Cyber security for high profile conferences

Comprehending Your Cyber Risks

The nature of the conference topics and the caliber of attendees will directly impact the threat level faced. This insight will inform the necessary protective measures. The first step is to analyze the context of your conference and identify potential threat actors.

The NCSC website serves as a valuable resource for up-to-date threat information, alongside sector-specific guidance for small businesses, charities, and board members. For further details, CiSP members can access additional support, and event-specific NCSC threat assessments may be available for sponsorship.

The following sections will address key factors concerning event security.

Addressing Unauthorized Guests and Disruptions

Publicized incidents of video conference disruptions underscore the need for effective identity verification processes.

Implementing strong authentication methods, such as multi-factor authentication, is advisable, particularly for presenters. Alternatively, meeting organizers should securely share passwords solely with participants.

Verification of participant identities should occur prior to sessions, with credential checks implemented to limit access from individuals in virtual lobbies.

If identification is unsuccessful, those participants should be removed from the event. Further guidelines can be found in Video Conferencing Services: Security Guidelines for Organizations.

Moderation should be enforced throughout the event, utilizing a time delay for live streams when necessary.

Mitigating Denial of Service Attacks

Refer to NCSC’s Denial of Service Guidance to implement resilient and scalable structures. Collaborate with your internet service providers to establish upstream protections.

Separating bandwidth and server capacity for high-risk areas is wise; avoid conflating essential services with high-target websites. Additional reserved bandwidth should be allocated for vital functions such as event livestreaming.

Insider Threat Preparedness

Effective event management and IT infrastructure security hinge on the reliance on trusted personnel and suppliers. It’s critical to document their actions to ensure accountability, applying to both event staff and supplier management teams.

Securing Supplier and Administrative Accounts

Gaining assurance regarding the IT devices used by conference administrators is essential.

These devices should be corporate assets managed within safe environments, preferably configured following the NCSC Mobile Device Guidelines.

Avoiding Website Defacement

Websites serve as prime targets for those seeking to undermine or embarrass conference organizers. Thus, it’s important to ensure that all web pages are developed, managed, and secured appropriately.

The OWASP Foundation is a valuable resource for guidance on identifying common vulnerabilities, secure web development, and testing methodologies.

Handling Sensitive Data

For some events, data protection might not be a prime concern. However, if attendees provide personal information during registration, this data could attract cybercriminals, especially when it is concentrated among specific sectors.

If data collection is necessary, adhere to the NCSC Guidance on Protecting Bulk Data and integrate NCSC’s secure design principles into all new developments.

Even non-sensitive sessions may have significant reputational repercussions if compromised; thus, this aspect requires careful consideration in supplier assurance processes.

On-site Challenges

Potential disruptions at the conference venue must also be evaluated.

Attendee access to Wi-Fi and other networked devices that contribute to building management systems may be vulnerable, as might the venue’s own website.

Establishing confidence that your solution’s security is adequate for identified risks is essential. This evaluation should include evidence from service providers and/or independent verification.

The NCSC has resources available to help in selecting a video conferencing platform. Larger conferences may require additional features like registration and virtual meeting rooms.

Cloud Security Principles

In all scenarios, the NCSC Cloud Security Principles serve as a comprehensive guide to essential security standards. Suppliers should be encouraged to explain their adherence to these principles.

The 14 principles encompass security considerations throughout the service life cycle, including physical and personnel security — further advice from CPNI can be consulted as needed. Use the identified risk scenarios to concentrate your assessment around these principles.

Independent Verification

Both management environments and end-user devices used by administrators require attention, alongside the core infrastructure. Independent verification (such as Cyber Essentials or ISO27001) can enhance confidence levels.

Supplier Integrity

For smaller or specialized providers, a higher degree of transparency regarding their internal architecture and processes should be expected. It’s equally important to understand how the provider utilizes third parties and the corresponding security protocols in place.

Adhering to Secure Design Principles

Suppliers must show evidence of protecting exposed interfaces through comprehensive architecture and utilizing Web Application Firewalls against common web vulnerabilities. Continuous protective monitoring ought to be established, with a focus on security throughout the software development lifecycle, including the management of software vulnerabilities. The NCSC Secure Design Principles are valuable for delving deeper into these strategies.

Conducting Penetration Tests

Whenever feasible, independent penetration tests and audits should be conducted. Specialized tests for web applications should be included as necessary, and it is advisable to utilize the NCSC IT Health CHECK scheme.

For exceptionally high-profile events, arrangements may be made for NCSC Active Cyber Defence services to be deployed before and during the conference, which could assist in identifying vulnerabilities or observing threat activities affecting the supplier.

When there is a physical venue for the conference, several other aspects need consideration. This includes providing internet access for delegates and visitors, as well as securing any smart or networked functionality within the venue. Cyber-attacks against these systems could be disruptive and cause significant repercussions.

Providing Internet Access

Internet connectivity is essential for delegates and press attending conferences.

From a functionality and reputation perspective, a network with resilient architecture, featuring redundant routers and firewalls, is preferable. The infrastructure should be regularly updated and vulnerabilities patched, with configurations audited and tested whenever possible.

Regular network monitoring and proactive management should be implemented to detect and respond to malicious activities or problems stemming from incorrectly configured guest devices.

Network traffic types should be segmented (media, event staff, delegates), with delegates treating the network as untrusted internet access.

Mitigation strategies against denial of service threats are advisable, and subsequently negotiating adequate levels of protection with your internet service provider is important. Reservation of bandwidth for guest access should be done separately from other high-risk resources, like event-linked websites.

Have contingency plans for potential Wi-Fi failures, ensuring wired connections are available for priority users.

Assessing On-site Networks

The venue should be evaluated to identify any networked systems for building management (e.g., heating, ventilation, air conditioning, lighting, fire safety, security alarms).

If remote access to these systems is possible, measures to mitigate disruption must be considered, including implementing heightened security protocols.

Evaluating Third-Party Security

The security robustness of any third-party services, such as guest transportation or security staff, needs careful consideration by event organizers. Appropriate security measures and contingency plans must be established, and specialized advice should be sought whenever necessary.