Cyber security for high profile conferences

Overview

This document provides additional context to the existing NCSC Cyber Security Guidance for Major Events, which should be reviewed beforehand. It encompasses critical elements such as governance, risk management, incident response, testing, and practical exercises.

We will delve into cyber risk evaluation, supplier selection, and the process of assurance. This guidance addresses both the digital and physical dimensions of high-profile conferences, which are inherently attractive targets for cyber threats, and where any breach could lead to significant reputational harm.

Although conferences are generally held in open environments and typically contain limited sensitive information, they still often receive inadequate attention regarding cybersecurity.

This oversight poses a danger as any compromise of a high-profile event could lead to dire disruptions and reputational loss.

Once you acknowledge the significance of cybersecurity in conferences, it’s vital to comprehend the cyber risks your event may encounter. The next section will guide you in this area.

With a clear understanding of potential threats, you can strategize on how to manage those risks effectively, involving security expertise when necessary. Further discussions on mitigations and their evaluations will follow in subsequent sections.


Essential Risk Considerations

Comprehend Your Cyber Risks

The themes of the conference and the status of its attendees will dictate the level of threats faced. An essential initial step should involve analyzing the context of your specific event and identifying any potential threat actors.

The NCSC website serves as a reliable source for up-to-date threat intelligence. Additionally, specialized guides are available for small businesses, charities, and board members. Those who are members of CiSP can access additional insights, and, in some instances, it may be feasible to sponsor a detailed event-specific NCSC threat assessment.

The next points will address key elements of event security.

Interference by Unauthorized Guests

There are multiple documented instances of online conferences being disrupted. To safeguard against this risk, effective identity verification measures will be necessary.

We recommend implementing strong authentication methods, such as multi-factor authentication, especially for presenters. If this is not feasible, meeting organizers should securely share passwords only with verified participants.

Event organizers must also verify the identities of all participants before the event, checking credentials prior to granting access to virtual waiting areas.

Participants who cannot be successfully identified should be removed from the event as needed. For additional guidance, refer to Video Conferencing Security Guidelines for Organizations.

Active moderation should occur during the event, and a delay (commonly known as a ‘profanity delay’) should be employed for live broadcasts, when applicable.

Denial of Service Attacks

Adhere to the NCSC Denial of Service Guidance to ensure that your services are built to be resilient and scalable. Request that your internet service providers implement upstream mitigation strategies as well.

Where feasible, avoid sharing bandwidth and server resources between likely targets of denial of service attacks. For instance, do not host essential functions, such as management networks, alongside public-facing websites. Allocate additional reserved bandwidth for critical services, such as live streaming of the event.

It’s essential to also consider functions related to registration.

Insider Threats

Secure management of the event and its underlying IT infrastructure is crucial. Therefore, utilize trusted personnel and suppliers whose actions should be logged for accountability. This applies to both event staff and suppliers maintaining any supporting systems.

Compromised Accounts of Suppliers or Administrators

It is vital to ensure the integrity of the IT systems and accounts used by your system or conference administrators.

Devices utilized should belong to the organization and be managed within secure environments. Ideally, they should comply with NCSC Mobile Device Guidance.

Website Security

Websites are often targeted by individuals seeking to undermine or embarrass conference organizers. Ensure that all websites are securely designed, developed, and maintained.

The OWASP Foundation offers resources regarding common vulnerabilities, secure web application development, and testing strategies. Consider implementing the steps outlined under ‘gaining assurance’.

Protection of Sensitive Data

This may not pose a concern for all conferences; however, if attendees (whether virtually or physically present) provide personal information during the registration process, it could create a significant target for cyber threats. This is especially pertinent if the data concentrates on individuals within a specific sector or role.

If data collection is unavoidable, refer to the NCSC guidelines on safeguarding bulk data and ensure that any new solution designs incorporate the NCSC secure design principles.

Some conferences may also feature closed sessions or private discussions. Even if these are not particularly confidential, the reputational fallout from a breach could be severe, necessitating careful consideration when assessing the reliability of suppliers.

On-Site Risks

The potential for disruptions at a conference venue must also be taken into account.

WiFi and internet access for participants may become targets, as could any network-connected devices associated with building management and security.

The venue may also maintain a separate website that could be vulnerable.



Ensuring Assurance

It’s vital to establish confidence that your solution’s security is adequate for identified risks. This evaluation should incorporate evidence presented by those providing the services and/or independently gathered evidence.

The NCSC offers guidance on selecting a video conferencing platform. In larger conferences, there may be additional needs for registration, virtual meeting spaces, and other specialized features.

