Why pen testing has never been more essential for online events

Without a doubt, hosting a global event during a pandemic is very different from hosting an event in normal times. We’ve seen significant changes over the last year, not least the shift towards holding events online. While in-person interactions have been cut, the move online has meant that many more people can take part in international events, with there no longer being a need to fly many hours to attend, or even to leave your home.

But with easier access, and the ability for people to hide behind their screens, there are more risks on the shoulders of online event organizers to keep the experience safe and secure, both for the organizers and for the participants based around the world.

As well as monitoring the security of an event while it takes place, it’s vital to put the time and effort into making comprehensive checks before the first visitor logs in, effectively attempting to hack the systems to look for flaws by using a penetration test (pen test): an authorized, simulated cyber attack on a computer system, network or software, performed to evaluate its security.

Ahead of the recent World Innovation Summit for Health, which is the global health initiative of Qatar Foundation, it was decided to go virtual due to the pandemic rather than to hold the event physically in Doha, Qatar, as had been the case with all previous summits since the first in 2013. I was charged with ensuring the availability, confidentiality, and integrity of its first online 3D platform.

There are a lot of tests and checks that need to be performed; however, due to length and confidentiality, I will only be discussing a few of the steps that were performed.

Since the event was going to be a web-based platform, I started by ensuring that the server could handle a large (potentially sudden) number of visitors to our 3D platform without any interruption to the solution by using cloud hosting with auto-scaling bandwidth (AWS). This way, we ensured that the server would auto-scale its bandwidth to accommodate new visitors when needed, and we would avoid any downtime due to bandwidth. We also employed DDoS attack protection; this way we ensured the availability of the platform.

Once registration to the summit became open to the public, I ensured that sensitive data such as visitors’ personal passwords were stored encrypted rather than in plaintext format, and also made sure that all data was stored in a separate database rather than in the backend of the hosting website. Managing data confidentiality should always be treated as cybersecurity 101. Never store passwords in plaintext; instead, always ensure that passwords are stored encrypted.
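The rule above in working code, as an added example (not code from the WISH platform): each registration keeps only a per-user random salt and a PBKDF2 one-way hash, which is the usual way to guarantee a stored password is never readable as plaintext, and login uses a constant-time comparison. The in-memory `_USERS` table is a constructed stand-in for the separate database the post describes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the separate registration database described in the post.
_USERS: dict[str, dict] = {}

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted one-way derivation: the plaintext cannot be recovered from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(email: str, password: str) -> str:
    """Store only algorithm, iteration count, salt and derived key, never the password.
    Returns the stored record string so a reviewer can see exactly what lands in the DB."""
    salt = os.urandom(16)  # unique per user, so two users with the same password differ
    key = _derive(password, salt, PBKDF2_ITERATIONS)
    record = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"
    _USERS[email] = {"password_record": record}
    return record


def verify(email: str, password: str) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant time."""
    user = _USERS.get(email)
    if user is None:
        # Still do one derivation so response time does not reveal whether the email exists.
        _derive(password, b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    _algo, iters, salt_hex, key_hex = user["password_record"].split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def record_contains_plaintext(email: str, password: str) -> bool:
    """Audit helper: the stored record must never contain the password itself."""
    return password in _USERS[email]["password_record"]


if __name__ == "__main__":
    # Constructed sample registration and two login attempts.
    print(register("attendee@example.org", "correct horse battery staple"))
    print(verify("attendee@example.org", "correct horse battery staple"))  # True
    print(verify("attendee@example.org", "wrong password"))                # False
```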

As we approached the summit, the platform was almost complete, which was the perfect time to run some tests and, of course, to go through the code. However, since I am not an expert in coding, we at WISH had to involve the coding experts from Qatar Foundation’s IT department, as well as the organization’s specialist risk team, in order to evaluate and assess the platform, to recommend what needed to be fixed from a coding perspective, and to check the APIs to ensure that there were no backdoors or vulnerabilities in a platform that was about to be used by thousands of healthcare professionals, policy makers, investors, innovators, entrepreneurs, and VIPs.

Prior to checking WISH’s security I had been involved in ethical hacking projects during the course of my master’s degree, but this was the first such project I’d been involved with in the real world. The experience was full of joy despite a few scary moments, and it was very rewarding to know I was helping make sure that whoever was going to access the platform was going to enjoy a safe journey, something that has become increasingly important considering that cyber crimes have been on the rise since Covid-19 moved so many of our interactions, including events, online.

Take-home tips:

  1. Knowing who is attending the event ahead of time through the creation of a registration process provides a way of checking for undesirable “attendees” (e.g. bots) that should not be given access early on.
  2. Always ensure that sensitive data is saved encrypted.
  3. Ensure that the platform is hosted outside of your organization’s network (keep your network protected).
  4. Make sure the event platform is able to accommodate all attendees if not auto scalable.