Millions will watch the Super Bowl on Sunday…including hackers


Starting in 2022, on the second Sunday in February, millions of people across the globe—from the United States and Canada to Hong Kong and the Czech Republic—will gather around their televisions to celebrate the Super Bowl as an (un)official national holiday.

For some of us, our first memory is watching the game while sitting on a relative’s knee. Right now, people are stocking up on chips and soda for viewing parties. Even those who don’t like football will show up just for the commercials. On Sunday night, the Super Bowl will have the world’s attention. It will also be a huge target for cyberterrorists.

However, the analysts behind the scenes have been preparing for this night for months. We’ll explain what they do to protect themselves and what you should be doing to defend your attack surface.

Previous hacks of the Super Bowl

The NFL goes to great lengths to protect this broadcast: in 54 years, there have been only two notable hacks.

The longest 30 seconds ever

In 2009, well before the sophisticated cybersecurity measures that we have now, a very crude hack took place right after the Arizona Cardinals’ quarterback threw a 64-yard pass that resulted in a potentially game-changing touchdown. With only three minutes left in the game, 80,000 Comcast viewers in Tucson, AZ, became witness to 30 seconds of inserted X-rated content.

After an extensive investigation, investigators identified the employee responsible, who had hacked a router with a stolen username and password. This was over a decade ago, and we’ve all learned volumes since then, but it’s still a type of security breach that companies should keep in mind.

“Everything is hackable”

In 2020, less than a week prior to the Super Bowl, the NFL and many of its teams had their Twitter accounts hacked by a Saudi Arabian group called OurMine. The NFL took immediate action to secure their accounts from what was essentially a publicity stunt. The lone tweet included a Contact Us email address and a message that stated:

Hi, we’re Back (OurMine). We are here to Show people that everything is hackable

While this statement is most likely true, we would add that “Everything can also be prevented.”

Winners and losers

Derek Gabbard, the Vice President of Cybersecurity at Stratascale, an SHI Company, says that when he worked as a cybersecurity researcher at Carnegie Mellon’s CERT/CC, he was part of an elite team helping the Secret Service do advanced work on what they called National Special Security Events (NSSE).

“We did some presidential protection detail work with them and a few National Special Security Events, which are activities that warrant national attention,” says Gabbard. “And we sent out some of our folks to the Olympics, to the World Bank meetings in DC, and to the Super Bowl because the Secret Service was actually involved in providing protective detail, including cyber protective detail, as early as 2004 or 2005. So, [the Super Bowl] falls into that national special security event category, and there aren’t very many of those.”

For a group seeking notoriety or attention for a hacktivist cause, infiltrating this level of security would be a huge feather in its cap. However, the biggest motivator, with the most significant reward, is financially motivated crime against Super Bowl advertisers. Gabbard goes on to say:

“You may find that attackers are in the background not looking for publicity, not looking at the activism side of things, but there’s financial gain to be had by trying to take one of the organizations that’s involved in the Super Bowl and successfully attack them and use that as a means to extort money so that it doesn’t become a big deal during the Super Bowl timeframe.

“Let’s say a company like McDonald’s is a sponsor and gets hacked the day before, but it’s only known internally. If they have a big event that’s going to happen during the Super Bowl, it would be a huge black eye to them and a huge problem to have that become public knowledge. So, the attackers may use that to ransom or extort…because the motivations for brand protection around such a big and well-attended, well-viewed event will be too much for their targets to want to deal with. They’re more likely, in crunch time, to write some large checks in order to make problems go away.”

Proactive defense

Many people may be under the misconception that cyberattacks, such as ransomware, can only be dealt with reactively. We recommend that an organization have a blend of proactive and reactive defenses around its crown jewels: its most critical data, applications, or intellectual property. Defenses should be layered so that they not only protect but also help a company recover should a breach happen. For organizations that are more mature from a security and resiliency perspective, this is currently the standard.

Know your attack surface

Without comprehensive knowledge of your attack surface, you’re blind to what you look like from the outside looking in, which is generally the vantage point from which attackers exploit vulnerabilities.

Ensure your digital cybersecurity solution team has an extensive partner portfolio

At SHI, we have hundreds of top-tier security vendor partners throughout every corner of the security landscape. We have sold, implemented, configured, and run their products for many different enterprises and smaller customers. What makes us unique is the value-added services we bring to your company. You can buy something from one of our OEM (original equipment manufacturer) partners, and we can then take that product and make it even more meaningful and relevant to our end users. Our customers benefit from our entire portfolio of partners and our own advanced security service solutions.

SHI covers a wide swath of businesses that fall into one of our market segments.

When you’re watching the big game this Sunday, remember the cybersecurity experts, like SHI, who make a flawless show possible. However, on Monday, make sure to contact us to learn more about how you can put together your own winning cybersecurity team.