Cloud Security Principles

In all scenarios, consider referring to the NCSC Cloud Security Principles for fundamental security requirements. Encourage potential suppliers to outline how they meet these principles.

The fourteen principles encompass security throughout the service lifecycle, including physical and personnel security (consult CPNI for additional guidance on these topics, if necessary). The risk scenarios discussed above can help direct the assessment according to these principles.

Independent Assurance

Evaluate not only the management environments and end-user devices used by administrators but also the core infrastructure. Independent assessments (like Cyber Essentials certification, ISO27001, and other standards) can enhance confidence levels.

Assessment of Independent Suppliers

Smaller or specialized vendors should provide more detailed insights regarding their internal architecture and processes. Understanding their use of third parties and the corresponding security arrangements is also essential.

Secure Design Principles

Suppliers should demonstrate how they protect exposed interfaces with a defence-in-depth architecture and employ Web Application Firewalls to guard against common web vulnerabilities. They should implement protective monitoring and maintain security throughout the software development lifecycle (including managing vulnerabilities in any software dependencies). Once again, refer to the NCSC Secure Design Principles for detailed advice.

Penetration Testing

Independent penetration tests and audits should be conducted whenever possible. Comprehensive web-application penetration tests should be included as appropriate, along with the recommended NCSC IT Health CHECK scheme.

For exceptionally high-profile events, arranging for NCSC Active Cyber Defence services before and during the conference can assist in identifying vulnerabilities or detecting threat activity against a supplier.


Venue-Related Considerations

In cases where the conference is held in a physical venue, additional factors must be taken into account. These include providing internet connectivity for participants and addressing the safeguarding of any smart or networked functionalities present in the venue. A cyber attack on these could be disruptive and create significant consequences.

Internet Connectivity

It is essential for both delegates and press members attending conferences to have internet access.

A robust network architecture that employs redundant routers and firewalls would provide both functionality and reputation protection. This infrastructure should be updated and patched against known vulnerabilities, with configurations audited and tested wherever feasible.

Regular network monitoring and proactive management are advisable to detect and mitigate any malicious activities or issues arising from misconfigured user devices.

Furthermore, it is recommended to segment the network traffic across various user groups (such as media, event staff, and delegates). Delegates should treat the network as an untrusted connection.

Put denial of service mitigation in place ahead of the event, and agree a minimum level of protection with the Internet Service Provider. Bandwidth for the guest internet should be reserved separately from that of likely denial of service targets, such as event-related websites.

Develop a contingency plan for any disruptions in WiFi services. For instance, establish wired connections for users deemed appropriate.

On-Site Networks

Assess the venue for any attached systems used for building management, including heating, ventilation, air conditioning, lighting, fire, or security alarms.

If such systems are identified, consider the potential risks of remote access, as they could be manipulated to cause disruptions. Implementing measures to mitigate these risks may be necessary.

Employing a combination of physical and personnel safeguards around these devices is also advisable to prevent tampering.

Third-Party Vendors

The security and resilience of third-party services should be evaluated by event organizers, including those associated with guest transportation or security personnel. These services require appropriate security protocols and contingency plans. Seek specialized advice as needed.


Event Cyber Security Checklist

It’s essential to review and understand the guidance first, but this checklist can help ensure that no important aspects are overlooked.

  1. Involve Internal Security Teams Early

    For particularly high-profile events, contact the NCSC as they may provide tailored guidance and assistance.

  2. Consult Cyber Security for Major Events

    This document offers general guidance on governance, risk assessment, incident management planning, and exercises.

  3. Identify Specific Threats for Your Event

    Evaluate any associated risks, including potential scenarios mentioned in this document.

  4. Consider Primary Security Needs

    Review those covered in this guidance before engaging potential suppliers.

  5. Understand Hosting Locations and Service Architecture

    Gain clarity on how and where services will be hosted.

  6. Evaluate Suppliers

    Conduct detailed assessments of suppliers.

  7. For Smaller or Specialized Suppliers

    Seek deeper insights regarding their internal design and operations, along with independent assessments which should include pre-event penetration tests.

  8. Explore NCSC Active Cyber Defence or Threat Monitoring

    Investigate if these offerings can assist in protecting the service and related management frameworks.

  9. Assess Risk to Venue IT Infrastructure

    Include considerations of guest internet access and networked building management and security. Ensure these systems are properly configured, updated, tested, and resilient against denial of service attacks.

  10. Develop an Incident Management Plan

    Test this plan when feasible. For major events, contact the NCSC in advance to establish communication points.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/cyber-security-for-high-profile-conferences
