While Las Vegas is known for glamor and glitz, the city has also seen its share of tragedies – which was certainly on the minds of security officials this week as Super Bowl LVIII approaches.
Most prominent would be the Oct. 1, 2017, massacre of Route 91 Harvest concertgoers, and a mass shooting at the University of Nevada-Las Vegas last December. Three months ago, the city hosted a Formula 1 racing event, and now officials must secure the biggest, most lucrative sporting event of the year.
During the AFC Championship game 2 weeks ago, a Pennsylvania man managed to fly his drone over M&T Bank Stadium in Baltimore, causing an unexplained timeout during the first quarter.
Even this week, during a press conference about security and travel procedures for the Super Bowl, Las Vegas Metropolitan Police Department Chief Kevin McMahill had to explain at the podium what police were doing about a thrill seeker who climbed to the top of Sphere Las Vegas.
Referencing the AFC drone incursion, Department of Homeland Security Secretary Alejandro Mayorkas said, “it does not require much imagination to understand the significant threat such an incident would pose,” to the 65,000 fans expected Sunday.
Mayorkas said DHS’ Office of Intelligence and Analysis and the FBI have been assessing the threat landscape leading up to the game and have been sharing information with Las Vegas and Nevada security officials.
“There are no known, credible threats to the Super Bowl and Las Vegas, but we are vigilant and we are prepared,” Mayorkas told reporters.
Show of Force
There will be no shortage of physical security in Las Vegas Sunday, from McCarran International Airport to the Strip to Allegiant Stadium.
In addition to 65,000 fans at the game, police expect up to 330,000 people visiting the Strip to partake in other activities during the game.
Sasha Larkin, an assistant sheriff with Las Vegas Metropolitan Police Department, told the Clark County Commission the agency created about three dozen working groups to cover safety concerns such as civil unrest, cybersecurity, human trafficking and drones.
The Super Bowl is rated a Level 1 special event, deemed the highest at risk for threats, vulnerability and consequences by the Department of Homeland Security, requiring “extensive federal interagency support.”
Cathy Lanier, the NFL’s Chief Security Officer, says security preparations have gone well in large part because of relationships already established with private security firms who work along the Strip, resorts and casinos. “This is a complex environment. The expertise of agencies that work and live and collaborate here every day made it much better,” Lanier says.
DHS will have 385 employees and agents in place at various points in the metro area. In addition to intelligence and analysts from the FBI and DHS, the Cybersecurity and Infrastructure Security Agency has done vulnerability assessments. Multiple planning exercises and bomb safety workshops have been held with state and local authorities.
U.S. Customs and Border Protection has been scanning vehicles and cargo entering the stadium for weapons, drugs and other contraband. USCBP and the Transportation Security Administration are providing aviation security, video surveillance and non-intrusive inspections of cars, cargo and football fans.
The U.S. Secret Service, DHS, Immigration and Customs Enforcement, Homeland Security Investigations and CBP are focusing on human trafficking this year in unveiling the DHS “Blue” campaign, which will kick off with Lyft drivers in Las Vegas and grow throughout the U.S. this year.
Lyft will feature the Blue Campaign’s human trafficking resources in Lyft’s driver-only in-app Learning Center to teach drivers the signs that indicate someone may be a victim, and provide resources to help, including guidance on how to contact the right authorities.
The Blue Campaign is also disseminating digital and out-of-home advertising in the Las Vegas area to raise awareness of human trafficking among visitors, residents and those working in industries -- such as hotels, hospitality, and transportation -- where front-line employees are more likely to be in a position to identify and report human trafficking.
The Countering Weapons of Mass Destruction Office (CWMD) is providing surge support from its Mobile Detection Deployment Program and its BioWatch program in coordination with the city of Las Vegas. The U.S. Coast Guard’s Pacific Strike Team is also supporting the Mobile Detection Deployment Program to bolster the Department’s ability to detect and interdict chemical, biological, radiological, and nuclear threats.
For the first time at a Super Bowl, the Science & Technology Directorate will deploy easy-to-assemble, expandable security barriers that can be installed quickly to provide critical asset protection and intrusion prevention to fill coverage gaps in security at the stadium.
Cyber Threats Gaining Prominence
In addition to the massive number of physical security threats, this year’s Super Bowl also comes on the heels of the “Mother of All Breaches” (MOAB) that comprised 26 billion records from LinkedIn, Twitter, Weibo, Tencent and other platforms.
The Cybersecurity and Infrastructure Security Agency (CISA) held tabletop exercises with the National Football League last fall to plan out various hacking scenarios that could disrupt this year's Super Bowl. Some teams have also been directly targeted by hackers: A ransomware attack on the San Francisco 49ers offices led to a multi-million-dollar settlement. Host cities and sports betting services are also in the crosshairs.
For the Super Bowl, the first major test of cyber response came last fall when CISA, the National Football League, Allegiant Stadium, and Super Bowl LVIII partner agencies held a Super Bowl LVIII Cybersecurity Tabletop Exercise to explore, assess and enhance cybersecurity response capabilities, plans, and procedures ahead of the game.
The 4-hour exercise was aimed at discussing plans and procedures, resources, capabilities and best practices for protecting against, responding to and recovering from a significant cyberattack during the event.
During the exercise, participants discussed a hypothetical scenario that included phishing, ransomware, data breach and a potential insider threat -- all with cascading impacts on physical systems.
