Managing third-party risk in the SaaS era demands a proactive, data-driven approach beyond checkbox compliance.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTRY

In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks.

Let's explore how organizations that rely heavily on SaaS apps can evolve their TPRM strategies to face modern security challenges head-on.

**The Growing Complexity of SaaS Oversight**

SaaS adoption is growing rapidly, bringing organizations convenience and flexibility. According to B2BSaaS estimates, the SaaS market was valued at $273.5 billion in 2023 and is expected to grow to $1.2 trillion by 2032. However, this growth also comes with an expanded attack surface and more complex data flows. For organizations handling sensitive customer data and navigating strict regulations, these challenges are critical.

Two trends amplify these challenges:

*   Explosion of SaaS apps: Companies use hundreds of SaaS and cloud apps, many introduced without official approval, complicating security oversight. Shadow IT often results in blind spots, making it harder to assess overall security.
    
*   Evolving threat landscape: Attackers increasingly target third-party vendors. Generative AI (GenAI) has further complicated the landscape, enabling attackers to enhance tactics and exploit integration points, misconfigured cloud services, and stolen credentials. The Okta breach of 2023 demonstrated the potential scale of damage from a supply chain attack.
    

These challenges highlight the inadequacy of relying solely on traditional security questionnaires and annual SOC 2 reports. Continuous visibility into vendors' security practices is essential for effective risk management.

**The Problem With Traditional Third-Party Risk Reviews**

Traditional risk reviews involve substantial manual effort and fall short in addressing modern threats:

*   Inefficient manual processes: Manually sending, tracking, and analyzing vendor questionnaires consumes excessive time and energy and delays the resolution of security issues.
    
*   Superficial questions: Generic Yes/No queries (e.g., "Do your developers follow secure coding practices?") fail to assess the effectiveness of vendors' security measures. More specific questions, tied to real-world scenarios, often yield actionable insights.
    
*   Outdated reports: Reports like ISO 27001 and SOC 2 quickly become obsolete in evolving SaaS environments. The emergence of GenAI has further accelerated the pace of change, necessitating updated, dynamic assessments.
    

**Evolving TPRM to Handle Modern SaaS Challenges**

To tackle these issues, organizations must adopt agile, data-centric approaches to vendor security:

1.  Embrace real-time assurance through trust centers. SOC 2 reports are a starting point, but critical vendors should offer ongoing visibility through automated trust centers. Tools like Sprinto, Drata, and Vento provide real-time insights into security controls and compliance, enabling proactive decisions.
    

1.  Make questionnaires smarter. Replace generic questionnaires with tailored assessments that probe deeper. Focus on how controls are implemented and monitored. For example, shift from "Do you secure ABC?" to "How do you secure ABC, and how do you verify its effectiveness?" Questions that examine metrics and outcomes help uncover the true state of security.
    
2.  Address talent gaps and boost technical expertise. Invest in developing skills in cloud security, SaaS configuration, and API management. Training internal teams or partnering with specialized vendors can bridge expertise gaps. The SolarWinds breach of 2020 underscores the need for visibility into supply chain vulnerabilities. Workshops and certifications can enhance team capabilities, keeping them informed of evolving risks.
    
3.  Include shadow IT and "free" tools. Review unpaid apps, open source tools, and browser extensions — often overlooked but risky. Shadow IT tools, while offering productivity, introduce unknown risks. Assessing these apps before they integrate into workflows reduces unexpected exposure. Include them in audits to ensure they meet baseline security standards.
    
4.  Use modern tools, not spreadsheets. Transition from spreadsheets to SaaS security posture management (SSPM) tools, which monitor misconfigurations, excessive permissions, and suspicious activities. AI-powered tools can further analyze vendor responses and highlight inconsistencies. Leveraging these tools saves time and enhances accuracy.
    

