Defending against the cyber attacker

Shipping and Cybersecurity

By Félix Griman Cybersecurity expert

When the news reports a cybercrime, there will be a large number of companies that will clench their teeth thinking of the havoc these attacks represent, especially the lack of trust that their customers will experience towards that particular company.

In shipping as in most industries, there is actually a lack of infrastructure and personnel dedicated to detect, avoid and reject those intrusions and attacks from the outside. This is due to incorrectly assuming that these intrusions and hacking only happens to banks, financial industry, government security agencies or even the media.

The fact is that hacking, intrusions, attacks, stealing information, systems alteration etc., is such a reality and unfortunately, many companies do not realize that they are being affected by these kinds of crimes.

The dangers of having an open door for these attackers range from simple password stealing, to credit card data and/or personal information, payroll data, an enterprise’s confidential transactions, shipment data, drugs trafficking, smuggling, hardware and operating systems malfunctioning and destroying of systems.

All of us know how or what could be accomplished when an attacker steals information or data, but in most cases, companies don’t know that they might be shut down due to having their computers, communications, software or storage compromised or corrupted. This brings another big issue for any industry – how can they keep their business up and running, or applying a system backup, as most of them may lack a business continuity plan in case they are greatly affected by such attackers.

Confidence

One of the common ways to get into the company and personal information is as simple as the use of an e-mail, because it is one of the most commonly used technology and communication tools. Why this? The attackers have plenty of confidence in a very simple thing and that is the naivety and fear of the regular e-mail users.

For example, they can easily design an e-mail with exactly the same shape and layout of their banks and tell the “customer” their accounts are being compromised regarding its security and there is a need to update the account information and login. After that, they invite the user to do that update clicking on a link they provide.

There is a lot, and I mean a lot, of people who follow their fears and without asking or suspecting anything bad, click on the provided link and start to write all their bank information as if they were updating it, but the truth is, that they are giving in the most easy way, all the information to the cyber criminals.

This modus operandi could be applied from a personal mail account up to an enterprise mail account, giving the information needed to enter to the bank online account. Due to this, a lot of money and information has been stolen from a lot of companies that keep these things in silence to avoid being affected publicly and loose clients.

This is only one type of scam and is called phishing; there is a large range of cyber-crimes using the e-mail service as the vehicle to get the data they want and it can have a wide variety of implementations, i.e. auction fraud, chain mail, false computer support calls, donation scam, etc.

Sophisticated

On the other hand, we have the more sophisticated way of hacking and stealing information and data through direct attacks over the computing, communications and network devices. These kinds of attacks are called “Brute Force Attacks”.

This time, the attackers are high skilled technical professionals that use all of their knowledge to get access into the enterprise’s systems, breaking the security implemented, when it is implemented and well done; otherwise, anyone with a minimum knowledge could break into the systems and communications.

In these cases, the complete operational processes and information of the company can be affected, modified, stolen, erased, corrupted or a combination of all of these.

For example, I once was asked to perform a security audit in some servers from a worldwide oil company. It sounds like being a very big a powerful enterprise, all of this should be only to check what is supposed to exist (for ethical reasons, the name of the oil company cannot be mentioned). As a result, I was able to detect a number of security failures and get access to ALL the company confidential information.

Of course, being a professional and an ethical hacker, I previously signed a confidential contract with the company; I had to create a report with all my findings and as a result, the IT manager was removed from his duties.

In this example, the “authorized” intrusion was made directly by me. But what if an unethical hacker would want to try to get access to those networks and systems? They could have easily stolen all the information from wells data up to personal information of any employee.

Information

But beyond the stealing of a vital company and personal information, any security breaker would be able to damage and/or de-configure any computing or communication device and have all the operations down for a very long time in all the areas affected and it could happen in oil, gas, maritime and air shipments, ports, banks, insurance, logistics, food and any kind of company, including a shipping company.

Here we have another very big issue, what if there is no procedure or contingency plan to keep the business up and running after an attack? This is a very short article with a couple of examples regarding how companies can be affected; how information can be stolen, damaged and compromised by an unethical hacker if there is not a defense plan against intruders and most of all, if an industry, shipping in this case, doesn’t know all the risk it might have inside its operations.

Sadly, these kinds of things don’t belong exclusively in action movies but are very real.

About Félix Griman

Félix is an international expert in design and management of high-performance, fail-safe and resilient networks and systems infrastructure. Over two decades of experience in national security projects in several countries; implementation of secure transmissions, encryption, access levels; delivery times management, relationship with governments and companies as well as change management and dealing with conflicts at high-level national administration. Graduate in Systems Engineering and Chemical Engineering; Cisco CCNP, Microsoft MCSE. His interest is the cybersecurity applied to the shipping industry.