GTMaritime is now offering a penetration testing service free of charge which allows customers to evaluate the ability of their personnel to identify phishing attacks

Shipping companies choosing GTMailPlus and other solutions from the GTMaritime portfolio are employing best-in-class technology to prevent the vast majority of phishing attempts from ever reaching crew. But threats are continually evolving: hackers are constantly trying to come up with new ruses to outwit software-based protections, and occasionally malicious messages can slip through.
For this reason, crew cannot afford to become complacent in the belief that, with a technological safety net in place, everything that trickles down to their inbox is trustworthy and can be taken at face value. On the contrary, they must remain vigilant: the few malicious messages that do reach human eyes will have a higher than average chance of resembling an authentic request and may employ advanced social-engineering techniques which make them harder to recognise.
Quality ship operators understand this and take a holistic approach to cyber defence. To supplement the work done by technological tools such as GTMailPlus by GTMaritime, they routinely offer staff training on what to look out for and ensure they stay ever alert to the dangers.
However, it can be difficult to gauge exactly how well these measures are working or to identify areas that would benefit from improvement. In the same way that cyber criminals are constantly refining their techniques, ship operators too must continually adapt.
Last autumn GTMaritime started offering a penetration testing service free of charge to its shipping company customers. The service involves sending a selection of crafted spoof phishing messages to crew to test for alertness and for response. These realistic but ultimately harmless simulated attacks offer an effective way of gathering quantitative evidence on the alertness of the frontline staff most exposed to hoax emails.
By revealing weaknesses in training provision and identifying instances where common hallmarks of illegitimate requests are missed, the free service allows customers to pinpoint where educational resources can be enhanced or redirected, knowledge gaps plugged and awareness raised.

Test results were surprising

We recently completed a two-round penetration test for an established shipping company.
For the initial test the vessel operator in question chose to send one spoof message appearing to come from a Port Authority requesting basic identifying information about the vessel and its owner. Sixteen ships, comprising a mix of tankers, bulk carriers and managed vessels, were selected for the exercise. Half correctly identified the message as a phishing attempt and ignored it, but half complied with the request and supplied the information asked for. Of the latter group, in no case was the message escalated to management for a second opinion or advice on how to proceed.
The 50-50 split certainly raised pulses at company headquarters, as the spoof email was written in poor English and emanated from a mysteriously unnamed port authority – both common traits that should ring alarm bells. To determine if the same result would be found if more detailed information was requested a second test was employed.
This time the message that supposedly came from a port authority had a personalised subject line that mentioned the target vessel’s name and IMO number. There is mounting evidence of cyber criminals including references to familiar people or organisations, adding a veneer of authenticity that encourages the targeted recipient to lower their guard.
The rogue message went on to request a crew list, cargo declaration (or, if in ballast condition, intended cargo and loading port if known), whether armed guards were on board or had been over the past three months (and name of security company engaged) and other information. Clearly if intelligence of this sort was passed to pirates, it could jeopardise the safety of vessel and crew.
The response to this second test showed a marked improvement over the first. Eight recipients immediately detected something was amiss and ignored the request. Encouragingly, three more were now suspicious enough to escalate the approach to the head office for guidance on how to proceed. Head office personnel were kept in the dark about the test but reacted correctly, advising vessels not to send any data and also alerted the IT department.
Even so, five vessels still obligingly followed the instructions in the message without properly considering either the safety or commercial ramifications of such particulars falling into the wrong hands.

The testing resulted in heightened awareness and enhanced procedures

Following the penetration tests GTMaritime provided the vessel operator with educational materials for both staff and IT personnel.
The operator took an enlightened view to the results, seeing them as an opportunity to learn rather than apportion blame. It later shared the full findings in a company-wide security bulletin in the hope that using real data rather than hypothetical scenarios to present the dangers would drive home the need for vigilance. 
“The Anti-Phishing penetration test highlighted that whilst we have technological tools in place to help prevent phishing attacks, we are still reliant on our staff to be vigilant” says the vessel operator “We are using the results to help format our security procedures going forward and will run future penetration tests to ensure their effectiveness.”
At GTMaritime, we believe that technological and human components are equally important in developing cyber-resilience. While customers can rely on us to handle the technical defences, the exercise described above plainly demonstrates the usefulness of penetration testing in bringing to light and addressing the human-element.

■Contact: GTMaritime www.gtmaritime.com