March Madness: An IT Security Nightmare

Ah, NCAA March Madness. The time of year that fans love, gamblers dream of, and IT security professionals should dread.

Rook Security
SECOPS
Mar 12, 2015


The March Madness tournament is an unstoppable force that fans will follow anywhere and in any way that they can. More than 50 million Americans participate in office bracket pools each year, with only 14% of employees reporting that they would not participate during work hours. With the sheer volume of tournament content (live games, bracket pools, analysis, highlights, social media) and the number of viewing options growing each year, IT staffers trying to manage it all can end up feeling like a 16-seed facing off against the 1-seed in the Round of 64.

That said, the impact of the March Madness tournament on network security never seems to get its fair share of attention. Well, that changes now. Let’s talk about the kinds of attacks that can occur during March Madness and what employers can do to mitigate the risk.


Popular Attack Strategies

  • Phishing: Attackers can easily create emails to imitate bracket pool invitations and updates. These spoofed emails can be very convincing when they’re designed to look like they’re coming from the bracket program. With tens of millions of people participating, the odds of phishing success are even better than a #12 seed picking off a #5. An attacker’s main goal in these phishing scams is to get people to use their work email and password combination to sign up for a phony bracket game. They might also do this in the form of social media posts asking friends to check out their picks or catch a last-second, buzzer-beating upset… anything to compromise a workstation.
  • Watering Hole Attacks: Watering hole attacks could also occur if a particular online bracketing website/system is widely used by the office. The attacker could target the official website and drop in exploits and malware for a contestant’s next check-in or update.
  • Rogue Websites: If your company blocks access to official and/or popular March Madness websites, employees may resort to far worse workarounds to consume live streams and other content on unfamiliar sites. This raises the risk of malware and all sorts of other nasty stuff.
  • Timed Attacks: Attackers can conceal attacks during tournament games, when bandwidth utilization is higher than normal due to employees checking scores or watching live games. If attackers are already inside your network, March Madness is a great time to exfiltrate data. (This is similar to the tactic used during the Target attack, where hackers waited until a surge of daytime activity to transmit their stolen credit card data.) This scenario is especially likely in the Round of 64, which falls across two workdays and has the highest number of games and upset potential, driving more viewership. Smart hackers will have these days circled on their calendars.

What Actions Can Employers Take?

Employers must decide whether to support viewership in the workplace or discourage it, but need to realize that many employees will watch the games regardless.

  1. If you will support tournament viewing, encourage employees to view the tournament through official platforms that are a part of the NCAA-Turner-CBS partnership.
  2. To navigate users away from suspicious websites, send a note to your office with March Madness updates linking to your approved sites. This way, you’re giving them a reliable source for information in a friendly way, and ‘leading your people to the water.’
  3. Recommend employees consume NCAA content through their personal devices and service plans and not across company networks.
  4. If your office has TVs, encourage TV use instead of live streaming. That’s what those 70-inch HD flatscreens and huge boardroom projection screens are for!
  5. Use this as an opportunity to remind employees about phishing attacks, which should already be a part of your ongoing security awareness training. If you don’t educate your employees on phishing scams, this is a great time to start… employees will have IT’s attention if they are talking about anything related to March Madness!
  6. Urge employees to use their personal email addresses for bracket games and other March Madness-related account setups. Too many people use one login and password across multiple accounts, posing a risk to companies if an employee account is compromised on a third-party site using workplace credentials.
  7. Pay extra close attention to network activity during games, looking for attacks and any exfiltration that may be taking place. Attackers look to operate under the radar and hope your attention is elsewhere… disappoint them.
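One way to act on step 7 is sketched below as an added example (not from the original post): streaming is download-heavy, so an upload-heavy transfer to a non-approved destination during a game window stands out even when total bandwidth is high. The host names, game window, baseline figures and flow records are all constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical names throughout; every value below is constructed sample data.
APPROVED_STREAMS = {"video.approved-stream.example"}
GAME_WINDOWS = [(datetime(2015, 3, 19, 12), datetime(2015, 3, 19, 17))]
# Typical outbound bytes per host over a window of this length (constructed).
BASELINE_OUT = {"10.0.0.11": 20_000_000, "10.0.0.12": 25_000_000,
                "10.0.0.13": 15_000_000}

# Flow records: (timestamp, internal host, destination, bytes_out, bytes_in)
FLOWS = [
    (datetime(2015, 3, 19, 12, 30), "10.0.0.11",
     "video.approved-stream.example", 4_000_000, 900_000_000),
    (datetime(2015, 3, 19, 13, 10), "10.0.0.12",
     "scores.unknown-site.example", 2_000_000, 300_000_000),
    (datetime(2015, 3, 19, 13, 40), "10.0.0.13",
     "files.unknown-host.example", 180_000_000, 1_000_000),
    (datetime(2015, 3, 19, 14, 5), "10.0.0.13",
     "files.unknown-host.example", 170_000_000, 1_000_000),
    (datetime(2015, 3, 19, 9, 0), "10.0.0.11",
     "backup.vendor.example", 400_000_000, 2_000_000),
]

def in_game_window(ts, windows=GAME_WINDOWS):
    """True when the timestamp falls inside any game window."""
    return any(start <= ts < end for start, end in windows)

def flag_uploads(flows, baseline=BASELINE_OUT, factor=5):
    """Return (host, destination, bytes_out) tuples worth an analyst's review."""
    totals = defaultdict(lambda: [0, 0])  # (host, dest) -> [bytes_out, bytes_in]
    for ts, host, dest, out_b, in_b in flows:
        # Approved streaming is expected noise; only game-time traffic is in scope.
        if not in_game_window(ts) or dest in APPROVED_STREAMS:
            continue
        totals[(host, dest)][0] += out_b
        totals[(host, dest)][1] += in_b
    flagged = []
    for (host, dest), (out_b, in_b) in totals.items():
        upload_heavy = out_b > in_b  # streaming looks like the opposite
        # A host with no baseline gets a threshold of 0, so it is always reviewed.
        above_baseline = out_b > factor * baseline.get(host, 0)
        if upload_heavy and above_baseline:
            flagged.append((host, dest, out_b))
    return sorted(flagged)

if __name__ == "__main__":
    for host, dest, out_b in flag_uploads(FLOWS):
        print(f"review {host} -> {dest}: {out_b:,} bytes out during game window")
```

The `factor` threshold trades false positives against missed slow transfers, so tune it against your own flow data rather than the constructed numbers here.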

In short: Upset the attackers by remaining diligent when they hope you will be sidetracked! Minimize March Madness traffic across your company networks and encourage employees to follow good security practices for this exciting three-week period and all year long.
