We Ranked the Olympic Nations on their Security Strength. The Gold Medal Goes to…

As the world eagerly anticipates the 2024 Paris Olympic Games, athletes are not the only ones making final preparations. Behind the scenes, a different kind of competition is brewing as cybercriminals are gearing up to exploit the global event for malicious purposes.

The intersection of cyber attacks and the Olympic Games has become a significant concern for organizers, governments, and cybersecurity experts but how are Olympic federations responding to this threat? We built a tool to check the security posture of all the Olympic federations to find out.

Email remains the #1 entry point for cyberattacks. With more than 1.5 million phishing sites created every month, email users are at risk of seeing their personal and business data breached. Indeed, the Olympics has a history of major email cyberattack breaches: in 2018 a fileless malware campaign was discovered targeting organizations associated with the winter Olympics held in Pyeongchang.

For this reason, checking the strength of an organization’s email security is an excellent indicator of their overall cyber security posture and is how we ranked the Olympic federations. But how exactly did we assess their email strength?

The following criteria were used to score the Olympic federations and committees, and build our rankings:

• Has Email Security Gateway: Having an email security gateway is crucial because it acts as a barrier against various email-borne threats such as impersonation attempt, phishing, malware, etc… and can ensure the continuity of email services.
• Has SPF record: An SPF record is important because it helps prevent email spoofing and protects against phishing attacks by specifying which mail servers are authorized to send emails on behalf of a domain.
• SPF record is good: Here, we’re considering SPF records effectiveness, for instance whether they are configured with a “softfail” option, which is weak.
• Has DMARC record: DMARC is crucial for preventing email spoofing and phishing by authenticating emails and specifying how to handle those that fail authentication, ensuring only legitimate emails reach recipients.
• DMARC record is good: We consider DMARC records to be good when they receive a positive mark on a scan, such as from https://tools.sendmarc.com/.
• Immune to bypass: Email security bypass is an old trick, but it is still working these days. This means that an organization has not restricted access to their email server, and as such, an attack can completely bypass their email security solution and directly reach their email server.  A recent paper on the topic: https://sumanthvrao.github.io/papers/rao-www-2024.pdf

Using the above criteria we created a very simple grading system. We built two different scales,  one for countries which had an email security gateway, one for those who did not, and attributed different weightings of the scoring criteria depending on our assessment of the respective contribution to email security.

Having carried out the assessment of Olympic federations we have determined “Team Great Britain” is in first place. They achieved this position by exhibiting the strongest overall email security posture. Most notably, they use an email security gateway and have strong SPF and DMARC protection. “Team USA” is in second place, and “Team Netherlands” in third place.

As we don’t want to draw the attention of malicious agents to specific federations, we decided not to reveal the full rankings but in carrying out this investigation we noticed some concerning email security practices.

We have observed that around 60% of federations are using the Microsoft 365 solution. This is likely because it’s one of the most reliable suites of collaborative tools on the market. However, we have identified that two nations are directly exposing their mail servers on the internet, which is not a recommended behavior.

We found that the majority of SPF records are well configured, except for one nation that has the softfail option in their configuration.  This means that the emails are likely to get delivered to the intended recipient even though the sender has failed the SPF check, and as such, it may open the door to successful spoofing attempts. We took a look on each DMARC configurations, we found that only a minority have a good configuration based on our analysis.

Most countries do not use an email security gateway and one country was vulnerable to the “email security bypass”.  Once again, while this is not a groundbreaking attack technic, it is concerning considering the nature of the poorly protected organization, the nature of today’s threat landscape as well as the timing with the Olympics looming in.

To properly protect your email technology environment, use Hornetsecurity email services such as:

• Spam & Malware Protection
• Advanced Threat Protection
• Email Encryption
• Email Continuity Service
• Email Signature & Disclaimer

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

The Olympics has long been a hotbed for cybercrime and the 2024 Paris Olympics Games will be no different. Unfortunately, most of the Olympic Federations we tested fall short of the level of email security that is necessary. And this threat extends to companies and individuals. This is particularly alarming considering that email remains the #1 threat vector.

This is not just limited to Olympics committees. Small and large business will once again be the targets of cybercriminals using the upcoming games as the backdrop of their cyberattacks, whether they are ticket scams or extorsion attempts. So over the next few weeks if you receive an email from your HR department informing you that they have free tickets to the Olympic Games to give away and the first 10 that reply get them, be sure to think carefully before clicking that link.

Want to see how you score on the same criteria we used to rank the Olympic federations? Try out our Email Security Check.