Several rounds of intensive penetration testing, cyber war games and user awareness training were the key elements to ensuring cyber security at the Olympic Games, according to Bruno Moraes, former Rio 2016 chief information security officer (CISO).
“Incident response planning, network access control, critical infrastructure protection and integrated threat intelligence were also important,” he told the Palo Alto Networks Ignite ‘17 conference in Vancouver, Canada.
Security was particularly challenging due to the size of the infrastructure and the large number of staff, athletes and members of the press involved.
The IT infrastructure for the Rio Games included 850 servers in six datacentres, 15,000 computers in 144 venues, 100,000 network ports and 7,000 network access points, while there were more than 92,800 staff, more than 57,200 members of the press and more than 18,000 athletes all connecting to Wi-Fi.
Moraes said there were several cyber security teams working around the clock, as well as a core cyber security team working in collaboration with the Brazilian government’s incident response team and critical infrastructure protection teams, various computer emergency response teams, internet service providers and companies providing monitoring and situational awareness services.
One of the most important and useful strategies, he said, was to conduct continual security testing to raise security awareness, to progressively harden the infrastructure, and to ensure a robust response to incidents and effective collaboration between the security stakeholders in the run-up to the games.
“A big focus for us was on penetration testing and vulnerability management for all the systems, people and infrastructure involved in the games,” said Moraes.
Around 8,000 of testing, 125 tests and 15 black box tests identified 400 logic flaws and 12 potential sources of data leaks, enabling the cyber security team to eliminate opportunities to commit fraud through the ticketing portal, steal personal and confidential data, compromise computers, spread malware and gain unauthorised access to systems.
The results of the initial penetration tests were useful in getting the top executives of the Olympic Games to understand the importance of information security very early on, said Moraes.
A daring phase of the penetration testing targeted the board of directors by compromising the chief executive’s email account and using it to send fake news stories about the games to board members. This was instrumental in getting their attention, commitment and the necessary budget, he said.
“This helped to ensure that everyone understood that information security was one of the most important pillars of the games and in getting everyone to agree to the same goals around information security.”
Cyber security teams tested skills through cyber war games
To give the cyber security teams the chance to test their incident response skills and evaluate the effectiveness and readiness of security controls, Moraes conducted three rounds of increasingly sophisticated cyber war games.
After each round, the cyber security teams made necessary changes to harden the infrastructure and improve security processes to reduce the attack surface and mitigate the effect of potential attacks.
An important learning from the war game exercises was that the red team always got important information from social networks, said Pedro Prudencio, operations director of Morphus Information Security and former member of the Rio cyber security team. “So we developed a tool to collect all public social media posts about anyone connected to the Olympic Games,” he said.
As a result, the cyber security teams were alerted to the fact that volunteers were posting images that revealed details of access badges, office facilities, IT operating systems, the phone number of the IT service desk, and even IT system passwords.
This enabled the cyber security team to raise awareness of the risk of this type of social media activity and make changes where necessary to ensure attackers were not able to make use of the information already available on social media, such as by introducing two-factor authentication.
Three levels of response
Moraes said there were three levels of incident response. The first was dedicated to monitoring and triaging alerts and potential incidents, the second was dedicated to incident response and threat hunting in the infrastructure, and the third was external support in the form of reverse engineering and malware analysis.
By the time the Olympic Games started, he said a 24/7 technology operation centre had been established, with an incident response team of more than 80 people, including the red and blue teams used in the war game exercises, and 15 partner companies. There were also threat intelligence feeds available in nine different languages and daily cyber security reports to raise awareness.
“As a result, there were no successful attacks despite lots of attempts to carry out distributed denial of service [DDoS] attacks, as well as DNS amplification, spear phishing, Wi-Fi, ransomware, web application and data theft attacks,” said Moraes.
In total, his team was able to block three million attacks, identify 1,200 fake domains and take down 140 malicious websites.
One of the top lessons learned, said Moraes, which applies equally to future Olympic Games and to corporate security, is that information security must be prioritised to reduce the risk of business disruption. “Second, when you have the commitment of the board of directors, awareness and penetration testing is never too much,” he said.
Other lessons learned that are applicable to any cyber security strategy, said Moraes, include:
- Targets, assets, and threats are not the same everywhere.
- Incident response processes demand continuous and dedicated training.
- Always think like the attackers.
- Co-ordination and collaboration are key elements for success.
- An effective ecosystem of threat intelligence takes time and hard work.