Virtual Election Simulation Provides Glimpse of Security Risks

A virtual election simulation this week highlighted a typical November election day in the fictional city of Adversaria.

A red team of hackers does everything it can keep residents from voting. Meanwhile, a blue team of first responders from local, state and federal agencies springs into action. They do everything they can to limit disruptions, and ensure voting centers remain open and the integrity of voting remains intact.

This was the theme of Cybereason‘s latest Operation Blackout virtual election simulation.

Cybereason has been hosting virtual election simulation exercises with both public and private sector professionals to test resilience to possible disruptions.

There were surprises and lessons learned in this latest virtual election simulation. Election security remains a top concern across the United States, which lends even more weight to these exercises.

Cybereason’s Sam Curry

Sam Curry, Cybereason’s chief security officer, tells us how it went. He also talks about what can be applied to the upcoming election and beyond.

Channel Futures: What was the goal behind Operation Blackout? Does it reflect what’s expected during the November election?

Sam Curry: Their goal of the simulation is to sway public opinion, prevent voter turnout and undermine future elections. During the exercise, nothing was hacked, and no one was harmed because it is an exercise. We are not actually hacking an election. The goal was to simulate the experience without having anyone hurt. Naturally, the teams pick an aspect or two to emphasize and as such each simulation is unique.

All infrastructure systems are election systems, and what Cybereason has learned over the course of seven previous Operation Blackout exercises is … election day threats are real when attempts could be made on electricity grids, transportation systems and municipalities in general.

CF: Were there any surprises or lessons learned during the virtual election simulation? If so, can you give some examples?

SC: Every simulation has lessons and surprises. In this case, the blue team innovated with an excellent measure of installing specific election-only ballot boxes in cities across the country. They called for help when needed and stuck the landing for safety during the finale. The red team taught us how easy it is to create chaos and sow doubt on a shoestring budget. In some ways, they did a little too much, with some measures that countered one another or telegraphed direction. Overall, both teams performed.

CF: What were the end results of the virtual election simulation?

SC: Recognizing that having clear channels of information or disinformation was very important for affecting public sentiment for both sides. Control of social media networks for municipalities allowed the red team to easily spread misinformation through supposedly “legitimate” channels. Many of the activities performed by the red team were simple, cheap and commoditized. These activities do not necessarily require a nation-state attacker to carry out, just someone motivated and with a little knowledge.

CF: Do the results apply to ensuring election security and integrity?

SC: The results from the exercise have clear takeaways. One, the coordinated efforts of first responders is critical. And two, it is essential to control communications, to call for help, to show leadership, to focus on safety. These may seem obvious, but they are not. Operation Blackout exercises remind us to lean in and do our duty with smart and structured improvement, and not just dedication at go time.

CF: With election security being such a hot topic right now, is there reason to feel optimistic?

SC: Each election hacking simulation improves on the one before and these exercises have proven to be solid immersive experiences for practicing cyber incident readiness much as war games prepare the military in times of peace. The law enforcement participants on the blue team appreciate the utility of the exercise and how applicable it is to …

… coordination, orchestration and preparedness for future elections. The security professionals on the red team are always confident in their moves and the results.

We are one of the oldest democracies in the world. We have survived catastrophes as a nation far worse than election hacking, and we will not be sated by electronic fingers tipping the scales. But to ensure the integrity of the voting process, we need to continue to build on what we know. Democracy requires constant vigilance and constant learning. The 2016 election had lessons to teach, but we need to prepare to start preparing for the next election in 2024, not just this one on Nov. 3.

CF: Can cybersecurity professionals help to ensure secure elections at the local level?

SC: We have only begun to tap into the potential to create an army of cyber minutemen and women. Not only can we participate in educating our peers, we can also participate by directly protecting democracy. There are more election security tabletop exercises to run, and the adversary has more innovation in store for us all. Every generation needs to prepare to fight for democracy. Generations now must add the cyber battlefield to the more traditional land, sea, air and space battles.

SecurityScorecard Helps Make Elections Safer

SecurityScorecard is offering its ratings platform and questionnaire service at no cost to 2020 federal campaigns, and national parties and committees in partnership with Defending Digital Campaigns (DDC).

DDC is a nonpartisan organization that provides security products and services to federal campaigns to help them fend off cyberattacks.

SecurityScorecard’s ratings platform will allow any campaign to understand and continuously monitor its own cybersecurity risks. Campaigns also can send security questionnaires to any third-party vendors supporting their operations for a view of their cybersecurity risk.

Sachin Bansal is general counsel at SecurityScorecard.

