The National Cyber Security Centre (NCSC) recently hosted its first ever cybersecurity summit for sports organizations, advising an industry that sees more than double the average number of cyber-incidents affecting businesses in the UK. In total, 11 top-flight clubs from the English Premier League were in attendance: clubs typically used to competing against each other, now training together to bolster their defense against cyber-attacks.
The Threat Facing Premier League Clubs
The English Premier League, loved by football fans worldwide, is European football’s market leader, reaching revenues of £5bn pre-pandemic. Considered a high-value target for would-be attackers, a Premier League club has an infrastructure containing confidential transfer news, sensitive player information and large amounts of Personally Identifiable Information (PII) on customers and its fan base.
Most recently, Manchester United made headlines when the club fell victim to a disruptive hacking attempt in which the cyber-criminals obtained access to its systems. Although the club had been considered well-prepared for such an incident, the attack resulted in loss of functionality within the system, impacted employees’ access to business email and required shutting down areas for containment and to prevent further damage. As required by the GDPR, the club notified the Information Commissioner’s Office (ICO) of the breach; however, the club advised that no customer or fan data was compromised, so no associated fines were likely to be enforced for the incident.
In another recent incident affecting the Premier League, a cyber-criminal compromised the email account of the managing director of an unnamed club and attempted to hijack a £1m transfer deal, which was thwarted only by the company’s bank, saving much embarrassment.
In both incidents, the NCSC worked with the clubs to understand the impact and reduce the threat of future attacks.
Common Attack Strategies Used
Phishing
Phishing is a tactic used by cyber-criminals to get a user to reveal their login credentials via a fake login page or by installing malicious software. It is usually carried out by email, mobile or social media and can lead to ransomware attacks or unauthorized access to a system.
Credential Stuffing
Credential stuffing is a technique employed by hackers where a leaked list of usernames and passwords is used against the login process to gain unauthorized access to a system. Due to its automated nature, if additional protection measures are not in place, then a hacker will gain access with relatively little effort.
Password Spraying
Essentially a form of brute-force attack, password spraying uses large lists of common passwords and takes advantage of insecure and reused passwords that may have been publicly leaked. Again, as an automated attack, if you are not prepared for these strategies, you are leaving your defense wide open.
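The automated nature of credential stuffing and password spraying leaves a distinctive trace in authentication logs: one source failing against many different accounts with only a few attempts each. The following added example (not part of the original post) parses constructed sample log lines in a hypothetical `timestamp event user=... src=...` format, flags sources showing that pattern, and lists accounts that then authenticated successfully from a flagged source, which is where a forced reset and MFA enrollment should start.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
2021-01-15T10:00:01Z login_failed user=alice src=203.0.113.5
2021-01-15T10:00:02Z login_failed user=bob src=203.0.113.5
2021-01-15T10:00:03Z login_failed user=carol src=203.0.113.5
2021-01-15T10:00:04Z login_failed user=dave src=203.0.113.5
2021-01-15T10:00:05Z login_failed user=erin src=203.0.113.5
2021-01-15T10:00:06Z login_success user=erin src=203.0.113.5
2021-01-15T10:01:00Z login_failed user=frank src=198.51.100.7
2021-01-15T10:01:30Z login_failed user=frank src=198.51.100.7
2021-01-15T10:02:00Z login_success user=frank src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_success) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn the hypothetical log format into a list of event dicts; skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "event": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def find_suspicious_sources(events, min_users=5, max_fail_per_user=2):
    """Return {src: set(users)} for sources that failed against at least min_users distinct
    accounts with at most max_fail_per_user attempts each: the spray/stuffing signature.
    A single user failing repeatedly (a forgotten password) does not trip this rule."""
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "login_failed":
            fails[e["src"]][e["user"]] += 1
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fail_per_user:
            flagged[src] = set(per_user)
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: likely compromised credentials."""
    return sorted({e["user"] for e in events if e["event"] == "login_success" and e["src"] in flagged})
```

Thresholds are deliberately low so the constructed sample trips them; in production they should be tuned against the organization’s normal failure rates.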
Bolstering the First Line of Defense
In terms of cybersecurity, the first line of defense relates to your users. An organization can appear to be well-prepared by implementing virus and malware detection, event monitoring and other technologies, but essentially leave the front door open when it comes to their well-intentioned employees.
That need not be the case: consider the following areas to bolster your first line of defense against phishing, credential stuffing and password spraying, and to instill confidence against the threat landscape facing your organization.
Awareness
The threat at hand needs to be communicated company-wide with every employee knowing the part they play as a potential risk within the organization. Ensuring extra vigilance, educating users on common attack strategies, training on identification of phishing emails, the importance of strong password use and fostering a cyber-aware company culture are all conversations that can be started today.
However, telling your employees what they must do does not guarantee the advice will be followed. Users claim to understand the risks but still admit to bad practice, so a degree of enforcement will be required for best results.
Password Policies
Compromised passwords are responsible for 80% of hacking-related breaches, according to Verizon’s 2020 Data Breach Investigations Report. Creating a password policy that requires use of capital letters, numbers and special characters, however, is not the answer to your problem.
Taking steps to enforce password complexity needs to be carefully considered, as it can result in a poor user experience, leading to users writing passwords down, setting passwords which may appear complex but are in effect easy to crack (e.g. leet speak), or forgetting passwords. Forgotten passwords result in account lockouts and put a significant burden on the IT helpdesk.
It is advised to measure your password policies against industry recommendations such as those provided by the NCSC, Cyber Essentials or NIST to help safeguard against common password-related attacks.
For additional security, consider incorporating breached password protection within your policy to prevent passwords being used which are already publicly available within leaked lists.
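The two preceding points, that leet-speak substitutions give only the appearance of complexity and that passwords found in leaked lists should be refused, can be enforced together in a single policy check. The following added example (not part of the original post, and not Specops’ code) uses a constructed breached-password set and a minimum length instead of character-class rules, and normalizes common substitutions and trailing digits or punctuation before comparing.

```python
import hashlib

# Constructed breached list for the example; real deployments load millions of entries,
# usually distributed as SHA-1 digests, which is why we compare hashes here.
BREACHED_PLAINTEXTS = ["password", "football", "liverpool", "summer2020", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in BREACHED_PLAINTEXTS}

# Substitutions that make a password look complex without adding real strength.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(s):
    """Map leet-speak characters back to letters."""
    return s.translate(LEET_MAP)


def candidate_forms(password):
    """All the ways a breached base word might be hiding inside the submitted password."""
    base = password.lower()
    forms = {base}
    no_punct = base.rstrip("!?.#*_-")          # "summer2020!!" -> "summer2020"
    forms.add(no_punct)
    forms.add(no_punct.rstrip("0123456789"))   # "f00tb4ll2021" -> "f00tb4ll"
    forms |= {normalise(f) for f in list(forms)}  # "f00tb4ll" -> "football"
    return forms


def is_breached(password):
    return any(hashlib.sha1(f.encode()).hexdigest() in BREACHED_SHA1 for f in candidate_forms(password))


def check_password(password, min_length=8):
    """Return (accepted, reason). Length plus a deny list, in line with the NCSC/NIST
    guidance the article points to, rather than mandatory character classes."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "breached"
    return True, "ok"
```

A production check would also reject the organization’s own name and common local terms (club, stadium, season) as base words, since attackers build their lists the same way.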
Authentication
Enforcing a strong password policy is a major priority in your defense, but in today’s sophisticated threat landscape, adding an additional layer of security through two-factor authentication (2FA) provides that extra confidence in ensuring the user is who they claim to be. 2FA is, in fact, not too cumbersome to implement and it is worthwhile leveraging its security benefits.
Multi-factor Authentication (MFA) takes authentication to the next level. 2FA can still be exploited in sophisticated attacks and could become a hindrance if, for example, authentication is via a mobile device that has been forgotten. MFA can utilize a range of identity providers to ensure authentication is successful, mitigates the risk of impersonation and further strengthens the defense against attack.
In addition, MFA can be leveraged to reduce helpdesk resource and costs through implementation of a self-service password reset (SSPR) solution; in today’s world of remote working, this will inevitably pay for itself.
Specops Software is helping thousands of organizations strengthen their cyber-defense through the delivery of password security and user authentication solutions, focusing on simplicity of implementation and simplicity of use, reducing the burden on the IT department, helpdesk and users. Specops is currently offering a FREE solution to identify password vulnerabilities in Active Directory, which is a great first step in your situational analysis against topics discussed in this blog.