**What Can You Do When Revamping Your TPRM Strategy**

Evolving TPRM processes isn't easy. Avoid common pitfalls:

*   Avoid risky inaction: Delaying updates to vendor management increases exposure. Start with small, impactful improvements and scale gradually.
    
*   Avoid overcommitting resources: Implement changes incrementally, prioritizing high-impact areas. This ensures resource efficiency without overwhelming teams.
    
*   Set realistic expectations for AI: Leverage AI where it adds value while recognizing its limitations. AI tools should complement, not replace, human oversight.
    
*   Ensure team alignment: Align team skills with new vendor security goals. Equip teams to manage technical assessments effectively. Feedback loops can ensure continuous improvement and alignment with organizational objectives.
    

**What We Can Take From This**

Managing third-party risk in the SaaS era demands a proactive, data-driven approach. Organizations must go beyond checkbox compliance by leveraging real-time assurance, tailored assessments, and automation. Modernizing TPRM is essential to address the complexities of SaaS security.

While challenging, particularly for smaller organizations, the benefits of preventing breaches and protecting reputations outweigh the costs. Organizations can manage expenses effectively by prioritizing critical vendors and adopting phased changes while enhancing third-party risk management. The commitment to proactive strategies ensures resilience against an ever-evolving threat landscape.

**About the Author**

Information Security Officer, IMC Trading

Jatin Mannepalli, CISSP, CCSP is an information security officer (ISO) at IMC Trading, where he brings a deep commitment to managing security and risk across organizations. With more than 10 years of experience in the InfoSec space, he has built and led information security and risk management teams, and has also worked as a security consultant for major consulting firms like McKinsey & Company. Jatin is passionate about security governance and risk management, as well as developing technology-driven, customer-focused strategies that prioritize both organizational success and client satisfaction. Known for his holistic approach, he is dedicated to fostering a culture of security that aligns with the organization’s broader goals. In addition to his professional accomplishments, Jatin is recognized as one of the top voices in Information Security on LinkedIn. In his leisure time, he volunteers to promote security awareness in local communities and contributes to the cybersecurity community by helping develop exams for ISC2.

The Old Ways of Vendor Risk Management Are No Longer Good Enough

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances.
The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0.
"Due to a flaw in the multi-line SNMP result parser, authenticated users can inject

Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

Broadcom has alerted of a high-severity security flaw in VMware Avi Load Balancer that could be weaponized by malicious actors to gain entrenched database access.
The vulnerability, tracked as CVE-2025-22217 (CVSS score: 8.6), has been described as an unauthenticated blind SQL injection.
"A malicious user with network access may be able to use specially crafted SQL queries to gain database

Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer

Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-c476-j253-5rgq: Apache Hive Incorrectly Assigns Permissions for a Critical Resource

Cybersecurity can't always be "Department of No," but saying yes all the time is not the answer. Here is how to enable innovation gracefully without adding risk to the organization.

Source: Javier Sanchez Mingorance via Alamy Stock Photo

Question: There are times when cybersecurity teams need to say, "No" to business stakeholders. What is the best way to go about it?

Answer: Saying "yes" in business feels good, but, unfortunately, it's not always possible. And among security departments, saying no isn't happening often enough. In its effort to avoid roadblocks to innovation, security leaders are saying yes too often, according to Rami McCarthy, an industry veteran, leader, and security researcher who blogs on security leadership and management. Instead, a deliberate, strategic no is necessary to ensure security isn't too permissive. Avoiding these hard conversations can lead to delayed decisions, technical debt, and burned-out teams.

If you need to say no, here are seven tips for doing so in a strategic, clear, and constructive way.

1\. Provide context: A flat-out no without an explanation leaves teams frustrated and unclear about risks or alternatives. Security professionals should explain the reasoning behind their decisions and offer actionable next steps, says McCarthy in a recent blog post about saying no.

"Security should not own most risks, so conversations should be about advising a business owner rather than outright denial," he says.

