Overview
This document elaborates on the existing NCSC Cyber Security Guidelines for Major Events. Those guidelines should be read before this document; they address fundamental topics including governance, risk assessment, incident management, testing, and conducting exercises.
In this guidance, we will concentrate on analyzing cyber risks, selecting suppliers, and the processes for ensuring security. The advice encompasses both the physical and virtual elements of high-profile conferences, which are susceptible to threats due to their visibility, and any incidents could have a severe impact on reputation.
Conferences often occur in public spaces and may involve content that is not sensitive. As such, these events sometimes receive inadequate attention from a cyber security perspective.
This potential neglect is perilous since a breach at a high-profile event can lead to significant disruptions and reputational harm.
If you acknowledge the importance of cyber security for conferences, the next step is to identify the cyber risks associated with your event. This will be explored in the following section.
With a comprehensive understanding of the threats you face, you can devise strategies for risk management, integrating security expertise as necessary. Subsequent sections will focus on mitigations and their evaluations.
Important Risk Considerations
Identifying Cyber Risks
The nature of the conference topics and the profiles of attendees will affect the threats facing the event. This assessment will dictate the required security measures. An important first step is to evaluate the specifics of your conference and identify potential threat actors.
The NCSC website serves as a valuable resource for current threat information. Additionally, sector-specific guidelines are available for small businesses, charities, and board members. More detailed information is accessible to CiSP members, and in some cases, it’s possible to sponsor an event-specific NCSC threat assessment.
Next, we will review key aspects of event security.
Disruption by Uninvited Guests or Misconduct
There are numerous publicized cases of video conferences being disrupted by uninvited participants. To mitigate this risk, effective identity verification measures are essential.
Utilizing strong authentication methods, such as multi-factor authentication, is advised, particularly for presenters. If this is unfeasible, the meeting organizer ought to securely share passwords with participants.
Organizers should verify the identities of all participants beforehand and confirm these credentials before allowing entry for those waiting in a virtual lobby.
Any unverified participants should be expelled if necessary. Additional recommendations can be found in Video Conferencing Services: Security Guidance for Organizations.
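The lobby admission process described above, written out as an added example (not code from the NCSC or from any conferencing platform): attendees are pre-registered, each receives a check-in code out of band, and anyone waiting in the lobby is matched against the roster before being admitted. The roster format, the check-in codes and the lobby entries are constructed assumptions; the hashing of codes, constant-time comparison and single-use admission are design choices of this example.

```python
"""Admit participants from a video-conference lobby against a pre-registered roster.

Added example. Registration rows, check-in codes and lobby entries below are
constructed for illustration; the format is an assumption, not a real platform's API.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Registrant:
    email: str
    name: str
    code_hash: str          # SHA-256 of the check-in code sent to the attendee out of band
    admitted: bool = False  # each registration may be used to admit one participant only


def hash_code(code: str) -> str:
    """Store and compare only a hash, so the roster itself is not a list of credentials."""
    return hashlib.sha256(code.strip().encode()).hexdigest()


def build_roster(rows):
    """rows: (email, name, plaintext check-in code) as exported from registration."""
    return {email.lower(): Registrant(email.lower(), name, hash_code(code))
            for email, name, code in rows}


def decide(roster, lobby_entries):
    """Return (display_name, action, reason) for each lobby entry.

    action is 'admit' or 'remove'. Anyone not on the list, presenting the wrong
    code, or reusing a registration that has already been admitted is removed.
    """
    decisions = []
    for display_name, claimed_email, supplied_code in lobby_entries:
        reg = roster.get(claimed_email.lower())
        if reg is None:
            decisions.append((display_name, "remove", "not on registration list"))
            continue
        # compare_digest avoids leaking how many characters matched via timing
        if not hmac.compare_digest(reg.code_hash, hash_code(supplied_code)):
            decisions.append((display_name, "remove", "check-in code mismatch"))
            continue
        if reg.admitted:
            decisions.append((display_name, "remove", "registration already used"))
            continue
        reg.admitted = True
        decisions.append((display_name, "admit", f"verified as {reg.name}"))
    return decisions


# Constructed sample data (not real people or codes).
REGISTRATIONS = [
    ("alice@example.org", "Alice Example", "K7P2-QW9X"),
    ("bob@example.org", "Bob Example", "M3ZT-44LA"),
]
LOBBY = [
    ("Alice E.", "alice@example.org", "K7P2-QW9X"),   # valid, first use
    ("Keynote Guest", "mallory@example.net", "0000"),   # not registered
    ("Bob", "bob@example.org", "M3ZT-44LB"),            # wrong code
    ("Alice (2)", "alice@example.org", "K7P2-QW9X"),    # same registration again
]

if __name__ == "__main__":
    for name, action, reason in decide(build_roster(REGISTRATIONS), LOBBY):
        print(f"{action:6} {name:15} {reason}")
```

The roster holds only hashes of the check-in codes, so a leaked export of the admission list does not let a holder impersonate attendees; reusing an already-admitted registration is refused rather than admitting a second participant under the same identity, which is the case an organizer most often has to spot by hand.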
Moderation during the event is crucial. A time delay (‘profanity delay’) should be implemented for live streams when appropriate.
Denial of Service Attacks
Refer to NCSC Denial of Service Guidance, ensuring that services are resilient and scalable. Engage your internet service providers to establish upstream mitigations.
Whenever feasible, avoid sharing network bandwidth and server capacity between services that are known targets of denial of service attacks and other functions. For instance, keep essential functions such as management networks separate from public-facing websites, and designate additional bandwidth for essential services such as livestreaming the event.
Consideration should extend to related functions like registration systems.
Insider Threats
Proper management of the event and of the underlying IT infrastructure is critical for security, which means using trusted personnel and suppliers. Their activities should be logged to ensure accountability; this applies both to event management staff and to suppliers managing the underlying systems.
Compromised Supplier or Administrator Accounts
Assurance about the IT utilized by your system or conference administrators is equally vital.
These should be corporate devices managed from secure environments and ideally configured according to NCSC Mobile Device Guidance.
Website/Portal Defacement
Websites are prime targets for those aiming to discredit or embarrass conference organizers. Therefore, it’s imperative that all websites are securely designed, developed, and operated.
The OWASP Foundation provides guidance on common vulnerabilities, secure web application development, and testing. Steps outlined in the ‘gaining assurance’ section should also be implemented.
Handling Sensitive Data
While it may not apply to all events, if attendees provide personal data during registration, this creates a bulk data reservoir that can attract cybercriminals or other malicious actors. This risk is especially pronounced when the data comprises information about individuals from specific roles or sectors.
If collecting data is unavoidable, follow NCSC guidance on protecting bulk data and ensure that any new solutions adhere to the NCSC secure design principles.
Conferences may also feature closed sessions or private discussions. Although these may not be highly sensitive, the reputational repercussions of a breach could be severe, requiring careful consideration when securing supplier assurance.
On-Site Risks
The potential for disruption at the conference venue requires careful assessment.
The WiFi and internet access provided for participants could become targets, as could any network-connected devices related to building management and security.
The venue may also possess its own website, which could be at risk.
Assurance Measures
Obtaining confidence that your solution’s security is suitable for identified risks is vital. Your assessment should incorporate evidence provided by the service deliverers and/or independently gathered evidence.
The NCSC offers guidance on selecting a video conferencing platform. For larger conferences, additional requirements may include registration, virtual meeting rooms, and other specialized features.
Cloud Security Principles
The NCSC Cloud Security Principles can be leveraged as a guideline for fundamental security requirements across all cases. Suppliers should be encouraged to detail how they address these principles if they have not already done so.
The 14 principles encompass security through the lifecycle of the service and include considerations for physical and personnel security (consult CPNI for further guidance if needed). The aforementioned risk scenarios can help direct your assessment in the context of these principles.
Independent Assurance
Both management environments and the end-user devices utilized by administrators must be assessed alongside the core infrastructure. Independent assurance (for instance, through Cyber Essentials, ISO27001, or other standards) can provide a certain degree of confidence.
Third-Party Suppliers
Smaller or specialized providers should be expected to provide detailed insights into their internal workings, architecture, and processes. It is also important to understand how these suppliers utilize third-party services and the security measures in place for them.
Secure Design Principles
Suppliers should demonstrate that they are shielding exposed interfaces through a security architecture featuring layered defenses, employing Web Application Firewalls to counter common web vulnerabilities. Continuous monitoring should be instituted, and security must be part of the software development lifecycle, including managing vulnerabilities in software dependencies. Again, refer to NCSC Secure Design Principles for extensive insights.
Penetration Testing
Independent penetration tests and audits should be conducted whenever possible. Include specialized web application penetration tests where relevant. The NCSC IT Health CHECK scheme is advised.
During particularly high-profile events, arranging for NCSC Active Cyber Defence services before and during the conference can help identify vulnerabilities and detect threat activity against suppliers.
Venue-Related Considerations
When a conference occurs at a physical venue, various additional factors must be considered. These include providing internet access for delegates and visitors, as well as securing any smart or networked functionalities within the venue itself. Cyber attacks on these elements could disrupt the event and result in severe impacts.
Internet Access
Conference venues will likely need to provide internet connectivity for attendees and the media.
From both functional and reputational perspectives, a network with a resilient architecture, utilizing redundant routers and firewalls, is advisable. Ensure that the infrastructure is updated and patched against known vulnerabilities, with configurations audited and tested when feasible.
Active network monitoring and management are recommended to identify and counter any malicious activities or issues arising from misconfigured guest devices.
Segment network traffic from different user groups (such as media, event staff, and delegates). Participants should treat the network as they would any untrusted internet connection.
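As an added example of the active monitoring and segmentation recommended above (not part of the NCSC guidance, and not a real sensor's output), the following script checks DHCP offers seen on each network segment against the servers authorized for that segment. A guest device that starts handing out addresses (a travel router plugged into the delegate network, for example) shows up as an unauthorized server, and an authorized server offering addresses from another segment's range shows up as a misconfiguration. The log line format, the segment names, the address ranges and the sample lines are all constructed for this example.

```python
"""Flag DHCP offers from unauthorized servers or outside a segment's address range.

Added example. The log format mimics a network sensor recording DHCPOFFER
packets per segment; it is constructed here, not taken from any real product.
"""
import ipaddress
import re
from collections import Counter

# Constructed: the address range of each segment and the DHCP servers allowed on it.
SEGMENTS = {
    "delegates": {"prefix": ipaddress.ip_network("10.20.0.0/16"), "servers": {"10.20.0.1"}},
    "media":     {"prefix": ipaddress.ip_network("10.30.0.0/16"), "servers": {"10.30.0.1"}},
    "staff":     {"prefix": ipaddress.ip_network("10.40.0.0/16"), "servers": {"10.40.0.1"}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPOFFER segment=(?P<seg>\w+) server=(?P<srv>[\d.]+) "
    r"server_mac=(?P<mac>[0-9a-f:]{17}) offered=(?P<ip>[\d.]+)$"
)

# Constructed sample lines: one healthy offer, two from a rogue server on the
# delegate segment, one healthy media offer, and one media offer leaking a
# delegate-range address. The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-06-01T09:00:01 DHCPOFFER segment=delegates server=10.20.0.1 server_mac=00:11:22:33:44:55 offered=10.20.5.17
2024-06-01T09:00:03 DHCPOFFER segment=delegates server=192.168.1.1 server_mac=de:ad:be:ef:00:01 offered=192.168.1.100
2024-06-01T09:00:04 DHCPOFFER segment=delegates server=192.168.1.1 server_mac=de:ad:be:ef:00:01 offered=192.168.1.101
2024-06-01T09:00:07 DHCPOFFER segment=media server=10.30.0.1 server_mac=00:11:22:33:44:66 offered=10.30.2.9
2024-06-01T09:00:09 DHCPOFFER segment=media server=10.30.0.1 server_mac=00:11:22:33:44:66 offered=10.20.9.9
not a sensor line and ignored
"""


def parse(log_text):
    """Yield one dict per well-formed DHCPOFFER line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_dhcp_anomalies(log_text):
    """Return [(segment, server_ip, server_mac, reason, count), ...].

    Offers are grouped by server and reason so a chatty rogue device produces
    one finding with a count rather than one alert per lease.
    """
    findings = Counter()
    for ev in parse(log_text):
        seg = SEGMENTS.get(ev["seg"])
        if seg is None:
            findings[(ev["seg"], ev["srv"], ev["mac"], "offer on unknown segment")] += 1
            continue
        if ev["srv"] not in seg["servers"]:
            findings[(ev["seg"], ev["srv"], ev["mac"], "unauthorized DHCP server")] += 1
        elif ipaddress.ip_address(ev["ip"]) not in seg["prefix"]:
            findings[(ev["seg"], ev["srv"], ev["mac"], "offered address outside segment range")] += 1
    return [(*key, n) for key, n in findings.items()]


if __name__ == "__main__":
    for seg, srv, mac, reason, n in find_dhcp_anomalies(SAMPLE_LOG):
        print(f"[{seg}] {reason}: server {srv} ({mac}), {n} offer(s)")
```

Keying findings on (segment, server, reason) gives the on-site team one actionable line per misbehaving device, including the MAC address needed to locate the port it is plugged into; the same structure extends to other per-segment checks, such as a client MAC appearing on two segments at once.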
It is prudent to arrange for upstream denial of service mitigation and to negotiate an adequate level of protection with the Internet Service Provider. Reserve separate bandwidth for guest internet access, differentiating it from bandwidth linked directly to event-related denial of service targets, like related websites.
Should WiFi issues arise, having a contingency plan ready is critical. For example, ensure wired connections are prioritized for essential users.
On-Site Networks
Assess the venue to check if there are any networked systems for building management, including heating, ventilation, air-conditioning, lighting, fire or security alarms.
If they exist, consider the risk of remote access to these systems, as such access could be exploited to create disruptions. Measures should be implemented to minimize this risk.
A blend of physical security and personnel security measures is also advisable to safeguard these devices from tampering.
Third-Party Considerations
The security and resilience of third-party services must also be scrutinized. This encompasses services related to guest transportation or security staff, necessitating proper security measures and contingency plans. Seek specialized advice where appropriate.
Cyber Security Checklist for Events
While you should familiarize yourself with the guidance thoroughly, this checklist may be beneficial to ensure that no important aspects are overlooked.
- Involve Internal Security Teams Early: For particularly high-profile events, reach out to the NCSC, who may provide tailored advice and support.
- Refer to Cyber Security for Major Events: This document provides general guidance on governance, risk assessment, incident management planning, and exercising.
- Identify Specific Threats for Your Event: Evaluate any resulting risks, including the scenarios discussed in this guidance.
- Consider Top-Level Security Requirements: Review these requirements before soliciting potential suppliers.
- Understand Hosting and Service Architecture: Evaluate how and where your services will be hosted.
- Assess Suppliers Adequately: For smaller providers or specialized services, seek deeper insights into their internal design and operations. Request independent assurance, including a pre-event penetration test.
- Investigate NCSC Active Cyber Defence or Threat Monitoring Services: Determine if such offerings could help safeguard the service and its management environment(s).
- Evaluate Risks to IT Infrastructure at the Venue: Examine guest internet access provisions and any building management or security networks. Ensure these systems are properly configured, patched, updated, and resilient to denial of service attacks.
- Devise and Test an Incident Management Plan: For major events, contact the NCSC in advance to establish points of contact.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/cyber-security-for-high-profile-conferences