Analysts: NFL Draft runs smoothly, but security concerns to persist through weekend

The NFL's first-ever virtual draft went off without a hitch in the first round, but teams will have to be on watch through the six remaining rounds.


The first round of the NFL's inaugural virtual draft went more smoothly than anyone could have expected, with few if any disruptions in the complicated digital broadcast event.

Unlike previous years, when the NFL Draft was held at Radio City Music Hall or other large venues, NFL Commissioner Roger Goodell announced each team's picks from the basement of his home in Bronxville, NY, due to the coronavirus pandemic.

Cybersecurity experts had a litany of concerns about how the event would be protected considering all 32 teams and the NFL league office had dozens of executives, scouts and coaches all coordinating picks and decisions from the privacy of their homes. 

Using a combination of Microsoft Teams and Zoom, teams managed to get everything done securely, experts said, but with the last six rounds remaining and even more teamwide coordination needed for obscure picks or trades, there are still worries among experts about how the event will unfold. 

"The NFL Draft may not have sensitive information that would entice criminal groups to steal or hack them," said James McQuiggan, security awareness advocate at KnowBe4. "However, it is the notoriety of hacking the NFL Draft and causing disruption, which would be worthwhile for them to target."


Teams sent the NFL Player Personnel department their draft choices using Microsoft Teams and coordinated internally through some combination of texting and video conferencing platform Zoom, which has been in the news for its litany of security issues and concerns. 

NFL officials told Reuters that teams cannot communicate with the league through Zoom and will only contact them with their picks through Microsoft Teams, which they have urged teams to use over other platforms. The league conducted a test run on Monday and teams have said they did their own run-throughs ahead of the real thing on Thursday night.

"Malicious outsiders may either want the notoriety of having destroyed the first NFL virtual draft or something even more malicious or more nefarious in the sense of making money from knowing picks in advance," said Gerry Beuchelt, chief information security officer for remote connectivity service LogMeIn. 

He added that events of this size required weeks of preemptive testing of systems and proactive efforts to look at how cyberattackers would go about disrupting something like this. 

Having previously worked securing companies involved with the World Cup, he explained some of the things that would need to be done to secure something as massive as the NFL Draft.  

"The key element here is to build a system that has the necessary disaster recoverability, the necessary bandwidth and then test it from a number of different perspectives. As soon as you start to rely on digital infrastructure, you have to start thinking about what could happen during the event and what kind of protections you have to put in there," Beuchelt said.

"I would expect there to have been burden tests from connectivity to the central service. I'm sure they've had some close collaborations with Microsoft on doing penetration testing around this and doing full Red Team and Purple Team exercises that look at this from an adversarial perspective and simulate the kind of attacks that you would see." 

In addition to Microsoft's security operation centers and support staff, the league needed to look through the Dark Web and other sites to know what the threat landscape was like, a number of security analysts said.

Security and system needs

Beuchelt noted that for an event like this, operational support was needed for each team to make sure all smartphones, laptops and home networks were protected. In today's security environment, cyberattackers can easily use any device in a person's home against them, so it was key to secure every endpoint around. 

During the first round, the broadcast ran video of each team's lead executives working from their home office with multiple screens and devices, each of which needed to be secured. 

Teams also had to make sure that there were secondary and tertiary systems in case something went out. ESPN reported that days before the draft, many team executives and head coaches hired cybersecurity teams that checked their homes to make sure everything was secured properly, and some even bought backup generators and extra Wi-Fi systems just in case.

"They need to be able to cut over to something else and they need to understand who's in charge. Who is the event coordinator. What kind of notifications need to take place, who do you inform and have a clearly defined set of operational standard operating features that allow you to act very quickly to any changes to the operational picture," Beuchelt said.

"Starting with the player departments, through to the executives, through the coordinators and through to Goodell himself, everyone needs to be fully understanding of what is involved and how they can keep systems safe."

Sure enough, this became a problem during the draft. Denver Broncos coach Vic Fangio told reporters that his internet went out five minutes before the draft started and the team's senior vice president of information technology, who was at Fangio's home, had to call Comcast to have them restore it.

DDoS attacks

Beuchelt added that DDoS attacks would be something the NFL should worry about throughout the draft because of how effective, cheap and simple they are to carry out.

"That's the bread and butter. You need to test, you need to prepare, and then you need to test again. I'm sure they're going to be seeing multiple DDoS attacks during the event just because it's easy and every clown on the street can go out and rent a Botnet and say 'Hey I brought down the NFL,'" Beuchelt said. 

"There is a huge amount of notoriety to be gained by lesser competent actors. If you're DDoSing things, it's not only DDoSing the server. Microsoft can defend against that. What if somebody, maybe a more sophisticated actor, has done some advanced reconnaissance and is trying to find out where those senior-level executives or key participants are going to be coming from. They need to have special broadband lines, into those houses in order to make those kinds of activities harder."

He added that it was clear the league had thought through all of these things because of the test runs they conducted. But through the remaining six rounds of the draft it was clear this would be an overarching concern they would have to watch out for consistently. 

Potential credential stuffing attacks

Kevin Lancaster, founder of ID Agent and general manager of security solutions at Kaseya, said credential stuffing attacks have quickly become one of the most popular attack techniques because collaboration tools are widely deployed internal tools that are accessible via the internet.

With credential stuffing, hackers get companies' private login information, such as usernames and passwords, through phishing attacks or by purchasing them on the Dark Web, and then they test those credentials on popular collaboration tools sites until there's a match.

"To combat this threat and protect its employee and team credentials, the NFL should immediately implement multi-factor authentication (MFA), single sign-on (SSO) and simulated phishing attacks to train their users, if they don't have one in place already, in addition to monitoring their domains and the Dark Web for any stolen credentials," Lancaster said.

Team on Team attacks

While not as critical as outside attacks, some cybersecurity experts questioned whether teams may try to hack each other for more information about potential picks or trades. 

In public interviews, Ravens head coach John Harbaugh has openly discussed his fear of being attacked by other teams.

"I really wouldn't want the opposing coaches to have our playbook or our draft meetings. That would be preferable," Harbaugh told reporters earlier this month.

Beuchelt said teams should have conducted full adversary simulations, both from an outside perspective and from an inside-the-other-team perspective, because other teams will always be interested in what may be happening.

"The NFL Draft involves high stakes time sensitive group decision-making—not the best moment to introduce new communication technology that has a reputation for being disrupted," said Josh Bohls, CEO and Founder of Inkscreen.  

"If I were a betting man, I'd wager there will be at least one technology meltdown leading a team to request a 'technology time-out.' I just hope it's not the Saints."