2\. Say no early: The later security intervenes, the more disruptive it becomes. Address potential risks at the earliest stages to allow for smoother course corrections. Avoid "aggressive passivity," where security hesitates to voice concerns until it becomes too late to address them efficiently.

"Belated nos disrupt delivery, create technical debt, and lead to burned-out teams," McCarthy says.

3\. Offer secure alternatives: Saying no should never be a dead end. Providing secure, preapproved alternatives helps teams achieve their goals safely. Even if the perfect solution isn't available yet, pointing to a road map fosters goodwill. Offering alternatives helps prevent roadblocks and build collaboration, McCarthy says.

4\. Be consistent: Inconsistent decisions undermine trust and create confusion. Security teams should establish clear policies and standards that allow stakeholders to anticipate decisions. Consistency builds credibility and reinforces a sense of fairness across the organization.

"Inconsistency in saying no leads to stakeholders who don't know what to expect — and that'’s a fast way to lose trust,” McCarthy notes.

5\. Align with business goals: Security should not operate in a vacuum. When saying no, it's crucial to align the decision with business priorities and risk tolerance.

"Security doesn't just mitigate risk — it enables the company to take smarter, bolder risks,” McCarthy says.

6\. Foster open communication: Encouraging dialogue between security and other teams builds trust and lowers barriers. Hosting "ask-me-anything" sessions, lunch-and-learn events, or open office hours can create an environment where security is seen as a partner rather than a blocker.

"Security teams that listen actively and engage in dialogue build a sense of partnership with employees,” says cybersecurity adviser Tom Van de Wiele.

7\. Balance empathy with pragmatism: Empathy is key, but it must be balanced with practical decision-making, according to behavioral scientist and cybersecurity expert Jessica Barker, MBE Ph.D.

"Empathy is not about being nice and saying yes when we mean no," she says. "It’s about reflecting understanding and explaining decisions without being defensive."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

7 Tips for Strategically Saying 'No' in Cybersecurity

The impetus for CrowdStrike's new professional services came from last year's Famous Chollima threat actors, which used fake IT workers to infiltrate organizations and steal data.

Source: Andrea Danti via Shutterstock

When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat-hunting service discovered endpoint telemetry indicating that the company might have at least one fake IT employee working for it, many were initially doubtful that they were among those affected.

Upon further investigation, though, it turned out that 40% of them were victims of a North Korean APT group that recruits people to apply for open tech jobs and, when hired, use their network access to deploy malware and steal data. The spike in activity by the group, known as Famous Chollima, was the impetus for last week's launch of CrowdStrike's Insider Risk Service, a set of professional services for detecting rogue IT workers and improving hiring practices.

Famous Chollima — threat actors from North Korea — used rogue IT workers to infiltrate over 300 companies, according to a May announcement by the US Department of Justice. Several perpetrators were charged with allegedly defrauding US companies using online job sites and payment platforms with locally hosted proxy computers. Victims discovered malicious IT employees installed malware, notably BeaverTail or InvisibleFerret, or exfiltrated data.

According to the Justice Department, it was the largest criminal act using IT workers, resulting in an estimated $6.8 million in losses.

"I think it's significantly higher than $6.8 million; I would say it's on the order of tens of millions of dollars," Adam Meyers, CrowdStrike's senior VP for counter adversary operations, told attendees at the company's annual Fal.Con customer event in September.

**Customers Initially Dubious**

CrowdStrike's chief global services officer, Thomas Etheridge, recalls customers' initial skepticism that they may have unwittingly hired fake IT workers.

"We had many organizations that absolutely said, 'Thank you, but we don't have that problem,' and then they later reached back out to us and said, 'We realize you were absolutely spot on,'" Etheridge tells Dark Reading.

According to 467 cybersecurity professionals surveyed for Securonix's "2024 Insider Threat Report," insider attacks rose from 66% of organizations in 2019 to 76% last year. Moreover, 90% said insider attacks are equally or more challenging to discover than external attacks.

