Touchdown! Measuring External Cyber Posture and the NFL Hack
This week, sports fans reacted with disbelief when it was discovered that 15 NFL teams’ social media accounts were hacked. Those targeted included the two teams that will play in the Super Bowl LIV Championship match on February 2, the Kansas City Chiefs and the San Francisco 49ers.
In addition to the Super Bowl contenders, the following teams were hacked as well:
- Arizona Cardinals (Twitter account)
- Buffalo Bills (Instagram and Facebook accounts)
- Chicago Bears (Twitter account)
- Cleveland Browns (Twitter account)
- Dallas Cowboys (Twitter, Facebook, and Instagram accounts)
- Denver Broncos (Twitter account)
- Green Bay Packers (Twitter account)
- Houston Texans (Twitter account)
- Indianapolis Colts (Twitter account)
- New York Giants (Twitter account)
- Minnesota Vikings (Instagram account)
- Philadelphia Eagles (Twitter account)
- Tampa Bay Buccaneers (Twitter account)
The group that claimed responsibility for the hacks is known as OurMine, which has also hijacked social media accounts of high-profile celebrities and companies such as Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey and Google CEO Sundar Pichai.
According to ZDNet, the group said in previous interviews that they used leaked passwords from data breaches to gain access to accounts on other websites. If this is indeed how they succeeded in hijacking the NFL social media, then this attack might have been prevented by
- Changing passwords regularly
- Avoiding re-use of the same password
- Choosing more complex passwords
- Adding two-factor authentication
But were there any warning signs that this could happen?
In September 2018, Panorays conducted research to determine the cyber posture of all the NFL teams. We did this by evaluating the attack surface of the teams to uncover cyber gaps, in the same way that a hacker would perform reconnaissance on a possible target.
In light of the recent hack, we thought it would be interesting to check our findings to see if any patterns could be found. We wanted to know: Was there any indication in 2018 that some of the teams might be less likely to be targeted?
We found out that the answer was yes.
In September 2018, Panorays listed five teams that had received the highest cyber posture scores. They included:
- Kansas City Chiefs
- New York Jets
- Miami Dolphins
- Los Angeles Rams
- Pittsburgh Steelers
All five teams received a cyber posture score of at least 82, which was well above the average NFL team cyber posture rating of 79. Four out of five of these teams were not hacked.
The one outlier was the Kansas City Chiefs. However, we discovered that much has changed for the team since we released our research: The Chiefs’ cyber posture rating dropped nearly 20% since then. In addition, the average NFL team cyber posture score fell as well, from 79 in 2018 to 72 in 2020.
The steep drops in cyber posture ratings underscore why it’s so important to not only thoroughly assess cybersecurity, but to continuously monitor for any changes.
These findings clearly illustrate the accuracy of the Panorays third-party assessment method. Using Panorays, companies can get a comprehensive 360-degree view of cyber posture while continuously monitoring for changes in security.
Interestingly, Panorays also predicted in 2018 that the Chiefs would be the winning team. Will this turn out to be the case? We will find out on Sunday!
Find out how one company mitigated the security risk of a third party prior to a supply chain attack.