Going Lo-Fi At Sea May Mitigate Cyberrisk

Cyberthreats have become seaborne in recent years, and preventative measures are on the radars of governments and the shipping industry.

GPS and other electronic systems have proven to help ensure safe and accurate navigation, but they have also put digital bullseyes on ship decks. These technology upgrades have unwittingly exposed ships to cyberrisk because their signals are weak enough for remote perpetrators to jam.

When ships and crew members rely solely on GPS systems, they can be at the mercy of a cyberhacker seeking to provide wrong positions (or “spoof”), endanger the crew and their cargo, or hold the crew, cargo or sensitive information for ransom.

These risks are exacerbated by the fact that ships typically do not have automatic backup systems, and younger crew members are increasingly reliant upon the newer electronic navigation tools.

Allianz’s Safety and Shipping Review 2017 highlighted the growing threat of cybercrime in the sector, and noted the increasing level of activity in the last five years. For example, World Fuel Services fell victim to an online bunkering scam in 2014 when it agreed to participate in a tender for a large amount of fuel from what it believed to be the United States Defense Logistics Agency. Cybercriminals collected $18 million from that successful impersonation. In 2016, hundreds of South Korean vessels had to return to their ports after North Korea allegedly jammed their GPS signals.

The report noted that most maritime cyberattacks have been aimed at breaching corporate security, rather than taking control of vessels, but warned that such attacks could occur.

Captain Rahul Khanna, head of marine risk consulting at Allianz Global Corporate & Specialty, noted in the report that more, larger-scale attacks are imminent if the risks are not appropriately addressed. “We can’t put IT security on the backburner,” Khanna said. “Just imagine if hackers were able to take control of a large container ship on a strategically-important route. They could block transits for a long period of time, causing significant economic damage.”

The report also stressed that “crew education and identifying measures to back up and restore systems should be implemented” to reduce cyberrisk.

Looking Back For a Signal Forward
Some companies and governments have heeded the warnings and are identifying these indicators of attack. Preventative measures may lie in a maritime tool that had taken a backseat to the prevalence of GPS—a backup radio technology called Enhanced Long-Range Navigation (eLoran), which was developed in the United States in the mid-1990s. It has continental reach, emits strong signals via a low-frequency and relies on land-based transmitters that reveal a limited number of fixed positions. These once-limiting traits could be the automatic backup systems ships need in the event of jamming or spoofing.

On July 20, 2017, when the Department of Homeland Security Authorization Act (H.R. 2825) passed the floor of the U.S. House of Representatives, eLoran’s importance was stressed. The act includes a section titled “Backup Global Positioning System,” which features provisions for the U.S. Secretary of Transportation to initiate an eLoran system. H.R. 2825 proposes that eLoran be made available as a “reliable…positioning, navigation and timing system,” with the purpose of providing “a complement to, and backup for the Global Positioning System to ensure availability of uncorrupted and nondegraded positioning, navigation and timing signals for military and civilian users.”

Reuters this week reported that South Korea’s Ministry of Oceans and Fisheries is looking to establish the technology in a test form by 2019.

Time will tell if eLoran is the most practical and cost-efficient method to mitigate cyberthreats at sea. It seems if companies want to mitigate maritime cyberrisk now, the first steps would be to look to the technology of the past and turn on the radio.

Companies Must Evolve to Keep Up With Hackers

If you ask a CFO if their company’s current cybersecurity strategy is working, it’s very likely that they do not know. While at first they may think it is, because the company’s bank accounts are untouched, an adversary could be lurking in their network and collecting critical data to later hold for ransom—threatening to destroy it if the money isn’t paid. The truth is that many organizations are lacking effective risk management that ensures the integrity and availability of their most essential data.

Corporate America needs to take the power back and stop hackers before they compromise networks and exfiltrate data for criminal uses, or simply threaten to destroy it for financial gain. To shift the power back in their favor, they must safeguard data, implement an effective risk management program, and invest in risk reduction activities. Organizations need to assess the maturity of their cybersecurity efforts, determine if they have any pre-existing conditions, and focus on risk reduction efforts that truly protect their data, while ensuring the ability to deliver products and services.

The fastest way to check for pre-existing conditions is by doing a compromise assessment to identify any current suspicious activity within their network. From there, they can determine what exactly needs to be done to reduce their organization’s cyber risk and develop a risk management plan that outlines clear steps for protecting their most critical assets.

To develop a cybersecurity risk management plan, executives need to first define the company’s “crown jewels”—the things that if compromised, would cause the most damage or inhibit the ability to deliver products or services that generate revenue. For instance, for a bank, this could be access to funds by their individual or business customers, or banking information that could be used for fraudulent purposes. Once an organization knows what it’s protecting, the executives can then create a security roadmap that ensures the secure delivery of products or services.

