Cyber security is a very hot topic for the airline industry right now, with British Airways, Delta Airlines and, most recently, Cathay Pacific all being targeted, compromising the personal data of hundreds of thousands of passengers. The threat of compensation claims, and regulatory fines is significant enough in itself, but of even greater risk is the potential threat of disruption to aviation infrastructure and to the security of airplanes in flight. Sonny Sehgal considers how airlines can respond to the threat.
The threat is put into perspective when you consider the current profile of cyber criminals. Organised crime gangs, rogue state actors and even terrorist groups are all now investing in building up their own cyber-crime capabilities. Their motives might be financial or political, but the leverage they will use to get to their final objective is the same: the threat of disruption or disaster to extort money or achieve political goals.
The Insider Threat
As robust firewalls and virus monitoring software have hardened the corporate IT perimeter security, hackers have now started to focus on people as their principal target. The weakest link in the corporate security chain is now human beings rather than technology. The so-called insider threat, also known as ‘social engineering’, is an attack vector relying on human interaction that tricks people into breaking normal security procedures to gain access to the network. UK government data points to the success of this strategy, with 75% of businesses suffering staff-related data breaches in the last year according to the Cyber Security Data Breaches Survey 2018.
A social engineering attack looks to compromise a human being through several possible routes. The most commonly known is a spear phishing attack, where hackers put together target individual profiles researched through social media. They construct a jigsaw picture of an individual; his employer, phone company, bank, football team, etc. and then use this information to improve their chances of guessing his password, or hacking into less secure networks, such as his e-mail or Twitter account.
A less complicated trick is simply to go to a smoking area outside a big office and leave branded USB sticks on the ground. Sooner or later someone will pick one up, pop it in to the system out of curiosity and then the virus is on the inside.
Disgruntled employees are another route to obtain insider information. Cyber criminals may hire a social engineer to gain employment with, or access to, a target company, as a messenger, cleaner or desk worker. Once inside the company the social engineer can download data, passwords or employee lists or payment information. They could even knowingly download viruses via links attached to external emails.
So, what can be done to protect your company against the new social engineering threat? Here are six good practice security tips that can help to mitigate, if not eliminate, the threat:
Train your employees well and raise awareness about the social engineering threat. Warn them about information they make public on social media and about the threat from e-mails, hyperlinks and phone calls.
Protect all your employee devices against viruses and other malicious code using up-to-date anti-virus software. Also ensure that you have a robust BYOD (bring-your-own-device) policy, which guards against employees introducing viruses to your network through mobile devices that they bring to work or use remotely whilst connected to your network.
Secure your network from the internet by using a firewall. Avoid using Wi-Fi, if possible, and if you must then make sure it is securely configured. Only allow secure VPN connections with employees outside the office.
Require employees to use unique, hard to guess passwords, and make sure that your security policy requires password changes at regular intervals. Ensure that you revoke all passwords and other forms of secure access as soon as an employee leaves the company.
An offsite or cloud hosted backup system is now a basic business requirement. But this may prove useless if you do not ensure that your backups are stored securely and tested on a regular basis. Malware can encrypt all your sensitive data until you pay a ransom demand. A regular backup will allow you to wipe and restore rather than pay the ransom, in addition to guarding against other data loss issues.
Finally, implement a leading-edge network behaviour monitoring solution, such as ThreatSpike. This will monitor your network for suspicious insider activity such as failed password attempts, visits to dubious websites or downloading of data unrelated to an individual’s role. This can provide actionable intelligence to nip an attack in the bud or retrospectively audit old data trails to find out if past behaviour has been suspicious.
Sonny Sehgal is CEO and head of cyber security at Transputec, an innovative IT company that provides leading-edge monitoring software and cyber security as a service to its clients in the air sector and other industries.