Cyber security for high profile conferences

Overview

This document builds upon existing NCSC Cyber Security Guidelines for Major Events and aims to cover essential elements such as governance, threat assessment, incident management, and testing processes.

Our emphasis will be on analyzing cyber risks, selecting service providers, and establishing assurance protocols. The guidance addresses both physical and online components of high-profile conferences, which are particularly vulnerable targets for attackers and can experience severe reputational damage if incidents occur.

Conferences typically take place in public venues and may not always involve sensitive material. Consequently, they can receive less attention regarding cybersecurity than warranted.

This oversight is a critical risk, as compromising a major event could lead to significant disruption and reputational harm.

Recognizing the importance of cybersecurity for conferences is just the beginning; the next step is to comprehend the cyber risks your event confronts. We will explore this further in the subsequent section.

With a comprehensive grasp of the potential threats, you can devise strategies to manage these risks, involving security experts as necessary. Future sections will concentrate on mitigations and their evaluations.

Critical Risk Factors

Identify Cyber Risks

The type of conference topics and the profile of the participants will impact the level of threats faced by the event. Thus, it is vital to evaluate the specific circumstances of your conference and possible threat actors.

The NCSC website offers insight into current threat landscapes. Additionally, there are sector-specific resources available, such as those for small enterprises, charities, and board members. Members of CiSP can access more detailed information, and in certain instances, it may be possible to arrange a tailored NCSC threat assessment for your event.

Next, we will highlight key components of event security.

Disruption from Unauthorized Guests

There are numerous documented instances of video conference disruptions. To mitigate this risk, effective identity verification processes are essential.

Implement robust authentication methods (e.g., multi-factor authentication), especially for speakers. If this is not feasible, organizers should securely distribute passwords to participants only.

Organizers must also confirm the identity of participants beforehand and authenticate these credentials before granting access from a virtual waiting room to the conference.

Any participant whose identity cannot be verified should be removed. Additional recommendations can be found in Video Conferencing Security Guidance for Organizations.

During the event, moderation should be enforced. For live streams, a broadcast time delay (known as a ‘profanity delay’) may be necessary.

Denial of Service Attacks

It is important to adhere to NCSC Denial of Service Guidelines and ensure that services are built to be resilient and scalable. Also, request that your internet service providers implement upstream protections where achievable.

Whenever possible, avoid sharing bandwidth and server resources between obvious targets for denial of service attacks. For instance, refrain from co-locating websites with critical functions, such as management networks. Allocate separate bandwidth for crucial services like event livestreaming.

Do not overlook supporting services, such as those used for registration, when planning denial of service protections.

Internal Threats

Managing the event and the underlying IT infrastructure is crucial for security. It is essential to employ trusted personnel and suppliers whose actions are logged for accountability. This applies to both the event staff and the system administrators.

Compromised Supplier or Admin Accounts

It is equally critical to ensure the safety of any IT systems used by your conference administrators.

These systems should comprise corporate devices managed in secure environments and ideally adhere to NCSC Mobile Device Guidelines.

Website Defacement

Websites are prime targets for those aiming to undermine or embarrass conference organizers. Thus, it is essential to ensure that all websites are designed, developed, and maintained with security as a priority.

The OWASP Foundation provides guidance on addressing common vulnerabilities, secure web application development, and assessment. The measures outlined below under ‘gaining assurance’ should also be implemented.

Handling Sensitive Data

While this might not pose a challenge for every event, collecting personal information during registration creates a data repository that is attractive to cybercriminals. This is especially true when the data covers individuals from specific sectors.

If data collection cannot be avoided, it is critical to follow NCSC Guidance on Bulk Personal Data Protection. Additionally, any new system designs should consider NCSC Secure Design Principles.

Some conferences include closed sessions or private discussions whose exposure could cause reputational damage, so the handling of this material should be assessed thoroughly when evaluating supplier reliability.

On-Site Threats

The potential for disruption at the conference venue must also be evaluated.

Internet access for attendees could be compromised, as could any network-connected devices related to building management and security, as further detailed below.

The venue may also feature its own website, which could be vulnerable to attacks.


Securing Assurance

It is vital to ensure that the security measures in place adequately address the identified risks. This evaluation should involve verifying evidence presented by service providers and/or gathering independent insights.

The NCSC offers guidelines for selecting a video conferencing platform. Larger conferences may have additional requirements for registration, virtual meeting rooms, and other specialized functionalities.