SecurityScorecard’s Sachin Bansal

“Third parties are the biggest attack vector for campaigns,” he said. “And many third parties for campaigns are small operations, such as a polling agency or an ad buyer. Despite their size, these third parties often hold sensitive data from campaigns, such as the personal information of thousands of voters who have consented to provide their information to the campaigns.”

In 2019, third-party data breaches were up significantly, Bansal said. So it’s not just campaigns that are struggling with the cyber hygiene of third parties, he said.

“There are two fundamental problems, which is what drove the creation of our partner, DDC,” he said. “The first is that campaigns have very limited resourcing since they are cash-strapped operations and cybersecurity can be costly. The other problem is cybersecurity-related expertise, which a campaign often does not have on staff. We’ve addressed this by donating our product through DDC, and our product is extremely simple to use so it does not require technical expertise.”

The number of cyberattacks has gone up exponentially since the pandemic started,” Bansal said.

“That along with the issues surrounding the 2016 election prompted us to take action and do our part to help make our democracy safer,” he said.

Massive Social Media Attack Highlights Weaknesses

A social media data broker exposed the public-facing profiles of 235 million TikTok, Instagram and YouTube users via a misconfigured online database.

Information exposed included profile name, real name, profile pic, account description, age, gender and more. Spammers can use this data to carry out more sophisticated and convincing phishing attacks.

Stephen Manley is chief technologist at Druva. He said organizations should protect themselves from this type of attack and the secondary threats that result from it.

“Cloud teams need to discover all their cloud assets so they can secure their data,” he said. “Some of the largest data leaks have come from …

… inexperienced users misconfiguring cloud object stores and databases. Since teams cannot secure assets that they do not know about, tracking everything is the critical first step to securing data.”

Once your cloud data is secure, you need to manage your customers’ and employees’ personal information, Manley said. With this latest data leak, individuals will worry about the personal information that businesses have about them. And regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) allow people to ask organizations to show and/or delete information about them, he said.

Each new leak and new law creates a spike in privacy requests, he said. Now is the time to prepare.

Druva’s Stephen Manley

“Finally, you need to protect against new ransomware attacks that may come from the TikTok/Facebook/Instagram data leak,” Manley said. “With the leaked personal information, cybercriminals can phish more individuals. Since everybody is working remotely, those phishing attacks can compromise a personal device, which then connects to a corporate network and spreads the ransomware. Therefore, core ransomware protection … becomes even more important over the coming weeks.”

Timm Hoyt is Druva‘s global vice president of partners and alliances.

Druva’s Timm Hoyt

“The onslaught of cyber threats, malicious actors and government or industry regulations can easily overwhelm an organization,” he said. “Working with a capable expert MSSP to help is often the wiser investment decision. MSSPs are solely focused on helping customers build the protective moat around their castle and also bring the firepower to eradicate the bad guys when they storm the walls. As organizations increasingly support a dispersed, remote workforce, it’s important MSSPs offer robust options to protect endpoint devices, SaaS apps and cloud-native workloads alongside data stored in traditional data centers.”

Bugcrowd Offers Pre-M&A Security Testing

Bugcrowd has launched a new bundle of security tests to evaluate M&A targets’ security status and mitigate cyber risk post-acquisition.

The tests combine remotelydeployed penetration testing with the asset discovery, alerting, attribution, prioritization, and management capabilities of Bugcrowd’s platform. Organizations can initiate these tests in 72 hours or less.

Ashish Gupta is Bugcrowd’s CEO. Historically, M&A due diligence focused on financial, legal, commercial and technological risk, he said.

Bugcrowd’s Ashish Gupta

“However, cybersecurity posture is becoming increasingly critical to M&A negotiations as the impact that can result from acquiring a company without a proper risk analysis can be devastating,” he said. “In fact, 60% of organizations engaging in M&A activity will consider security posture a critical factor in the M&A due diligence process.”

Marriott’s acquisition of Starwood is a recent example of what can go wrong when cybersecurity due diligence is not a part of the M&A process, Gupta said.

“To elaborate, when Marriott acquired Starwood in 2016, Marriott was unaware that the Starwood network had been compromised since 2014,” he said. “Two years later, Marriott announced that one of its reservation systems had been compromised, with hundreds of millions of customers’ information exposed, including credit card and passport numbers. To make matters worse, the credit cards were encrypted, but the encryption keys were stored on the same compromised server and were also exfiltrated by the attackers.”

Partners can sell Bugcrowd’s M&A assessment while participating in other products or services that complement the assessment, Gupta said.

“It does help channel partners address a broader market by allowing them to offer their customers cybersecurity due diligence pre-acquisition from a neutral third party,” he said.