“We're All in this Together”: How Sea Pirates Exposed Cybersecurity's Big Lie
You probably heard last week's news about container ship pirates hacking into a shipping company's servers. But there's an unreported angle that you probably haven't thought of – one that shows a significant blind spot in the security industry.
Verizon RISK Labs investigated the (unnamed) company's servers and found that pirates had been submitting plaintext database queries to several compromised servers and finding information on valuable cargo, which they targeted in their hijackings. In response, the company shut down the affected servers, changed passwords, blocked the pirates' IP address (no proxy used!) and rebuilt the servers with an updated version of its CMS. The amateurish, if effective, hacking is stopped and now everything is fine. Right?
Wrong. Here's why.
The fatal flaw in this security approach is obvious when you read the description of the hijackings. From the Verizon report:
Rather than spending days holding boats and their crew hostage while they rummaged through the cargo, these pirates began to attack shipping vessels in an extremely targeted and timely fashion. Specifically, they would board a shipping vessel, force the crew into one area and within a short amount of time they would depart. When crews eventually left their safe rooms hours later, it was to find that the pirates had headed straight for certain cargo containers. It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved. They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident. Fast, clean and easy. (emphasis mine)
Do you see it? Hacking actually made the crew safer! Where once ship and crew were held hostage for months or even years, waiting on a multimillion-dollar ransom payment the freight company may not have been able to pay, now the whole affair is over in a matter of hours. Hacking took the pirates from “Captain Phillips” to “Ocean's 11”. (no pun intended)
Cybersecurity's Big Lie
As security professionals, we've almost all been guilty of making one big assumption: What's good for the company is good for the individuals working at the company.
These pirates put that lie to rest. For all the terror their victims may have endured, their worst-case scenario was that their ship was slightly more likely to be robbed – and they were drastically less likely to be taken captive.
By patching the servers, the shipping company put their employees' safety at greater risk to protect their cargo, thus making clear the potentially adversarial relationship between corporate cybersecurity and the welfare of its workforce.
You can see the same thing on a smaller scale at any Fortune 500 company. Workers are forced to deal with rules and restrictions that prevent them from efficiently doing their jobs. The company may be safer, but the individuals working there feel more frustrated getting less done.
(Obviously, the anonymous shipping company was obligated to secure their servers. We can only hope they also took practical steps to keep their sailors safe from being taken hostage; they're like truckers of the high seas, not armored car drivers.)
Aligning Interests: A Better Approach to Cybersecurity
Cybersecurity shouldn't be adversarial. A more effective approach puts individuals and their company on the same side: against the hackers.
This alignment of interests encourages individuals to improve their cybersecurity, even if it's inconvenient, because they know it's good for them AND their company. It incentivizes them to stay current on cybersecurity recommendations and proactively engage in risk mitigation and remediation.
Finally, aligning interests works because employees are exposed to many, if not most, security risks outside work: at night, on weekends, or on a personal device. It's difficult, if not impossible, to enforce your cybersecurity policies outside the boundaries of work. Cultivating an intrinsic interest in cybersecurity is more effective than imposing burdensome rules at work and then leaving your workforce exposed outside the perimeter.
Conclusion: Whose Side are You On?
The shipping company patched their servers. What happens now? Well, the sailors should make their own lists of valuable cargo for use in negotiating safely with pirates.
Why not? When our security measures work against the interests of our workforce - by frustrating them, or tricking them, or treating them unfairly - we invite them to work around those measures. We invite them to cooperate with the hackers.
Just adding more cybersecurity won't necessarily make your company more secure. So what can you do now? First, communicate to your workforce exactly how your existing policies protect both them and the company, even if you think it's clear. Never assume that what's obvious to you is obvious to anyone else!
Going forward, any security product you consider should be designed to protect the interests of your company and the individuals who work there. Imagine the product experience from an individual employee's perspective.
And if it makes your life more difficult, don't be surprised if you find yourself rooting for the hackers to win.