Excerpt from the article published in the latest edition of PenTest AUDITING & STANDARDS 05 2012.
The article offers an overview of cyber security issues relating to sports events, competitions that are a priority target for terrorists and cyber criminals. What weight does the information security component have in the overall organization? An analysis of the main types of computer attacks and their possible consequences in a highly critical context such as a sporting event.
Whenever we watch a major sporting event we wonder how large the security effort is that ensures the smooth running of the competitions. Sporting events are a desirable target for terrorists and criminals because of the wide media coverage that characterizes them. It has been mistakenly believed that the technological component of the security of these events is limited; in reality, the security offered by traditional law enforcement and intelligence agencies is now flanked by sophisticated technological components.
To give an idea of the possible threats and of their scale, let's look at the data reported for the 2008 Beijing Olympic Games: during the event more than 12 million cyber attacks per day hit the organization. Clearly the attacks differed in nature and effectiveness, and most of them caused no problems thanks to the cyber defenses implemented to protect the games.
Let me add that in four years cyberspace and the related cyber threats have changed completely, growing in power and efficiency, so we must expect the number of attacks to increase dramatically. Cyber terrorism, cyber warfare, cyber espionage, cybercrime and hacktivism are words in common use today, and they identify specific cyber threats able to compromise the success of an event.
Let's imagine for a moment the consequences of a denial-of-service attack against the official websites, or of malware spreading within the organization's internal network: these threats are particularly damaging and could cause serious problems for the entire system.
In 2003 the Pan American Games held in the Dominican Republic were hit by a computer virus that compromised the internal network and in particular the results service, making the latest scores and results from the competitions inaccessible to media representatives around the world.
Believe me, this is the best case among the incidents that could affect a competition; as we will see, there is a wide range of attacks that could cause serious damage.
During the most important events, such as the Olympic Games, a series of factors make the competitions very attractive targets. These events gather large masses of athletes and spectators in confined places for a short period, which puts a strain on public and private security services. The organizing machine must be able to prevent accidents and attacks by closely monitoring the progress of operations.
Another factor that makes competitions desirable targets is the presence of diplomatic delegations from many countries together with the principal press agencies of the world. In a few words, sporting events are an excellent stage on which to carry out a striking operation.
Let's consider the main security activities of an event that could be implemented with massive use of technology:
- Information gathering, before and during the competitions
- IT infrastructure monitoring
- Transportation control
- Communication systems monitoring
- Physical access control
- Logical access control
- Rescue coordination center and anti-missile systems
- Video surveillance system
Clearly each of these activities has a high technological component that requires efficient defense mechanisms. To better understand how the security of these events is arranged, the entire event must be considered as a monolithic system endowed with a series of entry and exit points. Inside, the system is composed of several entities that exchange huge quantities of data and cooperate toward common goals. In the design of the event every entity is analyzed in detail, defining the data it manages, the functions it offers, the services it uses and the systems with which it cooperates.
The preparation phase
Let's start from the beginning, the preparation phase: it is at this time that the organization spends the most effort designing the entire IT infrastructure and sizing its attack surface. Every automated service is reviewed and every possible vulnerability must be identified. The security agencies of the countries participating in the event discuss the organization and every possible threat that menaces the competition. Today a cyber attack is one of the principal threats to every event, and for this reason one of the most important sources of information is the internet and the social platforms. Starting several months before the event, law enforcement and security agencies monitor the web, and especially social networks and forums, to find any suspicious activity that could be related to the organization of an attack.
This phase is really important because the analysis of the web makes it possible to intercept groups of terrorists or hacktivists that are planning an action during the event. Particular attention is dedicated to the "Deep Web", the part of the web that is largely used by cyber criminals for commerce and propaganda. Task forces of experts try to infiltrate these networks to detect potential threats.
The web is only one of the main access gates to these events and needs to be adequately protected; thinking of the competition as a nation, every critical infrastructure needs to be covered by a specific cyber strategy. The principal services that must be covered during an event are:
- Financial Services
- Public Works
- Surveillance and Reconnaissance
- Health Affairs
Each service produces and consumes an impressive quantity of data that must be protected. Consider for example the accreditation process: each individual must be identified and, based on their role, assigned permission to operate in the appropriate areas. When we use the word "area" we refer to an atomic space inside the infrastructure that must be subject to control: access and communication to and from the sector must be monitored and controlled, and the related data must be fed into a centralized system for processing.
Gerry Pennell, chief information officer for London 2012, has remarked that a key principle to ensure the security of the event is to
“keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed.”
If an attacker finds a way to exploit a vulnerability in this process, he could gain free access to the venues of the event, a risk that must absolutely be avoided. How to prevent this incident? A rigid protocol must be in place that validates and monitors each transaction in the information system of the event and raises an alert on every suspicious activity or malfunction of any component subject to control (e.g. access control, telecommunications, networks).
Internal networks are the backbone of the architecture, and an appropriate cyber strategy must preserve them from external attacks, for example by hackers, but also from potential internal cyber threats. Rigid policies must address every single aspect that could compromise the entire infrastructure, such as the use of mobile devices and storage devices (e.g. USB memory sticks). Possible attacks against the backbone could use, for example, targeted viruses able to infiltrate the networks and compromise "correct" operations.
During the preparation phase the intelligence services have to identify the possible sources of attack and their offensive techniques. Cyber terrorists and hacktivists, for example, must be addressed in different ways since they usually operate in totally different modes; however, during a public event it is possible that different cyber threats will combine their attacks.
Great attention must also be paid to the organization of communication channels, identifying the different types of information to transfer and ensuring the needed quality of service for each transmission. The organization must be confident of ensuring the continuity of connections in every case, with particular attention to service and emergency communications. In case of attack, reserved communication channels must be in place to alert relief services and to send external units the request for appropriate intervention. Consider that today's communication environments are all sensitive to cyber attacks and the majority are based on digital technology; this means that every single component of the overall infrastructure must be attack proof, and backup units have to be in place in case of problems.
Can we imagine what would happen if a virus compromised the communications servers?
The communication architecture must be constantly monitored by sentinels and probes able to identify cyber threats and any other attempt at tampering.
Once the entire IT infrastructure is defined, it must be tested and monitored, verifying its response to the ordinary workload, to external and internal attacks and to possible incidents.
Regarding the upcoming London Olympics, the entire IT infrastructure will be massively tested during the period from March to May, simulating cyber attacks and recording the response to the events. The organization has declared that a team of about 100 specialists will try to compromise the systems.
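As an added illustration of the accreditation and area-control protocol described above (example code written for this page, not from the article or from any London 2012 system), the following Python validates each badge presentation at an area gate against constructed accreditation data and raises an alert on three suspect cases: an unknown badge, a role not authorised for the area, and the same badge appearing in two distant areas too quickly to be the same person. All badges, roles, areas and adjacency data are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed accreditation data (hypothetical, not from the article): each badge
# carries one role, each role is permitted in a fixed set of areas, and ADJACENT
# lists area pairs close enough to walk between in a few minutes.
ROLE_AREAS = {"athlete": {"village", "training", "field_of_play"},
              "press": {"media_centre", "press_tribune"}}
BADGES = {"A-1001": "athlete", "P-2001": "press"}
ADJACENT = {frozenset({"village", "training"}), frozenset({"media_centre", "press_tribune"})}
MIN_TRAVEL = timedelta(minutes=10)  # shortest plausible move between non-adjacent areas

@dataclass
class AccessMonitor:
    """Centralised validator: every badge presentation at an area gate is checked
    against the accreditation data; suspect transactions raise an alert."""
    last_seen: dict = field(default_factory=dict)  # badge -> (when, area)
    alerts: list = field(default_factory=list)

    def check(self, when: datetime, badge: str, area: str) -> bool:
        role = BADGES.get(badge)
        prev = self.last_seen.get(badge)
        if role is None:
            alert = f"unknown badge {badge} presented at {area}"
        elif area not in ROLE_AREAS[role]:
            alert = f"{badge} ({role}) not authorised for {area}"
        elif (prev and prev[1] != area and when - prev[0] < MIN_TRAVEL
              and frozenset({prev[1], area}) not in ADJACENT):
            # Same badge in two distant areas too quickly: possibly cloned or shared.
            alert = f"{badge} seen in {prev[1]} and {area} within {MIN_TRAVEL}"
        else:
            alert = None
        if alert:
            self.alerts.append(f"{when:%H:%M} {alert}")
        self.last_seen[badge] = (when, area)
        return alert is None

def replay(rows, base=datetime(2012, 7, 27, 9, 0)):
    """Feed constructed (minute_offset, badge, area) rows through one monitor
    and return the per-transaction decisions plus the alerts raised."""
    mon = AccessMonitor()
    decisions = [mon.check(base + timedelta(minutes=m), b, a) for m, b, a in rows]
    return decisions, mon.alerts

# Constructed sample of badge presentations at venue gates.
SAMPLE = [(0, "A-1001", "village"), (2, "A-1001", "training"),
          (3, "P-2001", "field_of_play"), (4, "X-9999", "village"),
          (5, "A-1001", "field_of_play")]
```

Running `replay(SAMPLE)` grants the first two presentations and denies the remaining three, each with a timestamped alert that a central console or agent could act on.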
Patrick Adiba from Atos, the Olympics IT supplier, told the BBC:
“We are using a simulation system so it doesn’t really matter if we corrupt the data. We simulate the effect and see how people react.”
This confirms the importance of the test phase of the system before the event.
Once the event is in progress, it is clear that the IT architecture is the core of the organization, responsible for managing every piece of data necessary to the correct conduct of activities. We have focused the discussion on possible attacks on the IT infrastructure, but we also have to consider the equipment used to monitor the events and its vulnerability to attack: none of it can be totally secure, and the only way to prevent attacks and intrusions is to adopt hybrid techniques within the same solution.
Facial recognition systems and cryptographic cards storing the digital identities of participants and organizers are just some of the security options implemented during an event. Any suspicious activity is analyzed in real time by experienced agents with the aid of advanced technologies able to detect any abnormality, but the unpredictable is around the corner, and the organization must be able to meet any sudden need and respond to an unplanned event to avoid dangerous situations. For this reason the computer system requires continuous analysis and must be subjected to multiple simulations before entering into operation. An unexpected fault during an attack could cost the lives of hundreds or thousands of individuals.
According to the London 2012 Olympic Safety and Security Strategic Risk Assessment (OSSSRA), the security risks relate to the following distinct areas:
- Serious and organized crime;
- Domestic extremism;
- Public disorder; and
- Major accidents and natural events.
Every element of the above list could be directly or indirectly affected by cyber attacks, with varying likelihood.
Technology in modern events is a key component covering each critical area, and an attack could have a cross effect, impacting different sectors of the sporting competition at the same time. To provide a valid example, let's examine the airspace defense systems that will be used to protect the next London Olympics.
Missile batteries will be deployed to protect the main structures hosting the games; obviously those systems will be electronically managed, and for this reason the organizers must be sure that their weapons will be available and ready for every emergency and protected from external interference.
We can imagine how critical this aspect is: conventional electronic weapons could be damaged through a cyber attack, a hacker could take control of the missile management console, or a GPS jammer could disturb the defined trajectory during the launch.
During a sporting event the intelligence disciplines are used to acquire information on specific subjects; the common categories include human intelligence (HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), open source intelligence (OSINT) and geospatial intelligence.
Many experts are unaware of the great importance of MASINT, which was recognized by the United States Department of Defense as an intelligence discipline in 1986. Under its umbrella we find the processes that retrieve information through quantitative and qualitative analysis of data derived from specific technical sensors, for the purpose of identifying any distinctive features associated with the source emitter or sender.
The ability to promptly identify energy sources and abnormal signals is an indispensable requirement for the control of the critical infrastructures that host sporting events; for this reason the above-mentioned techniques, while rarely mentioned, are the basis of an efficient defense system.
The intelligence process can then associate the measurements with a particular phenomenon or environmental condition, recognizing any deviation from what is considered an ordinary situation. Examples of MASINT disciplines include radar intelligence (RADINT), infrared intelligence (IRINT), and nuclear intelligence (NUCINT).
The smooth running of the event is guaranteed by all the above measures; however, sudden and unexpected events can be sources of serious problems. In the case of cyber attacks the problem becomes critical, since many types of offense are not predictable. As an example we can mention 0-day attacks, to which it is practically impossible to respond adequately. In this scenario the measures protecting the systems can fail, so the ability to detect the attack early is crucial to limit its effects.
The scenarios illustrated and the risks examined are the foundation for risk identification and for implementing a mitigation process composed of the following phases:
- Identifying the risks
- Mitigating the risks
- Understanding residual risks
With specific reference to the cyber scenario, we must also consider one of the major cyber threats, which I deliberately left until last: social engineering.
While imagining a perfect organization and an impenetrable IT infrastructure, it is necessary to deal with the human factor. Inappropriate behavior, an accident or, worse still, the possibility of misleading the staff of the event could open holes in the security of the entire structure. Erroneous human behavior could lead to unauthorized access to the information infrastructure or to the exposure of sensitive information used by the organizing committee. This type of attack is extremely dangerous and exploits human weakness to penetrate the victim's system.
Defending against these cyber threats is complex, and it is essential to train staff properly so that they operate correctly in every situation.
Another fundamental aspect is the adoption of strict processes that cover all possible scenarios and the related operational responses of the staff; in this way risky behavior can be reduced significantly.
We have seen that the security of an event is extremely complex because of the multitude of contributing factors; until today, thanks to the excellent work of law enforcement and security agencies, the safe conduct of major sporting events has been ensured. I hope that in the future it can get better and better.
About the Author
Pierluigi Paganini has a Bachelor in Computer Science Engineering IT, majoring in Computer Security and Hacking techniques. He is a security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). Currently he is Company Operation Director for Bit4Id, researcher, security evangelist, security analyst and freelance writer. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs".
Security Affairs ( http://securityaffairs.co/wordpress )