Cloud Security Principles

In these cases, the NCSC Cloud Security Principles can serve as a framework for meeting fundamental security needs. Suppliers should be encouraged to articulate how they comply with these principles.

The fourteen principles address security throughout the service lifecycle and include considerations for both physical and personnel security (consult CPNI for further guidance on those areas, if necessary). The risk scenarios mentioned earlier can be leveraged to focus the assessment on these principles.

Independent Verification

Evaluate not only the management environments and end-user devices used by administrators, but also the core infrastructure. Independent verification (e.g., through Cyber Essentials, ISO27001, and other standards) can provide some level of reassurance.

Third-Party Assurance

For smaller or niche providers, it is reasonable to expect detailed disclosures regarding their internal architecture and procedures. Additionally, it is essential to understand how the provider uses third parties and what security arrangements govern those third-party relationships.

Secure Design Practices

Providers should demonstrate protection for exposed interfaces using a layered security architecture, including the deployment of Web Application Firewalls to mitigate common web vulnerabilities. Protective monitoring must be established, and security planning should cover the entire software development lifecycle, including managing vulnerabilities in software dependencies. Again, the NCSC Secure Design Principles should be consulted for more comprehensive advice.

Penetration Testing

Independent penetration tests and audits should be conducted where feasible. Specialized web application penetration tests should be included when appropriate, and the NCSC IT Health Check (CHECK) scheme is recommended.

For extremely high-profile events, it may be possible to arrange for NCSC Active Cyber Defence services to be available before and during the conference to identify vulnerabilities or detect threats against a provider.


Venue-Related Considerations

When a physical conference venue is involved, additional factors must be taken into account. These include the provision of internet access for attendees and visitors, and the safeguarding of any smart or network-enabled functionality at the venue. Cyber attacks on these systems could be disruptive and have considerable consequences.

Internet Access

Delegates and media representatives will likely require internet access in conference venues.

From both operational and reputational standpoints, a network with a resilient architecture, employing redundant routers and firewalls, is advisable. The infrastructure should undergo regular updates/patching for any known vulnerabilities, and configurations should be audited and tested when possible.

It is advisable to implement active network monitoring and management to detect and respond to any malicious activities or issues arising from misconfigured guest devices.

Network traffic should be segmented among different user groups (such as media, event staff, and attendees). Delegates should treat this network as an untrusted internet connection.

Negotiate an acceptable protection level with your Internet Service Provider for upstream denial of service mitigations. Ensure guest internet access bandwidth is reserved separately from that allocated for identified denial of service targets, such as event-related websites.

A contingency plan should be established in case of internet access issues, such as providing wired connections to priority users.

On-Site Networks

Evaluate the venue to identify any networked systems in place for building management functions like HVAC, lighting, fire safety, or security alarms.

If such systems exist, consider their potential for remote access and whether they could be exploited to create disruption. Measures to mitigate this risk may be needed.

Implement a blend of physical and personnel security measures around these devices to prevent tampering.

Third-Party Services

The security and resilience of third-party services must be evaluated by event organizers. This could encompass transportation for guests or security personnel. Appropriate security levels and backup plans should be established for these services. Specialist guidance should be sought as necessary.


Cyber Security Checklist for Events

While reviewing this guidance is essential, the following checklist may help ensure that all critical points are addressed.


  1. Engage Internal Security Teams Early

    For high-profile events, reach out to the NCSC for specialized advice and support.


  2. Consult Cyber Security for Major Events

    This will provide you with general advice on governance, risk assessments, incident management, and testing protocols.


  3. Identify Specific Threats for Your Event

    Evaluate any resulting risks, including those discussed in this guidance.


  4. Consider Top-Level Security Requirements

    Review these before approaching potential suppliers.


  5. Understand Hosting and Service Architecture

    Be familiar with how and where services will be hosted.


  6. Evaluate Suppliers


  7. For Smaller or Specialized Providers

    Seek deeper insights into their internal structure and processes. Identify the need for independent assurance, including pre-event penetration testing.


  8. Explore NCSC Active Cyber Defence Services

    Determine whether any NCSC Active Cyber Defence or threat monitoring services might be available to protect the environment.


  9. Assess Venue IT Infrastructure Risks

    This includes evaluating any guest internet access provisions and linked building management and security systems. Ensure they are properly configured, up-to-date, and resilient against denial of service attacks.


  10. Establish an Incident Management Plan

    Test this plan if feasible and, for major events, contact the NCSC in advance to establish points of contact.
