WHITEPAPER: MARITIME CYBER THREATS CAN THEY BE PREVENTED?

WE PROTECT YOUR DIGITAL SHIP WWW.PORT-IT.NL

Date post: 07-Jul-2018

ABOUT PORT-IT

Port-IT is a specialized maritime IT service provider with over 15 years of experience. Dealing exclusively with the maritime industry gives Port-IT a distinct advantage and inside knowledge of the limitations and challenges that are involved when implementing IT and IT security in that particular sector.

Intimate knowledge about commonly used communication clients, protocols and connection methods led to the development of a specialized Antivirus Service designed to give the best continuous protection possible without losing sight of data usage and the technical skill needed for operation.

During the past 5 years Port-IT Antivirus has grown to be the market leading Antivirus solution in the Maritime sector by maintaining and improving on high-level security, fast response times and low data usage, and it continues to do so.

INTRODUCTION

In this document we will discuss in which manner digital threats can impact the systems on a vessel and how Port-IT Antivirus and additional software services effectively counter these threats in a manner that is suitable for a maritime environment.

We will show different ways a ship can be infected, the direct consequences and the potential longer term impact an infection might have.

In the second part we will clarify the different forms digital threats can take:
• Malware
• Viruses
• Worms
• Trojans

In the third part the goals and current trends of Malware threats are discussed:
• Nuisance
• Botnets
• Direct Damage
• Ransomware and Cryptoware

In the fourth part we will drill down on the techniques used by Port-IT Antivirus to fight these threats, such as:
• ESET Antivirus
• Signature based antivirus
• Advanced Heuristics
• Exploit blockers
• Advanced Memory scanner
• Vulnerability shield
• Botnet Protections

In the fifth part we will highlight the unique aspects of our design that make this solution perfectly suitable for maritime use, including:
• Streamlined update process
• Integrated engine updates
• Resending updates with full control
• Safe update distribution on board the vessel
• Update monitoring and out of date signaling

In the final part we will discuss additional Safety measures that can be taken to ensure the security of data and systems on board:
• Proper backup solutions
• Data Encryption
• System Updates
• Zero day Malware protection using advanced Firewall solutions


INFECTION

In the Maritime industry, data transport is costly. Therefore internet connections are limited and kept to a minimum. Even when a permanent satellite connection is present, capacity is limited.

The fact that a vessel is only very briefly connected to the internet and with limited capabilities might give the indication that the risk of infection is also limited. However a digital threat does not need a large window in order to infect your system.

A great number of infections nowadays come from threats that are disguised as digital documents (.docx, .pdf) that are sent via mail. The ongoing developments in this field make it easier for any person with minimal technical knowledge to engineer and tailor an attack to its recipient (for more information on this, please see our online Hack demo video). This makes the risk of infection much more real because it only takes a single click to have a system infected.

Infection by physical file transfer

Every so often a file needs to be transferred to a computer by physical media, be it a USB drive or CD/DVD. Often this is done in port by an agent, but file transfers among the crew on board are also common.

This means bringing in data from the uncontrolled outside to the limited, controlled computer environment on board, meaning that the data these people bring in is only as safe as the precautions they have taken.

USB drives that are used for personal use by the crew are often also in use for the transfer of files on business PCs. This way an infection can spread from the uncontrolled personal computers on board to your systems used for daily operation, complicating the removal of the infection and increasing the risk of reinfection.

Infection through the World Wide Web

When a vessel is equipped with Crew internet and is allowed to visit the unrestricted internet, the risks of infection go up exponentially.

Nowadays infections are no longer only caused by visiting suspect websites, but can occur on every website that is visited, for example by showing an infected advertisement.

Combined with the circumstances provided above an infection can spread through your vessel like wildfire.

Infection via email

Digital distribution of documents and forms is standard nowadays. With the large amount of documents a vessel needs to send and receive on a daily basis, especially when approaching a port, this creates a perfect way to initiate an attempt to infect a system.


Consequences of infection

We have established that a limited connection to the outside world does not guarantee a lower chance of infection. Limited connectivity likewise has no influence on the risk an infection poses once it is on board.

Once your system is infected, its limited ability to connect to the outside can seriously hamper the cleanup process if no solution is present on board at that time. This can allow the infection to do its damage unrestricted for an extended period of time, at least until the next port is reached.

An active infection on a vessel can disrupt normal operations in a number of ways, ranging from hiding important files to hijacking your computer and encrypting everything on it in exchange for a ransom fee. Disruptions in daily operations can vary from minor inconvenience to being unable to perform crucial tasks, resulting in anything from financial loss to endangerment of the crew on board.

FORMS OF DIGITAL THREATS

Above we have established that the risk of infection is real and that the consequences of such an infection can be severe. We will now evaluate a number of common infections. We will look at their characteristics, means and goals, as well as their development over the years.

Malware

A term which is used frequently, and incorrectly, as a separate category of threat.

Malware is a universal term for software with malicious intent. Key characteristic is that the software is specifically written with this intent and not a result of bad or buggy coding. If this characteristic is used as a base, all categories described below can be categorized as malware.

Virus

The most well-known, or at least most often used, description of a digital threat.

A virus is a piece of malicious code that attaches itself to an existing file in a parasitic manner.

This means that a virus always needs a host to attach itself to, usually an executable file. It spreads by copying and attaching itself to other files, each time infecting a larger part of your system. Because of the self-replicating nature of viruses they keep spreading by having the user just use an infected program.

When attached, often the original file will keep functioning as it normally would, but the virus might also opt to disable the executable file it has attached itself to.

The goal of virus-class threats can vary from causing slight annoyance (by opening popups for example) to disabling crucial system components or specific programs. Removing these threats can sometimes prove difficult because of their nature to embed in existing files. This often means that infected files cannot be cleaned but need to be quarantined or deleted, often rendering the piece of software it belonged to unusable.


Worm

Computer worms are similar to viruses in the sense that they are self-replicating and can cause the same type of damage.

The defining characteristic of a worm as opposed to a virus, which latches itself to an existing file, is that a Worm is a standalone file or group of files, often disguised as a legitimate process or file.

Worms often use a vulnerability in the system or social engineering to trick users into activating them. Once on your system, the worm will behave as a normal program on your system, using commonly available services from your operating system to spread on your pc or even other systems on your network which have file sharing enabled. This characteristic makes worms able to quickly spread across your network.

Trojan

Named after the Trojan Horse of Greek mythology, Trojans rely on deception to infect your system. Often the user is tricked into activating the file which activates the Trojan.

Once embedded on the system a Trojan can do direct damage in the same way Viruses or Worms do, but often a Trojan is deployed to open a back door in the system, making it vulnerable for further infection or exploits. If all the Trojan does is open the door for another program, detection could sometimes prove to be difficult as the malware just lies dormant for most of the time.

Unlike Viruses and Worms, Trojans do not self-replicate, but solely rely on user interaction to spread. This makes them less infectious, but does not lower the threat they pose in any kind.

GOALS AND CURRENT TRENDS

In the past, malware was often used as a showcase of programming skills. This was reflected in the ways it manifested, being mostly slightly annoying. Occasionally a piece of malware with true malicious intent was written, which usually resulted in unusable or deleted files.

Over the years malicious intent has become the main focus of most malware. The methods of doing damage have also improved, making newer malware much more destructive and more difficult to combat.

Malware nowadays is known to reside in “inaccessible” parts of your hard drive or to actively mask its existence, as is the case with so-called “rootkits”.

Besides the development of more advanced malware, the most noticeable trend currently seen in Malware is the emergence of a new goal: Financial gain.

Most malware written and deployed nowadays is focused on financial gain in some way or another.

Advertisements and data gathering

The simplest way for the maker to earn money from malware is for the malware to show advertisements on the computer by using popups, generating income per advertisement shown. This method is very noticeable for the user and quickly gives a signal that something is out of the ordinary, making it ineffective in generating a large amount of income. Combined with decreasing rewards for online advertisements, this method is quickly losing ground to other methods.

Another method employed by malware makers is the collection of data about the users and their behavior, by planting a piece of malware that keeps track of everything the user does on his computer (time spent, sites visited, email addresses, passwords, credit card data). This information can then be sold to companies to use without your consent, or financial data can be stolen, possibly resulting in actual money being stolen.


Botnet

A botnet is a network of computers that are being controlled by an outside source. Usually the owners of these infected systems have no idea their computer is part of a botnet, mainly because the bots can lie dormant for an extended period of time until the botnet controller activates them.

Botnets are commonly used to carry out DDoS (Distributed Denial of Service) attacks in order to shut down or cripple certain online services. During these attacks, all infected computers try to connect to one point repeatedly and in doing so overload the service, causing it to become unreachable for the general public.

Larger Botnets can consist of over 1 million unique PCs, making them potentially extremely powerful.

Sending spam messages is also a commonly used purpose of a botnet, as is information gathering.

Botnets can be seen as soldiers of fortune, where capacity is rented out by the controllers to fulfill the wishes of the highest bidder, be it incapacitating certain services or using the botnet to gather information or send spam messages.

Although being part of a botnet does no real direct damage to the PC, except for slowing it down, the connections these botnets make can lead to greatly increased data usage, which can prove costly when on a satellite connection. Also if suspicious behavior is detected there is a risk that the IP address or connection is blacklisted, making it impossible for the vessel to connect to certain addresses.

Ransomware

The latest and most troubling development is the emergence of Ransomware and Cryptoware.

After infection, both threats lock down your computer, making sure that important files and processes are no longer accessible.

Ransomware usually locks the computer, often displaying a screen where it states it acts on behalf of an official organization because something illegal was done on the system. The malware then suggests the problem can be solved by paying a fine to unlock the computer, after which the system should be unlocked. The screen provides payment details. After payment, more often than not the lockdown is not lifted, leaving the PC owner without a functional system.

Ransomware can prove difficult to remove, but in general the infection is not destructive. After removing the lock all files and folders are accessible again and intact. This makes them a nuisance and potentially costly, but ultimately in most cases no more than that.


Cryptoware

Cryptoware shares many of the same characteristics as Ransomware in that both are purely driven by motives of financial gain. The methods used however are much more aggressive and potentially destructive.

Instead of denying access to your computer but leaving all files unharmed, Cryptoware runs in the background and, while doing so, searches for and encrypts all files and documents that can be of any value to the owner (office files, images, .PDF files etc.). During this process it makes all the files it targets unusable unless they are decrypted using a key only the virus creator possesses.

Once the encryption is completed a screen will appear, ordering the victim to pay a certain amount of money (usually in Bitcoin) in order to be able to decrypt the files. Often a timeframe is given in which the payment has to be fulfilled or the decryption key will be discarded, in which case the files can no longer be recovered and are essentially lost forever.

The encryption process is so advanced, and once completed irreversible without the key, that several national security agencies such as the FBI have stated that the best option is to “just pay the ransom”.

Paying the decryption fee does return access to the owner’s files in most cases, but can prove costly. The most common fee consists of 1 bitcoin, which amounts to around €380,- (at the time of writing).

The loss of data and funds is preventable by making backups on a regular basis, but prevention by using a properly updated Antivirus is always the preferred option.

PORT-IT ANTIVIRUS POWERED BY ESET NOD32

To ensure optimal security and protection against digital threats, Port-IT uses the powerful ESET NOD32 scan engines.

ESET is a reliable IT-security partner with over 25 years of experience in developing protection against all forms of digital threats. ESET is one of the leaders in the field of heuristic detection and specializes in technology that predicts emerging viruses and develops effective defenses before they can do any damage.

Vessels are often equipped with a great variety of computers, ranging from brand new with the latest operating system to older systems that have been running undisturbed for a number of years. Port-IT Antivirus is designed to be used on virtually all systems due to maintaining very low minimal system specifications. A minimum of Windows XP SP3 is required for the software to run.

ESET NOD32 Endpoint security uses a wide variety of methods to maintain a high level of security. In the following section we will briefly review and summarize these techniques and modules.


Signature based Antivirus

Some might say that the traditional Antivirus method of detection by storing file hashes and fingerprints is dead, and in some ways it is. The ever evolving nature of threats has caused hash- and fingerprint-based detection to become ineffective in most cases, only covering an extremely small percentage of the threats in the wild.

However signature based antivirus has evolved as well, going from storing file hashes and fingerprints to a more advanced way to recognize threats.

Signatures nowadays can be seen more as descriptions of malicious behavior and are used to describe certain characteristics displayed by malicious software, making it possible to detect a range of threats and instructions.

The strength of ESET’s proactive detection lies in the Smart DNA signatures. They ensure that the detection is effective, as well as efficient – a single well-crafted signature can detect thousands of related malware variants and enables our antivirus software not only to detect malware that is already known, or has been seen before, but also new, previously unknown variants.

Seeing Signature based Antivirus in this new light makes one draw the conclusion that it is not dead, but a good tool to cover part of the protection from threats in a fast and relative lightweight manner. This means that even though only Signature based Antivirus does not provide enough protection, it is still an integral part of the protection of your system.
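The difference between the two kinds of signature described above can be made concrete with a small added example (written for this page, not ESET's or Port-IT's code). The two byte strings are constructed, harmless stand-ins for two variants of one malware family; the family name "Constructed/Dropper" and the marker text are assumptions for the demo. An exact-hash signature only recognizes the sample it was taken from, while a descriptive signature written against the family's stable characteristics, with wildcards where variants differ, also catches the variant that was never seen before.

```python
import hashlib
import re

# Constructed, harmless byte strings standing in for two variants of one
# malware family. They are NOT real malware samples; they only carry the
# kind of stable marker an analyst would write a family signature against.
SAMPLE_A = b"MZ\x90\x00" + b"DROPPER v1 http://example.invalid/payload" + b"\x00" * 8
SAMPLE_B = b"MZ\x90\x00" + b"DROPPER v2 http://example.invalid/update" + b"\x00" * 8

# Classic signature: the exact SHA-256 of a sample that has been analysed.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE_A).hexdigest(): "Constructed/Dropper.A",
}

# Descriptive signature: a pattern over the family's stable characteristics
# (marker string, a version field, an embedded URL) with wildcards where the
# variants differ. One rule covers every variant that keeps this structure.
PATTERN_SIGNATURES = {
    "Constructed/Dropper.gen": re.compile(rb"DROPPER v\d+ http://[a-z.]+/\w+"),
}


def hash_scan(data: bytes):
    """Return the detection name if the exact file hash is known, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_scan(data: bytes):
    """Return the first descriptive signature whose pattern matches, else None."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes):
    """Layered lookup: the cheap exact-hash check first, then the descriptive patterns."""
    return hash_scan(data) or pattern_scan(data)


if __name__ == "__main__":
    for label, sample in (("known sample A", SAMPLE_A), ("new variant B", SAMPLE_B)):
        print(f"{label}: hash={hash_scan(sample)} pattern={pattern_scan(sample)}")
```

Running it shows the point of the section: variant B slips past the hash lookup but is still caught by the single family pattern, which is why the paper treats signatures as descriptions of behavior rather than as file fingerprints.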

Advanced Heuristics

Advanced Heuristics is one of the technologies used for proactive detection. It provides the ability to detect unknown malware based on its functionality through emulation. The latest version introduces a completely new way of code emulation based on binary translation.

This new binary translator helps to bypass anti-emulation tricks used by malware writers. Along with these improvements, DNA-based scanning has also been extended significantly. This allows for better detections which address current malware more accurately.

Exploit Blocker

Exploit Blocker is designed to fortify commonly exploited applications such as web browsers, PDF readers, email clients or MS Office components. It monitors behavior of processes for suspicious activity that might indicate an exploit. It adds another layer of protection, one step closer to attackers, by using a completely different technology compared to techniques focusing on detection of malicious files themselves.

Advanced Memory Scanner

Advanced Memory Scanner works in combination with Exploit Blocker to provide better protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation and/or encryption. In cases where ordinary emulation or heuristics might not detect a threat, the Advanced Memory Scanner is able to identify suspicious behavior and scan threats when they reveal themselves in system memory. This solution is effective against even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed before it detects a threat. However, in the case that other detection techniques have failed, it offers an additional layer of security.

Botnet Protection

Botnet protection discovers malware by analyzing its network communication protocols. Botnet malware changes frequently, in contrast to network protocols, which have not changed in recent years. This new technology helps ESET defeat malware that tries to connect your computer to botnet networks.

Vulnerability Shield

Vulnerability Shield is an extension of the firewall and improves detection of known vulnerabilities on the network level. By detecting common vulnerabilities in widely used protocols, such as SMB, RPC and RDP, it constitutes another important layer of protection against spreading malware, network-conducted attacks and exploitation of vulnerabilities for which a patch has not yet been released or deployed.


PORT-IT MARITIME SOLUTIONS

When implementing an Antivirus solution in the Maritime sector, using a “normal” antivirus solution will often not suffice.

Normal antivirus solutions rely on access to a permanent and high bandwidth connection to the internet to stay up to date. As such data usage is not a factor that is considered when designing such solutions.

A typical Antivirus solution can use anywhere from 40 to 160MB per week.

This is not a problem when a permanent, fast and unlimited connection is used, but when implemented on a vessel using a limited satellite connection this behavior can lead to very high costs as a result of the bandwidth used.

Also, the lack of a permanent connection to the internet can cause the system to miss updates as they cannot be downloaded directly from the Antivirus provider server, causing the system to not update and therefore severely compromise the protection of the systems on board.

With these facts in mind Port-IT Antivirus has implemented a range of solutions that limit the bandwidth used, provide a hassle-free update process and give great control over sending and re-sending updates, making it easy to resolve any issues that might occur.

Streamlined update process

In order to limit bandwidth usage on your vessel Port-IT Antivirus uses an email based update system which only uses 480KB of data on average per week.

This is achieved by implementing a sequential and incremental update system, where each week, only new and revised definitions are sent, thus eliminating the sending of duplicate definitions.

By using a system of sequential updates, where the system will not update once a prior update has not been processed, the system is guaranteed to have all updates implemented up to the last signature date and that no prior definitions are missing. In this way we can guarantee optimal protection while using minimal bandwidth.

Updates can be sent in a variety of ways, and are mostly done via email. If an API or automated file transfer are available, updates can be processed without any manual interaction. If no API or Automated file transfer is possible, updates can also be automatically processed from a POP3 server using our Port-IT Guardian software.

Finally, if needed updates can also be sent as a one-click executable update file or even as raw update files for use with your own export solution.

Integrated engine updates

During the lifespan of an antivirus program it is necessary to update the software and scan engines to ensure protection against new types of threats and optimize the scan process.

Normal antivirus solutions incorporate these engine updates in their regular updates in an inefficient way, leading to excessive data usage. As stated before, this is an unwanted scenario in a maritime environment.

Some Maritime focused antivirus solutions require a physical CD to be transferred to your vessel in order to install these components, causing extra logistical actions and requiring the Master to manually install the components on each system.


Port-IT Antivirus integrates these engine updates with the normal weekly updates, eliminating the need for physical media to be sent to the vessel or extra effort to install the updates.

All engine updates are sent and installed automatically without need for any extra action from Master or anyone else. This is done while maintaining the small size of the updates, minimizing the needed effort and costs for the vessel and ensuring maximum security at all times.

Resending updates with full control

In case a vessel misses an update and the antivirus definitions go out of date, the user or IT manager has full control over re-sending any missed updates using our Port-IT Antivirus Portal.

The last update can be re-sent with 1 click, but a range of updates, a specific missed update or even a missing part of a multipart update can also be sent to the vessel.

Using the portal it is also possible to set the maximum update size, which is used to determine when an update needs to be split into multiple parts to avoid being blocked by email size filters. Update maximum sizes can be set to 512, 1024 or 2048KB per part, whichever is best suited to the company’s regulations.

The extensive re-send function makes getting a vessel back up to date after a reinstall or misconfiguration a quick and painless process.
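The sequential, incremental update process described under "Streamlined update process" and the multipart re-send controls described in this section fit together as one small state machine. The following is an added model of that logic written for this page; it is not Port-IT's update format or code, and the JSON envelope, field names and definition names ("Dropper.A" and so on) are constructed for the demo. It shows the three properties the text relies on: an update carries only new and revised definitions, an update is refused when the one before it has not been processed (so no definitions can be silently skipped), and a large update can be split into size-limited parts that are only applied once every part has arrived intact.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Part size limits named in the paper (512, 1024 or 2048 KB per part). The split
# function below accepts any limit so the demo can work with tiny payloads.
PART_SIZE_LIMITS_KB = (512, 1024, 2048)


@dataclass
class DefinitionState:
    """What the on-board update processor remembers between weekly updates."""
    last_seq: int = 0                                   # sequence number of the last applied update
    last_date: str = ""                                 # signature date of that update
    definitions: dict = field(default_factory=dict)     # definition name -> signature text
    pending: dict = field(default_factory=dict)         # seq -> {part_no: envelope} for multipart updates
    held_back: list = field(default_factory=list)       # seqs refused because a prior update is missing


def build_update(seq: int, date: str, new_or_revised: dict) -> bytes:
    """Incremental update: carries only new and revised definitions, never the full set."""
    return json.dumps({"seq": seq, "date": date, "definitions": new_or_revised}).encode()


def split_update(seq: int, payload: bytes, max_part_size: int) -> list:
    """Split one update into numbered parts so each stays under an email size filter."""
    digest = hashlib.sha256(payload).hexdigest()   # integrity check for the reassembled whole
    chunks = [payload[i:i + max_part_size] for i in range(0, len(payload), max_part_size)]
    return [
        {"seq": seq, "part": i + 1, "total": len(chunks), "sha256": digest, "data": chunk}
        for i, chunk in enumerate(chunks)
    ]


def apply_update(state: DefinitionState, payload: bytes) -> str:
    """Sequential rule: only seq == last_seq + 1 is accepted, so no definition can be skipped."""
    update = json.loads(payload)
    seq = update["seq"]
    if seq <= state.last_seq:
        return "duplicate"
    if seq != state.last_seq + 1:
        state.held_back.append(seq)
        return "missing_prior"        # an earlier update must be re-sent first
    state.definitions.update(update["definitions"])
    state.last_seq = seq
    state.last_date = update["date"]
    return "applied"


def receive_part(state: DefinitionState, envelope: dict) -> str:
    """Collect parts of a multipart update; apply once all parts are present and intact."""
    parts = state.pending.setdefault(envelope["seq"], {})
    parts[envelope["part"]] = envelope
    if len(parts) < envelope["total"]:
        return "waiting"
    payload = b"".join(parts[i]["data"] for i in range(1, envelope["total"] + 1))
    del state.pending[envelope["seq"]]
    if hashlib.sha256(payload).hexdigest() != envelope["sha256"]:
        return "corrupt"              # the damaged part must be re-sent
    return apply_update(state, payload)


def missing_updates(state: DefinitionState, latest_seq: int) -> list:
    """The exact range an IT manager would re-send to bring the vessel up to date."""
    return list(range(state.last_seq + 1, latest_seq + 1))


if __name__ == "__main__":
    state = DefinitionState()
    print(apply_update(state, build_update(1, "2018-06-17", {"Dropper.A": "sig-1"})))
    print(apply_update(state, build_update(3, "2018-07-01", {"Worm.C": "sig-3"})))   # refused: 2 missing
    for part in split_update(2, build_update(2, "2018-06-24", {"Trojan.B": "sig-2"}), 40):
        print(part["part"], "/", part["total"], receive_part(state, part))
    print("re-send needed to reach update 5:", missing_updates(state, 5))
```

The whole-update digest rather than per-part digests is a deliberate choice: it also catches a part that belongs to a different update of the same number, which is the failure mode after a reinstall or misconfiguration that the re-send function exists to repair.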

Safe update distribution on board the vessel

To further minimize data usage, all LAN connected computers on board are updated using the LAN by a single central communication computer. Often this is your main email PC, as all updates are processed on this computer.

All antivirus file distributions are done using HTTP, eliminating the need for manually sharing files and giving other LAN computers access to the main email PC. This way of distributing the files is simple, safe and lightweight and is made possible by the inclusion of a lightweight web server which is completely configured directly after installation.

Installing clients is also done in the same manner, eliminating the need to copy files to a USB drive to install a new computer. All it needs is a LAN connection.

Port-IT Antivirus features a dashboard page which can be accessed from each LAN connected computer. This page provides a quick overview of all installed PCs and their virus definitions date, making checking if all computers are up to date a matter of seconds. All manuals are also accessible using this page, as well as contact information for any support you might need.

Update monitoring and out of date signaling

To ensure maximum protection, keeping the Antivirus updated is something that needs to be a high priority.

The Port-IT Guardian process is designed to monitor virus definitions and signal the user if the Antivirus is out of date.

The user is then able to send an automatically generated message to the Port-IT support engineers to get the support needed to get the antivirus back up to date.

Another helpful tool for monitoring the antivirus protection state on board a vessel is the Clientstates option. If configured the Port-IT Guardian software will regularly check the definition date of all LAN connected PCs equipped with Port-IT Antivirus (using the HTTP server) and send an overview to an email address specified by the user. In this way not only the vessel master, but also the company IT manager can monitor the Antivirus health.

Port-IT Guardian can also import updates from a POP3 server if the vessel does not have an API or automated file transfer. This way virtually any vessel, regardless of the email solution used can receive and automatically process weekly updates, further ensuring that the Antivirus stays up to date with minimal effort needed by the crew.
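The Clientstates overview described above reduces to a simple check: poll each LAN client for its definition date, compare it with today's date against an allowed age, and report anything stale or unreachable to the master and the company IT manager. The block below is an added illustration of that logic written for this page; it is not the Port-IT Guardian code, and the hostnames, dates, the 14-day threshold and the report layout are constructed assumptions. The records are given inline in place of the HTTP poll so the example runs offline.

```python
from datetime import date

# Constructed records in the shape a LAN-side status poll might return: hostname and
# the definition date the client reported (ISO format), or None if it did not answer.
# Sample values for the demo, not data from a real vessel.
TODAY = date(2018, 7, 7)
CLIENT_REPORTS = [
    {"host": "BRIDGE-PC", "definitions": "2018-07-06"},
    {"host": "ENGINE-PC", "definitions": "2018-06-10"},
    {"host": "CREW-PC-1", "definitions": None},          # did not answer the HTTP poll
    {"host": "OFFICE-PC", "definitions": "2018-07-05"},
]


def classify(report: dict, today: date, max_age_days: int) -> str:
    """OK, OUTDATED (definitions older than max_age_days) or UNREACHABLE."""
    if report["definitions"] is None:
        return "UNREACHABLE"
    age = (today - date.fromisoformat(report["definitions"])).days
    return "OUTDATED" if age > max_age_days else "OK"


def build_overview(reports: list, today: date, max_age_days: int = 14) -> dict:
    """Classify every client; 'alert' is True when any client needs a re-send or a visit."""
    rows = []
    for report in sorted(reports, key=lambda r: r["host"]):
        status = classify(report, today, max_age_days)
        rows.append((report["host"], report["definitions"] or "-", status))
    needs_attention = [host for host, _, status in rows if status != "OK"]
    return {"rows": rows, "alert": bool(needs_attention), "needs_attention": needs_attention}


def format_mail(overview: dict, vessel: str) -> str:
    """Plain-text body of the kind of overview mail sent to the IT manager."""
    lines = [f"Antivirus definition overview for {vessel}", ""]
    for host, defs, status in overview["rows"]:
        lines.append(f"{host:<12} {defs:<12} {status}")
    lines.append("")
    lines.append("ACTION REQUIRED: " + ", ".join(overview["needs_attention"])
                 if overview["alert"] else "All clients up to date.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_mail(build_overview(CLIENT_REPORTS, TODAY), "MV EXAMPLE"))
```

Treating an unreachable client as a finding rather than skipping it matters on a vessel: a PC that has been switched off or taken off the LAN for weeks is exactly the one whose definitions will be out of date when it returns.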


ADDITIONAL SAFETY MEASURES

Although a proper antivirus solution as implemented by Port-IT Antivirus provides excellent protection against digital threats, the crucial importance of company data nowadays, and the sensitive information it contains, warrants another layer of protection. This is to ensure this crucial data is not lost or stolen in case security is broken or due to mechanical failure.

Proper backup solutions

The best way to ensure no data is lost due to calamity is by making regular backups of all critical data.

This means that if a system becomes inaccessible, due to mechanical failure, a digital threat or even user error, the “lost” data is available through a secondary copy.

A proper backup solution, such as ESET’s Storagecraft solution, has to be set up once and will keep copies of all your critical data up to date on a regular basis without any user action needed, minimizing the chances of a failure. If needed it can even be run as an invisible Windows service, so users’ data is backed up without them even noticing.

Storagecraft sets itself apart from most solutions in the way it backs up data and the ease with which lost data can be recovered. Storagecraft backs up on a disk image level, meaning an entire disk is copied, making it extremely easy to restore a system in the case of, for example, a hard drive failure in a computer. On failure of the complete computer the backup can be easily restored to a new computer without the need of reinstalling, as the backup can be loaded onto a new system.

Besides restoring an entire disk, it is also very easy to restore single files, for example when a critical file is deleted or lost due to a virus infection.

Backups are an important measure to ensure operational availability on board a vessel and to ensure data loss in the event of calamity is reduced to a minimum.

Data encryption

Earlier, data encryption was mentioned as a means of attack, locking users out of their computer by making sure their data is inaccessible. The same principle holds when looking at it the other way around.

Hacks and data theft are an increasing threat; a dedicated hacker might be able to bypass security measures on board a vessel and gain access to the computer systems on board. This would mean that all data on the LAN would be available for him to access, steal or delete, making a breach like this potentially disastrous for the vessel or the company.

However, with a solution like ESET DESlock, all files on each computer on board can be encrypted, making them inaccessible for anyone who is not supposed to use them. On board, data can be shared freely due to a shared encryption key. Data can also be shared with an outside source, either encrypted or unencrypted.

Encrypting the files on board in addition to good Antivirus protection reduces the risk of data loss to virtually zero as, even if an attacker finds a way to bypass the Antivirus, any data found will be useless.

System updates

The simplest, yet most overlooked, measure to increase security on board is keeping the computer systems and programs updated. Due to the data usage involved, this function is often disabled on board vessels.

Over time, the missed updates will lead to a substantial security risk. Updating all computers over a Satellite connection can take extremely long and will be a very costly process.

Offline solutions to this problem, such as WSUS, can solve the issue of data usage by transferring all updates for a particular operating system to a USB drive. Periodically sending these updates to a vessel to be applied will result in a massive improvement of the digital security on the vessel and has the added benefit of various bug fixes, making the systems perform better in the process as well.


CONCLUSION

The security level provided by the Port-IT Antivirus service is very high and should provide ample protection against virtually all types of digital threats that might threaten your vessel.

The technology that truly sets Port-IT Antivirus apart however is the smart implementation of update processing and distribution combined with a sophisticated signaling and monitoring method. Even in the instance the Antivirus gets out of date, the user friendly Port-IT portal and support engineers will ensure that the vessel security is back up to date in the shortest amount of time possible with minimal effort.

In addition to antivirus protection, backups and data encryption will ensure that vessel data is optimally protected against calamities.

Great security, high operational availability and ease of use will ensure the vessel is always protected, bringing the risk of infection and potential loss of revenue to a minimum.

For any questions regarding these topics please contact Port-IT at [email protected]


Zero day Malware protection using advanced Firewall solutions

With Malware becoming more sophisticated than ever before and attacks being tailored more to the receiver, adding a second line of defense is highly advisable.

Because the new Advanced Malware types (such as the aforementioned Cryptolockers) are customized for each attack, detecting them has become much more difficult. This makes them a real threat to any company network, especially those who are unable to retrieve antivirus updates on a daily or hourly basis.

To minimize the risk of infection by Advanced Persistent Threats such as Cryptolocker, an advanced Firewall solution as provided by WatchGuard provides the most efficient protection on the market today. Port-IT has partnered with WatchGuard Technologies to make sure it can provide the right solution and the best-in-class technology to protect sensitive data on board your vessels and on the office network.

Available for all WatchGuard appliances, APT Blocker uses full system emulation to get detailed views into the execution of a malware program. After first running through other security services, files are fingerprinted and checked against an existing database, first on the appliance and then in the cloud. If the file has never been seen before, it is analyzed using the system emulator, which monitors the execution of all instructions. It can spot the evasion techniques that other sandboxes miss. Because they require an Internet connection, the WatchGuard solutions are only of interest on vessels that have VSAT, GX or FBB ALYC and are thus Internet enabled. However, Port-IT can also offer WatchGuard solutions for any office network.

