Home >> October 2020 Edition >> Phishing Penetration Test Measures Crew Vigilance
Phishing Penetration Test Measures Crew Vigilance
By Mike McNally, Global Commercial Director, GTMaritime


Now being offered — free of cost — is a penetration testing service from GTMaritime that enables customers to evaluate the ability of their personnel to identify phishing attacks.

Shipping companies choosing GTMailPlus and other solutions from the GTMaritime portfolio are employing best-in-class technology to prevent the vast majority of phishing attempts from ever reaching crew.

However, threats are continually evolving. Hackers are constantly attempting to come up with new ruses to outwit software-based protections and, occasionally, malicious messages do slip through.

For this reason, crew cannot afford to become complacent in the belief that, with a technological safety net in place, everything that trickles down to their inbox is trustworthy and can be taken at face value.

On the contrary, they must remain vigilant: the few malicious messages that do reach human eyes will have a higher than average chance of resembling an authentic request and may employ advanced social-engineering techniques which make them harder to recognize.

Quality ship operators understand this and take a holistic approach to cyber defence. To supplement the work done by technological tools, such as GTMailPlus by GTMaritime, they routinely offer staff training on what to look out for and work to ensure they stay ever on the alert to these dangers.

However, it can be difficult to gauge exactly how well these measures are working or to identify areas that would benefit from improvement. In the same way that cyber criminals are constantly refining their techniques, ship operators, too, must continually adapt.

Last autumn, GTMaritime started offering a penetration testing service free of charge to its shipping company customers. The service involves sending a selection of crafted spoof phishing messages to crew to test for alertness and for response.

These realistic but ultimately harmless simulated attacks offer an effective way of gathering quantitative evidence on the alertness of the frontline staff most exposed to hoax emails.

By revealing weaknesses in training provision and identifying instances where common hallmarks of illegitimate requests are missed, the free service allows customers to pinpoint where educational resources can be enhanced or redirected, knowledge gaps plugged and awareness raised.

Test Results Were Surprising

We recently completed a two-round penetration test for an established shipping company.

For the initial test, the vessel operator in question sent one spoof message that appeared to come from a Port Authority requesting basic identifying information about the vessel and its owner. Sixteen ships, comprising a mix of tankers, bulk carriers and managed vessels, were selected for the exercise. Half of these vessels correctly identified the message as a phishing attempt and ignored it — half complied with the request and supplied the requested information. Of the latter group, in no case was the message escalated to management for a second opinion or advice on how to proceed with the request.

The 50-50 split certainly raised pulses at company headquarters, as the spoof email was written in poor English and emanated from a mysteriously unnamed port authority — both common traits that should ring alarm bells. To determine if the same result would be found if more detailed information was requested, a second test was employed.

This time the message that supposedly came from a port authority had a personalized subject line that mentioned the target vessel’s name and IMO number. There is mounting evidence cyber criminals include references to familiar people or organizations, and that adds a veneer of authenticity to the message that encourages the targeted recipient to lower their guard.The rogue message requested a crew list, cargo declaration (or, if in ballast condition, intended cargo and loading port, if known), whether armed guards were on board or had been over the past three months (and name of security company engaged) as well as other information. Clearly, if intelligence of this sort was passed to pirates, it could jeopardize the safety of vessel and crew.

The response to this second test showed a marked improvement over the first message. Eight recipients immediately detected something was amiss and ignored the request. Encouragingly, three were now suspicious enough to escalate the approach to the head office for guidance on how to proceed. Head office personnel were kept in the dark about the test but reacted correctly, advising vessels not to send any data and also alerted their IT departments.

Even so, five vessels still obligingly followed the instructions in the message without properly considering either the safety or commercial ramifications of such particulars falling into the wrong hands. The testing resulted in heightened awareness and enhanced procedures.

Following the penetration tests GTMaritime provided the vessel operator with educational materials for both staff and IT personnel.

The operator took an enlightened view of the results, seeing them as an opportunity to learn, rather than apportion blame. It later shared the full findings in a company-wide security bulletin in the hopes that using real data rather than hypothetical scenarios to present the dangers would drive home the need for vigilance.

The Anti-Phishing penetration test highlighted that whilst we have technological tools in place to help prevent phishing attacks, we are still reliant on our staff to be vigilant,” said a vessel operator “We are using the results to help format our security procedures going forward and will run future penetration tests to ensure their effectiveness.”

At GTMaritime, the company believes that technological and human components are equally important in developing cyber-resilience.

While customers can rely on us to handle the technical defenses, the exercise described in this article clearly demonstrates the usefulness of penetration testing in bringing to light and addressing the human-element.

Mike has more than 25 years' experience working in the industry both at sea and in senior maritime communications management positions. He began his career at sea, working on offshore tugs and commercial fishing vessels before becoming a deck officer on Getty product tankers. After coming ashore, he joined Globe Wireless, a major global maritime satellite service reseller. During two decades at the company, he oversaw an exponential growth in sales figures and was instrumental in introducing VSAT, Iridium and iFusion line of Fleet Broadband solutions into its range of services. Several years prior to Inmarsat taking over Globe Wireless McNally was retained by Inmarsat in Switzerland to manage maritime distribution partners for its new Global Xpress service, ultimately becoming Vice President Sales for the Americas. Before joining GTMaritime in 4Q18, he spent the three years prior, as Managing Director for Telemar USA, overseeing its successful merger into Marlink.