What’s in Your Event Cybersecurity Strategy?
Authored by Theresa Payton, CEO, Fortalice Solutions LLC and former White House CIO.
In the wake of the violent attack on Bastille Day in Nice, France, and other recent events, it would be negligent to think of physical security and digital security as two separate entities. At the White House, we discussed in great detail that an event cybersecurity strategy must dovetail physical and digital security, and that a one-sided approach was doomed to fail.
It is no secret that large crowds and popular events, especially those with controversial topics or provocative speakers, are a target for ne’er-do-wells. Thankfully, there are a host of proven strategies and tools that can help you manage a proactive and dynamic security strategy and, if the inevitable breach happens, an effective recovery effort. If you leverage these strategies and tools, you can improve the digital and physical security of the guests of the event.
There is not a specific or single recipe for success. Rather, you must first define what you are protecting, brainstorm the various threats targeting your event and then conduct a risk/reward analysis to prioritize resources on your digital and physical security strategy.
Open Source Intelligence
An area often overlooked and widely misunderstood is the use of open source intelligence, also known as OSINT, as part of the overall event cybersecurity strategy.
When you target your own organization as if you were the adversary, you can identify the information leaking out through your vendors’ connections to your data, or through your own technology, before cybercriminals use that same intelligence to launch an attack against your organization.
Digitally, you can use OSINT tools to identify everything you can about the technology and the people at your organization. You can also use OSINT to see if your sensitive data has leaked online.
Physically, you can use an OSINT technique to digitally geofence a specific physical area and monitor the digital traffic that mentions that location or occurs within it. In the case of fighting terrorism, private sector companies and law enforcement can geofence critical infrastructure, significant events and venues, and then monitor to identify terrorist capabilities, sympathizers, motivation, flashpoints and intention through various OSINT tools.
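As an added example (not from this article, and not any particular OSINT product), the following Python sketch shows one way a security team could implement the geofenced monitoring described above: it takes a feed of public posts, keeps those that either carry a location inside a venue perimeter or name the venue, and tags watch terms such as "schedule" or "badge" that relate to the assets an event organizer most needs to protect. The venue coordinates, post texts, aliases and watch terms are all constructed for illustration.

```python
"""Geofenced OSINT monitoring sketch (added example, not the article's own code).

A venue is modelled as a circle (centre + radius); a post is flagged when it is
geotagged inside that circle or when its text mentions the venue. Flagged posts
are then checked for watch terms so an analyst can triage them.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float
    aliases: Sequence[str] = ()  # other ways people refer to the venue


@dataclass(frozen=True)
class Post:
    post_id: str
    text: str
    lat: Optional[float] = None  # None when the post carries no geotag
    lon: Optional[float] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def inside_fence(post: Post, fence: Geofence) -> bool:
    """True only for geotagged posts whose location lies within the fence radius."""
    if post.lat is None or post.lon is None:
        return False
    return haversine_km(post.lat, post.lon, fence.lat, fence.lon) <= fence.radius_km


def mentions_fence(post: Post, fence: Geofence) -> bool:
    """True when the post text names the venue or one of its aliases (case-insensitive)."""
    text = post.text.lower()
    return any(alias.lower() in text for alias in (fence.name, *fence.aliases))


def scan(posts: Iterable[Post], fence: Geofence, watch_terms: Sequence[str]) -> List[Dict]:
    """Return one alert per post that is inside the fence or mentions it.

    Each alert records why the post was kept and which watch terms it contains,
    so posts with no watch-term hits can be deprioritised by the analyst.
    """
    alerts: List[Dict] = []
    for post in posts:
        reasons = []
        if inside_fence(post, fence):
            reasons.append("inside_fence")
        if mentions_fence(post, fence):
            reasons.append("mentions_venue")
        if not reasons:
            continue
        lowered = post.text.lower()
        hits = [term for term in watch_terms if term.lower() in lowered]
        alerts.append({"post_id": post.post_id, "reasons": reasons, "watch_terms": hits})
    return alerts


# Constructed venue and sample feed (not real data).
VENUE = Geofence(name="Riverside Arena", lat=35.2271, lon=-80.8431,
                 radius_km=1.0, aliases=("the arena",))
WATCH_TERMS = ("badge", "schedule", "credential")
SAMPLE_POSTS = [
    Post("p1", "Waiting for doors to open, crowd is already huge", 35.2280, -80.8425),
    Post("p2", "Heading to Riverside Arena tonight, lost my badge at the hotel", 35.2400, -80.8500),
    Post("p3", "Great coffee on the north side of town this morning", 35.3000, -80.9000),
    Post("p4", "Anyone have the speaker schedule for the arena?"),
]


def demo() -> List[Dict]:
    """Run the scan over the constructed feed and return the alerts."""
    return scan(SAMPLE_POSTS, VENUE, WATCH_TERMS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The radius check is a deliberately simple circle; a real venue perimeter would usually be a polygon, and the keyword match would be replaced by the analyst's own term list, but the two-stage structure (geofence or mention first, watch terms second) is what keeps the alert volume manageable for a busy event.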
When thousands of people converge on a city, including presidential candidates, notable politicians, major donors and others, several cybersecurity concerns arise. What’s worth stealing digitally? To most cybercriminals, if it’s digital, it’s worth taking. Many assets are valuable, but the top three targets at a large event are:
- Finding the schedules of notable people and their security detail assignments;
- Being able to spoof or fake credentials online or in person; and
- Stealing personally identifiable information (PII) or the right credentials to access payment information and bank accounts.
Cybercriminals: Modern-Day Bank Robbers
The guests that arrive to attend a festive event, conference, convention or just enjoy a national holiday want to connect so they can stay in touch with loved ones, post on social media and more. This strains the infrastructure and leaves it vulnerable.
Political conventions, for example, don’t just hop onto a public network; they couldn’t leave it to fate that they’d have enough bandwidth or security. They work with various vendors to set up their own infrastructure for the event so they can monitor, protect and ensure a successfully promoted party convention.
As today’s conventions are more complex, so are today’s campaigns. Never before have they collected so much essential information that would be lucrative to so many cybercriminals. The same goes for conferences, concerts, sporting events and more. Credit card numbers, bank account information, addresses, online identities — the list of valuable assets goes on and on.
Cybercriminals are just like bank robbers in the old days: They follow the money. That is why in this day and age, if you are running a large public event that draws thousands of people, whether it be at the state, national or local level, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers.
Whose Job Is It Anyway?
Venues and cities typically handle increased demand for cellular and internet services quite competently, but often the idea that the traffic must be protected as confidential and sensitive is seen as someone else’s job. But just whose job should it be?
You aren’t going to like the answer: It’s your job to protect the traffic and its contents as confidential and sensitive. It’s also your job to have a security plan that is both digital and physical. Fundamentally, you cannot assume that safety is someone else’s job.
Event Cybersecurity Checklist
Over the course of my career, one thing rings true over and over again: A breach is inevitable, but how you plan to respond to one is not. If you create and store data, there will be cybercriminals waiting to copy it, take it, post it, ransom it or destroy it.
The answers to these five key questions will help you define your event’s security strategy checklist:
- Do we, or does a third party, track our organization physically and digitally (as an adversary would), using open source intelligence techniques?
- For large physical events or concentrated places of work or travel for our executives, have we set up geofenced locations, and do we monitor for chatter or traffic that could be targeting the people at the event or our critical data?
- Have we defined the top two assets that would destroy us if they were stolen or compromised? Have we made sure all human and technology processes ask about those two assets first?
- What’s our worst digital and worst physical nightmare? Do we have a disaster plan to address these?
- When is the last time we got all relevant parties together to conduct a tabletop exercise against our worst nightmare? If there are multiple stakeholders, do we have a simple, straightforward memorandum of understanding or agreement in place to define roles and responsibilities?
Offensive strategies with defensive mitigating controls work. A purely defensive strategy is a losing strategy. For every defense you put in the path of a cybercriminal, they will find a way to get around it to grab the data.