CrowdStrike cites research from the Ponemon Institute, which found that 71% of organizations experienced between 21 and 41 insider incidents in 2023 — up from 67% over the previous year. The report also found that the annual cost of insider threats averaged $16.2 million per organization.

Data from 1,542 security decision-makers responding to Forrester Research's 2024 Security Survey indicated that 23% of data breaches resulted from internal incidents. Joseph Blankenship, VP and research director for Forrester's Security & Risk practice, says addressing insider risk is more complex than external threats.

"It's difficult to discern normal insider behavior from potentially malicious or accidentally harmful behavior," Blankenship says. "Insider risk services help to test the technology and processes organizations use to detect and respond to insider incidents."

**CrowdStrike's New Services Portfolio**

CrowdStrike's Insider Risk Service provides assessments to determine overall security gaps that enable both malicious and unintentional internal threats and HR hiring processes.

"We have some really rich telemetry around identity, around what threat actors are doing and the tooling they're using to remain persistent and undetectable in an environment, and we use those same techniques and tools to uncover insider activity," Etheridge says. "Putting a lot of these things together and bringing the people and process aspect to it really can help an organization up level and mature their insider-risk program."

The offering consists of a program in which CrowdStrike's consultants examine an organization's approach to insider risk and perform technical reviews to discover gaps and recommend improvements. The services also include tabletop exercises and red team simulations to test what defenses are in place and explore ways to discover vulnerabilities.

Not surprisingly, the services rely on threat intelligence and telemetry gathered from CrowdStrike's flagship Falcon platform and its OverWatch 24x7 threat-hunting service team. While major IT consulting firms like Accenture, EY, and smaller service providers offer risk assessment services, Etheridge touts CrowdStrike's platform as an advantage.

"These organizations are coming to us because we have a lot of the telemetry that they would need to understand the difference between normal activity occurring in the organization and non-normal activity," Etheridge says.

Meanwhile, activity from Famous Chollima is off from last year's peak, though Etheridge expects variations in this insider threat type to continue.

"It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," he says.

Forrester's Blankenship agrees.

"I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

CrowdStrike Highlights Magnitude of Insider Risk

The ransomware group provides everything an affiliate could want to breach and attack victims, including a quality controlled recruitment system to engage even more criminals.

Source: William Mullins via Alamy Stock Photo

NEWS BRIEF

The Lynx ransomware-as-a-service (RaaS) group has made a name for itself, standing out as a "highly organized platform" complete with a structured affiliate program and robust encryption methods.

Researchers at Group IB investigated Lynx's operations and detailed how the group orchestrates its ransomware attacks and manages its list of victims.

Lynx's affiliate panel is divided into sections, such as news, companies, chats, leaks, and more. This "user-friendly" interface allows affiliates to create victim profiles, generate ransomware samples, and even manage schedules, among a variety of other features. The group provides its affiliates with an "All-in-One Archive" that contains binaries for Windows, Linux, and ESXi environments. It also has a competitive recruitment-driven strategy that incentivizes affiliates with an 80% share of ransom proceeds and a leak site dedicated to posting stolen data publicly if a ransom goes unpaid. 

The group's recruitment operation requires a lengthy verification process for pen testers and skilled intrusion teams, detailing how the group emphasizes quality control, operational security, along with sufficient skills and experience before being able to join the business.

Using these strategies and more, Lynx has established itself as what the researchers consider to be a "formidable RaaS operator." By combining ransomware builds, a structured affiliate ecosystem, and a detailed management system, the group has created "an industrial-scale approach to cybercrime."

The researchers recommend that organizations take essential steps to protect their operations, especially if they are within a critical industrial sector, by implementing multifactor authentication and credential-based access, deploying advanced endpoint detection and response solutions, scheduling backups, prioritizing updates and security awareness programs, and more. Further details can be found in Group-IB's research blog post. 

