Kevin McGrail understands the myriad security challenges that are converging in New Orleans this weekend, from the Super Bowl and President Trump’s attendance at the game to the fact that all this comes just more than a month after a terrorist attack in the city.
As cloud fellow and principal evangelist with Google Cloud security partner DitoWeb and in other roles, McGrail has done cybersecurity planning for a range of such high-profile events – including the Tokyo Summer Olympics in 2020 – which tend to attract the attention of cybercriminals, who are drawn to the huge number of people involved and the data and money that flow from them.
With something as large and complicated as this Super Bowl, DitoWeb – which counts the state of Louisiana as a customer – and other MSSPs won’t play a significant direct role unless they are involved in the supply chain for the event, he told MSSP Alert. However, during other such events and holidays, there is always an increased risk of cyber incidents because attackers know that resources are more constrained.
“For us, a lot of the prep is around risk analysis, brainstorming, and preparing with resources appropriate to the risk and business impact,” McGrail said. “We also will do table top exercises and walk through scenarios and incident response plans. We don't usually get to the stage of doing more than table tops in our line of work but having simulated events is ideal.”
There also are case studies of similar events in the past that can be written, he said, adding that “our goal is to have nothing happen that people feel we could have anticipated [or] prepared for better.”
Activity Draws Threat Actors
The ripples from such high-profile events tend to reach far, according to Dan Candee, CEO of Boston-based Cork Protection, which offers MSSPs and MSPs a risk insights platform. They create distractions, increased online activity, and a higher volume of transactions, all perfect conditions for phishing, smishing, and other social engineering attacks, Candee told MSSP Alert.
“Threat actors love big events,” he said, noting that in general, 88% of breaches stem from human error. “They create the perfect storm for social engineering attacks, and credential theft spikes as attackers impersonate legitimate brands, vendors, or even colleagues. The risk lies in clicking the wrong link and trusting the wrong message. Customers need more than just software; they need guidance, awareness, and protection.”
For both MSSPs and cybersecurity vendors, the mission – not only with Super Bowls but with similar events – is to help businesses be more resilient by reducing the human risk, which means education, awareness, and training so organizations recognize and avoid threats before they cause damage, he said.
A Lot of Money and Data to Be Had
There’s no mystery to why bad actors are drawn to such high-profile sporting events. Microsoft noted that the global sports market is a rich target worth more than $600 billion. The IT giant provided cybersecurity support during the 2022 FIFA World Cup in Qatar, running more than 634.6 million authentications and delivering security defenses for Qatari facilities and organizations for more than a month.
“Information on athletic performance, competitive advantage, and personal information is a lucrative target,” Microsoft’s Threat Intelligence unit wrote. “Unfortunately, this information can be vulnerable at-scale, due to the number of connected devices and interconnected networks in these environments. Often this vulnerability spans multiple owners, including teams, corporate sponsors, municipal authorities, and third-party contractors. Coaches, athletes, and fans can also be vulnerable to data loss and extortion.”
Business-critical services like point-of-sale systems, IT infrastructures, and visitors’ devices are popular targets.
An Array of Physical and Cyberthreats
Cybersecurity firm ZeroFox published a security assessment of the Super Bowl, from the broad physical security in the city – which includes drones and other surveillance tools and the presence of CISA and the Department of Homeland Security – to transportation disruptions and cybersecurity threats, which include game and travel ticket scams, betting schemes, phishing, misinformation, and unauthorized social media profiles, which can harbor fraudulent ticket sales.
“Given the Super Bowl’s global prominence, it is very likely that threat actors will exploit the event's popularity to conduct financial scams or attempt to steal personal information,” the ZeroFox researchers wrote.
This is familiar to security vendors and partners, according to Rajiv Motwani, senior vice president of threat research and detection engineering with Denver-based cybersecurity firm Todyl.
"Cybersecurity experts helping MSPs are on the lookout for email scams, phishing, malware, texts, social media, and QR codes that lure victims with Super Bowl themes like last-minute ticket availability, cheaper tickets, fake contests, merchandize, giveaways, and use celebrity names to attract attention,” Motwani told MSSP Alert. “Bad actors also purchase ads on Google and other platforms directing victims to fake betting sites that are scams.”
Self-Defense
There are ways for people and businesses to protect themselves during such events as the Super Bowl, he said, including avoiding unauthorized streaming sites – which pose such threats as malware infections – and not giving out personal or financial information without validating what the other party is claiming.
Education is the first line of defense, according to Cork’s Candee.
“During high-risk events, our focus is on awareness and training,” he said. “It’s about making people harder to trick. Even the best security tools can’t protect a business if an employee falls for a well-crafted phishing email. We work with businesses to help them recognize suspicious activity, avoid common pitfalls, and build a culture of cyber resilience.”
McGrail, with Reston, Virginia-based DitoWeb, is hoping that by the time the game kicks off Sunday, most people will no longer have to concern themselves with such things and instead “can just worry about if the Eagles or the Chiefs will score more points.”