Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
32 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings

Carefully establish incident response procedures: The team should follow the NIST incident response guidelines. [6] Be sure procedures are structured, logical, and efficient to minimize impact to seaports. Preserve evidence such as logs and files for legal and liability issues.

Follow established procedures closely: Handling a security incident can be tricky, as attackers can use unknown tactics. Examine assumptions to avoid traps.

Contribute to a maritime information sharing and analysis center: Share information about incidents and responses via a maritime information sharing and analysis center.

Cyber Security Policy, Education, and Training

Enforce network and computer usage policies: Allow users to visit only trusted websites and use trusted applications. Since many cyber attacks require only one click on a malicious link or one visit to a malicious website, unlimited web browsing is inherently risky.

Provide regular cyber security training: Cybersecurity requires a collective effort. Users are the weakest link in security, as they are subject to social engineering, spear phishing, employing weak passwords, and malvertising. Stress cybersecurity and cyber awareness to all users and contractors. In addition, provide basic security protocol training.

Watch Trends, Boost Preparedness

As people have recognized the potential impact of zero-day attacks, government agencies, developers, and, unfortunately, malicious attackers, have driven up the dollar value for unpublished vulnerabilities. Increased demand has also led to increased activities in penetration testing and vulnerability discovery. In addition, zero-day vulnerabilities are often the critical first step in gaining access to systems. Terrorist and state-supported organizations will likely invest more on zero-day vulnerability discovery, resulting in even more zero-day exploits.
In particular, watering hole attacks [7] via planted malicious software on targeted servers through zero-day exploits will also increase, since preventing such attacks requires additional business partner coordination and collaboration, creating further delays and barriers to securing the systems.

Along with increasing mobile device usage in businesses, zero-day attacks via mobile device vulnerabilities will increase as well. Mobile malware code increased from 792 in 2011 to more than 36,000 in 2012 and more than 50,000 in 2013. [8] Therefore, it is important for seaports to have clearly defined policies for allowed devices on seaport networks.

Incident Response

Establish steps and procedures to remove compromised components and restore systems in case of an intrusion. In the event that a seaport does not have its own incident response team, it should employ a certified cyber incidents service to handle incidents properly.

The Life Cycle of a Zero-Day Exploit

When an attacker uses a worm, virus, or other zero-day exploit, he or she opens a window of opportunity to do harm. From the seaport's perspective, that is the period of real vulnerability. The port closes that window when it successfully applies the appropriate patch.

The life cycle of a zero-day exploit has five stages:

1. A system is developed and deployed with an unknown vulnerability.
2. A hacker discovers the vulnerability before the developer does.
3. The hacker develops an exploit while the vulnerability is still unknown to the developer or, if known, not yet fixed.
4. The public becomes aware of the exploit either by independent discovery or by its use, and the developer releases a "signature" for the exploit.
5. The developer releases the fix/patch.

The Black Market

Black markets for trading exploits among hackers have existed since hacking began, and, as the effects of zero-day exploits grow, so does their value.
Recently, however, the markets for zero-day exploits are changing. For example, Microsoft recently paid $100,000 to a hacking expert for a new exploitation technique. [1] Unfortunately, this provides incentive for more people to mine zero-day vulnerabilities and develop exploits. The interactions among these different players are likely to change the zero-day exploit economy.

Endnote:
1. J. Finkle, "Microsoft awards hacking expert, repairs browser bug," www.reuters.com/article/2013/10/08/net-us-microsoft-cybersecurity-idUSBRE9970YK20131008.