The security roadmap should start with a business impact assessment that identifies those crown jewels that are needed for delivery of essential services or producing products. These can include the data itself, technical architecture or systems used by their customers to transact business. Once these have been identified a prioritized risk reduction plan needs to be developed and tracked by the company’s leadership. Every facet of risk should be considered, from legal risk, to the consequences of a data breach, or inability to deliver services resulting from an intrusion or denial-of-service attack.

While security assessments and roadmaps are essential for defining an organization’s adequate cyber defenses, one of the biggest mistakes we see businesses make is being reactive when it comes to their defenses—relying on traditional technologies that only identify known threats and leverage Indicators of Compromise (IoCs). This method does not capture new exploits fast enough, nor versions of malware or other obfuscation techniques that are introduced by sophisticated adversaries. A great example is the sheer speed at which WannaCry ransomware spread to organizations of all sizes across the globe. Adversaries are capitalizing on this reactive security shortcoming by taking advantage of this window of opportunity to comprise data or networks.

Instead, organizations must take a proactive approach that focuses on indicators of attack (IoAs) that identify adversary behavior indicating malicious activity, such as code execution or lateral movement. IoAs can alert businesses to adversary activity before any damage is done. To effectively make use of this data, businesses also need to leverage threat intelligence for deeper insights into these IoAs.

Threat intelligence provides a crucial layer of information on adversary motives, tactics, techniques and procedures. For instance, a bank could look at a threat and see if this particular adversary typically targets the financial services industry, which regions they operate in and the motive behind their attacks.

Going one step further, organizations should leverage technology that enables threat intelligence to be shared rapidly and can protect numerous customers at once. At the end of the day, effective security requires a community effort. Corporate America needs to come together and truly leverage the power of crowdsourced intelligence—to keep from becoming victims of the next big attack.

From a lack of risk management plans, to reliance on reactive security measures, there are a number of areas where companies are falling short of having an adequate cyber defense. By putting the necessary plans in place to secure the integrity of their critical data, taking a proactive approach to cyber threats and working together across industries and businesses, corporate America can collectively build a stronger cyber defense.

North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. The ransomware takes advantage of vulnerabilities in Microsoft Windows systems, generating the largest ransomware attack to date. Although the flaw was patched by the company months ago, the wide spread of the attack illustrates how many users fail to update their software. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to save their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

Ransomware Attacks Increase, With U.S. the Primary Target

Ransomware attacks constituted the greatest cybercrime danger in 2016 as the volume and value of attacks rose sharply, according to a new report from internet security firm Symantec.

“Attackers have honed and perfected the ransomware business model, using strong encryption, anonymous Bitcoin payments, and vast spam campaigns to create dangerous and wide-ranging malware,” according to “Internet Security Threat Report (ISTR), April 2017.”

The average ransom amount involved in such attacks jumped 266% to $1,077 during 2016 from just $294 in 2015. Symantec also found that frequency increased, with detection of ransomware up 36% to 463,000 from 340,000 in 2015; or 1,271 per day in 2016 compared to 933 per day in 2015.

The United States saw the largest share of these attacks by far at 34%, followed by Japan (9%) and Italy (7%). “The statistics indicate that attackers are largely concentrating their efforts on developed, stable economies,” Symantec said. Further, research from Norton Cyber Security Insight team said that 34% of those attacked will pay the ransom, but that figure jumps to 64% for U.S. victims, “providing some indication as to why the country is so heavily targeted,” the Symantec report said.

Another indicator of rising ransomware activity is the tripling of new families of ransomware to 101 in 2016 from just 30 in both 2105 and 2014. While the number of new variants (distinct variants of existing ransomware families) declined 29% to 241,000 from 342,000 in 2015, this “suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

The proportion of ransomware infections on consumer computers rose only marginally to 69% from 67% in 2015 as the rate of infections for enterprise and other organizations dropped accordingly to 31% from 33% in 2015. Consumer infections totaled between 59% and 79% for every month except December, when they fell to 51%.

Beyond the top threat of ransomware, the report discusses exposures including “New frontiers: Internet of Things, mobile, & cloud threats,” and has a section that lists multiple challenges from malware, spam and phishing via email. Email, for example, was a major avenue of attack in 2016, “used by everyone from state- sponsored cyber espionage groups to mass-mailing ransomware gangs,” it said, adding that one in 131 sent during 2016 were malicious, the highest incidence in five years.

Symantec also discusses a few of the largest cybercrimes of the year, including the theft of $81 million from the central bank of Bangladesh and alleged tampering with the U.S. electoral process. “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the US electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record,” according to the report.

Despite the apparent rising threat level portrayed in the report, the cyber insurance landscape remains untamed, Risk Management Magazine reported in April. Potential customers would be wise to educate themselves prior to approaching the market.