This kind of event has a dynamic cybersecurity attack surface which changes rapidly as multiple partners and vendors, and thousands of fans come together and interact with ticketing systems and points of sale using stadium Wi-Fi via mobile devices. Mobile apps which access sensitive information must be verified as being protected from impersonation or manipulation.
“This was a safe, low-stress setting to identify any gaps in those plans and ensure we all have a shared understanding of roles and responsibilities. In short, this exercise will help ensure we’re ready for any challenges that come our way on game day,” said CISA’s Deputy Executive Assistant Director for Infrastructure Security, Steve Harris.
'Cyber Threat Hunters'
Joe McMann, Head of Cyber Services at Binary Defense, works with the Cleveland Browns employing cutting-edge security efforts now in use by the NFL.
Sports hacking is becoming a big industry for cybercriminals. NFL teams are a storehouse of valuable personal and financial information, as well as highly coveted sports IP and insider info such as game day strategies, player health status, scouting reports, coaching staff emails and the like. McMann says hackers are zeroing in on football and other sports and the NFL is using threat hunting to prevent these incidents before they occur.
For example, Binary Defense has a team of "cyber threat hunters" who scour the Dark Web, Deep Web, social media and more to look for any signs of possible trouble, from looming ransomware attacks to physical threats at the stadiums and even potential fan misbehavior. McMann says he is encouraged with what CISA and the NFL are doing to cooperate and prepare.
“I would say they're being extremely proactive with it. They’re very aware of the risks and of what the threats are, and very aware of what the impact could be on the NFL, individual team or a player or owner,” McMann says.
“I'm impressed how everybody is leaning into it and putting investment and resources in taking the necessary steps to prevent something from happening.”
Authorities could choose to do a top-down exercise, with a broad threat scenario that tests how an organization responds and the communication processes. Or it could be a highly technical incident from the bottom up, with a single, small event, McMann says.
“How would it go from, let's say, from an individual sitting in front of a computer seeing that event across their screen? How does that start to expand out and bubble up and turn into that larger event?” McMann explains.
“Ultimately, the most successful exercises that are something that includes both views and meets somewhere in the middle so that you understand the technical piece of it, the operational piece of it, the low-level details of what happened, minute by minute, hour by hour, day by day, but then also understands the larger ramifications and all of the top-level pieces that need to be brought to bear to deal with that.”
Most successful organizations, McMann adds, have a team or individual responsible for assessing risk and they must have an understanding of what the largest risks are to a business, customers, constituents – or in this case, the Super Bowl. Some of them could have a cyber or IT security component.
“At least from a cybersecurity perspective, that's where we're always going to start. What is the risk that that activity would present to a business who we're working with? And then model that down from there,” he says. “I'll say we want to start realistic. We're not going to start with a doomsday scenario. We're going to start with something that has the highest potential or likelihood, and ultimately something where ideally we have a response that will have a positive impact on that event.”
Ted Miracco, CEO at Approov – a firm that provides run-time security solutions for mobile apps and their APIs – says there’s a rise not only in the number of cyber attacks, but also in the aggressiveness of the perpetrators and the size of the breaches. He believes artificial intelligence is helping attackers much more than it’s helping the defenders of data.
“The difference between the fake websites that ask you to enter your username and password and the real ones used to be laughable -- only a fool would kind of fall for that,” Miracco says. “Now, cybersecurity experts have difficulty differentiating between what's real and what's not real. And you must look really carefully before you jump in.”
Something innocuous like a public charging station could be a threat, depending on the type of connection being used.
“Some of them will ask you to click ‘agree’ or something like that and it's going to give that connection access to all your data,” Miracco notes. “They can exploit nearfield communications, Bluetooth and other means to effectively get inside of your device. Your whole life is in that device. All your banking information, all your contact information, all your passcodes.
“A Wi-Fi network is one of the most vulnerable things that you can connect to for man-in-the-middle attacks.”
Wi-Fi isn’t the only problem – there’s also the link connecting the stadium to various infrastructure. So, a tabletop exercise helps the organizers “see what happens when somebody connects to the wrong network, or if communications can be intercepted between innocent people and the rest of the infrastructure,” Miracco says.
“You can create fake cell towers so if people aren’t even connected to the Wi-Fi network, it can route people's cellular communication through it.”
Betting services like DraftKings and FanDuel will also be active, which is another risk. “You're going to have a bunch of people drinking, being careless, kind of socializing, betting. Those apps like DraftKings and FanDuel are going to be active. People are going to be wagering, those apps are going to be connected to their bank accounts, and people are going to be trying to get access to credentials.”
Authorities are going to put disproportionate attention into the massive threats, “but it'll go all the way down the line to attacking individuals’ bank accounts to disrupting the whole event in a major way. And they must be ready for all scenarios,” he says.
Miracco believes CISOs need to be more concerned than ever about API security.
“You can't just depend upon a username and a password. You need to do other integrity checks besides just user credentials, because those have been massively stolen and they're out there on the dark web. You need to do other integrity checks.”
Mayorkas says the cyber-threat factor with the Super Bowl has been going up year over year for quite some time. “In an increasingly interconnected world we are only as secure as our weakest link,” he told the media this week. “Each individual has power to secure their own tech environment and we can build a stronger ecosystem.”
John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines.