Ships have experienced a digital transformation in recent years. New technologies are helping them navigate the waters and ensure that everyone on board experiences the connectivity and convenience they expect. However, this increased volume of data has made ships an appealing target for criminal hackers.
What are the challenges specific to ships?
The days of ships navigating the waters with just a compass, chart and sextant for support are long gone. Ships are now more complex than the average organisation, and face a number of additional challenges.
Ships usually have an IP or Ethernet network for business systems, email and Internet usage, and a serial network for the operational technology, which controls vital functions such as steering, engine control and navigation data.
However, despite these on-board systems being vital to operations, cyber security isn’t quite as robust as it needs to be, leaving ships vulnerable to attack.
How can a ship be hacked?
At the most basic level, a ship’s Wi-Fi networks give crew and passengers an easy route to download malware. Crew also regularly use USB devices to transfer data between systems on board. The devices may be used for both personal and professional purposes, and are often unencrypted, as are the files stored on them.
If such a device were infected, all a criminal hacker would need to do to move from the IP network to the serial network would be to find the bridging points: devices that sit on both networks, such as the synthetic radar or the voyage data recorder.
Serial data communications usually follow a standard communications protocol for linking computers and peripheral devices to allow data exchange, e.g. Recommended Standards such as RS-232, RS-422 or RS-485. These standards define only the electrical interface and carry no authentication, so once on the serial network an attacker can intercept and alter communications relatively easily, making changes that are almost imperceptible to an unsuspecting crew.
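As an added example (not part of the original article), the following Python shows why alterations on the serial network are so hard to notice. It assumes the navigation data is carried as NMEA 0183 sentences, the usual framing for GPS and radar data over RS-422 links; the article names only the electrical standards, so that framing, the sample sentence and the 30-knot speed ceiling are assumptions made here. The sentence’s XOR checksum catches line noise but not an attacker, who simply recomputes it; the plausibility check at the end is one cheap defence a receiving system such as an ECDIS or autopilot can apply.

```python
import re

# Constructed sample GGA fix (a common textbook sentence, not from the article):
# time 12:35:19 UTC, 48 deg 07.038' N, 011 deg 31.000' E, checksum 0x47.
SAMPLE = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"

SENTENCE_RE = re.compile(r"\$([^$*]+)\*([0-9A-Fa-f]{2})")


def nmea_checksum(body: str) -> int:
    """XOR of every byte between '$' and '*'. Integrity against noise only:
    anyone who can write to the line can recompute it."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def parse_sentence(sentence: str):
    """Return the comma-separated fields, or None if framing or checksum is bad."""
    m = SENTENCE_RE.fullmatch(sentence.strip())
    if m is None:
        return None
    body, claimed = m.group(1), int(m.group(2), 16)
    if nmea_checksum(body) != claimed:
        return None
    return body.split(",")


def forge_field(sentence: str, index: int, value: str) -> str:
    """What a man-in-the-middle on the serial bus does: change one field and
    re-seal the sentence with a fresh checksum. The result validates cleanly."""
    fields = parse_sentence(sentence)
    if fields is None:
        raise ValueError("refusing to forge a sentence that is already invalid")
    fields[index] = value
    body = ",".join(fields)
    return f"${body}*{nmea_checksum(body):02X}"


def decode_latitude(field: str, hemisphere: str) -> float:
    """'4807.038', 'N' -> 48.1173 degrees (ddmm.mmm; negative for south)."""
    degrees = int(field[:2]) + float(field[2:]) / 60.0
    return -degrees if hemisphere == "S" else degrees


def plausible_jump(prev_lat: float, new_lat: float, seconds: float,
                   max_knots: float = 30.0) -> bool:
    """Rate-of-change check a consumer of the data can apply: one minute of
    latitude is one nautical mile, so reject any fix that implies a speed
    above what the hull can do. The 30 kn ceiling is an assumed figure."""
    travelled_nm = abs(new_lat - prev_lat) * 60.0
    allowed_nm = max_knots * seconds / 3600.0
    return travelled_nm <= allowed_nm


if __name__ == "__main__":
    genuine = parse_sentence(SAMPLE)
    forged = forge_field(SAMPLE, 2, "4807.538")   # move the ship 0.5 nm north
    assert parse_sentence(forged) is not None      # checksum is satisfied
    lat_before = decode_latitude(genuine[2], genuine[3])
    lat_after = decode_latitude(parse_sentence(forged)[2], genuine[3])
    print("forged:", forged)
    print("plausible in 1 s:", plausible_jump(lat_before, lat_after, 1.0))
```

The forged sentence passes every check the protocol itself offers; only the receiving system’s own sanity check (a half-mile jump in one second) reveals it. That is the practical meaning of “almost imperceptible”: the protocol gives the crew nothing to notice, so plausibility checks and network segmentation at the bridging points are what stand between an infected laptop and the autopilot.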
When the wrong people gain control
If a ship loses control of its systems, the passengers, crew and cargo face very real dangers. Cyber attacks can have physical repercussions. According to the UK Department for Transport’s Code of Practice for ships, a cyber attack can result in:
Physical harm to passengers, personnel, systems, cargo and the ship itself;
Loss of sensitive information, including personal and commercially sensitive data;
Disruptions caused by the ship no longer functioning or sailing as intended; and
Criminal activity, including kidnap, piracy, fraud and theft.
The motives for an attack aren’t always sinister, but the maritime industry needs to acknowledge the cyber security risks ships face and take steps to counter the threats. This could include:
They should also consider implementing an ISO 27001 ISMS (information security management system) to ensure that information security is managed in line with international best practice and business objectives.
The development of autonomous shipping and the rise of superyachts among the world’s super rich mean sea-faring vessels are likely to become even more appealing to cyber criminals. A life on the ocean wave is definitely not for the faint-hearted, and organisations must prepare to face the challenges head on.
This incident is separate to the one that came to light in October, which prompted Google to announce that it would shut Google+ down – a decision that the Wall Street Journal said was calculated to avoid reputational damage and regulatory interest.
Following the latest incident, Google has decided to close Google+ four months earlier than originally planned.
According to Google’s statement, it “recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way”.
The bug is said to have affected 52.5 million users and involves such data as:
Google will now “expedite the shut-down of all Google+ APIs” within the next 90 days, and consumer Google+ will be gone in April 2019.
A recent survey by Ping Identity shows that customers move away from brands that have suffered data breaches.
Data breaches are now a common occurrence – big-name brands affected in 2018 include FIFA, British Airways, Vision Direct, Eurostar and Marriott. These are just a few of the household names that have suffered at the hands of criminal hackers this year; investigations are ongoing and any penalties have yet to be confirmed.
It is essential for organisations of all types and sizes to do their absolute best to reduce the risks of a data breach. Not just because regulations and standards such as the GDPR (General Data Protection Regulation) and PCI DSS (Payment Card Industry Data Security Standard) demand it, not just because of the impact a breach has on daily operations, but because there is now statistical proof that customers will abandon brands that suffer a breach.
The risk of long-term reputational damage cannot be ignored.
One in five people (21%) have been victims of a breach. Of that segment, 34% experienced financial loss.
Following a data breach, 78% of people would stop engaging with a brand online. Furthermore, nearly half (49%) would not sign up and use an online service or application that recently experienced a data breach.
More than half of consumers (56%) are not willing to pay anything to application or online service providers for added security to protect their personal information.
59% prioritise the protection of their personal information when interacting with an online application or service, compared to only 12% who prioritise a convenient, straightforward user experience and 7% who prioritise a personalised user interface.
Although consumers are increasingly aware of risks and prioritise safety when choosing which platforms to interact with, the third finding highlights the fact that they still consider information security to be a corporate responsibility rather than a personal one.
How can organisations reduce risk?
Understand, align with and operate within the regulatory requirements of your industry. Whether that is the PCI DSS, the GDPR, Cyber Essentials certification or the NIS Regulations, compliance with regulatory frameworks will ensure you take the best steps to reduce risk as well as enabling you to effectively respond if you do suffer a breach.
Train your staff. Human error remains the leading cause of data breaches, so creating a cyber security culture in the workplace is the best defensive strategy. Training can be classroom-based, but there are other options such as e-learning, in-house training courses, and – of course – books for independent learning. Our staff awareness page is a great starting point, outlining areas for consideration and possible next steps.
Remain vigilant at all times. Within the realm of cyber security, being a little bit paranoid is a healthy approach. No one is too big (as seen from the names that have recently hit the headlines), nor too small. A 2018 survey revealed that SMEs are unprepared for cyber attacks despite 25% of them believing it is a matter of ‘when, not if’. The average cost for an SME to recover from an incident is about £90,000, so small organisations should invest in security measures to reduce risks.
Gartner predicts that global security spend will reach £71.72 billion by the end of the year due to four factors: regulatory change, buyers’ mindset, growing awareness of threats and changing to a digital business strategy. With more than 40% of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, it is easy to see why organisations are looking to invest.
However, when building your business case for investment, don’t forget to consider the potential long-term damage a breach could cause to your brand and the human instinct to withdraw from danger. No organisation can easily survive losing 78% of its potential audience.
To comply with ISO 27001, the international standard for information security, you need to know how to perform a risk assessment. This process is at the core of your compliance measures, as it helps you identify the threats you face and the controls you need to implement.
To complete this process, you need a risk assessment matrix.
What is a risk assessment matrix?
Organisations can’t be expected to address every risk they face, so they need a way to prioritise them. A risk assessment matrix provides a simple way of doing that, quantifying the risk using a simple scoring system.
One axis represents the probability of a risk scenario occurring and the other represents the damage it would cause. Each cell of the grid holds a score that combines the two values (most organisations multiply them; some add them).
How to use the risk assessment matrix
As you can see, the grid is colour-coded based on a series of thresholds: 1–3 is in green, 4–6 in yellow, and so on. Organisations can use these thresholds to help them determine their risk appetite, i.e. the level of risk they are willing to accept.
For example, an organisation might say that it will address anything with a score higher than 6, and accept anything lower as insignificant enough that it can be ignored. Where you set your threshold depends on the resources at your disposal. The lower your limit, the more risks you need to address and the more of ISO 27001’s controls you will need to implement.
There’s no universal system for determining the point at which the probability or damage of a risk moves from one number to the next. Organisations must decide that themselves, and document their rationale in their risk assessment methodology.
As a general guide, it’s worth remembering that the highest and lowest scores have to be open-ended (“anything that occurs more/less often than…”, “anything that causes more/less than x amount of damage…”). These should be the first two thresholds that you set, because they have a big effect on how precise your scoring mechanism is and on your risk appetite.
The higher your maximum value is, the lower the chances are of a risk scoring top marks. The reverse is true of your minimum value.
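An added example (not from the article, which contains no code) of the scoring scheme described above, in Python. It assumes five-point scales defined by upper bounds on annual frequency and on loss in pounds, a product-based score, and amber and red bands above the yellow one; the bounds, the register entries and the colours beyond yellow are all assumptions made for illustration, since the article only gives the green and yellow thresholds.

```python
from dataclasses import dataclass

# Scale definitions. Each list holds the UPPER bound of bands 1..4; band 5 is
# open-ended ("anything more often / more costly than the last bound") and
# band 1 is open at the bottom. The bounds are assumed for this example; a real
# methodology documents its own and the rationale for them.
LIKELIHOOD_BOUNDS = [0.1, 0.5, 1.0, 5.0]             # expected occurrences per year
IMPACT_BOUNDS = [1_000, 10_000, 100_000, 1_000_000]  # loss in GBP per occurrence

# Colour bands: 1-3 green and 4-6 yellow as in the article's matrix; amber and
# red above that are assumed.
RATING_THRESHOLDS = [(3, "green"), (6, "yellow"), (12, "amber"), (25, "red")]


def band(value: float, upper_bounds: list) -> int:
    """Map a measured quantity onto a 1..N+1 scale with open-ended extremes."""
    for score, bound in enumerate(upper_bounds, start=1):
        if value <= bound:
            return score
    return len(upper_bounds) + 1


def risk_score(per_year: float, loss_gbp: float) -> int:
    """Likelihood band multiplied by impact band (the usual matrix convention)."""
    return band(per_year, LIKELIHOOD_BOUNDS) * band(loss_gbp, IMPACT_BOUNDS)


def rating(score: int) -> str:
    """Colour of the matrix cell a score falls in."""
    for ceiling, colour in RATING_THRESHOLDS:
        if score <= ceiling:
            return colour
    raise ValueError(f"score {score} lies outside the matrix")


@dataclass(frozen=True)
class Risk:
    name: str
    per_year: float   # estimated frequency
    loss_gbp: float   # estimated loss per occurrence

    @property
    def score(self) -> int:
        return risk_score(self.per_year, self.loss_gbp)


def risks_to_treat(register, appetite: int):
    """Everything scoring above the appetite, worst first; the rest is accepted."""
    return sorted((r for r in register if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


# Constructed register for illustration.
REGISTER = [
    Risk("Phishing leads to credential theft", per_year=4.0, loss_gbp=50_000),
    Risk("Ransomware encrypts file server", per_year=0.3, loss_gbp=400_000),
    Risk("Unencrypted laptop lost", per_year=0.8, loss_gbp=8_000),
    Risk("Data centre flood", per_year=0.05, loss_gbp=3_000_000),
    Risk("Website defacement", per_year=2.0, loss_gbp=500),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.score:2d} {rating(r.score):6s} {r.name}")
    print("treat:", [r.name for r in risks_to_treat(REGISTER, appetite=6)])
```

With the appetite set to 6, as in the article’s example, the phishing (12) and ransomware (8) scenarios come out for treatment and the other three are accepted. Calling band(3_000_000, ...) with the top impact bound raised from 1,000,000 to 5,000,000 returns 4 instead of 5, which is the effect described above: the higher your maximum value, the harder it is for any risk to score top marks, so that threshold deserves the most thought and the clearest documented rationale.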
Need help documenting your risk assessment process?
IT Governance’s ISO 27001 ISMS Documentation Toolkit includes templates of every document you need to comply with the Standard, including comprehensive coverage of the risk assessment process. This toolkit makes it easy to document your:
Risk assessment procedure;
Risk management framework; and
Risk treatment plan.
Designed and developed by expert ISO 27001 practitioners, and enhanced by more than ten years of customer feedback and continual improvement, our ISO 27001 toolkit provides the guidance and tools you need for a hassle-free compliance process.
In November, Lush – the high-street store known for its fragrant, eco-friendly beauty products – temporarily lost the ability to take card transactions after a member of the IT team “deleted the till system by accident”.
As a result, Lush stores across the country could only take cash payments until the till system was restored.
Announced via Twitter, the story fizzed and quickly dissolved – much like one of the company’s bath bombs. However, although it has not been confirmed, it’s highly likely that Lush’s takings were hit hard by its inability to process card payments.
The value of an effective ISMS
Lush could have avoided this predicament by implementing an ISMS (information security management system) aligned to ISO 27001, the international standard for information security. The systematic approach of an ISMS aligns processes, technology and people, enabling an organisation to manage all of its information through effective risk management.
Considering Lush, the following ISO 27001 controls are of direct relevance:
Segregation of duties
Control A.6.1.2 of the Standard states that “segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organisation’s assets”. In Lush’s case, segregating duties would have meant that no single individual could delete the till system unaided.
Risk assessments
Clause 6.1.2 of the Standard requires organisations to carry out risk assessments to identify potential vulnerabilities. Lush should have:
Identified the information security risks associated with loss of availability;
Assessed the potential consequences if the risk identified were to materialise;
Assessed the realistic likelihood of the risk occurring; and
Determined if this was within its risk assessment criteria.
Alternatively, Lush could have put controls in place to reduce the risk, such as a two-step process for deletion, or limited the ability to delete via management of privileged access rights (control A.9.2.3).
Business continuity management
Although Lush’s till system was restored, there was further downtime the following day. This suggests that the company hadn’t effectively tested its business continuity processes. Control A.17.1.3 addresses exactly this: “The organisation shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.”
Reduce your risks
ISO 27001 is the internationally recognised standard that provides the specification for a best-practice information security management system, and the approach can be applied to any organisation, regardless of size or type.
The process begins by defining a methodology, i.e. a set of rules defining how to calculate risks. Some organisations ignore this step, going straight into the assessment process, but this jeopardises their compliance posture. Without a documented methodology, organisations don’t have a consistent way to measure risks and therefore can’t compare the risks identified in one part of the organisation to another.
What does a risk assessment methodology do?
The main aim of an ISO 27001 risk assessment methodology is to make sure everybody in your organisation is on the same page when it comes to measuring risks. For example, it will state whether the assessment will be qualitative or quantitative. If you didn’t do this, one department’s assessment report might be full of interviews with staff and historical data, while another’s would simply give numbers on a scale.
This would make your results almost useless, because there would be no way to compare them without doing further work.
Methodologies also outline specific terms for an organisation’s:
Baseline security criteria: the minimum set of defences to fend off risks;
Risk scale: a universal way of quantifying risk;
Risk appetite: the level of risk the organisation is willing to accept; and
Scenario- or asset-based risk management: the strategies to reduce the damage caused by certain incidents or that can be caused to certain parts of the organisation.
What methodology should you use?
ISO 27001 doesn’t prescribe a certain methodology because every organisation has its own requirements and preferences.
This can make defining your methodology a daunting process, but fortunately you don’t have to figure everything out by yourself. IT Governance’s ISO 27001 ISMS Documentation Toolkit provides templates for all the important information you need to meet the Standard’s requirements. It outlines everything you must document in your risk assessment process, which will help you understand what your methodology should include.
Gap analyses and risk assessments are two of the most important processes organisations must complete when implementing ISO 27001 or reviewing their compliance status.
There are a lot of similarities between the two, which often causes organisations to confuse them and use elements of one process in the other. This leads to unnecessary work and expenditure, and in some instances can result in the organisation failing to meet ISO 27001’s requirements.
To make sure this doesn’t happen to you, we’ve provided a quick guide explaining how each process works and how they fit together.
What is a gap analysis?
An ISO 27001 gap analysis gives organisations an overview of what they need to do to meet the Standard’s requirements. It involves going through each clause of ISO 27001, and each control in Annex A, and determining whether the organisation has implemented the necessary requirements.
This could be a simple tick-box exercise, with the unchecked requirements forming the gaps that might need to be addressed (the main clauses are all mandatory, but not every Annex A control will apply to you). Alternatively, you could take a more complex approach, determining whether:
There is no plan to implement the requirement;
There is a plan but the requirement hasn’t been implemented;
The requirement has been partially implemented;
The requirement has been implemented but hasn’t been reviewed; or
The requirement has been implemented and is regularly reviewed.
A gap analysis against Annex A is needed when developing your Statement of Applicability, and if that is all you need it for, you can limit the exercise to the Annex A controls. Bear in mind, though, that the requirements in the main clauses of the Standard are mandatory for every ISMS, so any gaps there must be closed regardless.
What is a risk assessment?
Risk assessments give organisations an idea of the threats facing them, how likely it is that each of those scenarios will occur and how severe the damage will be.
The process begins by creating a long list of risks, each of which is given a risk score. This is calculated by assigning a number to varying degrees of probability and damage, enabling the organisation to prioritise its biggest risks and decide which of ISO 27001’s controls it should implement.
If there are no risks that would justify the use of a certain control, there is no need to implement it. By contrast, if a control helps prevent a highly damaging or probable risk, the organisation should dedicate additional time and resources to it.
What’s the difference between the two?
A gap analysis shows organisations which of ISO 27001’s controls they have implemented, and in some cases provides additional information about their progress in meeting the Standard’s requirements.
However, it doesn’t help organisations understand whether each control is necessary. That’s what a risk assessment is for. The two processes therefore form two parts of a whole.
Hotel giant Marriott has confirmed that its Starwood Hotels & Resorts guest reservation database has been hacked by an unauthorised party.
Affecting up to 500 million people, the vast hack has exposed a considerable amount of data including:
Encrypted payment card numbers
Payment card expiration dates
While the payment card data was encrypted using Advanced Encryption Standard encryption (AES-128), Marriott has not yet been able to rule out the possibility that both components needed to decrypt the payment card numbers could have been taken.
In its statement, Marriott President and CEO Arne Sorenson said:
We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
Marriott has reported that it became aware of the breach in September this year, when it was alerted by an internal security tool regarding an attempt to access the Starwood database in the US. However, during the course of an internal investigation, the chain learned “that there had been unauthorised access to the Starwood network since 2014.”
The fine – issued under the Data Protection Act 1998, which was in force at the time of the incident – was compounded by Uber’s decision to pay the attackers $100,000 to destroy the data they’d downloaded rather than report the incident.
The ICO’s director of investigations, Steve Eckersley, said:
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.
“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
It’s been a pretty expensive week for Uber. As well as the ICO fine to contend with, it was fined €600,000 by the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, under its own pre-GDPR (General Data Protection Regulation) legislation.
However, both fines pale in significance when compared with the $148 million settlement Uber agreed to pay in the US in connection with the breach in September. Under its terms, the company was also required “to incorporate privacy-by-design into its products”.
According to the Financial Times, Uber said this week that it had made “a number of technical improvements to the security of [its] systems both in the immediate wake of the incident as well as in the years since”.
However, the first big GDPR fine could be on the way. Consumer agencies in seven EU countries have filed complaints against Google with their national data protection authorities for tracking users who have switched off their location history – in breach of the GDPR.
A press release from the European Consumer Organisation BEUC said:
“Google collects users’ location data notably through the features ‘location history’ and ‘web & app activity’, which are integrated into all Google user accounts. The company uses various tricks and practices to ensure users have these features enabled and does not give them straightforward information about what this effectively entails.
“These unfair practices leave consumers in the dark about the use of their personal data. Additionally they do not give consumers a real choice other than providing their location data, which is then used by the company for a wide range of purposes including targeted advertising.
“These practices are not compliant with the GDPR, as Google lacks a valid legal ground for processing the data in question.”
The council’s reaction was to delete the app, ask for it to be removed from app stores, and advise users to delete it from their devices.
However, what wasn’t clear at the time was that the third party involved was a developer for a technology company, who had contacted the council in line with its own guidelines when he detected that the app was leaking users’ personal data.
However, instead of thanking him for identifying the security vulnerability, the council reported him to the police.
This Tuesday, the company – the digital asset assurance platform RapidSpike – broke its silence. It explained:
“Despite the framing of this vulnerability report by the City of York Council, this vulnerability was disclosed following the Council’s own responsible disclosure guidelines. […]
“It is important to note here that our developer did not do ‘anything to exploit the vulnerability.’ He simply browsed to a page within the app, as any user would.”
It continued: “The Council’s initial statement and subsequent public media reporting left us confused with the portrayal of the issue. There is an established precedent in the UK for legitimate security researchers to disclose vulnerabilities within information systems to relevant security teams. The Council’s positioning of this good-faith disclosure as a deliberate attack flies in the face of the UK Government’s National Cyber Security Centre advice on the matter, and the International Standard framework for vulnerability disclosure.
“We have to say that North Yorkshire Police’s Digital Investigation & Intelligence Unit dealt with the whole situation superbly, and should be commended for their approach. It must also be noted that the security community have also stood up and supported our developer, even without the full story.”
According to ZDNet, a police spokesperson said the force did not regard the incident as criminal. “We recognise the benefits of software vulnerability disclosure as part of a healthy security environment and the researcher has acted correctly,” they said.
“There are times when ‘researchers’ overstep the mark but this is not one of those. We’d rather work with public-spirited individuals and share learning than criminalise people who act in good faith.”
“Whilst we consider we took appropriate measures based upon the facts at the time, we can now confirm that this was a well intended action by the individual concerned and we would like to thank them for raising this matter.”
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.