Winter Olympics 2018: Hackers Going for Gold

During past Olympic Games in Beijing, London, and Brazil, there were reportedly millions of attempted cyberattacks a day, of which some were successful. As the breadth and depth of technology used in conjunction with the Games expands, everything from VR to IoT, the attack surface widens and attackers find more creative at ways of leveraging this monumental event for malicious purposes. It seems this year is no different.Reportedly, there was a ‘hack’ on the organizing committee's servers before the Opening Ceremony in Pyeongchang, causing "malfunction of the internet protocol televisions." As a precaution, the servers as well as the Olympic website were shut down, but restored a day later. It appears McAfee has also uncovered a variant of GoldDragon malware that allows adversaries to profile a targeted system and send the results to a control server.Needless to say, security professionals charged with overseeing the event have their hands full as hackers try to go for gold. To protect the Olympics, South Korea has employed cybersecurity analysts and 50,000 soldiers, in what has been described as "one of the most militarized security forces in Olympic history." And for good reason.“The largest cyber threat to the Winter Games comes from non-state actors. Hacktivists, cyberterrorists, and fame seekers all see the Olympics as a great venue for their personal cause, whether it's personal fame, the propaganda of a political message or harm for a political purpose,” warns Ross Rustici, senior director for intelligence services for Cybereason.Perhaps the most concerning security hole hackers can leverage is the large reliance on third party vendors during the game. From an operations perspective, one can only imagine the hundreds of vendors being used for various purposes across various areas of the games. Of these services, IoT seems to pose the greatest threat, especially connected medical devices.“As the technology used in the Olympics evolves, so do the cybercriminals who now target the many connected medical devices that the athletes use. The Olympics exemplify the emerging cybersecurity threats in healthcare, specifically medical device cybersecurity, which is a part of the wave of IoT devices connecting to networks. Hospitals all over the globe are struggling to face off with this new cybersecurity challenge,” explains Jonathan Langer, co-founder and CEO of Medigate.When you consider the multiple countries in attendance and so many sports organizations, each with their own infrastructure, layered on top of the devices and vendors already put in place at the Games, cybersecurity becomes a sport in its own right."Remote hackers could stage denial-of-service attacks on networks supporting the games or steal travelers’ credit card data," writes Wired.com. " They might try to sabotage the Games by altering drug test data, interfering with scoring systems, or doxing competitors by releasing private information to embarrass or distract them before a big event. There are endless avenues that lone wolves, terrorist groups, criminal organizations, or state agents can take to achieve an equally broad range of nefarious goals."With endless possibilities, the question becomes where should those tasked with defending the integrity and safety of the Games focus? It's a similar question for professionals working in the field and unfortunately not an easy answer. Not to mention the threats go beyond just those directly targeting the Olympic Games themselves but include those targeting attendees, mostly in an effort to earn money scamming tickets. Experts advise spectators to follow these guidelines to limit personal security risk:

1. Limit WiFi and Bluetooth usage. Do not connect to unknown networks.
2. Install mobile software updates
3. Use strong passwords and enable two-factor authentication when possible
4. Avoid using sites and services that require personal information for login
5. Enable a lock screen on your device

What the Olympic Games teach us, apart from teamwork, dedication, and respect, is that cybersecurity will continue to become more complex and professionals must be prepared to play on a field that is constantly evolving with many layers. Unfortunately, the cyber 'games' are on the terms of the hackers, so identifying your weaknesses early on and taking precautions against them will rightfully serve you in the long run.Although the Olympics are a global, highly publicized event with an especially complex attack surface, it appears that the trend towards more layered security leveraging multiple vendors and devices will only continue to grow. Practitioners should prepare to defend their organizations as though this was already the case; closely examining vendors and aligning policies to ensure ultimate protection and pinpointing exactly who is responsible for the security of IoT devices.The quicker we adapt the multi-faceted security mindset, the more secure we will be. For those practitioners interested in taking their training to the next-level, follow the CASP learning path to advanced knowledge of enterprise security, incident response, and risk management.

• FREE CASP Course
• CASP Virtual Lab 
• CASP Practice Test 
• CASP Exam Voucher (US Only)
• CASP Certification Learning Essentials (US Only)

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.