The nut that holds the wheel
There’s an old adage about cars which also holds true for cyber. No matter how sophisticated your security, it’s no good if someone leaves the door open.
You may be the type of free spirit who drives something cool, vintage and groovy from the 1960s—a VW bus perhaps, an old Caddy, or maybe an original Mini. For those of us who don’t divide our time equally between the side of the road and a home inspection pit, and who have intact marriages, however, our cars now have more computing power than the systems that guided Apollo astronauts to the moon. Yet despite the bewildering array of computers, sensors and other gizmos packed into them, we still manage to crash with monotonous predictability.
There is a well-worn adage about cars which warns the most dangerous part of one is the nut that holds the steering wheel. The inexorable move towards autonomous vehicles offers the hope that this one, overriding vulnerability of modern automobiles could one day be eradicated once and for all. But the weakness of sophisticated systems being compromised by human factors is already echoing across industries including maritime, and nowhere is it more acute than in managing the risk of cyber attack.
One would be forgiven for assuming that the difference between an organisation vulnerable to cyber attack, and one which isn’t, lies in better computers and software or better connectivity. According to Symantec that is almost never the case. Whilst it may be necessary to have the very best technology available to secure your organisation, it’s still going to be insufficient. The weakest link in cyber security is invariably your people.
Cyber threats are usually considered to come from outsiders writing malicious code designed to steal corporate intelligence, confidential customer information or access financial systems. To an extent that’s absolutely correct, but they are only one part of the threat. The majority of the time the way these bad guys get a foothold is because the ignorance or negligence of your employees opens the door for them.
According to PwC’s Global State of Information Security Survey 2015—whether intentionally or not—employees have become the most-cited culprits of information security incidents. The number of companies citing current employees as the cause of cyber incidents has risen 10 per cent since 2013. Worse still, 32 per cent of respondents to the 2014 US State of Cybercrime survey say insider crimes are more costly and damaging than those committed by outsiders.
Cyber criminals are primarily targeting employees and using sophisticated techniques to manipulate their behaviour in ways that technical security controls organisations apply to their networks simply can’t combat. The behaviour of those responsible for data is linked to awareness of the risks, and that’s something which for many organisations is a big weakness, and a potential ticking time bomb.
A report from Ponemon Institute revealed that 71 per cent of employees have access to data they shouldn’t see. 54 per cent of the end users surveyed said they access such data frequently or very frequently, while 80 per cent of the IT professionals surveyed said their organisation doesn’t enforce a strict least-privilege data model.
The impact of insecure human factors is being exacerbated by another growing trend though. Unlike in the old days, digital doors to your organisation are proliferating at an alarming rate, and they’re no longer all in the IT department. Traditionally at the heart of modern organisational processes, the IT department was the natural place for cyber security responsibility to reside. Not any longer. Recent research by Gartner has shown that the movement of IT budget away from IT towards other departments and individuals is accelerating. 14 per cent of cloud storage, 13 per cent of social media and 11 per cent of office productivity software is purchased without the IT department even knowing about it. In fact, IT is no longer the lead purchaser of technology. According to Gartner the marketing department is the new frontrunner and will outspend the IT department on technology by 2017.
The human element of weak cyber security is already way beyond the realm of the IT department, but for most organisations it’s still in an office or at a location somewhere on dry land. More pertinently, that human element will have experience of IT systems and the technology processes of the modern office environment, and often be subject to physical, real-time oversight. Shipping and maritime’s challenge is that a good proportion of our human element aren’t.
Until comparatively recently our ships and crews were effectively quarantined from the outside world by the prohibitive expense of deep sea satellite connectivity. The rise of IP systems like Inmarsat FleetBroadband and VSAT has seen technology deployment across the fleet rocket. Whereas not that long ago you would have been hard pressed to get a 3MB email attachment out to a vessel without eyebrows being raised, today data is being streamed back and forth in hitherto unimaginable volume. And it’s only going to get worse—or better—depending upon your point of view.
Then there are those proliferating doors to your organisation. The Bring Your Own Device (BYOD) trend is gaining momentum, with Gartner reporting that BYOD tablet policies offer better opportunities than those of enterprise-owned laptops or smartphones. “IT leaders can spend half a million dollars to buy and support 1,000 enterprise-owned tablets, while they can support 2,745 user-owned tablets with that same budget,” Federica Troni, research director at Gartner, said in a statement. “Without a stipend, direct costs of user-owned tablets are 64 per cent lower. When organizations have several users who want a tablet as a device of convenience, offering a BYOD option is the best alternative to limit cost and broaden access.”
Between now and 2017, Gartner says 90 per cent of organisations will support some aspect of BYOD, and predicts that by 2018 there will be twice as many employee-owned devices used for work as enterprise-owned devices.
The annual Crew Communications Survey (undertaken by Futurenautics Research and free to download on the Futurenautics website) tracks the adoption of connectivity solutions and devices aboard every type of merchant shipping, and the 2014 report demonstrates these technology and device trends are mirrored in shipping.
75 per cent of crew currently take a laptop PC onboard with that figure rising to 81 per cent amongst officers. And in the coming twelve months over 40 per cent of crew intend to purchase a tablet PC for use onboard. In 2014 the smartphone also overtook the cellphone as the most popular device carried onboard ships with 68 per cent of crew in possession of one when aboard. To compound matters a massive 40 per cent of crew are now routinely offered internet access by operators, with an astonishing 50 per cent of those providing it free of charge. That’s a lot of internet-connected wheels, and plenty of nuts holding them. In short, a big target.
The gap between ship and shore is often cited as an issue in maritime IT security, but the truth is the attitude of organisations is a far more pertinent problem. Speaking at the SingTel maritime roundtable just over twelve months ago a variety of senior ship operators indicated that operational data—which they unanimously consider to be of limited interest and value—does not require protection.
As a result, aside from traditional, ethics-based and confidentiality policies, most ship operators don’t appear to have any dedicated shipboard data security measures in place. One participant even made the suggestion that, as the office is able to see from the logs who has accessed what and when, the technology effectively polices itself.
It is precisely that kind of relaxed naivety which is ringing alarm bells across the industry. No technology can police itself, but the lack of reported incidents in the maritime industry may be lending weight to the view that it can. Having said that, there has been a significant increase in reported cyber attacks in the industry in the past twelve months.
“The only cyber attack I have ever witnessed was caused by an officer who had downloaded infested files and folders carried over from a previous vessel and caused contamination of the ship’s computers, and as a result all communications ceased, archives were lost, and ECDIS and digital publications had to be downloaded again after re-formatting the computers.”
That’s just one anonymous example of how serious an employee unintentionally compromising a ship’s system can be. But whereas it is possible to lock down office and shipboard computers to prevent USBs even being read, most attacks are far more sophisticated.
Social engineering via phishing emails is one of the most common ways attackers attempt to exploit employees, and not even those in IT who should know better are immune. When Georgia Tech first piloted phishing awareness training using the 300-member Office of Information Technology (OIT), one out of every four people clicked on the link in the phishing e-mail message and could have had their system compromised.
The experiment showed that not only is social engineering common, but extremely effective. “That scared me,” says Jason Belford, associate director of cyber security for Georgia Tech’s OIT. “One out of every four people responded, and they were all technical. These are the people that had the keys to the kingdom.”
Georgia Tech’s experience is typical. The click-through rate on phishing e-mail messages typically starts at 20 per cent or higher in most organisations, according to training companies. Training can help reduce that to single digits but only very infrequently to zero, which means that combining training with exploit-mitigation technologies is necessary to keep out attackers.
But while employees sitting in an office environment in front of a company PC might be more aware of security threats, that awareness is likely to drop significantly when they’re on their own time—or in their cabin. Smartphones are regularly used for business purposes, and are now all-pervasive on ships, but few of us seem aware that they represent a growing attack vector.
“Five or six years ago, everything was targeting the laptop, but smartphones have more data, more features, and more capabilities,” says Yeongjin Jang, a Ph.D. candidate in Georgia Tech’s College of Computing. “So the attackers are trying to get access to these devices through various means.” The response of Apple and Android respectively has been very different and produced correspondingly very different outcomes.
Google opened its Android platform to spur fast adoption and keep access to the app store as simple as possible, whilst Apple has kept iOS closed source and rigorously controls what’s allowed in its store. The result of these two policies has been dramatic in security terms. 99 per cent of mobile malware targets Android devices, trying to infect systems via the Google Play app store or persuading users to download and install applications from third-party stores and untrusted sites.
The Apple iOS is still vulnerable though: the well-publicised attack on iCloud allowed cyber thieves to steal intimate photos of celebrities taken on their iPhones and uploaded to the cloud.
Contributing to the problem are application developers who are focussed on monetising their user bases and not on securing their software. Many, and possibly the majority of, apps have vulnerabilities which can be exploited. In 2014, 91 per cent of the top 200 iOS apps and 83 per cent of the top 200 Android apps had some risky behaviour, according to data collected by mobile app reputation service Appthority. As the trend towards mobile payments gathers pace the likelihood is that focus on smartphones will only intensify.
Whilst employees are undoubtedly being targeted by cyber criminals, there is a subset who are by no means unwitting victims. A study by Symantec and Ponemon found that 53 per cent of employees think it’s fine to take corporate data because ‘it doesn’t harm the company’. Unfortunately though, there are those employees whose objective is to do just that.
Malpractice accounts for 35 per cent of all data breaches, which also spike around the time employees prepare to exit companies. So whilst the outside threat is very real, the insider threat is actually the most costly. Companies require more time to detect and respond to insider attacks, nearly 260 days, compared to 170 days for other attacks, according to data from the Ponemon Institute’s 2014 Cost of Cybercrime survey. Incidents involving malicious insiders also cost, on average, more than $210,000 to resolve.
And it seems that it is this type of threat which really resonates with ship operators. For those at the SingTel roundtable the overwhelming belief was that the security threat was more likely to come from disgruntled employees wanting to disrupt commercial operations, rather than any external individuals or groups.
Captain Tey You Huat of Altus Shipping warned that crew sabotage of a network could have far-reaching operational implications for owners and managers, and that it would take some time to re-establish many day-to-day automated functions: “Internally if the crew sabotaged, your network is down so most of your day to day functions that depend on downloading data is all gone. It will take some time before you can restore it.”
Combating the insider threat is a growing area of concern. A potential solution could be Anomaly Detection Systems—modelling user behaviour and raising a red flag when people begin to act outside expectations. By determining behavioural profiles for employees organisations are then able to identify unusual activity—such as increased sickness absence, reduced productivity or excessive spending—which might signal an employee is about to go rogue. One such research project being run by Georgia Tech is called Layered Ensemble Anomaly Detection (LEAD). “We don’t want to catch insiders at the moment they do something bad,” says Erica Briscoe, senior research scientist at the Georgia Tech Research Institute. “We want to catch them before they do it.”
But Anomaly Detection continues to be difficult, because defining “normal” behaviour is difficult. The reality is that addressing the problem requires a variety of complementary approaches, combining technology, training and access control processes like enforceable two-person security. As rogue insiders often act alone, companies can defend against unapproved actions by requiring another person to sign off on risky activities. Researchers are already developing drivers for popular operating systems which will require two or more operators to sign off on actions like updating the operating system or copying data to removable media. It’s the same principle as the two keys necessary to launch a nuclear missile.
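As an added, constructed illustration of the behavioural-profiling idea described above (not LEAD or any code from Georgia Tech), the following Python builds a per-user baseline from sample daily counts of files copied to removable media and flags days that fall far outside it; the standard-deviation floor and the handling of a user with no history are assumptions made to address the “defining normal” difficulty.

```python
"""Behavioural-baseline insider check (added illustration; not LEAD or vendor code).

Constructed sample: per-user daily counts of files copied to removable media.
Each user's profile (mean, standard deviation) is built from a training window;
later days are scored as z-scores against that user's own baseline. A floor on
the standard deviation stops a near-constant user alarming on one extra file,
and a user with no history is flagged as unknown rather than scored.
"""
from statistics import mean, pstdev

TRAINING_DAYS = 7   # days 0-6 build the profile, later days are scored
MIN_STDEV = 1.0     # floor: treat less than one file/day of spread as one
Z_THRESHOLD = 3.0   # alert when a day is more than three deviations above baseline

# Constructed records: (user, day, files_copied_to_removable_media)
SAMPLE_RECORDS = [
    *[("2nd_officer", d, c) for d, c in enumerate([2, 3, 2, 3, 2, 3, 2])],
    ("2nd_officer", 7, 3), ("2nd_officer", 8, 20),      # 20 is far outside profile
    *[("chief_eng", d, 0) for d in range(7)],
    ("chief_eng", 7, 1), ("chief_eng", 8, 6),           # 1 is tolerated, 6 is not
    ("new_cadet", 7, 4),                                # no baseline at all
]

def build_profiles(records, training_days=TRAINING_DAYS):
    """Return {user: (mean, stdev)} from observations before `training_days`."""
    per_user = {}
    for user, day, count in records:
        if day < training_days:
            per_user.setdefault(user, []).append(count)
    return {u: (mean(v), max(pstdev(v), MIN_STDEV)) for u, v in per_user.items()}

def score(records, profiles, training_days=TRAINING_DAYS):
    """Return [(user, day, z)] alerts for days at or after `training_days`.
    z is None when the user has no profile (unknown user, not a scored spike)."""
    alerts = []
    for user, day, count in records:
        if day < training_days:
            continue
        if user not in profiles:
            alerts.append((user, day, None))
            continue
        mu, sigma = profiles[user]
        z = (count - mu) / sigma
        if z > Z_THRESHOLD:
            alerts.append((user, day, round(z, 2)))
    return alerts

def detect(records=SAMPLE_RECORDS):
    """Profile then score one record set; returns the alert list."""
    return score(records, build_profiles(records))
```

The near-constant user shows why the floor matters: with a raw standard deviation of zero, a single extra file would otherwise produce an infinite z-score and a false alarm.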
But when it comes to insider attacks there is an upside—we know where they are. And that offers us additional, useful tools like deterrence and punishment. “In most computer security areas, we have no ability to deter the attackers—the person who is breaking into your network is on the other side of the planet, and you are never going to find them,” says Tom Cross, director of research at security firm Lancope. “Even if you do, they are likely in a country from which they cannot be extradited. But you know the insider who creates the insider threat, you have a personal relationship with them, and you have access to them, so you can manage the problem in a different way.”
It’s an oft-repeated mantra in maritime that our people are our greatest asset. But in our new hyper-connected industry they’re fast becoming a liability. It doesn’t have to be that way though. It’s worth remembering that when a company gets breached it isn’t just commercial information that gets into the wild.
As the recent Sony hack amply demonstrated, data and information that employees themselves categorically do not want made public—from personal records to internal, uncomplimentary emails—are as likely to be leaked. So properly informed, trained, engaged and supported, our people could become a formidable weapon—a bulwark against the cyber-hordes at the gate.
The nut that holds the wheel will always remain a point of failure. But we’re all a lot safer if he’s got his head screwed on.
Images credit © Getty Images
This article appeared in the January 2015 issue of Futurenautics.