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Lynx Ransomware Group 'Industrializes' Cybercrime With Affiliates

The now-fixed vulnerability involved a major travel services company that's integrated with dozens of airline websites worldwide.

Source: Ribkhan via Shutterstock

A vulnerability that exposed millions of airline customers to potential account takeovers has highlighted the significant risks organizations face from misconfigured OAuth authentication processes.

The vulnerability in this case involved a major provider of online travel services for hotels and car rentals. Many airlines have integrated this service into their websites, allowing customers to use their airline points to book not just flights, but also hotels and rental cars in one seamless process.

**OAuth Implementation Flaw**

Researchers at Salt Security, hunting for real-world examples of API supply chain attacks, stumbled upon a vulnerability in the travel company's process for authenticating users looking to access its services after making an initial airline booking. The flaw, which the travel services company has since fixed, basically gave attackers a way to redirect a user's OAuth credentials to a server of their choice.

The credentials would have allowed the attackers to obtain a valid session token from an airline's website and use it to log into the travel company's systems as the victim and book hotels and car rentals using airline loyalty points.

The discovered vulnerability enabled attackers to hijack victim accounts with a single click, Salt Security researcher Amit Elbirt wrote in a blog post this week, without revealing the identity of the travel services company.

While the takeover would have happened within the travel provider's service, it would have given an attacker full access to a victim's stored information on the airline company's site, including personally identifying information, mileage, and rewards data. "This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation," Elbirt wrote.

OAuth (Open Authentication) is a security protocol that allows users to grant websites or applications access to their information on other sites without sharing their passwords. A familiar example is logging into a website using Google or Facebook (by clicking "Sign in with Google" or "Login with Facebook" links). In the case of the travel services company, OAuth enabled users to login to the company's site using their airline credentials.

As Salt Security explains it, when a user clicks on the login button to access the travel company's site, they are automatically redirected to the requisite airline company's login page for authentication. Once complete, the airline site sends an authorization code back to the travel company site, which initiates a process whereby the travel site receives an access token. The travel site then uses the token to request user data from the airline site.

**A Failure to Verify**

What Salt Security discovered was a weakness in the travel company's authentication flow that gave them a way to redirect the equivalent of a user's login credentials to their own server. "The specific issue here is that the travel company did not correctly verify that the sensitive authentication credentials were sent to a valid domain," says Yaniv Balmas, vice president of research at Salt Security. "By manipulating this flaw, we could force the travel company to send these credentials to us instead of the airline company, thus allowing us — or or a malicious actor abusing this — to take over the airline user account and perform any actions on their behalf."

To exploit the flaw, an attacker would have sent a malicious link, which would appear to be a valid airline link, via email or text message to users of airline sites integrated with the travel service provider. According to Salt Security, once a user clicks the link and successfully authenticates to an official airline service, the attacker gains full access to the user’s account within the travel system. "From the victim's perspective, it would be almost impossible to understand the link is malicious since it genuinely belongs to the airline, and there is no easy way to understand its malicious nature without an expert-level understanding of OAuth and authentication flows," he says.

**Common Issue**

The vulnerability with the unnamed travel company is more common that one might assume, Balmas says. In 2023, for instance, Salt Security discovered a similar vulnerability in Booking.com's OAuth implementation process that gave attackers a way to take over user accounts when using their Facebook accounts to log into the hotel reservation site. Another time, researchers from the company found OAuth implementation flaws involving Grammarly, Vidio, and Indonesian e-commerce site Bukalapak that gave attackers potential access to hundreds of millions of user accounts across multiple websites.

"The biggest issue here is that from the airline's perspective, there is absolutely no visibility in case an attack occurs, and in fact, an attack request will look completely identical to a legitimate one," Balmas notes. "This basically means that the third party — the travel company in this case—is the one responsible for the security and safety of its customer users." Often, he adds, there's no certainty that a third party will hold to the same security standards as its customer.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OAuth Flaw Exposed Millions of Airline Users to Account Takeovers

In their discovery, researchers found 31 PDF files linking to these phishing websites, none of which have been yet submitted to VirusTotal.

