activities that could indicate an attack is in progress. If the experts determine there is a problem, a line of action must be decided on, and action taken to address that concern.
The security of a sporting event is extremely complex because of its sheer scale and the multitude of contributing factors. Due to the excellent work of private and public security organisations, previous Olympic events have been highly successful. Many of these winning processes and techniques can also be employed by medium to large organisations to protect the legitimate interests and well being of all stakeholders.
Sig. Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress)
Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.
ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Malta Government, Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to register on the ICT GM Skills Register and keep aware of developments, both in Cybersecurity and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at [email protected] .
Share On
