In 2020, companies around the globe had their in-person event plans dashed by the coronavirus pandemic. This sent many thousands of companies scrambling to put together virtual events. In 2020, millions of employees, customers, and prospects attended virtual events for the first time. Many lessons were learned—and some were ugly. Yet, on the whole, virtual events were successful for many host companies (including BeyondTrust) and attendees.
With virtual events now well-established and expected to be more common in the future, what can we do to make them more successful and more secure going forward? I’ll leave the first part of that question to the event planners, but in this blog, we’ll explore the key virtual event security practices and potential cyber risks that should be considered any time such an event is planned.
Are virtual events really a cyber threat target? Yes!
Hacking of virtual events and their attendees is a growing trend because it presents a wide addressable target market and a diverse risk surface, and because the security controls around the events tend to be an afterthought, since making the event actually work is given the highest priority.
A typical goal for most threat actors is to remain anonymous during their illicit activities, which is quite easy within the cosy, trust-filled confines of virtual conferences. Keeping a low profile, hiding their tracks, and flying under the radar enables cyber criminals to prolong their nefarious activities to extract more value, while staying clear of any virtual event administrators.
Virtual events are rich with vulnerabilities that can be easily exploited by attackers because there tends to be built-in trust around:
- Accepting an event invitation (which could be socially engineered)
- Launching a virtual event platform software (which could harbor malware or spyware that could execute on the end user’s device)
- Interacting with attendees via chat, cameras, and audio (which could be used to conduct surveillance, or trick an unsuspecting user to click on a malicious link or document)
Depending on the end user’s level of privileged access and the current state of their device (its asset risk), an attacker could gain a foothold in the corporate environment via the virtual conference, then move laterally and escalate privileges to reach higher-value assets. This just reinforces the importance of correctly applying security fundamentals like privileged access management (PAM) and vulnerability management.
In 2020, we saw many unfortunate instances where threat actors also conducted attacks by joining a legitimate virtual event, posing as an attendee, and:
- Presenting inappropriate, illicit, or illegal content, hoping to gain a response
- Posting chat or questions with malicious links or contents that provide the first stage in an attack
- Creating disruptions by heckling the speaker using communication tools built into the virtual event platform
The three attack methods above are commonly referred to as “bombing” a conference call or virtual event and have been known to disrupt events hosted by educational organizations, companies, and virtual event vendors. While the end goal of virtual event bombing may not always be to steal data, it is an effective strategy for gaining initial penetration into an organization, as well as for causing embarrassment and disruption.
To that end, threat actors will almost always follow the path of least resistance to conduct their crimes. This is not because they are lazy—to the contrary—they are intelligent and hardworking. But if they can find an easy path to achieve their goals that is repeatable and anonymous, they will exhaust it until the effort is no longer yielding the desired returns or profitability.
What can attackers gain by targeting virtual events?
The threat actors committing these attacks are typically, but not always, associated with organized cybercriminal entities and nation states across the world. They are no different from the operators of ransomware, although the techniques needed to hijack a virtual event are trivial compared to conducting a successful targeted phishing attack and deploying ransomware.
While these virtual conference attacks might sometimes seem like simple mischief, the organizations conducting these exploits use hired cyber criminals to execute predefined scripts of responses, links, and documents. These are devious attacks masterminded to lure an unsuspecting attendee, operating within the sphere of blind trust around the event, into executing, opening, or clicking on a malicious payload, or simply supplying credentials in a watering hole attack.
Often, these attacks use standard social engineering ruses up front to gather an attendee’s name, harvest information about them on the web using public sites like LinkedIn, and then collect information needed for a more targeted attack. Once the blind trust has been replaced with a more implicit trust, the targeted attendee is more apt to blindly follow the threat actor’s instructions.
Everything from data stolen from the virtual event’s attendee list to the actual compromise of an individual attendee could be sold on the Dark Web, used for a future spear phishing attack, or combined with other data for nation state surveillance.
Top security holes & vulnerabilities for virtual events/classrooms
Virtual events commonly have the following security holes, risks, and vulnerabilities that can be exploited:
- Insecure distribution of URL and attendee codes that allow for sharing of access
- Lack of multi-factor authentication to prove an attendee’s identity
- Lack of, or poor, implementation of encryption technologies to secure a computing session from eavesdropping or monitoring
- Software vulnerabilities within the virtual event platform
- Vulnerabilities on an attendee’s device being used to view the virtual event that could be leveraged against a virtual session via local software or a browser
- Lack of URL filtering and malware scanning of posted content in chat, as well as in questions and answer sections
- Lack of technology to prevent screen recording or capturing of the virtual event. This includes screen recording software and the use of cameras that might not be typically allowed in a physical event.
- Minimal security controls to obfuscate the attendee’s name, company, and email address in a virtual event (some vendors provide better controls than others)
Best practices for virtual event security
Whenever possible, the following security best practices should be considered to protect virtual events and attendees from exploitation by cyber attackers:
- All attendees should have a unique URL and access code
- Obfuscate and do not display attendees’ full names, email addresses, or company
- Automatically mute all attendees’ microphones and only enable attendees’ cameras if they manually turn them on
- Restrict any attachments or URL postings in chat and question and answer windows to specific personnel
- All questions and answers should be private to the organizers of the event and can be manually promoted to “view all” after they have been screened
- Inform attendees if the session will be recorded. If anyone objects, request that they leave the virtual event and await further instructions on viewing the recording
- Inform attendees that all correspondence for the event will only come from these trusted email addresses to avoid third-party phishing attacks
Unfortunately, not all virtual event platforms offer the above security features. It is up to your organization to vet these prior to virtual event vendor selection. And it’s up to the attendee to leave the virtual event if they feel the security practices in place present an unacceptable risk.
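The two chat and Q&A practices above (links and attachments restricted to specific personnel; questions private until an organizer promotes them) can be enforced by a small moderation gate in front of the event chat. The following is an added example, not code from any virtual event platform or from BeyondTrust; the role names, message fields, and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical role names allowed to post links or attachments (per the best practices).
LINK_POSTING_ROLES = {"organizer", "moderator", "speaker"}

# Deliberately broad: catches http(s) URLs, "www." links, bare domains such as
# bit.ly/abc and defanged forms such as hxxps://evil[.]example. False positives
# are acceptable because a match only holds the message for review, never blocks it.
URL_RE = re.compile(r"\b(?:h\w{2}ps?://|www\.)\S+|\b[\w-]+(?:\[\.\]|\.)[a-z]{2,}\b", re.I)

@dataclass
class Message:
    sender: str
    role: str
    text: str
    attachment: Optional[str] = None   # file name, if the platform allows uploads

@dataclass
class ModerationQueue:
    public: List[Message] = field(default_factory=list)   # visible to all attendees
    held: List[Message] = field(default_factory=list)     # visible to organizers only

def contains_link(text: str) -> bool:
    return URL_RE.search(text) is not None

def route(msg: Message, queue: ModerationQueue, channel: str) -> str:
    """Place a message and return where it went: 'public' or 'held'."""
    # Q&A is private to the organizers by default; promote() makes it "view all".
    if channel == "qa":
        queue.held.append(msg)
        return "held"
    # Chat: links and attachments from anyone outside the allowed roles are held.
    if msg.role not in LINK_POSTING_ROLES and (msg.attachment or contains_link(msg.text)):
        queue.held.append(msg)
        return "held"
    queue.public.append(msg)
    return "public"

def promote(msg: Message, queue: ModerationQueue) -> None:
    """An organizer has screened a held message and releases it to all attendees."""
    queue.held.remove(msg)
    queue.public.append(msg)
```

A speaker's slide link lands in the public channel immediately, while an attendee's "hxxps://evil[.]example" or "bit.ly/..." post, or any attendee upload, waits in the organizers' queue until screened.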
How can attendees of virtual events ensure their personal cybersecurity?
Attendees of virtual events should always be aware of the potential cyber risks, and the potential that a compromise of their endpoint or account could also jeopardize security at their organization, depending on their access and privileges. With that said, virtual event attendees should adhere to these best practices:
- Verify the source of all emails, especially the authenticity of the source domain for a virtual event. A simple phishing email covering a well-known event can easily be spoofed.
- Do not click on any embedded links or documents hosted in the virtual event
- Verify the URL destination of any shortened or tiny URLs displayed during the event, or in follow-up emails
- Never provide your corporate credentials to join a third-party virtual event! If the event is secured by a password, make sure it is unique and not reused or shared.
- Do not provide any additional information outside of your name and company when joining a virtual event. This information should have been collected during the registration process
- Make sure your browser and operating system are fully patched for security vulnerabilities before joining a virtual event.
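The first and third attendee practices above (verify the source domain of event e-mails; verify the destination of any shortened link) come down to one question: does the host actually belong to a domain the organizer announced as trusted? The following is an added example, not code from the original post; the trusted domains and shortener hosts are constructed sample data standing in for the addresses a real event would publish.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample data: domains the organizer announced as the only sources of
# event correspondence, and link shorteners whose real destination must be checked.
TRUSTED_DOMAINS = {"events.example", "example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a genuine subdomain of one.
    Lookalikes such as example.com.evil.test or examp1e.com do not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_is_trusted(address: str) -> bool:
    """Check the domain of an e-mail sender; display names are stripped first."""
    _, addr = parseaddr(address)
    _, at, domain = addr.rpartition("@")
    return bool(at) and host_is_trusted(domain)

def classify_link(url: str) -> str:
    """Return 'trusted', 'shortened' (expand and re-check the destination before
    clicking), or 'untrusted'. Plain http, embedded credentials
    (https://events.example@evil.test/), non-standard ports and punycode hosts
    are all treated as untrusted."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return "untrusted"
    if parts.username is not None or parts.port not in (None, 443):
        return "untrusted"
    host = parts.hostname.lower()
    # The trusted domains here are plain ASCII, so any punycode label is a lookalike.
    if "xn--" in host:
        return "untrusted"
    if host in SHORTENER_HOSTS:
        return "shortened"
    return "trusted" if host_is_trusted(host) else "untrusted"
```

The "shortened" result is a prompt to expand the link with a preview tool and run the expanded destination through classify_link again before following it.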
Also, since it’s likely that most organizations will have employees participating in some kind of virtual event, it makes sense to educate and reinforce the risks and security best practices for virtual events as part of cybersecurity training.
Virtual events, and even virtual classrooms, are poised to be a more common part of life and business for the foreseeable future. To ensure these events are smooth and successful, security needs to be a prime consideration during each stage of the event development, though part of the onus will also lie with the attendees.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.