Source: Web Pix via Alamy Stock Photo

NEWS BRIEF

Researchers are highlighting the rise of a new phishing tactic: a campaign that uses PDF documents to trick victims by announcing expired Amazon Prime memberships.

Users are targeted by email and, after clicking on the PDFs, are taken to pages that impersonate Amazon, where they are urged to input their personal details and credit card information.

The researchers at Palo Alto Networks Unit42 who discovered the campaign have collected 31 PDF files with links to these phishing sites, none of which had been submitted to VirusTotal.

The chain of events in the phishing attack begins with the email containing the PDF attachment. Once clicking on the link from the PDF, the victim is redirected from the initial URL to subdomains of duckdns\[.\]org that host the phishing website.

"These phishing websites use cloaking to redirect scans and other analysis attempts to benign domains," the researchers wrote. These domains for most of the initial and intermediate staging URLs are hosted on the same IP address.

There are four initial links used in the campaign that potential victims should be wary of:

*   hxxps\[:\]//redirjhmxnasmdhuewfmkxchbnvjxfasdfasd.duckdns\[.\]org/XOZLaMh
    
*   hxxps\[:\]//redixajcdkashdufzxcsfgfasd.duckdns\[.\]org/CCq8SKn
    
*   hxxps\[:\]//zmehiasdhg7uw.redirectme\[.\]net/xn28lGa
    
*   hxxps\[:\]//rediahxjasdusgasdzxcsdefwgasdgasdasdzxdz.duckdns\[.\]org/agungggg1298w862847
    

"The initial attack vector, where users are beguiled into opening an email attachment containing a PDF file, is a stark reminder of the importance of remaining vigilant of emails," Javvad Malik, lead security awareness advocate at KnowBe4, wrote in an emailed statement. "Emails still remain the most popular attack avenue for phishing, so it's important that people have the right education and tools at their disposal to be able to effectively identify and report any suspicious activity."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Phishing Campaign Baits Hook With Malicious Amazon PDFs

Concerns include everything from ransomware, malware, and phishing attacks on the game's infrastructure to those targeting event sponsors and fans.

Source: Steve Cukrov via Shutterstock

Sporting events like the upcoming Super Bowl LIX in New Orleans are prime targets for cyberattacks due to their massive audiences, extensive digital infrastructure, and the potential for high financial and reputational impact. Experts say organizers should be prepared for an onslaught of attacks leading up to and on game day, which is Feb. 9 this year.

Securing such events can be particularly challenging due to the vast array of potential attack surfaces, including ticketing systems, livestreaming platforms, in-stadium Internet of Things (IoT) devices, and valuable fan data. The New Year's Day terrorist attack in the city has only added to the concerns, and has prompted greater physical security measures in the form of increased surveillance, a significantly larger police presence than initially planned, and the use of drones and extra cameras to monitor for threats.

**High-Stakes Cybersecurity Playbook for the Big Game**

James DeMeo, faculty member with Tulane University's School of Professional Advancement, is an expert in sport event security, facilities, and venue risk assessment. The Super Bowl, he reminds, is a mega event that the Department of Homeland Security has designated as a Special Event Assessment Rating 1 (SEAR 1), which is the highest rating from a threat assessment standpoint. Following the Jan. 1 vehicle ramming incident in New Orleans' French Quarter, event security concerns are sure to have only heightened, he says.

The top cybersecurity concerns will include those around ransomware, malware, and phishing threats directed at critical infrastructure for the games and communication networks. "Command center controls will be tasked with averting bad actors from infiltrating CCTV, access controls, and wireless networks while ensuring a seamless fan experience," DeMeo says.

Other focus areas for the security team at the Super Bowl will include protecting fan payment data and monitoring social media networks for signs of potential physical threat activity. "Law enforcement will be sharing relative and timely information with governmental stakeholders like the JTTF and the Secret Service," DeMeo says. Expect the DHS to monitor posts on social media platforms in real time before and during the games for conversations that indicate a threat to the event.

DeMeo expects drones will play a key role on the physical security side of things as well. "Drones are an effective risk mitigation tool for key Super Bowl security stakeholders," he says. "This technology can be implemented for properly monitoring crowds, crowd management, crowd ingress/egress, and reconnaissance for potential nefarious bad actors on the exterior perimeters of the venue."  

Additionally, such technologies as biometrics and iris scans can be utilized as an effective risk mitigation tool by event security leads, he says.

**A Collaborative Defensive Effort**

Mike Storm, distinguished engineer at Cisco, says preparation for an event like the Super Bowl actually begins years in advance, with collaboration between a number of entities, including the host venue, the local city, a wide network of tech vendors, and government entities like the FBI. "In the years, months and weeks leading up to the event, the cross-functional team engages in a wide variety of scenario and role-playing exercises so that should any issues arise during the event, responses are swift, coordinated, and ideally resolve the problem before it can impact the game or the fan experience."

As the primary network provider for the Super Bowl, Cisco has partnered with the NFL in a collaborative approach to manage threats to the game. "This playbook," he says, "is built on a few core attributes that are essential to successfully protecting an event of this magnitude — simplicity, visibility, reliability, and protection." As part of the effort, Cisco has deployed a range of technologies to secure the game network, including Cisco Secure Firewall, Cisco Umbrella, Cisco Security Malware Analytics, Cisco XDR with Meraki, and Splunk Enterprise.

The NFL is also tapping Cisco's Talos threat intelligence service for real-time intelligence pertinent to the event. The goal is to safeguard game day operations and respond to potential threats during the event to prevent disruptions, Storm says. "When it comes to large sporting events, we are looking for all types of attacks, at volume," he says. Many attacks are often focused on trying to degrade the experience of fans or on the misuse of data of viewers, guests, or participants of the game. "These events are targeted by a variety of different actors, which can include ideologically or politically motivated hacktivists and state-sponsored threat actors." These actors employ a variety of tactics, which can include targeting sponsors to disrupt the game or misusing branding to lure viewers to click something on something malicious.  

Storm points to the rising use of artificial intelligence as impacting Cisco's approach to protecting high-profile events like the Super Bowl. For instance, it adds complexity, he says: "The stakes of something going wrong with AI are incredibly high. On the other hand, it unlocks opportunities for faster, smarter security."

**The Threat from Unmonitored Service Accounts & APIs**

Meanwhile. the proliferation of automated systems and services like "just walk out" payment methods and frictionless checkout systems at events like the Super Bowl present a new attack vector that security teams need to guard against. The growing digitization has enabled faster retail transactions and a host of other benefits for fans. But it also led to an explosion of non-human identities (NHIs) and shared multiuse service accounts, APIs, tokens, and access keys that are often poorly monitored or completely unmonitored, says Tim Eades, CEO and co-founder of Anetac.

"Anetac's research indicates that large-scale events like the Super Bowl represent a perfect storm for NHI vulnerabilities," Eades says. "The combination of reliance on automated systems, rapid deployment, and the expansive network of NHIs required to support modern stadiums \[has\] significantly \[increased\] the attack surface," at events like the Super Bowl.

Eades perceives the targeting of NHIs as presenting a threat for event organizers in New Orleans and remote locations, "Bad actors recognize that automated accounts are gateways to critical infrastructure and sensitive data such as customer information, employee data, and more," he says. Securing such accounts, Eades notes, is important because they enable attackers to potentially gain control over stadium systems, from payment processing to manipulating environmental controls and emergency systems.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#auth