Cyber threats and how to be a good sport
06 August 2020
The sports sector was recently identified as a target for cyber attackers in a report published by the National Cyber Security Centre (NCSC). The report highlights the cyber threats faced by the sports sector and suggests how to stop or reduce their impact on sports organisations of all sizes – from local clubs to national federations.
Many of the report’s findings and recommendations are equally valid for other sectors and worth a read for organisations assessing measures likely to contribute to their overall security posture as well as help them to comply with the GDPR’s security principle.
The report follows a survey which found that:
- Sports organisations are more than twice as likely to experience at least one cyber incident;
- 30% of organisations recorded over 5 incidents in the last 12 months, of which just under a third resulted in direct financial damage; and
- The average cost was more than £10,000 per incident and the biggest loss, which was excluded from the averages, was over £4 million.
3 trends are identified in the report:
1. Business Email Compromise (BEC) – this is the biggest cyber threat to sports organisations and involves attackers seeking to gain access to official business email addresses which they then use to engineer such things as fraudulent payments or data theft. It’s been facilitated by increased adoption of SaaS solutions such as Office365 and GSuite which, by default, offer access from anywhere to anyone with a valid username and password combination.
Attacks can be highly targeted ‘spear phishing’ which trick users with senior roles or who can authorise financial transactions into doing the wrong thing by leveraging information about staff or the business to make communications more convincing. Attacks can also be large-scale technical attacks such as ‘credential stuffing’ (i.e. using valid username and password combinations for one site on other sites) and ‘password spraying’ (i.e. trying common passwords on large numbers of accounts using brute force). Successful attacks will usually result in putting auto-forward rules in place on compromised accounts to steal sensitive information, often over the course of thousands of emails.
Case studies provided include an MD of a Premier League club who clicked on a phishing email and was diverted to a spoofed Office365 login page where he entered his email address and password. Criminals used those credentials to impersonate the MD in emails and, during the transfer window, they amended bank details on a payment request for £1 million to divert funds. In another case study, following a staff member reporting an unusual auto-reply to their IT team as suspicious, an organisation holding athlete performance data realised that for several months 9 compromised email accounts had auto-forwarded some 10,000 emails to external email accounts.
The use of multi-factor authentication and considering a conditional access policy are mitigations recommended by the NCSC.
2. Cyber-enabled fraud – this is essentially fraud facilitated by cyber technology. It often relies on social engineering such as phishing to trick staff. Tools favoured by fraudsters include ‘typo squatting’ where a website is created which looks like a genuine brand, and ‘email spoofing’ which involves a forged sender address on an email being used to convince a recipient that the email is genuine. The report observes that despite 30% of organisations indicating that they had experienced people fraudulently impersonating the organisation in emails, very few had configured the 3 technical anti-spoofing controls recommended by the NCSC (namely SPF, DKIM and DMARC). The report includes a case study of a racecourse which sought to purchase an item of equipment for sale on eBay. The seller sent the staff member bank details via an eBay message which took the member to a spoofed version of eBay where the payment page looked legitimate so a bank transfer of £15,000 was made.
In terms of mitigations, the NCSC recommends that organisations refer to its guidance on defending from phishing attacks, as well as use of effective anti-spoofing controls on organisations’ domains to make it more difficult for fake emails to be sent from them.
3. Ransomware – 40% of attacks on sports organisations involved ransomware, a type of malware that prevents users from accessing their computer or data stored on their computer. Increasingly attackers first analyse networks to ensure that they have maximum impact by denying access to business-critical files and systems. Sports organisations typically implemented basic controls such as antivirus, firewalls and user access controls. However, almost a quarter didn’t have a patching strategy to ensure that software is kept up to date (ransomware often takes advantage of vulnerabilities for which patches already exist) or make backups of data (with the result that recovery is more difficult and costly).
A case study is provided of a football club which suffered a ransomware attack, crippling its corporate and security systems leaving it unable to use corporate email and rendering CCTV and turnstiles non-operational – almost resulting in a fixture cancellation. The infection was thought to have found its way in through remote access via the CCTV system. Once in, it spread quickly across the IT estate because all systems were connected to one network. A 400 bitcoin ransom was sought but declined. Lost income and remediation cost the club several hundred thousand pounds.
Mitigations referenced in the report include keeping devices and networks up to date, applying patches promptly, using antivirus and scanning regularly. Keeping safe backups of important files is also recommended because even if a ransom is paid there’s no guarantee that you’ll regain access. Segregating networks (i.e. by splitting a network into segments) makes it more difficult for an attacker; e.g. if a venue CCTV is compromised, an attacker can’t easily reach the main corporate IT network.
The report also uses the ransomware case study to make the point that modern sports venues have developed their IT estates over time, relying on combinations of normal office networks with internet connected industrial control systems and physical security hardware. This makes it difficult to understand fully all the ways in which an attacker can gain access. On the topic of venue mitigations, the report refers readers to its guidance on mitigating malware, preventing lateral movements, supply chain security as well as its ‘Stadium Cybersecurity Best Practices Guide’.
The report doesn’t just highlight email security and staff empowerment through training as key areas for sports organisations to review. It also addresses cyber risk management and the impact of the GDPR, recognising its role as a primary driver when it comes to organisational approaches to cyber security in the sports sector. However, the NCSC counsels organisations to look beyond ‘defensive risk management’ where an excessive focus on GDPR compliance to avoid being fined prioritises the protection of personal data over other objectives such as fraud prevention. The danger of not adopting a more holistic approach, the NCSC warns, “can mean that people focus on the wrong things, and do not identify and prioritise the security measures that would actually make their organisation safer.” That’s something for organisations in all sectors to think on.