Based in silicon valley, california, security brief is a blog by chris louie. his posts discuss current information security affairs

I'M ON A BOAT: Iran Prompts New Warnings for Ships

I'M ON A BOAT: Iran Prompts New Warnings for Ships

The morning of Thursday, October 12, 2000, began like any other for the crew of the guided-missile destroyer U.S.S. Cole. It was on a routine refueling stop in Aden, Yemen, when a small boat loaded with explosives, pulled alongside it and detonated its payload. It would be the worst navel attack against the US Navy in nearly twenty-five years. Fast forward nineteen years later to today and headlines about ships being attacked daily grace the headlines of our news publications. Six oil tankers and a US spy drone have been attacked since May and there is no sign that this trend is slowing. Commentators monitoring the situation partially attribute the rise in attacks to newly enforced sanctions against Iran. Iran is competent in two areas: evading sanctions and cyber hacktivism. The attack against the U.S.S. Cole required two suicide bombers, hundreds of pounds of explosives, and the hope that the boat would not be detected or intercepted before it reached its intended target. In today’s cyber connected world, an attack to disable a ship could be made with just a few keystrokes.

The “hacker” Q plugs in an infected USB drive into a computer plugged into the production network

The “hacker” Q plugs in an infected USB drive into a computer plugged into the production network

Iran has previously lashed out against its adversaries using crippling cyberattacks. In 2012, Saudi Arabia owned oil company Saudi Aramco suffered a significant cyberattack with the Shamoon disk wiping malware. Oil shipments were at a standstill for weeks as Saudi Aramco rebuilt their infrastructure, which required purchasing every available hard drive from their manufacturer in Vietnam. In January 2018, a piece of malware believed to be authored by Iran called Triton exploited a zero-day vulnerability in Schneider ’Electric’s Safety Instrumentation controllers to attempt to blow up a gas processing plant in Saudi Arabia. Again, the endgame of the attack was to disrupt the energy supply chain of Iran’s adversaries. With tensions at an all-time high between western nations and Iran, the US Coast Guard has released an advisory for all ships sailing which could be the target of an Iranian attack. Now that engines are controlled by computers and not physical levers and switches, it is more important than ever to practice good cyber. The US Coast Guard advisory can be summed up in five bullet points, all of which should be obvious to serious security practitioners.

1. Implement network segmentation.

2. Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary

3. Be wary of external media

4. Install anti-virus software

5. Keep software updated

Let’s take these one at a time.

Network segmentation should be the most apparent security control in preventing unauthorized access. The network which allows the boat captain to check his personal Hotmail account should not be connected to the network that controls the ship’s navigation or engine control systems. If the captain clicks on a bad link, it should only affect the internet browsing network and not the ship’s core components. Implementing zero-trust network access solutions that allow for even deeper microsegmentation at the application level helps prevent lateral movement of a compromised endpoint or user account.

Creating unique logins for users with the principle of least privilege dovetails nicely with zero trust network access. By segmenting the network at the application level and applying business policies, users only have access to the applications that are required to perform their daily duties and no more. Zero trust necessarily requires users to have unique logins to grant the correct authorization level and auditing for non-repudiation.

Social engineering often preys on human nature that as a species, humans are curious. If a CD or USB flash drive randomly appears in a parking lot, people want to know what is on it and may insert it into their work machine. Performing this simple action can compromise endpoints and entire networks. While this sounds like a lousy plotline from a Bond movie or Call of Duty campaign mode, it happens more than most wish to admit.

While I feel aftermarket anti-virus software provides little to no value, it still has its place in a defense-in-depth strategy. Microsoft’s Windows Defender product that comes bundled with Windows 10 has gotten so effective at detecting and stopping malware. I do not believe that an aftermarket AV solution is needed when paired with a proper network security stack delivered as a cloud service.

Keeping software patched and up to date can be a challenging task when the internet is spotty in the middle of the Indian Ocean. However, applying security patches for known vulnerabilities is often one of the most significant steps IT administrators can take to keep endpoints and networks secure. Readers do not need to look further than WannaCry, Equifax, NotPetya, Drupal, or Yahoo! to know that flaws are left open for weeks, or even longer even when patches exist. The UK NHS, running much of its infrastructure on Windows XP, suffered when WannaCry hit them two years ago. Many UK attack vessels still run a modified version of Windows XP dubbed “Windows for Warships."

No story about boats would be complete without Boaty McBoatface

No story about boats would be complete without Boaty McBoatface

With some security patches having file sizes in the hundreds of megabytes or even gigabytes, it may not be feasible or even technically possible for a ship to obtain these patches while out at sea. While security patches are massive in size, malicious payloads that could potentially disable a boat are not. The WannaCry Malware was only 3.4 Megabytes in size. The last time I updated Microsoft Office, it was almost 2.0 Gigabytes. Using a cloud-hosted security stack has the benefit of always being on the latest version of the software with all available security updates applied. Unlike hardware appliances that need to download updates or adding additional hops to internet traffic by backhauling to a datacenter for inspection over an already unstable connection, cloud-hosted solutions sit and perform enforcement as close to the user as possible for the best user experience.

With political and economic tensions between western nations and Iran at an all-time high, it is more important than ever for organizations to implement the proper security controls to thwart potential attacks from an adversary that has proven highly capable in both the cyber and physical realms. Just like the plot in the Tom Clancy spinoff franchise, Iran could potentially launch a cyber attack and follow up with a real-world physical attack to cripple the infrastructure of its enemies. A cloud-hosted security stack as a service with zero trust network access will go a long way in preventing the next major cyberattack against the ships that protect us and transport everything from natural gas to athletic running shoes.

“I’ve never seen a piece of malware that sings to you:”

“I’ve never seen a piece of malware that sings to you:”

It's Your Turn To Be Afraid: Easy Money From Ransomware Is Gone

It's Your Turn To Be Afraid: Easy Money From Ransomware Is Gone

True Zero-Days: Marketing Speak Verses Reality for Coinbase

True Zero-Days: Marketing Speak Verses Reality for Coinbase