GTMaritime is now offering a penetration testing service free of charge which allows customers to evaluate the ability of their personnel to identify phishing attacks
Hackers are constantly trying to come up with new ruses to outwit software-based protections. For this reason, crew cannot afford to become complacent in the belief that, with a technological safety net in place, everything reaching their inbox is trustworthy and can be taken at face value.
On the contrary, they must remain vigilant: the few malicious messages that do arrive will more likely resemble an authentic request or employ advanced social-engineering techniques, which make them harder to recognise.
Quality ship operators understand this and take a holistic approach to cyber defence. To supplement the work done by technological tools such as GTMailPlus by GTMaritime, they routinely remind staff to stay alert and offer training on what to look out for.
However, it can be difficult to gauge exactly how well these measures are working or to identify areas that would benefit from improvement. In the same way that cyber criminals are constantly refining their techniques, ship operators too must continually adapt.
Last autumn GTMaritime started offering a penetration testing service free of charge to its shipping company customers. The service involves sending a selection of crafted spoof phishing messages to crew to test for alertness and for response. These realistic but ultimately harmless simulated attacks offer an effective way of gathering quantitative evidence on the alertness of the frontline staff most exposed to hoax emails.
By revealing weaknesses in training provision, the free service allows customers to pinpoint where educational resources can be enhanced or redirected, knowledge gaps plugged and awareness raised.
Test results revealed weaknesses
We recently completed a two-round penetration test for an established shipping company. For the initial test the vessel operator sent to sixteen of its captains a spoof message appearing to come from a Port Authority requesting basic identifying information about the vessel and its owner.
Half correctly identified the message as a phishing attempt and ignored it, but half supplied the information asked for. Of the latter group, in no case was the message escalated to management for advice on how to proceed.
The 50-50 split certainly raised pulses at company headquarters, as the spoof email was written in poor English and emanated from a mysteriously unnamed port authority – both common traits that should ring alarm bells. To determine if the same result would be found if more detailed information was requested a second test was employed.
This time the message that supposedly came from a port authority had a personalised subject line that mentioned the target vessel’s name and IMO number. There is mounting evidence of cyber criminals including references to familiar people or organisations, adding a veneer of authenticity that encourages the targeted recipient to lower their guard. The rogue message then asked for a host of sensitive particulars and security details, which if passed on to pirates could jeopardise the safety of vessel and crew.
The response showed a marked improvement over the first test. Eight recipients immediately detected something was amiss and ignored the request. Encouragingly, three were suspicious enough to seek guidance from head office. Although head office personnel were kept in the dark about the test, they reacted correctly, advising vessels not to send any data and also alerted the IT department.
Even so, five vessels still obligingly followed the instructions in the message without properly considering either the safety or commercial ramifications of sensitive information falling into the wrong hands.
Path to enhanced education and procedures
Following the penetration tests GTMaritime supplied the vessel operator with educational materials for both staff and IT personnel. The operator took an enlightened view to the results, seeing them as an opportunity to learn rather than apportion blame. It later shared the full findings in a company-wide security bulletin in the hope that using real data rather than hypothetical scenarios to present the dangers would drive home the need for vigilance.
“The Anti-Phishing penetration test highlighted that whilst we have technological tools in place to help prevent phishing attacks, we are still reliant on our staff to be vigilant. We are using the results to help format our security procedures going forward and will run future penetration tests to ensure their effectiveness.”
At GTMaritime, we believe that technological and human components are equally important in developing cyber-resilience. While customers can rely on us to handle the technical defences, the exercise described above plainly demonstrates the usefulness of penetration testing in bringing to light and addressing the human-element.