Online infrastructure for the upcoming Paris Olympics is in a strong position, but Outpost24’s External Attack Surface Management (EASM) tool still revealed attack surface risks

Outpost24, a leading provider of cyber threat exposure management solutions, has today released its research findings after investigating the online infrastructure of the upcoming 2024 Paris Olympic Games. The research revealed that while, overall, the cybersecurity posture of the Olympic Games Organizing Committee Paris 2024 site is mostly secure, it also highlighted several risks, including open ports, SSL misconfigurations, cookie consent violations, and domain squatting.

With global interest, it is anticipated that over 1 billion people will be watching the Paris 2024 Olympics, with 326,000 people attending the multi-sport event which takes place from 26 July to 11 August. These events are a hotbed for cyber criminality, especially as online web traffic is expected to rise as the tournament draws nearer. Cybercriminals will look to capitalize on any weaknesses to cause disruption or steal sensitive information for monetary gain. For instance, the 2020 Tokyo Olympics infrastructure was hit by 450 million cyberattacks – 2.5x times the number seen just over a decade ago in London 2012.

Using its External Attack Surface Management (EASM) solution Sweepatic, Outpost24’s report highlighted the following core security risks with the Paris 2024 online infrastructure that would need addressing to reduce the overall risk of a compromising cyberattack:

  • Open Ports, if not configured properly, pose a security risk by allowing hackers to exploit vulnerabilities and access confidential information. Two exposed remote access ports (SSH servers) were identified as being vulnerable to brute-force attacks.
  • SSL Misconfigurations, caused by improper setup or management of SSL certificates, can lead to vulnerabilities within a network and an entry route for hackers. Moreover, Paris 2024 had 31 domains (5.8%) with invalid SSL and 86 domains (16%) with no SSL.
  • Security header issues were also identified as of the 294 associated websites, 257 had this particular problem. When a browser accesses a website, it sends request headers to the server, which responds with HTTP response headers. Security headers, vital to the HTTP protocol, enable information exchange between the client and server, crucially protecting websites from common attacks like XSS, code injection, and clickjacking.
  • Over 20 cookie consent violations were present for Paris 2024. Cookies track users, however, there are certain rules and regulations around how a business can use them, often differing depending on the user's location. For example, GDPR is the most used legal basis for end-user consent to cookies.
  • Signs of domain squatting or cybersquatting. This is the purchasing or registering of domains to illicitly profit from an organization's trademark. This leads to deceptive websites that appear legitimate and are often created to generate illegal profits, either directly or indirectly. These sites may compromise user security by stealing information such as passwords or credentials for sale on the dark web.
  • Other risks and cyber hygiene issues included: 404s and empty pages, outdated software and technologies and one set of leaked credentials that had been stolen by the LUMMAC2 malware.

To view the full research report, please click here.

“While we found several attack surface risks to analyze, it would be fair to say the overall cybersecurity posture of the Paris 2024 Olympic Games was good,” said Stijn Vande Casteele, CSO of Outpost24’s EASM.

“A few years ago, we analyzed the attack surface of FIFA’s 2018 Russia World Cup, which had an alarming number of outdated hosts and potential entry points into their infrastructure.

“In comparison, it’s clear more cybersecurity efforts have been taken by the Paris 2024 cybersecurity team. But even though we’d consider the Paris 2024 games as a ‘good’ example of how to manage an attack surface, it isn’t perfect (as perfection rarely exists with cybersecurity). The risks we’ll explore in the next section highlight the value of having an EASM solution in place to automatically pick up on the attack surface risks that inevitably fall through the gaps,” he explained.

The Sweepatic EASM tool is a cloud-based platform designed to monitor an organization's expanding attack surface. Through automatic data collection, enrichment, and AI-driven analysis, the solution evaluates both known and unknown internet-facing assets for vulnerabilities and potential attack routes. Straightforward and effective remedial measures to address any security weaknesses are then provided.

To request a free EASM scan, please click here.

About Outpost24

Outpost24 helps organizations improve cyber resilience with a complete range of Continuous Threat Exposure Management (CTEM) solutions. Outpost24’s intelligent cloud platform unifies asset management, automates vulnerability assessment, and quantifies cyber risk in business context. Executives and security teams around the world trust Outpost24 to identify and prioritize the most important security issues across their attack surface to accelerate risk reduction. Founded in 2001, Outpost24 is headquartered in Sweden and the US, with additional offices in the UK, Netherlands, Belgium, Denmark, France, and Spain. Visit https://outpost24.com/ for more information.

Thomas Moore Eskenzi PR thomas@eskenzipr.com