Cyber criminals look for the weakest point of entry – just like burglars in the physical world. A few simple tests can illustrate how mature an organization’s approach to cyber security is. An analysis, however, shows a critical current state and highlights improvements that would strengthen your cyber security.
Cyber attacks perpetrated by criminals tend to be opportunistic in nature. You want to target a company which appears to have access to sufficient funds to pay a ransom, and you want to attack a company which appears to have a low level of cyber security.
How do you know if a company has a low level of cyber security? In essence, you do not know before you genuinely attempt to compromise their systems. However, you can do quite simple reconnaissance prior to choosing a target to increase your chance of selecting a weakened target. This is no different from ordinary burglary – you take a quick look at a variety of targets and select the location which appears to have a low level of security and where no one appears to be home. At times you may be surprised to then find a solid safe and a bolted steel door despite the initial look from a distance, but the odds are that if the target looks weak from the outside, your chances of success also increase.
When it comes to cyber security, this principle is the same. You can look at very simple elements of security exposed visibly by companies and use this as an initial assessment of whether it appears to be an easy target.
It is important to note that seeing weak security elements from the outside is not solid proof that security behind the scenes is also weak. However, it is an indication: if the visible, outward-facing security is not good, then there is a higher likelihood that the internal security is also flawed. And if you appear weak on the outside, you are quite simply also more likely to be attacked, because you appear to be an easy target.
Unfortunately, if we look at the container shipping sector, this is a sector which continues to appear as an easy target.
At Improsec, we looked at some of the simplest outward-facing indicators in 2014 and 2017. On both occasions, we found that the industry appeared to be quite vulnerable. We have looked into the same indicators in 2020, and unfortunately we find that the industry has shown only limited improvement over this 3-year period.
Password strengths – are weak
In 2014 we examined which level of password security a carrier required from their customers when registering for their online e-commerce tools. It was found that 46% enforced a password policy requiring a password with a minimum length of 8 characters and with a mix of letters, numbers and characters. In 2017 this had changed to 44% enforcing such stronger password security. The recent examination in 2020 shows the level to have increased to 64%. But this still means that 36% of the carriers examined are perfectly OK with passwords of a length shorter than 8. There is even a case of a carrier willing to accept the single letter “x” as a password – and this as of October 2020.
Secure web – leaves a door open to attacks
Another outward-facing element is whether a carrier is using https for their customer-facing web tools, or whether they only use http. In this case, 25% of the carriers examined use the less secure http – despite https being one of the elements you use to prevent man-in-the-middle attacks – an attack type also seen used in the maritime sector.
Quote: “Only 50% use basic email security controls”
Mail security
The third and final outward-facing element we have looked into is whether the carriers use DMARC for security in their emails. The purpose of using DMARC is to prevent an attacker from being able to appear as a legitimate sender from the carrier itself. 50% of the carriers examined do not have DMARC enabled at all. 36% of the carriers do have DMARC enabled, but in a state where they actually do not prevent a third party from sending out fraudulent emails in their name. Only 14% have DMARC enabled in a way where fraudulent emails sent in their name are effectively blocked.
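A way to check which of these three groups your own domain falls into, given the TXT strings published at `_dmarc.<your domain>`. This is an added example, not Improsec's tooling; the group names, the sample records and the rule that "enforcing" means `p=quarantine` or `p=reject` applied to 100% of mail are assumptions of the example, since the article does not state its exact criteria.

```python
# Added example: sort a DMARC posture into the article's three groups.
# Input: the TXT strings published at _dmarc.<domain> (fetched separately).

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def is_dmarc(record):
    """RFC 7489: a DMARC record starts with the tag v=DMARC1."""
    tags = parse_tags(record)
    return bool(tags) and next(iter(tags)) == "v" and tags["v"] == "DMARC1"


def classify_dmarc(txt_records):
    """Return 'absent', 'not_enforcing' or 'enforcing'."""
    dmarc = [parse_tags(r) for r in txt_records if is_dmarc(r)]
    # No record, or several records: receivers apply no DMARC policy at all.
    if len(dmarc) != 1:
        return "absent"
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct falls back to the default
    # Assumption: only a blocking policy covering all mail counts as enforcing.
    # p=none, a missing p, or pct below 100 leaves spoofed mail deliverable.
    if policy in ("quarantine", "reject") and pct == 100:
        return "enforcing"
    return "not_enforcing"


# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "spf_only": ["v=spf1 include:_spf.example.net -all"],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "partial": ["v=DMARC1; p=reject; pct=25"],
    "blocking": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, "->", classify_dmarc(records))
```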
An end note…
As mentioned in the beginning, seeing container carriers exhibit these specific weaknesses is not proof that their internal cyber defenses are weak. It is, however, an indicator to potential attackers that this is an industry where cyber security might be in a weakened state: when the “simple” elements appear not to be in order, there is an increased likelihood that the more important back-end defenses are also not in order. And this leads potential attackers to the conclusion that this might be an industry which is worthwhile to target, as the potential success rate of an attack would be higher.
Improsec A/S
Improsec is a cyber security company specialized in pragmatic IT security, advising on both prioritization and implementation as well as technical solutions.
For further information, contact:
Claus Vesthammer, Partner and Security advisor at Improsec: [email protected] / (+45) 3131-9963